Commit Hooks

The Curity Identity Server provides a way to run scripts when a configuration transaction has been committed. This can be useful to run administrative tasks, such as logging, backup or sending external events.

Put the scripts in <IDSVR_HOME>/usr/bin/post-commit-cli-scripts and <IDSVR_HOME>/usr/bin/post-commit-scripts (see details below); no reload or restart is required for the Curity Identity Server to pick them up. The log file <IDSVR_HOME>/var/log/post-commit-scripts.log contains the output of the scripts and audit-data about running or skipped scripts.

Note

Both types of scripts have access to the environment variables the Curity Identity Server has access to. For the .cli scripts, $EPOCH_TIMESTAMP is also available, with value the epoch timestamp of the script’s execution.

Commit Hook CLI Scripts

CLI commit hook scripts can be very useful for exporting the current configuration. They take advantage of the Command Line Interface.

The Curity Identity Server executes all .cli files in <IDSVR_HOME>/usr/bin/post-commit-cli-scripts within the command-line-interface context when a configuration change has been committed.

Example: Export a full config backup in xml:

Listing 315 Example post-commit cli-script that creates a config backup
show configuration | display xml | save /tmp/config-backup.${EPOCH_TIMESTAMP}.xml

Example: Create a json file with the current active nodes:

Listing 316 Example post-commit cli-script that stores the service uptime in json format
show environments environment services runtime-service | display json | save /tmp/runtime-service.${EPOCH_TIMESTAMP}.json

Example: export the configuration into multiple xml files:

Listing 317 Example post-commit cli-script that creates a fine-grained config backup, where each sub-tree is in different file.
show configuration profiles profile <authentication-profile-id> | display xml | save /tmp/authentication-profile-backup.${EPOCH_TIMESTAMP}.xml
show configuration profiles profile <token-service-profile-id> | display xml | save /tmp/token-service-profile-backup.${EPOCH_TIMESTAMP}.xml
show configuration facilities | display xml | save /tmp/facilities-backup.${EPOCH_TIMESTAMP}.xml
show configuration processing | display xml | save /tmp/processing-backup.${EPOCH_TIMESTAMP}.xml
show configuration aaa | display xml | save /tmp/aaa-backup.${EPOCH_TIMESTAMP}.xml
show configuration nacm | display xml | save /tmp/nacm-backup.${EPOCH_TIMESTAMP}.xml

Note

CLI scripts that contain the commit command are ignored as they could cause a cyclic behavior.

Commit Hook Scripts

The Curity Identity Server executes all executable files under <IDSVR_HOME>/usr/bin/post-commit-scripts when a configuration change has been committed.

Example: Send an email to notify of a configuration change.

Listing 318 Example post-commit script that sends an email
#!/bin/bash
T=`date +%s`
ADMIN_EMAIL="admin@example.com"
echo "Sending email to ${ADMIN_EMAIL}"
mail -s "Configuration updated" ${ADMIN_EMAIL} << EOF
        AutoGenerated email from Curity Identity Server
        Current timestamp: ${T}
EOF

Example: Use the idsh command to export all the procedures and format them to javascript.

Warning

Be careful when using idsh within a post-commit script. Accidentally commiting a (non-idempotent) change here could cause an infinite loop.

Listing 319 Example post-commit script that saves all configured procedures into javascript files (Advanced).
#!/bin/bash
T=`date +%s`
TARGET=/tmp/${T}

mkdir -p ${TARGET}

function _export_procedures() {
    type=$1
    procedures=$(idsh <<< "show configuration processing procedures $type | display-level 1")

    while IFS= read -r procedure
        do
                procedure=$(echo $procedure | sed 's/\;//g')
                name=$(echo $procedure | awk '{split($0, column, " "); print column[2]}')

                echo "Exporting procedure $type $name"

                b64_script=$(idsh <<< "show configuration processing procedures $type $name script")
                b64_script=$(echo $b64_script | sed 's/.*script \(.*\);.*/\1/')
                mkdir -p $TARGET/$type

                echo $b64_script | base64 -D > $TARGET/$type/$name.js

        done <<< "$procedures"
}

function _export_procedures_with_subtype() {
        type=$1
        procedures=$(idsh <<< "show configuration processing procedures $type | display-level 1")

        while IFS= read -r procedure
        do
                procedure=$(echo $procedure | sed 's/\;//g')
                name=$(echo $procedure | awk '{split($0, column, " "); print column[2]}')
                subtype=$(echo $procedure | awk '{split($0, column, " "); print column[3]}')
                echo "Exporting token procedure $type $name"
                b64_script=$(idsh <<< "show configuration processing procedures $type $name $subtype script")
                b64_script=$(echo $b64_script | sed 's/.*script \(.*\);.*/\1/')
                mkdir -p $TARGET/$type/$subtype
                echo $b64_script | base64 -D > $TARGET/$type/$subtype/$name.js
        done <<< "$procedures"
}

_export_procedures_with_subtype token-procedure
_export_procedures filter-procedure
_export_procedures transformation-procedure
_export_procedures event-listener-procedure
_export_procedures validation-procedure

Note

Since post-commit scripts are run when a transaction has been committed, but before any locks have been released, it is advisable not to run tasks with long durations.