Feature: Add SRAM integration through SBS

ci/qa-config/rector.php

@@ -33,4 +33,5 @@
         \Rector\Php81\Rector\FuncCall\NullToStrictStringFuncCallArgRector::class,
         \Rector\Php81\Rector\Property\ReadOnlyPropertyRector::class,
         \Rector\DeadCode\Rector\StaticCall\RemoveParentCallWithoutParentRector::class,
+        \Rector\Php82\Rector\Class_\ReadOnlyClassRector::class,
     ]);

config/packages/engineblock_features.yaml

@@ -15,3 +15,4 @@ parameters:
         eb.feature_enable_idp_initiated_flow: "%feature_enable_idp_initiated_flow%"
         eb.stepup.sfo.override_engine_entityid: "%feature_stepup_sfo_override_engine_entityid%"
         eb.stepup.send_user_attributes: "%feature_stepup_send_user_attributes%"
+        eb.feature_enable_sram_interrupt: "%feature_enable_sram_interrupt%"

config/packages/parameters.yml.dist

@@ -223,6 +223,7 @@ parameters:
     feature_enable_idp_initiated_flow: true
     feature_stepup_sfo_override_engine_entityid: false
     feature_stepup_send_user_attributes: false
+    feature_enable_sram_interrupt: false
 
     ##########################################################################################
     ## PROFILE SETTINGS
@@ -307,3 +308,20 @@ parameters:
     # used in the authentication log record. The attributeName will be searched in the response attributes and if present
     # the log data will be enriched. The values of the response attributes are the final values after ARP and Attribute Manipulation.
     auth.log.attributes: []
+
+    ##########################################################################################
+    ## SRAM Settings
+    ##########################################################################################
+    ## Config for connecting with SBS server
+    ## base_url must end with /. Locations must not start with /.
+    sram.api_token: xxx
+    sram.base_url: 'https://engine.dev.openconext.local/functional-testing/'
+    sram.authz_location: authz
+    sram.attributes_location: attributes
+    sram.interrupt_location: interrupt
+    sram.verify_peer: false
+    sram.allowed_attributes:
+        - 'urn:mace:dir:attribute-def:eduPersonEntitlement'
+        - 'urn:mace:dir:attribute-def:eduPersonPrincipalName'
+        - 'urn:mace:dir:attribute-def:uid'
+        - 'urn:oid:1.3.6.1.4.1.24552.500.1.1.1.13'

config/routes/functional_testing/functional_testing.yml

@@ -69,3 +69,18 @@ functional_testing_gateway:
     path: "/gateway/second-factor-only/single-sign-on"
     defaults:
         _controller: engineblock.functional_test.controller.stepup_mock::ssoAction
+
+functional_testing_sram_authz:
+    path: "/authz"
+    defaults:
+        _controller: engineblock.functional_test.controller.sbs::authzAction
+
+functional_testing_sram_interrupt:
+    path: "/interrupt"
+    defaults:
+        _controller: engineblock.functional_test.controller.sbs::interruptAction
+
+functional_testing_sram_attributes:
+    path: "/attributes"
+    defaults:
+        _controller: engineblock.functional_test.controller.sbs::attributesAction

config/services/ci/controllers.yml

@@ -50,3 +50,9 @@ services:
             - '@OpenConext\EngineBlock\Validator\UnsolicitedSsoRequestValidator'
             - '@OpenConext\EngineBlock\Service\AuthenticationStateHelper'
             - '@engineblock.functional_testing.fixture.features'
+
+    engineblock.functional_test.controller.sbs:
+        class: OpenConext\EngineBlockFunctionalTestingBundle\Controllers\SbsController
+        arguments:
+            - '@engineblock.functional_testing.fixture.sbs_client_state_manager'
+            - '@engineblock.functional_testing.data_store.sbs_server_state'

config/services/ci/services.yml

@@ -7,6 +7,8 @@ parameters:
     engineblock.functional_testing.attribute_aggregation_data_store.file:     "/tmp/eb-fixtures/attribute_aggregation.json"
     engineblock.functional_testing.stepup_gateway_mock_data_store.file:       "/tmp/eb-fixtures/stepup_gateway_mock.json"
     engineblock.functional_testing.translator_mock_data_store.file:           "/tmp/eb-fixtures/translator_mock.json"
+    engineblock.functional_testing.sbs_client_state_manager_data_store.file:  "/tmp/eb-fixtures/sbs_client_state_manager.json"
+    engineblock.functional_testing.sbs_controller_data_store.file:            "/tmp/eb-fixtures/sbs_server_state.json"
 
 services:
     _defaults:
@@ -58,6 +60,11 @@ services:
             - '@engineblock.mock_entities.sp_factory'
             - "@engineblock.compat.application"
 
+    engineblock.functional_testing.fixture.sbs_client_state_manager:
+        class: OpenConext\EngineBlockFunctionalTestingBundle\Fixtures\SbsClientStateManager
+        arguments:
+            - "@engineblock.functional_testing.data_store.sbs_client_state_mananger"
+
     #endregion Fixtures
 
     #region Data Stores
@@ -77,6 +84,14 @@ services:
         class: OpenConext\EngineBlockFunctionalTestingBundle\Fixtures\DataStore\JsonDataStore
         arguments: ['%engineblock.functional_testing.authentication_loop_guard_data_store.file%']
 
+    engineblock.functional_testing.data_store.sbs_client_state_mananger:
+        class: OpenConext\EngineBlockFunctionalTestingBundle\Fixtures\DataStore\JsonDataStore
+        arguments: ['%engineblock.functional_testing.sbs_client_state_manager_data_store.file%']
+
+    engineblock.functional_testing.data_store.sbs_server_state:
+        class: OpenConext\EngineBlockFunctionalTestingBundle\Fixtures\DataStore\JsonDataStore
+        arguments: [ '%engineblock.functional_testing.sbs_controller_data_store.file%' ]
+
     engineblock.function_testing.data_store.attribute_aggregation_client:
         class: OpenConext\EngineBlockFunctionalTestingBundle\Fixtures\DataStore\JsonDataStore
         arguments: ['%engineblock.functional_testing.attribute_aggregation_data_store.file%']

config/services/services.yml

@@ -342,3 +342,33 @@ services:
     symfony.mailer:
         public: true
         alias: mailer
+
+    engineblock.sbs.sbs_client:
+        class: OpenConext\EngineBlockBundle\Sbs\SbsClient
+        arguments:
+            - "@engineblock.sbs.http_client"
+            - "%sram.base_url%"
+            - "%sram.authz_location%"
+            - "%sram.attributes_location%"
+            - "%sram.interrupt_location%"
+            - "%sram.api_token%"
+            - "%sram.verify_peer%"
+
+    engineblock.sbs.http_client:
+        class: OpenConext\EngineBlock\Http\HttpClient
+        arguments:
+            - "@engineblock.sbs.guzzle_http_client"
+
+    engineblock.sbs.guzzle_http_client:
+        class: GuzzleHttp\Client
+        arguments:
+            - base_uri: "%sram.base_url%/"
+              options:
+                  headers:
+                      Authentication: "%sram.api_token%"
+              timeout: "%http_client.timeout%"
+
+    engineblock.sbs.attribute_merger:
+        class: OpenConext\EngineBlockBundle\Sbs\SbsAttributeMerger
+        arguments:
+            - "%sram.allowed_attributes%"

config/services_ci.yaml

@@ -67,3 +67,7 @@ services:
 
     OpenConext\EngineBlockFunctionalTestingBundle\Features\Context\MinkContext:
         tags: ['fob.context']
+
+    OpenConext\EngineBlockFunctionalTestingBundle\Fixtures\SbsClientStateManager:
+        arguments:
+            - "@engineblock.functional_testing.data_store.sbs_client_state_mananger"

docker/docker-compose.yml

@@ -2,7 +2,6 @@ services:
 
     mariadb:
         image: mariadb:10.6
-        restart: always
         container_name: eb-db-test
         environment:
             MYSQL_ROOT_PASSWORD: "root"
@@ -62,5 +61,4 @@ services:
             - ../theme:/theme
 
 volumes:
-    eb-mysql-data:
     eb-mysql-test-data:

docs/filter_commands.md

@@ -1,8 +1,8 @@
 # EngineBlock Input and Output Command Chains
 
 EngineBlock pre-processes incoming and outgoing SAML Responses using so-called Filters. These filters provide specific,
-critical functionality, by invoking a sequence of Filter Commands. However, it is not easily discoverable what these 
-Filters and Filter Commands exactly do and how they work. This document outlines how these Filters and Filter Commands 
+critical functionality, by invoking a sequence of Filter Commands. However, it is not easily discoverable what these
+Filters and Filter Commands exactly do and how they work. This document outlines how these Filters and Filter Commands
 work and what each filter command does.
 
 The chains are:
@@ -13,11 +13,11 @@ The specific commands can be found in the [`library\EngineBlock\Corto\Filter\Com
 
 ## Input and Output Filters
 
-These are called by [`ProxyServer`][ps], through [`filterOutputAssertionAttributes`][fOAA] and 
+These are called by [`ProxyServer`][ps], through [`filterOutputAssertionAttributes`][fOAA] and
 [`filterInputAssertionAttributes`][fIAA] calling [`callAttributeFilter`][cAF], which invokes the actual Filter Commands.
 
 Each Filter then executes Filter Commands in a specified order for Input (between receiving Assertion from IdP and
-Consent) and Output (after Consent, before sending Response to SP).  
+Consent) and Output (after Consent, before sending Response to SP).
 What the filter does is:
 ```
 Loop over given Filter Commands, for each Command:
@@ -30,7 +30,7 @@ Loop over given Filter Commands, for each Command:
     set the collabPersonId (either: string stored in session, string found in Response, string found in responseAttributes, string found in nameId response or null, in that order)
     execute the command
 ```
-During the loop, the Response, responseAttributes and collabPersonId are retrieved from the previous command and are 
+During the loop, the Response, responseAttributes and collabPersonId are retrieved from the previous command and are
 used by the commands that follows.
 
 A command can also stop filtering by calling `$this->stopFiltering();`
@@ -67,7 +67,7 @@ Uses:
 - EngineBlock_Saml2_ResponseAnnotationDecorator
 - responseAttributes
 
-### NormalizeAttributes 
+### NormalizeAttributes
 Convert all OID attributes to URN and remove the OID variant
 
 Depends on:
@@ -193,7 +193,7 @@ Modifies:
 See: [Engineblock Attribute Aggregation](attribute_aggregation.md) for more information.
 
 ### EnforcePolicy
-Makes a call to the external PolicyDecisionPoint service. This returns a response which details whether or not the 
+Makes a call to the external PolicyDecisionPoint service. This returns a response which details whether or not the
 current User is allowed access to the Service Provider. For more information see [the PDP repository README][pdp-repo]
 
 Depends On:
@@ -343,8 +343,18 @@ Uses:
 - OpenConext\EngineBlock\Metadata\Entity\IdentityProvider
 - EngineBlock_Saml2_AuthnRequestAnnotationDecorator
 
+### SRAM test filter
+SRAM integration.
+In order to facilitate fine-grained access to SRAM, EB integrates with SRAM through the SBS service.
 
+This process is only enabled if both the `feature_enable_sram_interrupt` feature flag is enabled and the `collabEnabled` coin of the SP is true.
 
+If enabled, the SramInterruptFilter will call SBS with the sessionId.
+If the sessionId is known in SBS, EB will merge the attributes supplied by SBS into the Auth request.
+IF the sessionId is unknown, later in the Consume Assertion process, the browser will be redirected to SBS,
+which will redirect back to EB after a successful check. Then the attributes from SBS will be merged after all.
+
+See https://github.com/OpenConext/OpenConext-engineblock/issues/1804 for details.
 
 
 [input]: https://github.com/OpenConext/OpenConext-engineblock/tree/master/library/EngineBlock/Corto/Filter/Input.php

library/EngineBlock/Application/DiContainer.php

@@ -26,6 +26,8 @@
 use OpenConext\EngineBlock\Stepup\StepupEntityFactory;
 use OpenConext\EngineBlock\Stepup\StepupGatewayCallOutHelper;
 use OpenConext\EngineBlock\Validator\AllowedSchemeValidator;
+use OpenConext\EngineBlockBundle\Sbs\SbsAttributeMerger;
+use OpenConext\EngineBlockBundle\Sbs\SbsClientInterface;
 use Symfony\Component\DependencyInjection\ContainerInterface as SymfonyContainerInterface;
 use Symfony\Component\Mailer\MailerInterface;
 use Twig\Environment;
@@ -309,6 +311,16 @@ protected function getSymfonyContainer()
         return $this->container;
     }
 
+    public function getSbsAttributeMerger(): SbsAttributeMerger
+    {
+        return $this->container->get('engineblock.sbs.attribute_merger');
+    }
+
+    public function getSbsClient(): SbsClientInterface
+    {
+        return $this->container->get('engineblock.sbs.sbs_client');
+    }
+
     public function getPdpClient()
     {
         return $this->container->get(\OpenConext\EngineBlockBundle\Pdp\PdpClient::class);

library/EngineBlock/Application/ErrorHandler.php

@@ -62,7 +62,6 @@ public function exception(Throwable $e)
         foreach ($this->_exitHandlers as $exitHandler) {
             $exitHandler($e);
         }
-        throw $e;
 
         $this->_application->reportError($e);
 

library/EngineBlock/Application/TestDiContainer.php

@@ -16,7 +16,6 @@
  * limitations under the License.
  */
 
-use OpenConext\EngineBlock\Stepup\StepupEndpoint;
 use OpenConext\EngineBlockBundle\Pdp\PdpClientInterface;
 
 /**
@@ -49,7 +48,7 @@ public function getPdpClient()
         return $this->pdpClient ?? parent::getPdpClient();
     }
 
-    public function setPdpClient(PdpClientInterface $pdpClient)
+    public function setPdpClient(?PdpClientInterface $pdpClient)
     {
         $this->pdpClient = $pdpClient;
     }

library/EngineBlock/Corto/Adapter.php

@@ -127,6 +127,11 @@ public function processWayf()
         $this->_callCortoServiceUri('continueToIdp');
     }
 
+    public function processSramInterrupt()
+    {
+        $this->_callCortoServiceUri('SramInterruptService');
+    }
+
     public function processConsent()
     {
         $this->_callCortoServiceUri('processConsentService');