Change the ValidateAllowedConnection input filter so that collab_enabled-services skip the IdP-SP check. I.e., if coin:collab_enabled is set, skip the check if the correct IdP is connected, and always allow the flow to continue.

Author: johanib

library/EngineBlock/Corto/Filter/Command/EnforcePolicy.php

@@ -63,7 +63,7 @@ public function execute()
 
         try {
             $pdp = $this->getPdpClient();
-            $policyDecision = $pdp->requestDecisionFor($pdpRequest);
+            $policyDecision = $pdp->requestInterruptDecisionFor($pdpRequest);
         } catch (\OpenConext\EngineBlock\Http\Exception\HttpException $e) {
             throw new EngineBlock_Exception_PdpCheckFailed(
                 'Policy Enforcement Point: Could not perform PDP check: ' . $e->getMessage()

library/EngineBlock/Corto/Filter/Command/SRAMTestFilter.php

@@ -29,7 +29,6 @@ public function getResponseAttributes()
 
     public function execute(): void
     {
-
         $application = EngineBlock_ApplicationSingleton::getInstance();
 
         $sramEndpoint = $application->getDiContainer()->getSRAMEndpoint();
@@ -46,8 +45,15 @@ public function execute(): void
         $user_id = $attributes['urn:mace:dir:attribute-def:uid'][0];
         $continue_url = $this->_server->getUrl('SRAMInterruptService', '') . "?ID=$id";
         $service_id = $this->_serviceProvider->entityId;
+        // @TODO at the very start of this function, check if the SP has `coin:collab_enabled`, skip otherwise?
         $issuer_id = $this->_identityProvider->entityId;
 
+        /***
+         * @TODO Move all curl related things to new HttpClient. See PDPClient as an example.
+         * @TODO Make sure it has tests
+         * @TODO add tests for this Input Filter
+         */
+
         $headers = array(
             "Authorization: $sramApiToken"
         );
@@ -74,16 +80,16 @@ public function execute(): void
         $data = curl_exec($ch);
         curl_close($ch);
 
-        $body = json_decode($data);
+        $body = json_decode($data, false);
         // error_log("SRAMTestFilter " . var_export($body, true));
 
+        // @TODO Add integration test: Assert the redirect url on the saml response is SRAM
+
         $msg = $body->msg;
-        if ('interrupt' == $msg) {
+        if ($msg === 'interrupt') {
             $this->_response->setSRAMInterruptNonce($body->nonce);
-        } else {
-            if ($body->attributes) {
-                $this->_responseAttributes = array_merge_recursive($this->_responseAttributes, (array) $body->attributes);
-            }
+        } elseif ($body->attributes) {
+            $this->_responseAttributes = array_merge_recursive($this->_responseAttributes, (array) $body->attributes);
         }
 
     }

library/EngineBlock/Corto/Filter/Command/ValidateAllowedConnection.php

@@ -16,6 +16,8 @@
  * limitations under the License.
  */
 
+use OpenConext\EngineBlock\Metadata\Entity\ServiceProvider;
+
 /**
  * Validate if the IDP sending this response is allowed to connect to the SP that made the request.
  **/
@@ -24,6 +26,11 @@ class EngineBlock_Corto_Filter_Command_ValidateAllowedConnection extends EngineB
     public function execute()
     {
         $sp = $this->_serviceProvider;
+
+        if ($this->sbsFlowActive($sp)) {
+            return;
+        }
+
         // When dealing with an SP that acts as a trusted proxy, we should perform the validatoin on the proxying SP
         // and not the proxy itself.
         if ($sp->getCoins()->isTrustedProxy()) {
@@ -41,4 +48,9 @@ public function execute()
             );
         }
     }
+
+    private function sbsFlowActive(ServiceProvider $sp)
+    {
+        return $sp->getCoins()->collabEnabled();
+    }
 }

library/EngineBlock/Corto/Filter/Input.php

@@ -100,6 +100,8 @@ public function getCommands()
 
         // SRAM Test filter
         // When feature_enable_sram_interrupt enabled
+        // @TODO Should this check be here, or in the filter itself like \EngineBlock_Corto_Filter_Command_SsoNotificationCookieFilter
+        // @TODO if it stays here, add test to make sure it's in the command[] or not
         if ($featureConfiguration->isEnabled('eb.feature_enable_sram_interrupt')) {
             $commands[] = new EngineBlock_Corto_Filter_Command_SRAMTestFilter();
         }

library/EngineBlock/Corto/Module/Service/AssertionConsumer.php

@@ -171,7 +171,7 @@ public function serve($serviceName, Request $httpRequest)
         $this->_server->filterInputAssertionAttributes($receivedResponse, $receivedRequest);
 
         // Send SRAM Interrupt call
-        if ("" != $receivedResponse->getSRAMInterruptNonce()) {
+        if ($receivedResponse->getSRAMInterruptNonce() !== "") {
             $log->info('Handle SRAM Interrupt callout');
 
             // Add the SRAM step

library/EngineBlock/Saml2/ResponseAnnotationDecorator.php

@@ -311,24 +311,11 @@ public function setIsTransparentErrorResponse(bool $isTransparentErrorResponse):
         $this->isTransparentErrorResponse = $isTransparentErrorResponse;
     }
 
-    /**
-     * @param bool
-     */
-    public function setSRAMInterrupt(bool $SRAMInterrupt)
-    {
-        $this->SRAMInterrupt = $SRAMInterrupt;
-    }
-
-    /**
-     * @param string
-     */
-    public function setSRAMInterruptNonce(string $SRAMInterruptNonce)
+    public function setSRAMInterruptNonce(string $SRAMInterruptNonce): void
     {
         $this->SRAMInterruptNonce = $SRAMInterruptNonce;
     }
-    /**
-     * @return string
-     */
+
     public function getSRAMInterruptNonce(): string
     {
         return $this->SRAMInterruptNonce;

src/OpenConext/EngineBlockBundle/Pdp/PdpClient.php

@@ -43,7 +43,7 @@ public function __construct(
         $this->policyDecisionPointPath = $policyDecisionPointPath;
     }
 
-    public function requestDecisionFor(Request $request) : PolicyDecision
+    public function requestInterruptDecisionFor(Request $request) : PolicyDecision
     {
         $jsonData = $this->httpClient->post(
             json_encode($request),

src/OpenConext/EngineBlockBundle/Pdp/PdpClientInterface.php

@@ -22,5 +22,5 @@
 
 interface PdpClientInterface
 {
-    public function requestDecisionFor(Request $request) : PolicyDecision;
+    public function requestInterruptDecisionFor(Request $request) : PolicyDecision;
 }

src/OpenConext/EngineBlockBundle/Resources/config/services.yml

@@ -207,11 +207,32 @@ services:
         arguments:
             - base_uri: "%pdp.host%"
               auth: ["%pdp.username%", "%pdp.password%", "Basic"]
-              # Verify CAs for certificates for prod, but not for other environments
-              # as we are working with self signed signatures
+                # Verify CAs for certificates for prod, but not for other environments
+                # as we are working with self signed signatures
               verify: "@=service('kernel').getEnvironment() === 'prod'"
               timeout: "%http_client.timeout%"
 
+    engineblock.sbs.sbs_client:
+        class: OpenConext\EngineBlockBundle\Sbs\SbsClient
+        arguments:
+            - "@engineblock.sbs.http_client"
+            - "%sram.interrupt_location%"
+            - "%sram.entitlements_location%"
+
+    engineblock.sbs.http_client:
+        class: OpenConext\EngineBlock\Http\HttpClient
+        arguments:
+            - "@engineblock.sbs.guzzle_http_client"
+
+    engineblock.sbs.guzzle_http_client:
+        class: GuzzleHttp\Client
+        arguments:
+            - base_uri: "%sram.authz_location%"
+              options:
+                  headers:
+                        Authentication: "%sram.api_token%"
+              timeout: "%http_client.timeout%"
+
     engineblock.authentication.authentication_loop_guard:
         class: OpenConext\EngineBlockBundle\Authentication\AuthenticationLoopGuard
         arguments:

src/OpenConext/EngineBlockBundle/Sbs/SbsClient.php

@@ -0,0 +1,83 @@
+<?php
+
+/**
+ * Copyright 2025 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace OpenConext\EngineBlockBundle\Sbs;
+
+use OpenConext\EngineBlock\Http\HttpClient;
+use OpenConext\EngineBlockBundle\Pdp\Dto\Request;
+use OpenConext\EngineBlockBundle\Pdp\Dto\Response;
+use OpenConext\EngineBlockBundle\Pdp\PdpClientInterface;
+use OpenConext\EngineBlockBundle\Pdp\PolicyDecision;
+
+final class SbsClient implements PdpClientInterface
+{
+    /**
+     * @var HttpClient
+     */
+    private $httpClient;
+    /**
+     * @var string
+     */
+    private $interruptLocation;
+    /**
+     * @var string
+     */
+    private $entitlementsLocation;
+
+
+    public function __construct(
+        HttpClient $httpClient,
+        string $interruptLocation,
+        string $entitlementsLocation
+    ) {
+        $this->httpClient              = $httpClient;
+        $this->interruptLocation = $interruptLocation;
+        $this->entitlementsLocation = $entitlementsLocation;
+    }
+
+    public function requestInterruptDecisionFor(Request $request) : PolicyDecision
+    {
+        $jsonData = $this->httpClient->post(
+            json_encode($request),
+            $this->interruptLocation,
+            [],
+            [
+                'Content-Type' => 'application/json',
+                'Accept'       => 'application/json',
+            ]
+        );
+        $response = Response::fromData($jsonData);
+
+        return PolicyDecision::fromResponse($response);
+    }
+    public function requestEntitlementsFor(Request $request) : PolicyDecision
+    {
+        $jsonData = $this->httpClient->post(
+            json_encode($request),
+            $this->entitlementsLocation,
+            [],
+            [
+                'Content-Type' => 'application/json',
+                'Accept'       => 'application/json',
+            ]
+        );
+        $response = Response::fromData($jsonData);
+
+        return PolicyDecision::fromResponse($response);
+    }
+}