Add sbs-stub

Align EB/stub with real SBS authz parameters

Use SBS api namespace

Author: mrvanes

app/config/parameters.yml.dist

@@ -312,3 +312,12 @@ parameters:
     # used in the authentication log record. The attributeName will be searched in the response attributes and if present
     # the log data will be enriched. The values of the response attributes are the final values after ARP and Attribute Manipulation.
     auth.log.attributes: []
+
+    ##########################################################################################
+    ## SRAM Settings
+    ##########################################################################################
+    ## Currently this is used for the outgoing requests with the PDP and AA client
+    sram.api_token: "xxx"
+    sram.authz_location: "http://127.0.0.1:12345/api"
+    sram.interrupt_location: "http://127.0.0.1:12345/interrupt"
+    sram.entitlements_location: "http://127.0.0.1:12345/entitlements"

library/EngineBlock/Corto/Filter/Command/SRAMTestFilter.php

@@ -41,17 +41,22 @@ public function execute(): void
 
         $attributes = $this->getResponseAttributes();
 
-        $uid = $attributes['urn:mace:dir:attribute-def:uid'][0];
         $id = $this->_request->getId();
+
+        $user_id = $attributes['urn:mace:dir:attribute-def:uid'][0];
         $continue_url = $this->_server->getUrl('SRAMInterruptService', '') . "?ID=$id";
+        $service_id = $this->_serviceProvider->entityId;
+        $issuer_id = $this->_identityProvider->entityId;
 
         $headers = array(
             "Authorization: $sramApiToken"
         );
 
         $post = array(
-            'uid' => $uid,
+            'user_id' => $user_id,
             'continue_url' => $continue_url,
+            'service_id' => $service_id,
+            'issuer_id' => $issuer_id
         );
 
         $options = [
@@ -70,11 +75,15 @@ public function execute(): void
         curl_close($ch);
 
         $body = json_decode($data);
-        error_log("SRAMTestFilter " . var_export($body, true));
+        // error_log("SRAMTestFilter " . var_export($body, true));
 
         $msg = $body->msg;
         if ('interrupt' == $msg) {
             $this->_response->setSRAMInterruptNonce($body->nonce);
+        } else {
+            if ($body->attributes) {
+                $this->_responseAttributes = array_merge_recursive($this->_responseAttributes, (array) $body->attributes);
+            }
         }
 
     }

library/EngineBlock/Corto/Module/Service/AssertionConsumer.php

@@ -171,7 +171,7 @@ public function serve($serviceName, Request $httpRequest)
         $this->_server->filterInputAssertionAttributes($receivedResponse, $receivedRequest);
 
         // Send SRAM Interrupt call
-        if ($receivedResponse->getSRAMInterruptNonce() != Null) {
+        if ("" != $receivedResponse->getSRAMInterruptNonce()) {
             $log->info('Handle SRAM Interrupt callout');
 
             // Add the SRAM step

library/EngineBlock/Corto/Module/Service/SRAMInterrupt.php

@@ -120,11 +120,9 @@ public function serve($serviceName, Request $httpRequest)
         curl_close($ch);
 
         $body = json_decode($data);
-        $entitlements = $body->entitlements;
 
-
-        if ($entitlements) {
-            $attributes['eduPersonEntitlement'] = $entitlements;
+        if ($body->attributes) {
+            $attributes = array_merge_recursive($attributes, (array) $body->attributes);
             $receivedResponse->getAssertion()->setAttributes($attributes);
         }
 

library/EngineBlock/Saml2/ResponseAnnotationDecorator.php

@@ -82,7 +82,7 @@ class EngineBlock_Saml2_ResponseAnnotationDecorator extends EngineBlock_Saml2_Me
 
     protected $isTransparentErrorResponse = false;
 
-    protected $SRAMInterruptNonce = Null;
+    protected $SRAMInterruptNonce = "";
 
     /**
      * @param Response $response

sbs-stub/requirements.txt

@@ -0,0 +1 @@
+flask

sbs-stub/sbs.py

@@ -0,0 +1,97 @@
+#!/usr/bin/env python
+import json
+import logging
+import secrets
+
+from flask import Flask, Response, request, render_template
+
+logging.getLogger().setLevel(logging.DEBUG)
+logging.getLogger('flask_pyoidc').setLevel(logging.ERROR)
+logging.getLogger('oic').setLevel(logging.ERROR)
+logging.getLogger('jwkest').setLevel(logging.ERROR)
+logging.getLogger('urllib3').setLevel(logging.ERROR)
+logging.getLogger('werkzeug').setLevel(logging.ERROR)
+
+app = Flask(__name__, template_folder='templates', static_folder='static')
+
+nonces = {}
+
+
+def debug(request):
+    for header in request.headers:
+        logging.debug(header)
+    for key, value in request.form.items():
+        logging.debug(f'POST {key}: {value}')
+
+
+@app.route('/api/users/proxy_authz_eb', methods=['POST'])
+def api():
+    logging.debug('-> /api/users/proxy_authz_eb')
+    debug(request)
+
+    uid = request.form.get('user_id')
+    continue_url = request.form.get('continue_url')
+    service_entity_id = request.form.get('service_id')
+    issuer_id = request.form.get('issuer_id')
+
+    nonce = secrets.token_urlsafe()
+    nonces[nonce] = (uid, continue_url, service_entity_id, issuer_id)
+
+    response = Response(status=200)
+    body = {
+        'msg': 'interrupt',
+        # 'msg': 'skip',
+        'nonce': nonce,
+        'attributes': {
+            'urn:mace:dir:attribute-def:eduPersonEntitlement': [
+                uid,
+                nonce,
+                'urn:foobar'
+            ]
+        }
+    }
+
+    logging.debug(f'<- {body}')
+    response.data = json.dumps(body)
+
+    return response
+
+
+@app.route('/api/users/interrupt', methods=['GET'])
+def interrupt():
+    logging.debug('-> /api/users/interrupt')
+    nonce = request.args.get('nonce')
+    (uid, continue_url, service_entity_id, issuer_id) = nonces.get(nonce, ('unknown', '/', '/', ''))
+    response = render_template('interrupt.j2', uid=uid,
+                               service_entity_id=service_entity_id, issuer_id=issuer_id, url=continue_url)
+
+    return response
+
+
+@app.route('/api/users/attributes', methods=['POST'])
+def entitlements():
+    logging.debug('-> /api/users/attributes')
+    debug(request)
+
+    nonce = request.form.get('nonce')
+    (uid, _, _, _) = nonces.pop(nonce)
+
+    response = Response(status=200)
+    body = {
+        'attributes': {
+            'urn:mace:dir:attribute-def:eduPersonEntitlement': [
+                uid,
+                nonce,
+                'urn:foobar',
+            ]
+        }
+    }
+
+    logging.debug(f'<- {body}')
+    response.data = json.dumps(body)
+
+    return response
+
+
+if __name__ == "__main__":
+    app.run(host='0.0.0.0', port=12345, debug=True)

sbs-stub/start

@@ -0,0 +1,2 @@
+#!/bin/sh
+./venv/bin/python sbs.py

sbs-stub/templates/interrupt.j2

@@ -0,0 +1,9 @@
+<html>
+<body>
+<p>Hello {{uid}}!!</p>
+<p>Coming from {{issuer_id}}</p>
+<p>Going to {{service_entity_id}}</p>
+<p><input type=checkbox> Accept AUP</p>
+<p><a href="{{url}}">Continue</a></p>
+</body>
+</html>

src/OpenConext/EngineBlock/SRAM/SRAMEndpoint.php

@@ -41,12 +41,12 @@ class SRAMEndpoint
      */
     private $entitlementsLocation;
 
-    public function __construct(?string $apiToken,
-                                ?string $authzLocation,
-                                ?string $interruptLocation,
-                                ?string $entitlementsLocation
-                                )
-    {
+    public function __construct(
+        ?string $apiToken,
+        ?string $authzLocation,
+        ?string $interruptLocation,
+        ?string $entitlementsLocation
+    ) {
         $this->apiToken = $apiToken;
         $this->authzLocation = $authzLocation;
         $this->interruptLocation = $interruptLocation;
@@ -84,5 +84,4 @@ public function getEntitlementsLocation() : string
     {
         return $this->entitlementsLocation;
     }
-
 }