Implement state control

Author: johanib

app/config/parameters.yml.dist

@@ -231,7 +231,7 @@ parameters:
     feature_enable_consent: true
     feature_stepup_sfo_override_engine_entityid: false
     feature_enable_idp_initiated_flow: true
-    feature_enable_sram_interrupt: false
+    feature_enable_sram_interrupt: true
 
     ##########################################################################################
     ## PROFILE SETTINGS
@@ -318,8 +318,14 @@ parameters:
     ##########################################################################################
     ## Config for connecting with SBS server
     ## base_url must end with /. Locations must not start with /.
-    sram.api_token: "xxx"
-    sram.base_url: "http://127.0.0.1:12345/api/"
-    sram.authz_location: "authz"
-    sram.interrupt_location: "interrupt"
-    sram.entitlements_location: "entitlements"
+    sram.api_token: xxx
+    sram.base_url: 'https://engine.dev.openconext.local/functional-testing/'
+    sram.authz_location: authz
+    sram.interrupt_location: interrupt
+    sram.entitlements_location: entitlements
+    sram.verify_peer: false
+    sram.allowed_attributes:
+        - eduPersonEntitlement
+        - eduPersonPrincipalName
+        - uid
+        - sshkey

ci/qa/behat.sh

@@ -16,8 +16,8 @@ echo -e "\nInstalling database fixtures...\n"
 ./app/console doctrine:schema:drop --force --env=ci
 ./app/console doctrine:schema:create --env=ci
 
-#echo -e "\nPreparing frontend assets\n"
-#EB_THEME=skeune ./theme/scripts/prepare-test.js > /dev/null
+echo -e "\nPreparing frontend assets\n"
+EB_THEME=skeune ./theme/scripts/prepare-test.js > /dev/null
 
 chown -R www-data app/cache/
 chmod -R 0777 /tmp/eb-fixtures

docs/filter_commands.md

@@ -344,7 +344,7 @@ Uses:
 - EngineBlock_Saml2_AuthnRequestAnnotationDecorator
 
 ### SRAM test filter
-<<Add description here>>
+When enabled and the SP has the collab_enabled coin, the SBS integration flow will be activated allowing SRAM integration.
 
 
 

library/EngineBlock/Application/DiContainer.php

@@ -26,6 +26,7 @@
 use OpenConext\EngineBlock\Stepup\StepupEntityFactory;
 use OpenConext\EngineBlock\Stepup\StepupGatewayCallOutHelper;
 use OpenConext\EngineBlock\Validator\AllowedSchemeValidator;
+use OpenConext\EngineBlockBundle\Sbs\SbsAttributeMerger;
 use Symfony\Component\DependencyInjection\ContainerInterface as SymfonyContainerInterface;
 
 class EngineBlock_Application_DiContainer extends Pimple
@@ -306,6 +307,11 @@ protected function getSymfonyContainer()
         return $this->container;
     }
 
+    public function getSbsAttributeMerger(): SbsAttributeMerger
+    {
+        return $this->container->get('engineblack.sbs.attribute_merger');
+    }
+
     public function getSbsClient(): \OpenConext\EngineBlockBundle\Sbs\SbsClientInterface
     {
         return $this->container->get('engineblock.sbs.sbs_client');

library/EngineBlock/Application/ErrorHandler.php

@@ -64,7 +64,7 @@ public function exception(Throwable $e)
         }
 
         $this->_application->reportError($e);
-        die($e->getMessage());
+
         $message = 'An exceptional condition occurred. Contact support if this error persists.';
         die($message);
     }

library/EngineBlock/Application/FunctionalTestDiContainer.php

@@ -81,6 +81,4 @@ public function getEncryptionKeysConfiguration()
             ],
         ];
     }
-
-
 }

library/EngineBlock/Corto/Filter/Command/SRAMTestFilter.php

@@ -3,6 +3,7 @@
 use OpenConext\EngineBlockBundle\Configuration\FeatureConfigurationInterface;
 use OpenConext\EngineBlockBundle\Exception\InvalidSbsResponseException;
 use OpenConext\EngineBlockBundle\Sbs\Dto\AuthzRequest;
+use OpenConext\EngineBlockBundle\Sbs\SbsAttributeMerger;
 
 /**
  * Copyright 2021 Stichting Kennisnet
@@ -48,29 +49,17 @@ public function execute(): void
 
         try {
             $request = $this->buildRequest();
+
             $interruptResponse = $this->getSbsClient()->authz($request);
 
             if ($interruptResponse->msg === 'interrupt') {
-                // @TODO Consider if this should be an attribute?
                 $this->_response->setSRAMInterruptNonce($interruptResponse->nonce);
             } elseif ($interruptResponse->msg === 'authorized' && !empty($interruptResponse->attributes)) {
-                // @TODO make sure this has test coverage
-                // @TODO Discussed with Bas/Peter: Add list of allowed parameter names via parameters.yml
-                /**
-                 * "eduPersonEntitlement": ["[email protected]", "[email protected]"],
-                 * "eduPersonPrincipalName": ["[email protected]"],
-                 * "uid": ["test_user"],
-                 * "sshkey": ["ssh_key1", "ssh_key2"]
-                 */
-                $this->_responseAttributes = array_merge_recursive(
-                    $this->_responseAttributes,
-                    $interruptResponse->attributes
-                );
+                $this->_responseAttributes = $this->getSbsAttributeMerger()->mergeAttributes($this->_responseAttributes, $interruptResponse->attributes);
             } else {
                 throw new InvalidSbsResponseException(sprintf('Invalid SBS response received: %s', $interruptResponse->msg));
             }
         }catch (Throwable $e){
-            die($e->getMessage());
             throw new EngineBlock_Exception_SbsCheckFailed('The SBS server could not be queried: ' . $e->getMessage());
         }
     }
@@ -85,6 +74,11 @@ private function getFeatureConfiguration(): FeatureConfigurationInterface
         return EngineBlock_ApplicationSingleton::getInstance()->getDiContainer()->getFeatureConfiguration();
     }
 
+    private function getSbsAttributeMerger(): SbsAttributeMerger
+    {
+        return EngineBlock_ApplicationSingleton::getInstance()->getDiContainer()->getSbsAttributeMerger();
+    }
+
     /**
      * @return AuthzRequest
      * @throws EngineBlock_Corto_ProxyServer_Exception
@@ -94,7 +88,6 @@ private function buildRequest(): AuthzRequest
         $attributes = $this->getResponseAttributes();
         $id = $this->_request->getId();
 
-        // @TODO Check: can it occur this is not set?
         $user_id = $attributes['urn:mace:dir:attribute-def:uid'][0];
         $continue_url = $this->_server->getUrl('SRAMInterruptService', '') . "?ID=$id";
         $service_id = $this->_serviceProvider->entityId;

library/EngineBlock/Corto/Filter/Input.php

@@ -90,15 +90,13 @@ public function getCommands()
                 $diContainer->getAttributeAggregationClient()
             ),
 
+            new EngineBlock_Corto_Filter_Command_SRAMTestFilter(),
+
             // Check if the Policy Decision Point needs to be consulted for this request
             new EngineBlock_Corto_Filter_Command_EnforcePolicy(),
 
             // Apply the Attribute Release Policy before we do consent.
             new EngineBlock_Corto_Filter_Command_AttributeReleasePolicy(),
-
-            /* @TODO According to spec, this should be between AttributeAggregator and EnforcePolicy.
-             * Why is it here? */
-            new EngineBlock_Corto_Filter_Command_SRAMTestFilter(),
         );
 
         if (!$featureConfiguration->isEnabled('eb.run_all_manipulations_prior_to_consent')) {

library/EngineBlock/Corto/Module/Service/AssertionConsumer.php

@@ -175,15 +175,14 @@ public function serve($serviceName, Request $httpRequest)
             $log->info('Handle SRAM Interrupt callout');
 
             // Add the SRAM step
-            $currentProcessStep = $this->_processingStateHelper->addStep(
+            $this->_processingStateHelper->addStep(
                 $receivedRequest->getId(),
                 ProcessingStateHelperInterface::STEP_SRAM,
                 $this->getEngineSpRole($this->_server),
                 $receivedResponse
             );
 
-            // Redirect to SBS?
-            // It sets the header?
+            // Redirect to SRAM
             $this->_server->sendSRAMInterruptRequest($receivedResponse, $receivedRequest);
         }
 
@@ -231,7 +230,6 @@ public function serve($serviceName, Request $httpRequest)
             $nameId,
             $sp->getCoins()->isStepupForceAuthn()
         );
-
    }
 
     /**

library/EngineBlock/Corto/Module/Service/SRAMInterrupt.php

@@ -20,6 +20,7 @@
 use OpenConext\EngineBlock\Service\ProcessingStateHelperInterface;
 use OpenConext\EngineBlock\Stepup\StepupGatewayCallOutHelper;
 use OpenConext\EngineBlockBundle\Sbs\Dto\EntitlementsRequest;
+use OpenConext\EngineBlockBundle\Sbs\SbsAttributeMerger;
 use Symfony\Component\HttpFoundation\Request;
 
 class EngineBlock_Corto_Module_Service_SRAMInterrupt
@@ -45,18 +46,25 @@ class EngineBlock_Corto_Module_Service_SRAMInterrupt
      */
     private $_stepupGatewayCallOutHelper;
 
+    /**
+     * @var SbsAttributeMerger
+     */
+    private $sbsAttributeMerger;
+
 
     public function __construct(
         EngineBlock_Corto_ProxyServer $server,
         AuthenticationStateHelperInterface $stateHelper,
         ProcessingStateHelperInterface $processingStateHelper,
-        StepupGatewayCallOutHelper $stepupGatewayCallOutHelper
+        StepupGatewayCallOutHelper $stepupGatewayCallOutHelper,
+        SbsAttributeMerger $sbsAttributeMerger
     )
     {
         $this->_server = $server;
         $this->_authenticationStateHelper = $stateHelper;
         $this->_processingStateHelper = $processingStateHelper;
         $this->_stepupGatewayCallOutHelper = $stepupGatewayCallOutHelper;
+        $this->sbsAttributeMerger = $sbsAttributeMerger;
     }
 
     /**
@@ -69,7 +77,6 @@ public function __construct(
      */
     public function serve($serviceName, Request $httpRequest)
     {
-        /** @TODO How to test this class? */
         $application = EngineBlock_ApplicationSingleton::getInstance();
 
         // Get active request
@@ -90,18 +97,10 @@ public function serve($serviceName, Request $httpRequest)
         $interruptResponse = $this->getSbsClient()->requestEntitlementsFor($request);
 
         if (!empty($interruptResponse->attributes)) {
-            /**
-             * @TODO make sure this has test coverage
-             */
-            $attributes = array_merge_recursive($attributes, $interruptResponse->attributes);
+            $attributes = $this->sbsAttributeMerger->mergeAttributes($attributes, $interruptResponse->attributes);
             $receivedResponse->getAssertion()->setAttributes($attributes);
         }
 
-        /**
-         * @JOHAN Waarom zit hier stepup in? Zou dat niet via de 'reguliere' flow afgetrapt moeten worden?
-         * Kunnen we hier \EngineBlock_Corto_Module_Service_AssertionConsumer::serve gebruiken? Code daar wegsplitsen naar een shared service?
-         */
-
         /*
          * Continue to Consent/StepUp
          */
@@ -135,7 +134,7 @@ public function serve($serviceName, Request $httpRequest)
             return;
         }
 
-        $log->info('Handle Stepup authentication callout');
+        $this->_server->getLogger()->info('Handle Stepup authentication callout');
 
         // Add Stepup authentication step
         $currentProcessStep = $this->_processingStateHelper->addStep(