Add SRAM Testfilter

Add processSRAMInterrupt route

Working SRAM interrupt route

Manipulate attributes in interrupt

Add token parameter

Rename endpoints

Author: mrvanes

app/config/config.yml

@@ -29,7 +29,7 @@ open_conext_engine_block:
         eb.enable_sso_session_cookie: "%feature_enable_sso_session_cookie%"
         eb.feature_enable_idp_initiated_flow: "%feature_enable_idp_initiated_flow%"
         eb.stepup.sfo.override_engine_entityid: "%feature_stepup_sfo_override_engine_entityid%"
-
+        eb.feature_enable_sram_interrupt: "%feature_enable_sram_interrupt%"
 
 swiftmailer:
     transport: "%mailer_transport%"

app/config/parameters.yml.dist

@@ -231,6 +231,7 @@ parameters:
     feature_enable_consent: true
     feature_stepup_sfo_override_engine_entityid: false
     feature_enable_idp_initiated_flow: true
+    feature_enable_sram_interrupt: true
 
     ##########################################################################################
     ## PROFILE SETTINGS

library/EngineBlock/Application/DiContainer.php

@@ -538,6 +538,12 @@ protected function getStepupEndpoint()
         return $this->container->get('engineblock.configuration.stepup.endpoint');
     }
 
+    /** @return \OpenConext\EngineBlock\SRAM\SRAMEndpoint $sramEndpoint */
+    public function getSRAMEndpoint()
+    {
+        return $this->container->get('engineblock.configuration.sram.endpoint');
+    }
+
     /** @return string */
     public function getStepupEntityIdOverrideValue()
     {

library/EngineBlock/Corto/Adapter.php

@@ -127,6 +127,11 @@ public function processWayf()
         $this->_callCortoServiceUri('continueToIdp');
     }
 
+    public function processSRAMInterrupt()
+    {
+        $this->_callCortoServiceUri('SRAMInterruptService');
+    }
+
     public function processConsent()
     {
         $this->_callCortoServiceUri('processConsentService');

library/EngineBlock/Corto/Filter/Command/SRAMTestFilter.php

@@ -0,0 +1,81 @@
+<?php
+
+/**
+ * Copyright 2021 Stichting Kennisnet
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+class EngineBlock_Corto_Filter_Command_SRAMTestFilter extends EngineBlock_Corto_Filter_Command_Abstract
+    implements EngineBlock_Corto_Filter_Command_ResponseAttributesModificationInterface
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function getResponseAttributes()
+    {
+        return $this->_responseAttributes;
+    }
+
+    public function execute(): void
+    {
+
+        $application = EngineBlock_ApplicationSingleton::getInstance();
+
+        $sramEndpoint = $application->getDiContainer()->getSRAMEndpoint();
+        $sramApiToken = $sramEndpoint->getApiToken();
+        $sramAuthzLocation = $sramEndpoint->getAuthzLocation();
+        // $sramAuthzLocation = 'http://192.168.0.1:12345/api';
+
+        error_log("SRAMTestFilter execute");
+
+        $attributes = $this->getResponseAttributes();
+
+        $uid = $attributes['urn:mace:dir:attribute-def:uid'][0];
+        $id = $this->_request->getId();
+        $continue_url = $this->_server->getUrl('SRAMInterruptService', '') . "?ID=$id";
+
+        $headers = array(
+            "Authorization: $sramApiToken"
+        );
+
+        $post = array(
+            'uid' => $uid,
+            'continue_url' => $continue_url,
+        );
+
+        $options = [
+            CURLOPT_HEADER => false,
+            CURLOPT_RETURNTRANSFER => true,
+            CURLOPT_HTTPHEADER => $headers,
+            CURLOPT_POST => true,
+            CURLOPT_POSTFIELDS => $post,
+        ];
+
+
+        $ch = curl_init($sramAuthzLocation);
+        curl_setopt_array($ch, $options);
+
+        $data = curl_exec($ch);
+        curl_close($ch);
+
+        $body = json_decode($data);
+        error_log("SRAMTestFilter " . var_export($body, true));
+
+        $msg = $body->msg;
+        if ('interrupt' == $msg) {
+            $this->_response->setSRAMInterruptNonce($body->nonce);
+        }
+
+    }
+}

library/EngineBlock/Corto/Filter/Input.php

@@ -95,8 +95,15 @@ public function getCommands()
 
             // Apply the Attribute Release Policy before we do consent.
             new EngineBlock_Corto_Filter_Command_AttributeReleasePolicy(),
+
         );
 
+        // SRAM Test filter
+        // When feature_enable_sram_interrupt enabled
+        if ($featureConfiguration->isEnabled('eb.feature_enable_sram_interrupt')) {
+            $commands[] = new EngineBlock_Corto_Filter_Command_SRAMTestFilter();
+        }
+
         if (!$featureConfiguration->isEnabled('eb.run_all_manipulations_prior_to_consent')) {
             return $commands;
         }

library/EngineBlock/Corto/Module/Service/AssertionConsumer.php

@@ -170,6 +170,21 @@ public function serve($serviceName, Request $httpRequest)
 
         $this->_server->filterInputAssertionAttributes($receivedResponse, $receivedRequest);
 
+        // Send SRAM Interrupt call
+        if ($receivedResponse->getSRAMInterruptNonce() != Null) {
+            $log->info('Handle SRAM Interrupt callout');
+
+            // Add the SRAM step
+            $currentProcessStep = $this->_processingStateHelper->addStep(
+                $receivedRequest->getId(),
+                ProcessingStateHelperInterface::STEP_SRAM,
+                $this->getEngineSpRole($this->_server),
+                $receivedResponse
+            );
+
+            $this->_server->sendSRAMInterruptRequest($receivedResponse, $receivedRequest);
+        }
+
         // Add the consent step
         $currentProcessStep = $this->_processingStateHelper->addStep(
             $receivedRequest->getId(),
@@ -214,7 +229,8 @@ public function serve($serviceName, Request $httpRequest)
             $nameId,
             $sp->getCoins()->isStepupForceAuthn()
         );
-    }
+
+   }
 
     /**
      * @return AuthenticationState

library/EngineBlock/Corto/Module/Service/SRAMInterrupt.php

@@ -0,0 +1,190 @@
+<?php
+
+/**
+ * Copyright 2010 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+use OpenConext\EngineBlock\Service\AuthenticationStateHelperInterface;
+use OpenConext\EngineBlock\Service\ProcessingStateHelperInterface;
+use OpenConext\EngineBlock\Stepup\StepupGatewayCallOutHelper;
+use SAML2\Constants;
+use SAML2\Response;
+use Symfony\Component\HttpFoundation\Request;
+
+class EngineBlock_Corto_Module_Service_SRAMInterrupt
+    implements EngineBlock_Corto_Module_Service_ServiceInterface
+{
+    /**
+     * @var EngineBlock_Corto_ProxyServer
+     */
+    protected $_server;
+
+    /**
+     * @var AuthenticationStateHelperInterface
+     */
+    private $_authenticationStateHelper;
+
+    /**
+     * @var ProcessingStateHelperInterface
+     */
+    private $_processingStateHelper;
+
+    /**
+     * @var StepupGatewayCallOutHelper
+     */
+    private $_stepupGatewayCallOutHelper;
+
+
+    public function __construct(
+        EngineBlock_Corto_ProxyServer $server,
+        AuthenticationStateHelperInterface $stateHelper,
+        ProcessingStateHelperInterface $processingStateHelper,
+        StepupGatewayCallOutHelper $stepupGatewayCallOutHelper
+    )
+    {
+        $this->_server = $server;
+        $this->_authenticationStateHelper = $stateHelper;
+        $this->_processingStateHelper = $processingStateHelper;
+        $this->_stepupGatewayCallOutHelper = $stepupGatewayCallOutHelper;
+    }
+
+    /**
+     * @param $serviceName
+     * @param Request $httpRequest
+     */
+    public function serve($serviceName, Request $httpRequest)
+    {
+
+        $application = EngineBlock_ApplicationSingleton::getInstance();
+
+        $sramEndpoint = $application->getDiContainer()->getSRAMEndpoint();
+        $sramApiToken = $sramEndpoint->getApiToken();
+        $sramEntitlementsLocation = $sramEndpoint->getEntitlementsLocation();
+        // $sramEntitlementsLocation = 'http://192.168.0.1:12345/entitlements';
+
+        $log = $application->getLogInstance();
+
+        error_log("EngineBlock_Corto_Module_Service_SRAMInterrupt");
+
+        // Get active request
+        $id = $httpRequest->get('ID');
+
+        $nextProcessStep = $this->_processingStateHelper->getStepByRequestId(
+            $id,
+            ProcessingStateHelperInterface::STEP_SRAM
+        );
+
+        $receivedResponse = $nextProcessStep->getResponse();
+        $receivedRequest = $this->_server->getReceivedRequestFromResponse($receivedResponse);
+
+        /*
+         * TODO Add SRAM stuff
+         * Manipulate attributes
+         */
+        $attributes = $receivedResponse->getAssertion()->getAttributes();
+        $nonce = $receivedResponse->getSRAMInterruptNonce();
+
+        $headers = array(
+            "Authorization: $sramApiToken"
+        );
+
+        $post = array(
+            'nonce' => $nonce
+        );
+
+        $options = [
+            CURLOPT_HEADER => false,
+            CURLOPT_RETURNTRANSFER => true,
+            CURLOPT_HTTPHEADER => $headers,
+            CURLOPT_POST => true,
+            CURLOPT_POSTFIELDS => $post,
+        ];
+
+
+        $ch = curl_init($sramEntitlementsLocation);
+        curl_setopt_array($ch, $options);
+
+        $data = curl_exec($ch);
+        curl_close($ch);
+
+        $body = json_decode($data);
+        $entitlements = $body->entitlements;
+
+
+        if ($entitlements) {
+            $attributes['eduPersonEntitlement'] = $entitlements;
+            $receivedResponse->getAssertion()->setAttributes($attributes);
+        }
+
+        /*
+         * Continue to Consent/StepUp
+         */
+
+        // Flush log if SP or IdP has additional logging enabled
+        $issuer = $receivedResponse->getIssuer() ? $receivedResponse->getIssuer()->getValue() : '';
+        $idp = $this->_server->getRepository()->fetchIdentityProviderByEntityId($issuer);
+
+        if ($receivedRequest->isDebugRequest()) {
+            $sp = $this->_server->getEngineSpRole($this->_server);
+        } else {
+            $issuer = $receivedRequest->getIssuer() ? $receivedRequest->getIssuer()->getValue() : '';
+            $sp = $this->_server->getRepository()->fetchServiceProviderByEntityId($issuer);
+        }
+
+        // When dealing with an SP that acts as a trusted proxy, we should use the proxying SP and not the proxy itself.
+        if ($sp->getCoins()->isTrustedProxy()) {
+            // Overwrite the trusted proxy SP instance with that of the SP that uses the trusted proxy.
+            $sp = $this->_server->findOriginalServiceProvider($receivedRequest, $log);
+        }
+
+        $pdpLoas = $receivedResponse->getPdpRequestedLoas();
+        $loaRepository = $application->getDiContainer()->getLoaRepository();
+        $authnRequestLoas = $receivedRequest->getStepupObligations($loaRepository->getStepUpLoas());
+
+        $shouldUseStepup = $this->_stepupGatewayCallOutHelper->shouldUseStepup($idp, $sp, $authnRequestLoas, $pdpLoas);
+
+        // Goto consent if no Stepup authentication is needed
+        if (!$shouldUseStepup) {
+            $this->_server->sendConsentAuthenticationRequest($receivedResponse, $receivedRequest, $nextProcessStep->getRole(), $this->_authenticationStateHelper->getAuthenticationState());
+            return;
+        }
+
+        $log->info('Handle Stepup authentication callout');
+
+        // Add Stepup authentication step
+        $currentProcessStep = $this->_processingStateHelper->addStep(
+            $receivedRequest->getId(),
+            ProcessingStateHelperInterface::STEP_STEPUP,
+            $application->getDiContainer()->getStepupIdentityProvider($this->_server),
+            $receivedResponse
+        );
+
+        // Get mapped AuthnClassRef and get NameId
+        $nameId = clone $receivedResponse->getNameId();
+        $authnClassRef = $this->_stepupGatewayCallOutHelper->getStepupLoa($idp, $sp, $authnRequestLoas, $pdpLoas);
+
+
+
+        $this->_server->sendStepupAuthenticationRequest(
+            $receivedRequest,
+            $currentProcessStep->getRole(),
+            $authnClassRef,
+            $nameId,
+            $sp->getCoins()->isStepupForceAuthn()
+        );
+
+
+    }
+}

library/EngineBlock/Corto/Module/Services.php

@@ -113,6 +113,13 @@ private function factoryService($className, EngineBlock_Corto_ProxyServer $serve
                     $diContainer->getAuthenticationStateHelper(),
                     $diContainer->getProcessingStateHelper()
                 );
+            case EngineBlock_Corto_Module_Service_SRAMInterrupt::class :
+                return new EngineBlock_Corto_Module_Service_SRAMInterrupt(
+                    $server,
+                    $diContainer->getAuthenticationStateHelper(),
+                    $diContainer->getProcessingStateHelper(),
+                    $diContainer->getStepupGatewayCallOutHelper()
+                );
             case EngineBlock_Corto_Module_Service_AssertionConsumer::class :
                 return new EngineBlock_Corto_Module_Service_AssertionConsumer(
                     $server,