OpenConext
diff --git a/‎app/config/parameters.yml.dist‎
Lines changed: 13 additions & 5 deletions b/‎app/config/parameters.yml.dist‎
Lines changed: 13 additions & 5 deletions
diff --git a/‎docs/filter_commands.md‎
Lines changed: 9 additions & 8 deletions b/‎docs/filter_commands.md‎
Lines changed: 9 additions & 8 deletions
diff --git a/‎library/EngineBlock/Application/DiContainer.php‎
Lines changed: 11 additions & 6 deletions b/‎library/EngineBlock/Application/DiContainer.php‎
Lines changed: 11 additions & 6 deletions
diff --git a/‎library/EngineBlock/Application/TestDiContainer.php‎
Lines changed: 33 additions & 1 deletion b/‎library/EngineBlock/Application/TestDiContainer.php‎
Lines changed: 33 additions & 1 deletion
diff --git a/‎library/EngineBlock/Corto/Filter/Command/EnforcePolicy.php‎
Lines changed: 1 addition & 1 deletion b/‎library/EngineBlock/Corto/Filter/Command/EnforcePolicy.php‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎library/EngineBlock/Corto/Filter/Command/SRAMTestFilter.php‎
Lines changed: 58 additions & 51 deletions b/‎library/EngineBlock/Corto/Filter/Command/SRAMTestFilter.php‎
Lines changed: 58 additions & 51 deletions
diff --git a/‎library/EngineBlock/Corto/Filter/Input.php‎
Lines changed: 2 additions & 9 deletions b/‎library/EngineBlock/Corto/Filter/Input.php‎
Lines changed: 2 additions & 9 deletions
diff --git a/‎library/EngineBlock/Corto/Module/Service/AssertionConsumer.php‎
Lines changed: 2 additions & 2 deletions b/‎library/EngineBlock/Corto/Module/Service/AssertionConsumer.php‎
Lines changed: 2 additions & 2 deletions
@@ -316,8 +316,16 @@ parameters:
     ##########################################################################################
     ## SRAM Settings
     ##########################################################################################
-    ## Currently this is used for the outgoing requests with the PDP and AA client
-    sram.api_token: "xxx"
-    sram.authz_location: "http://127.0.0.1:12345/api"
-    sram.interrupt_location: "http://127.0.0.1:12345/interrupt"
-    sram.entitlements_location: "http://127.0.0.1:12345/entitlements"
+    ## Config for connecting with SBS server
+    ## base_url must end with /. Locations must not start with /.
+    sram.api_token: xxx
+    sram.base_url: 'https://engine.dev.openconext.local/functional-testing/'
+    sram.authz_location: authz
+    sram.interrupt_location: interrupt
+    sram.entitlements_location: entitlements
+    sram.verify_peer: false
+    sram.allowed_attributes:
+        - eduPersonEntitlement
+        - eduPersonPrincipalName
+        - uid
+        - sshkey
@@ -1,8 +1,8 @@
 # EngineBlock Input and Output Command Chains
 
 EngineBlock pre-processes incoming and outgoing SAML Responses using so-called Filters. These filters provide specific,
-critical functionality, by invoking a sequence of Filter Commands. However, it is not easily discoverable what these 
-Filters and Filter Commands exactly do and how they work. This document outlines how these Filters and Filter Commands 
+critical functionality, by invoking a sequence of Filter Commands. However, it is not easily discoverable what these
+Filters and Filter Commands exactly do and how they work. This document outlines how these Filters and Filter Commands
 work and what each filter command does.
 
 The chains are:
@@ -13,11 +13,11 @@ The specific commands can be found in the [`library\EngineBlock\Corto\Filter\Com
 
 ## Input and Output Filters
 
-These are called by [`ProxyServer`][ps], through [`filterOutputAssertionAttributes`][fOAA] and 
+These are called by [`ProxyServer`][ps], through [`filterOutputAssertionAttributes`][fOAA] and
 [`filterInputAssertionAttributes`][fIAA] calling [`callAttributeFilter`][cAF], which invokes the actual Filter Commands.
 
 Each Filter then executes Filter Commands in a specified order for Input (between receiving Assertion from IdP and
-Consent) and Output (after Consent, before sending Response to SP).  
+Consent) and Output (after Consent, before sending Response to SP).
 What the filter does is:
 ```
 Loop over given Filter Commands, for each Command:
@@ -30,7 +30,7 @@ Loop over given Filter Commands, for each Command:
     set the collabPersonId (either: string stored in session, string found in Response, string found in responseAttributes, string found in nameId response or null, in that order)
     execute the command
 ```
-During the loop, the Response, responseAttributes and collabPersonId are retrieved from the previous command and are 
+During the loop, the Response, responseAttributes and collabPersonId are retrieved from the previous command and are
 used by the commands that follows.
 
 A command can also stop filtering by calling `$this->stopFiltering();`
@@ -67,7 +67,7 @@ Uses:
 - EngineBlock_Saml2_ResponseAnnotationDecorator
 - responseAttributes
 
-### NormalizeAttributes 
+### NormalizeAttributes
 Convert all OID attributes to URN and remove the OID variant
 
 Depends on:
@@ -193,7 +193,7 @@ Modifies:
 See: [Engineblock Attribute Aggregation](attribute_aggregation.md) for more information.
 
 ### EnforcePolicy
-Makes a call to the external PolicyDecisionPoint service. This returns a response which details whether or not the 
+Makes a call to the external PolicyDecisionPoint service. This returns a response which details whether or not the
 current User is allowed access to the Service Provider. For more information see [the PDP repository README][pdp-repo]
 
 Depends On:
@@ -343,7 +343,8 @@ Uses:
 - OpenConext\EngineBlock\Metadata\Entity\IdentityProvider
 - EngineBlock_Saml2_AuthnRequestAnnotationDecorator
 
-
+### SRAM test filter
+When enabled and the SP has the collab_enabled coin, the SBS integration flow will be activated allowing SRAM integration.
 
 
 
 
@@ -26,6 +26,7 @@
 use OpenConext\EngineBlock\Stepup\StepupEntityFactory;
 use OpenConext\EngineBlock\Stepup\StepupGatewayCallOutHelper;
 use OpenConext\EngineBlock\Validator\AllowedSchemeValidator;
+use OpenConext\EngineBlockBundle\Sbs\SbsAttributeMerger;
 use Symfony\Component\DependencyInjection\ContainerInterface as SymfonyContainerInterface;
 
 class EngineBlock_Application_DiContainer extends Pimple
@@ -306,6 +307,16 @@ protected function getSymfonyContainer()
         return $this->container;
     }
 
+    public function getSbsAttributeMerger(): SbsAttributeMerger
+    {
+        return $this->container->get('engineblack.sbs.attribute_merger');
+    }
+
+    public function getSbsClient(): \OpenConext\EngineBlockBundle\Sbs\SbsClientInterface
+    {
+        return $this->container->get('engineblock.sbs.sbs_client');
+    }
+
     public function getPdpClient()
     {
         return $this->container->get('engineblock.pdp.pdp_client');
@@ -538,12 +549,6 @@ protected function getStepupEndpoint()
         return $this->container->get('engineblock.configuration.stepup.endpoint');
     }
 
-    /** @return \OpenConext\EngineBlock\SRAM\SRAMEndpoint $sramEndpoint */
-    public function getSRAMEndpoint()
-    {
-        return $this->container->get('engineblock.configuration.sram.endpoint');
-    }
-
     /** @return string */
     public function getStepupEntityIdOverrideValue()
     {
 
@@ -17,7 +17,9 @@
  */
 
 use OpenConext\EngineBlock\Stepup\StepupEndpoint;
+use OpenConext\EngineBlockBundle\Configuration\FeatureConfigurationInterface;
 use OpenConext\EngineBlockBundle\Pdp\PdpClientInterface;
+use OpenConext\EngineBlockBundle\Sbs\SbsClientInterface;
 
 /**
  * Creates mocked versions of dependencies for unit testing
@@ -29,6 +31,16 @@ class EngineBlock_Application_TestDiContainer extends EngineBlock_Application_Di
      */
     private $pdpClient;
 
+    /**
+     * @var SbsClientInterface|null
+     */
+    private $sbsClient;
+
+    /**
+     * @var FeatureConfigurationInterface|null
+     */
+    private $featureConfiguration;
+
     public function getXmlConverter()
     {
         return Phake::mock('EngineBlock_Corto_XmlToArray');
@@ -49,11 +61,31 @@ public function getPdpClient()
         return $this->pdpClient ?? parent::getPdpClient();
     }
 
-    public function setPdpClient(PdpClientInterface $pdpClient)
+    public function setPdpClient(?PdpClientInterface $pdpClient)
     {
         $this->pdpClient = $pdpClient;
     }
 
+    public function setSbsClient(?SbsClientInterface $sbsClient)
+    {
+        $this->sbsClient = $sbsClient;
+    }
+
+    public function getSbsClient(): SbsClientInterface
+    {
+        return $this->sbsClient ?? parent::getSbsClient();
+    }
+
+    public function setFeatureConfiguration(?FeatureConfigurationInterface $featureConfiguration)
+    {
+        $this->featureConfiguration = $featureConfiguration;
+    }
+
+    public function getFeatureConfiguration(): FeatureConfigurationInterface
+    {
+        return $this->featureConfiguration ?? parent::getFeatureConfiguration();
+    }
+
     public function getConsentFactory()
     {
         $consentFactoryMock = Phake::mock('EngineBlock_Corto_Model_Consent_Factory');
 
@@ -63,7 +63,7 @@ public function execute()
 
         try {
             $pdp = $this->getPdpClient();
-            $policyDecision = $pdp->requestInterruptDecisionFor($pdpRequest);
+            $policyDecision = $pdp->requestDecisionFor($pdpRequest);
         } catch (\OpenConext\EngineBlock\Http\Exception\HttpException $e) {
             throw new EngineBlock_Exception_PdpCheckFailed(
                 'Policy Enforcement Point: Could not perform PDP check: ' . $e->getMessage()
 
@@ -1,5 +1,10 @@
 <?php
 
+use OpenConext\EngineBlockBundle\Configuration\FeatureConfigurationInterface;
+use OpenConext\EngineBlockBundle\Exception\InvalidSbsResponseException;
+use OpenConext\EngineBlockBundle\Sbs\Dto\AuthzRequest;
+use OpenConext\EngineBlockBundle\Sbs\SbsAttributeMerger;
+
 /**
  * Copyright 2021 Stichting Kennisnet
  *
@@ -27,70 +32,72 @@ public function getResponseAttributes()
         return $this->_responseAttributes;
     }
 
+    public function getResponse()
+    {
+        return $this->_response;
+    }
+
     public function execute(): void
     {
-        $application = EngineBlock_ApplicationSingleton::getInstance();
+        if (!$this->getFeatureConfiguration()->isEnabled('eb.feature_enable_sram_interrupt')) {
+            return;
+        }
 
-        $sramEndpoint = $application->getDiContainer()->getSRAMEndpoint();
-        $sramApiToken = $sramEndpoint->getApiToken();
-        $sramAuthzLocation = $sramEndpoint->getAuthzLocation();
-        // $sramAuthzLocation = 'http://192.168.0.1:12345/api';
+        if ($this->_serviceProvider->getCoins()->collabEnabled() === false) {
+            return;
+        }
 
-        error_log("SRAMTestFilter execute");
+        try {
+            $request = $this->buildRequest();
 
-        $attributes = $this->getResponseAttributes();
+            $interruptResponse = $this->getSbsClient()->authz($request);
+
+            if ($interruptResponse->msg === 'interrupt') {
+                $this->_response->setSRAMInterruptNonce($interruptResponse->nonce);
+            } elseif ($interruptResponse->msg === 'authorized' && !empty($interruptResponse->attributes)) {
+                $this->_responseAttributes = $this->getSbsAttributeMerger()->mergeAttributes($this->_responseAttributes, $interruptResponse->attributes);
+            } else {
+                throw new InvalidSbsResponseException(sprintf('Invalid SBS response received: %s', $interruptResponse->msg));
+            }
+        }catch (Throwable $e){
+            throw new EngineBlock_Exception_SbsCheckFailed('The SBS server could not be queried: ' . $e->getMessage());
+        }
+    }
 
+    private function getSbsClient()
+    {
+        return EngineBlock_ApplicationSingleton::getInstance()->getDiContainer()->getSbsClient();
+    }
+
+    private function getFeatureConfiguration(): FeatureConfigurationInterface
+    {
+        return EngineBlock_ApplicationSingleton::getInstance()->getDiContainer()->getFeatureConfiguration();
+    }
+
+    private function getSbsAttributeMerger(): SbsAttributeMerger
+    {
+        return EngineBlock_ApplicationSingleton::getInstance()->getDiContainer()->getSbsAttributeMerger();
+    }
+
+    /**
+     * @return AuthzRequest
+     * @throws EngineBlock_Corto_ProxyServer_Exception
+     */
+    private function buildRequest(): AuthzRequest
+    {
+        $attributes = $this->getResponseAttributes();
         $id = $this->_request->getId();
 
         $user_id = $attributes['urn:mace:dir:attribute-def:uid'][0];
         $continue_url = $this->_server->getUrl('SRAMInterruptService', '') . "?ID=$id";
         $service_id = $this->_serviceProvider->entityId;
-        // @TODO at the very start of this function, check if the SP has `coin:collab_enabled`, skip otherwise?
         $issuer_id = $this->_identityProvider->entityId;
 
-        /***
-         * @TODO Move all curl related things to new HttpClient. See PDPClient as an example.
-         * @TODO Make sure it has tests
-         * @TODO add tests for this Input Filter
-         */
-
-        $headers = array(
-            "Authorization: $sramApiToken"
-        );
-
-        $post = array(
-            'user_id' => $user_id,
-            'continue_url' => $continue_url,
-            'service_id' => $service_id,
-            'issuer_id' => $issuer_id
+        return AuthzRequest::create(
+            $user_id,
+            $continue_url,
+            $service_id,
+            $issuer_id
         );
-
-        $options = [
-            CURLOPT_HEADER => false,
-            CURLOPT_RETURNTRANSFER => true,
-            CURLOPT_HTTPHEADER => $headers,
-            CURLOPT_POST => true,
-            CURLOPT_POSTFIELDS => $post,
-        ];
-
-
-        $ch = curl_init($sramAuthzLocation);
-        curl_setopt_array($ch, $options);
-
-        $data = curl_exec($ch);
-        curl_close($ch);
-
-        $body = json_decode($data, false);
-        // error_log("SRAMTestFilter " . var_export($body, true));
-
-        // @TODO Add integration test: Assert the redirect url on the saml response is SRAM
-
-        $msg = $body->msg;
-        if ($msg === 'interrupt') {
-            $this->_response->setSRAMInterruptNonce($body->nonce);
-        } elseif ($body->attributes) {
-            $this->_responseAttributes = array_merge_recursive($this->_responseAttributes, (array) $body->attributes);
-        }
-
     }
 }
@@ -90,22 +90,15 @@ public function getCommands()
                 $diContainer->getAttributeAggregationClient()
             ),
 
+            new EngineBlock_Corto_Filter_Command_SRAMTestFilter(),
+
             // Check if the Policy Decision Point needs to be consulted for this request
             new EngineBlock_Corto_Filter_Command_EnforcePolicy(),
 
             // Apply the Attribute Release Policy before we do consent.
             new EngineBlock_Corto_Filter_Command_AttributeReleasePolicy(),
-
         );
 
-        // SRAM Test filter
-        // When feature_enable_sram_interrupt enabled
-        // @TODO Should this check be here, or in the filter itself like \EngineBlock_Corto_Filter_Command_SsoNotificationCookieFilter
-        // @TODO if it stays here, add test to make sure it's in the command[] or not
-        if ($featureConfiguration->isEnabled('eb.feature_enable_sram_interrupt')) {
-            $commands[] = new EngineBlock_Corto_Filter_Command_SRAMTestFilter();
-        }
-
         if (!$featureConfiguration->isEnabled('eb.run_all_manipulations_prior_to_consent')) {
             return $commands;
         }
 
@@ -175,13 +175,14 @@ public function serve($serviceName, Request $httpRequest)
             $log->info('Handle SRAM Interrupt callout');
 
             // Add the SRAM step
-            $currentProcessStep = $this->_processingStateHelper->addStep(
+            $this->_processingStateHelper->addStep(
                 $receivedRequest->getId(),
                 ProcessingStateHelperInterface::STEP_SRAM,
                 $this->getEngineSpRole($this->_server),
                 $receivedResponse
             );
 
+            // Redirect to SRAM
             $this->_server->sendSRAMInterruptRequest($receivedResponse, $receivedRequest);
         }
 
@@ -229,7 +230,6 @@ public function serve($serviceName, Request $httpRequest)
             $nameId,
             $sp->getCoins()->isStepupForceAuthn()
         );
-
    }
 
     /**