From c2e7f080ca719a65195e095b9c9b8ceb7334a5bc Mon Sep 17 00:00:00 2001 From: Bas Zoetekouw Date: Tue, 8 Apr 2025 10:59:05 +0200 Subject: [PATCH 1/8] Add default timeout and max_authn_per_session settings Relaetd to https://github.com/OpenConext/OpenConext-engineblock/issues/1777 and https://github.com/OpenConext/OpenConext-engineblock/issues/1345 --- roles/engineblock/defaults/main.yml | 6 ++++++ roles/engineblock/templates/parameters.yml.j2 | 5 +++++ 2 files changed, 11 insertions(+) diff --git a/roles/engineblock/defaults/main.yml b/roles/engineblock/defaults/main.yml index f267d051d..747da8b2b 100644 --- a/roles/engineblock/defaults/main.yml +++ b/roles/engineblock/defaults/main.yml @@ -67,6 +67,12 @@ engine_minimum_execution_time_on_invalid_received_response: 5000 engine_time_frame_for_authentication_loop_in_seconds: 60 engine_maximum_authentication_procedures_allowed: 5 +# maximum number of outstandig AuthN requests per session; exceeding this results in a 429 +engine_max_authn_per_session: 30 + +# timeout when doing external queries (e.g., to PDP, AA, SBS) +engine_http_client_timeout: 10 + # This PCRE regex is used to blacklist incoming AuthnContextClassRef attributes on. If an empty string is used # the validation is skipped. The validator will throw an exception if the used regex is invalid. engine_stepup_authn_context_class_ref_blacklist_regex: '/http:\/\/{{ base_domain | regex_escape }}\/assurance\/loa[1-3]/' diff --git a/roles/engineblock/templates/parameters.yml.j2 b/roles/engineblock/templates/parameters.yml.j2 index 19a23f77e..78ba44eb4 100644 --- a/roles/engineblock/templates/parameters.yml.j2 +++ b/roles/engineblock/templates/parameters.yml.j2 
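Review bot: The comment on the new `engine_http_client_timeout` default does not say what unit the value is in, and the comment above `engine_max_authn_per_session` misspells "outstanding"; since these are the lines operators will read before overriding the values, both should be exact. I would write `# timeout in seconds for external queries (e.g. to PDP, AA, SBS)` and `# maximum number of outstanding AuthN requests per session; exceeding this results in a 429` — seconds is my assumption from the value 10, so confirm against EngineBlock's http_client configuration before committing the unit. It would also help to say in the comment that this timeout bounds how long a slow or unreachable PDP/AA/SBS can hold an EngineBlock worker, which is why a deployment should not raise it casually.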
@@ -147,6 +147,11 @@ parameters: ## The value for guest qualifier. Can be overridden for specific environments addgueststatus_guestqualifier: '{{ guest_qualifier | default('') }}' + ## the timeout used when querying external sources (PDP, AA, etc) + http_client.timeout: "{{ engine_http_client_timeout | int }}" + ## maximum number of simultaneous open authentications per session (exceed this, and receive a 429) + maximum_authentications_per_session: "{{ engine_max_authn_per_session | int }}" + ## Language cookie settings cookie.path: {{ cookie_path | default('/') }} cookie.secure: true From f3214da2565c9057c157cc44092397c76c5c512e Mon Sep 17 00:00:00 2001 From: Bas Zoetekouw Date: Mon, 14 Apr 2025 08:39:05 +0200 Subject: [PATCH 2/8] remove quotes for int --- roles/engineblock/templates/parameters.yml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/engineblock/templates/parameters.yml.j2 b/roles/engineblock/templates/parameters.yml.j2 index 78ba44eb4..c7e720780 100644 --- a/roles/engineblock/templates/parameters.yml.j2 +++ b/roles/engineblock/templates/parameters.yml.j2 @@ -148,9 +148,9 @@ parameters: addgueststatus_guestqualifier: '{{ guest_qualifier | default('') }}' ## the timeout used when querying external sources (PDP, AA, etc) - http_client.timeout: "{{ engine_http_client_timeout | int }}" + http_client.timeout: {{ engine_http_client_timeout | int }} ## maximum number of simultaneous open authentications per session (exceed this, and receive a 429) - maximum_authentications_per_session: "{{ engine_max_authn_per_session | int }}" + maximum_authentications_per_session: {{ engine_max_authn_per_session | int }} ## Language cookie settings cookie.path: {{ cookie_path | default('/') }} From 8987ba51fd0761c79ce5551950b4542f6f65ce71 Mon Sep 17 00:00:00 2001 
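Review bot: `http_client.timeout: {{ engine_http_client_timeout | int }}` renders `0` instead of failing when the variable is overridden with a non-numeric value such as `10s`, because Ansible's `int` filter falls back to its default of 0 rather than raising; if EngineBlock's HTTP client treats 0 as "no timeout" (Guzzle does), a typo silently removes the protection this setting adds. `maximum_authentications_per_session` has the same problem, and whether 0 there means "unlimited" or "block everything" is not visible in this hunk. Rather than masking it with `int(default=10)`, I would validate both in the role before templating, e.g. an `ansible.builtin.assert` task with `that: ["engine_http_client_timeout | int > 0", "engine_max_authn_per_session | int > 0"]`, so a bad override fails the play instead of being deployed. Dropping the quotes is the right call for Symfony parameters, which would otherwise see the string `"10"`.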
From: Bas Zoetekouw Date: Tue, 8 Apr 2025 11:02:49 +0200 Subject: [PATCH 3/8] Add engineblock parameters for SBS integration --- roles/engineblock/defaults/main.yml | 9 +++++++++ roles/engineblock/templates/parameters.yml.j2 | 11 +++++++++++ 2 files changed, 20 insertions(+) diff --git a/roles/engineblock/defaults/main.yml b/roles/engineblock/defaults/main.yml index 747da8b2b..e23915544 100644 --- a/roles/engineblock/defaults/main.yml +++ b/roles/engineblock/defaults/main.yml @@ -16,6 +16,7 @@ engine_api_feature_consent_listing: 1 engine_api_feature_consent_remove: 0 engine_api_feature_metadata_api: 1 engine_api_feature_deprovision: 1 +engine_feature_enable_sbs_interrupt: 0 # Cutoff point for showing unfiltered IdPs on the WAYF engine_wayf_cutoff_point_for_showing_unfiltered_idps: 50 @@ -92,6 +93,14 @@ engine_stepup_gateway_sfo_sso_location: "https://{{ engine_stepup_gateway_domain # The public key from the Stepup Gateway IdP engine_stepup_gateway_sfo_public_key_file: "{{ engine_keys.default.publicFile }}" +# SBS interrupt settings +engine_sbs_base_url: "sbs.{{ base_domain }}" +engine_sbs_attributes_allowed: + - 'urn:mace:dir:attribute-def:eduPersonEntitlement' + - 'urn:mace:dir:attribute-def:uid' + - 'urn:mace:dir:attribute-def:eduPersonPrincipalName' + - 'urn:oid:1.3.6.1.4.1.24552.500.1.1.1.13' + ## The minimum priority of messages that will be logged engine_logging_passthru_level: NOTICE diff --git a/roles/engineblock/templates/parameters.yml.j2 b/roles/engineblock/templates/parameters.yml.j2 index c7e720780..33dba58f5 100644 --- a/roles/engineblock/templates/parameters.yml.j2 +++ b/roles/engineblock/templates/parameters.yml.j2 
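Review bot: `engine_sbs_base_url` is documented as a base URL but holds a bare hostname (`sbs.{{ base_domain }}`); by the end of this series (patch 6/8) the template itself prepends `https://` and appends `/api/users/`, so an operator who sets a full URL here will produce `https://https://...`. Either rename the variable or add `# hostname of the SBS API only; the template adds https:// and the /api/users/ path` above it. The `engine_sbs_attributes_allowed` list looks like a trust boundary — presumably these are the attributes the external SBS service may add to a user's response, and `eduPersonEntitlement` and `eduPersonPrincipalName` drive authorization and identity at SPs — so a comment saying that anything listed here can be asserted by SBS would help whoever reviews the next addition, and the bare `urn:oid:1.3.6.1.4.1.24552.500.1.1.1.13` entry should carry its friendly attribute name. Finally the variables say `sbs` while the rendered parameters say `sram`; if SBS is the SRAM backend, a one-line note to that effect in the defaults avoids grep mismatches later.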
@@ -235,6 +235,7 @@ parameters: feature_enable_consent: {{ engine_feature_enable_consent | bool | to_json }} feature_stepup_sfo_override_engine_entityid: {{ engine_feature_stepup_override_entityid | bool | to_json }} feature_enable_idp_initiated_flow: {{ engine_feature_idp_initiated_flow | bool | to_json }} + feature_enable_sram_interrupt: {{ engine_feature_enable_sbs_interrupt | bool | to_json }} ########################################################################################## ## PROFILE SETTINGS ########################################################################################## @@ -312,3 +313,13 @@ parameters: # used in the authentication log record. The attributeName will be searched in the response attributes and if present # the log data will be enriched. The values of the response attributes are the final values after ARP and Attribute Manipulation. auth.log.attributes: {{ engineblock_log_attributes }} + + ########################################################################################## + ## SBS external authorization/attribute enrichtment + ########################################################################################## + sram.api_token: "{{ engine_sbs_api_token | default('') }}" + sram.base_url: "{{ engine_sbs_base_url }}" + sram.authz_location: "authz_eb" + sram.interrupt_location: "interrupt" + sram.verify_peer: true + sram.allowed_attributes: "{{ engine_sbs_attributes_allowed }}" From 00e7fd87d3ee5e5dfe6690cbd855c69407bee829 Mon Sep 17 00:00:00 2001 From: Bas Zoetekouw Date: Fri, 11 Apr 2025 16:29:49 +0200 Subject: [PATCH 4/8] add paramaeter for eb --- roles/engineblock/templates/parameters.yml.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/engineblock/templates/parameters.yml.j2 b/roles/engineblock/templates/parameters.yml.j2 index 33dba58f5..1b00c3296 100644 --- a/roles/engineblock/templates/parameters.yml.j2 +++ b/roles/engineblock/templates/parameters.yml.j2 
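Review bot: `sram.api_token: "{{ engine_sbs_api_token | default('') }}"` lets a deployment enable `feature_enable_sram_interrupt` without ever setting the token: the template renders cleanly with an empty string and the problem only shows at runtime, as failed or — depending on how EngineBlock treats an empty token, which this hunk does not show — unauthenticated calls to SBS. Make the token mandatory whenever the feature is on: `sram.api_token: "{{ (engine_sbs_api_token | default('')) if not (engine_feature_enable_sbs_interrupt | bool) else (engine_sbs_api_token | mandatory) }}"`. Keeping `sram.verify_peer: true` hard-coded rather than templated is the right choice; the token itself should come from a vault-encrypted variable, which the role cannot enforce but the defaults comment could say. Note that the `## SBS external authorization/attribute enrichtment` header also misspells "enrichment".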
@@ -320,6 +320,7 @@ parameters: sram.api_token: "{{ engine_sbs_api_token | default('') }}" sram.base_url: "{{ engine_sbs_base_url }}" sram.authz_location: "authz_eb" + sram.attributes_location: "authz_eb" sram.interrupt_location: "interrupt" sram.verify_peer: true sram.allowed_attributes: "{{ engine_sbs_attributes_allowed }}" From a4a7594a3cac86ac17514ae9e98f08f2d3bc31aa Mon Sep 17 00:00:00 2001 From: Bas Zoetekouw Date: Mon, 14 Apr 2025 08:57:07 +0200 Subject: [PATCH 5/8] Fix quotes --- roles/engineblock/templates/parameters.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/engineblock/templates/parameters.yml.j2 b/roles/engineblock/templates/parameters.yml.j2 index 1b00c3296..bbd37b26d 100644 --- a/roles/engineblock/templates/parameters.yml.j2 +++ b/roles/engineblock/templates/parameters.yml.j2 @@ -323,4 +323,4 @@ parameters: sram.attributes_location: "authz_eb" sram.interrupt_location: "interrupt" sram.verify_peer: true - sram.allowed_attributes: "{{ engine_sbs_attributes_allowed }}" + sram.allowed_attributes: {{ engine_sbs_attributes_allowed }} From 328cf4466bc3ec611a020f0df173a540860b44ca Mon Sep 17 00:00:00 2001 From: Bas Zoetekouw Date: Mon, 14 Apr 2025 08:59:50 +0200 Subject: [PATCH 6/8] correct form of sbs base_url --- roles/engineblock/templates/parameters.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/engineblock/templates/parameters.yml.j2 b/roles/engineblock/templates/parameters.yml.j2 index bbd37b26d..36ae888a1 100644 --- a/roles/engineblock/templates/parameters.yml.j2 +++ b/roles/engineblock/templates/parameters.yml.j2 
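Review bot: `sram.allowed_attributes: {{ engine_sbs_attributes_allowed }}` relies on Python's list repr happening to be a valid YAML flow sequence; that holds for the current single-quoted URNs but breaks as soon as an entry contains a quote, and it is invisible to yamllint on the template. The file already uses `| to_json` for the `feature_*` flags a few lines up, and JSON is valid YAML, so the consistent and robust form is `sram.allowed_attributes: {{ engine_sbs_attributes_allowed | to_json }}`. The `sram.attributes_location: "authz_eb"` value added by patch 4/8 is corrected in patch 7/8, so no comment on that here.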
@@ -318,7 +318,7 @@ parameters: ## SBS external authorization/attribute enrichtment ########################################################################################## sram.api_token: "{{ engine_sbs_api_token | default('') }}" - sram.base_url: "{{ engine_sbs_base_url }}" + sram.base_url: "https://{{ engine_sbs_base_url }}/api/users" sram.authz_location: "authz_eb" sram.attributes_location: "authz_eb" sram.interrupt_location: "interrupt" From da2824c3c6bc1f5c25577bab5728a2a36c8cf8a8 Mon Sep 17 00:00:00 2001 From: Bas Zoetekouw Date: Fri, 9 May 2025 10:33:03 +0200 Subject: [PATCH 7/8] Fix SBS attribute location --- roles/engineblock/templates/parameters.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/engineblock/templates/parameters.yml.j2 b/roles/engineblock/templates/parameters.yml.j2 index 36ae888a1..796244426 100644 --- a/roles/engineblock/templates/parameters.yml.j2 +++ b/roles/engineblock/templates/parameters.yml.j2 @@ -320,7 +320,7 @@ parameters: sram.api_token: "{{ engine_sbs_api_token | default('') }}" sram.base_url: "https://{{ engine_sbs_base_url }}/api/users" sram.authz_location: "authz_eb" - sram.attributes_location: "authz_eb" + sram.attributes_location: "attributes_eb" sram.interrupt_location: "interrupt" sram.verify_peer: true sram.allowed_attributes: {{ engine_sbs_attributes_allowed }} From ea8f93c0285dcd2ef9aba0dd8fbc2bfe3d8e8937 Mon Sep 17 00:00:00 2001 From: Bas Zoetekouw Date: Fri, 9 May 2025 11:26:17 +0200 Subject: [PATCH 8/8] fix sbs.base_url --- roles/engineblock/templates/parameters.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/engineblock/templates/parameters.yml.j2 b/roles/engineblock/templates/parameters.yml.j2 index 796244426..6247a9e75 100644 --- a/roles/engineblock/templates/parameters.yml.j2 +++ b/roles/engineblock/templates/parameters.yml.j2 
@@ -318,7 +318,7 @@ parameters: ## SBS external authorization/attribute enrichtment ########################################################################################## sram.api_token: "{{ engine_sbs_api_token | default('') }}" - sram.base_url: "https://{{ engine_sbs_base_url }}/api/users" + sram.base_url: "https://{{ engine_sbs_base_url }}/api/users/" sram.authz_location: "authz_eb" sram.attributes_location: "attributes_eb" sram.interrupt_location: "interrupt"
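Review bot: The trailing slash on `/api/users/` is load-bearing if EngineBlock resolves `authz_eb`, `attributes_eb` and `interrupt` relative to it (RFC 3986 resolution against `/api/users` would replace the `users` segment), but nothing in the template says so and the next tidy-up will remove it again — this is the third fix to the same line in this series. Add `## keep the trailing slash: the *_location values below are resolved relative to this URL` above `sram.base_url`, hedged or confirmed against EngineBlock's client code.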