From c2e7f080ca719a65195e095b9c9b8ceb7334a5bc Mon Sep 17 00:00:00 2001
From: Bas Zoetekouw
Date: Tue, 8 Apr 2025 10:59:05 +0200
Subject: [PATCH 1/2] Add default timeout and max_authn_per_session settings

Relaetd to https://github.com/OpenConext/OpenConext-engineblock/issues/1777 and https://github.com/OpenConext/OpenConext-engineblock/issues/1345
---
 roles/engineblock/defaults/main.yml | 6 ++++++
 roles/engineblock/templates/parameters.yml.j2 | 5 +++++
 2 files changed, 11 insertions(+)

diff --git a/roles/engineblock/defaults/main.yml b/roles/engineblock/defaults/main.yml
index f267d051d..747da8b2b 100644
--- a/roles/engineblock/defaults/main.yml
+++ b/roles/engineblock/defaults/main.yml
@@ -67,6 +67,12 @@ engine_minimum_execution_time_on_invalid_received_response: 5000
 engine_time_frame_for_authentication_loop_in_seconds: 60
 engine_maximum_authentication_procedures_allowed: 5
+# maximum number of outstandig AuthN requests per session; exceeding this results in a 429
+engine_max_authn_per_session: 30
+
+# timeout when doing external queries (e.g., to PDP, AA, SBS)
+engine_http_client_timeout: 10
+
 # This PCRE regex is used to blacklist incoming AuthnContextClassRef attributes on. If an empty string is used
 # the validation is skipped. The validator will throw an exception if the used regex is invalid.
 engine_stepup_authn_context_class_ref_blacklist_regex: '/http:\/\/{{ base_domain | regex_escape }}\/assurance\/loa[1-3]/'
diff --git a/roles/engineblock/templates/parameters.yml.j2 b/roles/engineblock/templates/parameters.yml.j2
index 19a23f77e..78ba44eb4 100644
--- a/roles/engineblock/templates/parameters.yml.j2
+++ b/roles/engineblock/templates/parameters.yml.j2
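Review bot: The comment introduced above `engine_http_client_timeout: 10` states no unit, so an operator overriding it cannot tell whether 10 is seconds or milliseconds; the consuming key is `http_client.timeout` in parameters.yml.j2, which suggests seconds, but nothing in the hunk confirms that. Suggest `# timeout (seconds, presumably — confirm against EngineBlock's http_client.timeout) for external queries (e.g., to PDP, AA, SBS)`. The comment above `engine_max_authn_per_session: 30` misspells `outstandig`; while fixing it, add a line on how 30 was chosen, since a value that is too low locks users out of a session that legitimately has several parallel SP logins, while one that is too high defeats whatever protection the cap is meant to provide (the linked issues are not visible here).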
@@ -147,6 +147,11 @@ parameters:
 ## The value for guest qualifier. Can be overridden for specific environments
 addgueststatus_guestqualifier: '{{ guest_qualifier | default('') }}'
+ ## the timeout used when querying external sources (PDP, AA, etc)
+ http_client.timeout: "{{ engine_http_client_timeout | int }}"
+ ## maximum number of simultaneous open authentications per session (exceed this, and receive a 429)
+ maximum_authentications_per_session: "{{ engine_max_authn_per_session | int }}"
+
 ## Language cookie settings
 cookie.path: {{ cookie_path | default('/') }}
 cookie.secure: true
From f3214da2565c9057c157cc44092397c76c5c512e Mon Sep 17 00:00:00 2001
From: Bas Zoetekouw
Date: Mon, 14 Apr 2025 08:39:05 +0200
Subject: [PATCH 2/2] remove quotes for int

---
 roles/engineblock/templates/parameters.yml.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/engineblock/templates/parameters.yml.j2 b/roles/engineblock/templates/parameters.yml.j2
index 78ba44eb4..c7e720780 100644
--- a/roles/engineblock/templates/parameters.yml.j2
+++ b/roles/engineblock/templates/parameters.yml.j2
@@ -148,9 +148,9 @@ parameters:
 addgueststatus_guestqualifier: '{{ guest_qualifier | default('') }}'
 ## the timeout used when querying external sources (PDP, AA, etc)
- http_client.timeout: "{{ engine_http_client_timeout | int }}"
+ http_client.timeout: {{ engine_http_client_timeout | int }}
 ## maximum number of simultaneous open authentications per session (exceed this, and receive a 429)
- maximum_authentications_per_session: "{{ engine_max_authn_per_session | int }}"
+ maximum_authentications_per_session: {{ engine_max_authn_per_session | int }}
 ## Language cookie settings
 cookie.path: {{ cookie_path | default('/') }}
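Review bot: `{{ engine_http_client_timeout | int }}` and `{{ engine_max_authn_per_session | int }}` render `0` without any error when the variable is overridden with an empty or non-numeric value, because Jinja2's `int` filter falls back to 0 on conversion failure; for most HTTP clients a timeout of 0 means wait indefinitely, and a cap of 0 either blocks every login or disables the limit depending on how EngineBlock reads it, which the hunk does not show. A misconfigured inventory should fail the play rather than ship one of those values, e.g. an `assert` task in the role with `that: ["engine_http_client_timeout | int > 0", "engine_max_authn_per_session | int > 0"]` run before this template is rendered. The same applies to the unquoted lines in the second patch's hunk of this file. The `parameters:` mapping these keys belong to begins before the hunk.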