From 9e92b154a9ab3057624b38c1a15041ebbeacc2fb Mon Sep 17 00:00:00 2001
From: Bas Zoetekouw
Date: Tue, 8 Apr 2025 11:02:49 +0200
Subject: [PATCH] Add engineblock parameters for SBS integration

---
 roles/engine/defaults/main.yml | 9 +++++++++
 roles/engine/templates/parameters.yml.j2 | 14 ++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/roles/engine/defaults/main.yml b/roles/engine/defaults/main.yml
index cdc888cd5..3721e2f54 100644
--- a/roles/engine/defaults/main.yml
+++ b/roles/engine/defaults/main.yml
@@ -17,6 +17,7 @@ engine_api_feature_consent_remove: 0
 engine_api_feature_metadata_api: 1
 engine_api_feature_deprovision: 1
 engine_feature_send_user_attributes: 0
+engine_feature_enable_sbs_interrupt: 0
 
 # Cutoff point for showing unfiltered IdPs on the WAYF
 engine_wayf_cutoff_point_for_showing_unfiltered_idps: 50
@@ -76,6 +77,14 @@ engine_stepup_gateway_sfo_entity_id: "https://{{ engine_stepup_gateway_domain }}
 # The single sign-on endpoint used for Stepup Gateway SFO callouts
 engine_stepup_gateway_sfo_sso_location: "https://{{ engine_stepup_gateway_domain }}/second-factor-only/single-sign-on"
 
+# SBS interrupt settings
+engine_sbs_base_url: "sbs.{{ base_domain }}"
+engine_sbs_attributes_allowed:
+  - 'urn:mace:dir:attribute-def:eduPersonEntitlement'
+  - 'urn:mace:dir:attribute-def:uid'
+  - 'urn:mace:dir:attribute-def:eduPersonPrincipalName'
+  - 'urn:oid:1.3.6.1.4.1.24552.500.1.1.1.13'
+
 ## The minimum priority of messages that will be logged
 engine_logging_passthru_level: NOTICE
 
diff --git a/roles/engine/templates/parameters.yml.j2 b/roles/engine/templates/parameters.yml.j2
index 77903de1e..9b416fe66 100644
--- a/roles/engine/templates/parameters.yml.j2
+++ b/roles/engine/templates/parameters.yml.j2
@@ -228,6 +228,7 @@ parameters:
     feature_stepup_sfo_override_engine_entityid: {{ engine_feature_stepup_override_entityid | bool | to_json }}
     feature_enable_idp_initiated_flow: {{ engine_feature_idp_initiated_flow | bool | to_json }}
     feature_stepup_send_user_attributes: {{ engine_feature_send_user_attributes | bool | to_json }}
+    feature_enable_sram_interrupt: { { engine_feature_enable_sbs_interrupt | bool | to_json } }
     ##########################################################################################
     ## PROFILE SETTINGS
     ##########################################################################################
@@ -310,3 +311,16 @@ parameters:
     # used in the authentication log record. The attributeName will be searched in the response attributes and if present
     # the log data will be enriched. The values of the response attributes are the final values after ARP and Attribute Manipulation.
     auth.log.attributes: {{ engine_log_attributes }}
+
+
+    ##########################################################################################
+    ## SBS external authorization/attribute enrichtment
+    ##########################################################################################
+    sram.api_token: "{{ engine_sbs_api_token | default('') }}"
+    sram.base_url: "https://{{ engine_sbs_base_url }}/api/users/"
+    sram.authz_location: "authz_eb"
+    sram.attributes_location: "authz_eb"
+    sram.attributes_location: "attributes_eb"
+    sram.interrupt_location: "interrupt"
+    sram.verify_peer: true
+    sram.allowed_attributes: {{ engine_sbs_attributes_allowed }}
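Review bot: The added `feature_enable_sram_interrupt` line uses `{ { … } }` with a space between the braces, so Jinja does not recognise an expression and the literal text ends up in the rendered parameters.yml, where YAML reads it as a nested flow mapping instead of the boolean the three neighbouring flags produce; unless this is an artifact of how the patch was captured, it should read `feature_enable_sram_interrupt: {{ engine_feature_enable_sbs_interrupt | bool | to_json }}`. The parameter is named with an `sram` prefix while the Ansible variable and the defaults comment say `sbs`, which will confuse anyone grepping for the feature; a one-line comment above it would help, e.g. `# EngineBlock's parameter is named sram_*; the Ansible variables use the sbs_ prefix` (hedged: the naming presumably comes from the EngineBlock side). The enclosing `parameters:` mapping starts outside the hunk.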
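Review bot: `sram.attributes_location` is set twice in the new block, first to `"authz_eb"` and then to `"attributes_eb"`; most YAML loaders silently keep the last value and stricter ones reject the file on a duplicate key, so the first of the two lines looks like a copy-paste of `sram.authz_location` and should be removed. `sram.api_token` falls back to `default('')`, which means a host where the vaulted variable is missing still renders a valid file and EngineBlock would call the SBS API with an empty token; when the interrupt feature is switched on that should fail the deploy instead, e.g. `sram.api_token: "{{ (engine_sbs_api_token | mandatory) if (engine_feature_enable_sbs_interrupt | bool) else '' }}"`. `sram.allowed_attributes: {{ engine_sbs_attributes_allowed }}` relies on Python's list repr being valid YAML, which matches the existing `auth.log.attributes` line above it, but `{{ engine_sbs_attributes_allowed | to_json }}` would not depend on that. The banner comment misspells `enrichment`.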