implement session_not_on_or_after using new session engines (fixes #9640)

2016-01-13 17:41:13 +01:00 · 2016-01-13 17:41:13 +01:00 · 2289b8350e
parent 9143056569
commit 2289b8350e
5 changed files with 43 additions and 1 deletions
--- a/12
+++ b/12
@ -253,3 +253,15 @@ Tests
 Unit tests are written using pytest, and can be run with:

   DJANGO_SETTINGS_MODULE=testsettings py.test
+
+Remarks
+=======
+
+To honor the SessionNotOnOrAfter attribute sent by an IdP you must use a specific SessionEngine,
+only db and cached_db are supported currently, the equivalent session engines are:
+
+    mellon.sessions_backends.db
+
+and
+
+    mellon.sessions_backends.cached_db
--- a/mellon/sessions_backends/init.py
+++ b/mellon/sessions_backends/init.py
--- a/mellon/sessions_backends/cached_db.py
+++ b/mellon/sessions_backends/cached_db.py
@ -0,0 +1,6 @@
+from django.contrib.sessions.backends.db import SessionStore
+
+from . import db
+
+class SessionStore(db.SessionStore, SessionStore):
+    pass
--- a/mellon/sessions_backends/db.py
+++ b/mellon/sessions_backends/db.py
@ -0,0 +1,23 @@
+from django.contrib.sessions.backends.db import SessionStore
+
+from mellon import utils
+
+class SessionStore(SessionStore):
+
+    def get_session_not_on_or_after(self):
+        session_not_on_or_after = self.get('mellon_session', {}).get('session_not_on_or_after')
+        if session_not_on_or_after:
+            return utils.iso8601_to_datetime(session_not_on_or_after)
+        return None
+
+    def get_expiry_age(self, **kwargs):
+        session_not_on_or_after = self.get_session_not_on_or_after()
+        if session_not_on_or_after and 'expiry' not in kwargs:
+            kwargs['expiry'] = session_not_on_or_after
+        return super(SessionStore, self).get_expiry_age(**kwargs)
+
+    def get_expiry_date(self, **kwargs):
+        session_not_on_or_after = self.get_session_not_on_or_after()
+        if session_not_on_or_after and 'expiry' not in kwargs:
+            kwargs['expiry'] = session_not_on_or_after
+        return super(SessionStore, self).get_expiry_date(**kwargs)
--- a/mellon/views.py
+++ b/mellon/views.py
@ -132,7 +132,8 @@ class LoginView(LogMixin, View):
                self.log.info('user %r (NameID is %r) logged in using SAML',
                        unicode(user), attributes['name_id_content'])
                request.session['mellon_session'] = utils.flatten_datetime(attributes)
-                if 'session_not_on_or_after' in attributes:
+                if ('session_not_on_or_after' in attributes and
+                    not settings.SESSION_EXPIRE_AT_BROWSER_CLOSE):
                    request.session.set_expiry(utils.get_seconds_expiry(attributes['session_not_on_or_after']))
            else:
                return render(request, 'mellon/inactive_user.html', {