do not flatten attributes inplace, and convert expiry to seconds (fixes #9359)

Original datetime must be kept for setting the expiry, but expiry using datetime
is not supported when using JSON sessions, so we convert it to seconds expiry
before setting it.

We also make iso8601 parsed datetime timezone aware, to match with other
datetimes in Django.

mellon/utils.py

@@ -9,6 +9,7 @@ import requests
 
 from django.core.urlresolvers import reverse
 from django.template.loader import render_to_string
+from django.utils.timezone import make_aware, utc, now
 import lasso
 
 from . import app_settings
@@ -102,6 +103,7 @@ def get_idps():
                 yield idp
 
 def flatten_datetime(d):
+    d = d.copy()
     for key, value in d.iteritems():
         if isinstance(value, datetime.datetime):
             d[key] = value.isoformat() + 'Z'
@@ -116,7 +118,10 @@ def iso8601_to_datetime(date_string):
     if not m:
         raise ValueError('Invalid ISO8601 date')
     tm = time.strptime(m.group(1)+'Z', "%Y-%m-%dT%H:%M:%SZ")
-    return datetime.datetime.fromtimestamp(time.mktime(tm))
+    return make_aware(datetime.datetime.fromtimestamp(time.mktime(tm)), utc)
+
+def get_seconds_expiry(datetime_expiry):
+    return (datetime_expiry - now()).total_seconds()
 
 def to_list(func):
     @wraps(func)

mellon/views.py

@@ -133,7 +133,7 @@ class LoginView(LogMixin, View):
                         unicode(user), attributes['name_id_content'])
                 request.session['mellon_session'] = utils.flatten_datetime(attributes)
                 if 'session_not_on_or_after' in attributes:
-                    request.session.set_expiry(attributes['session_not_on_or_after'])
+                    request.session.set_expiry(utils.get_seconds_expiry(attributes['session_not_on_or_after']))
             else:
                 return render(request, 'mellon/inactive_user.html', {
                     'user': user,