misc: do not send logout requests if SingleLogout profile is not supported (#71041)

This commit is contained in:
Benjamin Dauvergne 2022-11-07 15:53:34 +01:00
parent 45c987584c
commit 750f869e5f
2 changed files with 18 additions and 2 deletions

View File

@ -68,7 +68,7 @@ def create_metadata(request):
return render_to_string('mellon/metadata.xml', ctx)
def create_server(request):
def create_server(request, remote_provider_id=None):
root = request.build_absolute_uri('/')
cache = getattr(settings, '_MELLON_SERVER_CACHE', {})
if root not in cache:
@ -109,11 +109,15 @@ def create_server(request):
key = key[0]
server.setEncryptionPrivateKeyWithPassword(key, password)
for idp in get_idps():
if remote_provider_id and idp.get('ENTITY_ID') != remote_provider_id:
continue
if idp and idp.get('METADATA'):
try:
server.addProviderFromBuffer(lasso.PROVIDER_ROLE_IDP, idp['METADATA'])
except lasso.Error as e:
logger.error('bad metadata in idp %s, %s', idp['ENTITY_ID'], e)
if not server.providers and remote_provider_id:
logger.warning('mellon: create_server, no provider found for issuer %r', remote_provider_id)
cache[root] = server
settings._MELLON_SERVER_CACHE = cache
return cache.get(root)
@ -344,3 +348,12 @@ def get_local_path(request, url):
if request.META.get('SCRIPT_NAME'):
path = path[len(request.META['SCRIPT_NAME']) :]
return path
def is_slo_supported(request, issuer):
server = create_server(request, remote_provider_id=issuer)
# verify that at least one logout method is supported
return (
server.getFirstHttpMethod(server.providers[issuer], lasso.MD_PROTOCOL_TYPE_SINGLE_LOGOUT)
!= lasso.HTTP_METHOD_NONE
)

View File

@ -748,7 +748,7 @@ class LogoutView(ProfileMixin, LogMixin, View):
logout = None
try:
issuer = request.session.get('mellon_session', {}).get('issuer')
if issuer:
if issuer and utils.is_slo_supported(request, issuer=issuer):
self.profile = logout = utils.create_logout(request)
self.get_relay_state(create=True)
try:
@ -851,6 +851,9 @@ class LogoutView(ProfileMixin, LogMixin, View):
issuer = request.session.get('mellon_session', {}).get('issuer')
if not issuer:
return None
# verify that at least one binding the logout profile is supported
if not utils.is_slo_supported(request, issuer=issuer):
return None
session_indexes = models.SessionIndex.objects.filter(
saml_identifier__user=request.user, saml_identifier__issuer__entity_id=issuer
).order_by('-id')