misc: do not send logout requests if SingleLogout profile is not supported (#71041)
parent
45c987584c
commit
750f869e5f
@ -68,7 +68,7 @@ def create_metadata(request):
|
||||||
return render_to_string('mellon/metadata.xml', ctx)
|
return render_to_string('mellon/metadata.xml', ctx)
|
||||||
|
|
||||||
|
|
||||||
def create_server(request):
|
def create_server(request, remote_provider_id=None):
|
||||||
root = request.build_absolute_uri('/')
|
root = request.build_absolute_uri('/')
|
||||||
cache = getattr(settings, '_MELLON_SERVER_CACHE', {})
|
cache = getattr(settings, '_MELLON_SERVER_CACHE', {})
|
||||||
if root not in cache:
|
if root not in cache:
|
||||||
|
@ -109,11 +109,15 @@ def create_server(request):
|
||||||
key = key[0]
|
key = key[0]
|
||||||
server.setEncryptionPrivateKeyWithPassword(key, password)
|
server.setEncryptionPrivateKeyWithPassword(key, password)
|
||||||
for idp in get_idps():
|
for idp in get_idps():
|
||||||
|
if remote_provider_id and idp.get('ENTITY_ID') != remote_provider_id:
|
||||||
|
continue
|
||||||
if idp and idp.get('METADATA'):
|
if idp and idp.get('METADATA'):
|
||||||
try:
|
try:
|
||||||
server.addProviderFromBuffer(lasso.PROVIDER_ROLE_IDP, idp['METADATA'])
|
server.addProviderFromBuffer(lasso.PROVIDER_ROLE_IDP, idp['METADATA'])
|
||||||
except lasso.Error as e:
|
except lasso.Error as e:
|
||||||
logger.error('bad metadata in idp %s, %s', idp['ENTITY_ID'], e)
|
logger.error('bad metadata in idp %s, %s', idp['ENTITY_ID'], e)
|
||||||
|
if not server.providers and remote_provider_id:
|
||||||
|
logger.warning('mellon: create_server, no provider found for issuer %r', remote_provider_id)
|
||||||
cache[root] = server
|
cache[root] = server
|
||||||
settings._MELLON_SERVER_CACHE = cache
|
settings._MELLON_SERVER_CACHE = cache
|
||||||
return cache.get(root)
|
return cache.get(root)
|
||||||
|
@ -344,3 +348,12 @@ def get_local_path(request, url):
|
||||||
if request.META.get('SCRIPT_NAME'):
|
if request.META.get('SCRIPT_NAME'):
|
||||||
path = path[len(request.META['SCRIPT_NAME']) :]
|
path = path[len(request.META['SCRIPT_NAME']) :]
|
||||||
return path
|
return path
|
||||||
|
|
||||||
|
|
||||||
|
def is_slo_supported(request, issuer):
|
||||||
|
server = create_server(request, remote_provider_id=issuer)
|
||||||
|
# verify that at least one logout method is supported
|
||||||
|
return (
|
||||||
|
server.getFirstHttpMethod(server.providers[issuer], lasso.MD_PROTOCOL_TYPE_SINGLE_LOGOUT)
|
||||||
|
!= lasso.HTTP_METHOD_NONE
|
||||||
|
)
|
||||||
|
|
|
@ -748,7 +748,7 @@ class LogoutView(ProfileMixin, LogMixin, View):
|
||||||
logout = None
|
logout = None
|
||||||
try:
|
try:
|
||||||
issuer = request.session.get('mellon_session', {}).get('issuer')
|
issuer = request.session.get('mellon_session', {}).get('issuer')
|
||||||
if issuer:
|
if issuer and utils.is_slo_supported(request, issuer=issuer):
|
||||||
self.profile = logout = utils.create_logout(request)
|
self.profile = logout = utils.create_logout(request)
|
||||||
self.get_relay_state(create=True)
|
self.get_relay_state(create=True)
|
||||||
try:
|
try:
|
||||||
|
@ -851,6 +851,9 @@ class LogoutView(ProfileMixin, LogMixin, View):
|
||||||
issuer = request.session.get('mellon_session', {}).get('issuer')
|
issuer = request.session.get('mellon_session', {}).get('issuer')
|
||||||
if not issuer:
|
if not issuer:
|
||||||
return None
|
return None
|
||||||
|
# verify that at least one binding the logout profile is supported
|
||||||
|
if not utils.is_slo_supported(request, issuer=issuer):
|
||||||
|
return None
|
||||||
session_indexes = models.SessionIndex.objects.filter(
|
session_indexes = models.SessionIndex.objects.filter(
|
||||||
saml_identifier__user=request.user, saml_identifier__issuer__entity_id=issuer
|
saml_identifier__user=request.user, saml_identifier__issuer__entity_id=issuer
|
||||||
).order_by('-id')
|
).order_by('-id')
|
||||||
|
|
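Review bot: `create_server` still caches the built server under `root` alone, so the `remote_provider_id` filter added in the second hunk leaks across callers: if the first call in a process is the filtered one from `is_slo_supported`, the cached server holds only that IdP and every later unfiltered `create_server(request)` gets it back, while in the opposite order the filter is a no-op because the cached unfiltered server is returned. The key should carry the filter, e.g. `cache_key = (root, remote_provider_id)` used for the `in` test, the store and the final `cache.get`. In the third hunk `is_slo_supported` then subscripts `server.providers[issuer]` right after `create_server` may have only warned that no provider matched, which presumably raises `KeyError` instead of returning False, and the `if not utils.is_slo_supported(...)` call in the last hunk sits outside any visible try, so a stale or unknown issuer in the session would abort logout with an unhandled exception. Guard it with `provider = server.providers.get(issuer)` / `if provider is None: return False` before `getFirstHttpMethod`, assuming `providers` is dict-like as the existing subscript implies. `create_server` starts in the first hunk and the part of its body between the first and second hunk is not shown here.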