From dc1e4e56ea55cd3581e7bc764352e4598a697524 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Wed, 16 Dec 2015 17:54:34 +0100
Subject: [PATCH] do not flatten attributes inplace, and convert expiry to seconds (fixes #9359)

Original datetime must be kept for setting the expiry, but expiry using datetime is not supported when using JSON sessions, so we convert it to seconds expiry before setting it. We also make iso8601 parsed datetime timezone aware, to match with other datetimes in Django.
---
 mellon/utils.py | 7 ++++++-
 mellon/views.py | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/mellon/utils.py b/mellon/utils.py
index 992395a..1c8ff16 100644
--- a/mellon/utils.py
+++ b/mellon/utils.py
@@ -9,6 +9,7 @@ import requests
 from django.core.urlresolvers import reverse
 from django.template.loader import render_to_string
+from django.utils.timezone import make_aware, utc, now
 import lasso
 from . import app_settings
@@ -102,6 +103,7 @@ def get_idps():
 yield idp
 def flatten_datetime(d):
+ d = d.copy()
 for key, value in d.iteritems():
 if isinstance(value, datetime.datetime):
 d[key] = value.isoformat() + 'Z'
@@ -116,7 +118,10 @@ def iso8601_to_datetime(date_string):
 if not m:
 raise ValueError('Invalid ISO8601 date')
 tm = time.strptime(m.group(1)+'Z', "%Y-%m-%dT%H:%M:%SZ")
- return datetime.datetime.fromtimestamp(time.mktime(tm))
+ return make_aware(datetime.datetime.fromtimestamp(time.mktime(tm)), utc)
+
+def get_seconds_expiry(datetime_expiry):
+ return (datetime_expiry - now()).total_seconds()
 def to_list(func):
 @wraps(func)
diff --git a/mellon/views.py b/mellon/views.py
index a319455..881d3ec 100644
--- a/mellon/views.py
+++ b/mellon/views.py
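Review bot: In the `flatten_datetime` hunk of mellon/utils.py, the unchanged `d[key] = value.isoformat() + 'Z'` no longer fits the values this commit produces: `iso8601_to_datetime` now returns timezone-aware datetimes, whose `isoformat()` already ends in `+00:00`, so the flattened string would end in `+00:00Z`. If the attributes are built with that helper, format aware values as UTC without the offset, e.g. `d[key] = value.astimezone(utc).replace(tzinfo=None).isoformat() + 'Z'` when `value.tzinfo is not None`. `d.copy()` is a shallow copy, so any nested containers are still shared with the caller's dict; a one-line docstring saying so would help. The function body continues below the hunk.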
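Review bot: In the `iso8601_to_datetime`/`get_seconds_expiry` hunk of mellon/utils.py, `get_seconds_expiry` subtracts Django's `now()`, which is naive when `USE_TZ` is False, from a value that `iso8601_to_datetime` now always makes aware; Python raises TypeError on that mix, so login would fail on such deployments if the expiry comes from this parser. Using `return (datetime_expiry - datetime.datetime.now(utc)).total_seconds()` keeps both operands aware. Separately, the parsed UTC fields still pass through `time.mktime`/`fromtimestamp`, i.e. through the server's local time zone, so a timestamp whose digits fall in a local DST gap can come back shifted by an hour before being labelled UTC; `make_aware(datetime.datetime(*tm[:6]), utc)` avoids the round trip. `iso8601_to_datetime` starts above the hunk.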
@@ -133,7 +133,7 @@ class LoginView(LogMixin, View):
 unicode(user), attributes['name_id_content'])
 request.session['mellon_session'] = utils.flatten_datetime(attributes)
 if 'session_not_on_or_after' in attributes:
- request.session.set_expiry(attributes['session_not_on_or_after'])
+ request.session.set_expiry(utils.get_seconds_expiry(attributes['session_not_on_or_after']))
 else:
 return render(request, 'mellon/inactive_user.html', {
 'user': user,
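Review bot: Passing a number of seconds to `set_expiry` turns the IdP's absolute `session_not_on_or_after` deadline into a sliding one, because Django counts a numeric expiry from the last time the session was modified, so any later write to the session moves the local expiry past the instant the assertion allowed. The value is also a float from `total_seconds()` and is not checked: it is negative when the deadline has already passed, and `0` means "expire at browser close" to Django. Consider refusing the login when less than one second remains and otherwise calling `request.session.set_expiry(int(seconds))`. The absolute deadline should additionally be enforced on each request, presumably from the flattened timestamp already stored in `request.session['mellon_session']`. The enclosing LoginView method starts and ends outside the hunk.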