diff --git a/larpe/trunk/larpe/saml2.ptl b/larpe/trunk/larpe/saml2.ptl index 0357c7c..b0aefc2 100644 --- a/larpe/trunk/larpe/saml2.ptl +++ b/larpe/trunk/larpe/saml2.ptl @@ -77,6 +77,7 @@ class Saml2(Saml2Directory): return self.sso_after_response(login) def sso_after_response(self, login): + providerId = login.server.providerId try: assertion = login.response.assertion[0] if assertion.subject.subjectConfirmation.subjectConfirmationData.recipient != \ @@ -103,7 +104,7 @@ class Saml2(Saml2Directory): try: audience_ok = False for audience_restriction in assertion.conditions.audienceRestriction: - if audience_restriction.audience != login.server.providerId: + if audience_restriction.audience != providerId: return template.error_page('Incorrect AudienceRestriction') audience_ok = True if not audience_ok: @@ -129,12 +130,14 @@ class Saml2(Saml2Directory): session = get_session() if login.isSessionDirty: if login.session: - session.lasso_session_dumps[login.server.providerId] = login.session.dump() + session.lasso_session_dumps[providerId] = login.session.dump() + session.lasso_session_indexes[providerId] = assertion.authnStatement[0].sessionIndex + session.lasso_session_name_identifiers[providerId] = login.nameIdentifier.content else: session.lasso_session_dumps[login.server.providerId] = None if assertion.authnStatement[0].sessionIndex: - session.lasso_session_index = assertion.authnStatement[0].sessionIndex + session.lasso_session_indexes = assertion.authnStatement[0].sessionIndex user = self.lookup_user(session, login) @@ -301,11 +304,17 @@ class Saml2(Saml2Directory): return logout = lasso.Logout(misc.get_lasso_server(protocol = 'saml2')) + providerId = logout.server.providerId logout.processRequestMsg(soap_message) name_identifier = logout.nameIdentifier.content + # find one session matching the name identifier, and eventually the request for session in get_session_manager().values(): - user = session.get_user(logout.server.providerId) - if user and logout.nameIdentifier.content in user.name_identifiers: + session_index = session.lasso_session_indexes.get(providerId) + name_identifier = session.lasso_session_name_identifiers.get(providerId) + request_name_identifier = logout.nameIdentifier.content + request_session_index = logout.request.sessionIndex + if request_name_identifier == name_identifier and \ + (not session_index or request_session_index == session_index): get_logger().info('SLO/SOAP from %s' % logout.remoteProviderId) break else: @@ -375,10 +384,15 @@ class Saml2(Saml2Directory): get_session_manager().expire_session(logout.server.providerId) try: - if not logout.request.sessionIndex: - for session2 in get_session_manager().values(): - if name_identifier == session2.name_identifier: - del get_session_manager()[session2.id] + providerId = logout.server.providerId + session_index = logout.request.sessionIndex + name_identifier = logout.nameIdentifier.content + # Remove all session for this name_identifier and if present for this session index + for session2 in get_session_manager().values(): + if session2.lasso_session_name_identifiers.get(providerId) == name_identifier \ + and ( not session_index + or session2.lasso_session_indexes.get(providerId) == session_index): + del get_session_manager()[session2.id] except: # killing all session failed, ignoring silently pass diff --git a/larpe/trunk/larpe/sessions.py b/larpe/trunk/larpe/sessions.py index 7c3c6b1..465df16 100644 --- a/larpe/trunk/larpe/sessions.py +++ b/larpe/trunk/larpe/sessions.py @@ -16,9 +16,17 @@ class BasicSession(Session): def __init__(self, id): self.users = {} self.lasso_session_dumps = {} + self.lasso_session_indexes = {} + self.lasso_session_name_identifiers = {} self.provider_id = None Session.__init__(self, id) + # lasso_session_indexes newly introduced + def __setstate__(self, dict): + self.lasso_session_indexes = {} + self.lasso_session_name_identifiers = {} + self.__dict__.update(dict) + def has_info(self): return self.users or self.lasso_session_dumps or self.provider_id or Session.has_info(self) is_dirty = has_info