From 2a1c90965ce8a326015d6d5d8c3a1afa03134918 Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Mon, 1 Aug 2016 11:50:15 +0200
Subject: [PATCH] Add a checkbox to forget the identity provider if we checked
 "remember the identity provider"

---
 cas_server/locale/fr/LC_MESSAGES/django.mo  | Bin 9380 -> 9460 bytes
 cas_server/locale/fr/LC_MESSAGES/django.po  |  64 +++++++++++---------
 cas_server/templates/cas_server/logged.html |   7 +++
 cas_server/tests/test_federate.py           |   4 +-
 cas_server/views.py                         |  17 +++---
 5 files changed, 53 insertions(+), 39 deletions(-)

diff --git a/cas_server/locale/fr/LC_MESSAGES/django.mo b/cas_server/locale/fr/LC_MESSAGES/django.mo
index a86d7a3c503179aba649596e3200fdf281ede2dd..d0f80edbb5787b491eb6c002ad9d48a14579dcbb 100644
GIT binary patch
delta 1711
zcmYk+duWYu9LMqRv9q(;Tz724aE?1;H_R?<oNW$sTFfP~mf2b^O;|&O)5c%!nQQ)7
zB&KGx5r3c*io`!8B_+2~gslDR{W;I`hhO`i*YEc{dv4$F_j#^V{;iCDNb#OAMuZqc
zv<xt7#1~$E7<E3g&$t0QFq~j^62IaR+?{BahH(SUPT^?m!5dhBbxCHWc;59b&SjmJ
zY&OCyYE?|ev7sJyqE;NG126@9-0e?rD(m++8oh&@;{vD~FU8?lgEMd|*5U;$!F~*2
z{$R6sT#Y`iZ#7Kjv!Nb~u)|%y!yMLWL(G_37_)E{>W14;7runL@rO7R-=J>f3$Da|
z%*O~j%di!<;A8Z1eajhU7Q{Ii!qrG>>>TP&yRZs-P*0|_YyV6n%ND|Hj38C9y~v-n
z@uLi$Mpg3~F2XKckAE;q`D_LMr2}hF>ju<?o80ZqIEVFK<QTh&l+hl!`(I!o>(@w|
z*kHf2e+24$0nEf{NEK`)p778ce)9i^4ZnDtJNPNp>?&R$pVx6=x|7=P*v;BA((EVR
z!V2u5QL6DXDz$TIjCr^R`4_u`6YwRD$KR+7`ZJs!T985hIk&B2gPNon$KowiPrO8(
zAelnz|FW?h!?+m_<68WSQ?QDIRgxA|FC4%y9>@9k1{*Mi2GWh}iZbD$?J}xK?x9Zf
z6V>gh0q4$3kn-DlB+IrPci=%(Ci+krC=Qw(!~K|y$vn0$l#Xk#9NA?TQKg99XR?XO
zGgOUd@wjBkHlk|RhQ)ZqT|Y%-;uY#O{f2SqnP|2Y<6W1dE^ramOP#3mb-U}k&i<%9
zV6uQ6&yk0)q)BGHF_wvH$|BSagxvK$R1+R@J&T2`J5ibWh#rh1@(2wtQ9<a2lx>wn
zW2)YN4W(Qo82fd8)IiF}G(u0Hr&CJxEucEFr-4{!%UnV?prJ3^Jc4rDLPFmSy`rT=
z385Y-Cvx2DGj)dEPby)&A+c;YTPce>Q4cI8=r^M`V@;-VsAOe?#uB0+Hsc$CAwnN0
z4P{c<BiXTrtX1lKL?!Y6P;K>&s|0GG=|qGmA_fpD(PTn{jK>D8V6)x1N}Asr^8JYS
zg|{_tY;0+-9g^OgJ!n-zQejqZUNCP~ac*AwQUAFAmc6(AnTZ3J?W}Lw+}Ip!YOfwU
Q%46--8R@-!88;LE0W#p9O#lD@

delta 1668
zcmYk+Sx8h-9LMp0YC73sIhL6=PK##COzPO!XliLwsR`ObLR1eCR!k2{1o?6y5rT-a
zg`O&kR*0eo+k<F9klu<OdXS1J3JO~2C8EB+JD2D%XFliLJ9F>3|NsBoAI;~Qosry(
z<3?+t7ts@GX4~+724A%HOtW{`fu}K=Wp)@};sNaPnN7j(cm%V@nBBmWSdH!3X7#w=
za|ol%Gsl|cnK@R+Ai#k&s0(#tf&PHGc-A{Uh;x`f!)f>f^}n2PW|J_C^KmI|!UWdg
zFczb4yxC|hL!QOLxP<%LA_g%I^tcDiuHZuEACZq0OfU=K9Mlchqaw8%wcr8F!Aq!x
z+{U#yjEgY9$wpj<JMjc6xM>s3g52M-7%amwBqX*IwNeM$upjkg&%N`1kmy<-cMD?x
z$%eI|7O<W#MXn2Vqh5@ogIn+^k}WIYM~?m&W}pL6)QuZZ$KzOqZODIYACf*h=AA!{
zi<w_Uh4i&|{sZcI-*6uOLb70`ezQZP%p&-W`Qtp|Kgi(bWU~vHAfA`epPvft1H8)o
z1%AQ4sb<TuhXU!qTd2^Ep&)8;HS!bNk2CQM&cG+A2);)?mRo4XB`s7){8c1z4ot^B
zT!Lr3AB<oV^Pji_Ye;-2p2Jf7jY`FA{;V1Z;|i=tU8f(n;v>`oN+}?o)z+YDW4psZ
z7dnNi?x&~~e@4=5ImM}52C<uY1Qmhvs3-q~2Qd^h8;kc)HyXkX_#OFJD;HG?61W}r
zqEhR;WuTDc6EEeg5^J#5o9{t|%0X?*6PS+Iu>}V`ZC2_At*9F6L|t#QH}CS!@4^O-
z_abX|>@EX#ioHS=-AB{{zIyWovs1-a<+%b?be%|D*#M5hbb2{mErZ@f*Apw;s(v*^
zTCF4n3vj#<=qV#~r9n^7Ojk(t4j_H*(}2y@7i}S33s6%owP?!0eYypxcSapub)Xt)
zq-(qW-<IqCK{`9aeYt?!Dm+yKDk$pDO_PdDFCC>~8C`89J?f59xnIh-%$vthTbC@k
zJER&j>8t2!dcU|$+eUj^DbSu(Q+^fdG`dnmq}@hl+(zkGr8lm}s$@sz=h4ZH<JM(m
kSBE0y!HQT-MeOJuf8gJ=vOM|5KhJmcVR3#kUUbd(7nPoqod5s;

diff --git a/cas_server/locale/fr/LC_MESSAGES/django.po b/cas_server/locale/fr/LC_MESSAGES/django.po
index c3ac888..bdcc3a7 100644
--- a/cas_server/locale/fr/LC_MESSAGES/django.po
+++ b/cas_server/locale/fr/LC_MESSAGES/django.po
@@ -7,8 +7,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: cas_server\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2016-07-30 19:19+0200\n"
-"PO-Revision-Date: 2016-07-30 19:20+0200\n"
+"POT-Creation-Date: 2016-08-01 12:01+0200\n"
+"PO-Revision-Date: 2016-08-01 12:01+0200\n"
 "Last-Translator: Valentin Samir <valentin.samir@crans.org>\n"
 "Language-Team: django <LL@li.org>\n"
 "Language: fr\n"
@@ -23,40 +23,40 @@ msgstr ""
 msgid "Central Authentication Service"
 msgstr "Service Central d'Authentification"
 
-#: forms.py:77
+#: forms.py:88
 msgid "Identity provider"
 msgstr "fournisseur d'identité"
 
-#: forms.py:80 forms.py:102 forms.py:208
-msgid "service"
-msgstr "service"
-
-#: forms.py:83
-msgid "Remember the identity provider"
-msgstr "Se souvenir du fournisseur d'identité"
-
-#: forms.py:86 forms.py:110
+#: forms.py:92 forms.py:111
 msgid "Warn me before logging me into other sites."
 msgstr "Prévenez-moi avant d'accéder à d'autres services."
 
-#: forms.py:100 models.py:600
+#: forms.py:96
+msgid "Remember the identity provider"
+msgstr "Se souvenir du fournisseur d'identité"
+
+#: forms.py:106 models.py:600
 msgid "username"
 msgstr "nom d'utilisateur"
 
-#: forms.py:104
+#: forms.py:108
 msgid "password"
 msgstr "mot de passe"
 
-#: forms.py:134
+#: forms.py:130
 msgid "The credentials you provided cannot be determined to be authentic."
 msgstr "Les informations transmises n'ont pas permis de vous authentifier."
 
-#: forms.py:194
+#: forms.py:182
 msgid "User not found in the temporary database, please try to reconnect"
 msgstr ""
 "Utilisateur non trouvé dans la base de donnée temporaire, essayez de vous "
 "reconnecter"
 
+#: forms.py:196
+msgid "service"
+msgstr "service"
+
 #: management/commands/cas_clean_federate.py:20
 msgid "Clean old federated users"
 msgstr "Nettoyer les anciens utilisateurs fédéré"
@@ -300,7 +300,11 @@ msgstr ""
 msgid "Log me out from all my sessions"
 msgstr "Me déconnecter de toutes mes sessions"
 
-#: templates/cas_server/logged.html:11
+#: templates/cas_server/logged.html:14
+msgid "Forget the identity provider"
+msgstr "Oublier le fournisseur d'identité"
+
+#: templates/cas_server/logged.html:18
 msgid "Logout"
 msgstr "Se déconnecter"
 
@@ -316,7 +320,7 @@ msgstr "Connexion"
 msgid "Connect to the service"
 msgstr "Se connecter au service"
 
-#: views.py:165
+#: views.py:168
 msgid ""
 "<h3>Logout successful</h3>You have successfully logged out from the Central "
 "Authentication Service. For security reasons, exit your web browser."
@@ -325,7 +329,7 @@ msgstr ""
 "d'Authentification. Pour des raisons de sécurité, veuillez fermer votre "
 "navigateur."
 
-#: views.py:171
+#: views.py:174
 #, python-format
 msgid ""
 "<h3>Logout successful</h3>You have successfully logged out from %s sessions "
@@ -336,7 +340,7 @@ msgstr ""
 "Service Central d'Authentification. Pour des raisons de sécurité, veuillez "
 "fermer votre navigateur."
 
-#: views.py:178
+#: views.py:181
 msgid ""
 "<h3>Logout successful</h3>You were already logged out from the Central "
 "Authentication Service. For security reasons, exit your web browser."
@@ -345,7 +349,7 @@ msgstr ""
 "d'Authentification. Pour des raisons de sécurité, veuillez fermer votre "
 "navigateur."
 
-#: views.py:351
+#: views.py:361
 #, python-format
 msgid ""
 "Invalid response from your identity provider CAS upon ticket %(ticket)s "
@@ -354,46 +358,46 @@ msgstr ""
 "Réponse invalide du CAS du fournisseur d'identité lors de la validation du "
 "ticket %(ticket)s: %(error)r"
 
-#: views.py:472
+#: views.py:483
 msgid "Invalid login ticket, please retry to login"
 msgstr "Ticket de connexion invalide, merci de réessayé de vous connecter"
 
-#: views.py:652
+#: views.py:675
 #, python-format
 msgid "Authentication has been required by service %(name)s (%(url)s)"
 msgstr ""
 "Une demande d'authentification a été émise pour le service %(name)s "
 "(%(url)s)."
 
-#: views.py:690
+#: views.py:713
 #, python-format
 msgid "Service %(url)s non allowed."
 msgstr "le service %(url)s n'est pas autorisé."
 
-#: views.py:697
+#: views.py:720
 msgid "Username non allowed"
 msgstr "Nom d'utilisateur non authorisé"
 
-#: views.py:704
+#: views.py:727
 msgid "User characteristics non allowed"
 msgstr "Caractéristique utilisateur non autorisée"
 
-#: views.py:711
+#: views.py:734
 #, python-format
 msgid "The attribute %(field)s is needed to use that service"
 msgstr "L'attribut %(field)s est nécessaire pour se connecter à ce service"
 
-#: views.py:801
+#: views.py:824
 #, python-format
 msgid "Authentication renewal required by service %(name)s (%(url)s)."
 msgstr "Demande de réauthentification pour le service %(name)s (%(url)s)."
 
-#: views.py:808
+#: views.py:831
 #, python-format
 msgid "Authentication required by service %(name)s (%(url)s)."
 msgstr "Authentification requise par le service %(name)s (%(url)s)."
 
-#: views.py:815
+#: views.py:838
 #, python-format
 msgid "Service %s non allowed"
 msgstr "Le service %s n'est pas autorisé"
diff --git a/cas_server/templates/cas_server/logged.html b/cas_server/templates/cas_server/logged.html
index 3a23b16..46e1c9a 100644
--- a/cas_server/templates/cas_server/logged.html
+++ b/cas_server/templates/cas_server/logged.html
@@ -8,6 +8,13 @@
       <input type="checkbox" name="all" value="1">{% trans "Log me out from all my sessions" %}
     </label>
   </div>
+  {% if settings.CAS_FEDERATE and request.COOKIES.remember_provider %}
+  <div class="checkbox">
+    <label>
+      <input type="checkbox" name="forget_provider" value="1">{% trans "Forget the identity provider" %}
+    </label>
+  </div>
+  {% endif %}
   <button class="btn btn-danger btn-block btn-lg" type="submit">{% trans "Logout" %}</button>
 </form>
 {% endblock %}
diff --git a/cas_server/tests/test_federate.py b/cas_server/tests/test_federate.py
index 42bef71..b6fa3f9 100644
--- a/cas_server/tests/test_federate.py
+++ b/cas_server/tests/test_federate.py
@@ -128,8 +128,8 @@ class FederateAuthLoginLogoutTestCase(
                 {'ticket': ticket, 'remember': 'on' if remember else ''}
             )
             if remember:
-                self.assertIn("_remember_provider", client.cookies)
-                self.assertEqual(client.cookies["_remember_provider"].value, provider.suffix)
+                self.assertIn("remember_provider", client.cookies)
+                self.assertEqual(client.cookies["remember_provider"].value, provider.suffix)
             self.assertEqual(response.status_code, 302)
             self.assertEqual(response["Location"], "%s/login" % (
                 'http://testserver' if django.VERSION < (1, 9) else ""
diff --git a/cas_server/views.py b/cas_server/views.py
index 2a74c4f..04de6d3 100644
--- a/cas_server/views.py
+++ b/cas_server/views.py
@@ -147,9 +147,12 @@ class LogoutView(View, LogoutMixin):
         # current querystring
         if settings.CAS_FEDERATE:
             if auth is not None:
-                params = utils.copy_params(request.GET)
+                params = utils.copy_params(request.GET, ignore={"forget_provider"})
                 url = auth.get_logout_url()
-                return HttpResponseRedirect(utils.update_url(url, params))
+                response = HttpResponseRedirect(utils.update_url(url, params))
+                if request.GET.get("forget_provider"):
+                    response.delete_cookie("remember_provider")
+                return response
         # if service is set, redirect to service after logout
         if self.service:
             list(messages.get_messages(request))  # clean messages before leaving the django app
@@ -331,7 +334,7 @@ class FederateAuth(View):
                             max_age = settings.CAS_FEDERATE_REMEMBER_TIMEOUT
                             utils.set_cookie(
                                 response,
-                                "_remember_provider",
+                                "remember_provider",
                                 provider.suffix,
                                 max_age
                             )
@@ -360,7 +363,7 @@ class FederateAuth(View):
                         ) % {'ticket': ticket, 'error': error}
                     )
                     response = redirect("cas_server:login")
-                    response.delete_cookie("_remember_provider")
+                    response.delete_cookie("remember_provider")
                     return response
         except FederatedIendityProvider.DoesNotExist:
             logger.warning("Identity provider suffix %s not found" % provider)
@@ -855,16 +858,16 @@ class LoginView(View, LogoutMixin):
                     )
                 else:
                     if (
-                        self.request.COOKIES.get('_remember_provider') and
+                        self.request.COOKIES.get('remember_provider') and
                         FederatedIendityProvider.objects.filter(
-                            suffix=self.request.COOKIES['_remember_provider']
+                            suffix=self.request.COOKIES['remember_provider']
                         )
                     ):
                         params = utils.copy_params(self.request.GET)
                         url = utils.reverse_params(
                             "cas_server:federateAuth",
                             params=params,
-                            kwargs=dict(provider=self.request.COOKIES['_remember_provider'])
+                            kwargs=dict(provider=self.request.COOKIES['remember_provider'])
                         )
                         return HttpResponseRedirect(url)
                     else: