On logout first invalidate all PGTs

Valentin Samir 2015-11-14 00:17:31 +01:00
parent 0012a8f65d
commit df9dd5364f
2 changed files with 18 additions and 12 deletions


@ -68,14 +68,14 @@ class User(models.Model):
"""Sending SLO request to all services the user logged in""" """Sending SLO request to all services the user logged in"""
async_list = [] async_list = []
session = FuturesSession(executor=ThreadPoolExecutor(max_workers=10)) session = FuturesSession(executor=ThreadPoolExecutor(max_workers=10))
ticket_classes = [ServiceTicket, ProxyTicket, ProxyGrantingTicket] # first invalidate all PGTs
ticket_classes = [ProxyGrantingTicket, ProxyTicket, ServiceTicket]
for ticket_class in ticket_classes: for ticket_class in ticket_classes:
for ticket in ticket_class.objects.filter( for ticket in ticket_class.objects.filter(
user=self, user=self,
validate=True if ticket_class != ProxyGrantingTicket else False, validate=True if ticket_class != ProxyGrantingTicket else False,
single_log_out=True
): ):
async_list.append(ticket.logout(request, session)) ticket.logout(request, session, async_list)
ticket.delete() ticket.delete()
for future in async_list: for future in async_list:
if future: if future:
@ -361,12 +361,11 @@ class Ticket(models.Model):
async_list = [] async_list = []
session = FuturesSession(executor=ThreadPoolExecutor(max_workers=10)) session = FuturesSession(executor=ThreadPoolExecutor(max_workers=10))
queryset = cls.objects.filter( queryset = cls.objects.filter(
single_log_out=True, validate=True if cls != ProxyGrantingTicket else False,
validate=True,
creation__lt=(timezone.now() - timedelta(seconds=cls.TIMEOUT)) creation__lt=(timezone.now() - timedelta(seconds=cls.TIMEOUT))
) )
for ticket in queryset: for ticket in queryset:
async_list.append(ticket.logout(None, session)) ticket.logout(None, session, async_list)
queryset.delete() queryset.delete()
for future in async_list: for future in async_list:
if future: if future:
@ -375,9 +374,13 @@ class Ticket(models.Model):
except Exception as error: except Exception as error:
sys.stderr.write("%r\n" % error) sys.stderr.write("%r\n" % error)
def logout(self, request, session): def logout(self, request, session, async_list=None):
"""Send a SLO request to the ticket service""" """Send a SLO request to the ticket service"""
if (self.validate or isinstance(self, ProxyGrantingTicket)) and self.single_log_out: if isinstance(self, ProxyGrantingTicket):
# On logout invalidate the PGT
self.validate = True
self.save()
if self.validate and self.single_log_out:
try: try:
xml = u"""<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xml = u"""<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="%(id)s" Version="2.0" IssueInstant="%(datetime)s"> ID="%(id)s" Version="2.0" IssueInstant="%(datetime)s">
@ -393,9 +396,11 @@ class Ticket(models.Model):
url = self.service_pattern.single_log_out_callback url = self.service_pattern.single_log_out_callback
else: else:
url = self.service url = self.service
return session.post( async_list.append(
url.encode('utf-8'), session.post(
data={'logoutRequest': xml.encode('utf-8')}, url.encode('utf-8'),
data={'logoutRequest': xml.encode('utf-8')},
)
) )
except Exception as error: except Exception as error:
if request is not None: if request is not None:
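Review bot: In the expired-ticket cleanup hunk (the classmethod that builds `queryset`), `queryset.delete()` runs after the loop has called `ticket.logout(None, session, async_list)`, and the new `logout()` sets `validate = True` and saves every ProxyGrantingTicket. Django's `QuerySet.delete()` re-runs the query instead of reusing the rows already iterated, so for PGTs the `validate=False` filter no longer matches and the expired rows stay in the table, where later cleanup runs will not select them either. Deleting each ticket inside the loop with `ticket.delete()`, as the `User.logout` hunk does, removes the dependency on the filter after the flag has changed. Separately, `logout()` declares `async_list=None` but calls `async_list.append(...)` unconditionally, so a caller that omits the argument raises an AttributeError that the surrounding `except Exception` catches before the SLO POST is issued; the parameter should be required, `def logout(self, request, session, async_list):`. Both functions begin or end outside the visible hunks.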


@ -623,7 +623,8 @@ class Proxy(View):
# is the proxy granting ticket valid # is the proxy granting ticket valid
ticket = ProxyGrantingTicket.objects.get( ticket = ProxyGrantingTicket.objects.get(
value=self.pgt, value=self.pgt,
creation__gt=(timezone.now() - timedelta(seconds=ProxyGrantingTicket.VALIDITY)) creation__gt=(timezone.now() - timedelta(seconds=ProxyGrantingTicket.VALIDITY)),
validate=False
) )
# is the pgt user allowed on the target service # is the pgt user allowed on the target service
pattern.check_user(ticket.user) pattern.check_user(ticket.user)
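Review bot: The added `validate=False` condition reads backwards next to the other ticket types, where `validate=True` appears to mean the ticket has been validated by a service. For a PGT the flag is only set by `Ticket.logout()` in the other file, so here it effectively means "not revoked by logout". A comment on the lookup would keep a later reader from "correcting" it, e.g. `# validate=True on a PGT means it was revoked at logout; only unrevoked PGTs may issue proxy tickets`. The enclosing method starts and ends outside the hunk, so how a failed lookup is reported to the client is not visible here.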