On logout first invalidate all PGTs
This commit is contained in:
parent
0012a8f65d
commit
df9dd5364f
2 changed files with 18 additions and 12 deletions
|
@ -68,14 +68,14 @@ class User(models.Model):
|
||||||
"""Sending SLO request to all services the user logged in"""
|
"""Sending SLO request to all services the user logged in"""
|
||||||
async_list = []
|
async_list = []
|
||||||
session = FuturesSession(executor=ThreadPoolExecutor(max_workers=10))
|
session = FuturesSession(executor=ThreadPoolExecutor(max_workers=10))
|
||||||
ticket_classes = [ServiceTicket, ProxyTicket, ProxyGrantingTicket]
|
# first invalidate all PGTs
|
||||||
|
ticket_classes = [ProxyGrantingTicket, ProxyTicket, ServiceTicket]
|
||||||
for ticket_class in ticket_classes:
|
for ticket_class in ticket_classes:
|
||||||
for ticket in ticket_class.objects.filter(
|
for ticket in ticket_class.objects.filter(
|
||||||
user=self,
|
user=self,
|
||||||
validate=True if ticket_class != ProxyGrantingTicket else False,
|
validate=True if ticket_class != ProxyGrantingTicket else False,
|
||||||
single_log_out=True
|
|
||||||
):
|
):
|
||||||
async_list.append(ticket.logout(request, session))
|
ticket.logout(request, session, async_list)
|
||||||
ticket.delete()
|
ticket.delete()
|
||||||
for future in async_list:
|
for future in async_list:
|
||||||
if future:
|
if future:
|
||||||
|
@ -361,12 +361,11 @@ class Ticket(models.Model):
|
||||||
async_list = []
|
async_list = []
|
||||||
session = FuturesSession(executor=ThreadPoolExecutor(max_workers=10))
|
session = FuturesSession(executor=ThreadPoolExecutor(max_workers=10))
|
||||||
queryset = cls.objects.filter(
|
queryset = cls.objects.filter(
|
||||||
single_log_out=True,
|
validate=True if cls != ProxyGrantingTicket else False,
|
||||||
validate=True,
|
|
||||||
creation__lt=(timezone.now() - timedelta(seconds=cls.TIMEOUT))
|
creation__lt=(timezone.now() - timedelta(seconds=cls.TIMEOUT))
|
||||||
)
|
)
|
||||||
for ticket in queryset:
|
for ticket in queryset:
|
||||||
async_list.append(ticket.logout(None, session))
|
ticket.logout(None, session, async_list)
|
||||||
queryset.delete()
|
queryset.delete()
|
||||||
for future in async_list:
|
for future in async_list:
|
||||||
if future:
|
if future:
|
||||||
|
@ -375,9 +374,13 @@ class Ticket(models.Model):
|
||||||
except Exception as error:
|
except Exception as error:
|
||||||
sys.stderr.write("%r\n" % error)
|
sys.stderr.write("%r\n" % error)
|
||||||
|
|
||||||
def logout(self, request, session):
|
def logout(self, request, session, async_list=None):
|
||||||
"""Send a SLO request to the ticket service"""
|
"""Send a SLO request to the ticket service"""
|
||||||
if (self.validate or isinstance(self, ProxyGrantingTicket)) and self.single_log_out:
|
if isinstance(self, ProxyGrantingTicket):
|
||||||
|
# On logout invalidate the PGT
|
||||||
|
self.validate = True
|
||||||
|
self.save()
|
||||||
|
if self.validate and self.single_log_out:
|
||||||
try:
|
try:
|
||||||
xml = u"""<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
|
xml = u"""<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
|
||||||
ID="%(id)s" Version="2.0" IssueInstant="%(datetime)s">
|
ID="%(id)s" Version="2.0" IssueInstant="%(datetime)s">
|
||||||
|
@ -393,9 +396,11 @@ class Ticket(models.Model):
|
||||||
url = self.service_pattern.single_log_out_callback
|
url = self.service_pattern.single_log_out_callback
|
||||||
else:
|
else:
|
||||||
url = self.service
|
url = self.service
|
||||||
return session.post(
|
async_list.append(
|
||||||
url.encode('utf-8'),
|
session.post(
|
||||||
data={'logoutRequest': xml.encode('utf-8')},
|
url.encode('utf-8'),
|
||||||
|
data={'logoutRequest': xml.encode('utf-8')},
|
||||||
|
)
|
||||||
)
|
)
|
||||||
except Exception as error:
|
except Exception as error:
|
||||||
if request is not None:
|
if request is not None:
|
||||||
|
|
|
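Review bot: In the clean-up hunk at `@ -361,12 +361,11 @@`, expired ProxyGrantingTickets are selected with `validate=False`, `ticket.logout()` then sets `validate = True` and saves each one, and the final `queryset.delete()` runs only after that; if Django's `QuerySet.delete()` re-evaluates the filter instead of deleting the rows already iterated (which is how it is implemented as far as I know), the invalidated PGTs no longer match and are never removed, so they accumulate until something else deletes them. Deleting by the primary keys that were actually iterated avoids the re-evaluation: `cls.objects.filter(pk__in=[t.pk for t in queryset]).delete()` (the second pass over `queryset` reuses its cached rows). The enclosing classmethod starts outside the hunk. Separately, `logout(self, request, session, async_list=None)` in the next hunk dereferences `async_list` unconditionally inside a `try` whose `except Exception` follows in the last hunk, so a caller relying on the default would have its SLO request silently skipped rather than reported as a programming error; either drop the default or add `if async_list is None: async_list = []` before the `if isinstance(...)` line.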
@ -623,7 +623,8 @@ class Proxy(View):
|
||||||
# is the proxy granting ticket valid
|
# is the proxy granting ticket valid
|
||||||
ticket = ProxyGrantingTicket.objects.get(
|
ticket = ProxyGrantingTicket.objects.get(
|
||||||
value=self.pgt,
|
value=self.pgt,
|
||||||
creation__gt=(timezone.now() - timedelta(seconds=ProxyGrantingTicket.VALIDITY))
|
creation__gt=(timezone.now() - timedelta(seconds=ProxyGrantingTicket.VALIDITY)),
|
||||||
|
validate=False
|
||||||
)
|
)
|
||||||
# is the pgt user allowed on the target service
|
# is the pgt user allowed on the target service
|
||||||
pattern.check_user(ticket.user)
|
pattern.check_user(ticket.user)
|
||||||
|
|
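Review bot: The added `validate=False` condition on the `ProxyGrantingTicket.objects.get(...)` lookup is the check that makes a logged-out user's PGT unusable for issuing proxy tickets, but the comment above it, `# is the proxy granting ticket valid`, does not say that `validate` means something different on a PGT than on a ServiceTicket or ProxyTicket, where it marks a ticket as already consumed; a reader will take the filter for a copy-paste mistake. I would extend the comment to `# is the proxy granting ticket valid: unexpired and not yet invalidated by a user logout (Ticket.logout sets validate=True on a PGT)`. The `DoesNotExist` raised when the filter excludes the PGT is presumably handled outside the hunk, so the response the proxy caller receives cannot be checked here; the enclosing method starts and ends outside the hunk.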