
0001-idp_saml2-set-sessionNotOnOrAfter-to-half-the-curren.patch

Benjamin Dauvergne, 14 Sep 2021 06:30 PM



Subject: [PATCH] idp_saml2: set sessionNotOnOrAfter to half the current
 session duration (#56865)

 src/authentic2/idp/saml/saml2_endpoints.py | 11 ++++++++---
 tests/test_idp_saml2.py                    | 11 +++++++----
 2 files changed, 15 insertions(+), 7 deletions(-)
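--- a/src/authentic2/idp/saml/saml2_endpoints.py
+++ b/src/authentic2/idp/saml/saml2_endpoints.py
@@ -51,6 +51,7 @@
 from django.shortcuts import redirect, render
 from django.urls import reverse
 from django.utils.encoding import force_bytes, force_str, force_text
+from django.utils.timezone import utc
 from django.utils.translation import ugettext as _
 from django.utils.translation import ugettext_noop as N_
 from django.views.decorators.cache import never_cache
@@ -411,6 +412,7 @@
     """
     entity_id = get_entity_id(request)
     now = datetime.datetime.utcnow()
+    timezone_now = now.replace(tzinfo=utc)
     logger.debug('NameIDFormat is %s', nid_format)
     # 1 minute ago
     notBefore = now - datetime.timedelta(0, app_settings.SECONDS_TOLERANCE)
@@ -453,10 +455,13 @@
     )
     assertion = login.assertion
     assertion.conditions.notOnOrAfter = notOnOrAfter.isoformat() + 'Z'
-    # Set SessionNotOnOrAfter to expiry date of the current session, so we are sure no session on
-    # service providers can outlive the IdP session.
+    # Set SessionNotOnOrAfter to half of the expire duration of the current
+    # session, so we are sure no session on service providers can outlive the
+    # IdP session but people are asked to reauthenticate before the end of the
+    # IdP session to prolongate it.
     expiry_date = request.session.get_expiry_date()
-    assertion.authnStatement[0].sessionNotOnOrAfter = datetime_to_xs_datetime(expiry_date)
+    session_not_on_or_after = timezone_now + (expiry_date - timezone_now) * 0.5
+    assertion.authnStatement[0].sessionNotOnOrAfter = datetime_to_xs_datetime(session_not_on_or_after)
     logger.debug('assertion building in progress %s', force_text(assertion.dump()))
     fill_assertion(request, login.request, assertion, login.remoteProviderId, nid_format)
     # Save federation and new session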
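Review bot: The new line `session_not_on_or_after = timezone_now + (expiry_date - timezone_now) * 0.5` in the last hunk subtracts an aware datetime from whatever `request.session.get_expiry_date()` returns, and Django returns a naive value there when `USE_TZ` is off (or when a naive explicit expiry was stored), in which case the subtraction raises `TypeError` where the old code merely passed `expiry_date` through. If authentic2 always runs time-zone aware this is fine, but the assumption deserves a line such as `# get_expiry_date() is aware because USE_TZ is on; mixing it with naive `now` would raise`, and ideally a guard for an already-expired session, whose midpoint lands in the past and yields an immediately-expired SP session. The bare `0.5` would read better as a named constant or as `/ 2`, and the function now carries both a naive `now` and an aware `timezone_now`, which is easy to confuse in later edits. The enclosing function starts and ends outside the hunk.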
tests/test_idp_saml2.py
388 388
        assertion = login.assertion
389 389
        session_not_on_or_after = login.assertion.authnStatement[0].sessionNotOnOrAfter
390 390
        assert session_not_on_or_after is not None
391
        assert (
392
            datetime.datetime.strptime(session_not_on_or_after, '%Y-%m-%dT%H:%M:%SZ')
393
            > datetime.datetime.utcnow()
394
        )
391
        sp_session_expiry_date = datetime.datetime.strptime(session_not_on_or_after, '%Y-%m-%dT%H:%M:%SZ')
392
        utc_now = datetime.datetime.utcnow()
393
        assert sp_session_expiry_date > utc_now
394
        # check session duration on SP is shorter than on IdP
395
        local_session_expiry_date = self.app.session.get_expiry_date().replace(tzinfo=None)
396
        assert (sp_session_expiry_date - utc_now) < 0.6 * (local_session_expiry_date - utc_now)
397

  
395 398
        assertion_xml = assertion.exportToXml()
396 399
        namespaces = {
397 400
            'saml': lasso.SAML2_ASSERTION_HREF,
398
-