Projet

Général

Profil

0001-idp_saml2-set-sessionNotOnOrAfter-to-half-the-curren.patch

Benjamin Dauvergne, 14 septembre 2021 18:30

Télécharger (3,71 ko)

Voir les différences: 

Subject: [PATCH] idp_saml2: set sessionNotOnOrAfter to half the current
 session duration (#56865)


 src/authentic2/idp/saml/saml2_endpoints.py | 11 ++++++++---
 tests/test_idp_saml2.py                    | 11 +++++++----
 2 files changed, 15 insertions(+), 7 deletions(-)
src/authentic2/idp/saml/saml2_endpoints.py
51 51 
from django.shortcuts import redirect, render
52 52 
from django.urls import reverse
53 53 
from django.utils.encoding import force_bytes, force_str, force_text
54 
from django.utils.timezone import utc
54 55 
from django.utils.translation import ugettext as _
55 56 
from django.utils.translation import ugettext_noop as N_
56 57 
from django.views.decorators.cache import never_cache
......
411 412 
    """
412 413 
    entity_id = get_entity_id(request)
413 414 
    now = datetime.datetime.utcnow()
415 
    timezone_now = now.replace(tzinfo=utc)
414 416 
    logger.debug('NameIDFormat is %s', nid_format)
415 417 
    # 1 minute ago
416 418 
    notBefore = now - datetime.timedelta(0, app_settings.SECONDS_TOLERANCE)
......
453 455 
    )
454 456 
    assertion = login.assertion
455 457 
    assertion.conditions.notOnOrAfter = notOnOrAfter.isoformat() + 'Z'
456 
    # Set SessionNotOnOrAfter to expiry date of the current session, so we are sure no session on
457 
    # service providers can outlive the IdP session.
458 
    # Set SessionNotOnOrAfter to half of the expire duration of the current
459 
    # session, so we are sure no session on service providers can outlive the
460 
    # IdP session but people are asked to reauthenticate before the end of the
461 
    # IdP session to prolongate it.
458 462 
    expiry_date = request.session.get_expiry_date()
459 
    assertion.authnStatement[0].sessionNotOnOrAfter = datetime_to_xs_datetime(expiry_date)
463 
    session_not_on_or_after = timezone_now + (expiry_date - timezone_now) * 0.5
464 
    assertion.authnStatement[0].sessionNotOnOrAfter = datetime_to_xs_datetime(session_not_on_or_after)
460 465 
    logger.debug('assertion building in progress %s', force_text(assertion.dump()))
461 466 
    fill_assertion(request, login.request, assertion, login.remoteProviderId, nid_format)
462 467 
    # Save federation and new session
tests/test_idp_saml2.py
388 388 
        assertion = login.assertion
389 389 
        session_not_on_or_after = login.assertion.authnStatement[0].sessionNotOnOrAfter
390 390 
        assert session_not_on_or_after is not None
391 
        assert (
392 
            datetime.datetime.strptime(session_not_on_or_after, '%Y-%m-%dT%H:%M:%SZ')
393 
            > datetime.datetime.utcnow()
394 
        )
391 
        sp_session_expiry_date = datetime.datetime.strptime(session_not_on_or_after, '%Y-%m-%dT%H:%M:%SZ')
392 
        utc_now = datetime.datetime.utcnow()
393 
        assert sp_session_expiry_date > utc_now
394 
        # check session duration on SP is shorter than on IdP
395 
        local_session_expiry_date = self.app.session.get_expiry_date().replace(tzinfo=None)
396 
        assert (sp_session_expiry_date - utc_now) < 0.6 * (local_session_expiry_date - utc_now)
397 

  		




  395
  398
  
    
        assertion_xml = assertion.exportToXml()

  		




  396
  399
  
    
        namespaces = {

  		




  397
  400
  
    
            'saml': lasso.SAML2_ASSERTION_HREF,

  		




  398
  
  
    
-