0008-misc-clean-SessionIndex-during-logout-69740.patch

Benjamin Dauvergne, 04 octobre 2022 11:47

Voir les différences: en ligne côte à côte

Subject: [PATCH 8/8] misc: clean SessionIndex during logout (#69740)

SessionIndex are deleted when the linked session does not exist anymore
and 5 minutes after the creation of the logout request.

 .../0008_add_timestamp_to_session_index.py    | 27 ++++++++++++++
 mellon/models.py                              | 35 +++++++++++++++----
 mellon/views.py                               | 10 ++++--
 tests/test_sso_slo.py                         |  8 ++++-
 4 files changed, 69 insertions(+), 11 deletions(-)
 create mode 100644 mellon/migrations/0008_add_timestamp_to_session_index.py

     # Generated by Django 2.2.26 on 2022-10-04 09:10
     import django.utils.timezone
     from django.db import migrations, models
     class Migration(migrations.Migration):
         dependencies = [
             ('mellon', '0007_sessionindex_transient_name_id'),
+        ]
         operations = [
             migrations.AddField(
                 model_name='sessionindex',
                 name='created',
                 field=models.DateTimeField(
                     auto_now_add=True, default=django.utils.timezone.now, verbose_name='created'
                 ),
                 preserve_default=False,
             ),
             migrations.AddField(
                 model_name='sessionindex',
                 name='logout_timestamp',
                 field=models.DateTimeField(null=True, verbose_name='Timestamp of the last logout'),
             ),
+        ]

     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import datetime
     from importlib import import_module
     from django.conf import settings
     from django.db import models
     from django.utils.timezone import now
     from django.utils.translation import gettext_lazy as _
-...
         saml_identifier = models.ForeignKey(
             verbose_name=_('SAML identifier'), to=UserSAMLIdentifier, on_delete=models.CASCADE
+        )
         created = models.DateTimeField(verbose_name=_('created'), auto_now_add=True)
         logout_timestamp = models.DateTimeField(verbose_name=_('Timestamp of the last logout'), null=True)
         @staticmethod
         def cleanup(cls):
         @classmethod
         def clean_session_indexes_after_logout(cls, delay_in_minutes=5, chunk_size=1000):
             session_engine = import_module(settings.SESSION_ENGINE)
             store = session_engine.SessionStore()
             ids = []
             for si in cls.objects.all():
                 if not store.exists(si.session_key):
                     ids.append(si.id)
             cls.objects.filter(id__in=ids).delete()
             try:
                 Session = store.model
             except AttributeError:
                 Session = None
             candidates = cls.objects.filter(
                 models.Q(logout_timestamp__lt=now() - datetime.timedelta(minutes=delay_in_minutes))
                 | models.Q(created__lt=now() - datetime.timedelta(days=1))
             )[:chunk_size]
             candidates_session_keys = candidates.values_list('session_key', flat=True)
             if Session is not None:
                 # fast path
                 existing_session_keys = Session.objects.filter(
                     session_key__in=candidates_session_keys
                 ).values_list('session_key', flat=True)
                 dead_session_keys = candidates_session_keys.difference(existing_session_keys)
             else:
                 dead_session_keys = []
                 for session_key in candidates_session_keys:
                     if not store.exists(session_key):
                         dead_session_keys.append(session_key)
             cls.objects.filter(session_key__in=dead_session_keys).delete()
         class Meta:
             verbose_name = _('SAML SessionIndex')

     from django.urls import reverse
     from django.utils.encoding import force_str
     from django.utils.http import urlencode
     from django.utils.timezone import now
     from django.utils.translation import gettext as _
     from django.views.decorators.csrf import csrf_exempt
     from django.views.generic import View
-...
                             try:
                                 session_indexes = models.SessionIndex.objects.filter(
                                     saml_identifier__user=request.user, saml_identifier__issuer__entity_id=issuer
                                 ).order_by('-id')[:1]
                                 ).order_by('-id')
                                 if not session_indexes:
                                     self.log.error('unable to find lasso session dump')
                                 else:
                                     session_dump = utils.make_session_dump(session_indexes)
                                     session_dump = utils.make_session_dump(session_indexes[:1])
                                     logout.setSessionFromDump(session_dump)
                                 session_indexes.update(logout_timestamp=now())
                                 logout.initRequest(issuer, lasso.HTTP_METHOD_REDIRECT)
                                 logout.buildRequestMsg()
                             except lasso.Error as e:
-...
             response = HttpResponseRedirect(next_url)
             if cookie_name in request.COOKIES:
                 response.delete_cookie(cookie_name)
             models.SessionIndex.clean_session_indexes_after_logout()
             return response
         TOKEN_SALT = 'mellon-logout-token'
-...
                 return None
             session_indexes = models.SessionIndex.objects.filter(
                 saml_identifier__user=request.user, saml_identifier__issuer__entity_id=issuer
             ).order_by('-id')[:1]
             ).order_by('-id')
             if not session_indexes:
                 return None
-...
                 'session_index_pk': session_indexes[0].pk,
+            }
             token = signing.dumps(token_content, salt=cls.TOKEN_SALT)
             session_indexes.update(logout_timestamp=now())
             return reverse('mellon_logout') + '?' + urlencode({'token': token})

         assert response.location == '/'
     def test_sso_slo_token(db, app, rf, idp, caplog, django_user_model):
     def test_sso_slo_token(db, app, rf, idp, caplog, django_user_model, freezer):
         from mellon.views import LogoutView
         caplog.set_level(logging.WARNING)
-...
         url, body, relay_state = idp.process_authn_request_redirect(response['Location'])
         response = app.post('/login/', params={'SAMLResponse': body, 'RelayState': relay_state})
         assert models.SessionIndex.objects.count() == 1
         assert models.SessionIndex.objects.filter(logout_timestamp__isnull=True).count() == 1
         request = rf.get('/whatever/')
         request.session = app.session
         request.user = django_user_model.objects.get()
         token_logout_url = LogoutView.make_logout_token_url(request, next_url='/somepath/')
         assert models.SessionIndex.objects.count() == 1
         assert models.SessionIndex.objects.filter(logout_timestamp__isnull=False).count() == 1
         assert token_logout_url
         app.session.flush()
         assert '_auth_user_id' not in app.session
-...
         assert urlparse.urlparse(response['Location']).path == '/singleLogout'
         url = idp.process_logout_request_redirect(response.location)
         caplog.clear()
         freezer.move_to(datetime.timedelta(minutes=6))
         response = app.get(url)
         assert len(caplog.records) == 0, 'logout failed'
         assert response.location == '/somepath/'
         assert models.SessionIndex.objects.count() == 0
+    -

Projet

Général

Profil

Produits Entr'ouvert » django-mellon

0008-misc-clean-SessionIndex-during-logout-69740.patch