0002-views-improve-handling-of-next_url-for-sp-initiated-.patch
| mellon/views.py | ||
|---|---|---|
| 723 | 723 | |
| 724 | 724 |
def sp_logout_request(self, request): |
| 725 | 725 |
'''Launch a logout request to the identity provider''' |
| 726 |
next_url = request.GET.get(REDIRECT_FIELD_NAME) |
|
| 727 | 726 |
referer = request.headers.get('Referer')
|
| 727 |
field_next_url = request.GET.get(REDIRECT_FIELD_NAME) |
|
| 728 |
next_url = None |
|
| 729 |
if field_next_url and utils.same_origin(request.build_absolute_uri(), field_next_url): |
|
| 730 |
next_url = field_next_url |
|
| 731 |
next_url = next_url or '/' |
|
| 728 | 732 |
if not referer or utils.same_origin(request.build_absolute_uri(), referer): |
| 729 | 733 |
if hasattr(request, 'user') and request.user.is_authenticated: |
| 730 | 734 |
logout = None |
| ... | ... | |
| 754 | 758 |
self.log.info('user logged out, SLO request sent to IdP')
|
| 755 | 759 |
else: |
| 756 | 760 |
# anonymous user: if next_url is None redirect to referer |
| 757 |
return HttpResponseRedirect(next_url or referer)
|
|
| 761 |
return HttpResponseRedirect(next_url) |
|
| 758 | 762 |
else: |
| 759 | 763 |
self.log.warning('logout refused referer %r is not of the same origin', referer)
|
| 760 | 764 |
return HttpResponseRedirect(next_url) |
| ... | ... | |
| 774 | 778 |
self.log.warning('partial logout')
|
| 775 | 779 |
except lasso.Error as e: |
| 776 | 780 |
self.log.warning('unable to process a logout response: %s', e)
|
| 777 |
return HttpResponseRedirect(resolve_url(settings.LOGIN_REDIRECT_URL)) |
|
| 778 |
next_url = self.get_next_url(default=resolve_url(settings.LOGIN_REDIRECT_URL)) |
|
| 779 |
return HttpResponseRedirect(next_url) |
|
| 781 |
return HttpResponseRedirect(self.get_next_url() or '/') |
|
| 780 | 782 | |
| 781 | 783 | |
| 782 | 784 |
logout = csrf_exempt(LogoutView.as_view()) |
| tests/test_sso_slo.py | ||
|---|---|---|
| 254 | 254 | |
| 255 | 255 |
# again, user is already logged out |
| 256 | 256 |
response = app.get(reverse('mellon_logout'), extra_environ={'HTTP_REFERER': '/some/path'})
|
| 257 |
assert urlparse.urlparse(response['Location']).path == '/some/path'
|
|
| 257 |
assert urlparse.urlparse(response['Location']).path == '/' |
|
| 258 | 258 | |
| 259 | 259 | |
| 260 | 260 |
def test_sso_slo_next(db, app, idp, caplog, sp_settings): |
| 261 | 261 |
response = app.get(reverse('mellon_login'))
|
| 262 | 262 |
url, body, relay_state = idp.process_authn_request_redirect(response['Location']) |
| 263 | 263 |
response = app.post(reverse('mellon_login'), params={'SAMLResponse': body, 'RelayState': relay_state})
|
| 264 |
response = app.get(reverse('mellon_logout') + '?next=/some/path/')
|
|
| 264 |
response = app.get( |
|
| 265 |
reverse('mellon_logout') + '?next=/some/path/', extra_environ={'HTTP_REFERER': '/other/path'}
|
|
| 266 |
) |
|
| 265 | 267 |
assert urlparse.urlparse(response['Location']).path == '/singleLogout' |
| 266 | 268 |
url = idp.process_logout_request_redirect(response.location) |
| 267 | 269 |
response = app.get(url) |
| 268 |
- |
|