0001-adapters-update-new-UserSAMLIdentifier-fields-on-eac.patch
mellon/adapters.py | ||
---|---|---|
331 | 331 |
name_id = saml_attributes['name_id_content'] |
332 | 332 |
entity_id = saml_attributes['issuer'] |
333 | 333 |
try: |
334 |
to_update = { |
|
335 |
'nid_format': saml_attributes['name_id_format'], |
|
336 |
'nid_name_qualifier': saml_attributes.get('name_id_name_qualifier'), |
|
337 |
'nid_sp_name_qualifier': saml_attributes.get('name_id_sp_name_qualifier'), |
|
338 |
'nid_sp_provided_id': saml_attributes.get('name_id_sp_provided_id'), |
|
339 |
} |
|
334 | 340 |
saml_identifier = models.UserSAMLIdentifier.objects.select_related('user').get( |
335 | 341 |
name_id=name_id, issuer=models_utils.get_issuer(entity_id) |
336 | 342 |
) |
343 |
# nid_* attributes are new, we must update them if they are not initialized, eventually |
|
344 |
for key in to_update: |
|
345 |
if getattr(saml_identifier, key) != to_update[key]: |
|
346 |
models.UserSAMLIdentifier.objects.filter(pk=saml_identifier.pk).update(**to_update) |
|
347 |
break |
|
337 | 348 |
user = saml_identifier.user |
338 | 349 |
user.saml_identifier = saml_identifier |
339 | 350 |
logger.info('mellon: looked up user %s with name_id %s from issuer %s', user, name_id, entity_id) |
... | ... | |
463 | 474 |
name_id_content = saml_attributes['name_id_content'] |
464 | 475 |
if saml_attributes['name_id_format'] == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT: |
465 | 476 |
name_id_content = saml_attributes['transient_name_id_content'] |
477 |
to_update = { |
|
478 |
'nid_format': saml_attributes['name_id_format'], |
|
479 |
'nid_name_qualifier': saml_attributes.get('name_id_name_qualifier'), |
|
480 |
'nid_sp_name_qualifier': saml_attributes.get('name_id_sp_name_qualifier'), |
|
481 |
'nid_sp_provided_id': saml_attributes.get('name_id_sp_provided_id'), |
|
482 |
} |
|
466 | 483 |
saml_id, created = models.UserSAMLIdentifier.objects.get_or_create( |
467 | 484 |
name_id=name_id_content, |
468 | 485 |
issuer=models_utils.get_issuer(saml_attributes['issuer']), |
469 | 486 |
defaults={ |
470 | 487 |
'user': user, |
471 |
'nid_format': saml_attributes['name_id_format'], |
|
472 |
'nid_name_qualifier': saml_attributes.get('name_id_name_qualifier'), |
|
473 |
'nid_sp_name_qualifier': saml_attributes.get('name_id_sp_name_qualifier'), |
|
474 |
'nid_sp_provided_id': saml_attributes.get('name_id_sp_provided_id'), |
|
488 |
**to_update, |
|
475 | 489 |
}, |
476 | 490 |
) |
491 |
# nid_* attributes are new, we must update them eventually |
|
492 |
for key in to_update: |
|
493 |
if getattr(saml_id, key) != to_update[key]: |
|
494 |
models.UserSAMLIdentifier.objects.filter(pk=saml_id.pk).update(**to_update) |
|
495 |
break |
|
477 | 496 |
if created: |
478 | 497 |
user.saml_identifier = saml_id |
479 | 498 |
return user |
mellon/views.py | ||
---|---|---|
753 | 753 |
self.get_relay_state(create=True) |
754 | 754 |
try: |
755 | 755 |
session_indexes = models.SessionIndex.objects.filter( |
756 |
saml_identifier__user=request.user, saml_identifier__issuer__entity_id=issuer |
|
757 |
).order_by('-id') |
|
756 |
saml_identifier__user=request.user, |
|
757 |
saml_identifier__issuer__entity_id=issuer, |
|
758 |
session_key=request.session.session_key, |
|
759 |
) |
|
758 | 760 |
if not session_indexes: |
759 | 761 |
self.log.error('unable to find lasso session dump') |
760 | 762 |
else: |
761 |
session_dump = utils.make_session_dump(session_indexes[:1])
|
|
763 |
session_dump = utils.make_session_dump(session_indexes) |
|
762 | 764 |
logout.setSessionFromDump(session_dump) |
763 | 765 |
session_indexes.update(logout_timestamp=now()) |
764 | 766 |
logout.initRequest(issuer, lasso.HTTP_METHOD_REDIRECT) |
... | ... | |
812 | 814 |
token_content = signing.loads(token, salt=self.TOKEN_SALT) |
813 | 815 |
next_url = token_content['next_url'] or logout_next_url |
814 | 816 |
session_index_pk = token_content['session_index_pk'] |
815 |
session_indexes = models.SessionIndex.objects.filter(pk=session_index_pk) |
|
817 |
session_index = models.SessionIndex.objects.filter(pk=session_index_pk).first() |
|
818 |
session_indexes = models.SessionIndex.objects.filter( |
|
819 |
saml_identifier=session_index.saml_identifier, session_key=session_index.session_key |
|
820 |
) |
|
816 | 821 |
if session_indexes: |
817 | 822 |
session_dump = utils.make_session_dump(session_indexes) |
818 | 823 |
logout = utils.create_logout(request) |
tests/test_sso_slo.py | ||
---|---|---|
894 | 894 |
assert len(caplog.records) == 0, 'logout failed' |
895 | 895 |
assert response.location == '/somepath/' |
896 | 896 |
assert models.SessionIndex.objects.count() == 0 |
897 | ||
898 | ||
899 |
def test_sso_slo_update_of_new_fields(db, app, idp, caplog, sp_settings): |
|
900 |
response = app.get('/login/') |
|
901 |
url, body, relay_state = idp.process_authn_request_redirect(response['Location']) |
|
902 |
response = app.post( |
|
903 |
reverse('mellon_login'), params={'SAMLResponse': body, 'RelayState': relay_state} |
|
904 |
).follow() |
|
905 |
# violent logout |
|
906 |
app.session.flush() |
|
907 | ||
908 |
# remove existing fields |
|
909 |
models.UserSAMLIdentifier.objects.all().update( |
|
910 |
nid_format=None, nid_name_qualifier=None, nid_sp_name_qualifier=None, nid_sp_provided_id=None |
|
911 |
) |
|
912 | ||
913 |
response = app.get('/login/') |
|
914 |
url, body, relay_state = idp.process_authn_request_redirect(response['Location']) |
|
915 |
response = app.post( |
|
916 |
reverse('mellon_login'), params={'SAMLResponse': body, 'RelayState': relay_state} |
|
917 |
).follow() |
|
918 | ||
919 |
# check logout works |
|
920 |
response = app.get('/logout/') |
|
921 |
url = idp.process_logout_request_redirect(response.location) |
|
922 |
caplog.clear() |
|
923 |
response = app.get(url) |
|
924 |
assert len(caplog.records) == 0, 'logout failed' |
|
897 |
- |