From 4282a9509f40f618049dd5eded853eb217c2496d Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Wed, 22 Apr 2020 04:13:01 +0200
Subject: [PATCH 2/4] misc: add support for IDP-initiated SOAP SLO (#41949)
---
 mellon/templates/mellon/metadata.xml | 3 +++
 mellon/views.py | 18 ++++++++++++------
 2 files changed, 15 insertions(+), 6 deletions(-)
diff --git mellon/templates/mellon/metadata.xml mellon/templates/mellon/metadata.xml
index c67283e..333f98e 100644
--- mellon/templates/mellon/metadata.xml
+++ mellon/templates/mellon/metadata.xml
@@ -26,6 +26,9 @@ + {% for name_id_format in name_id_formats %} {{ name_id_format }} {% endfor %}
diff --git mellon/views.py mellon/views.py
index 9ebf645..1a77819 100644
--- mellon/views.py
+++ mellon/views.py
@@ -33,7 +33,7 @@ from django.shortcuts import render, resolve_url
 from django.urls import reverse
 from django.utils.http import urlencode
 from django.utils import six
-from django.utils.encoding import force_text
+from django.utils.encoding import force_text, force_str
 from django.contrib.auth import REDIRECT_FIELD_NAME
 from django.db import transaction
 from django.utils.translation import ugettext as _
@@ -505,17 +505,20 @@ login = transaction.non_atomic_requests(csrf_exempt(LoginView.as_view()))
 class LogoutView(ProfileMixin, LogMixin, View):
 def get(self, request, *args, **kwargs):
 if 'SAMLRequest' in request.GET:
- return self.idp_logout(request)
+ return self.idp_logout(request, request.META['QUERY_STRING'])
 elif 'SAMLResponse' in request.GET:
 return self.sp_logout_response(request)
 else:
 return self.sp_logout_request(request)
 
- def idp_logout(self, request):
+ def post(self, request, *args, **kwargs):
+ return self.idp_logout(request, force_str(request.body))
+
+ def idp_logout(self, request, msg):
 '''Handle logout request emitted by the IdP'''
 self.profile = logout = utils.create_logout(request)
 try:
- logout.processRequestMsg(request.META['QUERY_STRING'])
+ logout.processRequestMsg(msg)
 except lasso.Error as e:
 return HttpResponseBadRequest('error processing logout request: %r' % e)
 try:
@@ -530,7 +533,10 @@ class LogoutView(ProfileMixin, LogMixin, View):
 logout.buildResponseMsg()
 except lasso.Error as e:
 return HttpResponseBadRequest('error processing logout request: %r' % e)
- return HttpResponseRedirect(logout.msgUrl)
+ if logout.msgBody:
+ return HttpResponse(force_text(logout.msgBody), content_type='text/xml')
+ else:
+ return HttpResponseRedirect(logout.msgUrl)
 
 def sp_logout_request(self, request):
 '''Launch a logout request to the identity provider'''
@@ -586,7 +592,7 @@ class LogoutView(ProfileMixin, LogMixin, View):
 return HttpResponseRedirect(next_url)
 
 
-logout = LogoutView.as_view()
+logout = csrf_exempt(LogoutView.as_view())
 
 
 def metadata(request, **kwargs):
-- 
2.26.0
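Review bot: In the `@@ -505` hunk of mellon/views.py, the new `post()` decodes the body with `force_str(request.body)` before `idp_logout` enters its `try`/`except lasso.Error`, so on Python 3 a body that is not valid UTF-8 raises a decode error and ends as a 500 instead of the 400 used for other malformed logout requests. Catching it in `post()`, e.g. `except UnicodeDecodeError: return HttpResponseBadRequest('invalid logout request encoding')`, keeps the failure mode of this unauthenticated endpoint uniform. A SOAP logout also arrives on the IdP's back channel without the user's session cookie. The session-termination part of `idp_logout` lies outside this hunk, so it is worth confirming that it finds the sessions to end from the request's NameID/SessionIndex rather than from `request.session`.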
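Review bot: In the `@@ -530` hunk, only the success path was adapted to SOAP: `if logout.msgBody:` returns `text/xml`, while the surrounding failure paths still answer with `HttpResponseBadRequest('error processing logout request: %r' % e)`. Since `post()` now makes these paths reachable by any unauthenticated POST, the `%r` of the lasso exception is handed to arbitrary callers, and a SOAP peer receives an HTML error body rather than a SOAP response. I would log the exception server-side and return a fixed message such as `HttpResponseBadRequest('error processing logout request')`. A one-line comment on the new branch, `# msgBody is set when lasso built a SOAP response; otherwise redirect to msgUrl`, would also help, assuming that is lasso's contract. The start of `idp_logout` is outside this hunk.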
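Review bot: In the `@@ -586` hunk, `csrf_exempt` is applied to the whole `LogoutView` with no comment saying why that is safe. The exemption is needed for the IdP's SOAP POST, and it means the only authenticity check on a POSTed logout request is the SAML signature verification done by lasso, which is not visible in this patch. A test that posts an unsigned or wrongly signed LogoutRequest and expects a rejection would pin that down. I would add above the assignment `# CSRF-exempt: SOAP logout requests are posted by the IdP, not by a browser form; authenticity relies on the SAML signature check in idp_logout()`.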