From 32ca7a53d6ad3972110fb22b3cd643ccb47375e6 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Mon, 7 Nov 2022 15:53:34 +0100
Subject: [PATCH] misc: do not send logout requests if SingleLogout profile is not supported (#71041)

---
 mellon/utils.py | 17 ++++++++++++++---
 mellon/views.py | 5 ++++-
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/mellon/utils.py b/mellon/utils.py
index 04c2caa..68296d9 100644
--- a/mellon/utils.py
+++ b/mellon/utils.py
@@ -68,7 +68,7 @@ def create_metadata(request):
 return render_to_string('mellon/metadata.xml', ctx)
 
 
-def create_server(request):
+def create_server(request, remote_provider_id=None):
 root = request.build_absolute_uri('/')
 cache = getattr(settings, '_MELLON_SERVER_CACHE', {})
 if root not in cache:
@@ -109,6 +109,8 @@ def create_server(request):
 key = key[0]
 server.setEncryptionPrivateKeyWithPassword(key, password)
 for idp in get_idps():
+ if remote_provider_id and idp.get('ENTITY_ID') != remote_provider_id:
+ continue
 if idp and idp.get('METADATA'):
 try:
 server.addProviderFromBuffer(lasso.PROVIDER_ROLE_IDP, idp['METADATA'])
@@ -215,8 +217,8 @@ def make_session_dump(session_indexes):
 return render_to_string('mellon/session_dump.xml', {'session_indexes': session_indexes})
 
 
-def create_logout(request):
- server = create_server(request)
+def create_logout(request, remote_provider_id=None):
+ server = create_server(request, remote_provider_id=remote_provider_id)
 logout = lasso.Logout(server)
 if not app_settings.PRIVATE_KEY and not app_settings.PRIVATE_KEYS:
 logout.setSignatureHint(lasso.PROFILE_SIGNATURE_HINT_FORBID)
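Review bot: The `remote_provider_id` filter added to the `for idp in get_idps():` loop in the second utils.py hunk changes which providers a server is built with, but the cache lookup in the first hunk is still keyed on `root` alone (`if root not in cache:`), so if that loop sits inside the cache-miss branch (the hunk does not show it) a server built for one IdP is stored under the same key as the unfiltered one and handed back to later callers that expect every IdP, or a cached full server is returned when a filtered one was requested. Keying the cache on the pair, e.g. `cache_key = (root, remote_provider_id)` used in place of `root` for the lookup and the store, or bypassing the cache whenever `remote_provider_id` is set, avoids that. The third hunk's `create_logout(request, remote_provider_id=None)` forwards the new argument, but no call site in this patch passes it; views.py still calls `utils.create_logout(request)`. The bodies of `create_server` and `create_logout` continue outside the hunks.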
@@ -344,3 +346,12 @@ def get_local_path(request, url):
 if request.META.get('SCRIPT_NAME'):
 path = path[len(request.META['SCRIPT_NAME']) :]
 return path
+
+
+def is_slo_supported(request, issuer):
+ server = create_server(request, remote_provider_id=issuer)
+ # verify that at least one logout method is supported
+ return (
+ server.getFirstHttpMethod(server.providers[issuer], lasso.MD_PROTOCOL_TYPE_SINGLE_SIGN_ON)
+ != lasso.HTTP_METHOD_NONE
+ )
diff --git a/mellon/views.py b/mellon/views.py
index d6b80fd..69f9b9c 100644
--- a/mellon/views.py
+++ b/mellon/views.py
@@ -748,7 +748,7 @@ class LogoutView(ProfileMixin, LogMixin, View):
 logout = None
 try:
 issuer = request.session.get('mellon_session', {}).get('issuer')
- if issuer:
+ if issuer and utils.is_slo_supported(request, issuer=issuer):
 self.profile = logout = utils.create_logout(request)
 self.get_relay_state(create=True)
 try:
@@ -851,6 +851,9 @@ class LogoutView(ProfileMixin, LogMixin, View):
 issuer = request.session.get('mellon_session', {}).get('issuer')
 if not issuer:
 return None
+ # verify that at least one binding the logout profile is supported
+ if not utils.is_slo_supported(request, issuer=issuer):
+ return None
 session_indexes = models.SessionIndex.objects.filter(
 saml_identifier__user=request.user, saml_identifier__issuer__entity_id=issuer
 ).order_by('-id')
-- 
2.37.2
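Review bot: `is_slo_supported` queries `getFirstHttpMethod` with `lasso.MD_PROTOCOL_TYPE_SINGLE_SIGN_ON`, so it reports whether the IdP publishes a SingleSignOnService binding, not a SingleLogoutService one, which is what the commit subject and the comment above the call say is being checked; the logout profile's constant is `lasso.MD_PROTOCOL_TYPE_SINGLE_LOGOUT`, and as written an IdP that advertises SSO but no SLO endpoint still receives a LogoutRequest. Separately, `server.providers[issuer]` raises `KeyError` when the session's issuer is not among the providers that loaded (the IdP removed from settings, or its metadata rejected by `addProviderFromBuffer`), so callers get an exception instead of `False`; `provider = server.providers.get(issuer)` followed by `if provider is None: return False` makes the helper total. The function is fully contained in this hunk.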
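Review bot: The new `if not utils.is_slo_supported(request, issuer=issuer): return None` in the second views.py hunk runs outside any visible `try`, unlike the first views.py hunk where the same call sits under `try:`, so any exception the helper raises (it indexes `server.providers[issuer]` directly) surfaces from this method as an unhandled error rather than the `return None` the surrounding code uses for the no-issuer case. Either guard the call here as the first call site does, or make the helper itself return `False` for an unknown issuer so both call sites behave the same. The added comment is missing a word: `# verify that at least one binding of the logout profile is supported`. Both hunks are inside `LogoutView` methods whose bodies start and end outside the hunks.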