From df9dd5364f8d9cba793da2d523270c17a4e8fe07 Mon Sep 17 00:00:00 2001
From: Valentin Samir
Date: Sat, 14 Nov 2015 00:17:31 +0100
Subject: [PATCH] On logout first invalidate all PGTs
---
 cas_server/models.py | 27 ++++++++++++++++-----------
 cas_server/views.py | 3 ++-
 2 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/cas_server/models.py b/cas_server/models.py
index 6a21d12..6543cdc 100644
--- a/cas_server/models.py
+++ b/cas_server/models.py
@@ -68,14 +68,14 @@ class User(models.Model):
 """Sending SLO request to all services the user logged in"""
 async_list = []
 session = FuturesSession(executor=ThreadPoolExecutor(max_workers=10))
- ticket_classes = [ServiceTicket, ProxyTicket, ProxyGrantingTicket]
+ # first invalidate all PGTs
+ ticket_classes = [ProxyGrantingTicket, ProxyTicket, ServiceTicket]
 for ticket_class in ticket_classes:
 for ticket in ticket_class.objects.filter(
 user=self,
 validate=True if ticket_class != ProxyGrantingTicket else False,
- single_log_out=True
 ):
- async_list.append(ticket.logout(request, session))
+ ticket.logout(request, session, async_list)
 ticket.delete()
 for future in async_list:
 if future:
@@ -361,12 +361,11 @@ class Ticket(models.Model):
 async_list = []
 session = FuturesSession(executor=ThreadPoolExecutor(max_workers=10))
 queryset = cls.objects.filter(
- single_log_out=True,
- validate=True,
+ validate=True if cls != ProxyGrantingTicket else False,
 creation__lt=(timezone.now() - timedelta(seconds=cls.TIMEOUT))
 )
 for ticket in queryset:
- async_list.append(ticket.logout(None, session))
+ ticket.logout(None, session, async_list)
 queryset.delete()
 for future in async_list:
 if future:
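Review bot: The docstring that opens the hunk, `"""Sending SLO request to all services the user logged in"""`, no longer describes the method: with the `single_log_out=True` filter line removed, every matching ticket is fetched and deleted, and whether an SLO request goes out is now decided inside `Ticket.logout`. Suggest `"""Delete all of the user's tickets (PGTs first, so no new proxy tickets can be issued meanwhile) and send an SLO request for those whose service opted in."""`. For a ProxyGrantingTicket, `ticket.logout(request, session, async_list)` writes `validate = True` through `save()` and the very next line deletes the row, so each PGT costs an UPDATE that is immediately discarded; if invalidating before deleting is intentional (to shorten the window in which the Proxy view can still find the PGT), a one-line comment saying so would help. The `if future:` guard at the end is now always true, since `async_list` only receives futures that `session.post` returned. The body of User.logout continues outside the hunk.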
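Review bot: `queryset.delete()` after the loop will not remove expired ProxyGrantingTickets: the queryset selects PGTs with `validate=False`, but `ticket.logout(None, session, async_list)` sets `validate = True` and saves each one, and Django's `QuerySet.delete()` re-runs the filter rather than deleting the rows already fetched, so by the time it runs no PGT matches. The expired PGTs would then remain in the table as invalidated rows and accumulate. Delete by primary key instead, e.g. `tickets = list(queryset)` before the loop and `cls.objects.filter(pk__in=[t.pk for t in tickets]).delete()` after it, or call `ticket.delete()` inside the loop as User.logout does. The enclosing classmethod starts before the hunk.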
@@ -375,9 +374,13 @@ class Ticket(models.Model):
 except Exception as error:
 sys.stderr.write("%r\n" % error)
- def logout(self, request, session):
+ def logout(self, request, session, async_list=None):
 """Send a SLO request to the ticket service"""
- if (self.validate or isinstance(self, ProxyGrantingTicket)) and self.single_log_out:
+ if isinstance(self, ProxyGrantingTicket):
+ # On logout invalidate the PGT
+ self.validate = True
+ self.save()
+ if self.validate and self.single_log_out:
 try:
 xml = u"""
@@ -393,9 +396,11 @@ class Ticket(models.Model):
 url = self.service_pattern.single_log_out_callback
 else:
 url = self.service
- return session.post(
- url.encode('utf-8'),
- data={'logoutRequest': xml.encode('utf-8')},
+ async_list.append(
+ session.post(
+ url.encode('utf-8'),
+ data={'logoutRequest': xml.encode('utf-8')},
+ )
 )
 except Exception as error:
 if request is not None:
diff --git a/cas_server/views.py b/cas_server/views.py
index d0c4cbe..31e672c 100644
--- a/cas_server/views.py
+++ b/cas_server/views.py
@@ -623,7 +623,8 @@ class Proxy(View):
 # is the proxy granting ticket valid
 ticket = ProxyGrantingTicket.objects.get(
 value=self.pgt,
- creation__gt=(timezone.now() - timedelta(seconds=ProxyGrantingTicket.VALIDITY))
+ creation__gt=(timezone.now() - timedelta(seconds=ProxyGrantingTicket.VALIDITY)),
+ validate=False
 )
 # is the pgt user allowed on the target service
 pattern.check_user(ticket.user)
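Review bot: The new `async_list=None` default in the `def logout` signature cannot actually be used: the only use of the parameter is `async_list.append(session.post(...))` in the following hunk, which raises AttributeError on None, and that error is then caught by the `except Exception` branch right after it (what that branch does when `request` is None lies outside the hunk), so a caller relying on the default silently sends no SLO request. Either make the parameter required or add `if async_list is None: async_list = []` at the top of the method. The PGT branch also deserves a sentence in the docstring, because `validate = True` on a ProxyGrantingTicket means "invalidated" while on the other ticket classes it means "consumed": `"""Send a SLO request to the ticket service; a PGT is first marked invalid (validate=True) so that the Proxy view stops issuing proxy tickets for it."""`. Since only `validate` changes, `self.save(update_fields=['validate'])` would narrow the write to that column.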
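Review bot: The added `validate=False` condition deserves a comment, because on a ProxyGrantingTicket `validate=True` means the PGT was invalidated by logout (models.py sets it in `Ticket.logout`), the opposite of what the field name means on a ServiceTicket; suggest `# validate=True marks a PGT invalidated by logout; only a still-valid PGT may issue proxy tickets`. With the extra condition, `objects.get` now raises DoesNotExist for an invalidated PGT as well as for an unknown or expired one, so check that the handler for that exception, which lies outside the hunk, treats this new path the same way. The enclosing method starts before the hunk.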