saml: create a new session if expired during passive SSO (#72898) #14
|
@ -674,3 +674,34 @@ def test_no_opened_session_cookie(pub):
|
||||||
assert resp.status_int == 200
|
assert resp.status_int == 200
|
||||||
cookie_name = '%s-passive-auth-tried' % pub.config.session_cookie_name
|
cookie_name = '%s-passive-auth-tried' % pub.config.session_cookie_name
|
||||||
assert cookie_name not in app.cookies
|
assert cookie_name not in app.cookies
|
||||||
|
|
||||||
|
|
||||||
|
def test_expired_opened_session_cookie_menu_json(pub):
|
||||||
|
app = get_app(pub)
|
||||||
|
app.get('/') # init pub, set app_dir, etc.
|
||||||
|
|
||||||
|
pub.site_options.set('options', 'idp_session_cookie_name', 'IDP_OPENED_SESSION')
|
||||||
|
with open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w') as fd:
|
||||||
|
pub.site_options.write(fd)
|
||||||
|
|
||||||
|
app.set_cookie('IDP_OPENED_SESSION', '1')
|
||||||
|
|
||||||
|
# simulate a saml login
|
||||||
|
user = pub.user_class()
|
||||||
|
user.store()
|
||||||
|
request = mock.Mock()
|
||||||
|
request.get_environ.return_value = '1.1.1.1'
|
||||||
|
with mock.patch('quixote.session.get_request', return_value=request), mock.patch(
|
||||||
|
'wcs.qommon.saml2', return_value=mock.Mock(cookies={'IDP_OPENED_SESSION': '2'})
|
||||||
|
):
|
||||||
|
session = get_session_manager().session_class(id=None)
|
||||||
|
session.set_user(user.id)
|
||||||
|
session.opened_session_value = '2'
|
||||||
|
session.id = 'abcd'
|
||||||
|
session.store()
|
||||||
|
app.set_cookie(pub.config.session_cookie_name, session.id)
|
||||||
|
app.set_cookie(pub.config.session_cookie_name + '-passive-auth-tried', '3')
|
||||||
|
|
||||||
|
# access to a restricted page with no session on the idp or passive sso already tried
|
||||||
|
app.set_cookie('IDP_OPENED_SESSION', '3')
|
||||||
|
app.get('/backoffice/menu.json', status=302)
|
||||||
|
|
|
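Review bot: The final request in `test_expired_opened_session_cookie_menu_json` asserts only `status=302`, so the test would still pass if the redirect pointed somewhere unexpected or if the stale session `abcd` stayed usable. Capturing the response with `resp = app.get('/backoffice/menu.json', status=302)` and asserting on `resp.location` would pin the behaviour the fix is meant to give. If the expiry path is expected to replace the session, also assert that the session cookie in `app.cookies` no longer carries `abcd`. The set-up reaches the branch through equal `IDP_OPENED_SESSION` and passive-auth-tried cookies (both `'3'`), so the other half of the condition, where the IdP cookie is absent, is not exercised here. A short comment saying that the stored `opened_session_value` of `'2'` against a cookie of `'3'` is presumably what makes the session count as expired would help the next reader.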
@ -347,7 +347,13 @@ class RootDirectory(Directory):
|
||||||
if idp_session_cookie_name not in cookies or cookies.get(idp_session_cookie_name) == cookies.get(
|
if idp_session_cookie_name not in cookies or cookies.get(idp_session_cookie_name) == cookies.get(
|
||||||
passive_tried_cookie_name
|
passive_tried_cookie_name
|
||||||
):
|
):
|
||||||
# no session on the idp or passive sso already tried, stop here.
|
# no session on the idp or passive sso already tried, init a new session if necessary
|
||||||
|
# (because it was explicitly expired just above), then let the flow continue and the
|
||||||
|
# expected page be served.
|
||||||
|
if get_session() is None:
|
||||||
|
# init a new session
|
||||||
|
get_publisher().session_manager.start_request()
|
||||||
|
get_publisher().session_manager.maintain_session(get_session())
|
||||||
return
|
return
|
||||||
response.set_cookie(
|
response.set_cookie(
|
||||||
passive_tried_cookie_name,
|
passive_tried_cookie_name,
|
||||||
|
|
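Review bot: In the added `if get_session() is None:` block, `maintain_session(get_session())` depends on `start_request()` having attached a session to the request. That is not visible in this hunk, and if it did not happen, `None` would be handed to `maintain_session`. Binding `session_manager = get_publisher().session_manager` once and reading the session a single time after `start_request()` makes that dependency explicit and drops the duplicated lookup. Since the client still presents the cookie of the session that was expired just above the hunk, it is worth confirming that the replacement session gets a fresh id rather than reusing the presented one. The inner `# init a new session` comment repeats the block comment above it and can go; the enclosing method starts and ends outside the hunk.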