Skip to content
Snippets Groups Projects
Unverified Commit 0c1892d4 authored by metabase-bot[bot]'s avatar metabase-bot[bot] Committed by GitHub
Browse files

Often SLO won't be setup on the IdP but we should still delete the session. (#40459) (#40471) 


* Often slo won't be setup, but we should still delete the session

* test that we delete the session even when "/handle_slo" is not called

* cleanup test

* take the cookie from the session, not as a parameter

Co-authored-by: default avatarbryan <bryan.maass@gmail.com>
parent b523d0fa
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
enterprise/backend/src/metabase_enterprise/sso/api/sso.clj
+ 23
16
View file @ 0c1892d4
......@@ -10,10 +10,12 @@
[metabase-enterprise.sso.integrations.saml]
[metabase-enterprise.sso.integrations.sso-settings :as sso-settings]
[metabase.api.common :as api]
[metabase.server.middleware.session :as mw.session]
[metabase.util :as u]
[metabase.util.i18n :refer [trs]]
[metabase.util.log :as log]
[metabase.util.malli :as mu]
[metabase.util.malli.schema :as ms]
[metabase.util.urls :as urls]
[saml20-clj.core :as saml]
[saml20-clj.encode-decode :as encode-decode]
......@@ -68,22 +70,27 @@
;; POST /auth/sso/logout
(api/defendpoint POST "/logout"
"Logout."
[:as {:keys [metabase-session-id]}]
(api/check-exists? :model/Session metabase-session-id)
(let [{:keys [email sso_source]}
(t2/query-one {:select [:u.email :u.sso_source]
:from [[:core_user :u]]
:join [[:core_session :session] [:= :u.id :session.user_id]]
:where [:= :session.id metabase-session-id]})]
{:saml-logout-url
(when (and (sso-settings/saml-enabled)
(= sso_source "saml"))
(saml/logout-redirect-location
:idp-url (sso-settings/saml-identity-provider-uri)
:issuer (sso-settings/saml-application-name)
:user-email email
:relay-state (encode-decode/str->base64
(str (urls/site-url) metabase-slo-redirect-url))))}))
[:as {cookies :cookies}]
{cookies [:map [mw.session/metabase-session-cookie [:map [:value ms/NonBlankString]]]]}
(let [metabase-session-id (get-in cookies [mw.session/metabase-session-cookie :value])]
(api/check-exists? :model/Session metabase-session-id)
(let [{:keys [email sso_source]}
(t2/query-one {:select [:u.email :u.sso_source]
:from [[:core_user :u]]
:join [[:core_session :session] [:= :u.id :session.user_id]]
:where [:= :session.id metabase-session-id]})]
;; If a user doesn't have SLO setup on their IdP,
;; they will never hit "/handle_slo" so we must delete the session here:
(t2/delete! :model/Session :id metabase-session-id)
{:saml-logout-url
(when (and (sso-settings/saml-enabled)
(= sso_source "saml"))
(saml/logout-redirect-location
:idp-url (sso-settings/saml-identity-provider-uri)
:issuer (sso-settings/saml-application-name)
:user-email email
:relay-state (encode-decode/str->base64
(str (urls/site-url) metabase-slo-redirect-url))))})))
;; POST /auth/sso/handle_slo
(api/defendpoint POST "/handle_slo"
......
enterprise/backend/test/metabase_enterprise/sso/integrations/saml_test.clj
+ 13
0
View file @ 0c1892d4
......@@ -671,3 +671,16 @@
"After a successful log-out, you don't have a session")
(is (not (t2/exists? :model/Session :id session-id))
"After a successful log-out, the session is deleted")))))))
(deftest logout-should-delete-session-when-idp-slo-conf-missing-test
(testing "Missing SAML SLO config logouts should still delete the user's session."
(let [session-id (str (random-uuid))]
(mt/with-temp [:model/User user {:email "saml_test@metabase.com" :sso_source "saml"}
:model/Session _ {:user_id (:id user) :id session-id}]
(is (t2/exists? :model/Session :id session-id))
(let [req-options (-> (saml-post-request-options
(saml-test-response)
(saml/str->base64 default-redirect-uri))
(assoc-in [:request-options :cookies mw.session/metabase-session-cookie :value] session-id))]
(client :post "/auth/sso/logout" req-options)
(is (not (t2/exists? :model/Session :id session-id))))))))
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment