Make backchannel SLO a configurable feature

Backchannel SLO introduces new dependencies and is perhaps not needed /
wanted by everyone.
Disable it by default.

Author: egroeper

shibboleth/app_settings.py

@@ -26,3 +26,6 @@
 #LOGOUT_REDIRECT_URL specifies a default logout page that will always be used when
 #users logout from Shibboleth.
 LOGOUT_REDIRECT_URL = getattr(settings, 'SHIBBOLETH_LOGOUT_REDIRECT_URL', None)
+
+# back-channel SLO
+SINGLE_LOGOUT_BACKCHANNEL = getattr(settings, 'SHIBBOLETH_SINGLE_LOGOUT_BACKCHANNEL', False)

shibboleth/tests/test_shib.py

@@ -60,6 +60,7 @@
 
 settings.SHIBBOLETH_LOGOUT_URL = 'https://sso.school.edu/logout?next=%s'
 settings.SHIBBOLETH_LOGOUT_REDIRECT_URL = 'http://school.edu/'
+settings.SHIBBOLETH_SINGLE_LOGOUT_BACKCHANNEL = True
 
 # MUST be imported after the settings above
 from shibboleth import app_settings

shibboleth/urls.py

@@ -1,17 +1,25 @@
 import django
 from django.conf.urls import url
-from spyne.protocol.soap import Soap11
-from spyne.server.django import DjangoView
+from shibboleth.app_settings import SINGLE_LOGOUT_BACKCHANNEL
 
-from .views import ShibbolethView, ShibbolethLogoutView, ShibbolethLoginView, LogoutNotificationService
+from .views import ShibbolethView, ShibbolethLogoutView, ShibbolethLoginView
 
 urlpatterns = [
     url(r'^login/$', ShibbolethLoginView.as_view(), name='login'),
     url(r'^logout/$', ShibbolethLogoutView.as_view(), name='logout'),
     url(r'^$', ShibbolethView.as_view(), name='info'),
-    url(r'^logoutNotification/', DjangoView.as_view(
-        services=[LogoutNotificationService], tns='urn:mace:shibboleth:2.0:sp:notify',
-        in_protocol=Soap11(), out_protocol=Soap11())),
-        #cache_wsdl=False)),
-        #FIXME Soap11(validator='lxml') - validation would be nice, but needs adjusted model to support logout type attribute
 ]
+
+if SINGLE_LOGOUT_BACKCHANNEL:
+    from spyne.protocol.soap import Soap11
+    from spyne.server.django import DjangoView
+    from .slo_view import LogoutNotificationService
+
+    urlpatterns += [
+        url(r'^logoutNotification/', DjangoView.as_view(
+            services=[LogoutNotificationService],
+            tns='urn:mace:shibboleth:2.0:sp:notify',
+            in_protocol=Soap11(), out_protocol=Soap11())),
+        #FIXME Soap11(validator='lxml') - validation would be nice,
+        # but needs adjusted model to support logout type attribute
+    ]

shibboleth/views.py

@@ -6,7 +6,6 @@
 from django.shortcuts import redirect
 from django.utils.decorators import method_decorator
 from django.views.generic import TemplateView
-from django.contrib.sessions.models import Session
 
 try:
     from django.utils.six.moves.urllib.parse import quote
@@ -15,19 +14,6 @@
 
 #Logout settings.
 from shibboleth.app_settings import LOGOUT_URL, LOGOUT_REDIRECT_URL
-from shibboleth.models import ShibSession
-
-#SLO (back-channel) / spyne stuff
-from spyne.model.primitive import Unicode
-#from spyne.model import XmlAttribute
-try:
-    from spyne.service import Service
-except ImportError:
-    from spyne.service import ServiceBase as Service
-
-from spyne.decorator import rpc
-from spyne import ComplexModel
-from spyne.model.fault import Fault
 
 
 class ShibbolethView(TemplateView):
@@ -90,31 +76,3 @@ def get(self, request, *args, **kwargs):
                  quote(request.build_absolute_uri())
         logout = LOGOUT_URL % target
         return redirect(logout)
-
-
-class OKType(ComplexModel):
-    pass
-
-
-class MandatoryUnicode(Unicode):
-    class Attributes(Unicode.Attributes):
-        nullable = False
-        min_occurs = 1
-
-
-class LogoutNotificationService(Service):
-    @rpc(MandatoryUnicode, _returns=OKType,
-         _in_variable_names={'sessionid': 'SessionID'},
-         _out_variable_name='OK',
-         )
-    def LogoutNotification(ctx, sessionid):
-        # delete user session based on shib session
-        try:
-            session_mapping = ShibSession.objects.get(shib=sessionid)
-        except:
-            # Can't delete session
-            raise Fault(faultcode='Client', faultstring='Invalid session id')
-        else:
-            # Deleting session
-            Session.objects.filter(session_key=session_mapping.session_id).delete()
-            return True