diff --git a/app/models.py b/app/models.py
index 5e65808..c8adecd 100644
--- a/app/models.py
+++ b/app/models.py
@@ -366,7 +366,9 @@ class User(db.Model):
 if self.role.name == "Administrator":
 return True
- query = self.get_domain_query().filter(Domain.name == domain_name)
+ query = db.session.query(User, DomainUser, Domain).filter(User.id == self.id).filter(
+ User.id == DomainUser.user_id).filter(Domain.id == DomainUser.domain_id).filter(
+ Domain.name == domain_name)
 return query.count() >= 1
 def delete(self):
diff --git a/app/views.py b/app/views.py
index 09071f1..254bf74 100644
--- a/app/views.py
+++ b/app/views.py
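Review bot: The rewritten domain check in the `+` lines builds the join by hand with three chained `.filter()` calls over `db.session.query(User, DomainUser, Domain)`; the relationship reads more clearly as explicit joins, `db.session.query(Domain).join(DomainUser, DomainUser.domain_id == Domain.id).filter(DomainUser.user_id == self.id, Domain.name == domain_name)`, and the existence test as `query.first() is not None` instead of `query.count() >= 1`, which counts every matching row only to compare the total with 1. The enclosing method starts outside the hunk, so its name and docstring are not visible here. Since this is the authorization gate for non-administrators (the `Administrator` short-circuit sits just above), a one-line comment such as `# non-admins may act on a domain only when a DomainUser row links them to it` would tell the next reader what the join is deciding.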
@@ -380,15 +380,45 @@ def login():
 error = e.message['desc'] if 'desc' in e.message else e
 return render_template('register.html', error=error)
-@app.route('/logout')
-def logout():
+def clear_session():
 session.pop('user_id', None)
 session.pop('github_token', None)
 session.pop('google_token', None)
 session.clear()
 logout_user()
+
+@app.route('/logout')
+def logout():
+ if app.config.get('SAML_ENABLED') and 'samlSessionIndex' in session and app.config.get('SAML_LOGOUT'):
+ req = utils.prepare_flask_request(request)
+ auth = utils.init_saml_auth(req)
+ if app.config.get('SAML_LOGOUT_URL'):
+ return redirect(auth.logout(name_id_format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+ return_to = app.config.get('SAML_LOGOUT_URL'),
+ session_index = session['samlSessionIndex'], name_id=session['samlNameId']))
+ return redirect(auth.logout(name_id_format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+ session_index = session['samlSessionIndex'],
+ name_id=session['samlNameId']))
+ clear_session()
+ redirect_url = url_for('login')
 return redirect(url_for('login'))
+@app.route('/saml/sls')
+def saml_logout():
+ req = utils.prepare_flask_request(request)
+ auth = utils.init_saml_auth(req)
+ url = auth.process_slo()
+ errors = auth.get_errors()
+ if len(errors) == 0:
+ clear_session()
+ if url is not None:
+ return redirect(url)
+ elif app.config.get('SAML_LOGOUT_URL'):
+ return redirect(app.config.get('SAML_LOGOUT_URL'))
+ else:
+ return redirect(url_for('index'))
+ else:
+ return render_template('errors/SAML.html', errors=errors)
 @app.route('/dashboard', methods=['GET', 'POST'])
 @login_required
diff --git a/config_template.py b/config_template.py
index 0e79766..73496fd 100644
--- a/config_template.py
+++ b/config_template.py
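Review bot: In the new `logout()`, the SAML branch returns the IdP redirect before `clear_session()` is reached, so the local Flask session and the flask-login user stay authenticated until the IdP calls back `/saml/sls`, and indefinitely if the user never completes that round trip; read the values first and clear locally before leaving, `session_index = session['samlSessionIndex']`, `name_id = session.get('samlNameId')`, `clear_session()`, then pass the two locals to `auth.logout(...)`. The guard only checks `'samlSessionIndex' in session`, so `session['samlNameId']` raises `KeyError` whenever that second key is absent. `redirect_url = url_for('login')` is assigned and never used; the next line calls `url_for('login')` again. In `saml_logout()`, `if len(errors) == 0:` reads more naturally as `if not errors:`, and the new `@app.route('/saml/sls')` follows `logout()`'s `return` with no blank line between the two top-level functions. If `auth` is a python3-saml `OneLogin_Saml2_Auth`, `auth.process_slo(delete_session_cb=clear_session)` would also tie the local cleanup to a validated logout message rather than to the separate error check — worth confirming against the helper in `utils`.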
@@ -92,6 +92,13 @@ SAML_METADATA_CACHE_LIFETIME = 1
 SAML_SP_ENTITY_ID = 'http://'
 SAML_SP_CONTACT_NAME = ''
 SAML_SP_CONTACT_MAIL = ''
+#Use SAML standard logout mechanism retreived from idp metadata
+#If configured false don't care about SAML session on logout.
+#Logout from PowerDNS-Admin only and keep SAML session authenticated.
+SAML_LOGOUT = False
+#Configure to redirect to a different url then PowerDNS-Admin login after SAML logout
+#for example redirect to google.com after successful saml logout
+#SAML_LOGOUT_URL = 'https://google.com'
 #Default Auth
 BASIC_ENABLED = True
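Review bot: The added comment lines carry two typos that will be copied into every generated config: `retreived` should be `retrieved` on the first `+` line, and `then` should be `than` in `a different url then PowerDNS-Admin login`. The block could also state what happens when `SAML_LOGOUT_URL` is left commented out — the `/saml/sls` handler added in views.py falls back to `url_for('index')` in that case — for example `#If unset, the user lands on the PowerDNS-Admin index page after the IdP logout completes`. A comment noting that `SAML_LOGOUT = False` leaves the IdP session alive after a local logout is already present, which is the right thing to call out next to a default of `False`.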