Merge pull request #13 from nomennesc-io/master

fixed access check for non-administrators

app/models.py

@@ -366,7 +366,9 @@ class User(db.Model):
         if self.role.name == "Administrator":
             return True
 
-        query = self.get_domain_query().filter(Domain.name == domain_name)
+        query = db.session.query(User, DomainUser, Domain).filter(User.id == self.id).filter(
+            User.id == DomainUser.user_id).filter(Domain.id == DomainUser.domain_id).filter(
+            Domain.name == domain_name)
         return query.count() >= 1
 
     def delete(self):

app/views.py

@@ -380,15 +380,45 @@ def login():
             error = e.message['desc'] if 'desc' in e.message else e
             return render_template('register.html', error=error)
 
-@app.route('/logout')
+def clear_session():
-def logout():
     session.pop('user_id', None)
     session.pop('github_token', None)
     session.pop('google_token', None)
     session.clear()
     logout_user()
+
+@app.route('/logout')
+def logout():
+    if app.config.get('SAML_ENABLED') and 'samlSessionIndex' in session and app.config.get('SAML_LOGOUT'):
+        req = utils.prepare_flask_request(request)
+        auth = utils.init_saml_auth(req)
+        if app.config.get('SAML_LOGOUT_URL'):
+            return redirect(auth.logout(name_id_format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+                                        return_to = app.config.get('SAML_LOGOUT_URL'),
+                            session_index = session['samlSessionIndex'], name_id=session['samlNameId']))
+        return redirect(auth.logout(name_id_format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+                        session_index = session['samlSessionIndex'],
+                                    name_id=session['samlNameId']))
+    clear_session()
+    redirect_url = url_for('login')
     return redirect(url_for('login'))
 
+@app.route('/saml/sls')
+def saml_logout():
+    req = utils.prepare_flask_request(request)
+    auth = utils.init_saml_auth(req)
+    url = auth.process_slo()
+    errors = auth.get_errors()
+    if len(errors) == 0:
+        clear_session()
+        if url is not None:
+            return redirect(url)
+	elif app.config.get('SAML_LOGOUT_URL'):
+	    return redirect(app.config.get('SAML_LOGOUT_URL'))
+        else:
+            return redirect(url_for('index'))
+    else:
+        return render_template('errors/SAML.html', errors=errors)
 
 @app.route('/dashboard', methods=['GET', 'POST'])
 @login_required

config_template.py

@@ -92,6 +92,13 @@ SAML_METADATA_CACHE_LIFETIME = 1
 SAML_SP_ENTITY_ID = 'http://<SAML SP Entity ID>'
 SAML_SP_CONTACT_NAME = '<contact name>'
 SAML_SP_CONTACT_MAIL = '<contact mail>'
+#Use SAML standard logout mechanism retreived from idp metadata
+#If configured false don't care about SAML session on logout.
+#Logout from PowerDNS-Admin only and keep SAML session authenticated.
+SAML_LOGOUT = False
+#Configure to redirect to a different url then PowerDNS-Admin login after SAML logout
+#for example redirect to google.com after successful saml logout
+#SAML_LOGOUT_URL = 'https://google.com'
 
 #Default Auth
 BASIC_ENABLED = True