Introduce SAML SP-initiated Logout to SATOSA proxy

src/satosa/backends/base.py

@@ -10,13 +10,14 @@ class BackendModule(object):
     Base class for a backend module.
     """
 
-    def __init__(self, auth_callback_func, internal_attributes, base_url, name):
+    def __init__(self, auth_callback_func, internal_attributes, base_url, name, logout_callback_func=None):
         """
         :type auth_callback_func:
         (satosa.context.Context, satosa.internal.InternalData) -> satosa.response.Response
         :type internal_attributes: dict[string, dict[str, str | list[str]]]
         :type base_url: str
         :type name: str
+        :type logout_callback_func:
 
         :param auth_callback_func: Callback should be called by the module after
                                    the authorization in the backend is done.
@@ -25,8 +26,11 @@ def __init__(self, auth_callback_func, internal_attributes, base_url, name):
         RP's expects namevice.
         :param base_url: base url of the service
         :param name: name of the plugin
+        :param logout_callback_func: Callback should be called by the module after
+                                     the logout in the backend is complete
         """
         self.auth_callback_func = auth_callback_func
+        self.logout_callback_func = logout_callback_func
         self.internal_attributes = internal_attributes
         self.converter = AttributeMapper(internal_attributes)
         self.base_url = base_url
@@ -46,6 +50,20 @@ def start_auth(self, context, internal_request):
         """
         raise NotImplementedError()
 
+    def start_logout(self, context, internal_request):
+        """
+        This is the start up function of the backend logout.
+
+        :type context: satosa.context.Context
+        :type internal_request: satosa.internal.InternalData
+        :rtype
+
+        :param context: the request context
+        :param internal_request: Information about the logout request
+        :return:
+        """
+        raise NotImplementedError()
+
     def register_endpoints(self):
         """
         Register backend functions to endpoint urls.

src/satosa/backends/reflector.py

@@ -21,6 +21,7 @@ def __init__(self, outgoing, internal_attributes, config, base_url, name):
         """
         :type outgoing:
         (satosa.context.Context, satosa.internal.InternalData) -> satosa.response.Response
+
         :type internal_attributes: dict[str, dict[str, list[str] | str]]
         :type config: dict[str, Any]
         :type base_url: str

src/satosa/backends/saml2.py

@@ -17,6 +17,7 @@
 from saml2.authn_context import requested_authn_context
 from saml2.samlp import RequesterID
 from saml2.samlp import Scoping
+from saml2.saml import NameID
 
 import satosa.logging_util as lu
 import satosa.util as util
@@ -25,10 +26,12 @@
 from satosa.base import STATE_KEY as STATE_KEY_BASE
 from satosa.context import Context
 from satosa.internal import AuthenticationInformation
+from satosa.internal import LogoutInformation
 from satosa.internal import InternalData
 from satosa.exception import SATOSAAuthenticationError
 from satosa.exception import SATOSAMissingStateError
 from satosa.exception import SATOSAAuthenticationFlowError
+from satosa.exception import SATOSAUnknownError
 from satosa.response import SeeOther, Response
 from satosa.saml_util import make_saml_response
 from satosa.metadata_creation.description import (
@@ -92,23 +95,25 @@ class SAMLBackend(BackendModule, SAMLBaseModule):
 
     VALUE_ACR_COMPARISON_DEFAULT = 'exact'
 
-    def __init__(self, outgoing, internal_attributes, config, base_url, name):
+    def __init__(self, outgoing, internal_attributes, config, base_url, name, logout):
         """
         :type outgoing:
         (satosa.context.Context, satosa.internal.InternalData) -> satosa.response.Response
         :type internal_attributes: dict[str, dict[str, list[str] | str]]
         :type config: dict[str, Any]
         :type base_url: str
         :type name: str
+        :type logout:
 
         :param outgoing: Callback should be called by the module after
                                    the authorization in the backend is done.
         :param internal_attributes: Internal attribute map
         :param config: The module config
         :param base_url: base url of the service
         :param name: name of the plugin
+        :param logout: Logout callback
         """
-        super().__init__(outgoing, internal_attributes, base_url, name)
+        super().__init__(outgoing, internal_attributes, base_url, name, logout)
         self.config = self.init_config(config)
 
         self.discosrv = config.get(SAMLBackend.KEY_DISCO_SRV)
@@ -196,6 +201,26 @@ def start_auth(self, context, internal_req):
 
         return self.authn_request(context, entity_id)
 
+    def start_logout(self, context, internal_req, internal_authn_resp):
+        """
+        See super class method satosa.backends.base.BackendModule#start_logout
+
+        :type context: satosa.context.Context
+        :type internal_req: satosa.internal.InternalData
+        :rtype: satosa.response.Response
+        """
+
+        if internal_authn_resp is None:
+            message = "Session Information Deleted"
+            status = "500 FAILED"
+            return Response(message=message, status=status)
+        entity_id = internal_authn_resp["auth_info"]["issuer"]
+        if entity_id is None:
+            message = "Logout Failed"
+            status = "500 FAILED"
+            return Response(message=message, status=status)
+        return self.logout_request(context, entity_id, internal_authn_resp)
+
     def disco_query(self, context):
         """
         Makes a request to the discovery server
@@ -471,6 +496,83 @@ def authn_response(self, context, binding):
         context.state.pop(Context.KEY_FORCE_AUTHN, None)
         return self.auth_callback_func(context, self._translate_response(authn_response, context.state))
 
+    def logout_request(self, context, entity_id, internal_authn_resp):
+        """
+        Perform Logout request on idp with given entity_id.
+        This is the start of single logout.
+
+        :type context: satosa.context.Context
+        :type entity_id: str
+        :rtype: satosa.response.Response
+
+        :param context: The current context
+        :param entity_id: Target IDP entity id
+        :return: response to the user agent
+        """
+        try:
+            binding, destination = self.sp.pick_binding(
+                    "single_logout_service", None, "idpsso", entity_id=entity_id
+            )
+            msg = "binding: {}, destination: {}".format(binding, destination)
+            logline = lu.LOG_FMT.format(id=lu.get_session_id(context.state), message=msg)
+            logger.debug(logline)
+
+            slo_endp, response_binding = self.sp.config.getattr("endpoints", "sp")["single_logout_service"][0]
+            name_id_format = self.sp.config.getattr("name_id_format", "sp")
+            name_id = internal_authn_resp["subject_id"]
+            name_id = NameID(format=name_id_format, text=name_id)
+            session_indexes = internal_authn_resp["auth_info"]["session_index"]
+            sign = self.sp.config.getattr("logout_requests_signed", "sp")
+            req_id, req = self.sp.create_logout_request(
+                destination, issuer_entity_id=entity_id, name_id=name_id,
+                session_indexes=session_indexes, sign=sign
+            )
+            msg = "req_id: {}, req: {}".format(req_id, req)
+            logline = lu.LOG_FMT.format(id=lu.get_session_id(context.state), message=msg)
+            logger.debug(logline)
+            relay_state = util.rndstr()
+            ht_args = self.sp.apply_binding(binding, "%s" % req, destination, relay_state=relay_state)
+            msg = "ht_args: {}".format(ht_args)
+            logline = lu.LOG_FMT.format(id=lu.get_session_id(context.state), message=msg)
+            logger.debug(logline)
+        except Exception as exc:
+            msg = "Failed to construct the LogoutRequest for state"
+            logline = lu.LOG_FMT.format(id=lu.get_session_id(context.state), message=msg)
+            logger.debug(logline, exc_info=True)
+            status = "500 FAILED"
+            return Response(message=msg, status=status)
+        return make_saml_response(binding, ht_args)
+
+    def logout_response(self, context, binding):
+        """
+        Endpoint for the idp logout response
+
+        :type context: satosa.context.Context
+        :type binding: str
+        :rtype: satosa.response.Response
+
+        :param context: The current context
+        :param binding: SAML binding type
+        :return Response
+        """
+        if not context.request.get("SAMLResponse"):
+            msg = "Missing Response for state"
+            logline = lu.LOG_FMT.format(id=lu.get_session_id(context.state), message=msg)
+            logger.debug(logline)
+            raise SATOSAUnknownError(context.state, "Missing Response")
+
+        try:
+            logout_response = self.sp.parse_logout_request_response(
+                    context.request["SAMLResponse"], binding)
+        except Exception as err:
+            msg = "Failed to parse logout response for state"
+            logline = lu.LOG_FMT.format(id=lu.get_session_id(context.state), message=msg)
+            logger.debug(logline, exc_info=True)
+            message = "Logout Failed"
+            status = "500 FAILED"
+            return Response(message=message, status=status)
+        return self.logout_callback_func(context)
+
     def disco_response(self, context):
         """
         Endpoint for the discovery server response
@@ -523,11 +625,14 @@ def _translate_response(self, response, state):
             if authenticating_authorities
             else None
         )
+        session_indexes = []
+        session_indexes.append(response.session_info()['session_index'])
         auth_info = AuthenticationInformation(
             auth_class_ref=authn_context_ref,
             timestamp=authn_instant,
             authority=authenticating_authority,
             issuer=issuer,
+            session_index=session_indexes,
         )
 
         # The SAML response may not include a NameID.
@@ -562,6 +667,25 @@ def _translate_response(self, response, state):
 
         return internal_resp
 
+    def _translate_logout_response(self, response, state):
+        timestamp = response.response.issue_instant
+        issuer = response.response.issuer.text
+
+        status = {
+            "status_code": response.response.status.status_code.value,
+        }
+
+        logout_info = LogoutInformation(
+            timestamp=timestamp,
+            issuer=issuer,
+            status=status
+        )
+
+        msg = "logout response content"
+        logline = lu.LOG_FMT.format(id=lu.get_session_id(state), message=msg)
+        logger.debug(logline)
+        return logout_info
+
     def _metadata_endpoint(self, context):
         """
         Endpoint for retrieving the backend metadata
@@ -621,6 +745,11 @@ def register_endpoints(self):
             url_map.append(
                 ("^%s/%s$" % (self.name, "reload-metadata"), self._reload_metadata))
 
+        for endp, binding in sp_endpoints["single_logout_service"]:
+            parsed_endp = urlparse(endp)
+            url_map.append(("^%s$" % parsed_endp.path[1:],
+                functools.partial(self.logout_response, binding=binding)))
+
         return url_map
 
     def _reload_metadata(self, context):

src/satosa/base.py

@@ -12,6 +12,12 @@
 from satosa.response import NotFound
 from satosa.response import Redirect
 from .context import Context
+from .exception import SATOSAError, SATOSAAuthenticationError, SATOSAUnknownError
+from .plugin_loader import load_backends, load_frontends
+from .plugin_loader import load_request_microservices, load_response_microservices
+from .plugin_loader import load_database
+from .routing import ModuleRouter, SATOSANoBoundEndpointError
+from .state import cookie_to_state, SATOSAStateError, State, state_to_cookie
 from .exception import SATOSAAuthenticationError
 from .exception import SATOSAAuthenticationFlowError
 from .exception import SATOSABadRequestError
@@ -54,10 +60,14 @@ def __init__(self, config):
 
         logger.info("Loading backend modules...")
         backends = load_backends(self.config, self._auth_resp_callback_func,
-                                 self.config["INTERNAL_ATTRIBUTES"])
+                                 self.config["INTERNAL_ATTRIBUTES"],
+                                 self._logout_resp_callback_func
+                                 )
         logger.info("Loading frontend modules...")
         frontends = load_frontends(self.config, self._auth_req_callback_func,
-                                   self.config["INTERNAL_ATTRIBUTES"])
+                                   self.config["INTERNAL_ATTRIBUTES"],
+                                   self._logout_req_callback_func
+                                   )
 
         self.response_micro_services = []
         self.request_micro_services = []
@@ -77,6 +87,11 @@ def __init__(self, config):
                                             self.config["BASE"]))
             self._link_micro_services(self.response_micro_services, self._auth_resp_finish)
 
+        load_db = self.config.get("LOGOUT_ENABLED", False)
+        if load_db:
+            logger.info("Loading database...")
+            self.db = load_database(self.config)
+
         self.module_router = ModuleRouter(frontends, backends,
                                           self.request_micro_services + self.response_micro_services)
 
@@ -115,23 +130,63 @@ def _auth_req_callback_func(self, context, internal_request):
 
         return self._auth_req_finish(context, internal_request)
 
+    def _logout_req_callback_func(self, context, internal_request):
+        """
+        This function is called by a frontend module when a logout request has been processed.
+
+        :type context: satosa.context.Context
+        :typr internal_request:
+        :rtype:
+
+        :param context: The request context
+        :param internal_request: request processed by the frontend
+        :return Response
+        """
+        state = context.state
+        state[STATE_KEY] = {"requester": internal_request.requester}
+        msg = "Requesting provider: {}".format(internal_request.requester)
+        logline = lu.LOG_FMT.format(id=lu.get_session_id(state), message=msg)
+        logger.info(logline)
+        return self._logout_req_finish(context, internal_request)
+
     def _auth_req_finish(self, context, internal_request):
         backend = self.module_router.backend_routing(context)
         context.request = None
         return backend.start_auth(context, internal_request)
 
+    def _logout_req_finish(self, context, internal_request):
+        backend = self.module_router.backend_routing(context)
+        context.request = None
+        if hasattr(self, "db"):
+            internal_authn_resp = self.db.get_authn_resp(context.state)
+            self.db.delete_session(context.state)
+        else:
+            internal_authn_resp = None
+            context.state.delete = self.config.get("CONTEXT_STATE_DELETE", True)
+        return backend.start_logout(context, internal_request, internal_authn_resp)
+
     def _auth_resp_finish(self, context, internal_response):
         user_id_to_attr = self.config["INTERNAL_ATTRIBUTES"].get("user_id_to_attr", None)
         if user_id_to_attr:
             internal_response.attributes[user_id_to_attr] = [internal_response.subject_id]
 
         # remove all session state unless CONTEXT_STATE_DELETE is False
-        context.state.delete = self.config.get("CONTEXT_STATE_DELETE", True)
         context.request = None
+        if hasattr(self, "db"):
+            self.db.store_authn_resp(context.state, internal_response)
+            self.db.get_authn_resp(context.state)
+        else:
+            context.state.delete = self.config.get("CONTEXT_STATE_DELETE", True)
 
         frontend = self.module_router.frontend_routing(context)
         return frontend.handle_authn_response(context, internal_response)
 
+    def _logout_resp_finish(self, context):
+        context.request = None
+
+        frontend = self.module_router.frontend_routing(context)
+        return frontend.handle_logout_response(context)
+
     def _auth_resp_callback_func(self, context, internal_response):
         """
         This function is called by a backend module when the authorization is
@@ -163,6 +218,21 @@ def _auth_resp_callback_func(self, context, internal_response):
 
         return self._auth_resp_finish(context, internal_response)
 
+    def _logout_resp_callback_func(self, context):
+        """
+        This function is called by a backend module when logout is complete
+
+        :type context: satosa.context.Context
+        :type internal_response: satosa.internal.LogoutInformation
+        :rtype: satosa.response.Response
+
+        :param context: The request context
+        :param internal_response: The logout response
+        """
+        context.request = None
+        context.state["ROUTER"] = "idp"
+        return self._logout_resp_finish(context)
+
     def _handle_satosa_authentication_error(self, error):
         """
         Sends a response to the requester about the error