saml: Support storing logout associations in database.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2499 44740490-163a-0410-bde0-09ae8108e29a

saml: Support storing logout associations in database.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2499 44740490-163a-0410-bde0-09ae8108e29a
2ee81086 · Olav Morken · a4d59b20 · 2ee81086 · 2ee81086 · 2ee81086
Commit 2ee81086 authored 14 years ago by Olav Morken
--- a/modules/saml/lib/SP/LogoutStore.php
+++ b/modules/saml/lib/SP/LogoutStore.php
+<?php
+
+/**
+ * A directory over logout information.
+ *
+ * @package simpleSAMLphp
+ * @version $Id$
+ */
+class sspmod_saml_SP_LogoutStore {
+
+	/**
+	 * Create logout table in SQL, if it is missing.
+	 *
+	 * @param SimpleSAML_Store_SQL $store  The datastore.
+	 */
+	private static function createLogoutTable(SimpleSAML_Store_SQL $store) {
+
+		if ($store->getTableVersion('saml_LogoutStore') === 1) {
+			return;
+		}
+
+		$query = 'CREATE TABLE ' . $store->prefix . '_saml_LogoutStore (
+			_authSource VARCHAR(30) NOT NULL,
+			_nameId VARCHAR(40) NOT NULL,
+			_sessionIndex VARCHAR(50) NOT NULL,
+			_expire TIMESTAMP NOT NULL,
+			_sessionId VARCHAR(50) NOT NULL,
+			UNIQUE (_authSource, _nameID, _sessionIndex)
+		)';
+		$store->pdo->exec($query);
+
+		$query = 'CREATE INDEX ' . $store->prefix . '_saml_LogoutStore_expire ON '  . $store->prefix . '_saml_LogoutStore (_expire)';
+		$store->pdo->exec($query);
+
+		$query = 'CREATE INDEX ' . $store->prefix . '_saml_LogoutStore_nameId ON '  . $store->prefix . '_saml_LogoutStore (_authSource, _nameId)';
+		$store->pdo->exec($query);
+
+		$store->setTableVersion('saml_LogoutStore', 1);
+	}
+
+
+	/**
+	 * Clean the logout table of expired entries.
+	 *
+	 * @param SimpleSAML_Store_SQL $store  The datastore.
+	 */
+	private static function cleanLogoutStore(SimpleSAML_Store_SQL $store) {
+
+		SimpleSAML_Logger::debug('saml.LogoutStore: Cleaning logout store.');
+
+		$query = 'DELETE FROM ' . $store->prefix . '_saml_LogoutStore WHERE _expire < :now';
+		$params = array('now' => gmdate('Y-m-d H:i:s'));
+
+		$query = $store->pdo->prepare($query);
+		$query->execute($params);
+	}
+
+
+	/**
+	 * Register a session in the SQL datastore.
+	 *
+	 * @param SimpleSAML_Store_SQL $store  The datastore.
+	 * @param string $authId  The authsource ID.
+	 * @param string $nameId  The hash of the users NameID.
+	 * @param string $sessionIndex  The SessionIndex of the user.
+	 */
+	private static function addSessionSQL(SimpleSAML_Store_SQL $store, $authId, $nameId, $sessionIndex, $expire, $sessionId) {
+		assert('is_string($authId)');
+		assert('is_string($nameId)');
+		assert('is_string($sessionIndex)');
+		assert('is_string($sessionId)');
+		assert('is_int($expire)');
+
+		self::createLogoutTable($store);
+
+		if (rand(0, 1000) < 10) {
+			self::cleanLogoutStore($store);
+		}
+
+		$data = array(
+			'_authSource' => $authId,
+			'_nameId' => $nameId,
+			'_sessionIndex' => $sessionIndex,
+			'_expire' => gmdate('Y-m-d H:i:s', $expire),
+			'_sessionId' => $sessionId,
+		);
+		$store->insertOrUpdate($store->prefix . '_saml_LogoutStore', array('_authSource', '_nameId', '_sessionIndex'), $data);
+	}
+
+
+	/**
+	 * Retrieve sessions from the SQL datastore.
+	 *
+	 * @param SimpleSAML_Store_SQL $store  The datastore.
+	 * @param string $authId  The authsource ID.
+	 * @param string $nameId  The hash of the users NameID.
+	 * @return array  Associative array of SessionIndex =>  SessionId.
+	 */
+	private static function getSessionsSQL(SimpleSAML_Store_SQL $store, $authId, $nameId) {
+		assert('is_string($authId)');
+		assert('is_string($nameId)');
+
+		self::createLogoutTable($store);
+
+		$params = array(
+			'_authSource' => $authId,
+			'_nameId' => $nameId,
+			'now' => gmdate('Y-m-d H:i:s'),
+		);
+
+		$query = 'SELECT _sessionIndex, _sessionId FROM ' . $store->prefix . '_saml_LogoutStore' .
+			' WHERE _authSource = :_authSource AND _nameId = :_nameId AND _expire >= :now';
+		$query = $store->pdo->prepare($query);
+		$query->execute($params);
+
+		$res = array();
+		while ( ($row = $query->fetch(PDO::FETCH_ASSOC)) !== FALSE) {
+			$res[$row['_sessionIndex']] = $row['_sessionId'];
+		}
+
+		return $res;
+	}
+
+
+	/**
+	 * Retrieve all session IDs from a key-value store.
+	 *
+	 * @param SimpleSAML_Store_SQL $store  The datastore.
+	 * @param string $authId  The authsource ID.
+	 * @param string $nameId  The hash of the users NameID.
+	 * @param array $sessionIndexes  The session indexes.
+	 * @return array  Associative array of SessionIndex =>  SessionId.
+	 */
+	private static function getSessionsStore(SimpleSAML_Store $store, $authId, $nameId, array $sessionIndexes) {
+		assert('is_string($authId)');
+		assert('is_string($nameId)');
+
+		$res = array();
+		foreach ($sessionIndexes as $sessionIndex) {
+			$sessionId = $store->get('saml.LogoutStore', $strNameId . ':' . $sessionIndex);
+			if ($sessionId === NULL) {
+				continue;
+			}
+			assert('is_string($sessionId)');
+			$res[$sessionIndex] = $sessionId;
+		}
+
+		return $res;
+	}
+
+
+	/**
+	 * Register a new session in the datastore.
+	 *
+	 * @param string $authId  The authsource ID.
+	 * @param array $nameId  The NameID of the user.
+	 * @param string|NULL $sessionIndex  The SessionIndex of the user.
+	 */
+	public static function addSession($authId, array $nameId, $sessionIndex, $expire) {
+		assert('is_string($authId)');
+		assert('is_string($sessionIndex)');
+		assert('is_int($expire)');
+
+		$store = SimpleSAML_Store::getInstance();
+		if ($store === FALSE) {
+			/* We don't have a datastore. */
+			return;
+		}
+
+		/* Normalize NameID. */
+		ksort($nameId);
+		$strNameId = serialize($nameId);
+		$strNameId = sha1($strNameId);
+
+		/* Normalize SessionIndex. */
+		if (strlen($sessionIndex) > 50) {
+			$sessionIndex = sha1($sessionIndex);
+		}
+
+		$session = SimpleSAML_Session::getInstance();
+		$sessionId = $session->getSessionId();
+
+		if ($store instanceof SimpleSAML_Store_SQL) {
+			self::addSessionSQL($store, $authId, $strNameId, $sessionIndex, $expire, $sessionId);
+		} else {
+			$store->set('saml.LogoutStore', $strNameId . ':' . $sessionIndex, $sessionId, $expire);
+		}
+	}
+
+
+	/**
+	 * Log out of the given sessions.
+	 *
+	 * @param string $authId  The authsource ID.
+	 * @param array $nameId  The NameID of the user.
+	 * @param array $sessionIndexes  The SessionIndexes we should log out of. Logs out of all if this is empty.
+	 * @returns bool  TRUE if OK, FALSE if not supported.
+	 */
+	public static function logoutSessions($authId, array $nameId, array $sessionIndexes) {
+		assert('is_string($authId)');
+
+		$store = SimpleSAML_Store::getInstance();
+		if ($store === FALSE) {
+			/* We don't have a datastore. */
+			return FALSE;
+		}
+
+		/* Normalize NameID. */
+		ksort($nameId);
+		$strNameId = serialize($nameId);
+		$strNameId = sha1($strNameId);
+
+		/* Normalize SessionIndexes. */
+		foreach ($sessionIndexes as &$sessionIndex) {
+			assert('is_string($sessionIndex)');
+			if (strlen($sessionIndex) > 50) {
+				$sessionIndex = sha1($sessionIndex);
+			}
+		}
+		unset($sessionIndex); // Remove reference
+
+		if ($store instanceof SimpleSAML_Store_SQL) {
+			$sessions = self::getSessionsSQL($store, $authId, $strNameId);
+		} elseif (empty($sessionIndexes)) {
+			/* We cannot fetch all sessions without a SQL store. */
+			return FALSE;
+		} else {
+			$sessions = self::getSessionsStore($store, $authId, $strNameId, $sessionIndexes);
+
+		}
+
+		if (empty($sessionIndexes)) {
+			$sessionIndexes = array_keys($sessions);
+		}
+
+		$sessionHandler = SimpleSAML_SessionHandler::getSessionHandler();
+
+		foreach ($sessionIndexes as $sessionIndex) {
+			if (!isset($sessions[$sessionIndex])) {
+				SimpleSAML_Logger::info('saml.LogoutStore: Logout requested for unknown SessionIndex.');
+				continue;
+			}
+
+			$sessionId = $sessions[$sessionIndex];
+
+			$session = SimpleSAML_Session::getSession($sessionId);
+			if ($session === NULL) {
+				SimpleSAML_Logger::info('saml.LogoutStore: Skipping logout of missing session.');
+				continue;
+			}
+
+			if (!$session->isValid($authId)) {
+				SimpleSAML_Logger::info('saml.LogoutStore: Skipping logout of session because it isn\'t authenticated.');
+				continue;
+			}
+
+			SimpleSAML_Logger::info('saml.LogoutStore: Logging out of session with trackId [' . $session->getTrackId() . '].');
+			$session->doLogout();
+		}
+
+		return TRUE;
+	}
+
+}
--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -57,6 +57,15 @@ try {
 $nameId = $assertion->getNameId();
 $sessionIndex = $assertion->getSessionIndex();

+$expire = $assertion->getSessionNotOnOrAfter();
+if ($expire === NULL) {
+	/* Just expire the logout associtaion 24 hours into the future. */
+	$expire = time() + 24*60*60;
+}
+
+/* Register this session in the logout store. */
+sspmod_saml_SP_LogoutStore::addSession($sourceId, $nameId, $sessionIndex, $expire);
+
 /* We need to save the NameID and SessionIndex for logout. */
 $logoutState = array(
 	'saml:logout:Type' => 'saml2',

--- a/modules/saml/www/sp/saml2-logout.php
+++ b/modules/saml/www/sp/saml2-logout.php
@@ -57,8 +57,13 @@ if ($message instanceof SAML2_LogoutResponse) {
 	SimpleSAML_Logger::debug('module/saml2/sp/logout: Request from ' . $idpEntityId);
 	SimpleSAML_Logger::stats('saml20-idp-SLO idpinit ' . $spEntityId . ' ' . $idpEntityId);

-	/* Notify source of logout, so that it may call logout callbacks. */
-	$source->handleLogout($idpEntityId);
+	$nameId = $message->getNameId();
+	$sessionIndexes = $message->getSessionIndexes();
+
+	if (!sspmod_saml_SP_LogoutStore::logoutSessions($sourceId, $nameId, $sessionIndexes)) {
+		/* This type of logout was unsupported. Use the old method. */
+		$source->handleLogout($idpEntityId);
+	}

 	/* Create an send response. */
 	$lr = sspmod_saml_Message::buildLogoutResponse($spMetadata, $idpMetadata);