From patchwork Tue Jul 14 13:35:05 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Fr=C3=A9d=C3=A9ric_Mangano-Tarumi?=
 <fmang@mg0.fr>
X-Patchwork-Id: 1721
Return-Path: <aur-dev-bounces@archlinux.org>
Delivered-To: patchwork@archlinux.org
Received: from apollo.archlinux.org (localhost [127.0.0.1])
	by apollo.archlinux.org (Postfix) with ESMTP id 52CFC19ED3728
	for <patchwork@archlinux.org>; Tue, 14 Jul 2020 13:35:16 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
 apollo.archlinux.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.4 required=5.0 tests=DKIM_SIGNED=0.1,
	DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,MAILING_LIST_MULTI=-1,
	RCVD_IN_DNSWL_MED=-2.3,SPF_HELO_NONE=0.001,T_DMARC_POLICY_NONE=0.01
	autolearn=ham autolearn_force=no version=3.4.4
X-Spam-BL-Results: 
 <dns:1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.8.0.6.0.6.1.0.8.f.4.0.1.0.a.2.list.dnswl.org>
	[127.0.9.2]
Received: from orion.archlinux.org (orion.archlinux.org
 [IPv6:2a01:4f8:160:6087::1])
	by apollo.archlinux.org (Postfix) with ESMTPS
	for <patchwork@archlinux.org>; Tue, 14 Jul 2020 13:35:16 +0000 (UTC)
Received: from orion.archlinux.org (localhost [127.0.0.1])
	by orion.archlinux.org (Postfix) with ESMTP id 2110F1D35CE48F;
	Tue, 14 Jul 2020 13:35:11 +0000 (UTC)
Received: from luna.archlinux.org (luna.archlinux.org [5.9.250.164])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	(Authenticated sender: luna)
	by orion.archlinux.org (Postfix) with ESMTPSA id C7FB51D35CE489;
	Tue, 14 Jul 2020 13:35:10 +0000 (UTC)
Authentication-Results: orion.archlinux.org;
	dkim=pass (1024-bit key) header.d=mg0.fr header.i=@mg0.fr header.b=tljbSN2A
Received: from luna.archlinux.org (luna.archlinux.org [127.0.0.1])
	by luna.archlinux.org (Postfix) with ESMTP id BB53229CB0;
	Tue, 14 Jul 2020 13:35:10 +0000 (UTC)
Authentication-Results: luna.archlinux.org;
	dkim=pass (1024-bit key) header.d=mg0.fr header.i=@mg0.fr header.b=tljbSN2A
Received: from luna.archlinux.org (luna.archlinux.org [127.0.0.1])
 by luna.archlinux.org (Postfix) with ESMTP id 9287029CAD
 for <aur-dev@lists.archlinux.org>; Tue, 14 Jul 2020 13:35:07 +0000 (UTC)
Received: from orion.archlinux.org (orion.archlinux.org
 [IPv6:2a01:4f8:160:6087::1])
 by luna.archlinux.org (Postfix) with ESMTPS
 for <aur-dev@lists.archlinux.org>; Tue, 14 Jul 2020 13:35:07 +0000 (UTC)
Received: from orion.archlinux.org (localhost [127.0.0.1])
 by orion.archlinux.org (Postfix) with ESMTP id B1D0D1D35CE485
 for <aur-dev@archlinux.org>; Tue, 14 Jul 2020 13:35:05 +0000 (UTC)
Received: from tsubame.mg0.fr (tsubame.mg0.fr [IPv6:2001:41d0:401:3100::402b])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest
 SHA256) (No client certificate requested)
 by orion.archlinux.org (Postfix) with ESMTPS
 for <aur-dev@archlinux.org>; Tue, 14 Jul 2020 13:35:05 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mg0.fr;
 s=tsubame; h=Message-ID:Subject:To:From:Date:cc;
 bh=gOPNgJ8DLy1xZsTGwqUQFOr1Q2H+Fy0gQSXcSyLR9Yc=; b=tljbSN2ASEcGFqEYImhJq8Ezmi
 /AK0Q9JOR2fHuTu+XOfKWhGOIDfMGtWb5Hw0IZNUVuugMQXcuUQ4h5LV1cP0uqJKeJvSx1fflYZaJ
 J+DKU69SoLDEwUAsNv/TMZSm2veOrVcbZDW/hH8cgsUjpicE8trjfj5chyCJIj22rs5Y=;
Received: from fmang by tsubame.mg0.fr with local (Exim 4.94)
 (envelope-from <fmang@mg0.fr>) id 1jvL5N-00ETuR-7I
 for aur-dev@archlinux.org; Tue, 14 Jul 2020 15:35:05 +0200
Date: Tue, 14 Jul 2020 15:35:05 +0200
From: =?utf-8?b?RnLDqWTDqXJpYw==?= Mangano-Tarumi <fmang@mg0.fr>
To: aur-dev@archlinux.org
Subject: [PATCH 3/4] Implement SSO logout
Message-ID: <20200714133505.GA3451342@tsubame.mg0.fr>
MIME-Version: 1.0
Content-Disposition: inline
X-BeenThere: aur-dev@archlinux.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: "Arch User Repository \(AUR\) Development" <aur-dev.archlinux.org>
List-Unsubscribe: <https://lists.archlinux.org/options/aur-dev>,
 <mailto:aur-dev-request@archlinux.org?subject=unsubscribe>
List-Archive: <https://lists.archlinux.org/pipermail/aur-dev/>
List-Post: <mailto:aur-dev@archlinux.org>
List-Help: <mailto:aur-dev-request@archlinux.org?subject=help>
List-Subscribe: <https://lists.archlinux.org/listinfo/aur-dev>,
 <mailto:aur-dev-request@archlinux.org?subject=subscribe>
Errors-To: aur-dev-bounces@archlinux.org
Sender: "aur-dev" <aur-dev-bounces@archlinux.org>

---
 aurweb/routers/sso.py | 18 ++++++++++++++++++
 web/html/logout.php   | 14 +++++++++++++-
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/aurweb/routers/sso.py b/aurweb/routers/sso.py
index e1ec7efe..a8d4b141 100644
--- a/aurweb/routers/sso.py
+++ b/aurweb/routers/sso.py
@@ -1,6 +1,8 @@
 import time
 import uuid
 
+from urllib.parse import urlencode
+
 import fastapi
 
 from authlib.integrations.starlette_client import OAuth
@@ -82,3 +84,19 @@ async def authenticate(request: Request, conn=Depends(aurweb.db.connect)):
     else:
         # We’ve got a severe integrity violation.
         raise Exception("Multiple accounts found for SSO account " + sub)
+
+
+@router.get("/sso/logout")
+async def logout():
+    """
+    Disconnect the user from the SSO provider, potentially affecting every
+    other Arch service. AUR logout is performed by `/logout`, before it
+    redirects to `/sso/logout`.
+
+    Based on the OpenID Connect Session Management specification:
+    https://openid.net/specs/openid-connect-session-1_0.html#RPLogout
+    """
+    metadata = await oauth.sso.load_server_metadata()
+    # TODO Supply id_token_hint to the end session endpoint.
+    query = urlencode({'post_logout_redirect_uri': aurweb.config.get('options', 'aur_location')})
+    return RedirectResponse(metadata["end_session_endpoint"] + '?' + query)
diff --git a/web/html/logout.php b/web/html/logout.php
index 14022001..9fd63943 100644
--- a/web/html/logout.php
+++ b/web/html/logout.php
@@ -5,16 +5,28 @@ set_include_path(get_include_path() . PATH_SEPARATOR . '../lib');
 include_once("aur.inc.php");         # access AUR common functions
 include_once("acctfuncs.inc.php");         # access AUR common functions
 
+$redirect_uri = '/';
+
 # if they've got a cookie, log them out - need to do this before
 # sending any HTML output.
 #
 if (isset($_COOKIE["AURSID"])) {
+	$uid = uid_from_sid($_COOKIE['AURSID']);
 	delete_session_id($_COOKIE["AURSID"]);
 	# setting expiration to 1 means '1 second after midnight January 1, 1970'
 	setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true);
 	unset($_COOKIE['AURSID']);
 	clear_expired_sessions();
+
+	# If the account is linked to an SSO account, disconnect the user from the SSO too.
+	if (isset($uid)) {
+		$dbh = DB::connect();
+		$sso_account_id = $dbh->query("SELECT SSOAccountID FROM Users WHERE ID = " . $dbh->quote($uid))
+		                      ->fetchColumn();
+		if ($sso_account_id)
+			$redirect_uri = '/sso/logout';
+	}
 }
 
-header('Location: /');
+header("Location: $redirect_uri");