Add per-service SLO configuration

mama_cas/cas.py

@@ -122,7 +122,10 @@ def logout_user(request):
         ProxyTicket.objects.consume_tickets(request.user)
         ProxyGrantingTicket.objects.consume_tickets(request.user)
 
-        if getattr(settings, 'MAMA_CAS_ENABLE_SINGLE_SIGN_OUT', False):
+        if getattr(settings, 'MAMA_CAS_ENABLE_SINGLE_SIGN_OUT', True):
+            warnings.warn(
+                'The MAMA_CAS_ENABLE_SINGLE_SIGN_OUT setting is deprecated. SLO '
+                'should be configured using MAMA_CAS_VALID_SERVICES.', DeprecationWarning)
             ServiceTicket.objects.request_sign_out(request.user)
 
         logger.info("Single sign-on session ended for %s" % request.user)

mama_cas/models.py

@@ -263,19 +263,20 @@ def is_primary(self):
 
     def request_sign_out(self):
         """
-        Send a POST request to the ``ServiceTicket``s service URL to
-        request sign-out. The remote session is identified by the
-        service ticket string that instantiated the session.
+        Send a POST request to the ``ServiceTicket``s logout URL to
+        request sign-out.
         """
+        if not get_config(self.service, 'LOGOUT_ALLOW'):
+            return
         request = SingleSignOutRequest(context={'ticket': self})
+        url = get_config(self.service, 'LOGOUT_URL') or self.service
         try:
-            resp = requests.post(self.service, data={'logoutRequest': request.render_content()})
+            resp = requests.post(url, data={'logoutRequest': request.render_content()})
             resp.raise_for_status()
         except requests.exceptions.RequestException as e:
-            logger.warning("Single sign-out request to %s returned %s" %
-                           (self.service, e))
+            logger.warning("Single sign-out request to %s returned %s" % (url, e))
         else:
-            logger.debug("Single sign-out request sent to %s" % self.service)
+            logger.debug("Single sign-out request sent to %s" % url)
 
 
 class ProxyTicket(Ticket):

mama_cas/tests/settings.py

@@ -43,9 +43,12 @@
         'CALLBACKS': [
             'mama_cas.callbacks.user_name_attributes',
         ],
+        'LOGOUT_ALLOW': True,
+        'LOGOUT_URL': 'https://example.com/logout',
     },
     {
         'SERVICE': 'http://example.com',
         'PROXY_ALLOW': False,
+        'LOGOUT_ALLOW': False,
     }
 ]

mama_cas/tests/test_models.py

@@ -4,6 +4,7 @@
 
 from django.core import management
 from django.test import TestCase
+from django.test.utils import modify_settings
 from django.test.utils import override_settings
 from django.utils.timezone import now
 
@@ -359,6 +360,17 @@ def test_request_sign_out_invalid_status(self):
             mock.return_value.status_code = 500
             st.request_sign_out()
 
+    def test_request_sign_out_logout_allow_false(self):
+        """
+        If SLO requests are disabled for a service, the logout
+        request should not be sent.
+        """
+        st = ServiceTicketFactory(service='http://example.com')
+        with patch('requests.post') as mock:
+            mock.return_value.status_code = 500
+            st.request_sign_out()
+            self.assertEqual(mock.call_count, 0)
+
 
 class ProxyTicketTests(TestCase):
     """

mama_cas/utils.py

@@ -23,6 +23,8 @@
 class ServiceConfig(object):
     PROXY_ALLOW_DEFAULT = False
     CALLBACKS_DEFAULT = []
+    LOGOUT_ALLOW_DEFAULT = False
+    LOGOUT_URL_DEFAULT = None
 
     @cached_property
     def services(self):
@@ -48,6 +50,8 @@ def services(self):
             # TODO For transitional backwards compatibility, this defaults to True.
             service.setdefault('PROXY_ALLOW', True)
             service.setdefault('CALLBACKS', self.CALLBACKS_DEFAULT)
+            service.setdefault('LOGOUT_ALLOW', self.LOGOUT_ALLOW_DEFAULT)
+            service.setdefault('LOGOUT_URL', self.LOGOUT_URL_DEFAULT)
             try:
                 service['PROXY_PATTERN'] = re.compile(service['PROXY_PATTERN'])
             except KeyError: