Improve logout

The persistence of the openstackid session causes issues where
when people log out, then click "Sign-In" again, they  aren't
prompted for their password. Instead they are logged in automatically
with the users they just logged out from because the openstackid endpoint
still has them as logged in. With this patch, the user will be logged
out of refstack as well as openstackid when signing out of RefStack.

This way a  user can sign into refstack with another openstackid
without having to delete cookies or navigate to the openstackid site
to manually log out.

Change-Id: I23936ba6b64b58e4f6a3f4d62ba89439c4ddee21
This commit is contained in:
Paul Van Eck 2015-10-20 15:20:47 -07:00
parent dfb32eb576
commit aa3966ea7a
8 changed files with 86 additions and 7 deletions

View File

@ -271,6 +271,9 @@
# OpenStackID Auth Server URI. (string value) # OpenStackID Auth Server URI. (string value)
#openstack_openid_endpoint = https://openstackid.org/accounts/openid2 #openstack_openid_endpoint = https://openstackid.org/accounts/openid2
# OpenStackID logout URI. (string value)
#openid_logout_endpoint = https://openstackid.org/accounts/user/logout
# Interaction mode. Specifies whether Openstack Id IdP may interact # Interaction mode. Specifies whether Openstack Id IdP may interact
# with the user to determine the outcome of the request. (string # with the user to determine the outcome of the request. (string
# value) # value)

View File

@ -73,6 +73,11 @@
url: '/auth_failure/:message', url: '/auth_failure/:message',
templateUrl: '/components/home/home.html', templateUrl: '/components/home/home.html',
controller: 'AuthFailureController as ctrl' controller: 'AuthFailureController as ctrl'
}).
state('logout', {
url: '/logout',
templateUrl: '/components/logout/logout.html',
controller: 'LogoutController as ctrl'
}); });
} }
@ -108,10 +113,6 @@
*/ */
function setup($http, $rootScope, $window, $state, refstackApiUrl) { function setup($http, $rootScope, $window, $state, refstackApiUrl) {
/**
* This function injects sign in function in all scopes
*/
$rootScope.auth = {}; $rootScope.auth = {};
$rootScope.auth.doSignIn = doSignIn; $rootScope.auth.doSignIn = doSignIn;
$rootScope.auth.doSignOut = doSignOut; $rootScope.auth.doSignOut = doSignOut;

View File

@ -0,0 +1 @@
<div cg-busy="{promise:ctrl.redirectWait,message:'Logging you out...'}"></div>

View File

@ -0,0 +1,44 @@
/*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
(function () {
'use strict';
angular
.module('refstackApp')
.controller('LogoutController', LogoutController);
LogoutController.$inject = [
'$location', '$window', '$timeout'
];
/**
* Refstack Logout Controller
* This controller handles logging out. In order to fully logout, the
* openstackid_session cookie must also be removed. The way to do that
* is to have the user's browser make a request to the openstackid logout
* page. We do this by placing the logout link as the src for an html
* image. After some time, the user is redirected home.
*/
function LogoutController($location, $window, $timeout) {
var ctrl = this;
ctrl.openid_logout_url = $location.search().openid_logout;
var img = new Image(0, 0);
img.src = ctrl.openid_logout_url;
ctrl.redirectWait = $timeout(function() {
$window.location.href = '/';
}, 500);
}
})();

View File

@ -45,6 +45,7 @@
<script src="components/results-report/resultsReportController.js"></script> <script src="components/results-report/resultsReportController.js"></script>
<script src="components/profile/profileController.js"></script> <script src="components/profile/profileController.js"></script>
<script src="components/auth-failure/authFailureController.js"></script> <script src="components/auth-failure/authFailureController.js"></script>
<script src="components/logout/logoutController.js"></script>
<!-- Filters --> <!-- Filters -->
<script src="shared/filters.js"></script> <script src="shared/filters.js"></script>

View File

@ -42,6 +42,22 @@ describe('Refstack controllers', function () {
}); });
}); });
describe('LogoutController', function () {
var $location, ctrl;
beforeEach(inject(function ($controller, _$location_) {
$location = _$location_;
$location.url('/logout?openid_logout=some_url');
ctrl = $controller('LogoutController', {});
}));
it('should set the openID logout URL based on query string',
function () {
expect($location.url()).toBe('/logout?openid_logout=some_url');
expect(ctrl.openid_logout_url).toBe('some_url');
});
});
describe('CapabilitiesController', function () { describe('CapabilitiesController', function () {
var ctrl; var ctrl;

View File

@ -33,6 +33,10 @@ OPENID_OPTS = [
default='https://openstackid.org/accounts/openid2', default='https://openstackid.org/accounts/openid2',
help='OpenStackID Auth Server URI.' help='OpenStackID Auth Server URI.'
), ),
cfg.StrOpt('openid_logout_endpoint',
default='https://openstackid.org/accounts/user/logout',
help='OpenStackID logout URI.'
),
cfg.StrOpt('openid_mode', cfg.StrOpt('openid_mode',
default='checkid_setup', default='checkid_setup',
help='Interaction mode. Specifies whether Openstack Id ' help='Interaction mode. Specifies whether Openstack Id '
@ -167,9 +171,15 @@ class AuthController(rest.RestController):
pecan.redirect(CONF.ui_url) pecan.redirect(CONF.ui_url)
@pecan.expose() @pecan.expose('json')
def signout(self): def signout(self):
"""Handle signout request.""" """Handle signout request."""
if api_utils.is_authenticated(): if api_utils.is_authenticated():
api_utils.delete_params_from_user_session([const.USER_OPENID]) api_utils.delete_params_from_user_session([const.USER_OPENID])
pecan.redirect(CONF.ui_url)
params = {
'openid_logout': CONF.osid.openid_logout_endpoint
}
url = parse.urljoin(CONF.ui_url,
'/#/logout?' + parse.urlencode(params))
pecan.redirect(url)

View File

@ -413,6 +413,8 @@ class AuthControllerTestCase(BaseControllerTestCase):
self.CONF = self.useFixture(self.config_fixture).conf self.CONF = self.useFixture(self.config_fixture).conf
self.CONF.set_override('app_dev_mode', True, 'api') self.CONF.set_override('app_dev_mode', True, 'api')
self.CONF.set_override('ui_url', 'http://127.0.0.1') self.CONF.set_override('ui_url', 'http://127.0.0.1')
self.CONF.set_override('openid_logout_endpoint', 'http://some-url',
'osid')
@mock.patch('refstack.api.utils.get_user_session') @mock.patch('refstack.api.utils.get_user_session')
@mock.patch('pecan.redirect', side_effect=webob.exc.HTTPRedirection) @mock.patch('pecan.redirect', side_effect=webob.exc.HTTPRedirection)
@ -527,7 +529,8 @@ class AuthControllerTestCase(BaseControllerTestCase):
const.CSRF_TOKEN: 42 const.CSRF_TOKEN: 42
} }
self.assertRaises(webob.exc.HTTPRedirection, self.controller.signout) self.assertRaises(webob.exc.HTTPRedirection, self.controller.signout)
mock_redirect.assert_called_with('http://127.0.0.1') mock_redirect.assert_called_with('http://127.0.0.1/#/logout?'
'openid_logout=http%3A%2F%2Fsome-url')
self.assertNotIn(const.CSRF_TOKEN, self.assertNotIn(const.CSRF_TOKEN,
mock_request.environ['beaker.session']) mock_request.environ['beaker.session'])