Allow graceful handling of auth_tkt cookies outliving saml clients cache

If for some reason the session cookie outlives the saml clients cache,
for instance if the webservice is restarted there could be an
inconsistent state where the user is authenticated but saml attributes
are missing and saml logout requests will fail. By using only saml2sp
as authenticator plugin and repoze.who 2.0 this little check will work
around that and require a new login in this case

Author: sigmunau

src/s2repoze/plugins/sp.py

@@ -560,6 +560,9 @@ def _service_url(self, environ, qstr=None):
     #noinspection PyUnusedLocal
     def authenticate(self, environ, identity=None):
         if identity:
+            tktuser = identity.get('repoze.who.plugins.auth_tkt.userid', None)
+            if tktuser and self.saml_client.is_logged_in(decode(tktuser)):
+                return tktuser
             return identity.get('login', None)
         else:
             return None

src/saml2/client.py

@@ -216,6 +216,14 @@ def local_logout(self, name_id):
         self.users.remove_person(name_id)
         return True
 
+    def is_logged_in(self, name_id):
+        """ Check if user is in the cache
+        
+        :param name_id: The identifier of the subject
+        """
+        identity = self.users.get_identity(name_id)[0]
+        return bool(identity)
+        
     def handle_logout_response(self, response):
         """ handles a Logout response