
Commit dbf03dc

committed
Reject SAML Response if not signed and strict = false
1 parent 561047c commit dbf03dc


3 files changed

+69
-42
lines changed


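--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -207,6 +207,8 @@ def is_valid(self, request_data, request_id=None):
 document_to_validate = self.document
 if not OneLogin_Saml2_Utils.validate_sign(document_to_validate, cert, fingerprint):
 raise Exception('Signature validation failed. SAML Response rejected')
+else:
+raise Exception('No Signature found. SAML Response rejected')
 
 return True
 except Exception as err: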
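Review bot: The new `else:` branch makes a Response without a signature fatal regardless of `strict`, `wantMessagesSigned` or `wantAssertionsSigned`, but that contract is not stated anywhere in the hunk, and the `if` the branch pairs with (presumably a signature-presence check, since the signed fixture in testProcessResponseValid is still expected to pass) sits above the hunk, as do the start and end of `is_valid`. If `is_valid`'s docstring still describes non-strict mode as tolerating a missing signature, it should now say that a Response carrying no signature is always rejected, because relaxed validation must never extend to trusting unsigned assertions. The literal `'No Signature found. SAML Response rejected'` is repeated verbatim in dozens of test assertions in this commit; lifting it to a module-level constant in response.py would keep tests and code from drifting. Raising a bare `Exception` matches the line above it, but note that the `except Exception as err:` at the end of the hunk reduces it to a string, so callers can only distinguish this case by message text.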

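--- a/tests/src/OneLogin/saml2_tests/auth_test.py
+++ b/tests/src/OneLogin/saml2_tests/auth_test.py
@@ -166,15 +166,16 @@ def testProcessResponseInvalidRequestId(self):
 auth = OneLogin_Saml2_Auth(request_data, old_settings=self.loadSettingsJSON())
 request_id = 'invalid'
 auth.process_response(request_id)
-self.assertEqual(len(auth.get_errors()), 0)
+self.assertEqual('No Signature found. SAML Response rejected', auth.get_last_error_reason())
 
 auth.set_strict(True)
 auth.process_response(request_id)
 self.assertEqual(auth.get_errors(), ['invalid_response'])
+self.assertEqual('The InResponseTo of the Response: _57bcbf70-7b1f-012e-c821-782bcb13bb38, does not match the ID of the AuthNRequest sent by the SP: invalid', auth.get_last_error_reason())
 
 valid_request_id = '_57bcbf70-7b1f-012e-c821-782bcb13bb38'
 auth.process_response(valid_request_id)
-self.assertEqual(len(auth.get_errors()), 0)
+self.assertEqual('No Signature found. SAML Response rejected', auth.get_last_error_reason())
 
 def testProcessResponseValid(self):
 """
@@ -184,28 +185,22 @@ def testProcessResponseValid(self):
 the error array is empty
 """
 request_data = self.get_request()
-message = self.file_contents(join(self.data_path, 'responses', 'unsigned_response.xml.base64'))
-plain_message = b64decode(message)
-current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
-plain_message = plain_message.replace('http://stuff.com/endpoints/endpoints/acs.php', current_url)
+message = self.file_contents(join(self.data_path, 'responses', 'valid_response.xml.base64'))
 del request_data['get_data']
 request_data['post_data'] = {
-'SAMLResponse': b64encode(plain_message)
+'SAMLResponse': message
 }
 auth = OneLogin_Saml2_Auth(request_data, old_settings=self.loadSettingsJSON())
 
 auth.process_response()
-
 self.assertTrue(auth.is_authenticated())
 self.assertEqual(len(auth.get_errors()), 0)
-self.assertEqual('someone@example.com', auth.get_nameid())
+self.assertEqual('492882615acf31c8096b627245d76ae53036c090', auth.get_nameid())
 attributes = auth.get_attributes()
 self.assertNotEqual(len(attributes), 0)
 self.assertEqual(auth.get_attribute('mail'), attributes['mail'])
-
-auth.set_strict(True)
-auth.process_response()
-self.assertEqual(len(auth.get_errors()), 0)
+session_index = auth.get_session_index()
+self.assertEqual('_6273d77b8cde0c333ec79d22a9fa0003b9fe2d75cb', session_index)
 
 def testRedirectTo(self):
 """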
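Review bot: The replacement assertions at new lines 169 and 178 of testProcessResponseInvalidRequestId check only `get_last_error_reason()` and say nothing about `get_errors()`, so the test would still pass if the missing signature were merely recorded as a reason while the response was accepted; pair each with `self.assertEqual(auth.get_errors(), ['invalid_response'])`, as the strict branch at new line 173 already does. In testProcessResponseValid the strict-mode re-run (`auth.set_strict(True)`, `auth.process_response()`, the error-count assertion) was dropped together with the unsigned fixture, so unless another test covers it, nothing now checks that the signed `valid_response.xml.base64` is also accepted with `strict` enabled; keeping those three lines after the new session-index assertion would preserve that coverage. The test's docstring, which begins above the hunk, should be updated if it still describes an unsigned response being processed.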

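--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -314,11 +314,13 @@ def testIsInvalidXML(self):
 settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
 
 response = OneLogin_Saml2_Response(settings, message)
-self.assertTrue(response.is_valid(request_data))
+response.is_valid(request_data)
+self.assertEqual('No Signature found. SAML Response rejected', response.get_error())
 
 settings.set_strict(True)
 response_2 = OneLogin_Saml2_Response(settings, message)
 self.assertFalse(response_2.is_valid(request_data))
+self.assertEqual('Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd', response_2.get_error())
 
 def testValidateNumAssertions(self):
 """
@@ -408,7 +410,8 @@ def testIsInValidExpired(self):
 settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
 xml = self.file_contents(join(self.data_path, 'responses', 'expired_response.xml.base64'))
 response = OneLogin_Saml2_Response(settings, xml)
-self.assertTrue(response.is_valid(self.get_request_data()))
+response.is_valid(self.get_request_data())
+self.assertEqual('No Signature found. SAML Response rejected', response.get_error())
 
 settings.set_strict(True)
 response_2 = OneLogin_Saml2_Response(settings, xml)
@@ -426,7 +429,8 @@ def testIsInValidNoStatement(self):
 settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
 xml = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_signature.xml.base64'))
 response = OneLogin_Saml2_Response(settings, xml)
-self.assertTrue(response.is_valid(self.get_request_data()))
+response.is_valid(self.get_request_data())
+self.assertEqual('No Signature found. SAML Response rejected', response.get_error())
 
 settings.set_strict(True)
 response_2 = OneLogin_Saml2_Response(settings, xml)
@@ -473,7 +477,8 @@ def testIsInValidEncAttrs(self):
 settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
 xml = self.file_contents(join(self.data_path, 'responses', 'invalids', 'encrypted_attrs.xml.base64'))
 response = OneLogin_Saml2_Response(settings, xml)
-self.assertTrue(response.is_valid(self.get_request_data()))
+response.is_valid(self.get_request_data())
+self.assertEqual('No Signature found. SAML Response rejected', response.get_error())
 
 settings.set_strict(True)
 response_2 = OneLogin_Saml2_Response(settings, xml)
@@ -491,7 +496,8 @@ def testIsInValidDestination(self):
 settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
 message = self.file_contents(join(self.data_path, 'responses', 'unsigned_response.xml.base64'))
 response = OneLogin_Saml2_Response(settings, message)
-self.assertTrue(response.is_valid(self.get_request_data()))
+response.is_valid(self.get_request_data())
+self.assertEqual('No Signature found. SAML Response rejected', response.get_error())
 
 settings.set_strict(True)
 response_2 = OneLogin_Saml2_Response(settings, message)
@@ -524,7 +530,8 @@ def testIsInValidAudience(self):
 message = self.file_contents(join(self.data_path, 'responses', 'invalids', 'invalid_audience.xml.base64'))
 
 response = OneLogin_Saml2_Response(settings, message)
-self.assertTrue(response.is_valid(request_data))
+response.is_valid(request_data)
+self.assertEqual('No Signature found. SAML Response rejected', response.get_error())
 
 settings.set_strict(True)
 response_2 = OneLogin_Saml2_Response(settings, message)
@@ -554,10 +561,12 @@ def testIsInValidIssuer(self):
 message_2 = b64encode(plain_message_2)
 
 response = OneLogin_Saml2_Response(settings, message)
-self.assertTrue(response.is_valid(request_data))
+response.is_valid(request_data)
+self.assertEqual('No Signature found. SAML Response rejected', response.get_error())
 
 response_2 = OneLogin_Saml2_Response(settings, message_2)
-self.assertTrue(response_2.is_valid(request_data))
+response_2.is_valid(request_data)
+self.assertEqual('No Signature found. SAML Response rejected', response_2.get_error())
 
 settings.set_strict(True)
 response_3 = OneLogin_Saml2_Response(settings, message)
@@ -591,7 +600,8 @@ def testIsInValidSessionIndex(self):
 message = b64encode(plain_message)
 
 response = OneLogin_Saml2_Response(settings, message)
-self.assertTrue(response.is_valid(request_data))
+response.is_valid(request_data)
+self.assertEqual('No Signature found. SAML Response rejected', response.get_error())
 
 settings.set_strict(True)
 response_2 = OneLogin_Saml2_Response(settings, message)
@@ -619,7 +629,8 @@ def testDatetimeWithMiliseconds(self):
 plain_message = plain_message.replace('http://stuff.com/endpoints/endpoints/acs.php', current_url)
 message = b64encode(plain_message)
 response = OneLogin_Saml2_Response(settings, message)
-self.assertTrue(response.is_valid(request_data))
+response.is_valid(request_data)
+self.assertEqual('No Signature found. SAML Response rejected', response.get_error())
 
 def testIsInValidSubjectConfirmation(self):
 """
@@ -663,22 +674,28 @@ def testIsInValidSubjectConfirmation(self):
 message_6 = b64encode(plain_message_6)
 
 response = OneLogin_Saml2_Response(settings, message)
-self.assertTrue(response.is_valid(request_data))
+response.is_valid(request_data)
+self.assertEqual('No Signature found. SAML Response rejected', response.get_error())
 
 response_2 = OneLogin_Saml2_Response(settings, message_2)
-self.assertTrue(response_2.is_valid(request_data))
+response_2.is_valid(request_data)
+self.assertEqual('No Signature found. SAML Response rejected', response_2.get_error())
 
 response_3 = OneLogin_Saml2_Response(settings, message_3)
-self.assertTrue(response_3.is_valid(request_data))
+response_3.is_valid(request_data)
+self.assertEqual('No Signature found. SAML Response rejected', response_3.get_error())
 
 response_4 = OneLogin_Saml2_Response(settings, message_4)
-self.assertTrue(response_4.is_valid(request_data))
+response_4.is_valid(request_data)
+self.assertEqual('No Signature found. SAML Response rejected', response_4.get_error())
 
 response_5 = OneLogin_Saml2_Response(settings, message_5)
-self.assertTrue(response_5.is_valid(request_data))
+response_5.is_valid(request_data)
+self.assertEqual('No Signature found. SAML Response rejected', response_5.get_error())
 
 response_6 = OneLogin_Saml2_Response(settings, message_6)
-self.assertTrue(response_6.is_valid(request_data))
+response_6.is_valid(request_data)
+self.assertEqual('No Signature found. SAML Response rejected', response_6.get_error())
 
 settings.set_strict(True)
 response = OneLogin_Saml2_Response(settings, message)
@@ -735,7 +752,8 @@ def testIsInValidRequestId(self):
 
 response = OneLogin_Saml2_Response(settings, message)
 request_id = 'invalid'
-self.assertTrue(response.is_valid(request_data, request_id))
+response.is_valid(request_data, request_id)
+self.assertEqual('No Signature found. SAML Response rejected', response.get_error())
 
 settings.set_strict(True)
 response = OneLogin_Saml2_Response(settings, message)
@@ -745,7 +763,8 @@ def testIsInValidRequestId(self):
 self.assertEqual('The InResponseTo of the Response', e.message)
 
 valid_request_id = '_57bcbf70-7b1f-012e-c821-782bcb13bb38'
-self.assertTrue(response.is_valid(request_data, valid_request_id))
+response.is_valid(request_data, valid_request_id)
+self.assertEqual('No Signature found. SAML Response rejected', response.get_error())
 
 def testIsInValidSignIssues(self):
 """
@@ -766,18 +785,21 @@ def testIsInValidSignIssues(self):
 settings_info['security']['wantAssertionsSigned'] = False
 settings = OneLogin_Saml2_Settings(settings_info)
 response = OneLogin_Saml2_Response(settings, message)
-self.assertTrue(response.is_valid(request_data))
+response.is_valid(request_data)
+self.assertEqual('No Signature found. SAML Response rejected', response.get_error())
 
 settings_info['security']['wantAssertionsSigned'] = True
 settings_2 = OneLogin_Saml2_Settings(settings_info)
 response_2 = OneLogin_Saml2_Response(settings_2, message)
-self.assertTrue(response_2.is_valid(request_data))
+response_2.is_valid(request_data)
+self.assertEqual('No Signature found. SAML Response rejected', response_2.get_error())
 
 settings_info['strict'] = True
 settings_info['security']['wantAssertionsSigned'] = False
 settings_3 = OneLogin_Saml2_Settings(settings_info)
 response_3 = OneLogin_Saml2_Response(settings_3, message)
-self.assertTrue(response_3.is_valid(request_data))
+response_3.is_valid(request_data)
+self.assertEqual('No Signature found. SAML Response rejected', response_3.get_error())
 
 settings_info['security']['wantAssertionsSigned'] = True
 settings_4 = OneLogin_Saml2_Settings(settings_info)
@@ -793,18 +815,21 @@ def testIsInValidSignIssues(self):
 settings_info['security']['wantMessagesSigned'] = False
 settings_5 = OneLogin_Saml2_Settings(settings_info)
 response_5 = OneLogin_Saml2_Response(settings_5, message)
-self.assertTrue(response_5.is_valid(request_data))
+response_5.is_valid(request_data)
+self.assertEqual('No Signature found. SAML Response rejected', response_5.get_error())
 
 settings_info['security']['wantMessagesSigned'] = True
 settings_6 = OneLogin_Saml2_Settings(settings_info)
 response_6 = OneLogin_Saml2_Response(settings_6, message)
-self.assertTrue(response_6.is_valid(request_data))
+response_6.is_valid(request_data)
+self.assertEqual('No Signature found. SAML Response rejected', response_6.get_error())
 
 settings_info['strict'] = True
 settings_info['security']['wantMessagesSigned'] = False
 settings_7 = OneLogin_Saml2_Settings(settings_info)
 response_7 = OneLogin_Saml2_Response(settings_7, message)
-self.assertTrue(response_7.is_valid(request_data))
+response_7.is_valid(request_data)
+self.assertEqual('No Signature found. SAML Response rejected', response_7.get_error())
 
 settings_info['security']['wantMessagesSigned'] = True
 settings_8 = OneLogin_Saml2_Settings(settings_info)
@@ -833,13 +858,15 @@ def testIsInValidEncIssues(self):
 settings_info['security']['wantAssertionsEncrypted'] = True
 settings = OneLogin_Saml2_Settings(settings_info)
 response = OneLogin_Saml2_Response(settings, message)
-self.assertTrue(response.is_valid(request_data))
+response.is_valid(request_data)
+self.assertEqual('No Signature found. SAML Response rejected', response.get_error())
 
 settings_info['strict'] = True
 settings_info['security']['wantAssertionsEncrypted'] = False
 settings = OneLogin_Saml2_Settings(settings_info)
 response_2 = OneLogin_Saml2_Response(settings, message)
-self.assertTrue(response_2.is_valid(request_data))
+response_2.is_valid(request_data)
+self.assertEqual('No Signature found. SAML Response rejected', response_2.get_error())
 
 settings_info['security']['wantAssertionsEncrypted'] = True
 settings = OneLogin_Saml2_Settings(settings_info)
@@ -853,7 +880,8 @@ def testIsInValidEncIssues(self):
 settings_info['strict'] = False
 settings = OneLogin_Saml2_Settings(settings_info)
 response_4 = OneLogin_Saml2_Response(settings, message)
-self.assertTrue(response_4.is_valid(request_data))
+response_4.is_valid(request_data)
+self.assertEqual('No Signature found. SAML Response rejected', response_4.get_error())
 
 settings_info['strict'] = True
 settings = OneLogin_Saml2_Settings(settings_info)
@@ -916,7 +944,8 @@ def testIsValid(self):
 
 xml = self.file_contents(join(self.data_path, 'responses', 'valid_unsigned_response.xml.base64'))
 response = OneLogin_Saml2_Response(settings, xml)
-self.assertTrue(response.is_valid(self.get_request_data()))
+response.is_valid(self.get_request_data())
+self.assertEqual('No Signature found. SAML Response rejected', response.get_error())
 
 def testIsValid2(self):
 """
@@ -992,7 +1021,8 @@ def testIsValidEnc(self):
 plain_message = plain_message.replace('http://stuff.com/endpoints/endpoints/acs.php', current_url)
 message = b64encode(plain_message)
 response_7 = OneLogin_Saml2_Response(settings, message)
-self.assertTrue(response_7.is_valid(request_data))
+response_7.is_valid(request_data)
+self.assertEqual('No Signature found. SAML Response rejected', response_7.get_error())
 
 def testIsValidSign(self):
 """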
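Review bot: Throughout this file the commit replaces `self.assertTrue(response.is_valid(request_data))` with a bare `response.is_valid(request_data)` whose return value is discarded (first at new line 317 of testIsInvalidXML, then the same pattern in every hunk down to new line 1024 of testIsValidEnc), so the tests pin the error message but no longer assert that `is_valid` actually returned False; write it as `self.assertFalse(response.is_valid(request_data))` before the `get_error()` check, as the strict variant at new line 322 already does. With every fixture in these hunks now unsigned and rejected by the same message, the `wantAssertionsSigned`, `wantMessagesSigned` and `wantAssertionsEncrypted` toggles in testIsInValidSignIssues and testIsInValidEncIssues are no longer observable in the non-strict cases, so those cases likely need a signed fixture to keep exercising what their names describe. testIsValid likewise now asserts the rejection of `valid_unsigned_response.xml.base64`; if the rest of that test, outside the hunk, contains no accepted signed response, its name no longer matches its content. The repeated literal `'No Signature found. SAML Response rejected'` would be easier to maintain as one module-level constant in this test file.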
