Merge pull request #400 from Adam21e/validate_with_cert

pitbulk · web-flow · commit ca0343546d14 · 2017-07-24T20:39:44.000+02:00
validate_document_with_cert uses local cert when no cert in response
diff --git a/lib/xml_security.rb b/lib/xml_security.rb
@@ -260,9 +260,11 @@ def validate_document_with_cert(idp_cert)
         # check saml response cert matches provided idp cert
         if idp_cert.to_pem != cert.to_pem
           return false
+        end
+      else
+        base64_cert = Base64.encode64(idp_cert.to_pem)
       end
-        validate_signature(base64_cert, true)
-      end
+      validate_signature(base64_cert, true)
     end
 
     def validate_signature(base64_cert, soft = true)
diff --git a/test/xml_security_test.rb b/test/xml_security_test.rb
@@ -393,5 +393,29 @@ class XmlSecurityTest < Minitest::Test
         end
       end
     end
+
+    describe '#validate_document_with_cert' do
+      describe 'with valid document ' do
+        describe 'when response has cert' do
+          let(:document_data) { read_response('response_with_signed_message_and_assertion.xml') }
+          let(:document) { OneLogin::RubySaml::Response.new(document_data).document }
+          let(:idp_cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
+          let(:fingerprint) { '4b68c453c7d994aad9025c99d5efcf566287fe8d' }
+
+          it 'is valid' do
+            assert document.validate_document_with_cert(idp_cert), 'Document should be valid'
+          end
+        end
+        
+        describe 'when response has no cert but you have local cert' do
+          let(:document) { OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate).document }
+          let(:idp_cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
+
+          it 'is valid' do
+            assert document.validate_document_with_cert(idp_cert), 'Document should be valid'
+          end
+        end
+      end
+    end
   end
 end
