Suggested changes

pitbulk · pitbulk · commit 37788e233a33 · 2016-12-30T15:03:53.000+01:00
diff --git a/src/onelogin/saml2/errors.py b/src/onelogin/saml2/errors.py
@@ -25,6 +25,8 @@ class OneLogin_Saml2_Error(Exception):
     SETTINGS_INVALID_SYNTAX = 1
     SETTINGS_INVALID = 2
     METADATA_SP_INVALID = 3
+    # SP_CERTS_NOT_FOUND is deprecated, use CERT_NOT_FOUND instead
+    SP_CERTS_NOT_FOUND = 4
     CERT_NOT_FOUND = 4
     REDIRECT_INVALID_URL = 5
     PUBLIC_CERT_FILE_NOT_FOUND = 6
diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py
@@ -166,7 +166,7 @@ def get_nameid_data(request, key=None):
 
         if name_id is None:
             raise OneLogin_Saml2_ValidationError(
-                'Not NameID found in the Logout Request',
+                'NameID not found in the Logout Request',
                 OneLogin_Saml2_ValidationError.NO_NAMEID
             )
 
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
@@ -402,7 +402,7 @@ def get_nameid_data(self):
             security = self.__settings.get_security_data()
             if security.get('wantNameId', True):
                 raise OneLogin_Saml2_ValidationError(
-                    'Not NameID found in the assertion of the Response',
+                    'NameID not found in the assertion of the Response',
                     OneLogin_Saml2_ValidationError.NO_NAMEID
                 )
         else:
diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
@@ -909,7 +909,15 @@ def validate_node_sign(signature_node, elem, cert=None, fingerprint=None, finger
             dsig_ctx.key = xmlsec.Key.from_memory(cert, xmlsec.KeyFormat.CERT_PEM, None)
 
         dsig_ctx.set_enabled_key_data([xmlsec.KeyData.X509])
-        dsig_ctx.verify(signature_node)
+
+        try:
+            dsig_ctx.verify(signature_node)
+        except Exception as err:
+            raise OneLogin_Saml2_ValidationError(
+                'Signature validation failed. SAML Response rejected',
+                OneLogin_Saml2_ValidationError.INVALID_SIGNATURE,
+                str(err)
+            )
 
         return True
 
diff --git a/tests/src/OneLogin/saml2_tests/logout_request_test.py b/tests/src/OneLogin/saml2_tests/logout_request_test.py
@@ -138,11 +138,11 @@ def testGetNameIdData(self):
         encrypted_id_nodes = dom_2.getElementsByTagName('saml:EncryptedID')
         encrypted_data = encrypted_id_nodes[0].firstChild.nextSibling
         encrypted_id_nodes[0].removeChild(encrypted_data)
-        with self.assertRaisesRegexp(Exception, 'Not NameID found in the Logout Request'):
+        with self.assertRaisesRegexp(Exception, 'NameID not found in the Logout Request'):
             OneLogin_Saml2_Logout_Request.get_nameid(dom_2.toxml(), key)
 
         inv_request = self.file_contents(join(self.data_path, 'logout_requests', 'invalids', 'no_nameId.xml'))
-        with self.assertRaisesRegexp(Exception, 'Not NameID found in the Logout Request'):
+        with self.assertRaisesRegexp(Exception, 'NameID not found in the Logout Request'):
             OneLogin_Saml2_Logout_Request.get_nameid(inv_request)
 
     def testGetNameId(self):
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -98,14 +98,14 @@ def testReturnNameId(self):
 
         xml_4 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_nameid.xml.base64'))
         response_4 = OneLogin_Saml2_Response(settings, xml_4)
-        with self.assertRaisesRegexp(Exception, 'Not NameID found in the assertion of the Response'):
+        with self.assertRaisesRegexp(Exception, 'NameID not found in the assertion of the Response'):
             response_4.get_nameid()
 
         json_settings['security']['wantNameId'] = True
         settings = OneLogin_Saml2_Settings(json_settings)
 
         response_5 = OneLogin_Saml2_Response(settings, xml_4)
-        with self.assertRaisesRegexp(Exception, 'Not NameID found in the assertion of the Response'):
+        with self.assertRaisesRegexp(Exception, 'NameID not found in the assertion of the Response'):
             response_5.get_nameid()
 
         json_settings['security']['wantNameId'] = False
@@ -119,7 +119,7 @@ def testReturnNameId(self):
         settings = OneLogin_Saml2_Settings(json_settings)
 
         response_7 = OneLogin_Saml2_Response(settings, xml_4)
-        with self.assertRaisesRegexp(Exception, 'Not NameID found in the assertion of the Response'):
+        with self.assertRaisesRegexp(Exception, 'NameID not found in the assertion of the Response'):
             response_7.get_nameid()
 
         json_settings['strict'] = True
@@ -172,14 +172,14 @@ def testGetNameIdData(self):
 
         xml_4 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_nameid.xml.base64'))
         response_4 = OneLogin_Saml2_Response(settings, xml_4)
-        with self.assertRaisesRegexp(Exception, 'Not NameID found in the assertion of the Response'):
+        with self.assertRaisesRegexp(Exception, 'NameID not found in the assertion of the Response'):
             response_4.get_nameid_data()
 
         json_settings['security']['wantNameId'] = True
         settings = OneLogin_Saml2_Settings(json_settings)
 
         response_5 = OneLogin_Saml2_Response(settings, xml_4)
-        with self.assertRaisesRegexp(Exception, 'Not NameID found in the assertion of the Response'):
+        with self.assertRaisesRegexp(Exception, 'NameID not found in the assertion of the Response'):
             response_5.get_nameid_data()
 
         json_settings['security']['wantNameId'] = False
@@ -193,7 +193,7 @@ def testGetNameIdData(self):
         settings = OneLogin_Saml2_Settings(json_settings)
 
         response_7 = OneLogin_Saml2_Response(settings, xml_4)
-        with self.assertRaisesRegexp(Exception, 'Not NameID found in the assertion of the Response'):
+        with self.assertRaisesRegexp(Exception, 'NameID not found in the assertion of the Response'):
             response_7.get_nameid_data()
 
         json_settings['security']['wantNameId'] = False
@@ -207,7 +207,7 @@ def testGetNameIdData(self):
         settings = OneLogin_Saml2_Settings(json_settings)
 
         response_7 = OneLogin_Saml2_Response(settings, xml_4)
-        with self.assertRaisesRegexp(Exception, 'Not NameID found in the assertion of the Response'):
+        with self.assertRaisesRegexp(Exception, 'NameID not found in the assertion of the Response'):
             response_7.get_nameid_data()
 
         json_settings['strict'] = True

Original file line number	Diff line number	Diff line change
`@@ -166,7 +166,7 @@ def get_nameid_data(request, key=None):`
`166`	`166`
`167`	`167`	`if name_id is None:`
`168`	`168`	`raise OneLogin_Saml2_ValidationError(`
`169`		`- 'Not NameID found in the Logout Request',`
	`169`	`+ 'NameID not found in the Logout Request',`
`170`	`170`	`OneLogin_Saml2_ValidationError.NO_NAMEID`
`171`	`171`	`)`
`172`	`172`
Original file line number	Diff line number	Diff line change
`@@ -402,7 +402,7 @@ def get_nameid_data(self):`
`402`	`402`	`security = self.__settings.get_security_data()`
`403`	`403`	`if security.get('wantNameId', True):`
`404`	`404`	`raise OneLogin_Saml2_ValidationError(`
`405`		`- 'Not NameID found in the assertion of the Response',`
	`405`	`+ 'NameID not found in the assertion of the Response',`
`406`	`406`	`OneLogin_Saml2_ValidationError.NO_NAMEID`
`407`	`407`	`)`
`408`	`408`	`else:`