Fixed hard and soft validation

SAML-Toolkits · Sep 17, 2014 · 4893b5d · 4893b5d
2 parents 5173f45 + a95f86a
commit 4893b5d
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 3 deletions.
diff --git a/lib/onelogin/ruby-saml/response.rb b/lib/onelogin/ruby-saml/response.rb
@@ -97,6 +97,13 @@ def success?
         end
       end
 
+      def status_message
+        @status_message ||= begin
+          node = REXML::XPath.first(document, "/p:Response/p:Status/p:StatusMessage", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.text if node
+        end
+      end
+
       # Conditions (if any) for the assertion to run
       def conditions
         @conditions ||= xpath_first_from_signed_assertion('/a:Conditions')
@@ -129,7 +136,15 @@ def validate(soft = true)
         validate_response_state(soft) &&
         validate_conditions(soft)     &&
         document.validate_document(get_fingerprint, soft) &&
-        success?
+        validate_success_status(soft)
+      end
+
+      def validate_success_status(soft = true)
+        if success?
+          true
+        else
+          soft ? false : validation_error(status_message)
+        end
       end
 
       def validate_structure(soft = true)

diff --git a/lib/xml_security.rb b/lib/xml_security.rb
@@ -47,7 +47,13 @@ def initialize(response)
     def validate_document(idp_cert_fingerprint, soft = true)
       # get cert from response
       cert_element = REXML::XPath.first(self, "//ds:X509Certificate", { "ds"=>DSIG })
-      raise OneLogin::RubySaml::ValidationError.new("Certificate element missing in response (ds:X509Certificate)") unless cert_element
+      unless cert_element
+        if soft
+          return false
+        else
+          raise OneLogin::RubySaml::ValidationError.new("Certificate element missing in response (ds:X509Certificate)")
+        end
+      end
       base64_cert  = cert_element.text
       cert_text    = Base64.decode64(base64_cert)
       cert         = OpenSSL::X509::Certificate.new(cert_text)

diff --git a/test/test_helper.rb b/test/test_helper.rb
@@ -46,7 +46,7 @@ def r1_response_document_6
   end
 
   def ampersands_response
-    @ampersands_resposne ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response_with_ampersands.xml.base64'))
+    @ampersands_response ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response_with_ampersands.xml.base64'))
   end
 
   def response_document_6

diff --git a/test/xml_security_test.rb b/test/xml_security_test.rb
@@ -26,6 +26,15 @@ class XmlSecurityTest < Test::Unit::TestCase
       end
     end
 
+    should "not raise an error when softly validating the document and the X509Certificate is missing" do
+      response = Base64.decode64(response_document)
+      response.sub!(/<ds:X509Certificate>.*<\/ds:X509Certificate>/, "")
+      document = XMLSecurity::SignedDocument.new(response)
+      assert_nothing_raised do
+        assert !document.validate_document("a fingerprint", true) # The fingerprint isn't relevant to this test
+      end
+    end
+
     should "should raise Fingerprint mismatch" do
       exception = assert_raise(OneLogin::RubySaml::ValidationError) do
         @document.validate_document("no:fi:ng:er:pr:in:t", false)