From ed8bd53cdcd6ba84f5bed6fb21830b926d889cd6 Mon Sep 17 00:00:00 2001
From: Hans de Graaff
Date: Tue, 13 Jun 2017 07:20:14 +0200
Subject: [PATCH] Allow responses to work with only an idp_cert_multi setting

When the settings only contain an idp_cert_multi fingerprint the responses cannot be validated because it is wrongly assumes that the certificate cannot be checked. Include the idp_cert_multi setting in this check as well.
---
 lib/onelogin/ruby-saml/logoutresponse.rb | 2 +-
 lib/onelogin/ruby-saml/response.rb | 2 +-
 test/logoutresponse_test.rb | 1 +
 test/response_test.rb | 1 +
 4 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/onelogin/ruby-saml/logoutresponse.rb b/lib/onelogin/ruby-saml/logoutresponse.rb
index dcc6af9ad..4fbab8232 100644
--- a/lib/onelogin/ruby-saml/logoutresponse.rb
+++ b/lib/onelogin/ruby-saml/logoutresponse.rb
@@ -168,7 +168,7 @@ def valid_state?
 return append_error("No issuer in settings of the logout response") if settings.issuer.nil?
- if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil?
+ if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil? && settings.idp_cert_multi.nil?
 return append_error("No fingerprint or certificate on settings of the logout response")
 end
diff --git a/lib/onelogin/ruby-saml/response.rb b/lib/onelogin/ruby-saml/response.rb
index 6ec8b6731..49e6fd20a 100644
--- a/lib/onelogin/ruby-saml/response.rb
+++ b/lib/onelogin/ruby-saml/response.rb
@@ -412,7 +412,7 @@ def validate_response_state
 return append_error("No settings on response") if settings.nil?
- if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil?
+ if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil? && settings.idp_cert_multi.nil?
 return append_error("No fingerprint or certificate on settings")
 end
diff --git a/test/logoutresponse_test.rb b/test/logoutresponse_test.rb
index a730216fa..d47b53da6 100644
--- a/test/logoutresponse_test.rb
+++ b/test/logoutresponse_test.rb
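Review bot: The added `settings.idp_cert_multi.nil?` term in `valid_state?` (lib/onelogin/ruby-saml/logoutresponse.rb) accepts any non-nil value as a configured trust anchor, so an empty hash, or one that lists no signing certificates, now passes this guard. The identical change in `validate_response_state` in lib/onelogin/ruby-saml/response.rb has the same gap. Whether the later signature check fails closed in that case is not visible in either hunk, so the guard itself should reject it: `multi = settings.idp_cert_multi` followed by `if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil? && (multi.nil? || multi.empty?)`. This assumes idp_cert_multi is the hash of signing and encryption certificate lists that ruby-saml documents; confirm against the Settings class. Both method bodies start and continue outside their hunks.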
@@ -90,6 +90,7 @@ class RubySamlTest < Minitest::Test
 it "invalidate logout response when initiated with no idp cert or fingerprint" do
 settings.idp_cert_fingerprint = nil
 settings.idp_cert = nil
+ settings.idp_cert_multi = nil
 logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document, settings)
 assert !logoutresponse.validate
 assert_includes logoutresponse.errors, "No fingerprint or certificate on settings of the logout response"
diff --git a/test/response_test.rb b/test/response_test.rb
index 55d0b9a31..4de2fcd14 100644
--- a/test/response_test.rb
+++ b/test/response_test.rb
@@ -138,6 +138,7 @@ class RubySamlTest < Minitest::Test
 it "raise when No fingerprint or certificate on settings" do
 settings.idp_cert_fingerprint = nil
 settings.idp_cert = nil
+ settings.idp_cert_multi = nil
 response.settings = settings
 error_msg = "No fingerprint or certificate on settings"
 assert_raises(OneLogin::RubySaml::ValidationError, error_msg) do
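Review bot: No test here covers a response or logout response that validates with idp_cert_multi as the only configured trust setting. The added `settings.idp_cert_multi = nil` lines in test/logoutresponse_test.rb and test/response_test.rb only keep the existing "nothing configured" cases passing. Add one case per file that sets `settings.idp_cert_fingerprint = nil` and `settings.idp_cert = nil`, leaves only idp_cert_multi populated, and asserts that a correctly signed document validates. A companion case in which idp_cert_multi holds a certificate that did not sign the document should assert rejection, because the relaxed guard now depends on downstream signature validation for that outcome. The `it` block in test/response_test.rb continues past the end of its hunk.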