Add option to raise exceptions on SAML message validation

Author: pitbulk

src/onelogin/saml2/logout_request.py

@@ -260,12 +260,13 @@ def get_session_indexes(request):
             session_indexes.append(session_index_node.text)
         return session_indexes
 
-    def is_valid(self, request_data):
+    def is_valid(self, request_data, raise_exceptions=False):
         """
         Checks if the Logout Request received is valid
         :param request_data: Request Data
         :type request_data: dict
-
+        :param raise_exceptions: Whether to return false on failure or raise an exception
+        :type raise_exceptions: Boolean
         :return: If the Logout Request is or not valid
         :rtype: boolean
         """
@@ -348,6 +349,8 @@ def is_valid(self, request_data):
             debug = self.__settings.is_debug_active()
             if debug:
                 print err.__str__()
+            if raise_exceptions:
+                raise err
             return False
 
     def get_error(self):

src/onelogin/saml2/logout_response.py

@@ -68,11 +68,13 @@ def get_status(self):
         status = entries[0].attrib['Value']
         return status
 
-    def is_valid(self, request_data, request_id=None):
+    def is_valid(self, request_data, request_id=None, raise_exceptions=False):
         """
         Determines if the SAML LogoutResponse is valid
         :param request_id: The ID of the LogoutRequest sent by this SP to the IdP
         :type request_id: string
+        :param raise_exceptions: Whether to return false on failure or raise an exception
+        :type raise_exceptions: Boolean
         :return: Returns if the SAML LogoutResponse is or not valid
         :rtype: boolean
         """
@@ -89,7 +91,7 @@ def is_valid(self, request_data, request_id=None):
             if self.__settings.is_strict():
                 res = OneLogin_Saml2_Utils.validate_xml(self.document, 'saml-schema-protocol-2.0.xsd', self.__settings.is_debug_active())
                 if not isinstance(res, Document):
-                    raise Exception('Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd')
+                    raise Exception('Invalid SAML Logout Response. Not match the saml-schema-protocol-2.0.xsd')
 
                 security = self.__settings.get_security_data()
 
@@ -142,6 +144,8 @@ def is_valid(self, request_data, request_id=None):
             debug = self.__settings.is_debug_active()
             if debug:
                 print err.__str__()
+            if raise_exceptions:
+                raise err
             return False
 
     def __query(self, query):

src/onelogin/saml2/response.py

@@ -51,7 +51,7 @@ def __init__(self, settings, response):
             self.encrypted = True
             self.decrypted_document = self.__decrypt_assertion(decrypted_document)
 
-    def is_valid(self, request_data, request_id=None):
+    def is_valid(self, request_data, request_id=None, raise_exceptions=False):
         """
         Validates the response object.
 
@@ -239,6 +239,8 @@ def is_valid(self, request_data, request_id=None):
             debug = self.__settings.is_debug_active()
             if debug:
                 print err.__str__()
+            if raise_exceptions:
+                raise err
             return False
 
     def check_status(self):

tests/src/OneLogin/saml2_tests/logout_request_test.py

@@ -312,6 +312,22 @@ def testIsValid(self):
         logout_request5 = OneLogin_Saml2_Logout_Request(settings, b64encode(request))
         self.assertTrue(logout_request5.is_valid(request_data))
 
+    def testIsValidRaisesExceptionWhenRaisesArgumentIsTrue(self):
+        request = OneLogin_Saml2_Utils.deflate_and_base64_encode('<xml>invalid</xml>')
+        request_data = {
+            'http_host': 'example.com',
+            'script_name': 'index.html'
+        }
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+        settings.set_strict(True)
+
+        logout_request = OneLogin_Saml2_Logout_Request(settings, request)
+
+        self.assertFalse(logout_request.is_valid(request_data))
+
+        with self.assertRaisesRegexp(Exception, "Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd"):
+            logout_request.is_valid(request_data, raise_exceptions=True)
+
     def testIsValidSign(self):
         """
         Tests the is_valid method of the OneLogin_Saml2_LogoutRequest

tests/src/OneLogin/saml2_tests/logout_response_test.py

@@ -228,6 +228,23 @@ def testIsInValidDestination(self):
         response_4 = OneLogin_Saml2_Logout_Response(settings, message_4)
         self.assertTrue(response_4.is_valid(request_data))
 
+    def testIsValidRaisesExceptionWhenRaisesArgumentIsTrue(self):
+        message = OneLogin_Saml2_Utils.deflate_and_base64_encode('<xml>invalid</xml>')
+        request_data = {
+            'http_host': 'example.com',
+            'script_name': 'index.html',
+            'get_data': {}
+        }
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+        settings.set_strict(True)
+
+        response = OneLogin_Saml2_Logout_Response(settings, message)
+
+        self.assertFalse(response.is_valid(request_data))
+
+        with self.assertRaisesRegexp(Exception, "Invalid SAML Logout Response. Not match the saml-schema-protocol-2.0.xsd"):
+            response.is_valid(request_data, raise_exceptions=True)
+
     def testIsInValidSign(self):
         """
         Tests the is_valid method of the OneLogin_Saml2_LogoutResponse

tests/src/OneLogin/saml2_tests/response_test.py

@@ -1227,6 +1227,18 @@ def testIsValidEnc(self):
         response_7.is_valid(request_data)
         self.assertEqual('No Signature found. SAML Response rejected', response_7.get_error())
 
+    def testIsValidRaisesExceptionWhenRaisesArgumentIsTrue(self):
+        message = b64encode('<xml>invalid</xml>')
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+        settings.set_strict(True)
+
+        response = OneLogin_Saml2_Response(settings, message)
+
+        self.assertFalse(response.is_valid(self.get_request_data()))
+
+        with self.assertRaisesRegexp(Exception, "Unsupported SAML version"):
+            response.is_valid(self.get_request_data(), raise_exceptions=True)
+
     def testIsValidSign(self):
         """
         Tests the is_valid method of the OneLogin_Saml2_Response