Merge pull request #191 from thejuan/master

Checking the status of response before assertion count

Author: pitbulk

src/onelogin/saml2/response.py

@@ -84,16 +84,16 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                     OneLogin_Saml2_ValidationError.MISSING_ID
                 )
 
+            # Checks that the response has the SUCCESS status
+            self.check_status()
+
             # Checks that the response only has one assertion
             if not self.validate_num_assertions():
                 raise OneLogin_Saml2_ValidationError(
                     'SAML Response must contain 1 assertion',
                     OneLogin_Saml2_ValidationError.WRONG_NUMBER_OF_ASSERTIONS
                 )
 
-            # Checks that the response has the SUCCESS status
-            self.check_status()
-
             idp_data = self.__settings.get_idp_data()
             idp_entity_id = idp_data.get('entityId', '')
             sp_data = self.__settings.get_sp_data()

tests/src/OneLogin/saml2_tests/response_test.py

@@ -1390,6 +1390,16 @@ def testIsValidWithoutInResponseTo(self):
                 'script_name': 'newonelogin/demo1/index.php?acs'
             }))
 
+    def testStatusCheckBeforeAssertionCheck(self):
+        """
+        Tests the status of a response is checked before the assertion count. As failed statuses will have no assertions
+        """
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+        xml = self.file_contents(join(self.data_path, 'responses', 'invalids', 'status_code_responder.xml.base64'))
+        response = OneLogin_Saml2_Response(settings, xml)
+        with self.assertRaisesRegexp(OneLogin_Saml2_ValidationError, 'The status code of the Response was not Success, was Responder'):
+            response.is_valid(self.get_request_data(), raise_exceptions=True)
+
 
 if __name__ == '__main__':
     if is_running_under_teamcity():