Fixed tests

Author: Tessa Bloomer

src/onelogin/saml2/logout_response.py

@@ -118,7 +118,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
 
                 # Check destination
                 destination = self.document.get('Destination', None)
-                if destination and OneLogin_Saml2_Utils.normalize_url(current_url) not in OneLogin_Saml2_Utils.normalize_url(destination):
+                if destination and OneLogin_Saml2_Utils.normalize_url(url=current_url) not in OneLogin_Saml2_Utils.normalize_url(url=destination):
                     raise OneLogin_Saml2_ValidationError(
                         'The LogoutResponse was received at %s instead of %s' % (current_url, destination),
                         OneLogin_Saml2_ValidationError.WRONG_DESTINATION

src/onelogin/saml2/response.py

@@ -192,7 +192,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                 # Checks destination
                 destination = self.document.get('Destination', None)
                 if destination:
-                    if not OneLogin_Saml2_Utils.normalize_url(destination).startswith(OneLogin_Saml2_Utils.normalize_url(current_url)):
+                    if not OneLogin_Saml2_Utils.normalize_url(url=destination).startswith(OneLogin_Saml2_Utils.normalize_url(url=current_url)):
                         # TODO: Review if following lines are required, since we can control the
                         # request_data
                         #  current_url_routed = OneLogin_Saml2_Utils.get_self_routed_url_no_query(request_data)

src/onelogin/saml2/utils.py

@@ -20,7 +20,7 @@
 from functools import wraps
 from uuid import uuid4
 from xml.dom.minidom import Element
-
+from urllib.parse import urlsplit, urlunsplit
 import zlib
 import xmlsec
 
@@ -1063,8 +1063,8 @@ def validate_binary_sign(signed_query, signature, cert=None, algorithm=OneLogin_
                 print(e)
             return False
 
-        @staticmethod
-        def normalize_url(self, url):
+    @staticmethod
+    def normalize_url(url):
         """
         Returns normalized URL for comparison. 
         This method converts the netloc to lowercase, as it should be case-insensitive (per RFC 4343, RFC 7617)

tests/src/OneLogin/saml2_tests/response_test.py

@@ -1063,12 +1063,12 @@ def testIsValidDestinationCapitalizationOfHost(self):
         """
         settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
         message = self.file_contents(join(self.data_path, 'responses', 'unsigned_response.xml.base64'))
-        
         #Test domain capitalized
         settings.set_strict(True)
         response = OneLogin_Saml2_Response(settings, message)
         self.assertFalse(response.is_valid(self.get_request_data_domain_capitalized()))
         self.assertNotIn('The response was received at', response.get_error())
+
         #Assert we got past the destination check, which appears later
         self.assertIn('A valid SubjectConfirmation was not found', response.get_error())
 

tests/src/OneLogin/saml2_tests/utils_test.py

@@ -917,3 +917,15 @@ def testValidateSign(self):
         # Signature Wrapping attack
         wrapping_attack1 = b64decode(self.file_contents(join(self.data_path, 'responses', 'invalids', 'signature_wrapping_attack.xml.base64')))
         self.assertFalse(OneLogin_Saml2_Utils.validate_sign(wrapping_attack1, cert))
+
+    def testNormalizeUrl(self):
+        base_url = 'https://blah.com/path'
+        capital_scheme = 'hTTps://blah.com/path'
+        capital_domain = 'https://blAH.Com/path'
+        capital_path = 'https://blah.com/PAth'
+        capital_all = 'HTTPS://BLAH.COM/PATH'
+
+        self.assertIn(base_url, OneLogin_Saml2_Utils.normalize_url(capital_scheme))
+        self.assertIn(base_url, OneLogin_Saml2_Utils.normalize_url(capital_domain))
+        self.assertNotIn(base_url, OneLogin_Saml2_Utils.normalize_url(capital_path))
+        self.assertNotIn(base_url, OneLogin_Saml2_Utils.normalize_url(capital_all))