Merge pull request #574 from rectalogic/error-status

c00kiemon5ter · web-flow · commit 12a01b6d54bb · 2018-12-04T14:03:29.000+01:00
Raise status exception when parsing an error status response
diff --git a/src/saml2/entity.py b/src/saml2/entity.py
@@ -1207,8 +1207,6 @@ def _parse_response(self, xmlstr, response_cls, service, binding,
             else:
                 response.require_signature = require_signature
                 response = response.verify(keys)
-        except Exception as err:
-            logger.error("Exception verifying assertion: %s" % err)
         else:
             assertions_are_signed = True
         finally:
diff --git a/tests/test_51_client.py b/tests/test_51_client.py
@@ -28,7 +28,7 @@
 from saml2.authn_context import INTERNETPROTOCOLPASSWORD
 from saml2.client import Saml2Client
 from saml2.pack import parse_soap_enveloped_saml
-from saml2.response import LogoutResponse
+from saml2.response import LogoutResponse, StatusInvalidNameidPolicy
 from saml2.saml import NAMEID_FORMAT_PERSISTENT, EncryptedAssertion, Advice
 from saml2.saml import NAMEID_FORMAT_TRANSIENT
 from saml2.saml import NameID
@@ -2294,6 +2294,37 @@ def test_response_no_name_id(self):
         # A successful test is parsing the response.
         assert authn_response is not None
 
+    def test_response_error_status(self):
+        """ Test that the SP client can parse an authentication response
+        from an IdP that contains an error status."""
+
+        conf = config.SPConfig()
+        conf.load_file("server_conf")
+        client = Saml2Client(conf)
+
+        resp = self.server.create_error_response(
+            in_response_to="id1",
+            destination="http://lingon.catalogix.se:8087/",
+            info=(samlp.STATUS_INVALID_NAMEID_POLICY, None),
+        )
+
+        # Cast the response to a string and encode it to mock up the payload
+        # the SP client is expected to receive via HTTP POST binding.
+        if six.PY2:
+            resp_str = encode_fn(str(resp))
+        else:
+            resp_str = encode_fn(bytes(str(resp), 'utf-8'))
+
+        # We do not need the client to verify a signature for this test.
+        client.want_assertions_signed = False
+        client.want_response_signed = False
+
+        # Parse the authentication error response
+        with raises(StatusInvalidNameidPolicy):
+            client.parse_authn_request_response(
+                resp_str, BINDING_HTTP_POST,
+                {"id1": "http://foo.example.com/service"})
+
     def setup_verify_authn_response(self):
         idp = "urn:mace:example.com:saml:roland:idp"
         ava = {"givenName": ["Dave"], "sn": ["Concepción"],
