Validate the audience of assertions regardless of a response being unsolicited

c00kiemon5ter · c00kiemon5ter · commit 2c3c426c7f43 · 2019-08-24T19:53:59.000+03:00
Fixes #609 Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
diff --git a/src/saml2/response.py b/src/saml2/response.py
@@ -611,10 +611,9 @@ def condition_ok(self, lax=False):
             else:
                 self.not_on_or_after = 0
 
-        if not self.allow_unsolicited:
-            if not for_me(conditions, self.entity_id):
-                if not lax:
-                    raise Exception("Not for me!!!")
+        if not for_me(conditions, self.entity_id):
+            if not lax:
+                raise Exception("Not for me!!!")
 
         if conditions.condition:  # extra conditions
             for cond in conditions.condition:
diff --git a/tests/test_44_authnresp.py b/tests/test_44_authnresp.py
@@ -162,7 +162,7 @@ def test_unpack_nested_eptid(self):
                 </saml:Subject>
                 <saml:Conditions NotBefore="2016-09-23T14:00:44Z">
                     <saml:AudienceRestriction>
-                        <saml:Audience>https://sp.example.com</saml:Audience>
+                        <saml:Audience>urn:mace:example.com:saml:roland:sp</saml:Audience>
                     </saml:AudienceRestriction>
                 </saml:Conditions>
                 <saml:AuthnStatement AuthnInstant="2016-09-23T13:55:40Z"
@@ -222,7 +222,7 @@ def test_multiple_attribute_statement(self):
                 </saml:Subject>
                 <saml:Conditions NotBefore="2016-09-23T14:00:44Z">
                     <saml:AudienceRestriction>
-                        <saml:Audience>https://sp.example.com</saml:Audience>
+                        <saml:Audience>urn:mace:example.com:saml:roland:sp</saml:Audience>
                     </saml:AudienceRestriction>
                 </saml:Conditions>
                 <saml:AuthnStatement AuthnInstant="2016-09-23T13:55:40Z"
