Implement a more specific exception class for handling some validation errors. Improve tests

Author: pitbulk

src/onelogin/saml2/auth.py

@@ -432,7 +432,7 @@ def __build_signature(self, saml_data, relay_state, saml_type, sign_algorithm=On
         if not key:
             raise OneLogin_Saml2_Error(
                 "Trying to sign the %s but can't load the SP private key" % saml_type,
-                OneLogin_Saml2_Error.SP_CERTS_NOT_FOUND
+                OneLogin_Saml2_Error.PRIVATE_KEY_NOT_FOUND
             )
 
         dsig_ctx = xmlsec.DSigCtx()

src/onelogin/saml2/errors.py

@@ -25,7 +25,7 @@ class OneLogin_Saml2_Error(Exception):
     SETTINGS_INVALID_SYNTAX = 1
     SETTINGS_INVALID = 2
     METADATA_SP_INVALID = 3
-    SP_CERTS_NOT_FOUND = 4
+    CERT_NOT_FOUND = 4
     REDIRECT_INVALID_URL = 5
     PUBLIC_CERT_FILE_NOT_FOUND = 6
     PRIVATE_KEY_FILE_NOT_FOUND = 7
@@ -34,6 +34,8 @@ class OneLogin_Saml2_Error(Exception):
     SAML_LOGOUTREQUEST_INVALID = 10
     SAML_LOGOUTRESPONSE_INVALID = 11
     SAML_SINGLE_LOGOUT_NOT_SUPPORTED = 12
+    PRIVATE_KEY_NOT_FOUND = 13
+    UNSUPPORTED_SETTINGS_OBJECT = 14
 
     def __init__(self, message, code=0, errors=None):
         """
@@ -51,3 +53,76 @@ def __init__(self, message, code=0, errors=None):
 
         Exception.__init__(self, message)
         self.code = code
+
+
+class OneLogin_Saml2_ValidationError(Exception):
+    """
+
+    This class implements another custom Exception handler, related
+    to exceptions that happens during validation process.
+    Defines custom error codes .
+
+    """
+
+    # Validation Errors
+    UNSUPPORTED_SAML_VERSION = 0
+    MISSING_ID = 1
+    WRONG_NUMBER_OF_ASSERTIONS = 2
+    MISSING_STATUS = 3
+    MISSING_STATUS_CODE = 4
+    STATUS_CODE_IS_NOT_SUCCESS = 5
+    WRONG_SIGNED_ELEMENT = 6
+    ID_NOT_FOUND_IN_SIGNED_ELEMENT = 7
+    DUPLICATED_ID_IN_SIGNED_ELEMENTS = 8
+    INVALID_SIGNED_ELEMENT = 9
+    DUPLICATED_REFERENCE_IN_SIGNED_ELEMENTS = 10
+    UNEXPECTED_SIGNED_ELEMENTS = 11
+    WRONG_NUMBER_OF_SIGNATURES_IN_RESPONSE = 12
+    WRONG_NUMBER_OF_SIGNATURES_IN_ASSERTION = 13
+    INVALID_XML_FORMAT = 14
+    WRONG_INRESPONSETO = 15
+    NO_ENCRYPTED_ASSERTION = 16
+    NO_ENCRYPTED_NAMEID = 17
+    MISSING_CONDITIONS = 18
+    ASSERTION_TOO_EARLY = 19
+    ASSERTION_EXPIRED = 20
+    WRONG_NUMBER_OF_AUTHSTATEMENTS = 21
+    NO_ATTRIBUTESTATEMENT = 22
+    ENCRYPTED_ATTRIBUTES = 23
+    WRONG_DESTINATION = 24
+    EMPTY_DESTINATION = 25
+    WRONG_AUDIENCE = 26
+    ISSUER_NOT_FOUND_IN_RESPONSE = 27
+    ISSUER_NOT_FOUND_IN_ASSERTION = 28
+    WRONG_ISSUER = 29
+    SESSION_EXPIRED = 30
+    WRONG_SUBJECTCONFIRMATION = 31
+    NO_SIGNED_RESPONSE = 32
+    NO_SIGNED_ASSERTION = 33
+    NO_SIGNATURE_FOUND = 34
+    KEYINFO_NOT_FOUND_IN_ENCRYPTED_DATA = 35
+    CHILDREN_NODE_NOT_FOIND_IN_KEYINFO = 36
+    UNSUPPORTED_RETRIEVAL_METHOD = 37
+    NO_NAMEID = 38
+    EMPTY_NAMEID = 39
+    SP_NAME_QUALIFIER_NAME_MISMATCH = 40
+    DUPLICATED_ATTRIBUTE_NAME_FOUND = 41
+    INVALID_SIGNATURE = 42
+    WRONG_NUMBER_OF_SIGNATURES = 43
+
+    def __init__(self, message, code=0, errors=None):
+        """
+        Initializes the Exception instance.
+
+        Arguments are:
+            * (str)   message.   Describes the error.
+            * (int)   code.      The code error (defined in the error class).
+        """
+        assert isinstance(message, basestring)
+        assert isinstance(code, int)
+
+        if errors is not None:
+            message = message % errors
+
+        Exception.__init__(self, message)
+        self.code = code

src/onelogin/saml2/logout_request.py

@@ -17,6 +17,7 @@
 
 from onelogin.saml2.constants import OneLogin_Saml2_Constants
 from onelogin.saml2.utils import OneLogin_Saml2_Utils
+from onelogin.saml2.errors import OneLogin_Saml2_Error, OneLogin_Saml2_ValidationError
 
 
 class OneLogin_Saml2_Logout_Request(object):
@@ -179,7 +180,10 @@ def get_nameid_data(request, key=None):
 
         if len(encrypted_entries) == 1:
             if key is None:
-                raise Exception('Key is required in order to decrypt the NameID')
+                raise OneLogin_Saml2_Error(
+                    'Private Key is required in order to decrypt the NameID, check settings',
+                    OneLogin_Saml2_Error.PRIVATE_KEY_NOT_FOUND
+                )
 
             encrypted_data_nodes = OneLogin_Saml2_Utils.query(elem, '/samlp:LogoutRequest/saml:EncryptedID/xenc:EncryptedData')
             if len(encrypted_data_nodes) == 1:
@@ -191,7 +195,10 @@ def get_nameid_data(request, key=None):
                 name_id = entries[0]
 
         if name_id is None:
-            raise Exception('Not NameID found in the Logout Request')
+            raise OneLogin_Saml2_ValidationError(
+                'Not NameID found in the Logout Request',
+                OneLogin_Saml2_ValidationError.NO_NAMEID
+            )
 
         name_id_data = {
             'Value': name_id.text
@@ -289,7 +296,10 @@ def is_valid(self, request_data, raise_exceptions=False):
             if self.__settings.is_strict():
                 res = OneLogin_Saml2_Utils.validate_xml(dom, 'saml-schema-protocol-2.0.xsd', self.__settings.is_debug_active())
                 if not isinstance(res, Document):
-                    raise Exception('Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd')
+                    raise OneLogin_Saml2_ValidationError(
+                        'Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd',
+                        OneLogin_Saml2_ValidationError.INVALID_XML_FORMAT
+                    )
 
                 security = self.__settings.get_security_data()
 
@@ -318,11 +328,17 @@ def is_valid(self, request_data, raise_exceptions=False):
                 # Check issuer
                 issuer = OneLogin_Saml2_Logout_Request.get_issuer(dom)
                 if issuer is not None and issuer != idp_entity_id:
-                    raise Exception('Invalid issuer in the Logout Request')
+                    raise OneLogin_Saml2_ValidationError(
+                        'Invalid issuer in the Logout Request',
+                        OneLogin_Saml2_ValidationError.WRONG_ISSUER
+                    )
 
                 if security['wantMessagesSigned']:
                     if 'Signature' not in get_data:
-                        raise Exception('The Message of the Logout Request is not signed and the SP require it')
+                        raise OneLogin_Saml2_ValidationError(
+                            'The Message of the Logout Request is not signed and the SP require it',
+                            OneLogin_Saml2_ValidationError.NO_SIGNED_RESPONSE
+                        )
 
             if 'Signature' in get_data:
                 if 'SigAlg' not in get_data:
@@ -336,11 +352,17 @@ def is_valid(self, request_data, raise_exceptions=False):
                 signed_query = '%s&SigAlg=%s' % (signed_query, OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'SigAlg', OneLogin_Saml2_Constants.RSA_SHA1, lowercase_urlencoding=lowercase_urlencoding))
 
                 if 'x509cert' not in idp_data or not idp_data['x509cert']:
-                    raise Exception('In order to validate the sign on the Logout Request, the x509cert of the IdP is required')
+                    raise OneLogin_Saml2_Error(
+                        'In order to validate the sign on the Logout Request, the x509cert of the IdP is required',
+                        OneLogin_Saml2_Error.CERT_NOT_FOUND
+                    )
                 cert = idp_data['x509cert']
 
                 if not OneLogin_Saml2_Utils.validate_binary_sign(signed_query, b64decode(get_data['Signature']), cert, sign_alg):
-                    raise Exception('Signature validation failed. Logout Request rejected')
+                    raise OneLogin_Saml2_ValidationError(
+                        'Signature validation failed. Logout Request rejected',
+                        OneLogin_Saml2_ValidationError.INVALID_SIGNATURE
+                    )
 
             return True
         except Exception as err:

src/onelogin/saml2/logout_response.py

@@ -17,6 +17,7 @@
 
 from onelogin.saml2.constants import OneLogin_Saml2_Constants
 from onelogin.saml2.utils import OneLogin_Saml2_Utils
+from onelogin.saml2.errors import OneLogin_Saml2_Error, OneLogin_Saml2_ValidationError
 
 
 class OneLogin_Saml2_Logout_Response(object):
@@ -91,20 +92,29 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
             if self.__settings.is_strict():
                 res = OneLogin_Saml2_Utils.validate_xml(self.document, 'saml-schema-protocol-2.0.xsd', self.__settings.is_debug_active())
                 if not isinstance(res, Document):
-                    raise Exception('Invalid SAML Logout Response. Not match the saml-schema-protocol-2.0.xsd')
+                    raise OneLogin_Saml2_ValidationError(
+                        'Invalid SAML Logout Response. Not match the saml-schema-protocol-2.0.xsd',
+                        OneLogin_Saml2_ValidationError.INVALID_XML_FORMAT
+                    )
 
                 security = self.__settings.get_security_data()
 
                 # Check if the InResponseTo of the Logout Response matches the ID of the Logout Request (requestId) if provided
                 if request_id is not None and self.document.documentElement.hasAttribute('InResponseTo'):
                     in_response_to = self.document.documentElement.getAttribute('InResponseTo')
                     if request_id != in_response_to:
-                        raise Exception('The InResponseTo of the Logout Response: %s, does not match the ID of the Logout request sent by the SP: %s' % (in_response_to, request_id))
+                        raise OneLogin_Saml2_ValidationError(
+                            'The InResponseTo of the Logout Response: %s, does not match the ID of the Logout request sent by the SP: %s' % (in_response_to, request_id),
+                            OneLogin_Saml2_ValidationError.WRONG_INRESPONSETO
+                        )
 
                 # Check issuer
                 issuer = self.get_issuer()
                 if issuer is not None and issuer != idp_entity_id:
-                    raise Exception('Invalid issuer in the Logout Request')
+                    raise OneLogin_Saml2_ValidationError(
+                        'Invalid issuer in the Logout Request',
+                        OneLogin_Saml2_ValidationError.WRONG_ISSUER
+                    )
 
                 current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
 
@@ -113,11 +123,17 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                     destination = self.document.documentElement.getAttribute('Destination')
                     if destination != '':
                         if current_url not in destination:
-                            raise Exception('The LogoutRequest was received at $currentURL instead of $destination')
+                            raise OneLogin_Saml2_ValidationError(
+                                'The LogoutResponse was received at %s instead of %s' % (current_url, destination),
+                                OneLogin_Saml2_ValidationError.WRONG_DESTINATION
+                            )
 
                 if security['wantMessagesSigned']:
                     if 'Signature' not in get_data:
-                        raise Exception('The Message of the Logout Response is not signed and the SP require it')
+                        raise OneLogin_Saml2_ValidationError(
+                            'The Message of the Logout Response is not signed and the SP require it',
+                            OneLogin_Saml2_ValidationError.NO_SIGNED_RESPONSE
+                        )
 
             if 'Signature' in get_data:
                 if 'SigAlg' not in get_data:
@@ -131,11 +147,17 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                 signed_query = '%s&SigAlg=%s' % (signed_query, OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'SigAlg', OneLogin_Saml2_Constants.RSA_SHA1, lowercase_urlencoding=lowercase_urlencoding))
 
                 if 'x509cert' not in idp_data or not idp_data['x509cert']:
-                    raise Exception('In order to validate the sign on the Logout Response, the x509cert of the IdP is required')
+                    raise OneLogin_Saml2_Error(
+                        'In order to validate the sign on the Logout Response, the x509cert of the IdP is required',
+                        OneLogin_Saml2_Error.CERT_NOT_FOUND
+                    )
                 cert = idp_data['x509cert']
 
                 if not OneLogin_Saml2_Utils.validate_binary_sign(signed_query, b64decode(get_data['Signature']), cert, sign_alg):
-                    raise Exception('Signature validation failed. Logout Response rejected')
+                    raise OneLogin_Saml2_ValidationError(
+                        'Signature validation failed. Logout Response rejected',
+                        OneLogin_Saml2_ValidationError.INVALID_SIGNATURE
+                    )
 
             return True
         # pylint: disable=R0801