Merge pull request #127 from OP-Lamminen/slo-with-xml-encoding

Fix for SLO when XML specifies encoding

Author: pitbulk

src/onelogin/saml2/compat.py

@@ -22,6 +22,7 @@
 
 if isinstance(b'', type('')):  # py 2.x
     text_types = (basestring,)  # noqa
+    bytes_type = bytes
     str_type = basestring  # noqa
 
     def utf8(data):
@@ -42,6 +43,7 @@ def to_bytes(data):
 
 else:  # py 3.x
     text_types = (bytes, str)
+    bytes_type = bytes
     str_type = str
 
     def utf8(data):

src/onelogin/saml2/xml_utils.py

@@ -25,6 +25,7 @@ class OneLogin_Saml2_XML(object):
     _parse_etree = staticmethod(fromstring)
     _schema_class = etree.XMLSchema
     _text_class = compat.text_types
+    _bytes_class = compat.bytes_type
     _unparse_etree = staticmethod(tostring)
 
     dump = staticmethod(etree.dump)
@@ -61,8 +62,10 @@ def to_etree(xml):
         """
         if isinstance(xml, OneLogin_Saml2_XML._element_class):
             return xml
-        if isinstance(xml, OneLogin_Saml2_XML._text_class):
+        if isinstance(xml, OneLogin_Saml2_XML._bytes_class):
             return OneLogin_Saml2_XML._parse_etree(xml, forbid_dtd=True)
+        if isinstance(xml, OneLogin_Saml2_XML._text_class):
+            return OneLogin_Saml2_XML._parse_etree(compat.to_bytes(xml), forbid_dtd=True)
 
         raise ValueError('unsupported type %r' % type(xml))
 

tests/data/logout_requests/logout_request_with_encoding.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+                     ID="ONELOGIN_21584ccdfaca36a145ae990442dcd96bfe60151e"
+                     Version="2.0"
+                     IssueInstant="2013-12-10T04:39:31Z"
+                     Destination="http://stuff.com/endpoints/endpoints/sls.php"
+                     >
+    <saml:Issuer>http://idp.example.com/</saml:Issuer>
+    <saml:NameID SPNameQualifier="http://idp.example.com/"
+                 Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+                 >ONELOGIN_1e442c129e1f822c8096086a1103c5ee2c7cae1c</saml:NameID>
+</samlp:LogoutRequest>

tests/data/logout_responses/logout_response_with_encoding.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+                      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+                      ID="_f9ee61bd9dbf63606faa9ae3b10548d5b3656fb859"
+                      Version="2.0"
+                      IssueInstant="2013-12-10T04:39:31Z"
+                      Destination="http://stuff.com/endpoints/endpoints/sls.php"
+                      InResponseTo="ONELOGIN_21584ccdfaca36a145ae990442dcd96bfe60151e"
+                      >
+    <saml:Issuer>http://idp.example.com/</saml:Issuer>
+    <samlp:Status>
+        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
+    </samlp:Status>
+</samlp:LogoutResponse>

tests/data/logout_responses/logout_response_with_encoding_deflated.xml.base64

@@ -0,0 +1 @@
+fVLdS8MwEH8X/B9K3tcmaxvWsFbELwZzAzd98EXS5KqFNgm9VPbnO6pjm1jzFO5+X8nd/GrXNsEndFhbkxMWUhKAUVbX5j0nz9v7yYxcFZcXc5Rt48TSvtvePwE6axCCPdegGFo56TsjrMQahZEtoPBKbK4fl2IaUuE6662yDbm8CP48R6X/hSQidH6fdVRpcZuTtyoD4KzUmS4rHnPKKykzCXHJaJrMdFrGPOVVOUuzUZ2Xw5/sbcfNEHtYGPTS+D2SsnjCphNGtzQRcSZi9jpKvQX0tZF+8Pjw3okoQt9XVahsG4HRztbG48kNGwzdhxsPYw6D2dqcrFd3y/XDYvU2ZeksUUpXUsmYS5akErKMJslUK53xsgJOWcpgVLf4bgwrIIYXd8VP4Fq7EHaydQ0MsefRKeiE58TGS99jcTQ5q99YDcGLbHr4f/44oMWmVwoQSRAdTKJfLofC+cYWXw==

tests/data/metadata/testshib-providers.xml

@@ -37,28 +37,23 @@
                 <ds:KeyInfo>
                     <ds:X509Data>
                         <ds:X509Certificate>
-                            MIIEDjCCAvagAwIBAgIBADANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzEV
-                            MBMGA1UECBMMUGVubnN5bHZhbmlhMRMwEQYDVQQHEwpQaXR0c2J1cmdoMREwDwYD
-                            VQQKEwhUZXN0U2hpYjEZMBcGA1UEAxMQaWRwLnRlc3RzaGliLm9yZzAeFw0wNjA4
-                            MzAyMTEyMjVaFw0xNjA4MjcyMTEyMjVaMGcxCzAJBgNVBAYTAlVTMRUwEwYDVQQI
-                            EwxQZW5uc3lsdmFuaWExEzARBgNVBAcTClBpdHRzYnVyZ2gxETAPBgNVBAoTCFRl
-                            c3RTaGliMRkwFwYDVQQDExBpZHAudGVzdHNoaWIub3JnMIIBIjANBgkqhkiG9w0B
-                            AQEFAAOCAQ8AMIIBCgKCAQEArYkCGuTmJp9eAOSGHwRJo1SNatB5ZOKqDM9ysg7C
-                            yVTDClcpu93gSP10nH4gkCZOlnESNgttg0r+MqL8tfJC6ybddEFB3YBo8PZajKSe
-                            3OQ01Ow3yT4I+Wdg1tsTpSge9gEz7SrC07EkYmHuPtd71CHiUaCWDv+xVfUQX0aT
-                            NPFmDixzUjoYzbGDrtAyCqA8f9CN2txIfJnpHE6q6CmKcoLADS4UrNPlhHSzd614
-                            kR/JYiks0K4kbRqCQF0Dv0P5Di+rEfefC6glV8ysC8dB5/9nb0yh/ojRuJGmgMWH
-                            gWk6h0ihjihqiu4jACovUZ7vVOCgSE5Ipn7OIwqd93zp2wIDAQABo4HEMIHBMB0G
-                            A1UdDgQWBBSsBQ869nh83KqZr5jArr4/7b+QazCBkQYDVR0jBIGJMIGGgBSsBQ86
-                            9nh83KqZr5jArr4/7b+Qa6FrpGkwZzELMAkGA1UEBhMCVVMxFTATBgNVBAgTDFBl
-                            bm5zeWx2YW5pYTETMBEGA1UEBxMKUGl0dHNidXJnaDERMA8GA1UEChMIVGVzdFNo
-                            aWIxGTAXBgNVBAMTEGlkcC50ZXN0c2hpYi5vcmeCAQAwDAYDVR0TBAUwAwEB/zAN
-                            BgkqhkiG9w0BAQUFAAOCAQEAjR29PhrCbk8qLN5MFfSVk98t3CT9jHZoYxd8QMRL
-                            I4j7iYQxXiGJTT1FXs1nd4Rha9un+LqTfeMMYqISdDDI6tv8iNpkOAvZZUosVkUo
-                            93pv1T0RPz35hcHHYq2yee59HJOco2bFlcsH8JBXRSRrJ3Q7Eut+z9uo80JdGNJ4
-                            /SJy5UorZ8KazGj16lfJhOBXldgrhppQBb0Nq6HKHguqmwRfJ+WkxemZXzhediAj
-                            Geka8nz8JjwxpUjAiSWYKLtJhGEaTqCYxCCX2Dw+dOTqUzHOZ7WKv4JXPK5G/Uhr
-                            8K/qhmFT2nIQi538n6rVYLeWj8Bbnl+ev0peYzxFyF5sQA==
+                            MIIDAzCCAeugAwIBAgIVAPX0G6LuoXnKS0Muei006mVSBXbvMA0GCSqGSIb3DQEB
+                            CwUAMBsxGTAXBgNVBAMMEGlkcC50ZXN0c2hpYi5vcmcwHhcNMTYwODIzMjEyMDU0
+                            WhcNMzYwODIzMjEyMDU0WjAbMRkwFwYDVQQDDBBpZHAudGVzdHNoaWIub3JnMIIB
+                            IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAg9C4J2DiRTEhJAWzPt1S3ryh
+                            m3M2P3hPpwJwvt2q948vdTUxhhvNMuc3M3S4WNh6JYBs53R+YmjqJAII4ShMGNEm
+                            lGnSVfHorex7IxikpuDPKV3SNf28mCAZbQrX+hWA+ann/uifVzqXktOjs6DdzdBn
+                            xoVhniXgC8WCJwKcx6JO/hHsH1rG/0DSDeZFpTTcZHj4S9MlLNUtt5JxRzV/MmmB
+                            3ObaX0CMqsSWUOQeE4nylSlp5RWHCnx70cs9kwz5WrflnbnzCeHU2sdbNotBEeTH
+                            ot6a2cj/pXlRJIgPsrL/4VSicPZcGYMJMPoLTJ8mdy6mpR6nbCmP7dVbCIm/DQID
+                            AQABoz4wPDAdBgNVHQ4EFgQUUfaDa2mPi24x09yWp1OFXmZ2GPswGwYDVR0RBBQw
+                            EoIQaWRwLnRlc3RzaGliLm9yZzANBgkqhkiG9w0BAQsFAAOCAQEASKKgqTxhqBzR
+                            OZ1eVy++si+eTTUQZU4+8UywSKLia2RattaAPMAcXUjO+3cYOQXLVASdlJtt+8QP
+                            dRkfp8SiJemHPXC8BES83pogJPYEGJsKo19l4XFJHPnPy+Dsn3mlJyOfAa8RyWBS
+                            80u5lrvAcr2TJXt9fXgkYs7BOCigxtZoR8flceGRlAZ4p5FPPxQR6NDYb645jtOT
+                            MVr3zgfjP6Wh2dt+2p04LG7ENJn8/gEwtXVuXCsPoSCDx9Y0QmyXTJNdV1aB0AhO
+                            RkWPlFYwp+zOyOIR+3m1+pqWFpn0eT/HrxpdKa74FA3R2kq4R7dXe4G0kUgXTdqX
+                            MLRKhDgdmA==
                         </ds:X509Certificate>
                     </ds:X509Data>
                 </ds:KeyInfo>

tests/src/OneLogin/saml2_tests/logout_request_test.py

@@ -414,6 +414,38 @@ def testIsValid(self):
         logout_request5 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request))
         self.assertTrue(logout_request5.is_valid(request_data))
 
+    def testIsValidWithXMLEncoding(self):
+        """
+        Tests the is_valid method of the OneLogin_Saml2_LogoutRequest
+        """
+        request_data = {
+            'http_host': 'example.com',
+            'script_name': 'index.html'
+        }
+        request = self.file_contents(join(self.data_path, 'logout_requests', 'logout_request_with_encoding.xml'))
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+
+        logout_request = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request))
+        self.assertTrue(logout_request.is_valid(request_data))
+
+        settings.set_strict(True)
+        logout_request2 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request))
+        self.assertFalse(logout_request2.is_valid(request_data))
+
+        settings.set_strict(False)
+        dom = parseString(request)
+        logout_request3 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(dom.toxml()))
+        self.assertTrue(logout_request3.is_valid(request_data))
+
+        settings.set_strict(True)
+        logout_request4 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(dom.toxml()))
+        self.assertFalse(logout_request4.is_valid(request_data))
+
+        current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
+        request = request.replace('http://stuff.com/endpoints/endpoints/sls.php', current_url)
+        logout_request5 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request))
+        self.assertTrue(logout_request5.is_valid(request_data))
+
     def testIsValidRaisesExceptionWhenRaisesArgumentIsTrue(self):
         request = OneLogin_Saml2_Utils.b64encode('<xml>invalid</xml>')
         request_data = {

tests/src/OneLogin/saml2_tests/logout_response_test.py

@@ -276,6 +276,34 @@ def testIsValid(self):
         response_3 = OneLogin_Saml2_Logout_Response(settings, message_3)
         self.assertTrue(response_3.is_valid(request_data))
 
+    def testIsValidWithXMLEncoding(self):
+        """
+        Tests the is_valid method of the OneLogin_Saml2_LogoutResponse
+        """
+        request_data = {
+            'http_host': 'example.com',
+            'script_name': 'index.html',
+            'get_data': {}
+        }
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+        message = self.file_contents(join(self.data_path, 'logout_responses', 'logout_response_with_encoding_deflated.xml.base64'))
+
+        response = OneLogin_Saml2_Logout_Response(settings, message)
+        self.assertTrue(response.is_valid(request_data))
+
+        settings.set_strict(True)
+        response_2 = OneLogin_Saml2_Logout_Response(settings, message)
+        with self.assertRaisesRegex(Exception, 'The LogoutResponse was received at'):
+            response_2.is_valid(request_data, raise_exceptions=True)
+
+        plain_message = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(message))
+        current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
+        plain_message = plain_message.replace('http://stuff.com/endpoints/endpoints/sls.php', current_url)
+        message_3 = OneLogin_Saml2_Utils.deflate_and_base64_encode(plain_message)
+
+        response_3 = OneLogin_Saml2_Logout_Response(settings, message_3)
+        self.assertTrue(response_3.is_valid(request_data))
+
     def testIsValidRaisesExceptionWhenRaisesArgumentIsTrue(self):
         message = OneLogin_Saml2_Utils.deflate_and_base64_encode('<xml>invalid</xml>')
         request_data = {