Fix for lxml issues parsing SLO XML messages specifying encoding.

op-codento · op-codento · commit b0e7046cf9dc · 2019-02-20T15:06:03.000+02:00
- Adding bytes_type to compat
- Changing OneLogin_Saml2_XML.to_etree() to always pass bytes to _parse_etree()
- Adding test cases for SLO messages with XML encoding specified
diff --git a/src/onelogin/saml2/compat.py b/src/onelogin/saml2/compat.py
@@ -22,6 +22,7 @@
 
 if isinstance(b'', type('')):  # py 2.x
     text_types = (basestring,)  # noqa
+    bytes_type = bytes
     str_type = basestring  # noqa
 
     def utf8(data):
@@ -42,6 +43,7 @@ def to_bytes(data):
 
 else:  # py 3.x
     text_types = (bytes, str)
+    bytes_type = bytes
     str_type = str
 
     def utf8(data):
diff --git a/src/onelogin/saml2/xml_utils.py b/src/onelogin/saml2/xml_utils.py
@@ -25,6 +25,7 @@ class OneLogin_Saml2_XML(object):
     _parse_etree = staticmethod(fromstring)
     _schema_class = etree.XMLSchema
     _text_class = compat.text_types
+    _bytes_class = compat.bytes_type
     _unparse_etree = staticmethod(tostring)
 
     dump = staticmethod(etree.dump)
@@ -61,8 +62,10 @@ def to_etree(xml):
         """
         if isinstance(xml, OneLogin_Saml2_XML._element_class):
             return xml
-        if isinstance(xml, OneLogin_Saml2_XML._text_class):
+        if isinstance(xml, OneLogin_Saml2_XML._bytes_class):
             return OneLogin_Saml2_XML._parse_etree(xml, forbid_dtd=True)
+        if isinstance(xml, OneLogin_Saml2_XML._text_class):
+            return OneLogin_Saml2_XML._parse_etree(compat.to_bytes(xml), forbid_dtd=True)
 
         raise ValueError('unsupported type %r' % type(xml))
 
diff --git a/tests/data/logout_requests/logout_request_with_encoding.xml b/tests/data/logout_requests/logout_request_with_encoding.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+                     ID="ONELOGIN_21584ccdfaca36a145ae990442dcd96bfe60151e"
+                     Version="2.0"
+                     IssueInstant="2013-12-10T04:39:31Z"
+                     Destination="http://stuff.com/endpoints/endpoints/sls.php"
+                     >
+    <saml:Issuer>http://idp.example.com/</saml:Issuer>
+    <saml:NameID SPNameQualifier="http://idp.example.com/"
+                 Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+                 >ONELOGIN_1e442c129e1f822c8096086a1103c5ee2c7cae1c</saml:NameID>
+</samlp:LogoutRequest>
diff --git a/tests/data/logout_responses/logout_response_with_encoding.xml b/tests/data/logout_responses/logout_response_with_encoding.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+                      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+                      ID="_f9ee61bd9dbf63606faa9ae3b10548d5b3656fb859"
+                      Version="2.0"
+                      IssueInstant="2013-12-10T04:39:31Z"
+                      Destination="http://stuff.com/endpoints/endpoints/sls.php"
+                      InResponseTo="ONELOGIN_21584ccdfaca36a145ae990442dcd96bfe60151e"
+                      >
+    <saml:Issuer>http://idp.example.com/</saml:Issuer>
+    <samlp:Status>
+        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
+    </samlp:Status>
+</samlp:LogoutResponse>
diff --git a/tests/data/logout_responses/logout_response_with_encoding_deflated.xml.base64 b/tests/data/logout_responses/logout_response_with_encoding_deflated.xml.base64
@@ -0,0 +1 @@
+fVLdS8MwEH8X/B9K3tcmaxvWsFbELwZzAzd98EXS5KqFNgm9VPbnO6pjm1jzFO5+X8nd/GrXNsEndFhbkxMWUhKAUVbX5j0nz9v7yYxcFZcXc5Rt48TSvtvePwE6axCCPdegGFo56TsjrMQahZEtoPBKbK4fl2IaUuE6662yDbm8CP48R6X/hSQidH6fdVRpcZuTtyoD4KzUmS4rHnPKKykzCXHJaJrMdFrGPOVVOUuzUZ2Xw5/sbcfNEHtYGPTS+D2SsnjCphNGtzQRcSZi9jpKvQX0tZF+8Pjw3okoQt9XVahsG4HRztbG48kNGwzdhxsPYw6D2dqcrFd3y/XDYvU2ZeksUUpXUsmYS5akErKMJslUK53xsgJOWcpgVLf4bgwrIIYXd8VP4Fq7EHaydQ0MsefRKeiE58TGS99jcTQ5q99YDcGLbHr4f/44oMWmVwoQSRAdTKJfLofC+cYWXw==
diff --git a/tests/src/OneLogin/saml2_tests/logout_request_test.py b/tests/src/OneLogin/saml2_tests/logout_request_test.py
@@ -414,6 +414,38 @@ def testIsValid(self):
         logout_request5 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request))
         self.assertTrue(logout_request5.is_valid(request_data))
 
+    def testIsValidWithXMLEncoding(self):
+        """
+        Tests the is_valid method of the OneLogin_Saml2_LogoutRequest
+        """
+        request_data = {
+            'http_host': 'example.com',
+            'script_name': 'index.html'
+        }
+        request = self.file_contents(join(self.data_path, 'logout_requests', 'logout_request_with_encoding.xml'))
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+
+        logout_request = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request))
+        self.assertTrue(logout_request.is_valid(request_data))
+
+        settings.set_strict(True)
+        logout_request2 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request))
+        self.assertFalse(logout_request2.is_valid(request_data))
+
+        settings.set_strict(False)
+        dom = parseString(request)
+        logout_request3 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(dom.toxml()))
+        self.assertTrue(logout_request3.is_valid(request_data))
+
+        settings.set_strict(True)
+        logout_request4 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(dom.toxml()))
+        self.assertFalse(logout_request4.is_valid(request_data))
+
+        current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
+        request = request.replace('http://stuff.com/endpoints/endpoints/sls.php', current_url)
+        logout_request5 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request))
+        self.assertTrue(logout_request5.is_valid(request_data))
+
     def testIsValidRaisesExceptionWhenRaisesArgumentIsTrue(self):
         request = OneLogin_Saml2_Utils.b64encode('<xml>invalid</xml>')
         request_data = {
diff --git a/tests/src/OneLogin/saml2_tests/logout_response_test.py b/tests/src/OneLogin/saml2_tests/logout_response_test.py
@@ -276,6 +276,34 @@ def testIsValid(self):
         response_3 = OneLogin_Saml2_Logout_Response(settings, message_3)
         self.assertTrue(response_3.is_valid(request_data))
 
+    def testIsValidWithXMLEncoding(self):
+        """
+        Tests the is_valid method of the OneLogin_Saml2_LogoutResponse
+        """
+        request_data = {
+            'http_host': 'example.com',
+            'script_name': 'index.html',
+            'get_data': {}
+        }
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+        message = self.file_contents(join(self.data_path, 'logout_responses', 'logout_response_with_encoding_deflated.xml.base64'))
+
+        response = OneLogin_Saml2_Logout_Response(settings, message)
+        self.assertTrue(response.is_valid(request_data))
+
+        settings.set_strict(True)
+        response_2 = OneLogin_Saml2_Logout_Response(settings, message)
+        with self.assertRaisesRegex(Exception, 'The LogoutResponse was received at'):
+            response_2.is_valid(request_data, raise_exceptions=True)
+
+        plain_message = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(message))
+        current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
+        plain_message = plain_message.replace('http://stuff.com/endpoints/endpoints/sls.php', current_url)
+        message_3 = OneLogin_Saml2_Utils.deflate_and_base64_encode(plain_message)
+
+        response_3 = OneLogin_Saml2_Logout_Response(settings, message_3)
+        self.assertTrue(response_3.is_valid(request_data))
+
     def testIsValidRaisesExceptionWhenRaisesArgumentIsTrue(self):
         message = OneLogin_Saml2_Utils.deflate_and_base64_encode('<xml>invalid</xml>')
         request_data = {

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+fVLdS8MwEH8X/B9K3tcmaxvWsFbELwZzAzd98EXS5KqFNgm9VPbnO6pjm1jzFO5+X8nd/GrXNsEndFhbkxMWUhKAUVbX5j0nz9v7yYxcFZcXc5Rt48TSvtvePwE6axCCPdegGFo56TsjrMQahZEtoPBKbK4fl2IaUuE6662yDbm8CP48R6X/hSQidH6fdVRpcZuTtyoD4KzUmS4rHnPKKykzCXHJaJrMdFrGPOVVOUuzUZ2Xw5/sbcfNEHtYGPTS+D2SsnjCphNGtzQRcSZi9jpKvQX0tZF+8Pjw3okoQt9XVahsG4HRztbG48kNGwzdhxsPYw6D2dqcrFd3y/XDYvU2ZeksUUpXUsmYS5akErKMJslUK53xsgJOWcpgVLf4bgwrIIYXd8VP4Fq7EHaydQ0MsefRKeiE58TGS99jcTQ5q99YDcGLbHr4f/44oMWmVwoQSRAdTKJfLofC+cYWXw==`