Fix failOnAuthnContextMismatch code

Author: pitbulk

README.md

@@ -410,7 +410,7 @@ In addition to the required settings data (idp, sp), extra settings can be defin
         "requestedAuthnContext": true,
 	// Allows the authn comparison parameter to be set, defaults to 'exact' if the setting is not present.
         "requestedAuthnContextComparison": "exact",
-        // Set to true to check that the AuthnContext received matches the one requested.
+        // Set to true to check that the AuthnContext(s) received match(es) the requested.
         "failOnAuthnContextMismatch": false,
 
         // In some environment you will need to set how long the published metadata of the Service Provider gonna be valid.

src/onelogin/saml2/authn_request.py

@@ -95,9 +95,7 @@ def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_pol
 
         requested_authn_context_str = ''
         if security['requestedAuthnContext'] is not False:
-            authn_comparison = 'exact'
-            if 'requestedAuthnContextComparison' in security.keys():
-                authn_comparison = security['requestedAuthnContextComparison']
+            authn_comparison = security['requestedAuthnContextComparison']
 
             if security['requestedAuthnContext'] is True:
                 requested_authn_context_str = """    <samlp:RequestedAuthnContext Comparison="%s">

src/onelogin/saml2/response.py

@@ -166,10 +166,10 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                 requested_authn_contexts = security['requestedAuthnContext']
                 if security['failOnAuthnContextMismatch'] and requested_authn_contexts and requested_authn_contexts is not True:
                     authn_contexts = self.get_authn_contexts()
-                    unmatched_contexts = set(requested_authn_contexts).difference(authn_contexts)
+                    unmatched_contexts = set(authn_contexts).difference(requested_authn_contexts)
                     if unmatched_contexts:
                         raise OneLogin_Saml2_ValidationError(
-                            'The AuthnContext "%s" didn\'t include requested context "%s"' % (', '.join(authn_contexts), ', '.join(unmatched_contexts)),
+                            'The AuthnContext "%s" was not a requested context "%s"' % (', '.join(unmatched_contexts), ', '.join(requested_authn_contexts)),
                             OneLogin_Saml2_ValidationError.AUTHN_CONTEXT_MISMATCH
                         )
 

src/onelogin/saml2/settings.py

@@ -310,6 +310,7 @@ def __add_default_values(self):
         self.__sp.setdefault('privateKey', '')
 
         self.__security.setdefault('requestedAuthnContext', True)
+        self.__security.setdefault('requestedAuthnContextComparison', 'exact')
         self.__security.setdefault('failOnAuthnContextMismatch', False)
 
     def check_settings(self, settings):

tests/src/OneLogin/saml2_tests/response_test.py

@@ -1056,7 +1056,7 @@ def testIsInValidAuthenticationContext(self):
         # check that we catch when the contexts don't match
         response = OneLogin_Saml2_Response(settings, message)
         self.assertFalse(response.is_valid(request_data))
-        self.assertIn('The AuthnContext "%s" didn\'t include requested context "%s"' % (password_context, two_factor_context), response.get_error())
+        self.assertIn('The AuthnContext "%s" was not a requested context "%s"' % (password_context, two_factor_context), response.get_error())
 
         # now drop in the expected AuthnContextClassRef and see that it passes
         original_message = compat.to_string(OneLogin_Saml2_Utils.b64decode(message))