Support collect_errors, add tests

Author: pitbulk

lib/onelogin/ruby-saml/error_handling.rb

@@ -0,0 +1,27 @@
+require "onelogin/ruby-saml/validation_error"
+
+module OneLogin
+  module RubySaml
+    module ErrorHandling
+      attr_accessor :errors
+
+      # Append the cause to the errors array, and based on the value of soft, return false or raise
+      # an exception. soft_override is provided as a means of overriding the object's notion of
+      # soft for just this invocation.
+      def append_error(error_msg, soft_override = nil)
+        @errors << error_msg
+
+        unless soft_override.nil? ? soft : soft_override
+          raise ValidationError.new(error_msg)
+        end
+
+        false
+      end
+
+      # Reset the errors array
+      def reset_errors!
+        @errors = []
+      end
+    end
+  end
+end

lib/onelogin/ruby-saml/logoutresponse.rb

@@ -10,13 +10,11 @@ module RubySaml
     # SAML2 Logout Response (SLO IdP initiated, Parser)
     #
     class Logoutresponse < SamlMessage
+      include ErrorHandling
 
       # OneLogin::RubySaml::Settings Toolkit settings
       attr_accessor :settings
 
-      # Array with the causes
-      attr_accessor :errors
-
       attr_reader :document
       attr_reader :response
       attr_reader :options
@@ -47,18 +45,6 @@ def initialize(response, settings = nil, options = {})
         @document = XMLSecurity::SignedDocument.new(@response)
       end
 
-      # Append the cause to the errors array, and based on the value of soft, return false or raise
-      # an exception
-      def append_error(error_msg)
-        @errors << error_msg
-        return soft ? false : validation_error(error_msg)
-      end
-
-      # Reset the errors array
-      def reset_errors!
-        @errors = []
-      end
-
       # Checks if the Status has the "Success" code
       # @return [Boolean] True if the StatusCode is Sucess
       # @raise [ValidationError] if soft == false and validation fails
@@ -117,18 +103,30 @@ def status_message
       end
 
       # Aux function to validate the Logout Response
+      # @param collect_errors [Boolean] Stop validation when first error appears or keep validating. (if soft=true)
       # @return [Boolean] TRUE if the SAML Response is valid
       # @raise [ValidationError] if soft == false and validation fails
       #
-      def validate
+      def validate(collect_errors = false)
         reset_errors!
 
-        valid_state? &&
-        validate_success_status &&
-        validate_structure &&
-        valid_in_response_to? &&
-        valid_issuer? &&
-        validate_signature
+        if collect_errors
+          valid_state?
+          validate_success_status
+          validate_structure
+          valid_in_response_to?
+          valid_issuer?
+          validate_signature
+
+          @errors.empty?
+        else
+          valid_state? &&
+          validate_success_status &&
+          validate_structure &&
+          valid_in_response_to? &&
+          valid_issuer? &&
+          validate_signature
+        end
       end
 
       private

lib/onelogin/ruby-saml/response.rb

@@ -11,6 +11,8 @@ module RubySaml
     # SAML2 Authentication Response. SAML Response
     #
     class Response < SamlMessage
+      include ErrorHandling
+
       ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
       PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
       DSIG      = "http://www.w3.org/2000/09/xmldsig#"
@@ -21,9 +23,6 @@ class Response < SamlMessage
       # OneLogin::RubySaml::Settings Toolkit settings
       attr_accessor :settings
 
-      # Array with the causes [Array of strings]
-      attr_accessor :errors
-
       attr_reader :document
       attr_reader :decrypted_document
       attr_reader :response
@@ -39,11 +38,10 @@ class Response < SamlMessage
       #                          or :matches_request_id that will validate that the response matches the ID of the request,
       #                          or skip the subject confirmation validation with the :skip_subject_confirmation option
       def initialize(response, options = {})
-        @errors = []
-
         raise ArgumentError.new("Response cannot be nil") if response.nil?
-        @options = options
 
+        @errors = []
+        @options = options
         @soft = true
         unless options[:settings].nil?
           @settings = options[:settings]
@@ -60,23 +58,12 @@ def initialize(response, options = {})
         end
       end
 
-      # Append the cause to the errors array, and based on the value of soft, return false or raise
-      # an exception
-      def append_error(error_msg)
-        @errors << error_msg
-        return soft ? false : validation_error(error_msg)
-      end
-
-      # Reset the errors array
-      def reset_errors!
-        @errors = []
-      end
-
       # Validates the SAML Response with the default values (soft = true)
+      # @param collect_errors [Boolean] Stop validation when first error appears or keep validating. (if soft=true)
       # @return [Boolean] TRUE if the SAML Response is valid
       #
-      def is_valid?
-        validate
+      def is_valid?(collect_errors = false)
+        validate(collect_errors)
       end
 
       # @return [String] the NameID provided by the SAML response from the IdP.
@@ -297,28 +284,48 @@ def allowed_clock_drift
       private
 
       # Validates the SAML Response (calls several validation methods)
+      # @param collect_errors [Boolean] Stop validation when first error appears or keep validating. (if soft=true)
       # @return [Boolean] True if the SAML Response is valid, otherwise False if soft=True
       # @raise [ValidationError] if soft == false and validation fails
       #
-      def validate
+      def validate(collect_errors = false)
         reset_errors!
 
-        validate_response_state &&
-        validate_version &&
-        validate_id &&
-        validate_success_status &&
-        validate_num_assertion &&
-        validate_no_encrypted_attributes &&
-        validate_signed_elements &&
-        validate_structure &&
-        validate_in_response_to &&
-        validate_conditions &&
-        validate_audience &&
-        validate_destination &&
-        validate_issuer &&
-        validate_session_expiration &&
-        validate_subject_confirmation &&
-        validate_signature
+        if collect_errors
+          return false unless validate_response_state
+          validate_version
+          validate_id
+          validate_success_status
+          validate_num_assertion
+          validate_no_encrypted_attributes
+          validate_signed_elements
+          validate_structure
+          validate_in_response_to
+          validate_conditions
+          validate_audience
+          validate_issuer
+          validate_session_expiration
+          validate_subject_confirmation
+          validate_signature
+          @errors.empty?
+        else
+          validate_response_state &&
+          validate_version &&
+          validate_id &&
+          validate_success_status &&
+          validate_num_assertion &&
+          validate_no_encrypted_attributes &&
+          validate_signed_elements &&
+          validate_structure &&
+          validate_in_response_to &&
+          validate_conditions &&
+          validate_audience &&
+          validate_destination &&
+          validate_issuer &&
+          validate_session_expiration &&
+          validate_subject_confirmation &&
+          validate_signature
+        end
       end
 
 
@@ -708,7 +715,7 @@ def xpath_from_signed_assertion(subelt=nil)
       #
       def generate_decrypted_document
         if settings.nil? || !settings.get_sp_key
-          validation_error('An EncryptedAssertion found and no SP private key found on the settings to decrypt it. Be sure you provided the :settings parameter at the initialize method')
+          raise ValidationError.new('An EncryptedAssertion found and no SP private key found on the settings to decrypt it. Be sure you provided the :settings parameter at the initialize method')
         end
 
         # Marshal at Ruby 1.8.7 throw an Exception
@@ -774,7 +781,7 @@ def decrypt_nameid(encryptedid_node)
       #
       def decrypt_element(encrypt_node, rgrex)
         if settings.nil? || !settings.get_sp_key
-          return validation_error('An ' + encrypt_node.name + ' found and no SP private key found on the settings to decrypt it')
+          raise ValidationError.new('An ' + encrypt_node.name + ' found and no SP private key found on the settings to decrypt it')
         end
 
         elem_plaintext = OneLogin::RubySaml::Utils.decrypt_data(encrypt_node, settings.get_sp_key)

lib/onelogin/ruby-saml/saml_message.rb

@@ -5,6 +5,7 @@
 require 'rexml/document'
 require 'rexml/xpath'
 require 'thread'
+require "onelogin/ruby-saml/error_handling"
 
 # Only supports SAML 2.0
 module OneLogin
@@ -69,23 +70,15 @@ def valid_saml?(document, soft = true)
           end
         rescue Exception => error
           return false if soft
-          validation_error("XML load failed: #{error.message}")
+          raise ValidationError.new("XML load failed: #{error.message}")
         end
 
         SamlMessage.schema.validate(xml).map do |error|
           return false if soft
-          validation_error("#{error.message}\n\n#{xml.to_s}")
+          raise ValidationError.new("#{error.message}\n\n#{xml.to_s}")
         end
       end
 
-      # Raise a ValidationError with the provided message
-      # @param message [String] Message of the exception
-      # @raise [ValidationError]
-      #
-      def validation_error(message)
-        raise ValidationError.new(message)
-      end
-
       private
 
       # Base64 decode and try also to inflate a SAML Message

lib/onelogin/ruby-saml/slo_logoutrequest.rb

@@ -11,13 +11,11 @@ module RubySaml
     # SAML2 Logout Request (SLO IdP initiated, Parser)
     #
     class SloLogoutrequest < SamlMessage
+      include ErrorHandling
 
       # OneLogin::RubySaml::Settings Toolkit settings
       attr_accessor :settings
 
-      # Array with the causes [Array of strings]
-      attr_accessor :errors
-
       attr_reader :document
       attr_reader :request
       attr_reader :options
@@ -32,10 +30,10 @@ class SloLogoutrequest < SamlMessage
       # @raise [ArgumentError] If Request is nil
       #
       def initialize(request, options = {})
-        @errors = []
         raise ArgumentError.new("Request cannot be nil") if request.nil?
-        @options  = options
 
+        @errors = []
+        @options = options
         @soft = true
         unless options[:settings].nil?
           @settings = options[:settings]
@@ -48,23 +46,12 @@ def initialize(request, options = {})
         @document = REXML::Document.new(@request)
       end
 
-      # Append the cause to the errors array, and based on the value of soft, return false or raise
-      # an exception
-      def append_error(error_msg)
-        @errors << error_msg
-        return soft ? false : validation_error(error_msg)
-      end
-
-      # Reset the errors array
-      def reset_errors!
-        @errors = []
-      end
-
       # Validates the Logout Request with the default values (soft = true)
+      # @param collect_errors [Boolean] Stop validation when first error appears or keep validating.
       # @return [Boolean] TRUE if the Logout Request is valid
       #
-      def is_valid?
-        validate
+      def is_valid?(collect_errors = false)
+        validate(collect_errors)
       end
 
       # @return [String] Gets the NameID of the Logout Request.
@@ -132,19 +119,32 @@ def session_indexes
       private
 
       # Hard aux function to validate the Logout Request
+      # @param collect_errors [Boolean] Stop validation when first error appears or keep validating. (if soft=true)
       # @return [Boolean] TRUE if the Logout Request is valid
       # @raise [ValidationError] if soft == false and validation fails
       #
-      def validate
+      def validate(collect_errors = false)
         reset_errors!
 
-        validate_request_state &&
-        validate_id &&
-        validate_version &&        
-        validate_structure &&
-        validate_not_on_or_after &&
-        validate_issuer &&
-        validate_signature
+        if collect_errors
+          validate_request_state
+          validate_id
+          validate_version
+          validate_structure
+          validate_not_on_or_after
+          validate_issuer
+          validate_signature
+
+          @errors.empty?
+        else
+          validate_request_state &&
+          validate_id &&
+          validate_version &&
+          validate_structure &&
+          validate_not_on_or_after &&
+          validate_issuer &&
+          validate_signature
+        end
       end
 
       # Validates that the Logout Request contains an ID
@@ -230,7 +230,7 @@ def validate_signature
         return true if options.nil?
         return true unless options.has_key? :get_params
         return true unless options[:get_params].has_key? 'Signature'
-        return true if settings.nil? || settings.get_idp_cert.nil?
+        return true if settings.get_idp_cert.nil?
 
         query_string = OneLogin::RubySaml::Utils.build_query(
           :type        => 'SAMLRequest',