Improved inResponse validation on SAMLResponses and LogoutResponses

pitbulk · pitbulk · commit 25a44ea34f3b · 2016-12-02T02:10:42.000+01:00
diff --git a/lib/onelogin/ruby-saml/logoutresponse.rb b/lib/onelogin/ruby-saml/logoutresponse.rb
@@ -180,12 +180,11 @@ def valid_state?
       #
       def valid_in_response_to?
         return true unless options.has_key? :matches_request_id
+        return true if options[:matches_request_id].nil?
+        return true unless options[:matches_request_id] != in_response_to
 
-        unless options[:matches_request_id] == in_response_to
-          return append_error("Response does not match the request ID, expected: <#{options[:matches_request_id]}>, but was: <#{in_response_to}>")
-        end
-
-        true
+        error_msg = "The InResponseTo of the Logout Response: #{in_response_to}, does not match the ID of the Logout Request sent by the SP: #{options[:matches_request_id]}"
+        append_error(error_msg)
       end
 
       # Validates the Issuer of the Logout Response
diff --git a/lib/onelogin/ruby-saml/response.rb b/lib/onelogin/ruby-saml/response.rb
@@ -563,7 +563,7 @@ def validate_signed_elements
       #
       def validate_in_response_to
         return true unless options.has_key? :matches_request_id
-        return true if options[:matches_request_id].nil? || options[:matches_request_id].empty?
+        return true if options[:matches_request_id].nil?
         return true unless options[:matches_request_id] != in_response_to
 
         error_msg = "The InResponseTo of the Response: #{in_response_to}, does not match the ID of the AuthNRequest sent by the SP: #{options[:matches_request_id]}"
diff --git a/test/logoutresponse_test.rb b/test/logoutresponse_test.rb
@@ -103,7 +103,7 @@ class RubySamlTest < Minitest::Test
 
           assert !logoutresponse.validate
           refute_equal expected_request_id, logoutresponse.in_response_to
-          assert_includes logoutresponse.errors, "Response does not match the request ID, expected: <#{expected_request_id}>, but was: <#{logoutresponse.in_response_to}>"
+          assert_includes logoutresponse.errors, "The InResponseTo of the Logout Response: #{logoutresponse.in_response_to}, does not match the ID of the Logout Request sent by the SP: #{expected_request_id}"
         end
 
         it "invalidate logout response with wrong request status" do
@@ -177,7 +177,7 @@ class RubySamlTest < Minitest::Test
 
           logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document, settings, opts)
           assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }          
-          assert_includes logoutresponse.errors, "Response does not match the request ID, expected: <#{expected_request_id}>, but was: <#{logoutresponse.in_response_to}>"
+          assert_includes logoutresponse.errors, "The InResponseTo of the Logout Response: #{logoutresponse.in_response_to}, does not match the ID of the Logout Request sent by the SP: #{expected_request_id}"
         end
 
         it "raise validation error for wrong request status" do

Original file line number	Diff line number	Diff line change
`@@ -563,7 +563,7 @@ def validate_signed_elements`
`563`	`563`	`#`
`564`	`564`	`def validate_in_response_to`
`565`	`565`	`return true unless options.has_key? :matches_request_id`
`566`		`- return true if options[:matches_request_id].nil? \|\| options[:matches_request_id].empty?`
	`566`	`+ return true if options[:matches_request_id].nil?`
`567`	`567`	`return true unless options[:matches_request_id] != in_response_to`
`568`	`568`
`569`	`569`	`error_msg = "The InResponseTo of the Response: #{in_response_to}, does not match the ID of the AuthNRequest sent by the SP: #{options[:matches_request_id]}"`