diff options
author | Ivan Kanakarakis <ivan.kanak@gmail.com> | 2019-08-24 19:53:29 +0300 |
---|---|---|
committer | Ivan Kanakarakis <ivan.kanak@gmail.com> | 2019-08-24 19:53:59 +0300 |
commit | 2c3c426c7f431fe0f31cc2f67145acec31348530 (patch) | |
tree | 11d97d8c0c4cb604bc603c39914376f7e2b00650 | |
parent | 2f2b02d4711674a4dc63980b52ba652aba716a09 (diff) | |
download | pysaml2-2c3c426c7f431fe0f31cc2f67145acec31348530.tar.gz |
Validate the audience of assertions regardless of a response being unsolicited
Fixes #609
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
-rw-r--r-- | src/saml2/response.py | 7 | ||||
-rw-r--r-- | tests/test_44_authnresp.py | 4 |
2 files changed, 5 insertions, 6 deletions
diff --git a/src/saml2/response.py b/src/saml2/response.py index 4c884c30..f61a376f 100644 --- a/src/saml2/response.py +++ b/src/saml2/response.py @@ -611,10 +611,9 @@ class AuthnResponse(StatusResponse): else: self.not_on_or_after = 0 - if not self.allow_unsolicited: - if not for_me(conditions, self.entity_id): - if not lax: - raise Exception("Not for me!!!") + if not for_me(conditions, self.entity_id): + if not lax: + raise Exception("Not for me!!!") if conditions.condition: # extra conditions for cond in conditions.condition: diff --git a/tests/test_44_authnresp.py b/tests/test_44_authnresp.py index 02cc9ace..3ee37753 100644 --- a/tests/test_44_authnresp.py +++ b/tests/test_44_authnresp.py @@ -162,7 +162,7 @@ class TestAuthnResponse: </saml:Subject> <saml:Conditions NotBefore="2016-09-23T14:00:44Z"> <saml:AudienceRestriction> - <saml:Audience>https://sp.example.com</saml:Audience> + <saml:Audience>urn:mace:example.com:saml:roland:sp</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2016-09-23T13:55:40Z" @@ -222,7 +222,7 @@ class TestAuthnResponse: </saml:Subject> <saml:Conditions NotBefore="2016-09-23T14:00:44Z"> <saml:AudienceRestriction> - <saml:Audience>https://sp.example.com</saml:Audience> + <saml:Audience>urn:mace:example.com:saml:roland:sp</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2016-09-23T13:55:40Z" |