diff options
-rw-r--r-- | tests/test_51_client.py | 33 |
1 files changed, 32 insertions, 1 deletions
diff --git a/tests/test_51_client.py b/tests/test_51_client.py index 45b858bd..3dad6d9f 100644 --- a/tests/test_51_client.py +++ b/tests/test_51_client.py @@ -28,7 +28,7 @@ from saml2.extension.requested_attributes import RequestedAttribute from saml2.authn_context import INTERNETPROTOCOLPASSWORD from saml2.client import Saml2Client from saml2.pack import parse_soap_enveloped_saml -from saml2.response import LogoutResponse +from saml2.response import LogoutResponse, StatusInvalidNameidPolicy from saml2.saml import NAMEID_FORMAT_PERSISTENT, EncryptedAssertion, Advice from saml2.saml import NAMEID_FORMAT_TRANSIENT from saml2.saml import NameID @@ -2294,6 +2294,37 @@ class TestClientNonAsciiAva: # A successful test is parsing the response. assert authn_response is not None + def test_response_error_status(self): + """ Test that the SP client can parse an authentication response + from an IdP that contains an error status.""" + + conf = config.SPConfig() + conf.load_file("server_conf") + client = Saml2Client(conf) + + resp = self.server.create_error_response( + in_response_to="id1", + destination="http://lingon.catalogix.se:8087/", + info=(samlp.STATUS_INVALID_NAMEID_POLICY, None), + ) + + # Cast the response to a string and encode it to mock up the payload + # the SP client is expected to receive via HTTP POST binding. + if six.PY2: + resp_str = encode_fn(str(resp)) + else: + resp_str = encode_fn(bytes(str(resp), 'utf-8')) + + # We do not need the client to verify a signature for this test. + client.want_assertions_signed = False + client.want_response_signed = False + + # Parse the authentication error response + with raises(StatusInvalidNameidPolicy): + client.parse_authn_request_response( + resp_str, BINDING_HTTP_POST, + {"id1": "http://foo.example.com/service"}) + def setup_verify_authn_response(self): idp = "urn:mace:example.com:saml:roland:idp" ava = {"givenName": ["Dave"], "sn": ["ConcepciĆ³n"], |