Merge pull request #555 from appbot/multi-cert-validation-error

Define 'soft' variable to prevent exception when doc cert is invalid
SAML-Toolkits · Nov 9, 2020 · 5322d19 · 5322d19
2 parents 24e90a3 + d0e117a
commit 5322d19
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/lib/xml_security.rb b/lib/xml_security.rb
@@ -241,7 +241,7 @@ def validate_document(idp_cert_fingerprint, soft = true, options = {})
       validate_signature(base64_cert, soft)
     end
 
-    def validate_document_with_cert(idp_cert)
+    def validate_document_with_cert(idp_cert, soft = true)
       # get cert from response
       cert_element = REXML::XPath.first(
         self,

diff --git a/test/xml_security_test.rb b/test/xml_security_test.rb
@@ -395,6 +395,19 @@ class XmlSecurityTest < Minitest::Test
     end
 
     describe '#validate_document_with_cert' do
+      describe 'with invalid document ' do
+        describe 'when certificate is invalid' do
+          let(:document_data) { read_response('response_with_signed_message_and_assertion.xml')
+            .sub(/<ds:X509Certificate>.*<\/ds:X509Certificate>/, "<ds:X509Certificate>invalid<\/ds:X509Certificate>") }
+          let(:document) { OneLogin::RubySaml::Response.new(document_data).document }
+          let(:idp_cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
+
+          it 'is invalid' do
+            refute document.validate_document_with_cert(idp_cert), 'Document should be invalid'
+          end
+        end
+      end
+
       describe 'with valid document ' do
         describe 'when response has cert' do
           let(:document_data) { read_response('response_with_signed_message_and_assertion.xml') }