fixup improve coverage with signature errors

OCA · Dec 19, 2024 · aa1f1e1 · aa1f1e1
1 parent ed616d7
commit aa1f1e1
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 2 deletions.
diff --git a/auth_saml/tests/fake_idp.py b/auth_saml/tests/fake_idp.py
@@ -38,7 +38,7 @@
             "endpoints": {
                 "single_sign_on_service": [
                     ("%s/sso/redirect" % BASE, BINDING_HTTP_REDIRECT),
-                    ("%s/sso/post" % BASE, BINDING_HTTP_POST),
+                   ("%s/sso/post" % BASE, BINDING_HTTP_POST),
                 ],
             },
             "policy": {
@@ -165,3 +165,13 @@ def authn_request_endpoint(self, req, binding, relay_state):
         )
 
         return DummyResponse(**_dict)
+
+
+class UnsignedFakeIDP(FakeIDP):
+    def create_authn_response(
+        self,
+        *args,
+        **kwargs,
+    ):
+        kwargs["sign_assertion"] = False
+        return super().create_authn_response(*args, **kwargs)
diff --git a/auth_saml/tests/test_pysaml.py b/auth_saml/tests/test_pysaml.py
@@ -7,11 +7,13 @@
 from unittest.mock import patch
 
 import responses
+from saml2.sigver import SignatureError
 
 from odoo.exceptions import AccessDenied, UserError, ValidationError
 from odoo.tests import HttpCase, tagged
+from odoo.tools import mute_logger
 
-from .fake_idp import CONFIG, FakeIDP
+from .fake_idp import CONFIG, FakeIDP, UnsignedFakeIDP
 
 
 @tagged("saml", "post_install", "-at_install")
@@ -452,3 +454,35 @@ def test_login_with_saml_metadata_key_changed(self):
             body=up_to_date_metadata,
         )
         self.test_login_with_saml()
+
+    @responses.activate
+    def test_login_with_saml_unsigned_response(self):
+        self.add_provider_to_user()
+        self.saml_provider.idp_metadata_url = "http://localhost:8000/metadata"
+        unsigned_idp = UnsignedFakeIDP([self.saml_provider._metadata_string()])
+        redirect_url = self.saml_provider._get_auth_request()
+        self.assertIn("http://localhost:8000/sso/redirect?SAMLRequest=", redirect_url)
+
+        response = unsigned_idp.fake_login(redirect_url)
+        self.assertEqual(200, response.status_code)
+        unpacked_response = response._unpack()
+
+        responses.add(
+            responses.GET,
+            "http://localhost:8000/metadata",
+            status=200,
+            content_type="text/xml",
+            body=self.saml_provider.idp_metadata,
+        )
+        with (
+            self.assertRaises(SignatureError),
+            mute_logger("saml2.entity"),
+            mute_logger("saml2.client_base"),
+        ):
+            (database, login, token) = (
+                self.env["res.users"]
+                .sudo()
+                .auth_saml(
+                    self.saml_provider.id, unpacked_response.get("SAMLResponse"), None
+                )
+            )