From aa1f1e1bac4d197e6171a507db4625f50dea9c43 Mon Sep 17 00:00:00 2001
From: "Cyril Dutrieux (cydu)"
Date: Thu, 19 Dec 2024 11:19:49 +0100
Subject: [PATCH] fixup improve coverage with signature errors
---
 auth_saml/tests/fake_idp.py | 12 +++++++++++-
 auth_saml/tests/test_pysaml.py | 36 +++++++++++++++++++++++++++++++++-
 2 files changed, 46 insertions(+), 2 deletions(-)
diff --git a/auth_saml/tests/fake_idp.py b/auth_saml/tests/fake_idp.py
index 3eb7d6c67..a73b57d40 100644
--- a/auth_saml/tests/fake_idp.py
+++ b/auth_saml/tests/fake_idp.py
@@ -38,7 +38,7 @@
 "endpoints": {
 "single_sign_on_service": [
 ("%s/sso/redirect" % BASE, BINDING_HTTP_REDIRECT),
- ("%s/sso/post" % BASE, BINDING_HTTP_POST),
+ ("%s/sso/post" % BASE, BINDING_HTTP_POST),
 ],
 },
 "policy": {
@@ -165,3 +165,13 @@ def authn_request_endpoint(self, req, binding, relay_state):
 )
 return DummyResponse(**_dict)
+
+
+class UnsignedFakeIDP(FakeIDP):
+ def create_authn_response(
+ self,
+ *args,
+ **kwargs,
+ ):
+ kwargs["sign_assertion"] = False
+ return super().create_authn_response(*args, **kwargs)
diff --git a/auth_saml/tests/test_pysaml.py b/auth_saml/tests/test_pysaml.py
index 80d8368a4..5246b50a3 100644
--- a/auth_saml/tests/test_pysaml.py
+++ b/auth_saml/tests/test_pysaml.py
@@ -7,11 +7,13 @@
 from unittest.mock import patch
 import responses
+from saml2.sigver import SignatureError
 from odoo.exceptions import AccessDenied, UserError, ValidationError
 from odoo.tests import HttpCase, tagged
+from odoo.tools import mute_logger
-from .fake_idp import CONFIG, FakeIDP
+from .fake_idp import CONFIG, FakeIDP, UnsignedFakeIDP
 @tagged("saml", "post_install", "-at_install")
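Review bot: `UnsignedFakeIDP.create_authn_response` only forces `sign_assertion=False`, so whether the Response element itself still carries a signature depends on what `FakeIDP.create_authn_response` (outside this hunk) passes for `sign_response`, assuming it delegates to pysaml2's `Server.create_authn_response`; the class name and the new test name `test_login_with_saml_unsigned_response` both promise a fully unsigned response, so either set `kwargs["sign_response"] = False` as well or name the class for what it actually drops. The class has no docstring; one such as `"""FakeIDP variant whose authn responses carry no assertion signature, used to exercise the SP's signature-verification failure path."""` would state its purpose. Because `sign_assertion` is overridden as a keyword, a caller passing it positionally through `*args` would get a TypeError for a duplicate argument — presumably no caller does, but FakeIDP's signature is not visible here.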
@@ -452,3 +454,35 @@ def test_login_with_saml_metadata_key_changed(self):
 body=up_to_date_metadata,
 )
 self.test_login_with_saml()
+
+ @responses.activate
+ def test_login_with_saml_unsigned_response(self):
+ self.add_provider_to_user()
+ self.saml_provider.idp_metadata_url = "http://localhost:8000/metadata"
+ unsigned_idp = UnsignedFakeIDP([self.saml_provider._metadata_string()])
+ redirect_url = self.saml_provider._get_auth_request()
+ self.assertIn("http://localhost:8000/sso/redirect?SAMLRequest=", redirect_url)
+
+ response = unsigned_idp.fake_login(redirect_url)
+ self.assertEqual(200, response.status_code)
+ unpacked_response = response._unpack()
+
+ responses.add(
+ responses.GET,
+ "http://localhost:8000/metadata",
+ status=200,
+ content_type="text/xml",
+ body=self.saml_provider.idp_metadata,
+ )
+ with (
+ self.assertRaises(SignatureError),
+ mute_logger("saml2.entity"),
+ mute_logger("saml2.client_base"),
+ ):
+ (database, login, token) = (
+ self.env["res.users"]
+ .sudo()
+ .auth_saml(
+ self.saml_provider.id, unpacked_response.get("SAMLResponse"), None
+ )
+ )
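Review bot: The tuple target `(database, login, token) = (...)` at the end of `test_login_with_saml_unsigned_response` is never used, because the enclosing `assertRaises(SignatureError)` block only passes when `auth_saml` raises before anything is assigned; calling `self.env["res.users"].sudo().auth_saml(self.saml_provider.id, unpacked_response.get("SAMLResponse"), None)` as a bare statement states the check more plainly. The parenthesised multi-manager `with (...)` form needs Python 3.10+, which is fine only if the target Odoo series already requires it. A short docstring, e.g. `"""A SAML response whose assertion is not signed must be rejected with SignatureError rather than logged in."""`, would record the security property this test pins. It may also be worth asserting afterwards that no session or token was produced, though whether `auth_saml` has side effects before signature verification cannot be told from this hunk.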