Same behaviour on java-saml InResponse LogoutResponse validation than SAMLResponse

pitbulk · pitbulk · commit 09d1e6ab2eda · 2016-12-02T01:55:44.000+01:00
diff --git a/core/src/main/java/com/onelogin/saml2/logout/LogoutResponse.java b/core/src/main/java/com/onelogin/saml2/logout/LogoutResponse.java
@@ -6,6 +6,7 @@
 import java.util.Calendar;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Objects;
 
 import javax.xml.xpath.XPathExpressionException;
 
@@ -174,13 +175,16 @@ public Boolean isValid(String requestId) {
 					}
 				}
 
-				// Check if the InResponseTo of the Logout Response matches the ID of the Logout Request (requestId) if provided
-				if (requestId != null && rootElement.hasAttribute("InResponseTo")) {
-					String responseInResponseTo = rootElement.getAttribute("InResponseTo");
-					if (!responseInResponseTo.equals(requestId)) {
+				String responseInResponseTo = rootElement.hasAttribute("InResponseTo") ? rootElement.getAttribute("InResponseTo") : null;
+				if (requestId == null && responseInResponseTo != null && settings.isRejectUnsolicitedResponsesWithInResponseTo()) {
+					throw new Exception("The Response has an InResponseTo attribute: " + responseInResponseTo +
+							" while no InResponseTo was expected");
+				}
+
+				// Check if the InResponseTo of the Response matches the ID of the AuthNRequest (requestId) if provided
+				if (requestId != null && !Objects.equals(responseInResponseTo, requestId)) {
 						throw new Exception("The InResponseTo of the Logout Response: " + responseInResponseTo
-								+ ", does not match the ID of the Logout request sent by the SP:: " + requestId);
-					}
+								+ ", does not match the ID of the Logout request sent by the SP: " + requestId);
 				}
 
 				// Check issuer
diff --git a/toolkit/src/test/java/com/onelogin/saml2/test/AuthTest.java b/toolkit/src/test/java/com/onelogin/saml2/test/AuthTest.java
@@ -661,7 +661,7 @@ public void testProcessSLOResponseWrongRequestId() throws Exception {
 		auth.processSLO(false, "wrong_request_id");
 		verify(session, times(0)).invalidate();
 		assertTrue(auth.getErrors().contains("invalid_logout_response"));
-		assertEquals("The InResponseTo of the Logout Response: ONELOGIN_21584ccdfaca36a145ae990442dcd96bfe60151e, does not match the ID of the Logout request sent by the SP:: wrong_request_id", auth.getLastErrorReason());
+		assertEquals("The InResponseTo of the Logout Response: ONELOGIN_21584ccdfaca36a145ae990442dcd96bfe60151e, does not match the ID of the Logout request sent by the SP: wrong_request_id", auth.getLastErrorReason());
 	}
 
 	/**

Original file line number	Diff line number	Diff line change
`@@ -661,7 +661,7 @@ public void testProcessSLOResponseWrongRequestId() throws Exception {`
`661`	`661`	`auth.processSLO(false, "wrong_request_id");`
`662`	`662`	`verify(session, times(0)).invalidate();`
`663`	`663`	`assertTrue(auth.getErrors().contains("invalid_logout_response"));`
`664`		`- assertEquals("The InResponseTo of the Logout Response: ONELOGIN_21584ccdfaca36a145ae990442dcd96bfe60151e, does not match the ID of the Logout request sent by the SP:: wrong_request_id", auth.getLastErrorReason());`
	`664`	`+ assertEquals("The InResponseTo of the Logout Response: ONELOGIN_21584ccdfaca36a145ae990442dcd96bfe60151e, does not match the ID of the Logout request sent by the SP: wrong_request_id", auth.getLastErrorReason());`
`665`	`665`	`}`
`666`	`666`
`667`	`667`	`/**`