Checking the status of response before assertion count

Author: pitbulk

src/onelogin/saml2/response.py

@@ -79,16 +79,16 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                     OneLogin_Saml2_ValidationError.MISSING_ID
                 )
 
+            # Checks that the response has the SUCCESS status
+            self.check_status()
+
             # Checks that the response only has one assertion
             if not self.validate_num_assertions():
                 raise OneLogin_Saml2_ValidationError(
                     'SAML Response must contain 1 assertion',
                     OneLogin_Saml2_ValidationError.WRONG_NUMBER_OF_ASSERTIONS
                 )
 
-            # Checks that the response has the SUCCESS status
-            self.check_status()
-
             idp_data = self.__settings.get_idp_data()
             idp_entity_id = idp_data['entityId']
             sp_data = self.__settings.get_sp_data()

tests/src/OneLogin/saml2_tests/response_test.py

@@ -1402,3 +1402,13 @@ def testIsValidRaisesExceptionWhenRaisesArgumentIsTrue(self):
 
         with self.assertRaises(Exception):
             response.is_valid(self.get_request_data(), raise_exceptions=True)
+
+    def testStatusCheckBeforeAssertionCheck(self):
+        """
+        Tests the status of a response is checked before the assertion count. As failed statuses will have no assertions
+        """
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+        xml = self.file_contents(join(self.data_path, 'responses', 'invalids', 'status_code_responder.xml.base64'))
+        response = OneLogin_Saml2_Response(settings, xml)
+        with self.assertRaisesRegexp(Exception, 'The status code of the Response was not Success, was Responder'):
+            response.is_valid(self.get_request_data(), raise_exceptions=True)