Fix #258. Fix failOnAuthnContextMismatch code

pitbulk · pitbulk · commit 102e3683c295 · 2019-11-19T19:37:25.000+01:00
diff --git a/README.md b/README.md
@@ -440,7 +440,7 @@ In addition to the required settings data (idp, sp), extra settings can be defin
         // Allows the authn comparison parameter to be set, defaults to 'exact' if the setting is not present.
         "requestedAuthnContextComparison": "exact",
 
-        // Set to true to check that the AuthnContext received matches the one requested.
+        // Set to true to check that the AuthnContext(s) received match(es) the requested.
         "failOnAuthnContextMismatch": false,
 
         // In some environment you will need to set how long the published metadata of the Service Provider gonna be valid.
diff --git a/src/onelogin/saml2/authn_request.py b/src/onelogin/saml2/authn_request.py
@@ -93,9 +93,7 @@ def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_pol
 
         requested_authn_context_str = ''
         if 'requestedAuthnContext' in security.keys() and security['requestedAuthnContext'] is not False:
-            authn_comparison = 'exact'
-            if 'requestedAuthnContextComparison' in security.keys():
-                authn_comparison = security['requestedAuthnContextComparison']
+            authn_comparison = security['requestedAuthnContextComparison']
 
             if security['requestedAuthnContext'] is True:
                 requested_authn_context_str = "\n" + """    <samlp:RequestedAuthnContext Comparison="%s">
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
@@ -184,10 +184,10 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
 
                 if security.get('failOnAuthnContextMismatch', False) and requested_authn_contexts and requested_authn_contexts is not True:
                     authn_contexts = self.get_authn_contexts()
-                    unmatched_contexts = set(requested_authn_contexts).difference(authn_contexts)
+                    unmatched_contexts = set(authn_contexts).difference(requested_authn_contexts)
                     if unmatched_contexts:
                         raise OneLogin_Saml2_ValidationError(
-                            'The AuthnContext "%s" didn\'t include requested context "%s"' % (', '.join(authn_contexts), ', '.join(unmatched_contexts)),
+                            'The AuthnContext "%s" was not a requested context "%s"' % (', '.join(unmatched_contexts), ', '.join(requested_authn_contexts)),
                             OneLogin_Saml2_ValidationError.AUTHN_CONTEXT_MISMATCH
                         )
 
diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py
@@ -304,6 +304,7 @@ def __add_default_values(self):
         self.__sp.setdefault('privateKey', '')
 
         self.__security.setdefault('requestedAuthnContext', True)
+        self.__security.setdefault('requestedAuthnContextComparison', 'exact')
         self.__security.setdefault('failOnAuthnContextMismatch', False)
 
     def check_settings(self, settings):
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -1084,7 +1084,7 @@ def testIsInValidAuthenticationContext(self):
         # check that we catch when the contexts don't match
         response = OneLogin_Saml2_Response(settings, message)
         self.assertFalse(response.is_valid(request_data))
-        self.assertIn('The AuthnContext "%s" didn\'t include requested context "%s"' % (password_context, two_factor_context), response.get_error())
+        self.assertIn('The AuthnContext "%s" was not a requested context "%s"' % (password_context, two_factor_context), response.get_error())
 
         # now drop in the expected AuthnContextClassRef and see that it passes
         original_message = b64decode(message)
