From 2b5091c91c5d8b3841bea66953d22ae974109b8a Mon Sep 17 00:00:00 2001
From: adam
Date: Fri, 21 Apr 2017 18:11:07 +1000
Subject: [PATCH] #190 Checking the status of response before assertion count

Failed Responses don't have assertions and the error hides that the status is not success
---
 src/onelogin/saml2/response.py | 6 +++---
 tests/src/OneLogin/saml2_tests/response_test.py | 11 +++++++++++
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index 93f650a3..ba524c2b 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -84,6 +84,9 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
 OneLogin_Saml2_ValidationError.MISSING_ID
 )
 
+ # Checks that the response has the SUCCESS status
+ self.check_status()
+
 # Checks that the response only has one assertion
 if not self.validate_num_assertions():
 raise OneLogin_Saml2_ValidationError(
@@ -91,9 +94,6 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
 OneLogin_Saml2_ValidationError.WRONG_NUMBER_OF_ASSERTIONS
 )
 
- # Checks that the response has the SUCCESS status
- self.check_status()
-
 idp_data = self.__settings.get_idp_data()
 idp_entity_id = idp_data.get('entityId', '')
 sp_data = self.__settings.get_sp_data()
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index 8c499e9e..cea605d1 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
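Review bot: The relocated comment `# Checks that the response has the SUCCESS status` in the first hunk does not say why the call now precedes the assertion-count check, which is the whole point of this commit and the thing a later tidy-up is most likely to undo. I would extend it to `# Checks that the response has the SUCCESS status. Done before the assertion count on purpose: a non-Success Response carries no Assertion, so counting first would report WRONG_NUMBER_OF_ASSERTIONS and hide the real failure.`; the same reasoning covers the deletion in the second hunk at line 91. Both checks appear to run before any signature validation further down in is_valid, so the reordering should only change which validation error is reported rather than which responses are accepted, but that is inferred from code outside the hunk. is_valid starts and ends outside the hunk, so it is also worth confirming that check_status() still raises inside the same try block that honours raise_exceptions.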
@@ -1391,6 +1391,17 @@ def testIsValidWithoutInResponseTo(self):
 }))
 
 
+ def testStatusCheckBeforeAssertionCheck(self):
+ """
+ Tests the status of a response is checked before the assertion count. As failed statuses will have no assertions
+ """
+ settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+ xml_2 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'status_code_responder.xml.base64'))
+ response_2 = OneLogin_Saml2_Response(settings, xml_2)
+ with self.assertRaisesRegexp(OneLogin_Saml2_ValidationError, 'The status code of the Response was not Success, was Responder'):
+ response_2.is_valid(self.get_request_data(), raise_exceptions=True)
+
+
 if __name__ == '__main__':
 if is_running_under_teamcity():
 runner = TeamcityTestRunner()
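Review bot: The new test only demonstrates the ordering fix if `status_code_responder.xml.base64` really carries no Assertion, and nothing in the test pins that precondition; if the fixture ever gains an assertion the test keeps passing while no longer covering the regression named in the subject. Assuming validate_num_assertions() returns False for zero assertions, adding `self.assertFalse(response_2.validate_num_assertions())` before the `with` block makes the precondition explicit and the test self-documenting. Minor: `assertRaisesRegexp` is the deprecated spelling on Python 3 (`assertRaisesRegex`), so keep it only if the suite still targets Python 2.7. The docstring's second sentence is a fragment; `Tests that the status of a response is checked before the assertion count, since failed responses carry no assertions.` reads better.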