Add an alert about the monkey-patch of pysaml2

brunato · brunato · commit 94f56c95f1b1 · 2021-07-20T16:10:31.000+02:00
- Include fix IdentityPython/pysaml2#812
diff --git a/README.md b/README.md
@@ -58,6 +58,12 @@ source env/bin/activate
 pip install djangosaml2-spid
 ````
 
+⚠️ djangosaml2-spid uses a *monkey-patch* version of the pysaml2 library that fixes 
+some limitations or small bugs that can affect SPID data. Patches are applied only 
+once after the app is ready to run. Take a look at module `djangosaml2_spid._saml2` 
+for patches code and references.
+
+
 Your example saml2 configuration is in `spid_config/spid_settings.py`.
 See djangosaml2 and pysaml2 official docs for clarifications.
 
diff --git a/src/djangosaml2_spid/_saml2.py b/src/djangosaml2_spid/_saml2.py
@@ -3,7 +3,7 @@
 #
 DISABLE_WEAK_XMLSEC_ALGORITHMS = True  # https://github.com/IdentityPython/pysaml2/pull/628
 ADD_XSD_DATE_TYPE = True  # https://github.com/IdentityPython/pysaml2/pull/602
-PATCH_RESPONSE_VERIFY = True  # https://github.com/peppelinux/pysaml2/commit/8bdbbdf41ce63a37d3ba02c8f48a3dba0217d463
+PATCH_RESPONSE_VERIFY = True  # https://github.com/IdentityPython/pysaml2/pull/812
 
 
 def pysaml2_patch():
@@ -167,27 +167,28 @@ def _wrong_type_value(xsd, value):
         AttributeValueBase.set_text = set_text
 
     if PATCH_RESPONSE_VERIFY:
-        logger = logging.getLogger(__name__)
+        logger = logging.getLogger(StatusResponse.__module__)
 
         def _verify(self):
             if self.request_id and self.in_response_to and \
                     self.in_response_to != self.request_id:
                 logger.error("Not the id I expected: %s != %s",
                              self.in_response_to, self.request_id)
                 return None
+
             if self.response.version != "2.0":
-                _ver = float(self.response.version)
-                if _ver < 2.0:
+                if float(self.response.version) < 2.0:
                     raise RequestVersionTooLow()
                 else:
                     raise RequestVersionTooHigh()
 
-            destination = self.response.destination
-            if self.asynchop and destination:
-                # Destination must be present
-                if destination not in self.return_addrs:
+            if self.asynchop:
+                if not getattr(self.response, 'destination'):
+                    logger.error("Invalid response destination in asynchop")
+                    return None
+                elif self.response.destination not in self.return_addrs:
                     logger.error(
-                        f"{destination} not in {self.return_addrs}"
+                        f"{self.response.destination} not in {self.return_addrs}"
                     )
                     return None
 
