spec/lib/response_spec.rb in saml2-2.2.12 vs spec/lib/response_spec.rb in saml2-3.0.0

- old
+ new

@@ -102,12 +102,11 @@
 response = Response.parse(fixture("test7-response.xml"))
 # this file is a copy of test6-response.xml, with a comment inserted into the NameID
 # the signature is still valid (we have to set a weird verification time because the response
 # was signed with an expired signature)
- expect(response.validate_signature(fingerprint: 'afe71c28ef740bc87425be13a2263d37971da1f9',
- verification_time: Time.parse("2007-07-14 12:01:34Z"))).to eq []
+ expect(response.validate_signature(fingerprint: 'afe71c28ef740bc87425be13a2263d37971da1f9')).to eq []
 # the comment is ignored, but doesn't truncate the nameid
 expect(response.assertions.first.subject.name_id.id).to eq 'testuser@example.com'
 end
@@ -173,12 +172,11 @@
 idp_entity.identity_providers.first.keys.clear
 idp_entity.identity_providers.first.fingerprints << "afe71c28ef740bc87425be13a2263d37971da1f9"
 response = Response.parse(fixture("response_tampered_certificate.xml"))
 sp_entity.valid_response?(response, idp_entity,
- verification_time: Time.parse('2015-02-12T22:51:30Z'),
- allow_expired_certificate: true)
+ verification_time: Time.parse('2015-02-12T22:51:30Z'))
 expect(response.errors).to eq ["signature is invalid"]
 end
 it "complains when we don't have any trusted keys" do
 response = Response.parse(fixture("response_signed.xml"))
@@ -191,11 +189,11 @@
 response = Response.parse(fixture("response_signed.xml"))
 idp_entity.identity_providers.first.keys.clear
 idp_entity.identity_providers.first.keys << KeyDescriptor.new(fixture("othercertificate.pem"))
 sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2015-02-12T22:51:30Z'))
 expect(response.errors.length).to eq 1
- expect(response.errors.first).to start_with('error occurred during signature verification')
+ expect(response.errors.first).to eq("no trusted signing key found")
 end
 it "validates signature by fingerprint" do
 response = Response.parse(fixture("response_signed.xml"))
 idp_entity.identity_providers.first.keys.clear
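Review bot: The two comment lines above the changed call are now stale: they still explain a "weird verification time" that the new `validate_signature(fingerprint: ...)` call no longer passes. Suggest rewording them to describe what the test still relies on, e.g. `# the signature is still valid; the signing certificate has since expired, but trust here is by pinned fingerprint, so no verification_time is passed`. The enclosing `it` block starts before this hunk.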
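Review bot: Dropping `allow_expired_certificate: true` from the `valid_response?` call leaves no explanation of why the tampered-certificate fixture is still verified at a fixed `verification_time` when certificate expiry apparently no longer influences the outcome, and the three tests at `@@ -250,46` that covered expired and invalid certificates are deleted in the same diff with nothing replacing them. If the intended trust model is that a signature is accepted only when its key matches a pinned fingerprint or key descriptor, irrespective of the certificate's validity period, that is worth stating once in this spec, e.g. `# certificate validity dates are not checked here; trust comes only from the pinned fingerprint`. The enclosing `it` block starts before this hunk.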
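Review bot: The new assertion `expect(response.errors.first).to eq("no trusted signing key found")` uses parenthesised `eq(...)` while every neighbouring matcher in this file (`eq 1`, `eq [...]`, `eq '...'`) omits the parentheses. Since the `length` assertion on the previous line already pins a single error, the pair collapses to the form used by the fingerprint test in the next hunk: `expect(response.errors).to eq ["no trusted signing key found"]`. The enclosing `it` block starts before this hunk.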
@@ -209,11 +207,11 @@
 response = Response.parse(fixture("response_signed.xml"))
 idp_entity.identity_providers.first.keys.clear
 idp_entity.identity_providers.first.fingerprints << "1c:37:7d:30:c1:83:18:ea:20:8b:dc:d5:35:b6:16:85:17:58:f7:ca"
 sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2015-02-12T22:51:30Z'))
- expect(response.errors).to eq ["no trusted certificate found"]
+ expect(response.errors).to eq ["no trusted signing key found"]
 end
 it "protects against xml signature wrapping attacks targeting nameid" do
 response = Response.parse(fixture("xml_signature_wrapping_attack_response_nameid.xml"))
 idp_entity.identity_providers.first.keys.clear
@@ -250,46 +248,9 @@
 idp_entity.identity_providers.first.fingerprints << "c38e789fcfbbd4727bd8ff7fc365b44fc3596bda"
 sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2015-02-27T19:12:52Z'))
 expect(response.errors.map(&:to_s)).to eq ["2:0: ERROR: Element '{http://www.w3.org/2000/09/xmldsig#}Signature': This element is not expected.", "43:0: ERROR: Element '{http://www.w3.org/2000/09/xmldsig#}Signature': This element is not expected."]
- end
-
- it "errors on expired certificate" do
- response = Response.parse(fixture("test6-response.xml"))
- idp_entity.entity_id = 'http://simplesamlphp.dev/simplesaml/saml2/idp/metadata.php'
- idp_entity.identity_providers.first.keys.clear
- idp_entity.identity_providers.first.fingerprints << "afe71c28ef740bc87425be13a2263d37971da1f9"
-
- sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse("2012-08-03T20:07:15Z"))
- expect(response.errors.length).to eq 1
- expect(response.errors.first).to match(/certificate has expired/)
- end
-
- it "ignores expired certificate when requested" do
- response = Response.parse(fixture("test6-response.xml"))
- sp_entity.entity_id = 'http://shard-2.canvas.dev/saml2'
- idp_entity.entity_id = 'http://simplesamlphp.dev/simplesaml/saml2/idp/metadata.php'
- idp_entity.identity_providers.first.keys.clear
- idp_entity.identity_providers.first.fingerprints << "afe71c28ef740bc87425be13a2263d37971da1f9"
-
- sp_entity.valid_response?(response, idp_entity,
- verification_time: Time.parse("2014-09-16T22:15:53Z"),
- allow_expired_certificate: true)
- expect(response.errors).to eq []
- end
-
- it "ignores invalid certificate when requested" do
- response = Response.parse(fixture("test6-response.xml"))
- sp_entity.entity_id = 'http://shard-2.canvas.dev/saml2'
- idp_entity.entity_id = 'http://simplesamlphp.dev/simplesaml/saml2/idp/metadata.php'
- idp_entity.identity_providers.first.keys.clear
- idp_entity.identity_providers.first.fingerprints << "afe71c28ef740bc87425be13a2263d37971da1f9"
-
- sp_entity.valid_response?(response, idp_entity,
- verification_time: Time.parse("2014-09-16T22:15:53Z"),
- verify_certificate: false)
- expect(response.errors).to eq []
 end
 it "doesn't break the signature by decrypting elements first" do
 response = Response.parse(fixture("response_with_signed_assertion_and_encrypted_subject.xml"))
 sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2015-02-12T22:51:30Z'))