OM-349 Added leeway in timestamp checks

openimis · Oct 22, 2024 · 92f9e4a · 92f9e4a
1 parent febdab4
commit 92f9e4a
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/msystems/xml_utils.py b/msystems/xml_utils.py
@@ -17,6 +17,10 @@
 created_xpath = f"./{{{ns_envelope}}}Header/{{{ns_wss_s}}}Security/{{{ns_wss_util}}}Timestamp/{{{ns_wss_util}}}Created"
 expires_xpath = f"./{{{ns_envelope}}}Header/{{{ns_wss_s}}}Security/{{{ns_wss_util}}}Timestamp/{{{ns_wss_util}}}Expires"
 
+# Amount of time allowed over the limit for timestamp checks
+# Without it the check can fail when the client and server time doesn't align
+allowed_dt_delta = datetime.datetimedelta(seconds=1)
+
 
 def add_signature(root, key, cert):
     key = _make_sign_key(key, cert, None)
@@ -64,9 +68,9 @@ def verify_timestamp(root):
         raise ValueError('Expires timestamp not found')
     dt_expires = datetime.datetime.fromisoformat(replace_utc_timezone_with_offset(expires.text))
 
-    if dt_created > dt_now:
+    if dt_created - allowed_dt_delta > dt_now:
         logger.debug("Created timestamp is in the future: dt_created=%s dt_now=%s", dt_created, dt_now)
         raise ValueError('Created timestamp is in the future')
-    if dt_expires < dt_now:
+    if dt_expires + allowed_dt_delta < dt_now:
         logger.debug("Envelope has expired: dt_expires=%s dt_now=%s", dt_expires, dt_now)
         raise ValueError('Envelope has expired')