From 92f9e4a61e2ae9da436c5423f25d3779d977d501 Mon Sep 17 00:00:00 2001
From: Kamil Malinowski
Date: Tue, 22 Oct 2024 18:44:19 +0200
Subject: [PATCH] OM-349 Added leeway in timestamp checks

---
 msystems/xml_utils.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/msystems/xml_utils.py b/msystems/xml_utils.py
index b4e5e45..ad85a6c 100644
--- a/msystems/xml_utils.py
+++ b/msystems/xml_utils.py
@@ -17,6 +17,10 @@
 created_xpath = f"./{{{ns_envelope}}}Header/{{{ns_wss_s}}}Security/{{{ns_wss_util}}}Timestamp/{{{ns_wss_util}}}Created"
 expires_xpath = f"./{{{ns_envelope}}}Header/{{{ns_wss_s}}}Security/{{{ns_wss_util}}}Timestamp/{{{ns_wss_util}}}Expires"
 
+# Amount of time allowed over the limit for timestamp checks
+# Without it the check can fail when the client and server time doesn't align
+allowed_dt_delta = datetime.datetimedelta(seconds=1)
+
 
 def add_signature(root, key, cert):
     key = _make_sign_key(key, cert, None)
@@ -64,9 +68,9 @@ def verify_timestamp(root):
         raise ValueError('Expires timestamp not found')
     dt_expires = datetime.datetime.fromisoformat(replace_utc_timezone_with_offset(expires.text))
 
-    if dt_created > dt_now:
+    if dt_created - allowed_dt_delta > dt_now:
         logger.debug("Created timestamp is in the future: dt_created=%s dt_now=%s", dt_created, dt_now)
         raise ValueError('Created timestamp is in the future')
-    if dt_expires < dt_now:
+    if dt_expires + allowed_dt_delta < dt_now:
         logger.debug("Envelope has expired: dt_expires=%s dt_now=%s", dt_expires, dt_now)
         raise ValueError('Envelope has expired')
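Review bot: `datetime.datetimedelta` does not exist in the standard library, so the added module-level assignment `allowed_dt_delta = datetime.datetimedelta(seconds=1)` raises AttributeError the moment msystems/xml_utils.py is imported, taking verify_timestamp and the rest of the module down with it; it should read `allowed_dt_delta = datetime.timedelta(seconds=1)`. This assumes `datetime` is the stdlib module, which the `datetime.datetime.fromisoformat` call in the second hunk suggests. Because this tolerance directly widens the window in which a captured envelope is still accepted, the comment should say so and the value should stay small; I would phrase it `# Clock-skew tolerance for the Created/Expires checks; every second added here extends the replay window, so keep it small.` As a module-level constant it would also follow PEP 8 as `ALLOWED_DT_DELTA`, though that is a style preference.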
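Review bot: The skew tolerance is now applied to both bounds, but verify_timestamp still puts no ceiling on the envelope's lifetime: nothing rejects an `Expires` far in the future or an `Expires` earlier than `Created`, so a captured, validly signed envelope stays accepted for as long as its sender chose. Before the Created check I would add `if dt_expires < dt_created or dt_expires - dt_created > max_envelope_lifetime: raise ValueError('Envelope lifetime out of range')`, with `max_envelope_lifetime` a small module-level timedelta (a few minutes is the usual replay window for WS-Security timestamps). This only helps if the Timestamp element is among the references covered by the signature verified elsewhere — presumably it is, but that is not visible here. `dt_now` is computed before the hunk; if it is naive while the parsed timestamps carry the offset that `replace_utc_timezone_with_offset` appears to add, these comparisons raise TypeError instead of the ValueError callers may be catching, which is worth confirming. verify_timestamp starts outside the hunk.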