From cf5e1b676ced3826053ed1ec7f649b626dbf3167 Mon Sep 17 00:00:00 2001
From: Kamil Malinowski
Date: Thu, 24 Oct 2024 13:53:28 +0200
Subject: [PATCH] OM-349 Mconnect signature issue (#37)
* OM-349 Added logging to xml utils
* OM-349 Added leeway in timestamp checks
---
 msystems/xml_utils.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/msystems/xml_utils.py b/msystems/xml_utils.py
index 5b38084..ad85a6c 100644
--- a/msystems/xml_utils.py
+++ b/msystems/xml_utils.py
@@ -1,3 +1,4 @@
+import logging
 import re
 import datetime as py_datetime
@@ -7,6 +8,8 @@ from core import datetime
 from msystems.apps import MsystemsConfig
+logger = logging.getLogger(__name__)
+
 ns_envelope = "http://schemas.xmlsoap.org/soap/envelope/"
 ns_wss_util = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 ns_wss_s = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
@@ -14,6 +17,10 @@ created_xpath = f"./{{{ns_envelope}}}Header/{{{ns_wss_s}}}Security/{{{ns_wss_util}}}Timestamp/{{{ns_wss_util}}}Created"
 expires_xpath = f"./{{{ns_envelope}}}Header/{{{ns_wss_s}}}Security/{{{ns_wss_util}}}Timestamp/{{{ns_wss_util}}}Expires"
+# Amount of time allowed over the limit for timestamp checks
+# Without it the check can fail when the client and server time doesn't align
+allowed_dt_delta = datetime.datetimedelta(seconds=1)
+
 def add_signature(root, key, cert):
 key = _make_sign_key(key, cert, None)
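Review bot: The clock-skew tolerance `allowed_dt_delta` in the third hunk is a fixed one second baked into the module, which is small enough that two hosts not synchronised to the same time source can still trip the Created/Expires checks the comment describes, and changing it requires a code release; since the file already imports `MsystemsConfig`, the value would be better read from configuration at startup. The comment above the constant should also say which way the slack is applied, e.g. `# Clock-skew tolerance: Created may be this far in the future and Expires this far in the past before the envelope is rejected`, and fix "time doesn't align" to "times don't align". Whatever value is chosen widens the accepted replay window by the same amount, so it should be documented together with the maximum envelope lifetime the server is willing to accept.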
@@ -61,7 +68,9 @@ def verify_timestamp(root):
 raise ValueError('Expires timestamp not found')
 dt_expires = datetime.datetime.fromisoformat(replace_utc_timezone_with_offset(expires.text))
-if dt_created > dt_now:
+if dt_created - allowed_dt_delta > dt_now:
+logger.debug("Created timestamp is in the future: dt_created=%s dt_now=%s", dt_created, dt_now)
 raise ValueError('Created timestamp is in the future')
-if dt_expires < dt_now:
+if dt_expires + allowed_dt_delta < dt_now:
+logger.debug("Envelope has expired: dt_expires=%s dt_now=%s", dt_expires, dt_now)
 raise ValueError('Envelope has expired')
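Review bot: The rewritten checks still accept any envelope whose client-supplied Expires lies in the future, however far it is from Created, so the validity window is bounded only by the sender; the receiver should also enforce a maximum `Expires - Created` lifetime, which the leeway change does not add. A check such as `if dt_expires - dt_created > MAX_LIFETIME: raise ValueError('Timestamp lifetime too long')` placed after the two existing checks, with MAX_LIFETIME (placeholder name) taken from configuration, caps the replay window independently of the skew tolerance. The two new debug lines are useful, but a rejected security timestamp is a security-relevant event that will be invisible at the default log level, so `logger.warning` is the better fit for both. verify_timestamp begins outside the hunk and a blank context line appears to have been lost in the collapsed text, so the surrounding flow is inferred from the visible lines only.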