From febdab41c79e667a179c2f87c3599bf86737a59a Mon Sep 17 00:00:00 2001
From: Kamil Malinowski
Date: Tue, 22 Oct 2024 17:56:49 +0200
Subject: [PATCH 1/2] OM-349 Added logging to xml utils

---
 msystems/xml_utils.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/msystems/xml_utils.py b/msystems/xml_utils.py
index 5b38084..b4e5e45 100644
--- a/msystems/xml_utils.py
+++ b/msystems/xml_utils.py
@@ -1,3 +1,4 @@
+import logging
 import re
 import datetime as py_datetime
@@ -7,6 +8,8 @@ from core import datetime
 from msystems.apps import MsystemsConfig
+logger = logging.getLogger(__name__)
+
 ns_envelope = "http://schemas.xmlsoap.org/soap/envelope/"
 ns_wss_util = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 ns_wss_s = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
@@ -62,6 +65,8 @@ def verify_timestamp(root):
     dt_expires = datetime.datetime.fromisoformat(replace_utc_timezone_with_offset(expires.text))
     if dt_created > dt_now:
+        logger.debug("Created timestamp is in the future: dt_created=%s dt_now=%s", dt_created, dt_now)
         raise ValueError('Created timestamp is in the future')
     if dt_expires < dt_now:
+        logger.debug("Envelope has expired: dt_expires=%s dt_now=%s", dt_expires, dt_now)
         raise ValueError('Envelope has expired')

From 92f9e4a61e2ae9da436c5423f25d3779d977d501 Mon Sep 17 00:00:00 2001
From: Kamil Malinowski
Date: Tue, 22 Oct 2024 18:44:19 +0200
Subject: [PATCH 2/2] OM-349 Added leeway in timestamp checks

---
 msystems/xml_utils.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/msystems/xml_utils.py b/msystems/xml_utils.py
index b4e5e45..ad85a6c 100644
--- a/msystems/xml_utils.py
+++ b/msystems/xml_utils.py
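Review bot: The two new `logger.debug` calls in verify_timestamp record a rejected WS-Security timestamp at a level most production configurations discard, so a run of stale or future-dated envelopes leaves no trace in retained logs; `logger.warning(...)` fits a failed freshness check better, since that is the event an operator investigating replay or clock-skew problems needs to see. Each message also repeats the text of the `ValueError` raised on the next line; if the caller already logs the exception (for example with `logger.exception`), these lines are redundant and would be more useful carrying what the exception lacks, such as the skew `dt_now - dt_created`. verify_timestamp begins before the hunk, so where `dt_now` is taken and whether all three values are timezone-aware is not visible here.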
@@ -17,6 +17,10 @@ created_xpath = f"./{{{ns_envelope}}}Header/{{{ns_wss_s}}}Security/{{{ns_wss_util}}}Timestamp/{{{ns_wss_util}}}Created"
 expires_xpath = f"./{{{ns_envelope}}}Header/{{{ns_wss_s}}}Security/{{{ns_wss_util}}}Timestamp/{{{ns_wss_util}}}Expires"
+# Amount of time allowed over the limit for timestamp checks
+# Without it the check can fail when the client and server time doesn't align
+allowed_dt_delta = datetime.datetimedelta(seconds=1)
+
 def add_signature(root, key, cert):
     key = _make_sign_key(key, cert, None)
@@ -64,9 +68,9 @@ def verify_timestamp(root):
         raise ValueError('Expires timestamp not found')
     dt_expires = datetime.datetime.fromisoformat(replace_utc_timezone_with_offset(expires.text))
-    if dt_created > dt_now:
+    if dt_created - allowed_dt_delta > dt_now:
         logger.debug("Created timestamp is in the future: dt_created=%s dt_now=%s", dt_created, dt_now)
         raise ValueError('Created timestamp is in the future')
-    if dt_expires < dt_now:
+    if dt_expires + allowed_dt_delta < dt_now:
         logger.debug("Envelope has expired: dt_expires=%s dt_now=%s", dt_expires, dt_now)
         raise ValueError('Envelope has expired')
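Review bot: `allowed_dt_delta` is a hard-coded one-second leeway while `MsystemsConfig` is already imported in this file; reading it from configuration would let operators adjust it without a code change, because one second is unlikely to absorb real clock skew between peers, and any larger value should be a deliberate, documented choice since the same tolerance also widens the window in which an expired envelope is still accepted. The constant resolves `datetimedelta` on the `core` `datetime` module rather than on `py_datetime`; if that module does not export the name the file fails at import time rather than in the check, so a unit test that feeds verify_timestamp a Created value slightly ahead of now would pin both the attribute and the tolerance. Style: the comment reads more precisely as `# Clock-skew tolerance applied to both timestamp checks; without it a valid envelope can be rejected when client and server clocks don't align.`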
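Review bot: Widening both comparisons by `allowed_dt_delta` handles skew, but the two timestamps are still never related to each other: nothing in the hunk rejects an envelope whose Expires is at or before its Created, and nothing bounds the Created-to-Expires lifetime, so a sender can declare an arbitrarily long validity window and the freshness check reduces to a comparison against Expires alone. A guard right after the `dt_expires` assignment, `if dt_expires <= dt_created: raise ValueError('Expires timestamp is not after Created timestamp')`, closes the ordering gap; a maximum lifetime would need a configured limit alongside the leeway. The `logger.debug` messages still print only the raw timestamps, so adding `allowed_dt_delta` to them makes a rejection reproducible from the log alone. verify_timestamp starts before this hunk and may continue after its last line.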