Close #89 Allow clock drift when validating NotBefore and NotOnOrAfter attributes

pitbulk · pitbulk · commit 3272ed447ada · 2017-02-14T18:14:24.000+01:00
diff --git a/core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java b/core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java
@@ -271,6 +271,7 @@ public boolean isValid(String requestId) {
 				// Check the session Expiration
 				DateTime sessionExpiration = this.getSessionNotOnOrAfter();
 				if (sessionExpiration != null) {
+					sessionExpiration = sessionExpiration.plus(Constants.ALOWED_CLOCK_DRIFT * 1000);
 					if (sessionExpiration.isEqualNow() || sessionExpiration.isBeforeNow()) {
 						throw new ValidationError("The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response", ValidationError.SESSION_EXPIRED);
 					}
@@ -364,6 +365,7 @@ private void validateSubjectConfirmation(String responseInResponseTo) throws XPa
 					}
 
 					DateTime noa = Util.parseDateTime(notOnOrAfter.getNodeValue());
+					noa = noa.plus(Constants.ALOWED_CLOCK_DRIFT * 1000);
 					if (noa.isEqualNow() || noa.isBeforeNow()) {
 						validationIssues.add(new SubjectConfirmationIssue(i, "SubjectConfirmationData is no longer valid"));
 						continue;
@@ -372,6 +374,7 @@ private void validateSubjectConfirmation(String responseInResponseTo) throws XPa
 					Node notBefore = subjectConfirmationDataNodes.item(c).getAttributes().getNamedItem("NotBefore");
 					if (notBefore != null) {
 						DateTime nb = Util.parseDateTime(notBefore.getNodeValue());
+						nb = nb.minus(Constants.ALOWED_CLOCK_DRIFT * 1000);
 						if (nb.isAfterNow()) {
 							validationIssues.add(new SubjectConfirmationIssue(i, "SubjectConfirmationData is not yet valid"));
 							continue;
@@ -900,14 +903,16 @@ public boolean validateTimestamps() throws ValidationError {
 				Node naAttribute = attrName.getNamedItem("NotOnOrAfter");
 				// validate NotOnOrAfter
 				if (naAttribute != null) {
-					final DateTime notOnOrAfterDate = Util.parseDateTime(naAttribute.getNodeValue());
+					DateTime notOnOrAfterDate = Util.parseDateTime(naAttribute.getNodeValue());
+					notOnOrAfterDate = notOnOrAfterDate.plus(Constants.ALOWED_CLOCK_DRIFT * 1000);
 					if (notOnOrAfterDate.isEqualNow() || notOnOrAfterDate.isBeforeNow()) {
 						throw new ValidationError("Could not validate timestamp: expired. Check system clock.", ValidationError.ASSERTION_EXPIRED);
 					}
 				}
 				// validate NotBefore
 				if (nbAttribute != null) {
-					final DateTime notBeforeDate = Util.parseDateTime(nbAttribute.getNodeValue());
+					DateTime notBeforeDate = Util.parseDateTime(nbAttribute.getNodeValue());
+					notBeforeDate = notBeforeDate.minus(Constants.ALOWED_CLOCK_DRIFT * 1000);
 					if (notBeforeDate.isAfterNow()) {
 						throw new ValidationError("Could not validate timestamp: not yet valid. Check system clock.", ValidationError.ASSERTION_TOO_EARLY);
 					}
