Apply clock drift to SubjectConfirmationData and AuthnStatement (#385)

tvuotila · web-flow · commit 27372cee6a4d · 2024-10-01T09:23:21.000+02:00
* Apply clock drift to SubjectConfirmationData
* Apply clock drift to AuthnStatement
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
@@ -180,7 +180,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
 
                 # Checks the session Expiration
                 session_expiration = self.get_session_not_on_or_after()
-                if session_expiration and session_expiration <= OneLogin_Saml2_Utils.now():
+                if session_expiration and session_expiration + OneLogin_Saml2_Constants.ALLOWED_CLOCK_DRIFT <= OneLogin_Saml2_Utils.now():
                     raise OneLogin_Saml2_ValidationError(
                         "The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response", OneLogin_Saml2_ValidationError.SESSION_EXPIRED
                     )
@@ -206,12 +206,12 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                         nooa = sc_data.get("NotOnOrAfter", None)
                         if nooa:
                             parsed_nooa = OneLogin_Saml2_Utils.parse_SAML_to_time(nooa)
-                            if parsed_nooa <= OneLogin_Saml2_Utils.now():
+                            if parsed_nooa + OneLogin_Saml2_Constants.ALLOWED_CLOCK_DRIFT <= OneLogin_Saml2_Utils.now():
                                 continue
                         nb = sc_data.get("NotBefore", None)
                         if nb:
                             parsed_nb = OneLogin_Saml2_Utils.parse_SAML_to_time(nb)
-                            if parsed_nb > OneLogin_Saml2_Utils.now():
+                            if parsed_nb > OneLogin_Saml2_Utils.now() + OneLogin_Saml2_Constants.ALLOWED_CLOCK_DRIFT:
                                 continue
 
                         if nooa:
