Add specs for clock drift

johnnyshields · johnnyshields · commit fca3f512206f · 2021-08-17T21:00:24.000+09:00
diff --git a/lib/onelogin/ruby-saml/response.rb b/lib/onelogin/ruby-saml/response.rb
@@ -339,7 +339,7 @@ def audiences
       # returns the allowed clock drift on timing validation
       # @return [Float]
       def allowed_clock_drift
-        options[:allowed_clock_drift].to_f.abs
+        options[:allowed_clock_drift].to_f.abs + Float::EPSILON
       end
 
       # Checks if the SAML Response contains or not an EncryptedAssertion element
diff --git a/lib/onelogin/ruby-saml/slo_logoutrequest.rb b/lib/onelogin/ruby-saml/slo_logoutrequest.rb
@@ -133,7 +133,7 @@ def session_indexes
       # returns the allowed clock drift on timing validation
       # @return [Float]
       def allowed_clock_drift
-        options[:allowed_clock_drift].to_f.abs
+        options[:allowed_clock_drift].to_f.abs + Float::EPSILON
       end
 
       # Hard aux function to validate the Logout Request
diff --git a/test/response_test.rb b/test/response_test.rb
@@ -1107,44 +1107,71 @@ def generate_audience_error(expected, actual)
         end
       end
 
-      it "optionally allows for clock drift" do
+      it "optionally allows for clock drift on NotBefore" do
+        settings.soft = true
+
         # The NotBefore condition in the document is 2011-06-14T18:21:01.516Z
         Timecop.freeze(Time.parse("2011-06-14T18:21:01Z")) do
-          settings.soft = true
           special_response_with_saml2_namespace = OneLogin::RubySaml::Response.new(
             response_document_with_saml2_namespace,
             :allowed_clock_drift => 0.515,
             :settings => settings
           )
           assert !special_response_with_saml2_namespace.send(:validate_conditions)
-        end
 
-        Timecop.freeze(Time.parse("2011-06-14T18:21:01Z")) do
           special_response_with_saml2_namespace = OneLogin::RubySaml::Response.new(
             response_document_with_saml2_namespace,
             :allowed_clock_drift => 0.516
           )
           assert special_response_with_saml2_namespace.send(:validate_conditions)
-        end
 
-        Timecop.freeze(Time.parse("2011-06-14T18:21:01Z")) do
-          settings.soft = true
           special_response_with_saml2_namespace = OneLogin::RubySaml::Response.new(
             response_document_with_saml2_namespace,
             :allowed_clock_drift => '0.515',
             :settings => settings
           )
           assert !special_response_with_saml2_namespace.send(:validate_conditions)
-        end
 
-        Timecop.freeze(Time.parse("2011-06-14T18:21:01Z")) do
           special_response_with_saml2_namespace = OneLogin::RubySaml::Response.new(
             response_document_with_saml2_namespace,
             :allowed_clock_drift => '0.516'
           )
           assert special_response_with_saml2_namespace.send(:validate_conditions)
         end
       end
+
+      it "optionally allows for clock drift on NotOnOrAfter" do
+        settings.soft = true
+
+        # The NotBefore condition in the document is 2011-06-1418:31:01.516Z
+        Timecop.freeze(Time.parse("2011-06-14T18:31:02Z")) do
+          special_response_with_saml2_namespace = OneLogin::RubySaml::Response.new(
+              response_document_with_saml2_namespace,
+              :allowed_clock_drift => 0.483,
+              :settings => settings
+          )
+          assert !special_response_with_saml2_namespace.send(:validate_conditions)
+
+          special_response_with_saml2_namespace = OneLogin::RubySaml::Response.new(
+              response_document_with_saml2_namespace,
+              :allowed_clock_drift => 0.484
+          )
+          assert special_response_with_saml2_namespace.send(:validate_conditions)
+
+          special_response_with_saml2_namespace = OneLogin::RubySaml::Response.new(
+              response_document_with_saml2_namespace,
+              :allowed_clock_drift => '0.483',
+              :settings => settings
+          )
+          assert !special_response_with_saml2_namespace.send(:validate_conditions)
+
+          special_response_with_saml2_namespace = OneLogin::RubySaml::Response.new(
+              response_document_with_saml2_namespace,
+              :allowed_clock_drift => '0.484'
+          )
+          assert special_response_with_saml2_namespace.send(:validate_conditions)
+        end
+      end
     end
 
     describe "#attributes" do
diff --git a/test/slo_logoutrequest_test.rb b/test/slo_logoutrequest_test.rb
@@ -109,7 +109,7 @@ class RubySamlTest < Minitest::Test
       end
     end
 
-   describe "#not_on_or_after" do
+    describe "#not_on_or_after" do
       it "extract the value of the NotOnOrAfter attribute" do
         time_value = '2014-07-17T01:01:48Z'
         assert_nil logout_request.not_on_or_after
@@ -158,25 +158,49 @@ class RubySamlTest < Minitest::Test
       it "return true when the logout request has a valid NotOnOrAfter or does not contain any" do
         assert logout_request.send(:validate_not_on_or_after)
         assert_empty logout_request.errors
-        Timecop.freeze Time.parse('2011-06-14T18:25:01.516Z') do
-          time_value = '2014-07-17T01:01:48Z'
-          logout_request.document.root.attributes['NotOnOrAfter'] = time_value
+
+        Timecop.freeze Time.parse('2014-07-17T01:01:47Z') do
+          logout_request.document.root.attributes['NotOnOrAfter'] = '2014-07-17T01:01:48Z'
           assert logout_request.send(:validate_not_on_or_after)
           assert_empty logout_request.errors
         end
       end
 
       it "return false when the logout request has an invalid NotOnOrAfter" do
-        logout_request.document.root.attributes['NotOnOrAfter'] = '2014-07-17T01:01:48Z'
-        assert !logout_request.send(:validate_not_on_or_after)
-        assert /Current time is on or after NotOnOrAfter/.match(logout_request.errors[0])
+        Timecop.freeze Time.parse('2014-07-17T01:01:49Z') do
+          logout_request.document.root.attributes['NotOnOrAfter'] = '2014-07-17T01:01:48Z'
+          assert !logout_request.send(:validate_not_on_or_after)
+          assert /Current time is on or after NotOnOrAfter/.match(logout_request.errors[0])
+        end
       end
 
       it "raise when the logout request has an invalid NotOnOrAfter" do
-        logout_request.document.root.attributes['NotOnOrAfter'] = '2014-07-17T01:01:48Z'
-        logout_request.soft = false
-        assert_raises(OneLogin::RubySaml::ValidationError, "Current time is on or after NotOnOrAfter") do
-          logout_request.send(:validate_not_on_or_after)
+        Timecop.freeze Time.parse('2014-07-17T01:01:49Z') do
+          logout_request.document.root.attributes['NotOnOrAfter'] = '2014-07-17T01:01:48Z'
+          logout_request.soft = false
+          assert_raises(OneLogin::RubySaml::ValidationError, "Current time is on or after NotOnOrAfter") do
+            logout_request.send(:validate_not_on_or_after)
+          end
+        end
+      end
+
+      it "optionally allows for clock drift" do
+        logout_request.soft = true
+        logout_request.document.root.attributes['NotOnOrAfter'] = '2011-06-14T18:31:01.516Z'
+
+        # The NotBefore condition in the document is 2011-06-1418:31:01.516Z
+        Timecop.freeze(Time.parse("2011-06-14T18:31:02Z")) do
+          logout_request.options[:allowed_clock_drift] = 0.483
+          assert !logout_request.send(:validate_not_on_or_after)
+
+          logout_request.options[:allowed_clock_drift] = 0.484
+          assert logout_request.send(:validate_not_on_or_after)
+
+          logout_request.options[:allowed_clock_drift] = '0.483'
+          assert !logout_request.send(:validate_not_on_or_after)
+
+          logout_request.options[:allowed_clock_drift] = '0.484'
+          assert logout_request.send(:validate_not_on_or_after)
         end
       end
     end
