
Commit fca3f51

committed
Add specs for clock drift
1 parent 9fc2e66 commit fca3f51

4 files changed

Lines changed: 73 additions & 22 deletions


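--- a/lib/onelogin/ruby-saml/response.rb
+++ b/lib/onelogin/ruby-saml/response.rb
@@ -339,7 +339,7 @@ def audiences
 # returns the allowed clock drift on timing validation
 # @return [Float]
 def allowed_clock_drift
-options[:allowed_clock_drift].to_f.abs
+options[:allowed_clock_drift].to_f.abs + Float::EPSILON
 end
 
 # Checks if the SAML Response contains or not an EncryptedAssertion element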
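Review bot: The `+ Float::EPSILON` on the new line is an unexplained magic nudge whose effect depends on the magnitude of the drift: `Float::EPSILON` is the spacing between 1.0 and the next representable float, so for sub-second drifts it makes the tolerance a hair wider, while for a drift of a few seconds or more the addition is absorbed by rounding and the method returns the unchanged value. If the intent is that a skew exactly equal to the configured drift is accepted (the `0.516`/`0.484` boundary cases the new specs exercise), that belongs in the comparison operator of the timing check rather than in the drift value; either way the line needs a why-comment, e.g. `# + Float::EPSILON: let a skew exactly equal to the configured drift pass the timing check (absorbed by rounding for drifts of a few seconds or more)`. The same line is duplicated in lib/onelogin/ruby-saml/slo_logoutrequest.rb; a shared helper would keep the two in step. Note also that `to_f` silently turns an unparsable option such as `'abc'` into `0.0`, which is the safe direction (no tolerance) but is worth stating in the `@return` doc.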

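--- a/lib/onelogin/ruby-saml/slo_logoutrequest.rb
+++ b/lib/onelogin/ruby-saml/slo_logoutrequest.rb
@@ -133,7 +133,7 @@ def session_indexes
 # returns the allowed clock drift on timing validation
 # @return [Float]
 def allowed_clock_drift
-options[:allowed_clock_drift].to_f.abs
+options[:allowed_clock_drift].to_f.abs + Float::EPSILON
 end
 
 # Hard aux function to validate the Logout Request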

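--- a/test/response_test.rb
+++ b/test/response_test.rb
@@ -1107,44 +1107,71 @@ def generate_audience_error(expected, actual)
 end
 end
 
-it "optionally allows for clock drift" do
+it "optionally allows for clock drift on NotBefore" do
+settings.soft = true
+
 # The NotBefore condition in the document is 2011-06-14T18:21:01.516Z
 Timecop.freeze(Time.parse("2011-06-14T18:21:01Z")) do
-settings.soft = true
 special_response_with_saml2_namespace = OneLogin::RubySaml::Response.new(
 response_document_with_saml2_namespace,
 :allowed_clock_drift => 0.515,
 :settings => settings
 )
 assert !special_response_with_saml2_namespace.send(:validate_conditions)
-end
 
-Timecop.freeze(Time.parse("2011-06-14T18:21:01Z")) do
 special_response_with_saml2_namespace = OneLogin::RubySaml::Response.new(
 response_document_with_saml2_namespace,
 :allowed_clock_drift => 0.516
 )
 assert special_response_with_saml2_namespace.send(:validate_conditions)
-end
 
-Timecop.freeze(Time.parse("2011-06-14T18:21:01Z")) do
-settings.soft = true
 special_response_with_saml2_namespace = OneLogin::RubySaml::Response.new(
 response_document_with_saml2_namespace,
 :allowed_clock_drift => '0.515',
 :settings => settings
 )
 assert !special_response_with_saml2_namespace.send(:validate_conditions)
-end
 
-Timecop.freeze(Time.parse("2011-06-14T18:21:01Z")) do
 special_response_with_saml2_namespace = OneLogin::RubySaml::Response.new(
 response_document_with_saml2_namespace,
 :allowed_clock_drift => '0.516'
 )
 assert special_response_with_saml2_namespace.send(:validate_conditions)
 end
 end
+
+it "optionally allows for clock drift on NotOnOrAfter" do
+settings.soft = true
+
+# The NotBefore condition in the document is 2011-06-1418:31:01.516Z
+Timecop.freeze(Time.parse("2011-06-14T18:31:02Z")) do
+special_response_with_saml2_namespace = OneLogin::RubySaml::Response.new(
+response_document_with_saml2_namespace,
+:allowed_clock_drift => 0.483,
+:settings => settings
+)
+assert !special_response_with_saml2_namespace.send(:validate_conditions)
+
+special_response_with_saml2_namespace = OneLogin::RubySaml::Response.new(
+response_document_with_saml2_namespace,
+:allowed_clock_drift => 0.484
+)
+assert special_response_with_saml2_namespace.send(:validate_conditions)
+
+special_response_with_saml2_namespace = OneLogin::RubySaml::Response.new(
+response_document_with_saml2_namespace,
+:allowed_clock_drift => '0.483',
+:settings => settings
+)
+assert !special_response_with_saml2_namespace.send(:validate_conditions)
+
+special_response_with_saml2_namespace = OneLogin::RubySaml::Response.new(
+response_document_with_saml2_namespace,
+:allowed_clock_drift => '0.484'
+)
+assert special_response_with_saml2_namespace.send(:validate_conditions)
+end
+end
 end
 
 describe "#attributes" do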
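Review bot: The comment added at new line 1146, `# The NotBefore condition in the document is 2011-06-1418:31:01.516Z`, names the wrong attribute and drops the `T` from the timestamp: this spec exercises NotOnOrAfter (the frozen time `18:31:02Z` lies after it and `0.484` is exactly the gap), so it should read `# The NotOnOrAfter condition in the document is 2011-06-14T18:31:01.516Z`. The same wrong comment is added in test/slo_logoutrequest_test.rb, where the value is in fact set by the spec itself two lines earlier rather than coming from the document. It would also help to say in the comment that the `0.484` and `0.516` cases sit exactly on the boundary and presumably pass only because of the `Float::EPSILON` added to `allowed_clock_drift` in this commit, so a later reader does not "tidy" those values. The enclosing `describe` block starts before this hunk.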

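--- a/test/slo_logoutrequest_test.rb
+++ b/test/slo_logoutrequest_test.rb
@@ -109,7 +109,7 @@ class RubySamlTest < Minitest::Test
 end
 end
 
-describe "#not_on_or_after" do
+describe "#not_on_or_after" do
 it "extract the value of the NotOnOrAfter attribute" do
 time_value = '2014-07-17T01:01:48Z'
 assert_nil logout_request.not_on_or_after
@@ -158,25 +158,49 @@ class RubySamlTest < Minitest::Test
 it "return true when the logout request has a valid NotOnOrAfter or does not contain any" do
 assert logout_request.send(:validate_not_on_or_after)
 assert_empty logout_request.errors
-Timecop.freeze Time.parse('2011-06-14T18:25:01.516Z') do
-time_value = '2014-07-17T01:01:48Z'
-logout_request.document.root.attributes['NotOnOrAfter'] = time_value
+
+Timecop.freeze Time.parse('2014-07-17T01:01:47Z') do
+logout_request.document.root.attributes['NotOnOrAfter'] = '2014-07-17T01:01:48Z'
 assert logout_request.send(:validate_not_on_or_after)
 assert_empty logout_request.errors
 end
 end
 
 it "return false when the logout request has an invalid NotOnOrAfter" do
-logout_request.document.root.attributes['NotOnOrAfter'] = '2014-07-17T01:01:48Z'
-assert !logout_request.send(:validate_not_on_or_after)
-assert /Current time is on or after NotOnOrAfter/.match(logout_request.errors[0])
+Timecop.freeze Time.parse('2014-07-17T01:01:49Z') do
+logout_request.document.root.attributes['NotOnOrAfter'] = '2014-07-17T01:01:48Z'
+assert !logout_request.send(:validate_not_on_or_after)
+assert /Current time is on or after NotOnOrAfter/.match(logout_request.errors[0])
+end
 end
 
 it "raise when the logout request has an invalid NotOnOrAfter" do
-logout_request.document.root.attributes['NotOnOrAfter'] = '2014-07-17T01:01:48Z'
-logout_request.soft = false
-assert_raises(OneLogin::RubySaml::ValidationError, "Current time is on or after NotOnOrAfter") do
-logout_request.send(:validate_not_on_or_after)
+Timecop.freeze Time.parse('2014-07-17T01:01:49Z') do
+logout_request.document.root.attributes['NotOnOrAfter'] = '2014-07-17T01:01:48Z'
+logout_request.soft = false
+assert_raises(OneLogin::RubySaml::ValidationError, "Current time is on or after NotOnOrAfter") do
+logout_request.send(:validate_not_on_or_after)
+end
+end
+end
+
+it "optionally allows for clock drift" do
+logout_request.soft = true
+logout_request.document.root.attributes['NotOnOrAfter'] = '2011-06-14T18:31:01.516Z'
+
+# The NotBefore condition in the document is 2011-06-1418:31:01.516Z
+Timecop.freeze(Time.parse("2011-06-14T18:31:02Z")) do
+logout_request.options[:allowed_clock_drift] = 0.483
+assert !logout_request.send(:validate_not_on_or_after)
+
+logout_request.options[:allowed_clock_drift] = 0.484
+assert logout_request.send(:validate_not_on_or_after)
+
+logout_request.options[:allowed_clock_drift] = '0.483'
+assert !logout_request.send(:validate_not_on_or_after)
+
+logout_request.options[:allowed_clock_drift] = '0.484'
+assert logout_request.send(:validate_not_on_or_after)
 end
 end
 end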
