From 0dea2f4a51d6044eb16602a4ebe0446c6886e612 Mon Sep 17 00:00:00 2001
From: Alan Shea Anderson-Priddy
Date: Wed, 24 Nov 2021 09:40:53 -0800
Subject: [PATCH] Return false for non-sequential assertion dates. Log the times to help when troubleshooting clock drift between the cas client and cas server.
---
 DotNetCasClient/Validation/SamlUtils.cs | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/DotNetCasClient/Validation/SamlUtils.cs b/DotNetCasClient/Validation/SamlUtils.cs
index 558621c..eb3c236 100644
--- a/DotNetCasClient/Validation/SamlUtils.cs
+++ b/DotNetCasClient/Validation/SamlUtils.cs
@@ -57,18 +57,27 @@ public static bool IsValidAssertion(DateTime notBefore, DateTime notOnOrAfter, l
 ProtoLogger.Debug("Assertion has no bounding dates. Will not process.");
 return false;
 }
- ProtoLogger.Debug("Assertion validity window: {0} - {1} +/- {2}ms", notBefore, notOnOrAfter, toleranceTicks / 10000);
-
+
+ ProtoLogger.Debug("Assertion validity window: {0} - {1} +/- {2}ms", notBefore, notOnOrAfter, toleranceTicks / 10000);
+
 long utcNowTicks = DateTime.UtcNow.Ticks;
- if (utcNowTicks + toleranceTicks < notBefore.Ticks)
+ ProtoLogger.Debug("Current time: {0}", new DateTime(utcNowTicks));
+
+ if (notOnOrAfter < notBefore)
 {
- ProtoLogger.Debug("Assertion is not yet valid.");
+ ProtoLogger.Debug("Assertion has non-sequential bounding dates.");
 return false;
 }
-
- if (notOnOrAfter.Ticks <= utcNowTicks - toleranceTicks)
+
+ if ((utcNowTicks + toleranceTicks) < notBefore.Ticks)
+ {
+ ProtoLogger.Debug("Assertion is not yet valid: ( {0} + {1} ) < {2}", utcNowTicks, toleranceTicks, notBefore.Ticks);
+ return false;
+ }
+
+ if (notOnOrAfter.Ticks <= (utcNowTicks - toleranceTicks))
 {
- ProtoLogger.Debug("Assertion is expired.");
+ ProtoLogger.Debug("Assertion is expired: {2} <= ( {0} + {1} )", utcNowTicks, toleranceTicks, notOnOrAfter.Ticks);
 return false;
 }
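Review bot: The expired-branch log message prints the wrong operator: the check is `notOnOrAfter.Ticks <= (utcNowTicks - toleranceTicks)` but the format string says `{2} <= ( {0} + {1} )`, so someone troubleshooting clock drift with this log sees a sum that does not match the comparison that actually fired; change it to `ProtoLogger.Debug("Assertion is expired: {2} <= ( {0} - {1} )", utcNowTicks, toleranceTicks, notOnOrAfter.Ticks);`. The new "Current time" line builds `new DateTime(utcNowTicks)` without a kind, so the value logs as Unspecified even though the ticks come from `DateTime.UtcNow`; `new DateTime(utcNowTicks, DateTimeKind.Utc)` keeps that explicit next to the notBefore/notOnOrAfter values it is meant to be compared against. The new `notOnOrAfter < notBefore` guard still lets an empty window (`notOnOrAfter == notBefore`) reach the tolerance checks, which may be intended since the commit only names reversed dates; if an empty window should also be rejected, `<=` does it. IsValidAssertion continues past the end of the hunk.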