Add support to allow for clock skew

Stummi · Stummi · commit c0cb3010b07f · 2025-05-16T12:51:22.000+02:00
diff --git a/saml.go b/saml.go
@@ -92,6 +92,8 @@ type SAMLServiceProvider struct {
 
 	signingContextMu sync.RWMutex
 	signingContext   *dsig.SigningContext
+
+	AllowClockSkew time.Duration
 }
 
 // SetSPKeyStore sets the encryption key to be used.
diff --git a/validate.go b/validate.go
@@ -21,9 +21,9 @@ import (
 	"github.com/russellhaering/gosaml2/types"
 )
 
-//ErrParsing indicates that the value present in an assertion could not be
-//parsed. It can be inspected for the specific tag name, the contents, and the
-//intended type.
+// ErrParsing indicates that the value present in an assertion could not be
+// parsed. It can be inspected for the specific tag name, the contents, and the
+// intended type.
 type ErrParsing struct {
 	Tag, Value, Type string
 }
@@ -32,14 +32,14 @@ func (ep ErrParsing) Error() string {
 	return fmt.Sprintf("Error parsing %s tag value as type %s", ep.Tag, ep.Value)
 }
 
-//Oft-used messages
+// Oft-used messages
 const (
 	ReasonUnsupported = "Unsupported"
 	ReasonExpired     = "Expired"
 )
 
-//ErrInvalidValue indicates that the expected value did not match the received
-//value.
+// ErrInvalidValue indicates that the expected value did not match the received
+// value.
 type ErrInvalidValue struct {
 	Key, Expected, Actual string
 	Reason                string
@@ -52,13 +52,13 @@ func (e ErrInvalidValue) Error() string {
 	return fmt.Sprintf("%s %s value, Expected: %s, Actual: %s", e.Reason, e.Key, e.Expected, e.Actual)
 }
 
-//Well-known methods of subject confirmation
+// Well-known methods of subject confirmation
 const (
 	SubjMethodBearer = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
 )
 
-//VerifyAssertionConditions inspects an assertion element and makes sure that
-//all SAML2 contracts are upheld.
+// VerifyAssertionConditions inspects an assertion element and makes sure that
+// all SAML2 contracts are upheld.
 func (sp *SAMLServiceProvider) VerifyAssertionConditions(assertion *types.Assertion) (*WarningInfo, error) {
 	warningInfo := &WarningInfo{}
 	now := sp.Clock.Now()
@@ -77,7 +77,9 @@ func (sp *SAMLServiceProvider) VerifyAssertionConditions(assertion *types.Assert
 		return nil, ErrParsing{Tag: NotBeforeAttr, Value: conditions.NotBefore, Type: "time.RFC3339"}
 	}
 
-	if now.Before(notBefore) {
+	allowedSkew := sp.AllowClockSkew
+
+	if now.Before(notBefore.Add(-allowedSkew)) {
 		warningInfo.InvalidTime = true
 	}
 
@@ -90,7 +92,7 @@ func (sp *SAMLServiceProvider) VerifyAssertionConditions(assertion *types.Assert
 		return nil, ErrParsing{Tag: NotOnOrAfterAttr, Value: conditions.NotOnOrAfter, Type: "time.RFC3339"}
 	}
 
-	if now.After(notOnOrAfter) {
+	if now.After(notOnOrAfter.Add(allowedSkew)) {
 		warningInfo.InvalidTime = true
 	}
 
@@ -131,8 +133,8 @@ func (sp *SAMLServiceProvider) VerifyAssertionConditions(assertion *types.Assert
 	return warningInfo, nil
 }
 
-//Validate ensures that the assertion passed is valid for the current Service
-//Provider.
+// Validate ensures that the assertion passed is valid for the current Service
+// Provider.
 func (sp *SAMLServiceProvider) Validate(response *types.Response) error {
 	err := sp.validateResponseAttributes(response)
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -92,6 +92,8 @@ type SAMLServiceProvider struct {`
`92`	`92`
`93`	`93`	`signingContextMu sync.RWMutex`
`94`	`94`	`signingContext *dsig.SigningContext`
	`95`	`+`
	`96`	`+ AllowClockSkew time.Duration`
`95`	`97`	`}`
`96`	`98`
`97`	`99`	`// SetSPKeyStore sets the encryption key to be used.`