Commit 94877793 authored by Maxime Besson's avatar Maxime Besson

increase clock tolerance during rest secret check (#1923)

parent 00e91f37
......@@ -238,9 +238,10 @@ sub defaultValues {
'http://auth.example.com/Lemonldap/NG/Common/PSGI/SOAPService',
'proxy' => 'http://auth.example.com/sessions'
},
'requireToken' => 1,
'rest2fActivation' => 0,
'restAuthnLevel' => 2,
'requireToken' => 1,
'rest2fActivation' => 0,
'restAuthnLevel' => 2,
'restClockTolerance' => 15,
'samlAttributeAuthorityDescriptorAttributeServiceSOAP' =>
'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;',
'samlAuthnContextMapKerberos' => 4,
......
......@@ -2626,6 +2626,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'restAuthUrl' => {
'type' => 'url'
},
'restClockTolerance' => {
'default' => 15,
'type' => 'int'
},
'restConfigServer' => {
'default' => 0,
'type' => 'bool'
......
......@@ -1811,6 +1811,12 @@ sub attributes {
documentation =>
'Allow to export secret keys in REST session server',
},
restClockTolerance => {
default => 15,
type => 'int',
documentation =>
'How tolerant the REST session server will be to clock dift',
},
restConfigServer => {
default => 0,
type => 'bool',
......
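Review bot: The documentation string for `restClockTolerance` has a typo (`dift`) and does not state the unit, although the value is added to and subtracted from `time` in the REST session server hunks of this commit, so it is in seconds. I would write `'Clock drift, in seconds, tolerated by the REST session server when checking the secret timestamp'`. The `int` type may also admit negative values, which would make the acceptance window empty; this hunk does not show whether the schema offers a stricter test, but if it does, the attribute should be limited to non-negative integers. The `attributes` sub continues outside the hunk.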
......@@ -581,9 +581,9 @@ sub tree {
form => 'simpleInputContainer',
nodes => [
'wsdlServer', 'restSessionServer',
'restExportSecretKeys', 'restConfigServer',
'soapSessionServer', 'soapConfigServer',
'exportedAttr',
'restExportSecretKeys', 'restClockTolerance',
'restConfigServer', 'soapSessionServer',
'soapConfigServer', 'exportedAttr',
]
},
{
......
......@@ -740,6 +740,7 @@
"restPwdConfirmUrl":"عنوان اليو آر إل لتأكيد كلمة المرور",
"restPwdModifyUrl":"عنوان اليو آر إل لتغيير كلمة المرور",
"restSessionServer":"خادم جلسة ريست",
"restClockTolerance":"REST server clock tolerance",
"restUserDBUrl":"عنوان يو آر إل لبيانات المستخدم",
"returnUrl":"إرجاع اليو آر إل",
"rp":"Relying Party",
......
......@@ -740,6 +740,7 @@
"restPwdConfirmUrl":"Password confirmation URL",
"restPwdModifyUrl":"Password change URL",
"restSessionServer":"REST session server",
"restClockTolerance":"REST server clock tolerance",
"restUserDBUrl":"User data URL",
"returnUrl":"Return URL",
"rp":"Relying Party",
......
......@@ -740,6 +740,7 @@
"restPwdConfirmUrl":"Password confirmation URL",
"restPwdModifyUrl":"Password change URL",
"restSessionServer":"REST session server",
"restClockTolerance":"REST server clock tolerance",
"restUserDBUrl":"User data URL",
"returnUrl":"Return URL",
"rp":"Relying Party",
......
......@@ -740,6 +740,7 @@
"restPwdConfirmUrl":"URL de confirmation de mot-de-passe",
"restPwdModifyUrl":"URL de modification de mot-de-passe",
"restSessionServer":"Serveur de sessions REST",
"restClockTolerance":"Tolérance aux écarts d'horloge",
"restUserDBUrl":"URL de données utilisateurs",
"returnUrl":"URL de retour",
"rp":"Client",
......
......@@ -740,6 +740,7 @@
"restPwdConfirmUrl":"URL di conferma password",
"restPwdModifyUrl":"URL di modifica password",
"restSessionServer":"Server di sessione REST",
"restClockTolerance":"REST server clock tolerance",
"restUserDBUrl":"URL dei dati utente",
"returnUrl":"URL di ritorno",
"rp":"Parte facente affidamento",
......
......@@ -740,6 +740,7 @@
"restPwdConfirmUrl":"URL xác nhận mật khẩu",
"restPwdModifyUrl":"URL thay đổi mật khẩu",
"restSessionServer":"Máy chủ phiên REST",
"restClockTolerance":"REST server clock tolerance",
"restUserDBUrl":"URL dữ liệu người dùng",
"returnUrl":"Trả lại URL",
"rp":"Relying Party",
......
......@@ -740,6 +740,7 @@
"restPwdConfirmUrl":"Password confirmation URL",
"restPwdModifyUrl":"Password change URL",
"restSessionServer":"REST session server",
"restClockTolerance":"REST server clock tolerance",
"restUserDBUrl":"User data URL",
"returnUrl":"Return URL",
"rp":"Relying Party",
......
This source diff could not be displayed because it is too large. You can view the blob instead.
......@@ -213,8 +213,8 @@ sub newSession {
my $t;
if ( $t =
$self->conf->{cipher}->decrypt($s)
and $t <= time
and $t > time - 15 )
and $t <= time + $self->conf->{restClockTolerance}
and $t > time - $self->conf->{restClockTolerance} )
{
$force = 1;
}
......@@ -308,8 +308,8 @@ sub updateSession {
my $t;
if ( $t =
$self->conf->{cipher}->decrypt($s)
and $t <= time
and $t > time - 30 )
and $t <= time + $self->conf->{restClockTolerance}
and $t > time - $self->conf->{restClockTolerance} )
{
$force = 1;
}
......
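Review bot: The new upper bound `$t <= time + $self->conf->{restClockTolerance}` in newSession, repeated in updateSession, accepts timestamps from the future, so a captured secret can stay valid for up to twice the tolerance; nothing visible in these hunks records a used value, so this comparison appears to be the only replay limit. The setting is read straight from configuration with no bound: a large value turns the encrypted timestamp into a long-lived credential, while an undefined one evaluates as 0 and would reject every request. I would normalise it once before the comparison, e.g. `my $tol = $self->conf->{restClockTolerance} // 15; $tol = 0 if $tol < 0;` plus an upper cap the project chooses, and add a comment such as `# $t is the caller's encrypted timestamp; accepted within +/- restClockTolerance seconds`. The past window in updateSession also shrinks from 30 to 15 seconds by default, which deserves a line in the upgrade notes. Both function bodies continue outside the hunks.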