authorJozef Knaperek <jknaperek@gmail.com>2016-02-03 13:41:48 +0100
committerJozef Knaperek <jknaperek@gmail.com>2016-02-03 13:41:48 +0100
commit9a3b3849df2b8a337f9d130de68024fec13363ee (patch)
treebc9d26ba52410979006557c48c0fc31706dece95
parent0e4f5fa48b1965b269f69bd383bbfbde6b41ac63 (diff)
downloadpysaml2-9a3b3849df2b8a337f9d130de68024fec13363ee.tar.gz
Fix timestamp validation error message
This fixes 2 things: 1.) First, the values were exchanged according to the comparison order 2.) Second, the slack was not included in the messages, leaving the possibility of printing a confusing message. I decided to add or subtract (respectively) the slack from "now" instead of nooa/nbefore, since "now" is more volatile and there's a better chance that people could try to search for the nooa/nbefore numbers in the dumps (encapsulated in SAML messages) rather than for the ever-changing value of "now".
-rw-r--r--src/saml2/validate.py5
1 files changed, 2 insertions, 3 deletions
diff --git a/src/saml2/validate.py b/src/saml2/validate.py
index 93b50f61..b7497731 100644
--- a/src/saml2/validate.py
+++ b/src/saml2/validate.py
@@ -91,7 +91,7 @@ def validate_on_or_after(not_on_or_after, slack):
nooa = calendar.timegm(time_util.str_to_time(not_on_or_after))
if now > nooa + slack:
raise ResponseLifetimeExceed(
- "Can't use it, it's too old %d > %d".format(nooa, now))
+ "Can't use it, it's too old %d > %d".format(now - slack, nooa))
return nooa
else:
return False
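Review bot: The new `ResponseLifetimeExceed` message is still built with `str.format()` on a string whose only placeholders are `%d`, so `now - slack` and `nooa` are never substituted and the exception text remains the literal `%d > %d`. Switching to the `%` operator, as the `validate_before` hunk already does, makes the reordered operands actually appear: `"Can't use it, it's too old %d > %d" % (now - slack, nooa))`. A rejection of an expired assertion that carries no timestamps is hard to triage from logs, which is what this commit sets out to improve. The body of `validate_on_or_after` starts outside this hunk.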
@@ -102,8 +102,7 @@ def validate_before(not_before, slack):
now = time_util.utc_now()
nbefore = calendar.timegm(time_util.str_to_time(not_before))
if nbefore > now + slack:
- raise ToEarly("Can't use it yet %d <= %d" % (nbefore,
- now))
+ raise ToEarly("Can't use it yet %d <= %d" % (now + slack, nbefore))
return True
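Review bot: The operator printed in the `ToEarly` message does not match the check that raises it: the condition is `nbefore > now + slack`, a strict comparison, while the text reports `<=`. With the operands now in comparison order, the message would be exact as `raise ToEarly("Can't use it yet %d < %d" % (now + slack, nbefore))`. The start of `validate_before` is outside this hunk.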