Merge pull request #72 from wellnet/clock_skew

Add a new accepted_clock_skew_seconds settings

README.md

@@ -148,7 +148,10 @@ $settings = array(
         ["fiscalNumber"],
         ["name", "familyName", "fiscalNumber", "email", "spidCode"],
         ...
-    ]
+    ],
+    // Time in seconds of skew that is acceptable between client and server when checking OnBefore and NotOnOrAfter
+    // assertion condition validity timestamps. Default is 0
+    'accepted_clock_skew_seconds' => 3600
 );
 ```
 

src/Spid/Saml/In/Response.php

@@ -18,6 +18,8 @@ public function __construct(Saml $saml)
 
     public function validate($xml, $hasAssertion): bool
     {
+        $accepted_clock_skew_seconds = isset($this->saml->settings['accepted_clock_skew_seconds']) ? $this->saml->settings['accepted_clock_skew_seconds'] : 0;
+
         $root = $xml->getElementsByTagName('Response')->item(0);
 
         if ($root->getAttribute('Version') == "") {
@@ -51,9 +53,9 @@ public function validate($xml, $hasAssertion): bool
             }
             if ($xml->getElementsByTagName('Conditions')->length == 0) {
                 throw new \Exception("Missing Conditions attribute");
-            } elseif ($xml->getElementsByTagName('Conditions')->item(0)->getAttribute('NotBefore') == "" || strtotime($xml->getElementsByTagName('Conditions')->item(0)->getAttribute('NotBefore')) > strtotime('now')) {
+            } elseif ($xml->getElementsByTagName('Conditions')->item(0)->getAttribute('NotBefore') == "" || strtotime($xml->getElementsByTagName('Conditions')->item(0)->getAttribute('NotBefore')) > strtotime('now') + $accepted_clock_skew_seconds) {
                 throw new \Exception("Invalid NotBefore attribute");
-            } elseif ($xml->getElementsByTagName('Conditions')->item(0)->getAttribute('NotOnOrAfter') == "" || strtotime($xml->getElementsByTagName('Conditions')->item(0)->getAttribute('NotOnOrAfter')) < strtotime('now')) {
+            } elseif ($xml->getElementsByTagName('Conditions')->item(0)->getAttribute('NotOnOrAfter') == "" || strtotime($xml->getElementsByTagName('Conditions')->item(0)->getAttribute('NotOnOrAfter')) <= strtotime('now') - $accepted_clock_skew_seconds) {
                 throw new \Exception("Invalid NotOnOrAfter attribute");
             }
             if ($xml->getElementsByTagName('AudienceRestriction')->length == 0) {
@@ -75,7 +77,7 @@ public function validate($xml, $hasAssertion): bool
                 throw new \Exception("Missing SubjectConfirmationData attribute");
             } elseif ($xml->getElementsByTagName('SubjectConfirmationData')->item(0)->getAttribute('InResponseTo') != $_SESSION['RequestID']) {
                 throw new \Exception("Invalid SubjectConfirmationData attribute, expected " . $_SESSION['RequestID'] . " but received " . $xml->getElementsByTagName('SubjectConfirmationData')->item(0)->getAttribute('InResponseTo'));
-            } elseif (strtotime($xml->getElementsByTagName('SubjectConfirmationData')->item(0)->getAttribute('NotOnOrAfter')) < strtotime('now')) {
+            } elseif (strtotime($xml->getElementsByTagName('SubjectConfirmationData')->item(0)->getAttribute('NotOnOrAfter')) <= strtotime('now') - $accepted_clock_skew_seconds) {
                 throw new \Exception("Invalid NotOnOrAfter attribute");
             } elseif ($xml->getElementsByTagName('SubjectConfirmationData')->item(0)->getAttribute('Recipient') != $_SESSION['acsUrl']) {
                 throw new \Exception("Invalid Recipient attribute, expected " . $_SESSION['acsUrl'] . " but received " . $xml->getElementsByTagName('SubjectConfirmationData')->item(0)->getAttribute('Recipient'));

src/Spid/Saml/Settings.php

@@ -28,7 +28,8 @@ class Settings
                 'emailAddress' => self::REQUIRED
             ]
         ],
-        'idp_metadata_folder' => self::REQUIRED
+        'idp_metadata_folder' => self::REQUIRED,
+        'accepted_clock_skew_seconds' => self::NOT_REQUIRED
     ];
 
     private static $validAttributeFields = [
@@ -211,5 +212,13 @@ private static function checkSettingsValues($settings)
                 throw new \Exception('sp_key_cert_values countryName should be a 2 characters country code');
             }
         }
+        if (isset($settings['accepted_clock_skew_seconds'])) {
+          if (!is_numeric($settings['accepted_clock_skew_seconds'])) {
+            throw new \Exception('accepted_clock_skew_seconds should be a number');
+          }
+          if ($settings['accepted_clock_skew_seconds'] < 0) {
+            throw new \Exception('accepted_clock_skew_seconds should be greater than 0');
+          }
+        }
     }
 }