increase clock tolerance during rest secret check (#1923)

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm

@@ -238,9 +238,10 @@ sub defaultValues {
               'http://auth.example.com/Lemonldap/NG/Common/PSGI/SOAPService',
             'proxy' => 'http://auth.example.com/sessions'
         },
-        'requireToken'     => 1,
-        'rest2fActivation' => 0,
-        'restAuthnLevel'   => 2,
+        'requireToken'       => 1,
+        'rest2fActivation'   => 0,
+        'restAuthnLevel'     => 2,
+        'restClockTolerance' => 15,
         'samlAttributeAuthorityDescriptorAttributeServiceSOAP' =>
           'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;',
         'samlAuthnContextMapKerberos'                   => 4,

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm

@@ -2626,6 +2626,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
         'restAuthUrl' => {
             'type' => 'url'
         },
+        'restClockTolerance' => {
+            'default' => 15,
+            'type'    => 'int'
+        },
         'restConfigServer' => {
             'default' => 0,
             'type'    => 'bool'

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm

@@ -1811,6 +1811,12 @@ sub attributes {
             documentation =>
               'Allow to export secret keys in REST session server',
         },
+        restClockTolerance => {
+            default => 15,
+            type    => 'int',
+            documentation =>
+              'How tolerant the REST session server will be to clock dift',
+        },
         restConfigServer => {
             default       => 0,
             type          => 'bool',

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm

@@ -581,9 +581,9 @@ sub tree {
                             form  => 'simpleInputContainer',
                             nodes => [
                                 'wsdlServer',           'restSessionServer',
-                                'restExportSecretKeys', 'restConfigServer',
-                                'soapSessionServer',    'soapConfigServer',
-                                'exportedAttr',
+                                'restExportSecretKeys', 'restClockTolerance',
+                                'restConfigServer',     'soapSessionServer',
+                                'soapConfigServer',     'exportedAttr',
                             ]
                         },
                         {

lemonldap-ng-manager/site/htdocs/static/languages/ar.json

@@ -740,6 +740,7 @@
 "restPwdConfirmUrl":"عنوان اليو آر إل لتأكيد كلمة المرور",
 "restPwdModifyUrl":"عنوان اليو آر إل لتغيير كلمة المرور",
 "restSessionServer":"خادم جلسة ريست",
+"restClockTolerance":"REST server clock tolerance",
 "restUserDBUrl":"عنوان يو آر إل لبيانات المستخدم",
 "returnUrl":"إرجاع اليو آر إل",
 "rp":"Relying Party",

lemonldap-ng-manager/site/htdocs/static/languages/de.json

@@ -740,6 +740,7 @@
 "restPwdConfirmUrl":"Password confirmation URL",
 "restPwdModifyUrl":"Password change URL",
 "restSessionServer":"REST session server",
+"restClockTolerance":"REST server clock tolerance",
 "restUserDBUrl":"User data URL",
 "returnUrl":"Return URL",
 "rp":"Relying Party",

lemonldap-ng-manager/site/htdocs/static/languages/en.json

@@ -740,6 +740,7 @@
 "restPwdConfirmUrl":"Password confirmation URL",
 "restPwdModifyUrl":"Password change URL",
 "restSessionServer":"REST session server",
+"restClockTolerance":"REST server clock tolerance",
 "restUserDBUrl":"User data URL",
 "returnUrl":"Return URL",
 "rp":"Relying Party",

lemonldap-ng-manager/site/htdocs/static/languages/fr.json

@@ -740,6 +740,7 @@
 "restPwdConfirmUrl":"URL de confirmation de mot-de-passe",
 "restPwdModifyUrl":"URL de modification de mot-de-passe",
 "restSessionServer":"Serveur de sessions REST",
+"restClockTolerance":"Tolérance aux écarts d'horloge",
 "restUserDBUrl":"URL de données utilisateurs",
 "returnUrl":"URL de retour",
 "rp":"Client",

lemonldap-ng-manager/site/htdocs/static/languages/it.json

@@ -740,6 +740,7 @@
 "restPwdConfirmUrl":"URL di conferma password",
 "restPwdModifyUrl":"URL di modifica password",
 "restSessionServer":"Server di sessione REST",
+"restClockTolerance":"REST server clock tolerance",
 "restUserDBUrl":"URL dei dati utente",
 "returnUrl":"URL di ritorno",
 "rp":"Parte facente affidamento",

lemonldap-ng-manager/site/htdocs/static/languages/vi.json

@@ -740,6 +740,7 @@
 "restPwdConfirmUrl":"URL xác nhận mật khẩu",
 "restPwdModifyUrl":"URL thay đổi mật khẩu",
 "restSessionServer":"Máy chủ phiên REST",
+"restClockTolerance":"REST server clock tolerance",
 "restUserDBUrl":"URL dữ liệu người dùng",
 "returnUrl":"Trả lại URL",
 "rp":"Relying Party",

lemonldap-ng-manager/site/htdocs/static/languages/zh.json

@@ -740,6 +740,7 @@
 "restPwdConfirmUrl":"Password confirmation URL",
 "restPwdModifyUrl":"Password change URL",
 "restSessionServer":"REST session server",
+"restClockTolerance":"REST server clock tolerance",
 "restUserDBUrl":"User data URL",
 "returnUrl":"Return URL",
 "rp":"Relying Party",

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm

@@ -213,8 +213,8 @@ sub newSession {
         my $t;
         if ( $t =
                 $self->conf->{cipher}->decrypt($s)
-            and $t <= time
-            and $t > time - 15 )
+            and $t <= time + $self->conf->{restClockTolerance}
+            and $t > time - $self->conf->{restClockTolerance} )
         {
             $force = 1;
         }
@@ -308,8 +308,8 @@ sub updateSession {
         my $t;
         if ( $t =
                 $self->conf->{cipher}->decrypt($s)
-            and $t <= time
-            and $t > time - 30 )
+            and $t <= time + $self->conf->{restClockTolerance}
+            and $t > time - $self->conf->{restClockTolerance} )
         {
             $force = 1;
         }