Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New Feature: Clockskew #84

Open
wants to merge 10 commits into
base: master
Choose a base branch
from
6 changes: 4 additions & 2 deletions DependencyInjection/Security/Factory/Factory.php
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,8 @@ public function create(ContainerBuilder $container, $id, $config, $userProviderI
->replaceArgument(3, new Reference($this->encoderId))
->replaceArgument(4, new Reference($this->nonceCacheId))
->replaceArgument(5, $config['lifetime'])
->replaceArgument(6, $config['date_format']);
->replaceArgument(6, $config['date_format'])
->replaceArgument(7, $config['clock_skew']);

$entryPointId = $this->createEntryPoint($container, $id, $config, $defaultEntryPoint);

Expand Down Expand Up @@ -99,7 +100,8 @@ public function addConfiguration(NodeDefinition $node)
->scalarNode('date_format')->defaultValue(
'/^([\+-]?\d{4}(?!\d{2}\b))((-?)((0[1-9]|1[0-2])(\3([12]\d|0[1-9]|3[01]))?|W([0-4]\d|5[0-2])(-?[1-7])?|(00[1-9]|0[1-9]\d|[12]\d{2}|3([0-5]\d|6[1-6])))([T\s]((([01]\d|2[0-3])((:?)[0-5]\d)?|24\:?00)([\.,]\d+(?!:))?)?(\17[0-5]\d([\.,]\d+)?)?([zZ]|([\+-])([01]\d|2[0-3]):?([0-5]\d)?)?)?)?$/'
)->end()
->arrayNode('encoder')
->scalarNode('clock_skew')->defaultValue(0)->end()
->arrayNode('encoder')
->children()
->scalarNode('algorithm')->end()
->scalarNode('encodeHashAsBase64')->end()
Expand Down
2 changes: 1 addition & 1 deletion Resources/config/services.yml
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
services:
escape_wsse_authentication.provider:
class: '%escape_wsse_authentication.provider.class%'
arguments: ['@security.user_checker', null, null, null, null, 300, '/^([\+-]?\d{4}(?!\d{2}\b))((-?)((0[1-9]|1[0-2])(\3([12]\d|0[1-9]|3[01]))?|W([0-4]\d|5[0-2])(-?[1-7])?|(00[1-9]|0[1-9]\d|[12]\d{2}|3([0-5]\d|6[1-6])))([T\s]((([01]\d|2[0-3])((:?)[0-5]\d)?|24\:?00)([\.,]\d+(?!:))?)?(\17[0-5]\d([\.,]\d+)?)?([zZ]|([\+-])([01]\d|2[0-3]):?([0-5]\d)?)?)?)?$/']
arguments: ['@security.user_checker', null, null, null, null, 300, '/^([\+-]?\d{4}(?!\d{2}\b))((-?)((0[1-9]|1[0-2])(\3([12]\d|0[1-9]|3[01]))?|W([0-4]\d|5[0-2])(-?[1-7])?|(00[1-9]|0[1-9]\d|[12]\d{2}|3([0-5]\d|6[1-6])))([T\s]((([01]\d|2[0-3])((:?)[0-5]\d)?|24\:?00)([\.,]\d+(?!:))?)?(\17[0-5]\d([\.,]\d+)?)?([zZ]|([\+-])([01]\d|2[0-3]):?([0-5]\d)?)?)?)?$/',0]

escape_wsse_authentication.listener:
class: '%escape_wsse_authentication.listener.class%'
Expand Down
10 changes: 7 additions & 3 deletions Security/Core/Authentication/Provider/Provider.php
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ class Provider implements AuthenticationProviderInterface
private $nonceCache;
private $lifetime;
private $dateFormat;
private $clockSkew;

/**
* Constructor.
Expand All @@ -36,15 +37,17 @@ class Provider implements AuthenticationProviderInterface
* @param Cache $nonceCache The nonce cache
* @param int $lifetime The lifetime
* @param string $dateFormat The date format
*/
* @param int $clockSkew The margin in seconds to mitigate clock skew
*/
public function __construct(
UserCheckerInterface $userChecker,
UserProviderInterface $userProvider,
$providerKey,
PasswordEncoderInterface $encoder,
Cache $nonceCache,
$lifetime=300,
$dateFormat='/^([\+-]?\d{4}(?!\d{2}\b))((-?)((0[1-9]|1[0-2])(\3([12]\d|0[1-9]|3[01]))?|W([0-4]\d|5[0-2])(-?[1-7])?|(00[1-9]|0[1-9]\d|[12]\d{2}|3([0-5]\d|6[1-6])))([T\s]((([01]\d|2[0-3])((:?)[0-5]\d)?|24\:?00)([\.,]\d+(?!:))?)?(\17[0-5]\d([\.,]\d+)?)?([zZ]|([\+-])([01]\d|2[0-3]):?([0-5]\d)?)?)?)?$/'
$dateFormat='/^([\+-]?\d{4}(?!\d{2}\b))((-?)((0[1-9]|1[0-2])(\3([12]\d|0[1-9]|3[01]))?|W([0-4]\d|5[0-2])(-?[1-7])?|(00[1-9]|0[1-9]\d|[12]\d{2}|3([0-5]\d|6[1-6])))([T\s]((([01]\d|2[0-3])((:?)[0-5]\d)?|24\:?00)([\.,]\d+(?!:))?)?(\17[0-5]\d([\.,]\d+)?)?([zZ]|([\+-])([01]\d|2[0-3]):?([0-5]\d)?)?)?)?$/',
$clockSkew = 0
)
{
if(empty($providerKey))
Expand All @@ -59,6 +62,7 @@ public function __construct(
$this->nonceCache = $nonceCache;
$this->lifetime = $lifetime;
$this->dateFormat = $dateFormat;
$this->clockSkew = $clockSkew;
}

public function authenticate(TokenInterface $token)
Expand Down Expand Up @@ -154,7 +158,7 @@ protected function getCurrentTime()

protected function isTokenFromFuture($created)
{
return strtotime($created) > strtotime($this->getCurrentTime());
return strtotime($created) - $this->clockSkew > strtotime($this->getCurrentTime());
Copy link
Owner

@djoos djoos Sep 19, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we take clock skew (offset) into consideration upon determination whether the token is from the future (by subtracting the skew from the created time), shouldn't we also take the same clock skew (offset) into consideration when determining whether the token is valid (by adding the skew to the created time)?

Perhaps extracting https://github.com/hostage-nl/EscapeWSSEAuthenticationBundle/blob/0b1c36e8151049aba7beeaa27045dd19ca30d65d/Security/Core/Authentication/Provider/Provider.php#L125-L129 into a isTokenExpired-method, where clock skew is used as follows?
strtotime($this->getCurrentTime()) - strtotime($created) - $this->clockSkew > $this->lifetime

Copy link
Author

@hostage-nl hostage-nl Oct 19, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, i initially implemented something like this, but the opposite. Your solution would limit the lifetime with correctly synced clocks. I considered the clock skew to be a margin of acceptable error, the allowed time difference between the client clock and the systems clock. So the clock skew would have to be added to the current time, so that a client clock which would be in de past, would have an extended lifetime of clock skew seconds.

Then i thought, is this really a nice to have feature? For a client clock being set to 29 secs in to the future and a clock skew setting of 30 secs, this would mean extending the lifetime by 59 seconds, which didn't feel like something that would be desirable.

I came to the conclusion it would be better to determine the clock skew automatically by determining the difference between the "Created" timestamp of the requesting WSSE header and the servers current time. I was confused about if it would be possible to create something like this, and because the project i was working on was fixed by my patch, i moved on and forgot about it.

So for now i would suggest not using the clock skew for expiration time and maybe file a feature request for dynamic determination of the clock skew.

}

protected function isFormattedCorrectly($created)
Expand Down
7 changes: 5 additions & 2 deletions Tests/DependencyInjection/Security/Factory/FactoryTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@ public function testCreate()
$profile = 'someprofile';
$lifetime = 300;
$date_format = '/^([\+-]?\d{4}(?!\d{2}\b))((-?)((0[1-9]|1[0-2])(\3([12]\d|0[1-9]|3[01]))?|W([0-4]\d|5[0-2])(-?[1-7])?|(00[1-9]|0[1-9]\d|[12]\d{2}|3([0-5]\d|6[1-6])))([T\s]((([01]\d|2[0-3])((:?)[0-5]\d)?|24\:?00)([\.,]\d+(?!:))?)?(\17[0-5]\d([\.,]\d+)?)?([zZ]|([\+-])([01]\d|2[0-3]):?([0-5]\d)?)?)?)?$/';
$clock_skew = 0;

$algorithm = 'sha1';
$encodeHashAsBase64 = true;
Expand All @@ -68,7 +69,8 @@ public function testCreate()
'profile' => $profile,
'encoder' => $encoder,
'lifetime' => $lifetime,
'date_format' => $date_format
'date_format' => $date_format,
'clock_skew' => $clock_skew
),
'user_provider',
'entry_point'
Expand Down Expand Up @@ -108,7 +110,8 @@ public function testCreate()
'index_3' => new Reference($encoderId),
'index_4' => new Reference($nonceCacheId),
'index_5' => $lifetime,
'index_6' => $date_format
'index_6' => $date_format,
'index_7' => $clock_skew
),
$definition->getArguments()
);
Expand Down