Added more iat/exp tests.

rohe · rohe · commit 068751ce7e3a · 2020-11-19T11:12:46.000+01:00
diff --git a/src/oidcmsg/oidc/__init__.py b/src/oidcmsg/oidc/__init__.py
@@ -824,6 +824,11 @@ def verify(self, **kwargs):
         else:
             if (_iat + _storage_time) < (_now - _skew):
                 raise IATError('Issued too long ago')
+            elif _iat > _now + _skew:
+                raise IATError('Issued sometime in the future')
+
+        if _exp < _iat:
+            raise IATError('Expiration time can not be earlier the issued at')
 
         if 'nonce' in kwargs and 'nonce' in self:
             if kwargs['nonce'] != self['nonce']:
diff --git a/tests/test_06_oidc.py b/tests/test_06_oidc.py
@@ -23,6 +23,8 @@
 from oidcmsg.exception import OidcMsgError
 from oidcmsg.oauth2 import ResponseMessage
 from oidcmsg.oauth2 import ROPCAccessTokenRequest
+from oidcmsg.oidc import EXPError
+from oidcmsg.oidc import IATError
 from oidcmsg.oidc import JRD
 from oidcmsg.oidc import AccessTokenRequest
 from oidcmsg.oidc import AccessTokenResponse
@@ -929,6 +931,68 @@ def test_id_token():
     idt.verify()
 
 
+def test_id_token_expired():
+    _now = time_util.utc_time_sans_frac()
+
+    idt = IdToken(**{
+        "sub": "553df2bcf909104751cfd8b2",
+        "aud": [
+            "5542958437706128204e0000",
+            "554295ce3770612820620000"
+        ],
+        "auth_time": 1441364872,
+        "azp": "554295ce3770612820620000",
+        "at_hash": "L4Ign7TCAD_EppRbHAuCyw",
+        "iat": _now - 200,
+        "exp": _now - 100,
+        "iss": "https://sso.qa.7pass.ctf.prosiebensat1.com"
+    })
+
+    with pytest.raises(EXPError):
+        idt.verify()
+
+
+def test_id_token_iat_in_the_future():
+    _now = time_util.utc_time_sans_frac()
+
+    idt = IdToken(**{
+        "sub": "553df2bcf909104751cfd8b2",
+        "aud": [
+            "5542958437706128204e0000",
+            "554295ce3770612820620000"
+        ],
+        "auth_time": 1441364872,
+        "azp": "554295ce3770612820620000",
+        "at_hash": "L4Ign7TCAD_EppRbHAuCyw",
+        "iat": _now + 600,
+        "exp": _now + 1200,
+        "iss": "https://sso.qa.7pass.ctf.prosiebensat1.com"
+    })
+
+    with pytest.raises(IATError):
+        idt.verify()
+
+
+def test_id_token_exp_before_iat():
+    _now = time_util.utc_time_sans_frac()
+
+    idt = IdToken(**{
+        "sub": "553df2bcf909104751cfd8b2",
+        "aud": [
+            "5542958437706128204e0000",
+            "554295ce3770612820620000"
+        ],
+        "auth_time": 1441364872,
+        "azp": "554295ce3770612820620000",
+        "at_hash": "L4Ign7TCAD_EppRbHAuCyw",
+        "iat": _now + 50,
+        "exp": _now,
+        "iss": "https://sso.qa.7pass.ctf.prosiebensat1.com"
+    })
+
+    with pytest.raises(IATError):
+        idt.verify(skew=100)
+
 class TestAccessTokenRequest(object):
     def test_example(self):
         _txt = 'grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA' \
