change MaxClockOffset (renamed) to 15 min and use duration type (#3438)

2019-11-04 11:39:43 +01:00 · 2019-11-04 11:39:43 +01:00 · 3a842bf53f
commit 3a842bf53f
parent 84fea5820f
4 changed files with 22 additions and 16 deletions
--- a/certificate/authorization/authorizations.go
+++ b/certificate/authorization/authorizations.go
@ -13,6 +13,7 @@ import (
 	"fmt"
 	"strconv"
 	"strings"
+	"time"

 	"github.com/btcsuite/btcutil/base58"
 	"github.com/zeebo/errs"
@ -26,12 +27,12 @@ import (
 const (
 	// Bucket is the bucket used with a bolt-backed authorizations DB.
 	Bucket = "authorizations"
-	// MaxClaimDelaySeconds is the max duration in seconds in the past or
+	// MaxClockOffset is the max duration in seconds in the past or
 	// future that a claim timestamp is allowed to have and still be valid.
-	MaxClaimDelaySeconds = 15
-	tokenDataLength      = 64 // 2^(64*8) =~ 1.34E+154
-	tokenDelimiter       = ":"
-	tokenVersion         = 0
+	MaxClockOffset  = 5 * time.Minute
+	tokenDataLength = 64 // 2^(64*8) =~ 1.34E+154
+	tokenDelimiter  = ":"
+	tokenVersion    = 0
 )

 var (
--- a/certificate/authorization/authorizations_test.go
+++ b/certificate/authorization/authorizations_test.go
@ -236,10 +236,10 @@ func TestAuthorizationDB_Claim_Valid(t *testing.T) {
 		},
 	}

-	now := time.Now().Unix()
+	now := time.Now()
 	req := &pb.SigningRequest{
 		AuthToken: auths[0].Token.String(),
-		Timestamp: now,
+		Timestamp: now.Unix(),
 	}
 	difficulty, err := ident.ID.Difficulty()
 	require.NoError(t, err)
@ -262,9 +262,11 @@ func TestAuthorizationDB_Claim_Valid(t *testing.T) {
 	claim := updatedAuths[0].Claim
 	assert.Equal(t, peer.Addr.String(), claim.Addr)
 	assert.Equal(t, [][]byte{ident.CA.Raw}, claim.SignedChainBytes)
+
+	claimTime := time.Unix(claim.Timestamp, 0)
 	assert.Condition(t, func() bool {
-		return now-MaxClaimDelaySeconds < claim.Timestamp &&
-			claim.Timestamp < now+MaxClaimDelaySeconds
+		return now.Sub(claimTime) < MaxClockOffset &&
+			claimTime.Sub(now) < MaxClockOffset
 	})
 }

--- a/certificate/authorization/db.go
+++ b/certificate/authorization/db.go
@ -170,9 +170,10 @@ func (authDB *DB) List(ctx context.Context) (auths Group, err error) {
 // Claim marks an authorization as claimed and records claim information.
 func (authDB *DB) Claim(ctx context.Context, opts *ClaimOpts) (err error) {
 	defer mon.Task()(&ctx)(&err)
-	now := time.Now().Unix()
-	if !(now-MaxClaimDelaySeconds < opts.Req.Timestamp) ||
-		!(opts.Req.Timestamp < now+MaxClaimDelaySeconds) {
+	now := time.Now()
+	reqTime := time.Unix(opts.Req.Timestamp, 0)
+	if (now.Sub(reqTime) > MaxClockOffset) ||
+		(reqTime.Sub(now) > MaxClockOffset) {
 		return Error.New("claim timestamp is outside of max delay window: %d", opts.Req.Timestamp)
 	}

@ -209,7 +210,7 @@ func (authDB *DB) Claim(ctx context.Context, opts *ClaimOpts) (err error) {
 			auths[i] = &Authorization{
 				Token: auth.Token,
 				Claim: &Claim{
-					Timestamp:        now,
+					Timestamp:        now.Unix(),
 					Addr:             opts.Peer.Addr.String(),
 					Identity:         ident,
 					SignedChainBytes: opts.ChainBytes,
--- a/certificate/peer_test.go
+++ b/certificate/peer_test.go
@ -196,13 +196,15 @@ func TestCertificateSigner_Sign(t *testing.T) {
 			require.NotEmpty(t, updatedAuths)
 			require.NotNil(t, updatedAuths[0].Claim)

-			now := time.Now().Unix()
 			claim := updatedAuths[0].Claim
 			assert.Equal(t, expectedAddr.String(), claim.Addr)
 			assert.Equal(t, res.Chain, claim.SignedChainBytes)
+
+			now := time.Now()
+			claimTime := time.Unix(claim.Timestamp, 0)
 			assert.Condition(t, func() bool {
-				return now-authorization.MaxClaimDelaySeconds < claim.Timestamp &&
-					claim.Timestamp < now+authorization.MaxClaimDelaySeconds
+				return now.Sub(claimTime) < authorization.MaxClockOffset &&
+					claimTime.Sub(now) < authorization.MaxClockOffset
 			})
 		})
 	})