HPCC-21267 Possible issue in Dali regarding timestamp comparison

When Dali checks the request timestamp to see if it is expired or from the future, it should ignore nanoseconds in order to eliminate occasional unexpected failures. Also, in the case of a failure, add logging of the given request time stamp and the actual Dali time stamp, both in UTC, which should help debug failures. Signed-off-by: Russ Whitehead <william.whitehead@lexisnexisrisk.com>
hpcc-systems · Jan 10, 2019 · a1cb8ce · a1cb8ce
1 parent 145cceb
commit a1cb8ce
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/dali/server/daldap.cpp b/dali/server/daldap.cpp
@@ -164,19 +164,23 @@ class CDaliLdapConnection: implements IDaliLdapConnection, public CInterface
 
                 CDateTime now;
                 now.setNow();
-                if (now.compare(reqUTCTimestamp) < 0)//timestamp from the future?
+                if (now.compare(reqUTCTimestamp, false) < 0)//timestamp from the future?
                 {
-                    ERRLOG("LDAP: getPermissions(%s) scope=%s user=%s Request digital signature timestamp %s from the future",key?key:"NULL",obj?obj:"NULL",username.str(), requestTimestamp.str());
+                    StringBuffer localDaliTimeUTC;
+                    now.getString(localDaliTimeUTC, false);//get UTC timestamp
+                    ERRLOG("LDAP: getPermissions(%s) scope=%s user=%s Request digital signature UTC timestamp %s from the future (Dali UTC time %s)",key?key:"NULL",obj?obj:"NULL",username.str(), requestTimestamp.str(), localDaliTimeUTC.str());
                     return SecAccess_None;//deny
                 }
 
                 CDateTime expiry;
                 expiry.set(now);
                 expiry.adjustTime(requestSignatureExpiryMinutes);//compute expiration timestamp
 
-                if (expiry.compare(reqUTCTimestamp) < 0)//timestamp too far in the past?
+                if (expiry.compare(reqUTCTimestamp, false) < 0)//timestamp too far in the past?
                 {
-                    ERRLOG("LDAP: getPermissions(%s) scope=%s user=%s Expired request digital signature timestamp %s",key?key:"NULL",obj?obj:"NULL",username.str(), requestTimestamp.str());
+                    StringBuffer localDaliTimeUTC;
+                    now.getString(localDaliTimeUTC, false);//get UTC timestamp
+                    ERRLOG("LDAP: getPermissions(%s) scope=%s user=%s Expired request digital signature UTC timestamp %s (Dali UTC time %s, configured expiry %d minutes)",key?key:"NULL",obj?obj:"NULL",username.str(), requestTimestamp.str(), localDaliTimeUTC.str(), requestSignatureExpiryMinutes);
                     return SecAccess_None;//deny
                 }