Fix OIDC client expires_at timestamp

fence/models.py

@@ -146,7 +146,9 @@ def get_client_expires_at(expires_in, grant_types):
 
         # for backwards compatibility, 0 means no expiration
         if expires_in != 0:
-            expires_at = (datetime.utcnow() + timedelta(days=expires_in)).timestamp()
+            # do not use `datetime.utcnow()` or the timestamp will be wrong,
+            # `timestamp()` already converts to UTC
+            expires_at = (datetime.now() + timedelta(days=expires_in)).timestamp()
 
     if "client_credentials" in grant_types.split("\n"):
         if not expires_in or expires_in <= 0 or expires_in > 366:

fence/scripting/fence_create.py

@@ -210,7 +210,7 @@ def split_uris(uris):
             return uris
         return uris.split("\n")
 
-    now = datetime.utcnow().timestamp()
+    now = datetime.now().timestamp()
     driver = SQLAlchemyDriver(DB)
     expired_messages = ["Some expired OIDC clients have been deleted!"]
     with driver.session as current_session:

tests/scripting/test_fence-create.py

@@ -223,7 +223,7 @@ def test_create_client_with_expiration(db_session, grant_type, expires_in):
     """
     client_name = "client_with_expiration"
     grant_types = [grant_type]
-    now = datetime.utcnow()
+    now = datetime.now()
 
     def to_test():
         saved_client = db_session.query(Client).filter_by(name=client_name).first()
@@ -1688,7 +1688,7 @@ def test_modify_client_expiration(db_session, expires_in, existing_expiration):
     original_expires_at = client.expires_at
 
     # modify the client's expiration
-    now = datetime.utcnow()
+    now = datetime.now()
     if expires_in in [-10, "not-valid"]:
         with pytest.raises(UserError):
             modify_client_action(