From 568c28d707e44b4f287d1e0bcf58f7c15e16a73f Mon Sep 17 00:00:00 2001
From: Maxime Besson <maxime.besson@worteks.com>
Date: Tue, 2 Jun 2020 20:36:05 +0200
Subject: [PATCH] Fix REST clock tolerance (#2225)

plus a bit of refactoring
---
 .../Lemonldap/NG/Portal/Plugins/RESTServer.pm | 76 +++++++++----------
 1 file changed, 34 insertions(+), 42 deletions(-)

diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
index 16848f67a..e997b9f21 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
@@ -260,24 +260,8 @@ sub newSession {
       or return $self->p->sendError( $req, undef, 400 );
     $infos->{_utime} = time();
 
-    my $force = 0;
-    if ( my $s = delete $infos->{__secret} ) {
-        my $t;
-        if ( $t = $self->conf->{cipher}->decrypt($s) ) {
-            if (    $t <= time + $self->conf->{restClockTolerance}
-                and $t > time - $self->conf->{restClockTolerance} )
-            {
-                $force = 1;
-            }
-            else {
-                $self->userLogger->error( 'Clock drift between servers is'
-                      . ' beyond tolerance, force denied.' );
-            }
-        }
-        else {
-            $self->userLogger->error('Bad key, force denied');
-        }
-    }
+    my $secret = delete $infos->{__secret};
+    my $force  = $self->_checkSecret($secret);
 
     if ( $req->param('all') and not $id ) {
         return $self->p->sendError( $req,
@@ -315,14 +299,13 @@ sub newSession {
 
 sub newAuthSession {
     my ( $self, $req, $id ) = @_;
-    my $t;
-    unless ($t = $req->param('secret')
-        and $t = $self->conf->{cipher}->decrypt($t)
-        and $t <= time
-        and $t > time - 30 )
-    {
+
+    # Check secret
+    my $secret = $req->param('secret');
+    unless ( $self->_checkSecret($secret) ) {
         return $self->p->sendError( $req, 'Bad secret', 403 );
     }
+
     $req->{id}    = $id;
     $req->{force} = 1;
     $req->user( $req->param('user') );
@@ -359,24 +342,8 @@ sub updateSession {
       or return $self->p->sendError( $req, undef, 400 );
 
     # Get secret if given
-    my $force = 0;
-    if ( my $s = delete $infos->{__secret} ) {
-        my $t;
-        if ( $t = $self->conf->{cipher}->decrypt($s) ) {
-            if (    $t <= time + $self->conf->{restClockTolerance}
-                and $t > time - $self->conf->{restClockTolerance} )
-            {
-                $force = 1;
-            }
-            else {
-                $self->userLogger->error( 'Clock drift between servers is'
-                      . ' beyond tolerance, force denied.' );
-            }
-        }
-        else {
-            $self->userLogger->error('Bad key, force denied');
-        }
-    }
+    my $secret = delete $infos->{__secret};
+    my $force  = $self->_checkSecret($secret);
 
     # Get session and store info
     my $session = $self->getApacheSession( $mod, $id, $infos, $force )
@@ -775,4 +742,29 @@ sub getUser {
     }
 }
 
+sub _checkSecret {
+    my ( $self, $secret ) = @_;
+    my $isValid = 0;
+
+    if ($secret) {
+        my $t;
+        if ( $t = $self->conf->{cipher}->decrypt($secret) ) {
+            if (    $t <= time + $self->conf->{restClockTolerance}
+                and $t > time - $self->conf->{restClockTolerance} )
+            {
+                $isValid = 1;
+            }
+            else {
+                $self->logger->error( 'Clock drift between servers is'
+                      . ' beyond tolerance, force denied.' );
+            }
+        }
+        else {
+            $self->logger->error('Bad key, force denied');
+        }
+    }
+    return $isValid;
+
+}
+
 1;