pyatls: make max clock skew configurable, version 0.0.6 (#16)

* pyatls: make max clock skew configurable Make the maximum tolerable clock skew configurable to account for the large skews observed in Azure services. This change introduces the following environment variable: - PYATLS_CLOCK_SKEW_SECONDS_MAX * pyatls: version 0.0.6
opaque-systems · May 24, 2024 · ccba326 · ccba326
1 parent 8f86719
commit ccba326
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 3 deletions.
diff --git a/python-package/pyproject.toml b/python-package/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "pyatls"
-version = "0.0.5"
+version = "0.0.6"
 description = "A Python package that implements Attested TLS (aTLS)."
 readme = "README.md"
 authors = [{ name = "Opaque Systems", email = "[email protected]" }]

diff --git a/python-package/src/atls/validators/azure/aas/aci_validator.py b/python-package/src/atls/validators/azure/aas/aci_validator.py
@@ -2,6 +2,7 @@
 import hashlib
 import json
 import logging
+import os
 from datetime import timedelta
 from typing import Any, Dict, List, Optional
 
@@ -251,10 +252,14 @@ def _verify_and_decode_token(
     """
     hdr = jwt.get_unverified_header(token)
 
+    max_skew: int = int(os.getenv("PYATLS_CLOCK_SKEW_SECONDS_MAX", 5))
+    delta = timedelta(seconds=max_skew)
+
+    logger.debug("Max allowed clock skew is %s", delta)
+
     return jwt.decode(
         token,
         _get_key_by_header(hdr, jkus),
         [hdr["alg"]],
-        # Account for clock skew
-        leeway=timedelta(seconds=5),
+        leeway=delta,
     )