python: Fix ticket timestamp conversion when local timezone is not UTC

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index d8193ae9cdc303583196d7c44edb59a04e4549a2..e345f739e1c0d2b43504c1b7d9affc0ee554cc45 100644 (file)
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -18,7 +18,7 @@
 
 import sys
 import os
-from datetime import datetime
+from datetime import datetime, timezone
 import tempfile
 
 sys.path.insert(0, "bin/python")
@@ -519,11 +519,26 @@ class KDCBaseTest(RawKerberosTest):
         cred.server = sprincipal
         cred.keyblock = keyblock
         cred.authtime = int(datetime.strptime(authtime.decode(),
-                                              "%Y%m%d%H%M%SZ").timestamp())
+                                              "%Y%m%d%H%M%SZ")
+                            .replace(tzinfo=timezone.utc).timestamp())
         cred.starttime = int(datetime.strptime(starttime.decode(),
-                                               "%Y%m%d%H%M%SZ").timestamp())
+                                               "%Y%m%d%H%M%SZ")
+                            .replace(tzinfo=timezone.utc).timestamp())
         cred.endtime = int(datetime.strptime(endtime.decode(),
-                                             "%Y%m%d%H%M%SZ").timestamp())
+                                             "%Y%m%d%H%M%SZ")
+                            .replace(tzinfo=timezone.utc).timestamp())
+
+        # Account for clock skew of up to five minutes.
+        self.assertLess(cred.authtime - 5*60,
+                        datetime.now(timezone.utc).timestamp(),
+                        "Ticket not yet valid - clocks may be out of sync.")
+        self.assertLess(cred.starttime - 5*60,
+                        datetime.now(timezone.utc).timestamp(),
+                        "Ticket not yet valid - clocks may be out of sync.")
+        self.assertGreater(cred.endtime - 60*60,
+                           datetime.now(timezone.utc).timestamp(),
+                           "Ticket already expired/about to expire - clocks may be out of sync.")
+
         cred.renew_till = cred.endtime
         cred.is_skey = 0
         cred.ticket_flags = int(enc_part['flags'], 2)