Fix clock skew calculations (#158)

Previously, the clock skew was applied in the wrong direction. Credentials whose expiration time had already passed according to the system clock were still considered valid and sent to the server. This is the opposite of what we wanted to happen. This fixes it so that we report that credentials are expired slightly before the system clock thinks they've expired.
diff --git a/tests/test_credentials.py b/tests/test_credentials.py
index c2ff844..b5a540d 100644
--- a/tests/test_credentials.py
+++ b/tests/test_credentials.py
@@ -38,21 +38,19 @@
     assert credentials.valid
     assert not credentials.expired
 
-    # Set the expiration in the past, but because of clock skew accomodation
-    # the credentials should still be valid.
+    # Set the expiration to one second more than now plus the clock skew
+    # accomodation. These credentials should be valid.
     credentials.expiry = (
-        datetime.datetime.utcnow() -
+        datetime.datetime.utcnow() +
+        _helpers.CLOCK_SKEW +
         datetime.timedelta(seconds=1))
 
     assert credentials.valid
     assert not credentials.expired
 
-    # Set the credentials far enough in the past to exceed the clock skew
-    # accomodation. They should now be expired.
-    credentials.expiry = (
-        datetime.datetime.utcnow() -
-        _helpers.CLOCK_SKEW -
-        datetime.timedelta(seconds=1))
+    # Set the credentials expiration to now. Because of the clock skew
+    # accomodation, these credentials should report as expired.
+    credentials.expiry = datetime.datetime.utcnow()
 
     assert not credentials.valid
     assert credentials.expired
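Review bot: The expired case at the end of the hunk sets `credentials.expiry = datetime.datetime.utcnow()`, which would also report expired if the skew were ignored entirely, so neither assertion pair pins the skew window itself. Setting the expiry just inside the window, `credentials.expiry = datetime.datetime.utcnow() + _helpers.CLOCK_SKEW - datetime.timedelta(seconds=1)`, would fail if the adjustment were dropped or shrunk. This assumes `expired` compares the expiry against the skew-adjusted current time, which is not visible in the hunk. The valid case leaves only a one-second margin against the real clock, so a slow runner could make it flaky; a wider margin or a patched time source would be steadier. The enclosing test function begins outside the hunk.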