-
-
Notifications
You must be signed in to change notification settings - Fork 567
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
v2.0: Remove settings.compress_request and compess_response parameters #689
v2.0: Remove settings.compress_request and compess_response parameters #689
Conversation
Im worried about other libraries using settings.compress_request and settings.compress_response for building its own bindings, not covered by RubySaml. Can we instead of removing the settings, give the "default" binding behavior if no settings.compress_request and settings.compress_response was set? |
@pitbulk how about we keep the parameters methods but remove their functionality and simply have them display a "deprecated" message if you attempt to access or set them?
The problem with these parameters is that POST binding MUST NOT be compressed, and Redirect binding MUST always be compressed. Any other configuration is invalid, so continuing to support these will only cause issues. See this answer: https://stackoverflow.com/a/21578282 The reason we have these parameters is that they pre-date the introduction of the (Another option is to do the above deprecation on 1.7.0, and remove entirely in 2.0.0) |
…arameters. Set their behavior automatically based on settings.idp_sso_service_binding and settings.idp_slo_service_binding respectively. HTTP-Redirect will always use compression, while HTTP-POST will not.
75c8dc2
to
0df35e6
Compare
My proposal: At settings.rb, set the default values as:
Create at utils.rb an auxiliary like:
Then in authrequest.rb for example:
Or at slo_logoutresponse.rb
Also, Leave but add a deprecation warning to:
And create a new
That way, we don't break code using encode_raw_saml, and we don't break code that extends this library and, for example, implements HTTP-Artifact binding and uses settings.compress_request and settings.compress_response. We are introducing a lot of refactoring in 2.X and I guess people will like to jump to this branch, but if we introduce a lot of changes and do not maintain backward compatibility, we will have the risk of not having the right adoption and project with low maintenance will stay forever in 1.X |
@pitbulk Is your concern is specifically about the If so, how about this:
def encode_raw_saml(saml, settings_or_compress)
saml = deflate(saml) if settings_or_compress.is_a?(TrueClass)
unless settings_or_compress.respond_to?(:compress_request) && settings_or_compress.compress_request.nil?
log_deprecation_warning("[DEPRECATION WARNING] Please change the second argument of `encode_raw_saml_message` to a boolean indicating whether or not to use compression. Using a boolean will be required in RubySaml 2.1.0.")
saml = deflate(saml) if settings_or_compress.compress_request
end
CGI.escape(encode(saml))
end
(It should be noted that I am going to insist that aside from preserving the behavior of |
My concern is that people could be using Settings.compress_request and Settings.compress_response at its code. Are you against using the aux may_compress_message? In 2.1, if we remove compress_request and compress_response, we can refactor this aux method without touching the rest of the code. I'm ok with the encode_raw_saml idea you proposed, but maybe:
And later in 2.1, we simply:
|
I really think it's not needed. We should simply inform people to properly use the existing
Your code raises a dep message if def encode_raw_saml(saml, settings_or_compress)
if settings_or_compress.is_a?(TrueClass)
saml = deflate(saml)
elsif settings_or_compress.respond_to?(:compress_request)
log_deprecation_warning("[DEPRECATION WARNING] Please change the second argument of `encode_raw_saml_message` to a boolean indicating whether or not to use compression. Using a boolean will be required in RubySaml 2.1.0.")
saml = deflate(saml) if settings_or_compress.compress_request
end
CGI.escape(encode(saml))
end
Yes agreed to this |
Moved to #695 |
Fixes #676
Remove the
settings.compress_request
andsettings.compress_response
parameters. Set their behavior automatically based onsettings.idp_sso_service_binding
andsettings.idp_slo_service_binding
respectively.HTTP-Redirect
will always use compression, whileHTTP-POST
will not.(Compressing HTTP-POST is non-sensical, while most SAML services will fail if you don't compress redirects, and you may even hit the 2048 char URL limit.)