Skip to content

Update dependencies - add new option flags, clean up code #264

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 35 commits into
base: master
Choose a base branch
from
Open

Update dependencies - add new option flags, clean up code #264

wants to merge 35 commits into from

Conversation

sylido
Copy link

@sylido sylido commented Oct 26, 2022

This PR contains a lot of changes

  • updates to dependencies as made in the master branch as well as my fork and @darioackermann's branch that was being updated
  • 3 new options were added to require the NotOnAfter, NotBefore attributes and OneTimeUse element in the Conditions
  • the 3 new options default to false, so that we can keep the current behavior
  • both saml2.coffee files were reformatted for better readability
  • underscore.js was replaced with lodash.js - code has been updated to reflect this change
  • tests have been added for the new flags, with a couple of new XML files derived from the existing ones
  • some PR fixes that were previously not merged in, but I've used for a couple of years now are present - haven't added tests for them, but am open to it
  • added a new testing command "win-test" as I was testing under Windows
  • all 102 tests pass correctly

sylido and others added 30 commits August 2, 2017 17:10
@sylido
Made same changes from PR Clever#109
3d3842d 
Clever#109

This PR is simply to update dependencies. Primarily it is to update xml-encryption, to get this other update included: auth0/node-xml-encryption#28

This is to avoid https://snyk.io/vuln/npm:ejs:20161130
@sylido
Merging in pull request 74
d956fb8 
Clever#74

Also added an extra ? before checking the length of the signed_data_from_complete_saml_response, as per @mgduk's comment.
@sylido
Fixing index.js
c9b3004 
Seems like index.js is supposed to build the coffeescript file, but that never happens with Meteor...
@sylido
Allow multiple authentication statements
53f302a 
In some cases we get multiple authentication statements, as they are not being considered, we will just continue as normal and still use just the first one.
@sylido
Added some logging
dd59d37 
For cases where we have more than 1 authnStatements for whatever reason, we want to log both of them to see why that is happening.
Made some changes that add a new test for the case of having multiple…
7a1f427 
… auth statements.

Added a sample xml file based on the good assertion xml file.
@danailgabenski
Merge remote-tracking branch 'remotes/Clever-origin/master' into Clev…
bf4d5e7 
…er-master-2-9-2022

# Conflicts:
#	Makefile
#	index.js
#	package.json

Resolved all of them in favor of the original package.
@darioackermann
Update saml2.coffee
aedc897
@darioackermann
Update package.json
55fc0c9
@darioackermann
Merge pull request #1 from darioackermann/update-dependencies-and-vul…
da8e801 
…nerabilities

Update saml2.coffee
@darioackermann
Update README.md
3678222
@darioackermann
Create dependabot.yml
88fb4f9
@dependabot
Bump @xmldom/xmldom from 0.7.5 to 0.8.2
7814bc5 
Bumps [@xmldom/xmldom](https://github.com/xmldom/xmldom) from 0.7.5 to 0.8.2.
- [Release notes](https://github.com/xmldom/xmldom/releases)
- [Changelog](https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md)
- [Commits](xmldom/xmldom@0.7.5...0.8.2)

---
updated-dependencies:
- dependency-name: "@xmldom/xmldom"
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump mocha from 8.4.0 to 10.0.0
acac5ba 
Bumps [mocha](https://github.com/mochajs/mocha) from 8.4.0 to 10.0.0.
- [Release notes](https://github.com/mochajs/mocha/releases)
- [Changelog](https://github.com/mochajs/mocha/blob/master/CHANGELOG.md)
- [Commits](mochajs/mocha@v8.4.0...v10.0.0)

---
updated-dependencies:
- dependency-name: mocha
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@darioackermann
Create codeql-analysis.yml
3b9582b
@darioackermann
Merge pull request #2 from darioackermann/dependabot/npm_and_yarn/xml…
c4739b0 
…dom/xmldom-0.8.2

Bump @xmldom/xmldom from 0.7.5 to 0.8.2
@dependabot
Bump xmlbuilder2 from 2.4.1 to 3.0.2
ce667d5 
Bumps [xmlbuilder2](https://github.com/oozcitak/xmlbuilder2) from 2.4.1 to 3.0.2.
- [Release notes](https://github.com/oozcitak/xmlbuilder2/releases)
- [Changelog](https://github.com/oozcitak/xmlbuilder2/blob/master/CHANGELOG.md)
- [Commits](oozcitak/xmlbuilder2@v2.4.1...v3.0.2)

---
updated-dependencies:
- dependency-name: xmlbuilder2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@darioackermann
Merge pull request #4 from darioackermann/dependabot/npm_and_yarn/xml…
11e280e 
…builder2-3.0.2

Bump xmlbuilder2 from 2.4.1 to 3.0.2
@darioackermann
Merge pull request #3 from darioackermann/dependabot/npm_and_yarn/moc…
740c8f4 
…ha-10.0.0

Bump mocha from 8.4.0 to 10.0.0
@darioackermann
Update package.json
544fd9b
Change npmignore, package.json
a5d9711
@darioackermann
Merge pull request Clever#5 from darioackermann/prepare-npm-publish
ea89e07 
Change npmignore, package.json
package.json and README hiccup
51fe067
Update Docu in regard of changed namespace
24e532f
@sylido
Merge branch 'Clever:master' into Clever-master-2-9-2022
f42d69e
@dependabot
Bump xml-crypto from 2.1.4 to 3.0.0
4d922cd 
Bumps [xml-crypto](https://github.com/yaronn/xml-crypto) from 2.1.4 to 3.0.0.
- [Release notes](https://github.com/yaronn/xml-crypto/releases)
- [Commits](node-saml/xml-crypto@v2.1.4...v3.0.0)

---
updated-dependencies:
- dependency-name: xml-crypto
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@danailgabenski
Merge remote-tracking branch 'remotes/dario/master' into dario-master…
e6f423f 
…-10-17-2022

# Conflicts:
#	package.json

Manually resolved conflicts, kept saml2js designation for the name of the package as it's being used through github.
@danailgabenski
Merge remote-tracking branch 'remotes/dario/dependabot/npm_and_yarn/x…
751fcc1 
…ml-crypto-3.0.0' into dario-master-10-17-2022

# Conflicts:
#	package.json
@danailgabenski
Cleaned up code - formatting, spacing, aligned by = or :
d8a84a7
@danailgabenski
Added log for testing.
dd0f84d
@danailgabenski
Merge remote-tracking branch 'remotes/Clever/master' into dario-maste…
2861284 
…r-10-17-2022

# Conflicts:
#	.npmignore
#	README.md
#	lib/saml2.coffee
#	package.json

Resolved conflicts manually in favor of newer libraries and new code from the Clever/master branch.
@danailgabenski
Misformatted try catch.
6c57a1a
@danailgabenski
Correcting package versions.
67a858d
@danailgabenski
Formatted both saml2.coffee files - one that is the library and the o…
e1aa3ad 
…ne that deals with the tests.

Added 2 new options for the post and redirect assert
  - notonorafter_required - defaults to false (current behavior)
  - notbefore_required    - defaults to false (current behavior)

Added 4 new test xml files to test the new options that check for the two tags in the Conditions element.
One of the tests checks if the Conditions tag is defined, but one or more of the two new options are set to true - in that case the Conditions tag is required by default.
@danailgabenski
Added a new option to require the onetimeuse element in the condition…
262a078 
…s, defaults to false.

Renamed flags to be more consistent with previous options present.

Updated tests and organized them a bit better for easier reading.
Added 3 new test files for the new flag.
@mcab
Copy link
Member

mcab commented Oct 31, 2022

As is, this PR is very hard to merge in. The large changes stem from five different goals:

  • adding new features
  • dependency bumps
  • replacing libraries
  • reformatting
  • build issues

To bring forks to parity, we should focus on one area at a time. If you can cherry pick commits that focus on feature differences, we can see if they're appropriately tested and maintainable.

@sylido
Copy link
Author

sylido commented Nov 1, 2022

@mcab as this library wasn't maintained for a while it's kind of hard to separate from older commits - wouldn't the fact that all the unit tests pass be enough to conclude that there were no changes in logic that were unintended ?

I can add more tests if you have specific concerns, maybe some parts weren't being tested properly previously.

@mcab
Copy link
Member

mcab commented Nov 8, 2022

wouldn't the fact that all the unit tests pass be enough to conclude that there were no changes in logic that were unintended ?

No, because it has new functionality that changes how this library was used before, and how it's used by you now. These include the new features:

If you wish to contribute these features to Clever's branch, then it makes sense to cut commits and PRs for each separate one. As a whole, it's very hard to classify what this single branch should be considered. Fundamentally, there are some function signature changes, which should be considered a new major version. I believe that if it's working well for you, there's nothing wrong with maintaining a fork.

All these commits can be dropped or reconsidered, given their purposes.

Dependency drift:

Tools that are unused upstream:

Changes that affect publishing the package:

Formatting changes that should be standardized in tooling:

@sylido
Copy link
Author

sylido commented Nov 17, 2022

The optional ignore signature and multiple authn statements do affect functionality - they were originally PR's/Fixes suggested on this fork - but were never merged as there weren't tests for them. For some reason I remember the authn part was throwing an error that it shouldn't have been in some cases - so that was an intentional addition. They might be working together with the ignore signature addition to properly parse responses. #74 @mgduk 's comment
At this point I think I can add more test cases and put the multiple authn_statements under their own optional parameter defaulting to false - if that would get them accepted - maybe a separate PR just for that.

The two new parameters for the NotBefore/NotOnOrAfter and OneTimeUse default to false so they shouldn't affect the functionality.

As far as the dependency drift commits - I think I can get those to be the latest committed to this main repo - with the only change being that I think lodash works better than underscore - maybe limit the import of it to just the functions used to keep it lightweight.

The tools would be removed and changes affecting the publishing would be reverted to the current master branch.

Then the formatting changes although manual in nature bring a bit more readability to the library - would be nice if they were adopted and maintained - coffeescript is hard 😅

Let me know if these sound alright, I can try making another 2 branches and PRs with these changes in mind.

@darioackermann
Copy link

Hey, I am gladly accepting PRs (again) on the revived fork

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@sylido @mcab @darioackermann @danailgabenski