-
-
Notifications
You must be signed in to change notification settings - Fork 571
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refactor error handling; allow multiple error messages with soft #269
Conversation
Thanks for this contribution, I will review and try to improve. Right now we have an urgent release to support better signature handle, but this will be introduced in other release. |
ping. i also think that this change hugely improves the experience of debugging with ruby-saml |
The idea of stopping validation after find the first error is based on speed, also rest of the SAML toolkits has this behavior. If you want to validate a SAMLResponse, LogoutRequest or LogoutResponse you can use samltool.com There is a logic followed in order to store a error on errors or raise an exception. |
The default rails behavior for
samltool.com does not function exactly as the toolkit does, as we both know very well at this point. As for creating a "validator" method - isn't that what this PR does?
I don't really understand your English here but if you look at what |
* onelogin/master: Explictly state Ruby 2.0.x support Related to PR SAML-Toolkits#269 Fix SAML-Toolkits#299 Fix SAML-Toolkits#306. Support WantAssertionsSigned Use settings.idp_cert_fingerprint_algorithm in idp_metadata_parser for fingerprint instead of SHA1 Implement binding parsing in idp_metadata_parser
Thank you for being an active contributor of the ruby-saml toolkit.
But is a SAML validator, you can detect any issue at any SAMLResponse, LogoutRequest or LogoutResponse, but I understand you want to validate it with the ruby-saml toolkit. I'm not comfortable with your proposal that change the current behavior of the validate method since it can break some current environments, but if you think that collecting errors makes totally sense to you, what do you think about adding a new parameter to the validate method (collect_errors, by default set to false)
As you know there are some errors that may stop the validation process and are not related to the SAML message validation itself. For example, use as SAMLResponse an invalid XML I see that you noticed that, that why you set the
are you ok with this approach? |
I sincerely believe that all users of your library expect, because you name your errors variable If it's not possible to always collect every conceivable error, or if some errors need to early-return, that is totally okay. I simply expect my libraries to make a best-effort guess at returning all possible errors, just as samltool.com does. |
Merged, I will release a new gem today. |
When
soft
was introduced, it allowed business logic to examine failure without having to go through crazyrescue
blocks. This was awesome.However, what was not awesome was that debugging invalid responses in prod was tedious - if your server just output the
errors
on an object, you'd only see the first error that tripped the validator. Most of the time, there are other screwups too. This change allows errors to accumulate on an object when safe mode is set. It also centralizes some very repeated error handling code.There are unfortunately a couple of rough spots where assumptions baked into test order right now - like nil derefs that aren't checked in later tests. I had to hack around a couple.
Also,
Response
's use ofdoc.validate_document
was out of date -options
is now the third parameter, but the options hash was being passed as the value forsoft
.