perl-net-saml2/perl-XML-Enc

XML::Enc v0.12 kills Net::SAML2 tests

Closed this issue · 7 comments

vacri commented

We have a system that uses Net::SAML2, and today's update to XML::Enc has killed the build.

We use Debian system Perl (5.36) and most of the modules are from Debian's apt repo, but there's a handful that need to be manually built (XML::Enc and Net::SAML2 are two of them). Here's a Dockerfile for testing - can install XML::Enc v0.12 'the usual way' (for us), and v0.11 with either cpanm or dh-make-perl. Yes, pretty much all those dependencies are required for Net::SAML2...

Sorry, I'm not a Perl bloke, so apologies if I've missed something obvious to Perl aficionados.

The errors we're getting with the v0.12 XML::Enc release are basically a series of these namespace errors when building Net::SAML2:

#0 14.22 :1: namespace error : Namespace prefix saml on Assertion is not defined
#0 14.22 6b-4ad0-a1a0-ea85ee839dbc" IssueInstant="2022-03-27T12:06:56.740Z" Version="2.0"
#0 14.22                                                                                 ^
#0 14.22 :1: namespace error : Namespace prefix saml on Issuer is not defined
#0 14.22 ea85ee839dbc" IssueInstant="2022-03-27T12:06:56.740Z" Version="2.0"><saml:Issuer
#0 14.22                                                                                 ^
#0 14.22 :1: namespace error : Namespace prefix saml on Subject is not defined
#0 14.22 </dsig:RSAKeyValue></dsig:KeyValue></dsig:KeyInfo></dsig:Signature><saml:Subject
#0 14.22                                                                                 ^

In the Dockerfile linked above, I've done a rollback to XML::Enc v0.11 and it works correctly. Switch it to v0.12 and the above errors appear when building Net::SAML2.

Looking at the changelog for XML::Enc, it says "Major refactoring", which sounds like there's fun afoot.

No idea about how to fix this at any deeper level, sorry. Have done a workaround to keep us on 0.11 for now.

Thanks

prove -lv t/16-encrypted-assertion.t fails in Net::SAML2. The XML hardly differs between the two of them.

I think I found the issue.

If you check out tag 0.11 of XML::Enc, cherry-pick commit e2b7efd from my remote and run prove -lv t/10-asserted-encryption.t, you'll see the following in your terminal after the decryption of the assertion XML:

<saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_af2d76cb-6e6b-4ad0-a1a0-ea85ee839dbc" IssueInstant="2022-03-27T12:06:56.740Z" Version="2.0">

If you check out 0.12, cherry-pick commit e2b7efd and run prove -lv t/10-asserted-encryption.t, you'll see this:

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_af2d76cb-6e6b-4ad0-a1a0-ea85ee839dbc" IssueInstant="2022-03-27T12:06:56.740Z" Version="2.0">

This then leads to Net::SAML2 using this string with XML::Enc 0.11:

<saml:Assertion 
  xmlns="urn:oasis:names:tc:SAML:2.0:assertion" 
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="ID_af2d76cb-6e6b-4ad0-a1a0-ea85ee839dbc"
  IssueInstant="2022-03-27T12:06:56.740Z"
  Version="2.0"
>

And the following with XML::Enc 0.12:

<saml:Assertion
  xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="ID_af2d76cb-6e6b-4ad0-a1a0-ea85ee839dbc"
  IssueInstant="2022-03-27T12:06:56.740Z"
  Version="2.0"
>

Now the xmlns:saml declaration is gone, which is the error message in Net::SAML2 when you run prove -lv t/16-encrypted-assertion.t.

This then gets passed to XML::Sig, which emits the error message.

I think this may be a bug in XML::LibXML, see shlomif/perl-XML-LibXML#78 which I opened because of this bug report.

Workaround: #11
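The diagnosis above comes down to a decrypted fragment that uses the saml prefix without declaring it, which only surfaces as a libxml2 namespace error once XML::Sig parses the string. The following is an added example, not code from XML::Enc, Net::SAML2 or anyone in this thread: a pre-flight check that parses the decrypted string with XML::LibXML (the dependency both modules already use) in silent recovery mode and lists every prefix that is used by an element or attribute but bound to no namespace, so a caller can reject the fragment with a clear message before handing it to a signature verifier. The two sample strings are constructed from the serialisations quoted in the thread; the Issuer value is made up, and the helper names are this example's own.

```perl
#!/usr/bin/env perl
# Added example (not part of XML::Enc, Net::SAML2 or this issue): a pre-flight
# namespace check for a decrypted SAML fragment before signature verification.
# Requires XML::LibXML. Helper names (unbound_prefixes, assert_namespaces_bound)
# are this example's own.
use strict;
use warnings;
use XML::LibXML;

# Constructed samples modelled on the two serialisations quoted in the issue
# (XML::Enc 0.11 keeps xmlns:saml, 0.12 drops it). The Assertion ID is the one
# from the issue; the Issuer value is made up.
my $with_decl = <<'XML';
<saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_af2d76cb-6e6b-4ad0-a1a0-ea85ee839dbc" IssueInstant="2022-03-27T12:06:56.740Z" Version="2.0"><saml:Issuer>https://idp.example.invalid</saml:Issuer></saml:Assertion>
XML

my $without_decl = <<'XML';
<saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_af2d76cb-6e6b-4ad0-a1a0-ea85ee839dbc" IssueInstant="2022-03-27T12:06:56.740Z" Version="2.0"><saml:Issuer>https://idp.example.invalid</saml:Issuer></saml:Assertion>
XML

# Return the sorted, distinct prefixes that an element or attribute uses
# without a binding namespace declaration. Parsing with recover => 2 stops
# libxml2 from dying on, or printing, the "namespace error" lines quoted in
# the issue; an unbound prefix then shows up as a node whose nodeName still
# carries the prefix while namespaceURI is undefined.
sub unbound_prefixes {
    my ($xml) = @_;
    my $doc = XML::LibXML->new(recover => 2)->parse_string($xml);
    my %seen;
    for my $el ($doc->findnodes('//*')) {
        _note_unbound(\%seen, $el);
        for my $attr ($el->attributes) {
            # xmlns declarations come back as XML::LibXML::Namespace; skip them.
            next unless $attr->isa('XML::LibXML::Attr');
            _note_unbound(\%seen, $attr);
        }
    }
    return sort keys %seen;
}

sub _note_unbound {
    my ($seen, $node) = @_;
    my ($prefix) = $node->nodeName =~ /^([^:]+):/ or return;
    return if $prefix eq 'xml' || $prefix eq 'xmlns';   # always bound
    $seen->{$prefix} = 1 unless defined $node->namespaceURI;
}

# Gate: refuse to hand a fragment with unbound prefixes to signature
# verification, so the failure is reported here rather than as a libxml2
# namespace error from inside the verifier.
sub assert_namespaces_bound {
    my ($xml) = @_;
    my @missing = unbound_prefixes($xml);
    die "decrypted XML uses undeclared namespace prefix(es): @missing\n" if @missing;
    return 1;
}

for my $case ([ declared => $with_decl ], [ missing => $without_decl ]) {
    my ($label, $xml) = @$case;
    my $ok  = eval { assert_namespaces_bound($xml) };
    my $err = $@;
    chomp $err;
    printf "%-8s %s\n", $label, $ok ? 'ok: all prefixes bound' : "rejected: $err";
}
```

Run with perl against a checkout that has XML::LibXML installed; the first sample passes and the second is rejected with "undeclared namespace prefix(es): saml". The check deliberately looks at namespaceURI rather than at the text of the declarations, so it also catches a prefix that is declared on an ancestor element which was lost when the assertion was serialised out of its enclosing Response.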

Thanks @waterkip this appears to be fixed in 0.13. @vacri please test and confirm so I can close

vacri commented

Have confirmed 0.13 is working for us when I revert to the usual build commands that pull in $latest, thanks for the quick turnaround!

www-data@6b2b10e63228:~$ perl -MXML::Enc -e 'print $XML::Enc::VERSION;' ; echo
0.13
www-data@6b2b10e63228:~$ perl -MNet::SAML2 -e 'print $Net::SAML2::VERSION;' ; echo
0.69

Happy for the ticket to be closed, ta.