Fix encryption for @xmldom/xmldom 0.8.6 upgrade #511
Merged
tngan
merged 3 commits into
tngan:master
from
mastermatt:fix-encryption-for-latest-xmldom
Feb 26, 2023
`@xmldom/xmldom` 0.8.6 included: fix: Properly check nodes before replacement. xmldom/xmldom#457

Which caused the `.replaceChild` calls in `encryptAssertion` and `decryptAssertion` to error with:

> "Not found: child not in parent"

The root cause is a subtle difference in `@xmldom/xmldom` `Document` vs `Element` instances. The previous code was asking xmldom to replace an element from a top-level Document with another top-level Document. The patch to xmldom 0.8.6 started the enforcement of `.replaceChild` being passed `Nodes` who share a common parent Node.

e.g. in the case of `encryptAssertion`:

`doc.replaceChild(encryptAssertionNode, rawAssertionNode)`

It's important to distinguish that neither `doc` nor `encryptAssertionNode` are `Element` nodes, but instead `Document` Nodes. Meaning `doc` does _not_ refer to the `<samlp:Response>` node, but instead a meta object one level up. To reference the Response tag, you instead use the `Document#documentElement` attribute.

Changing that line to the following has the same intended effect using the correct node references.

`doc.documentElement.replaceChild(encryptAssertionNode.documentElement, rawAssertionNode)`

I renamed a few of the variables in an attempt to clarify which are `Documents`.

Also fixes an issue where the `ERR_NO_ASSERTION` and `ERR_UNDEFINED_ENCRYPTED_ASSERTION` errors were not being thrown if exactly zero nodes were found.

fixes: tngan#495
Seems to have been accidentally added in tngan#501, these never worked because `sessionIndex` is not part of the default logout request template, so whether the extractor works or not, the creation of the request will not include the value. And with this, the test suite passes again!
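The node relationship described in the pull request description above, as an added example that is not code from this pull request or from `@xmldom/xmldom`. It uses a simplified DOM model (the `SimNode` and `SimDocument` classes, the helper names and the `saml:` element names are assumptions) that reproduces only the parent check, to show why the call on the `Document` fails and the call on `documentElement` succeeds.

```javascript
// Simplified stand-in for a DOM tree (assumption, not xmldom itself): it models
// only the "old child must belong to this parent" check in replaceChild.
class SimNode {
  constructor(name) {
    this.nodeName = name;
    this.parentNode = null;
    this.childNodes = [];
  }
  appendChild(child) {
    child.parentNode = this;
    this.childNodes.push(child);
    return child;
  }
  replaceChild(newChild, oldChild) {
    if (oldChild.parentNode !== this) {
      throw new Error('Not found: child not in parent');
    }
    const from = newChild.parentNode; // detach newChild from its previous parent
    if (from) from.childNodes.splice(from.childNodes.indexOf(newChild), 1);
    this.childNodes[this.childNodes.indexOf(oldChild)] = newChild;
    newChild.parentNode = this;
    oldChild.parentNode = null;
    return oldChild;
  }
}
// A Document is a wrapper one level above the root element.
class SimDocument extends SimNode {
  constructor(rootName) {
    super('#document');
    this.documentElement = this.appendChild(new SimNode(rootName));
  }
}
// Constructed sample trees: a response holding one assertion, and a second
// document whose root is the encrypted assertion.
function buildDocs() {
  const doc = new SimDocument('samlp:Response');
  const rawAssertionNode = doc.documentElement.appendChild(new SimNode('saml:Assertion'));
  return { doc, rawAssertionNode, encryptedDoc: new SimDocument('saml:EncryptedAssertion') };
}
// Pre-fix shape: the assertion's parent is <samlp:Response>, not the Document.
function replaceOnDocument() {
  const { doc, rawAssertionNode, encryptedDoc } = buildDocs();
  try { doc.replaceChild(encryptedDoc, rawAssertionNode); return 'replaced'; }
  catch (e) { return e.message; }
}
// Fixed shape: parent and replacement are both element nodes.
function replaceOnDocumentElement() {
  const { doc, rawAssertionNode, encryptedDoc } = buildDocs();
  doc.documentElement.replaceChild(encryptedDoc.documentElement, rawAssertionNode);
  return doc.documentElement.childNodes.map((n) => n.nodeName);
}
```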
KuSh
reviewed
Feb 15, 2023
@mastermatt I will review it within hours.
tngan
requested changes
Feb 25, 2023
the change looks fine though, but why taking out the sessionIndex from test
a patch release will be prepared later today