Fix fetching of SAML metadata for large aggregate endpoints#23531
Conversation
9266765 to
59b1e58
Compare
59b1e58 to
4beb426
Compare
NobodysNightmare
left a comment
There was a problem hiding this comment.
Found two typos and have two questions regarding the implementation.
The general concept looks sound to me.
| include ActionView::Helpers::NumberHelper | ||
|
|
||
| READ_TIMEOUT = 120 | ||
| OPEN_TIMEOUT = 15 |
There was a problem hiding this comment.
Another surprise: Why do we need to deviate from default timeouts here?
I'd expect that opening a connection would take as long as always. And if I understand the concept of a read timeout correctly, it's for "silence" between received bytes, not for the total transfer duration of all the bytes, so I am surprised that we'd want to wait up to two minutes.
There was a problem hiding this comment.
I'll remove them for now, but shouldn't we use the httpx defaults which specify read/timeouts in the SSRF helper explicitly? I know they are worded specifically for httpx, but they shouldn't be different?
There was a problem hiding this comment.
True, that would make sense. Ideally we'd be able to call those settings "HTTP connect timeout" and use them everywhere. (assuming that other clients support the same kinds of timeouts)
7982b3d to
fb8da3c
Compare
5b03a19 to
786e63f
Compare
786e63f to
01cb4a5
Compare
We used ruby samls own metadata fetching instead of parsing the XML ourselves. This fails when trying to fetch large aggregated entities descriptors (such as the one linked in the ticket), for example when one idp manages a lot of
EntitiesDescriptor.Then it's useful to be able to locate the relevant descriptor for our service using the
idp_entity_id. This field was added to the form to allow fetching only a subset of the data.While we're at it, also use the SSRF protection helpers to fetch the request, rather than ruby-saml directly
https://community.openproject.org/work_packages/OP-19420