• Resolved cleverington

    (@cleverington)


    ## Background

    Our sites are built using the 1.x version of the Timber Starter Theme.

    We have not upgraded because it is still ‘in development’. Thus, the ‘recommended’ version of TWIG to use for the Timber theme is 1.x.

    ## Issue

    Recently when updating private/simplesamlphp/composer.json, it downloaded and installed the 2.x version of TWIG, which triggered a number of errors.

    The reason for this is because the twig/twig available site-wide is being provided by private/simplesamlphp/ instead of wp-content/plugins/timber-library/.

    The root cause of these errors is that simplesamlphp_autoload within wp-saml-auth.php and inc/class-wp-saml-auth-cli.php are both calling the entire /simplesamlphp/lib/_autoload.php and associated classes/vendor-files.

    I understand that private/ is available to themes/plugins (but not web), but it seems counter-intuitive that the available theme-engine for TWIG should be provided (and overridden) by the SSO tooling.

    ## Potential Solution(s)

    1. It is noted within the code/documentation that this plugin will work if it can find the SimpleSAML_Auth_Simple class, but additional instructions are not provided in the documentation *how* to nullify the need for the simplesamlphp_autoload $option_name when configuring the plugin. Perhaps the documentation could be updated to reflect ‘if using Timber theme, do this’?

    2. As the Timber theme is a popular WordPress theme, simplesamlphp intends to maintain backwards compatibility, and twig/twig:1.x does not currently have a planned deprecation, perhaps the plugin should be configured to look for the current theme and (if using Timber), only load cli-based classes?

    ## Final Question

    As an interim solution, I ensured that the 1.x TWIG files were being loaded, but I would ask this:

    Should the available twig/twig engine be loading from the private/ directory? I’m not familiar enough with WordPress to know if this is a concern or not.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Daniel Bachhuber

    (@danielbachhuber)

    Hey @cleverington,

    Thanks for the report, and sorry to hear you’re running into an issue.

    > Recently when updating private/simplesamlphp/composer.json, it downloaded and installed the 2.x version of TWIG, which triggered a number of errors.

    It seems like the fundamental problem is that this behavior shouldn’t have occurred. Updating private/simplesamlphp/composer.json should have only updated SimpleSAMLphp. Can you share the contents of this composer.json file?

  • Thread Starter cleverington

    (@cleverington)

    Hey @danielbachhuber,

    Thanks for following up.

    So I tracked it down that our Upstream devs were actually grabbing the package precompiled and offered via the Download option at https://simplesamlphp.org/download (which matches Pantheon.io’s instructions here). They have not yet configured true Composer-based workflows.

    The composer.json file lists "twig/twig": "~1.0 || ~2.0",, but the ~2.0 files are already downloaded within the package.

    To remediate, I altered the composer.json file, recompiled, committed the changes, and pushed up to Pantheon.

    ## Note

    I think, though, that you might have misunderstood the root (possible) issue.

    When you think about it, the issue already existed that the TWIG template files were being pulled from the simplesamlphp library (instead of the timber-library plugin), I was just unaware of it.

    It feels like even if simplesamlphp loaded the Twig 2.x files, those files should only be loaded for simplesamlphp (or not loaded at all, if currently unneeded).

    Instead, the wp-saml-auth plugin is overriding the TWIG library provided by the timber-library plugin.

  • Plugin Author Daniel Bachhuber

    (@danielbachhuber)

    Ah, your explanation of the problem makes sense to me. I didn’t realize SimpleSAMLphp uses Twig as well.

    > It feels like even if simplesamlphp loaded the Twig 2.x files, those files should only be loaded for simplesamlphp (or not loaded at all, if currently unneeded).

    I wish this was the behavior too. Unfortunately, whichever version of the library is loaded first is the one that will be used.

    Also, it’s worth noting that our recommendation is to use the “internal” version of SAML authentication (which is OneLogin’s PHP SAML library) instead of SimpleSAMLphp. I recognize you might be using SimpleSAMLphp for some specific reason, though.

    Nice work tracking the problem down!

  • The topic ‘SimpleSAMLphp Autoloader overriding available TWIG Version’ is closed to new replies.
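
The "whichever version is loaded first wins" behavior discussed in this thread can be reproduced and diagnosed with the script below. It is an added example, not code from the thread, WP SAML Auth, SimpleSAMLphp or Timber. The class `Demo\Engine`, the helper names and the temporary directory layout are hypothetical; only the directory names `simplesamlphp` and `timber-library` echo the thread.

```php
<?php
// Constructed demo: two "vendor" trees each ship a different version of the
// same class, the way two bundled copies of one library would.

// Write a hypothetical Demo\Engine class with the given version into a tree.
function make_vendor(string $root, string $name, string $version): string {
    $dir = "$root/$name/Demo";
    mkdir($dir, 0700, true);
    file_put_contents("$dir/Engine.php",
        "<?php\nnamespace Demo;\nclass Engine { const VERSION = '$version'; }\n");
    return "$root/$name";
}

// Minimal PSR-4-style autoloader rooted at one vendor directory.
function register_vendor(string $base): void {
    spl_autoload_register(function (string $class) use ($base): void {
        $file = $base . '/' . str_replace('\\', '/', $class) . '.php';
        if (is_file($file)) {
            require $file;
        }
    });
}

// Report which file actually defined a class, or null if it cannot be loaded.
function class_origin(string $class): ?string {
    if (!class_exists($class)) { // class_exists() triggers autoloading
        return null;
    }
    return (new ReflectionClass($class))->getFileName() ?: null;
}

$root  = sys_get_temp_dir() . '/autoload-demo-' . bin2hex(random_bytes(4));
$sso   = make_vendor($root, 'simplesamlphp', '2.0.0');
$theme = make_vendor($root, 'timber-library', '1.0.0');

register_vendor($sso);   // the SSO tree's autoloader is registered first
register_vendor($theme); // the theme tree's autoloader is never consulted for Demo\Engine

// PHP asks autoloaders in registration order and a class can be defined only
// once per process, so every caller now gets the copy from the first tree.
printf("version: %s\norigin:  %s\n", \Demo\Engine::VERSION, class_origin('Demo\\Engine'));
```

Calling a helper like `class_origin()` on a shared library's class from inside the running site shows which directory supplied it, which is a quick check after updating any bundled vendor tree.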