Attempting composer require drupal/samlauth on DrupalVM running PHP 7.1 results in a number of errors along these lines onelogin/php-saml 2.10.0 requires ext-mcrypt * -> the requested PHP extension mcrypt is missing from your system.. What's odd is that mcrypt seemed to be installed correctly according to PHPinfo. (later:) This seems to be due to the php extensions installed on my local being different than those on the vm.

However, according to the PHP manual mcrypt is deprecated in PHP 7.1 and will be removed completely from 7.2. onelogin/php-saml has identified this and has two open branches that remove the dependency as detailed in this comment.

To get samlauth installed successfully I was able to do the following:

composer require onelogin/php-saml:"dev-remove_mcrypt as 2.11.0"
composer require drupal/samlauth

So, I'm not sure if it's kosher to do composer alias voodoo in the module's composer.json or if this should just be made clear in docs, but I'm open to guidance from the maintainers and could do either.

Comments

froboy created an issue. See original summary.

froboy’s picture

Title: Samlauth and PHP 7.1 » Remove mcrypt dependency
Issue summary: View changes
cweagans’s picture

Status: Active » Closed (won't fix)

https://github.com/phpseclib/mcrypt_compat might also be of interest here if you don't have mcrypt installed.

Unfortunately (or fortunately, depending on your viewpoint), there's nothing we can do about this because the mcrypt dependency is in the upstream dependencies, not here. The ideal case is to simply wait for the onelogin toolkit to not depend on mcrypt anymore.

froboy’s picture

@cweagans got it. Thanks for the quick follow-up!

Chris Gillis’s picture

For those interested in the status of this: https://github.com/onelogin/php-saml/issues/255

mpp’s picture

@cweagans, can't we foresee a 3.x branch for samlauth on d.o with the dependency version updated from "onelogin/php-saml": "^2.10.6" to "onelogin/php-saml": "^3.0"? Or you could allow both: "onelogin/php-saml": "^2.10.6|^3.0".

mpp’s picture

Status: Closed (won't fix) » Needs review
StatusFileSize
new291 bytes

The onelogin toolkit now has a 3.0 release that no longer depends on mcrypt.

Note: The patch alone in composer.json won't be enough, as long as it hasn't been released you still need to do a composer require onelogin/php-saml:^3.0

daften’s picture

The proposed solution seems perfect IMO. It allows the dependency on php-mcrypt to be removed, but won't cause breakage for anybody.
Since Drupal 8.5.0 is released and PHP7.2 compatible, this seems like something that could/should be done quickly :)

danepowell’s picture

Status: Needs review » Reviewed & tested by the community

Looks good, could we please get this merged? Unfortunately this is one of those changes that is impossible to patch for downstream (sites can't patch samlauth's composer.json file to allow for the changed dependency)

Edit: I guess not strictly impossible, you can still use the alias voodoo mentioned in the OP.

cweagans’s picture

This looks fine. Has anyone actually tested against the 3.x branch of the onelogin toolkit though? If there are API changes, we'll have to make sure samlauth can actually work with both.

danepowell’s picture

I haven't extensively tested it or research what might have changed, but I can tell you that the 3.x branch of onelogin is working fine for our samlauth setup, and I haven't seen any errors.

jasonlttl’s picture

> Has anyone actually tested against the 3.x branch of the onelogin toolkit though?

They converted the 3.0.0 branch to using namespaces yesterday so there are now some incompatibilities.

  $auth = new OneLogin_Saml2_Auth($settingsInfo);
  $auth = new OneLogin\Saml2\Auth($settingsInfo);

https://github.com/onelogin/php-saml/commit/72bcc7b03223d9df691e9951702d...

jasonlttl’s picture

Status: Reviewed & tested by the community » Needs work

There's also a namespaceless branch if anyone else is juggling this.
https://github.com/onelogin/php-saml/tree/3.0.0-namespaceless

Maybe the thing to do here is create a 3.x branch of samlauth to use the regular namespaced 3.0 branch of php-saml and then not give it a release until php-saml releases 3.x? Samlauth 2.x would remain recommended and go off php-saml 2.x. This way, there'd be a php72 option, and both 2.x and 3.x would be composer installable.

Marking needs work since I think the addition of namespaces in php-saml complicates the patch.

mpp’s picture

Indeed, 3.0.0-namespaceless fixes both the mcrypt as well as the PHP 7 notices.

Hereby also requesting a 3.x branch of samlauth to work with the 3.x version of php-saml.

lolandese’s picture

Adding a link that worked for me as a temporary workaround:
Install PHP 7.2 MCrypt extension (e.g. when on Ubuntu 18.04).

pmunch’s picture

@lolandese Excellent !
Allows to have mcrypt available on PHP 7.2 (U18.04)
Thanks a lot !

richardbporter’s picture

StatusFileSize
new310 bytes
new229 bytes

Yea, this patch doesn't work with samlauth 8.x-2.x and onelogin/php-saml:^3.0 because of the namespace changes (as mentioned in #12). The namespaceless branch does work, however. I've re-rolled the patch with that change (although I'm having trouble getting Composer to install it).

Starting an 8.x-3.x branch that depends on ^3.0 of onelogin/php-saml, like what was suggested in #13, seems logical. I'd be happy to contribute to that but maybe there is another option. Would a maintainer be able to weigh in here and provide some direction? Thanks!

lithiumlab’s picture

Im having hard time trying to apply this update to remove mcrypt dependency with composer.
What's the suggested way to update to onelogin/php-saml 3.0.0 namespaceless and also update drupal/samlauth playing nice with composer ?

applying the patch with composer trough composer patches seems to not work becase the package samlauth is already downloaded and never gets its composer.json updated. therefore the new onelogin/php-saml never gets required.

i have tried running first

composer require onelogin/php-saml:dev-3.0.0-namespaceless

but then i get this message:


    - Installation request for drupal/samlauth 2.x-dev -> satisfiable by drupal/samlauth[2.x-dev].
    - drupal/samlauth 2.x-dev requires onelogin/php-saml ^2.10.6 -> satisfiable by onelogin/php-saml[2.10.6, 2.10.7, 2.11.0, v2.12.0, v2.13.0, v2.14.0] but these conflict with your requirements or minimum-stability

i also have this settings in my composer.json at root level:


    "minimum-stability": "dev",
    "prefer-stable": true,

richardbporter’s picture

Yep, thats what I was running into. Sounds like it is not possible, judging by this conversation: https://github.com/cweagans/composer-patches/issues/233

A separate branch with updated requirements would work but we need a maintainer to start that, as far as I know.

Chris Gillis’s picture

Just to clarify. php-saml now has a v3.0.0 release (Oct 2 2018) that has no mcrypt dependency. We need to update this module to use this new release of the library in order to achieve compatibility with PHP 7.2.

FYI, other modules handling the same problem:
https://www.drupal.org/project/saml_sp/issues/2958585
https://www.drupal.org/project/onelogin_integration/issues/2979428

Library Release:
https://github.com/onelogin/php-saml/releases/tag/v3.0.0

Chris Gillis’s picture

Title: Remove mcrypt dependency » Upgrade to php-saml v3.0.0 for PHP 7.2
Category: Bug report » Task
roderik’s picture

Version: 8.x-2.x-dev » 8.x-3.x-dev

It's indeed best to just add a 8.x-3.x dev version that works with v3 of the library. If ever there is an issue with the 3.0.0-namespaceless branch, we cannot expect it to be updated. I'd like to prevent that. Also, there seems to be no downside or compatibility issues to switching to the newer library.

I've just created a 8.x-3.x dev version. I tested login/logout on my own setup, on php5.6 / 7.1 / 7.2; that works.

I'll probably tag a 8.x-3.0-alpha1 soon, while working on the rest of the issues - but want to wrap my head around one or two more outstanding issues.

roderik’s picture

Status: Needs work » Fixed

8.x-3.0-alpha1 out now. Closing this.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.