eXist-db / existdb-saml

XQuery module that implements SAML v2 single sign-on
GNU Lesser General Public License v2.1

Improve debug logging of SAML Response #16

Closed adamretter closed 1 year ago

adamretter commented 1 year ago
  1. Bugfix - previously only text nodes were logged.
  2. Feature - A Correlation ID to make debugging easier and enable you to correlate log lines and requests and responses.
adamretter commented 1 year ago

However, pls note that exactly that code is about to get removed in a debug logging overhaul.

Presumably there will be a PR for us all to review and comment on. If that is the case, and we all agree that the overhaul is an improvement and can be merged, then I don't see that as a problem.

chakl commented 1 year ago

@adamretter may I solicit your opinion on debug logging of XML data? For debugging SAML, we may want to see the full XML structure of SAML messages, that's why there's fn:serialize() used in some places.

Serializing to one-line log messages still makes it hard to read. Pretty-printing would be nice, but it would mess up line-oriented exist.log files. I considered writing out XML data to filesystem files, or in-DB XML documents, instead of logging to the standard channels. Opinions or preferences? Thanks

adamretter commented 1 year ago

Serializing to one-line log messages still makes it hard to read. Pretty-printing would be nice, but it would mess up line-oriented exist.log files. I considered writing out XML data to filesystem files, or in-DB XML documents, instead of logging to the standard channels. Opinions or preferences? Thanks

@chakl I think the most sensible is to serialize the XML to a single-line in the log file (i.e. without indenting), when the XML is small it is easy to read, when it is not I simply copy-and-paste it to Oxygen XML Editor and have Oxygen auto-format it so I can easily read it.

adamretter commented 1 year ago

Might use the already existing request-id instead of generating one with uuid().

@chakl So it is not possible to use the request-id for correlation as it is not computed before the logging starts. Additionally you need to be able to pass such an ID to multiple exsaml functions from your controller.xq file.

I have updated this so that the Correlation ID is now used throughout and also forms part of the SAML Request ID. This allows you to easily correlate log lines, the SAML Request and the SAML Response.

Take a look at the updated controller.xql in the README.md for a simple overview
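The two points settled in this thread, single-line serialization of whole SAML elements and a correlation ID that is also embedded in the SAML Request ID, as an added XQuery example. This is not code from existdb-saml or from the PR; it only assumes eXist-db's built-in util module (util:uuid, util:log), and the local:* functions, the log line format and the example.org endpoints are assumptions for illustration. Note that the SAML ID attribute is an xs:ID, which must be an NCName and therefore may not start with a digit, while a UUID can; the example prefixes an underscore so the embedded correlation ID stays schema-valid and the Response's InResponseTo can still be matched to the log lines.

```xquery
xquery version "3.1";

(: Added example, not existdb-saml's own code. Assumes eXist-db's util module
   (util:uuid, util:log); the local:* functions are hypothetical helpers. :)

import module namespace util = "http://exist-db.org/xquery/util";

declare namespace samlp = "urn:oasis:names:tc:SAML:2.0:protocol";
declare namespace saml = "urn:oasis:names:tc:SAML:2.0:assertion";

(: One correlation id per SSO exchange: created once in the controller and
   passed to every function that logs, so all log lines share the same token. :)
declare function local:new-correlation-id() as xs:string {
    util:uuid()
};

(: The SAML ID attribute is an xs:ID (an NCName): it may not start with a digit,
   and a UUID can. The underscore prefix keeps the ID valid while embedding the
   correlation id, so AuthnRequest/@ID, Response/@InResponseTo and the log lines
   can all be matched on the same value. :)
declare function local:saml-request-id($corr-id as xs:string) as xs:string {
    "_" || $corr-id
};

(: Serialise the whole element (not just its text nodes) onto a single line so
   exist.log stays line-oriented; indentation is switched off explicitly. :)
declare function local:log-xml($corr-id as xs:string, $label as xs:string,
                               $node as node()) as empty-sequence() {
    util:log("debug",
        "[" || $corr-id || "] " || $label || ": " ||
        serialize($node, map {
            "method": "xml",
            "indent": false(),
            "omit-xml-declaration": true()
        }))
};

let $corr-id := local:new-correlation-id()
let $request-id := local:saml-request-id($corr-id)
(: Constructed sample AuthnRequest; endpoints are example.org placeholders. :)
let $authn-request :=
    <samlp:AuthnRequest ID="{$request-id}" Version="2.0"
        IssueInstant="{current-dateTime()}"
        Destination="https://idp.example.org/sso">
        <saml:Issuer>https://sp.example.org</saml:Issuer>
    </samlp:AuthnRequest>
return (
    local:log-xml($corr-id, "SAML AuthnRequest", $authn-request),
    $request-id
)
```

When the Response arrives, logging it through the same local:log-xml with the correlation ID recovered from its InResponseTo attribute (strip the leading underscore) gives one grep key per exchange; the single-line output can be pasted into an XML editor and reformatted when it is too long to read in the log.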