Update the dependencies error for ssphp

Here's the list of SimpleSAML php depedencies from their manual: https://simplesamlphp.org/docs/stable/simplesamlphp-install#section_3

    Some webserver capable of executing PHP scripts.
    PHP version >= 5.3.0.
    Support for the following PHP extensions:
        Always required: date, dom, hash, libxml, openssl, pcre, SPL, zlib
        When using encryption or digital signatures: mcrypt
        When authenticating against LDAP server: ldap
        When authenticating against RADIUS server: radius
        When saving session information to memcache-server: memcache
        When using database:
            Always: PDO
            Database driver: (mysql, pgsql, ...)

Because we're not using it as an identity provider, we don't need ldap or radius. We're currently using memcache as the session provider, so that's the "memcache" dependency. We're not using the database for sessions or IdP, so we don't need any of the DB libraries (including sqlite).

Although it might be a good idea to switch our simplesamlphp setup to use the DB for sessions instead of memcache, in order to reduce the number of dependencies? Or maybe to detect whether the Mahara site itself is using standard PHP sessions, or memcache sessions. I think Piers believed there was some kind of conflict with using PHP sessions, but I'm not sure if that was only a problem if you were doing it in a multi-hosted environment, or if it just didn't work at all...

That list may be incomplete, though, because it doesn't mention the GMP (GNU Multiple Precision Arithmetic Library) at all. Then again, maybe it's only used by one of the extensions?

The system is now being used as an IdP I thought - there is a screen where one can pick the IdP one wants to use to login with

ah no I'm thinking of IDP discovery page - ignore my earlier message

Okay, it looks like these dependencies come from when we run composer --update against the composer.json file at htdocs/auth/saml/extlib/simplesamlphp/composer.json. This file, (I think) comes from

One thing we can do is change the Makefile line to add "--no-dev". That will remove the "development-only" dependencies including sqlite. Since we're not doing development *on* SimpleSAMLPHP, we don't need the dev dependencies.

The need for GMP comes from openid/php-openid. That's not present in the composer.json from the SimpleSAMLPHP git repository, so it seems to be added by their build process. There is a build script in their repo, so maybe I'll check and see if I can figure out if it's fiddling with the composer.json. May be it's flattening the dependencies list or something, or aggregating multiple composer.json files in different directories?

Whoops, half-sentence in the above comment. The htdocs/auth/saml/extlib/simplesamlphp/composer.json file comes from the SimpleSamlPHP release tarball that we download.

We're sort of using a semi-composer method for managing SimpleSAMLPHP. We're not managing it as a proper composer dependency (in which case we'd just have "simplesamlphp" in our root-level composer.json file and do "composer --install"). Instead we download a specific release tarball, unzip it, and run composer --update against it.

Do we actually need to do that? I would have thought that the whole point of downloading a release tarball, is that we don't need to run any composer commands afterward?

Ok, if we can't get the dependency list shrunk down then we need to add the following to error message in Extensions -> Saml configuration page

sudo apt-get install php5-gmp
 sudo php5enmod gmp

sudo apt-get install php5-sqlite
 sudo php5enmod pdo_sqlite

On further research, since we are downloading the release tarball we do *not* need to run "composer --update".

The .tar.gz file that we download is built using the bin/build-release.sh script in the simplesamlphp git repo: https://github.com/simplesamlphp/simplesamlphp/blob/f5ff7c4643b9b784957f5e1fbf86fc740cd6b78a/bin/build-release.sh

The build script clones a new repo based on the tag for the release. Then it runs "composer install" to get all the basic simplesamlphp dependencies, *and* "composer require" to install a big list of optional plugins. "composer require" does two things. It downloads the actual packages and their dependency files to the specified location, and it updates the composer.json file.

So that means that, indeed, the tarball actually does contain all its PHP files already. So we can skip running "composer update" after upgrading it.

The SimpleSAMLPHP OpenID plugins are the only ones that need GMP. So we can change the listing for that to an optional depedency, only required if you want to use SimpleSAMLPHP as an OpenID IdP consumer.

Patch for "master" branch: https://reviews.mahara.org/6968

Reviewed: https://reviews.mahara.org/6968
Committed: https://git.mahara.org/mahara/mahara/commit/25e8324dade37e42af23986744d8655c8a8b3f53
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 25e8324dade37e42af23986744d8655c8a8b3f53
Author: Aaron Wells <email address hidden>
Date: Tue Sep 13 12:51:18 2016 +1200

Bug 1622788: Composer step not needed for simplesamlphp

behatnotneeded: Covered by existing tests

Change-Id: I665a434470db4b2ecaf5db0f29b92380f49fe28c

Patch for "16.10_STABLE" branch: https://reviews.mahara.org/7006

Reviewed: https://reviews.mahara.org/7006
Committed: https://git.mahara.org/mahara/mahara/commit/ea36d14f5763621fbae43de1095169a3823567a3
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.10_STABLE

commit ea36d14f5763621fbae43de1095169a3823567a3
Author: Aaron Wells <email address hidden>
Date: Tue Sep 13 12:51:18 2016 +1200

Bug 1622788: Composer step not needed for simplesamlphp

behatnotneeded: Covered by existing tests

Change-Id: I665a434470db4b2ecaf5db0f29b92380f49fe28c
(cherry picked from commit 25e8324dade37e42af23986744d8655c8a8b3f53)