Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EntityDescriptor: allow multiple certificates in IDPSSODescriptor #65

Merged
merged 1 commit into from
Jul 19, 2024
Merged

EntityDescriptor: allow multiple certificates in IDPSSODescriptor #65

merged 1 commit into from
Jul 19, 2024

Conversation

fumieval
Copy link
Contributor

Summary

I realised that when an IdP is about to rotate their certificates, their IdP metadata may contain more than one certificate.
This PR changes the x509Certificate to x509Certificates :: [X509.SignedExact X509.Certificate] so that it doesn't drop extra certificates.

Checklist

  • All definitions are documented with Haddock-style comments.
  • All exported definitions have @since annotations.
  • Code is formatted in line with the existing code.
  • The changelog has been updated.

@github-actions github-actions bot requested a review from mbg July 17, 2024 09:34
mbg
mbg reviewed Jul 19, 2024
View reviewed changes
Copy link
Owner

@mbg mbg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for opening a PR for this! The contributions are always appreciated 🙇🏻‍♂️

I have a couple of minor comments to fix some typos in the comments, but otherwise this looks good to me!

CHANGELOG.md Outdated Show resolved Hide resolved
src/Network/Wai/SAML2/EntityDescriptor.hs Outdated
@@ -36,8 +36,8 @@ data IDPSSODescriptor
= IDPSSODescriptor {
-- | IdP Entity ID. 'Network.Wai.SAML2.Config.saml2ExpectedIssuer' should be compared against this identifier
entityID :: Text
-- | The X.509 certificate for signed assertions
, x509Certificate :: X509.SignedExact X509.Certificate
-- | The X.509 certificate for signed assertions -- @since 0.7
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor comment to make certificates plural since there can be several now:

Suggested change
-- | The X.509 certificate for signed assertions -- @since 0.7
-- | The X.509 certificates for signed assertions -- @since 0.7

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, the @since annotation doesn't work at the end of that line -- it has to be on a separate line I think (and possibly separated by an empty comment line)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch, fixed

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! That seems to work judging by the docs artifacts from the CI runs.

@mbg mbg merged commit e9ecc56 into mbg:master Jul 19, 2024
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mbg mbg mbg approved these changes

Assignees

@fumieval fumieval

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@fumieval @mbg