-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
EntityDescriptor: allow multiple certificates in IDPSSODescriptor #65
Conversation
89bcf67
to
3cd2924
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for opening a PR for this! The contributions are always appreciated 🙇🏻♂️
I have a couple of minor comments to fix some typos in the comments, but otherwise this looks good to me!
@@ -36,8 +36,8 @@ data IDPSSODescriptor | |||
= IDPSSODescriptor { | |||
-- | IdP Entity ID. 'Network.Wai.SAML2.Config.saml2ExpectedIssuer' should be compared against this identifier | |||
entityID :: Text | |||
-- | The X.509 certificate for signed assertions | |||
, x509Certificate :: X509.SignedExact X509.Certificate | |||
-- | The X.509 certificate for signed assertions -- @since 0.7 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor comment to make certificates
plural since there can be several now:
-- | The X.509 certificate for signed assertions -- @since 0.7 | |
-- | The X.509 certificates for signed assertions -- @since 0.7 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, the @since
annotation doesn't work at the end of that line -- it has to be on a separate line I think (and possibly separated by an empty comment line)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch, fixed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! That seems to work judging by the docs artifacts from the CI runs.
3cd2924
to
a15e96a
Compare
a15e96a
to
4a0f5f5
Compare
Summary
I realised that when an IdP is about to rotate their certificates, their IdP metadata may contain more than one certificate.
This PR changes the
x509Certificate
tox509Certificates :: [X509.SignedExact X509.Certificate]
so that it doesn't drop extra certificates.Checklist
@since
annotations.