Introduce idpCertFingerprintAllowList#5272
Open
supersven wants to merge 3 commits into
Open
Conversation
zebot
added
the
ok-to-test
Contributor
There was a problem hiding this comment.
Pull request overview
Adds an optional configuration (idpCertFingerprintAllowlist) to restrict which IdP descriptor signing certificates are accepted (by SHA-1 fingerprint), enforcing the check during IdP create/update and during SAML AuthnResponse processing.
Changes:
- Introduce config parsing for an IdP cert fingerprint allowlist and wire it into Spar options/Helm config.
- Enforce allowlist checks in Spar’s IdP create/update flows and in
authresp. - Extend
Data.X509.Extendedwith fingerprint utilities and add unit + integration tests covering allowlist behavior.
Reviewed changes
Copilot reviewed 17 out of 17 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| services/spar/test/Test/Spar/Saml/IdPSpec.hs | Adds unit tests for allowlist behavior across create/update/authresp and updates the Polysemy test harness to provide Input Opts. |
| services/spar/src/Spar/Options.hs | Adds idpCertFingerprintAllowlist :: Maybe CertFingerprintAllowlist and JSON/YAML parsing for the allowlist entries. |
| services/spar/src/Spar/Error.hs | Introduces SparIdPCertNotAllowed and maps it to HTTP 403 with label idp-cert-not-allowed. |
| services/spar/src/Spar/API.hs | Enforces allowlist checks via assertCertsAllowlisted in create/update and SAML auth response handling. |
| services/spar/spar.integration.yaml | Documents and sets the integration config key idpCertFingerprintAllowlist: [] (disabled). |
| services/spar/spar.cabal | Adds new test-suite dependencies needed by the updated specs. |
| services/spar/default.nix | Updates Nix derivation dependencies for Spar (but currently incomplete for test deps; see PR comments). |
| libs/saml2-web-sso/src/SAML2/WebSSO/Test/Arbitrary.hs | Adds deterministic certificate generation helper (mkArbitrarySignedCert) for tests. |
| libs/extended/test/Test/Data/X509/ExtendedSpec.hs | Expands tests for fingerprint parsing/rendering and SHA-1 computation. |
| libs/extended/src/Data/X509/Extended.hs | Adds Fingerprint type and SHA-1 fingerprint compute/parse/render helpers; uses them in certDescription. |
| libs/extended/extended.cabal | Adds test dependencies (QuickCheck, text) to support new tests. |
| libs/extended/default.nix | Aligns Nix test dependencies with updated extended.cabal. |
| integration/test/Test/Spar/CertFingerprintAllowlist.hs | Adds integration tests validating allowlist enforcement in create/update and successful finalize-login when allowlisted. |
| integration/integration.cabal | Registers the new integration test module. |
| charts/wire-server/values.yaml | Documents and exposes spar.config.idpCertFingerprintAllowlist Helm value. |
| charts/wire-server/templates/spar/configmap.yaml | Renders idpCertFingerprintAllowlist into Spar’s configmap. |
| changelog.d/2-features/idp-cert-fingerprint-allowlist | Documents the new configuration option (but currently uses a mismatched key casing; see PR comments). |
supersven
force-pushed
the
sventennie/idp-cert-allowlist
branch
2 times, most recently
from
5f742bc to
7ef9263
Compare
If set, only IdP certs with allow listed fingerprints can be used.
supersven
force-pushed
the
sventennie/idp-cert-allowlist
branch
from
c5f3994 to
642705f
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
If this list of fingerprints is set, only IdP certs with allow listed fingerprints can be used.
This was requested by security for multi-ingress, because there we're going to break the 1:1 relationship between users and IdPs and thus have to be a bit stricter regarding IdP configurations.
Ticket: https://wearezeta.atlassian.net/browse/WPB-26150
Checklist
changelog.d