Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

log whether "matching cert" is consistent with the bug fix #10765

Merged
merged 5 commits into from
Jun 10, 2024
Merged

log whether "matching cert" is consistent with the bug fix #10765

merged 5 commits into from
Jun 10, 2024

Conversation

Sgtpluck
Copy link
Member

@Sgtpluck Sgtpluck commented Jun 5, 2024

🎫 Ticket

Link to the relevant ticket:
Add SAML request validation matching certificate logging

🛠 Summary of changes

Adds logging so that we can determine which partners, if any, may experience breaking changes when we deploy the code that accurately finds the DigestMethod for SAML request assertions that are not using the ds namespace.
This change:

  • Adds a field to the Saml Auth event if the request is successful and signed. This field indicates whether the certificate that is being used to encrypt the response is the same certificate that is being found via the code that fixes a bug where the DigestMethod will be found.
  • Updates and adds tests
  • Updates the saml_idp version

@Sgtpluck Sgtpluck requested review from zachmargolis and a team June 5, 2024 16:47
zachmargolis
zachmargolis reviewed Jun 5, 2024
View reviewed changes
spec/controllers/saml_idp_controller_spec.rb Outdated Show resolved Hide resolved
spec/controllers/saml_idp_controller_spec.rb Outdated Show resolved Hide resolved
app/controllers/saml_idp_controller.rb Show resolved Hide resolved
app/controllers/saml_idp_controller.rb Show resolved Hide resolved
matthinz
matthinz approved these changes Jun 7, 2024
View reviewed changes
Copy link
Member

@matthinz matthinz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, barring the analytics param update. Other feedback is not blocking

app/services/analytics_events.rb Outdated
@@ -4931,6 +4931,8 @@ def rules_of_use_visit
# @param [Integer] requested_ial
# @param [Boolean] request_signed
# @param [String] matching_cert_serial
# @option extra [Boolean] encryption_cert_matches_matching_cert If the encryption certificate
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change to @param and add as a... parameter

spec/controllers/saml_idp_controller_spec.rb Outdated
end

it 'notes that in the analytics event' do
IdentityLinker.new(user, service_provider).link_identity
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mayyyybe look into updating generate_saml_response to do this "and they have a verified email" dance

@Sgtpluck Sgtpluck merged commit 3d5c504 into main Jun 10, 2024
2 checks passed
@Sgtpluck Sgtpluck deleted the dmm/log-matching-cert branch June 10, 2024 15:29
@mitchellhenke mitchellhenke mentioned this pull request Jun 11, 2024
Merged
brandemix pushed a commit to brandemix/18F-identity-idp that referenced this pull request Jun 17, 2024
@Sgtpluck @brandemix
log whether "matching cert" is consistent with the bug fix (18F#10765)
621d809 
* Add logging to determine if bug fix will cause problems with partners
* changelog: Internal, Analytics, Add logging for SAML namespace fix
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zachmargolis zachmargolis zachmargolis left review comments

@matthinz matthinz matthinz approved these changes

@lmgeorge lmgeorge lmgeorge approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Sgtpluck @matthinz @zachmargolis @lmgeorge