Add a parser for IDPSSODescriptor a.k.a. IDP metadata #20
Conversation
There was a problem hiding this comment.
Thank you for the continuing contributions to this project!
Should it parse the contents of
x509Certificate?
I understand that, in your use case, you store the data in a database and so having it as Text is preferable, but I think that as much validation should be done while parsing the document as possible. Otherwise, you delay performing those checks and might have to implement them in a bunch of places / remember to carry them out in each of them, which is more error-prone.
Should there be a datatype for
NameIDFormat? If it should, It would affect the definition ofNameIDtoo
There probably should be, yes. I was thinking about this when reviewing #13, but wasn't sure how soon a need for this would arise. I'll leave it up to you whether you want to implement this as part of this PR or not though.
Some other comments:
-
As previously noted in Add a function that generates an SP initiated SSO request #19, it would be good if you could make sure that new source files align with the contribution guidelines with respect to documentation and style.
-
To make it easier for me to review these PRs, I would appreciate it if you could link to the relevant parts of the specification that you are implementing in the PR description or as part of the Haddock documentation going forward.
|
I updated the type of x509Certificate to |
|
I'll implement a datatype for NameIDFormat in a separate PR |
fumieval
force-pushed
the
idp-metadata
branch
from
afa1411
to
e08fd88
Compare
fumieval
force-pushed
the
idp-metadata
branch
from
e08fd88
to
684c422
Compare
|
I updated the code style a bit. It would be nice if you could document non-standard code style requirements (such as |
There was a problem hiding this comment.
Thanks for continuing to work on this and working on the formatting a bit. I have made some more suggestions about the formatting/documentation, as well as some questions to help me better understand the implementation with respect to the use of cryptostore, which should probably be documented somewhere.
| $ X509.readSignedObjectFromMemory | ||
| $ T.encodeUtf8 | ||
| $ T.unlines | ||
| [ "-----BEGIN CERTIFICATE-----" | ||
| , rawCertificate | ||
| , "-----END CERTIFICATE-----" | ||
| ] |
There was a problem hiding this comment.
There is a readSignedObjectFromMemory function in Data.X509.Memory fromx509-store as well. Why is the one from cryptostore needed? Both seem to be wrappers around decodeSignedObject from x509. I am wondering if it might be better to use one of those functions directly to avoid adding the BEGIN CERTIFICATE / dependency on cryptostore here?
There was a problem hiding this comment.
Yeah, this was an oversight; updated to use decodeSignedObject instead
No problem, if this is helpful I can add it explicitly to the contribution guidelines. |
fumieval
force-pushed
the
idp-metadata
branch
2 times, most recently
from
1ecdfe2
to
f675110
Compare
|
Rebased to use the NameIDFormat datatype |
fumieval
force-pushed
the
idp-metadata
branch
from
f675110
to
bb0be0a
Compare
I implemented a parser for IdP metadata. There are a few remaining design questions; I'm open to suggestions.
x509Certificate?NameIDFormat? If it should, It would affect the definition ofNameIDtoo