mbg / wai-saml2

WAI middleware implementing SAML2
MIT License

Fixes for Keycloak #11

Closed Philonous closed 2 years ago

Philonous commented 2 years ago

I'm trying to use your library with Keycloak, and made a few changes to accommodate that use case:

Take for example (from here):

    oneOrFail "CanonicalizationMethod is required"
      $ cursor
     $/ element (dsName "CanonicalizationMethod")
    >=> parseXML

This parses as

    oneOrFail "CanonicalizationMethod is required"
      ( cursor
       $/ element (dsName "CanonicalizationMethod")
      >=> parseXML )

Note how the oneOrFail applies the whole expression including the >=> parseXML. The problem arises when parseXML throws an error. The correct behaviour is that the error gets thrown according to the MonadFail instance of the outer expression. However, because oneOrFail expects a list, parseXML uses the MonadFail instance of list, which just discards the error and returns an empty list. oneOrFail then throws its own error. The result is that the error that parseXML threw is replaced, making debugging a lot harder.

I replaced it with the following code, which propagates errors correctly:

    canonicalisationMethod <-
        oneOrFail "CanonicalizationMethod is required"
          ( cursor
         $/ element (dsName "CanonicalizationMethod")
          ) >>= parseXML

mbg commented 2 years ago

Hey @Philonous, thanks for opening this PR!

I removed encryptedKeyData from EncryptedKey. It's not used anywhere and prevented the assertion from being parsed.

I have had a look over the specification for EncryptedKey which largely extends the specification for EncryptedType. It seems that the KeyInfo key is optional (minOccurs='0'), rather than required. Even though it is not currently used, I would probably prefer correctly implementing it as optional, rather than removing outright! Could you make that change?

The parsing code had a subtle bug: [..]

Well spotted! Thanks for fixing this.

Philonous commented 2 years ago

I updated the PR so the encryptedKeyData field is parsed optionally.

Sorry about the white space changes, I've configured my editor to automatically remove trailing white spaces. I've tried to leave them out of the commit, but some seem to have slipped through and I couldn't be bothered to remove them since they are an improvement anyway :sweat_smile:

mbg commented 2 years ago

This is now released as https://hackage.haskell.org/package/wai-saml2-0.3.0.0, thank you again!