Skip to content

multi-ingress: Remove single IdP special-case#5291

Open
supersven wants to merge 4 commits into
developfrom
sventennie/remove-single-idp-specialcase
Open

multi-ingress: Remove single IdP special-case#5291
supersven wants to merge 4 commits into
developfrom
sventennie/remove-single-idp-specialcase

Conversation

@supersven

@supersven supersven commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Previously, POST /sso/get-by-email and GET /sso/initiate-login endpoints
treated an IdP as globally configured for all domains when there was only one
for a team. This led to information leakage and confusion, raising "Why do I endup at another domain's IdP when I'm on this one?" questions. Now, these endpoints
always treat IdPs as bound to a domain when multi-ingress is configured. I.e.
IdP domain and request domain must match, otherwise an error is returned.

The error resembles what would be returned if the IdP wouldn't exist.

To align with the others, this check is also added to the HEAD /sso/initiate-login pre-check endpoint.

Ticket: https://wearezeta.atlassian.net/browse/WPB-26244

Checklist

  • Add a new entry in an appropriate subdirectory of changelog.d
  • Read and follow the PR guidelines (Breaking behaviour, but currently no-one is using multi-ingress in prod)

@supersven supersven requested a review from Copilot June 25, 2026 14:32
@zebot zebot added the ok-to-test Approved for running tests in CI, overrides not-ok-to-test if both labels exist label Jun 25, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the IdP selection logic for /sso/get-by-email so that a single configured IdP is no longer automatically returned; instead, the IdP must match the requested domain (including the Nothing/unset case).

Changes:

  • Removed the “single IdP always matches” branch in getSsoCodeByEmailImpl, delegating all non-empty cases to domain-based matching.
  • Updated the unit property test to assert Just idpId only when the IdP’s configured domain matches the requested domain.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
libs/wire-subsystems/src/Wire/IdPSubsystem/Interpreter.hs Removes the singleton-IdP shortcut and always performs domain-based IdP selection for non-empty IdP lists.
libs/wire-subsystems/test/unit/Wire/IdPSubsystem/InterpreterSpec.hs Adjusts the property test expectations to align with the updated domain-matching behavior.

Comment thread libs/wire-subsystems/src/Wire/IdPSubsystem/Interpreter.hs Outdated
@supersven supersven force-pushed the sventennie/remove-single-idp-specialcase branch from bfdec8f to 3998b98 Compare June 29, 2026 14:13
@supersven supersven requested a review from Copilot June 29, 2026 14:14

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

Comment thread integration/test/Test/Spar/MultiIngressSSO.hs
Comment thread libs/wire-subsystems/src/Wire/IdPSubsystem/Interpreter.hs Outdated
@supersven supersven requested a review from Copilot June 29, 2026 16:45
@supersven supersven changed the title Remove single IdP special-case for /sso/get-by-email multi-ingress: Remove single IdP special-case Jun 29, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

Comment thread services/spar/src/Spar/API.hs Outdated
Comment on lines +7 to +8
To align with the others, this check is also added to the `HEAD
/sso/initiate-login` pre-check endpoint.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot Your change seems to have the same issue. Please make better proposal.

Previously, we treated a single IdP as global (spanning all domains) in
multi-ingress. But, this leaks information about "something which all
ingresses have in in common". Also, it's hard to impossible to configure
a working setup for this on (some?) SaaS.

So, we now require that - when multi-ingress is configured - the IdP
used for a request must have the same domain as the ingress which
received the request.
@supersven supersven force-pushed the sventennie/remove-single-idp-specialcase branch from 19fc31c to d7114b3 Compare June 30, 2026 07:10
@supersven supersven requested a review from Copilot June 30, 2026 07:12
@supersven supersven marked this pull request as ready for review June 30, 2026 07:13
@supersven supersven requested review from a team as code owners June 30, 2026 07:13

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

Comment thread libs/wire-subsystems/src/Wire/IdPSubsystem/Interpreter.hs
Comment on lines +46 to +48
let ernieZHost = "nginz-https.ernie.example.com"
bertZHost = "nginz-https.bert.example.com"
kermitZHost = "nginz-https.kermit.example.com"

@blackheaven blackheaven left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some minor changes

initiateSamlLoginWithZHost :: (HasCallStack, MakesValue domain) => domain -> Maybe String -> String -> App Response
initiateSamlLoginWithZHost domain mbZHost idpId = initiateSamlLoginWithZHostAndLabel domain mbZHost Nothing idpId --

-- | https://staging-nginz-https.zinfra.io/v16/api/swagger-ui/#/default/auth-req-precheck

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you detail a bit this comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, I saw that there is a pattern in this module to add links to Swagger to these endpoint client functions. Then, I followed the pattern as well.

Comment on lines +103 to +104
resp.status `shouldMatchInt` 404
resp.json %. "label" `shouldMatch` "not-found"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think there is a helper like assertLabel?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I forgot about it 😅 But, you're right: It's better 👍

@supersven supersven requested a review from blackheaven June 30, 2026 16:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ok-to-test Approved for running tests in CI, overrides not-ok-to-test if both labels exist

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants