Skip to content

IdP change notification emails #4987

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
supersven wants to merge 8 commits into
base: develop
Choose a base branch
from
Draft

IdP change notification emails #4987

supersven wants to merge 8 commits into from

Conversation

@supersven
Copy link
Contributor

@supersven supersven commented Jan 28, 2026
edited
Loading

Ticket: https://wearezeta.atlassian.net/browse/WPB-22124

Checklist

  • Add a new entry in an appropriate subdirectory of changelog.d
  • Read and follow the PR guidelines

@supersven supersven force-pushed the sventennie/idp-change-notification-emails branch from 70ab96d to 6fc7af7 Compare January 28, 2026 16:35
@supersven supersven requested a review from Copilot January 28, 2026 17:54
@zebot zebot added the ok-to-test Approved for running tests in CI, overrides not-ok-to-test if both labels exist label Jan 28, 2026
Copilot AI reviewed Jan 28, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request implements IdP change notification emails for team admins and owners when SAML Identity Providers are created, updated, or deleted via the API. The feature is currently only enabled for multi-ingress setups as a safety precaution.

Changes:

  • Added a new SAMLEmailSubsystem subsystem to handle IdP change notifications
  • Implemented email templates in English and German with certificate details
  • Modified IdP CRUD operations in Spar to send notifications when multi-ingress is configured
  • Refactored template loading code from Brig to wire-subsystems for better reusability
  • Added comprehensive test coverage for the email notification functionality

Reviewed changes

Copilot reviewed 64 out of 64 changed files in this pull request and generated 8 comments.

Show a summary per file
File Description
libs/wire-subsystems/src/Wire/SAMLEmailSubsystem.hs New subsystem effect for SAML email notifications
libs/wire-subsystems/src/Wire/SAMLEmailSubsystem/Interpreter.hs Implementation that sends emails to team admins/owners with certificate changes
libs/wire-subsystems/src/Wire/EmailSubsystem.hs Added SendSAMLIdPChanged effect and IdPDetails data type
libs/wire-subsystems/src/Wire/EmailSubsystem/Interpreter.hs Email rendering logic for IdP change notifications
services/spar/src/Spar/API.hs Modified idpCreate, idpDelete, idpUpdate to send notifications
libs/wire-subsystems/test/unit/Wire/SAMLEmailSubsystem/InterpreterSpec.hs Comprehensive tests for email notifications with multiple locales
services/spar/test/Test/Spar/Saml/IdPSpec.hs Tests verifying notification sending behavior
libs/wire-subsystems/templates//team/email/ Email templates for IdP configuration changes
libs/wire-subsystems/src/Wire/EmailSubsystem/Template.hs Moved template loading utilities from Brig for reusability
libs/wire-api/src/Wire/API/Routes/Internal/Brig.hs Added IdpChangedNotification type and SAMLIdPAPI endpoint
libs/saml2-web-sso/src/SAML2/WebSSO/* Added schema instances for SAML types (Issuer, IdPMetadata, IdPId, IdPConfig)
libs/extended/src/Data/X509/Extended.hs Enhanced to provide structured certificate descriptions
changelog.d/2-features/send-email-on-idp-change Documented the new feature

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

services/spar/test/Test/Spar/Saml/IdPSpec.hs
SetStatus _userId _status -> undefined
GetDefaultUserLocale -> undefined
CheckAdminGetTeamId _userId -> undefined
SendSAMLIdPChangedEmail notif -> modify (notif :)
Copy link

Copilot AI Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The notifications list is accumulated in reverse order (using notif : at line 557 prepends to the list). This means when multiple operations occur (like create followed by delete), the notifications will be in reverse chronological order. The test at line 448 expects [IdPDeleted ..., IdPCreated ...], which confirms this behavior. However, this might be counterintuitive since the natural expectation would be chronological order (oldest first). Consider either reversing the list before returning it, or documenting this behavior clearly.

Copilot uses AI. Check for mistakes.
Copilot AI mentioned this pull request Jan 28, 2026
Closed
3 tasks
Copy link
Contributor

Copilot AI commented Jan 28, 2026

@supersven I've opened a new pull request, #4989, to work on those changes. Once the pull request is ready, I'll request review from you.

@supersven supersven force-pushed the sventennie/idp-change-notification-emails branch from 9b0666b to f47d6bc Compare January 28, 2026 18:45
@supersven supersven requested a review from Copilot January 28, 2026 18:46
Copilot AI reviewed Jan 28, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 65 out of 65 changed files in this pull request and generated 3 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@supersven supersven force-pushed the sventennie/idp-change-notification-emails branch from a3cb027 to 886b626 Compare January 29, 2026 15:31
@supersven
Add changelog entry
ca355d8
@supersven
Add call spar -> brig
4a9f826 
If multi-ingress is configured, call a brig endpoint on every IdP
change. Brig will then send an email to all team admins and owners.
@supersven supersven force-pushed the sventennie/idp-change-notification-emails branch 2 times, most recently from 4ec7105 to 6a987d3 Compare January 29, 2026 16:43
@supersven
Define ToSchema for IdP
5ff0240 
This replaces prior ToJSON/FromJSON and openapi3 ToSchema instances.

IdP will later be used in other entities that should get their
ToJSON/FromJSON instances via ToSchema.

There's a golden test on `master` which ensures we aren't breaking
anything with this.
@supersven
Implement brig endpoint
765742e
@supersven
Add email templates
6c73b97
@supersven
Move template read code to subsystems
0a17cb1 
Move team template readers to EmailSubsystem

Such that they can be re-used in unit tests.
@supersven
Implement test for SAMLEmailSubsystem
1c38dbd 
This ensures we can actually render templates with the data of the brig
endpoint.
@supersven supersven force-pushed the sventennie/idp-change-notification-emails branch from 6a987d3 to 1c38dbd Compare January 30, 2026 06:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

ok-to-test Approved for running tests in CI, overrides not-ok-to-test if both labels exist

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@supersven @zebot