<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Saml on DRM HSE</title><link>https://www.drmhse.com/tags/saml/</link><description>Recent content in Saml on DRM HSE</description><generator>Hugo</generator><language>en</language><lastBuildDate>Wed, 15 Jul 2026 22:13:24 +0300</lastBuildDate><atom:link href="https://www.drmhse.com/tags/saml/index.xml" rel="self" type="application/rss+xml"/><item><title>Serializing SAML Certificate Rotation with a PostgreSQL Row Lock</title><link>https://www.drmhse.com/posts/check-then-act-race-condition/</link><pubDate>Thu, 20 Nov 2025 05:20:09 +0000</pubDate><guid>https://www.drmhse.com/posts/check-then-act-race-condition/</guid><description>&lt;p>A concurrent integration test caught a failure in a SAML certificate-rotation endpoint. The API used Rust, &lt;code>axum&lt;/code>, SeaORM, and PostgreSQL. Each request followed a reasonable sequence: find the active signing key, deactivate it, then insert its replacement.&lt;/p>
&lt;p>That sequence was only correct while one request ran at a time.&lt;/p>
&lt;p>When the test sent two rotation requests together, one of them returned &lt;code>500 Internal Server Error&lt;/code> with a PostgreSQL &lt;code>UniqueViolation&lt;/code>. The database had protected the data, but the handler had not treated the read and the following writes as one concurrent operation.&lt;/p></description></item></channel></rss>