Fix saml bug unable to login

[vits-hugs]

Description

After setting a user to login using SAML, and then disabling the login by SAML for the user, he cannot access the account anymore, neither by saml nor by username and password. So this PRs adds and verification to let a user with SAML authentication disabled login with username and password.

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• build/CI
• test (unit or integration test code)

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

How Has This Been Tested?

To test, i followed this process:

• With the config enable.login.saml.unathourized set to true:
  • Created a new user, and configured it to authenticate using SAML.
  • Login with SAML to test the new User.
  • Logout, and login with an Admin account.
  • Remove login with SAML of the user.
  • Login with the user using username and password.
• *With the config enable.login.saml.unathourized set to false:
  • Created a new user, and configured it to authenticate using SAML.
  • Login with SAML to test the new User.
  • Logout, and login with an Admin account.
  • Remove login with SAML of the user.
  • Verify that i couldn't login with the user, with SAML and with username and password.

[vits-hugs]

@blueorangutan package

[blueorangutan]

@vits-hugs a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 13387

[DaanHoogland]

clgtm, maybe this should be a setting allowing the operator to enable the ‘bypass’ login or not. What do you think @vits-hugs ?

[codecov]

Codecov Report

❌ Patch coverage is 20.00000% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 16.23%. Comparing base (e8200a0) to head (49266dd).

Files with missing lines	Patch %	Lines
...g/apache/cloudstack/saml/SAML2AuthManagerImpl.java	0.00%	4 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff            @@
##               4.20   #10868   +/-   ##
=========================================
  Coverage     16.23%   16.23%           
- Complexity    13371    13374    +3     
=========================================
  Files          5657     5657           
  Lines        498860   498864    +4     
  Branches      60543    60544    +1     
=========================================
+ Hits          81003    81004    +1     
- Misses       408824   408825    +1     
- Partials       9033     9035    +2     

Flag	Coverage Δ
uitests	4.00% <ø> (ø)
unittests	17.09% <20.00%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[rohityadavcloud]

Could be a security risk - perhaps wrap around a global setting. Some orgs may not want that?

[vits-hugs]

I think that displaying warning would make more sense, after you disable the SAML login, since if an admin would want to unable a user to access the application, it should disable the account. What do you think about that?

[DaanHoogland]

I think that displaying warning would make more sense, after you disable the SAML login, since if an admin would want to unable a user to access the application, it should disable the account. What do you think about that?

I think certain operators would want to be able to guarantee a user can only login via SSO. For some other operators your change makes sense. That is why we are asking to make the behaviour configurable.

[vits-hugs]

@DaanHoogland @rohityadavcloud, As requested i added a configuration to make the behaviour configurable, please review the changes.

[DaanHoogland]

clgtm

[vits-hugs]

@blueorangutan package

[blueorangutan]

@vits-hugs a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 13639

[DaanHoogland]

@blueorangutan test

[blueorangutan]

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-13483)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 56764 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10868-t13483-kvm-ol8.zip
Smoke tests completed. 132 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_01_secure_vm_migration	Error	136.84	test_vm_life_cycle.py
test_01_secure_vm_migration	Error	136.85	test_vm_life_cycle.py

[weizhouapache]

I am not a SAML user, but I have two questions

• if the SAML user is disabled, should we allow it to log into cloudstack ?
• what the default value of new global settings should be ?

[DaanHoogland]

@vits-hugs , do you still want to move this forwards? It need addressing @weizhouapache ’s comments and a test/review.

[erikbocks]

Hello, @DaanHoogland and @weizhouapache

@vits-hugs , do you still want to move this forwards? It need addressing @weizhouapache ’s comments and a test/review.

Yes, I think we can move this PR forward. I will take care of it on behalf of Vitor.

if the SAML user is disabled, should we allow it to log into cloudstack ?

It's not the SAML user that is disabled, but the possibility of logging in with SAML SSO.

As an example, let's say the user used to log in with their own ACS credentials (username and password), and then SAML authentication was added to the environment by the operators. If, after a while, the operators decide to remove the SAML authentication from the environment, the user cannot log in anymore, neither with SAML (as it was removed), nor with their credentials.

Thus, this PR allows users in these scenarios to log in with their credentials again, even if their SAML login was disabled. If the operator wishes to actually disable the user, they should use lockUser or disableUser instead.

what the default value of new global settings should be ?

Personally, I think that the default value for the configuration should be true, as it doesn't make sense to disable all access when a dedicated API for it already exists, and the intuitive behavior would be to return to the state before it was enabled in the first place.

However, I also understand that this PR implements a sensitive change and it could take operators by surprise. Therefore, I propose the change of the default value to false and letting operators decide whether they want it to be possible or not. What do you think about it? @DaanHoogland @weizhouapache

[DaanHoogland]

I think your approach is sane @erikbocks . The only snag is that saml users may not have a local account at all.

[hsato03]

clgtm, I agree changing the new global setting to have the default value as false to keep the current behavior.

[weizhouapache]

clgtm, I agree changing the new global setting to have the default value as false to keep the current behavior.

yes, the default value should be false

@erikbocks
can you rebase with 4.20 ? we do not maintain 4.19 any more.
for the global setting name, enable.login.saml.unathourized implies the saml user is unathourized, not disabled. should it be changed ?