cloudstack Fix saml bug unable to login

Description

After setting a user to login using SAML, and then disabling the login by SAML for the user, he cannot access the account anymore, neither by saml nor by username and password. So this PRs adds and verification to let a user with SAML authentication disabled login with username and password.

Types of changes

[ ] Breaking change (fix or feature that would cause existing functionality to change)
[ ] New feature (non-breaking change which adds functionality)
[x] Bug fix (non-breaking change which fixes an issue)
[ ] Enhancement (improves an existing feature and functionality)
[ ] Cleanup (Code refactoring and cleanup, that may add test cases)
[ ] build/CI
[ ] test (unit or integration test code)

Bug Severity

[ ] BLOCKER
[ ] Critical
[ ] Major
[ ] Minor
[x] Trivial

How Has This Been Tested?

To test, i followed this process:

With the config enable.login.saml.unathourized set to true:
- Created a new user, and configured it to authenticate using SAML.
- Login with SAML to test the new User.
- Logout, and login with an Admin account.
- Remove login with SAML of the user.
- Login with the user using username and password.
*With the config enable.login.saml.unathourized set to false:
- Created a new user, and configured it to authenticate using SAML.
- Login with SAML to test the new User.
- Logout, and login with an Admin account.
- Remove login with SAML of the user.
- Verify that i couldn't login with the user, with SAML and with username and password.

May 14 '25 18:05 vits-hugs

@blueorangutan package

May 14 '25 19:05 vits-hugs

@vits-hugs a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

May 14 '25 19:05 blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 13387

May 14 '25 20:05 blueorangutan

Codecov Report

Attention: Patch coverage is 20.00000% with 4 lines in your changes missing coverage. Please review.

Project coverage is 15.18%. Comparing base (f0838cd) to head (a578d56). Report is 29 commits behind head on 4.19.

Files with missing lines	Patch %	Lines
...g/apache/cloudstack/saml/SAML2AuthManagerImpl.java	0.00%	4 Missing :warning:

Additional details and impacted files

@@            Coverage Diff             @@
##               4.19   #10868    +/-   ##
==========================================
  Coverage     15.17%   15.18%            
- Complexity    11339    11360    +21     
==========================================
  Files          5414     5416     +2     
  Lines        475185   475894   +709     
  Branches      57991    58094   +103     
==========================================
+ Hits          72105    72246   +141     
- Misses       395018   395564   +546     
- Partials       8062     8084    +22

Flag	Coverage Δ
uitests	`4.28% <ø> (-0.01%)`	:arrow_down:
unittests	`15.90% <20.00%> (+<0.01%)`	:arrow_up:

Flags with carried forward coverage won't be shown. Click here to find out more.

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

:rocket: New features to boost your workflow:

:snowflake: Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
:package: JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

May 15 '25 06:05 codecov[bot]

Could be a security risk - perhaps wrap around a global setting. Some orgs may not want that?

May 15 '25 11:05 rohityadavcloud

I think that displaying warning would make more sense, after you disable the SAML login, since if an admin would want to unable a user to access the application, it should disable the account. What do you think about that?

May 15 '25 18:05 vits-hugs

I think that displaying warning would make more sense, after you disable the SAML login, since if an admin would want to unable a user to access the application, it should disable the account. What do you think about that?

I think certain operators would want to be able to guarantee a user can only login via SSO. For some other operators your change makes sense. That is why we are asking to make the behaviour configurable.

May 16 '25 07:05 DaanHoogland

@DaanHoogland @rohityadavcloud, As requested i added a configuration to make the behaviour configurable, please review the changes.

Jun 03 '25 20:06 vits-hugs

@blueorangutan package

Jun 05 '25 17:06 vits-hugs

@vits-hugs a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

Jun 05 '25 17:06 blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 13639

Jun 05 '25 18:06 blueorangutan

@blueorangutan test

Jun 09 '25 14:06 DaanHoogland

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

Jun 09 '25 14:06 blueorangutan

[SF] Trillian test result (tid-13483) Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8 Total time taken: 56764 seconds Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10868-t13483-kvm-ol8.zip Smoke tests completed. 132 look OK, 1 have errors, 0 did not run Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_01_secure_vm_migration	`Error`	136.84	test_vm_life_cycle.py
test_01_secure_vm_migration	`Error`	136.85	test_vm_life_cycle.py

Jun 10 '25 07:06 blueorangutan

I am not a SAML user, but I have two questions

if the SAML user is disabled, should we allow it to log into cloudstack ?
what the default value of new global settings should be ?

Jun 10 '25 07:06 weizhouapache