Add EncryptedElementType key resolver to SAML plugin

[mlsorensen]

Description

There are multiple ways in which a SAML response can be formatted, especially when encryption is enabled. This PR removes the hardcoding of EncryptedKeyResolver= InlineEncryptedKeyResolver in favor of using a ChainingEncryptedKeyResolver which will try multiple resolvers. It preserves the InlineEncryptedKeyResolver as the first option but adds EncryptedElementTypeEncryptedKeyResolver to the chain of resolvers to try.

ChainingEncryptedKeyResolver is a bit finicky in that you can't provide it a list of resolvers, you can only fetch its internal list and add to it.

Theoretically we could add all of the resolver types to the chain, but for now just preserving the ones known to be in use.

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

How Has This Been Tested?

Tested locally against an installed IDP that provides the EncryptedElementType of XML response.

[codecov]

Codecov Report

Merging #7268 (bf7b205) into main (dd51534) will increase coverage by 2.29%.
The diff coverage is n/a.

@@             Coverage Diff              @@
##               main    #7268      +/-   ##
============================================
+ Coverage     10.38%   12.67%   +2.29%     
- Complexity     6651     8641    +1990     
============================================
  Files          2453     2716     +263     
  Lines        242444   256114   +13670     
  Branches      37941    39926    +1985     
============================================
+ Hits          25168    32461    +7293     
- Misses       214159   219524    +5365     
- Partials       3117     4129    +1012     

Impacted Files	Coverage Δ
.../cloudstack/api/response/ApiDiscoveryResponse.java	0.00% <0.00%> (-100.00%)	⬇️
.../cloudstack/api/response/ApiParameterResponse.java	0.00% <0.00%> (-100.00%)	⬇️
...va/com/cloud/upgrade/dao/DatabaseAccessObject.java	0.00% <0.00%> (-97.50%)	⬇️
...ain/java/com/cloud/upgrade/dao/DbUpgradeUtils.java	0.00% <0.00%> (-92.31%)	⬇️
...e/cloudstack/api/response/ApiResponseResponse.java	0.00% <0.00%> (-80.00%)	⬇️
.../cloudstack/discovery/ApiDiscoveryServiceImpl.java	13.93% <0.00%> (-55.25%)	⬇️
...in/java/com/cloud/upgrade/dao/Upgrade444to450.java	0.00% <0.00%> (-50.00%)	⬇️
...in/java/com/cloud/upgrade/dao/Upgrade453to460.java	0.00% <0.00%> (-50.00%)	⬇️
...java/com/cloud/upgrade/DatabaseUpgradeChecker.java	0.00% <0.00%> (-46.67%)	⬇️
...in/java/com/cloud/upgrade/dao/Upgrade431to440.java	0.00% <0.00%> (-40.00%)	⬇️
... and 753 more

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

0.0% Coverage
0.0% Duplication

[mlsorensen]

I'm not sure what's going on with that Jenkins build. I can see that it is looking for org.opensaml:opensaml:pom:2.6.7-SNAPSHOT and not finding it. However I haven't changed the version (it is 2.6.6 in the pom), and it builds fine locally, so I'm not sure where it's coming up with 2.6.7-SNAPSHOT.

[WARNING] Unable to create Maven project for org.opensaml:opensaml:pom:2.6.7-SNAPSHOT from repository.
org.apache.maven.project.ProjectBuildingException: Error resolving project artifact: org.opensaml:opensaml:pom:2.6.7-SNAPSHOT was not found in https://repo.jenkins-ci.org/public/ during a previous attempt. This failure was cached in the local repository and resolution is not reattempted until the update interval of repo.jenkins-ci.org.public has elapsed or updates are forced for project org.opensaml:opensaml:pom:2.6.7-SNAPSHOT

[mlsorensen]

Ok looks like I'm not the only PR failing in the same way...

[yadvr]

That looks like a warning as it's trying to download/fetch opensaml dependency from a maven repo which doesn't have it. Ignorable as build works.

@blueorangutan package

[blueorangutan]

@rohityadavcloud a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[yadvr]

code lgtm, this would need manual regression testing with a known SAML provide such as https://samltest.id etc.

[blueorangutan]

Packaging result: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 5642

[DaanHoogland]

@blueorangutan test

[blueorangutan]

@DaanHoogland a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

[blueorangutan]

Trillian test result (tid-6232)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 40912 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7268-t6232-kvm-centos7.zip
Smoke tests completed. 108 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File

[DaanHoogland]

clgtm

[yadvr]

@blueorangutan package

[blueorangutan]

@rohityadavcloud a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 5739

[yadvr]

@blueorangutan package

[blueorangutan]

@rohityadavcloud a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[borisstoyanov]

@blueorangutan test keepEnv

[blueorangutan]

@borisstoyanov a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

[blueorangutan]

Packaging result: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 5824

[borisstoyanov]

@blueorangutan test keepEnv

[blueorangutan]

@borisstoyanov a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

[blueorangutan]

Trillian test result (tid-6353)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 41964 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7268-t6353-kvm-centos7.zip
Smoke tests completed. 92 look OK, 0 have errors, 16 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
all_test_accounts	Skipped	---	test_accounts.py
all_test_over_provisioning	Skipped	---	test_over_provisioning.py
all_test_affinity_groups	Skipped	---	test_affinity_groups.py
all_test_ipv6_infra	Skipped	---	test_ipv6_infra.py
all_test_usage	Skipped	---	test_usage.py
all_test_affinity_groups_projects	Skipped	---	test_affinity_groups_projects.py
all_test_resource_detail	Skipped	---	test_resource_detail.py
all_test_annotations	Skipped	---	test_annotations.py
all_test_router_dhcphosts	Skipped	---	test_router_dhcphosts.py
all_test_iso	Skipped	---	test_iso.py
all_test_staticroles	Skipped	---	test_staticroles.py
all_test_attach_multiple_volumes	Skipped	---	test_attach_multiple_volumes.py
all_test_kubernetes_clusters	Skipped	---	test_kubernetes_clusters.py
all_test_backup_recovery_dummy	Skipped	---	test_backup_recovery_dummy.py
all_test_password_server	Skipped	---	test_password_server.py
all_test_certauthority_root	Skipped	---	test_certauthority_root.py

[borisstoyanov]

LGTM,

Managed to manually regression test it with a simple saml server, didn't had any issues.

[yadvr]

Considering smoketests from #7268 (comment) and manual QA, LGTM, merging.