Fix resource leaks in SamlSettingsHolder, SamlValidator, and IndexResource

- SamlSettingsHolder: Wrap FileInputStream in try-with-resources in
  initDefaultSettings() to prevent file descriptor leak
- SamlValidator: Add try-finally with conn.disconnect() in
  validateIdpConnectivity() to prevent TCP socket leak; close
  InputStream in readResponseSnippet(); close DeflaterOutputStream
  and Deflater in createTestSamlRequest()
- IndexResource: Wrap InputStream/BufferedReader in try-with-resources
  in both constructor and getIndexFile(); add null check for missing
  classpath resource

Author: RajdeepKushwaha5

openmetadata-service/src/main/java/org/openmetadata/service/resources/system/IndexResource.java

@@ -18,11 +18,17 @@ public class IndexResource {
   private String indexHtml;
 
   public IndexResource() {
-    InputStream inputStream = getClass().getResourceAsStream("/assets/index.html");
-    indexHtml =
-        new BufferedReader(new InputStreamReader(inputStream))
-            .lines()
-            .collect(Collectors.joining("\n"));
+    try (InputStream inputStream = getClass().getResourceAsStream("/assets/index.html")) {
+      if (inputStream == null) {
+        throw new IllegalStateException("Resource /assets/index.html not found on classpath");
+      }
+      indexHtml =
+          new BufferedReader(new InputStreamReader(inputStream))
+              .lines()
+              .collect(Collectors.joining("\n"));
+    } catch (java.io.IOException e) {
+      throw new IllegalStateException("Failed to read /assets/index.html", e);
+    }
   }
 
   public void initialize(OpenMetadataApplicationConfig config) {
@@ -32,11 +38,18 @@ public void initialize(OpenMetadataApplicationConfig config) {
   public static String getIndexFile(String basePath) {
     LOG.info("IndexResource.getIndexFile called with basePath: [{}]", basePath);
 
-    InputStream inputStream = IndexResource.class.getResourceAsStream("/assets/index.html");
-    String indexHtml =
-        new BufferedReader(new InputStreamReader(inputStream))
-            .lines()
-            .collect(Collectors.joining("\n"));
+    String indexHtml;
+    try (InputStream inputStream = IndexResource.class.getResourceAsStream("/assets/index.html")) {
+      if (inputStream == null) {
+        throw new IllegalStateException("Resource /assets/index.html not found on classpath");
+      }
+      indexHtml =
+          new BufferedReader(new InputStreamReader(inputStream))
+              .lines()
+              .collect(Collectors.joining("\n"));
+    } catch (java.io.IOException e) {
+      throw new IllegalStateException("Failed to read /assets/index.html", e);
+    }
 
     String result = indexHtml.replace("${basePath}", basePath);
     String basePathLine =

openmetadata-service/src/main/java/org/openmetadata/service/security/auth/validator/SamlValidator.java

@@ -294,46 +294,50 @@ private FieldError validateIdpConnectivity(SamlSSOClientConfig samlConfig) {
 
       URL url = new URL(urlWithParams);
       HttpURLConnection conn = (HttpURLConnection) url.openConnection();
-      conn.setRequestMethod("GET");
-      conn.setConnectTimeout(5000);
-      conn.setReadTimeout(5000);
-      conn.setInstanceFollowRedirects(false);
-      int responseCode = conn.getResponseCode();
-      LOG.debug("IdP response code to SAML request: {}", responseCode);
-
-      // Analyze response
-      if (responseCode == 404) {
-        return ValidationErrorBuilder.createFieldError(
-            ValidationErrorBuilder.FieldPaths.SAML_IDP_SSO_URL,
-            "SSO Login URL not found (HTTP 404). The URL '" + ssoUrl + "' does not exist.");
-      } else if (responseCode == 405) {
-        return ValidationErrorBuilder.createFieldError(
-            ValidationErrorBuilder.FieldPaths.SAML_IDP_SSO_URL,
-            "SSO URL doesn't accept GET requests (HTTP 405). Please check the SSO URL configuration.");
-      } else if (responseCode >= 200 && responseCode < 400) {
-        // 200 or 302 means the IdP accepted our SAML request
-        return null; // Success - SSO Login URL validated
-      } else if (responseCode >= 400 && responseCode < 500) {
-        // 400-499 could mean wrong URL or IdP rejecting the request
-        // Read a bit of the response to check for specific errors
-        String responseSnippet = readResponseSnippet(conn);
-        if (responseSnippet.toLowerCase().contains("saml")
-            || responseSnippet.toLowerCase().contains("invalid")) {
-          // Warning case - treat as success
-          LOG.warn(
-              "SSO URL responded with client error (HTTP {}). This might be due to the test SAML request format.",
-              responseCode);
-          return null;
+      try {
+        conn.setRequestMethod("GET");
+        conn.setConnectTimeout(5000);
+        conn.setReadTimeout(5000);
+        conn.setInstanceFollowRedirects(false);
+        int responseCode = conn.getResponseCode();
+        LOG.debug("IdP response code to SAML request: {}", responseCode);
+
+        // Analyze response
+        if (responseCode == 404) {
+          return ValidationErrorBuilder.createFieldError(
+              ValidationErrorBuilder.FieldPaths.SAML_IDP_SSO_URL,
+              "SSO Login URL not found (HTTP 404). The URL '" + ssoUrl + "' does not exist.");
+        } else if (responseCode == 405) {
+          return ValidationErrorBuilder.createFieldError(
+              ValidationErrorBuilder.FieldPaths.SAML_IDP_SSO_URL,
+              "SSO URL doesn't accept GET requests (HTTP 405). Please check the SSO URL configuration.");
+        } else if (responseCode >= 200 && responseCode < 400) {
+          // 200 or 302 means the IdP accepted our SAML request
+          return null; // Success - SSO Login URL validated
+        } else if (responseCode >= 400 && responseCode < 500) {
+          // 400-499 could mean wrong URL or IdP rejecting the request
+          // Read a bit of the response to check for specific errors
+          String responseSnippet = readResponseSnippet(conn);
+          if (responseSnippet.toLowerCase().contains("saml")
+              || responseSnippet.toLowerCase().contains("invalid")) {
+            // Warning case - treat as success
+            LOG.warn(
+                "SSO URL responded with client error (HTTP {}). This might be due to the test SAML request format.",
+                responseCode);
+            return null;
+          }
+          return ValidationErrorBuilder.createFieldError(
+              ValidationErrorBuilder.FieldPaths.SAML_IDP_SSO_URL,
+              "SSO URL returned error (HTTP "
+                  + responseCode
+                  + "). Please verify the URL is correct.");
+        } else {
+          return ValidationErrorBuilder.createFieldError(
+              ValidationErrorBuilder.FieldPaths.SAML_IDP_SSO_URL,
+              "SSO URL is not accessible (HTTP " + responseCode + ")");
         }
-        return ValidationErrorBuilder.createFieldError(
-            ValidationErrorBuilder.FieldPaths.SAML_IDP_SSO_URL,
-            "SSO URL returned error (HTTP "
-                + responseCode
-                + "). Please verify the URL is correct.");
-      } else {
-        return ValidationErrorBuilder.createFieldError(
-            ValidationErrorBuilder.FieldPaths.SAML_IDP_SSO_URL,
-            "SSO URL is not accessible (HTTP " + responseCode + ")");
+      } finally {
+        conn.disconnect();
       }
     } catch (Exception e) {
       LOG.warn("SSO URL validation failed", e);
@@ -376,10 +380,13 @@ private String createTestSamlRequest(SamlSSOClientConfig samlConfig) {
       java.io.ByteArrayOutputStream bytesOut = new java.io.ByteArrayOutputStream();
       java.util.zip.Deflater deflater =
           new java.util.zip.Deflater(java.util.zip.Deflater.DEFLATED, true);
-      java.util.zip.DeflaterOutputStream deflaterStream =
-          new java.util.zip.DeflaterOutputStream(bytesOut, deflater);
-      deflaterStream.write(samlRequestXml.getBytes(StandardCharsets.UTF_8));
-      deflaterStream.finish();
+      try (java.util.zip.DeflaterOutputStream deflaterStream =
+          new java.util.zip.DeflaterOutputStream(bytesOut, deflater)) {
+        deflaterStream.write(samlRequestXml.getBytes(StandardCharsets.UTF_8));
+        deflaterStream.finish();
+      } finally {
+        deflater.end();
+      }
 
       // Base64 encode
       String base64Request = Base64.getEncoder().encodeToString(bytesOut.toByteArray());
@@ -400,10 +407,12 @@ private String readResponseSnippet(HttpURLConnection conn) {
         inputStream = conn.getInputStream();
       }
       if (inputStream != null) {
-        byte[] buffer = new byte[500];
-        int bytesRead = inputStream.read(buffer);
-        if (bytesRead > 0) {
-          return new String(buffer, 0, bytesRead, StandardCharsets.UTF_8);
+        try (inputStream) {
+          byte[] buffer = new byte[500];
+          int bytesRead = inputStream.read(buffer);
+          if (bytesRead > 0) {
+            return new String(buffer, 0, bytesRead, StandardCharsets.UTF_8);
+          }
         }
       }
     } catch (Exception e) {

openmetadata-service/src/main/java/org/openmetadata/service/security/saml/SamlSettingsHolder.java

@@ -118,9 +118,9 @@ public void initDefaultSettings(OpenMetadataApplicationConfig catalogApplication
           && !CommonUtil.nullOrEmpty(securityConfig.getKeyStorePassword())
           && !CommonUtil.nullOrEmpty(securityConfig.getKeyStoreAlias())) {
         KeyStore keyStore = KeyStore.getInstance("JKS");
-        keyStore.load(
-            new FileInputStream(securityConfig.getKeyStoreFilePath()),
-            securityConfig.getKeyStorePassword().toCharArray());
+        try (FileInputStream fis = new FileInputStream(securityConfig.getKeyStoreFilePath())) {
+          keyStore.load(fis, securityConfig.getKeyStorePassword().toCharArray());
+        }
         samlData.put(SettingsBuilder.KEYSTORE_KEY, keyStore);
         samlData.put(SettingsBuilder.KEYSTORE_ALIAS, securityConfig.getKeyStoreAlias());
         samlData.put(SettingsBuilder.KEYSTORE_KEY_PASSWORD, securityConfig.getKeyStorePassword());