Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent password updates for SAML and LDAP users #9999

Open
wants to merge 2 commits into
base: 4.19
Choose a base branch
from
Open

Prevent password updates for SAML and LDAP users #9999

wants to merge 2 commits into from

Conversation

bernardodemarco
Copy link
Collaborator

Description

Currently, CloudStack does not support dual authentication methods for SAML users. If their source is equal to SAML or SAMLDISABLED, then they're not able to login with a username and password. However, when executing the updateUser API to update their password, the password is changed in the database, even though username/password authentication is unsupported for these users.

Regarding LDAP users, password updates directly through CloudStack should also not be allowed. Therefore, this PR addresses these issues by providing a clear error message when SAML or LDAP users attempt to change their password via the updateUser API.

Fixes #9933

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • build/CI
  • test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

image

How Has This Been Tested?

  • Verified that attempting to update a SAML or LDAP user's password results in an appropriate error message.
  • Verified that attempting to update a SAMLDISABLED user's password also triggers the error message.
  • Verified that non-SAML/LDAP users can update their passwords without any issues.

@codecov Codecov
Copy link

codecov bot commented Nov 27, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 4.30%. Comparing base (a2690e9) to head (89f13ac).

❗ There is a different number of reports uploaded between BASE (a2690e9) and HEAD (89f13ac). Click for more details.

HEAD has 1 upload less than BASE
Flag BASE (a2690e9) HEAD (89f13ac)
unittests 1 0
Additional details and impacted files 
@@             Coverage Diff              @@
##               4.19   #9999       +/-   ##
============================================
- Coverage     15.10%   4.30%   -10.81%     
============================================
  Files          5404     366     -5038     
  Lines        473502   29541   -443961     
  Branches      57733    5172    -52561     
============================================
- Hits          71543    1272    -70271     
+ Misses       393961   28125   -365836     
+ Partials       7998     144     -7854
Flag Coverage Δ
uitests 4.30% <ø> (ø)
unittests ?

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@bernardodemarco
Copy link
Collaborator Author

@blueorangutan package

@blueorangutan
Copy link

@bernardodemarco a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan
Copy link

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 11612

DaanHoogland
DaanHoogland approved these changes Nov 28, 2024
View reviewed changes
Copy link
Contributor

@DaanHoogland DaanHoogland left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

clgtm

@DaanHoogland DaanHoogland added this to the 4.19.2 milestone Nov 28, 2024
kiranchavala
kiranchavala approved these changes Nov 29, 2024
View reviewed changes
Copy link
Contributor

@kiranchavala kiranchavala left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, Tested manually by creating saml user and ldap users

Exception is thrown then when the user's password is changed

Screenshot 2024-11-29 at 12 08 05 PM

sureshanaparti
sureshanaparti approved these changes Nov 29, 2024
View reviewed changes
Copy link
Contributor

@sureshanaparti sureshanaparti left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

clgtm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sureshanaparti sureshanaparti sureshanaparti approved these changes

@DaanHoogland DaanHoogland DaanHoogland approved these changes

@kiranchavala kiranchavala kiranchavala approved these changes

@rohityadavcloud rohityadavcloud rohityadavcloud approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
4.19.2
Development

Successfully merging this pull request may close these issues.
6 participants
@bernardodemarco @blueorangutan @rohityadavcloud @kiranchavala @DaanHoogland @sureshanaparti