Bump SAML libs

[willyborankin]

Description

Bump SAML libs

• OpenSAML to version 4.3.0
• One login SAML to 2.9.0

Issues Resolved

Testing

[Please provide details of testing done: unit testing, integration testing and manual testing]

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov]

Codecov Report

Merging #2927 (5c12d0a) into main (4eef662) will decrease coverage by 0.06%.
The diff coverage is 100.00%.

@@             Coverage Diff              @@
##               main    #2927      +/-   ##
============================================
- Coverage     62.31%   62.25%   -0.06%     
+ Complexity     3337     3332       -5     
============================================
  Files           266      266              
  Lines         19650    19648       -2     
  Branches       3329     3329              
============================================
- Hits          12244    12231      -13     
- Misses         5779     5786       +7     
- Partials       1627     1631       +4     

Impacted Files	Coverage Δ
...dlic/auth/http/saml/AuthTokenProcessorHandler.java	46.48% <100.00%> (-0.58%)	⬇️
...zon/dlic/auth/http/saml/Saml2SettingsProvider.java	60.18% <100.00%> (ø)
.../dlic/auth/http/saml/SamlHTTPMetadataResolver.java	62.96% <100.00%> (ø)

... and 5 files with indirect coverage changes

[stephen-crawford]

Thanks for this @willyborankin, looks great!

[cwperks]

Back when I migrated the main branch from Apache HttpClient 4 -> Apache HttpClient 5, I needed to retain the dependency on HttpClient 4 because of this class. Is there any version of OpenSAML available with Apache HttpClient 5 so that we can remove this last remaining dependeny on HttpClient 4?

This PR looks good to me.

[willyborankin]

Ahhh I will take a look for sure. Beside found out that Shibboleth has its own repository for OpenSAML and the latest version is 4.3.0. I will push changes

[willyborankin]

So 4.3.0 uses HTTP commons version 4. to exclude it completely I could try to prepare PR to the Shibboleth git repo (not sure how it works) or just implement our own soultion with HTTP commons 5 instead of 4. AFAU we need to extend org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver class for that. Wdyt?

[willyborankin]

I pushed 4.3.0 version

[willyborankin]

@cwperks added issue #2932

[cwperks]

Thank you for filing an issue to track this @willyborankin! From the Shibboleth git, it looks like the HttpMetadataResolver class is using HttpClient 5 on their main branch: https://git.shibboleth.net/view/?p=java-opensaml.git;a=blob;f=opensaml-saml-impl/src/main/java/org/opensaml/saml/metadata/resolver/impl/HTTPMetadataResolver.java;hb=0d8f395fcca7923cb4d4cc5a98730b5f3fca3aa9

I'm looking to see if there is a release schedule to see when its expected that a published version of the jar will have the update.

[cwperks]

4.3.0 is the way to go. 4.0.1 was published February 11, 2021 and 4.3.0 on January 17, 2023. It looks like they are only publishing new artifacts to the shibboleth repo.

[willyborankin]

@cwperks OK found https://shibboleth.atlassian.net/browse/JSSH-16 they are going to release it in version 9.0.0 of net.shibboleth.utilities:java-support. AFAIU this is part of IDP v5 release

[opensearch-trigger-bot]

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.x 2.x
# Navigate to the new working tree
cd .worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-2927-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 092e8f53e641fd09c1a7689edaaad1dadf5b1282
# Push it to GitHub
git push --set-upstream origin backport/backport-2927-to-2.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-2927-to-2.x.

[cwperks]

The automatic backport failed :/. @willyborankin Would you be able to create a manual backport for this change? Let me know if you'd like any help with the creation of a manual backport.

[cwperks]

@willyborankin I think this PR is causing errors in the tests for the security-dashboards-plugin here: https://github.com/opensearch-project/security-dashboards-plugin/actions/runs/5510435982/jobs/10068087285?pr=1482

In testing locally, I am getting the following errors:

[2023-07-11T10:59:03,088][WARN ][o.o.s.s.ReflectionHelper ] [smoketestnode] Unable to enable 'com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator' due to java.lang.reflect.InvocationTargetException
[2023-07-11T10:59:03,089][ERROR][o.o.s.s.DynamicConfigModelV7] [smoketestnode] Unable to initialize auth domain saml_auth_domain=AuthcDomain [http_enabled=true, transport_enabled=false, order=5, http_authenticator=HttpAuthenticator [challenge=true, type=saml, config={idp={metadata_url=http://localhost:7000/metadata, entity_id=urn:example:idp}, sp={entity_id=https://localhost:9200/}, kibana_url=http://localhost:5601/, exchange_key=6aff3042-1327-4f3d-82f0-40a157ac4464}], authentication_backend=AuthcBackend [type=noop, config={}], description=null] due to OpenSearchException[java.lang.reflect.InvocationTargetException]; nested: InvocationTargetException; nested: RuntimeException[java.security.AccessControlException: access denied ("java.util.PropertyPermission" "*" "read,write")]; nested: AccessControlException[access denied ("java.util.PropertyPermission" "*" "read,write")];
org.opensearch.OpenSearchException: java.lang.reflect.InvocationTargetException

but after I wrap the call to ReflectionHelper.instantiateAAA with AccessController.doPrivileged I end up getting a ClassNotFoundException:

Metadata Resolver SamlHTTPMetadataResolver com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator_2: Error occurred while attempting to refresh metadata from 'http://localhost:7000/metadata'
java.lang.NoClassDefFoundError: Could not initialize class org.opensaml.xmlsec.signature.impl.X509CertificateImpl

[willyborankin]

@willyborankin I think this PR is causing errors in the tests for the security-dashboards-plugin here: https://github.com/opensearch-project/security-dashboards-plugin/actions/runs/5510435982/jobs/10068087285?pr=1482

In testing locally, I am getting the following errors:

[2023-07-11T10:59:03,088][WARN ][o.o.s.s.ReflectionHelper ] [smoketestnode] Unable to enable 'com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator' due to java.lang.reflect.InvocationTargetException
[2023-07-11T10:59:03,089][ERROR][o.o.s.s.DynamicConfigModelV7] [smoketestnode] Unable to initialize auth domain saml_auth_domain=AuthcDomain [http_enabled=true, transport_enabled=false, order=5, http_authenticator=HttpAuthenticator [challenge=true, type=saml, config={idp={metadata_url=http://localhost:7000/metadata, entity_id=urn:example:idp}, sp={entity_id=https://localhost:9200/}, kibana_url=http://localhost:5601/, exchange_key=6aff3042-1327-4f3d-82f0-40a157ac4464}], authentication_backend=AuthcBackend [type=noop, config={}], description=null] due to OpenSearchException[java.lang.reflect.InvocationTargetException]; nested: InvocationTargetException; nested: RuntimeException[java.security.AccessControlException: access denied ("java.util.PropertyPermission" "*" "read,write")]; nested: AccessControlException[access denied ("java.util.PropertyPermission" "*" "read,write")];
org.opensearch.OpenSearchException: java.lang.reflect.InvocationTargetException

but after I wrap the call to ReflectionHelper.instantiateAAA with AccessController.doPrivileged I end up getting a ClassNotFoundException:

Metadata Resolver SamlHTTPMetadataResolver com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator_2: Error occurred while attempting to refresh metadata from 'http://localhost:7000/metadata'
java.lang.NoClassDefFoundError: Could not initialize class org.opensaml.xmlsec.signature.impl.X509CertificateImpl

@cwperks Ok I will investigate. Is it part of 2.9?

[willyborankin]

Ahhh it is simple fix

[cwperks]

@willyborankin Yes, it is blocking PRs in the security-dashboards-plugin repo that ideally go into 2.9.