[AAP-51570] Fix SAML security config validation error message formatting (#800)

This commit fixes a syntax error in the SAML authenticator plugin's
validation error message for invalid security configuration keys.

Changes:
- Fixed string formatting syntax in ValidationError for SECURITY_CONFIG
- Added comprehensive test case to validate the error message format
- Test ensures proper error message: 'Invalid keys: key1, key2'

The error occurred when users provided invalid SECURITY_CONFIG keys that
aren't recognized by the underlying python-saml library. Now the
validation properly catches these invalid keys and provides a clear,
properly formatted error message.

## Description
<!-- Mandatory: Provide a clear, concise description of the changes and
their purpose -->
- What is being changed? (see above)
- Why is this change needed?
The initial string was f formated but missing the f. However, the string
was marked for translation and we can't do that with f strings so I
altered it to use the % formatting notation.
- How does this change address the issue?
The string will now properly display the bad fields.

## Type of Change
<!-- Mandatory: Check one or more boxes that apply -->
- [X] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] Documentation update
- [ ] Test update
- [ ] Refactoring (no functional changes)
- [ ] Development environment change
- [ ] Configuration change

## Self-Review Checklist
<!-- These items help ensure quality - they complement our automated CI
checks -->
- [x] I have performed a self-review of my code
- [x] I have added relevant comments to complex code sections
- [x] I have updated documentation where needed
- [x] I have considered the security impact of these changes
- [x] I have considered performance implications
- [x] I have thought about error handling and edge cases
- [x] I have tested the changes in my local environment

## Testing Instructions
<!-- Optional for test-only changes. Mandatory for all other changes -->
<!-- Must be detailed enough for reviewers to reproduce -->
### Prerequisites
<!-- List any specific setup required -->

### Steps to Test
1. See JIRA
2. 
3. 

### Expected Results
<!-- Describe what should happen after following the steps -->

## Additional Context
<!-- Optional but helpful information -->

### Required Actions
<!-- Check if changes require work in other areas -->
<!-- Remove section if no external actions needed -->
- [ ] Requires documentation updates
  <!-- API docs, feature docs, deployment guides -->
- [ ] Requires downstream repository changes
  <!-- Specify repos: django-ansible-base, eda-server, etc. -->
- [ ] Requires infrastructure/deployment changes
  <!-- CI/CD, installer updates, new services -->
- [ ] Requires coordination with other teams
  <!-- UI team, platform services, infrastructure -->
- [ ] Blocked by PR/MR: #XXX
  <!-- Reference blocking PRs/MRs with brief context -->

### Screenshots/Logs
<!-- Add if relevant to demonstrate the changes -->

---------

Co-authored-by: Claude (Assistant) <[email protected]>
Co-authored-by: Claude (Anthropic AI Assistant) <[email protected]>

Author: 3 people

ansible_base/authentication/authenticator_plugins/saml.py

@@ -208,7 +208,12 @@ def validate(self, attrs):
             raise ValidationError(_("Failed to load config: %(e)s") % {"e": e})
 
         if invalid_security_settings:
-            raise ValidationError({'SECURITY_CONFIG': _("Invalid keys:) {', '.join(invalid_security_settings)}")})
+            raise ValidationError(
+                {
+                    'SECURITY_CONFIG': _("Invalid keys: %(keys)s, Valid keys: %(valid_keys)s")
+                    % {"keys": ', '.join(sorted(invalid_security_settings)), "valid_keys": ', '.join(sorted(valid_security_settings))}
+                }
+            )
 
         response = super().validate(attrs)
         return response

test_app/tests/authentication/authenticator_plugins/test_saml.py

@@ -4,14 +4,47 @@
 import pytest
 from django.conf import settings
 from django.test.utils import override_settings
+from onelogin.saml2.settings import OneLogin_Saml2_Settings
+from social_core.backends.saml import SAMLAuth, SAMLIdentityProvider
 
 from ansible_base.authentication.authenticator_plugins.saml import AuthenticatorPlugin
 from ansible_base.authentication.session import SessionAuthentication
+from ansible_base.authentication.social_auth import AuthenticatorConfigTestStrategy, AuthenticatorStorage
 from ansible_base.lib.utils.encryption import ENCRYPTED_STRING
 from ansible_base.lib.utils.response import get_fully_qualified_url, get_relative_url
 
 authenticated_test_page = "authenticator-list"
 
+idp_string = 'IdP'
+
+
+def get_valid_saml_security_settings(saml_configuration):
+    """
+    Helper function to get valid SAML security settings dynamically.
+    This mirrors the logic in SAMLConfiguration.validate() method.
+    """
+    # Create a minimal configuration for getting valid security settings
+    attrs = saml_configuration.copy()
+    attrs['ENABLED_IDPS'] = {
+        idp_string: {
+            'url': 'https://example.com/sso',
+            'x509cert': attrs.get('IDP_X509_CERT', ''),
+            'entity_id': 'https://example.com/entity',
+            'attr_username': 'username',
+            'attr_user_permanent_id': 'uid',
+        }
+    }
+
+    saml_auth = SAMLAuth(AuthenticatorConfigTestStrategy(AuthenticatorStorage(), additional_settings=attrs))
+    saml_auth.redirect_uri = attrs['CALLBACK_URL']
+    idp = SAMLIdentityProvider(idp_string, **attrs['ENABLED_IDPS'][idp_string])
+    config = saml_auth.generate_saml_config(idp=idp)
+
+    settings = OneLogin_Saml2_Settings(settings=config)
+    settings._security = {}
+    settings._add_default_values()
+    return sorted(settings._security.keys())
+
 
 @mock.patch("rest_framework.views.APIView.authentication_classes", [SessionAuthentication])
 @mock.patch("ansible_base.authentication.authenticator_plugins.saml.AuthenticatorPlugin.authenticate")
@@ -58,6 +91,26 @@ def test_saml_auth_successful(authenticate, unauthenticated_api_client, saml_aut
             {"IDP_ATTR_USERNAME": "This field is required.", "IDP_ATTR_USER_PERMANENT_ID": "This field is required."},
             id="missing IDP_ATTR_USERNAME and IDP_ATTR_USER_PERMANENT_ID",
         ),
+        pytest.param(
+            {"SECURITY_CONFIG": {"invalidKey1": "value1", "invalidKey2": "value2"}},
+            {
+                "SECURITY_CONFIG": (
+                    "Invalid keys: invalidKey1, invalidKey2, "
+                    "Valid keys: allowRepeatAttributeName, authnRequestsSigned, digestAlgorithm, "
+                    "failOnAuthnContextMismatch, logoutRequestSigned, logoutResponseSigned, "
+                    "metadataCacheDuration, metadataValidUntil, nameIdEncrypted, rejectDeprecatedAlgorithm, "
+                    "requestedAuthnContext, requestedAuthnContextComparison, signMetadata, signatureAlgorithm, "
+                    "wantAssertionsEncrypted, wantAssertionsSigned, wantAttributeStatement, wantMessagesSigned, "
+                    "wantNameId, wantNameIdEncrypted"
+                )
+            },
+            id="invalid security config keys",
+        ),
+        pytest.param(
+            {"SECURITY_CONFIG": {"zebra": "value1", "alpha": "value2", "beta": "value3"}},
+            {"SECURITY_CONFIG": ("Invalid keys: alpha, beta, zebra")},
+            id="invalid security config keys are sorted alphabetically",
+        ),
     ],
 )
 def test_saml_create_authenticator_error_handling(
@@ -99,6 +152,50 @@ def test_saml_create_authenticator_error_handling(
                 assert value in response.data[key]
 
 
+def test_saml_security_config_validation_with_dynamic_keys(admin_api_client, saml_configuration):
+    """
+    Test that SAML security config validation uses dynamically obtained valid keys
+    and that invalid keys are sorted alphabetically in error messages.
+    """
+    # Get the valid security settings dynamically
+    valid_keys = get_valid_saml_security_settings(saml_configuration)
+
+    # Test with invalid keys that should be sorted alphabetically
+    invalid_keys = ["zebra", "alpha", "beta"]
+    security_config = {key: f"value_{key}" for key in invalid_keys}
+
+    saml_configuration["SECURITY_CONFIG"] = security_config
+
+    url = get_relative_url("authenticator-list")
+    data = {
+        "name": "SAML authenticator with invalid security config",
+        "enabled": True,
+        "create_objects": True,
+        "remove_users": True,
+        "configuration": saml_configuration,
+        "type": "ansible_base.authentication.authenticator_plugins.saml",
+    }
+
+    response = admin_api_client.post(url, data=data, format="json")
+    assert response.status_code == 400
+
+    # Verify the response contains security config errors
+    assert "SECURITY_CONFIG" in response.data
+    error_message = str(response.data["SECURITY_CONFIG"][0])
+
+    # Verify invalid keys are sorted alphabetically
+    expected_invalid_keys = "alpha, beta, zebra"
+    assert f"Invalid keys: {expected_invalid_keys}" in error_message
+
+    # Verify valid keys are included and sorted
+    expected_valid_keys = ", ".join(valid_keys)
+    assert f"Valid keys: {expected_valid_keys}" in error_message
+
+    # Verify that the valid keys we got dynamically match what's in the error message
+    # This ensures our helper function works correctly
+    assert expected_valid_keys in error_message
+
+
 def test_saml_create_authenticator_does_not_leak_private_key_on_error(
     admin_api_client,
     saml_configuration,