Prevent password updates for SAML and LDAP users

[bernardodemarco]

Description

Currently, CloudStack does not support dual authentication methods for SAML users. If their source is equal to SAML or SAMLDISABLED, then they're not able to login with a username and password. However, when executing the updateUser API to update their password, the password is changed in the database, even though username/password authentication is unsupported for these users.

Regarding LDAP users, password updates directly through CloudStack should also not be allowed. Therefore, this PR addresses these issues by providing a clear error message when SAML or LDAP users attempt to change their password via the updateUser API.

---

Fixes #9933

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• build/CI
• test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

• Verified that attempting to update a SAML or LDAP user's password results in an appropriate error message.
• Verified that attempting to update a SAMLDISABLED user's password also triggers the error message.
• Verified that non-SAML/LDAP users can update their passwords without any issues.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 4.30%. Comparing base (a2690e9) to head (89f13ac).
Report is 11 commits behind head on 4.19.

❗ There is a different number of reports uploaded between BASE (a2690e9) and HEAD (89f13ac). Click for more details.

HEAD has 1 upload less than BASE

Flag	BASE (a2690e9)	HEAD (89f13ac)
unittests	1	0

Additional details and impacted files

@@             Coverage Diff              @@
##               4.19   #9999       +/-   ##
============================================
- Coverage     15.10%   4.30%   -10.81%     
============================================
  Files          5404     366     -5038     
  Lines        473502   29541   -443961     
  Branches      57733    5172    -52561     
============================================
- Hits          71543    1272    -70271     
+ Misses       393961   28125   -365836     
+ Partials       7998     144     -7854     

Flag	Coverage Δ
uitests	4.30% <ø> (ø)
unittests	?

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[bernardodemarco]

@blueorangutan package

[blueorangutan]

@bernardodemarco a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 11612

[DaanHoogland]

clgtm

[kiranchavala]

LGTM, Tested manually by creating saml user and ldap users

Exception is thrown then when the user's password is changed

[sureshanaparti]

clgtm

[rohityadavcloud]

@blueorangutan test

[blueorangutan]

@rohityadavcloud a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-11830)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 46108 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr9999-t11830-kvm-ol8.zip
Smoke tests completed. 132 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_04_nonsecured_to_secured_vm_migration	Error	393.99	test_vm_life_cycle.py

[DaanHoogland]

I am merging forward 4.19 on 4.20 and will merge this as soon as the conflicts are taken care of.