From 5d5fa04c8ba848b57511f07139f968ba253f5167 Mon Sep 17 00:00:00 2001
From: Marcus Sorensen
Date: Mon, 3 Apr 2023 03:46:03 -0600
Subject: [PATCH 1/3] saml: Add EncryptedElementType key resolver to SAML plugin (#7268)

There are multiple ways in which a SAML response can be formatted, especially when encryption is enabled. This PR removes the hardcoding of EncryptedKeyResolver= InlineEncryptedKeyResolver in favor of using a ChainingEncryptedKeyResolver which will try multiple resolvers. It preserves the InlineEncryptedKeyResolver as the first option but adds EncryptedElementTypeEncryptedKeyResolver to the chain of resolvers to try. ChainingEncryptedKeyResolver is a bit finicky in that you can't provide it a list of resolvers, you can only fetch its internal list and add to it. Theoretically we could add all of the resolver types to the chain, but for now just preserving the ones known to be in use.

Co-authored-by: Marcus Sorensen
---
 .../api/command/SAML2LoginAPIAuthenticatorCmd.java | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
index 4dd9fdf278e..6bb3e788a95 100644
--- a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
+++ b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
@@ -55,9 +55,10 @@ import org.opensaml.saml2.core.Issuer;
 import org.opensaml.saml2.core.Response;
 import org.opensaml.saml2.core.StatusCode;
 import org.opensaml.saml2.encryption.Decrypter;
+import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
 import org.opensaml.xml.ConfigurationException;
+import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
 import org.opensaml.xml.encryption.DecryptionException;
-import org.opensaml.xml.encryption.EncryptedKeyResolver;
 import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
 import org.opensaml.xml.io.UnmarshallingException;
 import org.opensaml.xml.security.SecurityHelper;
@@ -253,7 +254,9 @@ public class SAML2LoginAPIAuthenticatorCmd extends BaseCmd implements APIAuthent
 Credential credential = SecurityHelper.getSimpleCredential(idpMetadata.getEncryptionCertificate().getPublicKey(), spMetadata.getKeyPair().getPrivate());
 StaticKeyInfoCredentialResolver keyInfoResolver = new StaticKeyInfoCredentialResolver(credential);
- EncryptedKeyResolver keyResolver = new InlineEncryptedKeyResolver();
+ ChainingEncryptedKeyResolver keyResolver = new ChainingEncryptedKeyResolver();
+ keyResolver.getResolverChain().add(new InlineEncryptedKeyResolver());
+ keyResolver.getResolverChain().add(new EncryptedElementTypeEncryptedKeyResolver());
 Decrypter decrypter = new Decrypter(null, keyInfoResolver, keyResolver);
 decrypter.setRootInNewDocument(true);
 List encryptedAssertions = processedSAMLResponse.getEncryptedAssertions();

From ec3698dfbe178e0d5334255279edf6e8ddaf5961 Mon Sep 17 00:00:00 2001
From: Harikrishna
Date: Tue, 4 Apr 2023 12:20:16 +0530
Subject: [PATCH 2/3] Added details about account/domain to which network will be assigned during creation (#7387)

---
 .../api/command/user/network/CreateNetworkCmd.java | 5 +++--
 .../src/main/java/com/cloud/network/NetworkServiceImpl.java | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)
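Review bot: The resolver chain built in the @@ -253 hunk of SAML2LoginAPIAuthenticatorCmd carries no explanation of why two resolvers are chained or why InlineEncryptedKeyResolver is registered first; that rationale currently lives only in the commit message. I would add above `ChainingEncryptedKeyResolver keyResolver = new ChainingEncryptedKeyResolver();` the comment `// IdPs differ in where they place the wrapped key: look for an EncryptedKey inline in the EncryptedData KeyInfo first, then for one carried as a sibling inside the EncryptedAssertion (EncryptedElementType).` Each EncryptedKey the chain yields is presumably unwrapped with the SP private key supplied through keyInfoResolver, so a response that resolves no usable key should still end in the existing DecryptionException handling; it is worth confirming that path reports which resolvers were consulted, since "no key found" is exactly the failure this change is meant to fix. The enclosing method starts and ends outside the hunk.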
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/network/CreateNetworkCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/network/CreateNetworkCmd.java
index bc26a47ae71..8b8ce104076 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/network/CreateNetworkCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/network/CreateNetworkCmd.java
@@ -111,13 +111,14 @@ public class CreateNetworkCmd extends BaseCmd implements UserCmd {
 + " - Account. Account means that only the account owner can use the network, domain - all accounts in the domain can use the network")
 private String aclType;
- @Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING, description = "account that will own the network")
+ @Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING, description = "Account that will own the network. Account should be under the selected domain")
 private String accountName;
 @Parameter(name = ApiConstants.PROJECT_ID, type = CommandType.UUID, entityType = ProjectResponse.class, description = "an optional project for the network")
 private Long projectId;
- @Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, entityType = DomainResponse.class, description = "domain ID of the account owning a network")
+ @Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, entityType = DomainResponse.class, description = "domain ID of the account owning a network. "
+ + "If no account is provided then network will be assigned to the caller account and domain")
 private Long domainId;
 @Parameter(name = ApiConstants.SUBDOMAIN_ACCESS,
diff --git a/server/src/main/java/com/cloud/network/NetworkServiceImpl.java b/server/src/main/java/com/cloud/network/NetworkServiceImpl.java
index d27b8bc2c42..746e4365e1b 100644
--- a/server/src/main/java/com/cloud/network/NetworkServiceImpl.java
+++ b/server/src/main/java/com/cloud/network/NetworkServiceImpl.java
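Review bot: The new ACCOUNT description, `Account should be under the selected domain`, still leaves out that the account name is only honoured together with domainid; the companion NetworkServiceImpl hunk in this series (`if ((cmd.getAccountName() != null && domainId != null) || cmd.getProjectId() != null)`) falls back to the caller when either value is missing, so an accountName passed on its own is silently ignored. I would make that explicit: `description = "Account that will own the network. Must be specified together with domainid and must belong to that domain; otherwise the network is assigned to the caller"`. The DOMAIN_ID text would read better with the article, `"If no account is provided then the network will be assigned to the caller account and domain"`. As a style point, the ACCOUNT description now begins with a capital letter while the neighbouring PROJECT_ID and DOMAIN_ID descriptions remain lower-case.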
@@ -1402,6 +1402,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService, C
 if ((cmd.getAccountName() != null && domainId != null) || cmd.getProjectId() != null) {
 owner = _accountMgr.finalizeOwner(caller, cmd.getAccountName(), domainId, cmd.getProjectId());
 } else {
+ s_logger.info(String.format("Assigning the network to caller:%s because either projectId or accountname and domainId are not provided", caller.getAccountName()));
 owner = caller;
 }

From c35d7ac9356e7cdc83a9f1edd57143aee0bc4506 Mon Sep 17 00:00:00 2001
From: Abhishek Kumar
Date: Tue, 4 Apr 2023 13:30:05 +0530
Subject: [PATCH 3/3] ui: show static-nat tag for public ip (#7395)

Fixes #7246

Signed-off-by: Abhishek Kumar
---
 ui/src/components/view/ListView.vue | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ui/src/components/view/ListView.vue b/ui/src/components/view/ListView.vue
index fcd94008d88..7ccb028f986 100644
--- a/ui/src/components/view/ListView.vue
+++ b/ui/src/components/view/ListView.vue
@@ -167,6 +167,10 @@   source-nat + +   + static-nat +
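Review bot: The message added in the else branch of the NetworkServiceImpl @@ -1402 hunk is hard to parse (`because either projectId or accountname and domainId are not provided`) and omits the values that were actually supplied, which is what an operator needs when an accountName sent without domainid is quietly replaced by the caller. Suggest `s_logger.info(String.format("Assigning network to caller account %s: no projectId, and no accountName/domainId pair, was provided (accountName=%s, domainId=%s)", caller.getAccountName(), cmd.getAccountName(), domainId));`. Whether this warrants INFO rather than DEBUG on every network creation is a judgement call; with the extra fields the line is at least actionable at INFO. The enclosing method starts and ends outside the hunk.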