Fix pysaml2 dependency. #15

Merged: avdata99 merged 4 commits into main from fix-pysaml2-version on Jun 24, 2026

@pdelboca
Member

We have a problem in the pysaml2 dependency of ckanext-saml2auth.

Root Cause

  • _lib.GEN_EMAIL has been removed pyopenssl in version 49.0 (pyca/pyopenssl@55653a5)
  • PyOpenssl is calling _lib.GEN_EMAIL from cryptography version 48.0 but version 49.0 is installed
  • Installed version of pyOpenSSL==24.2.1
  • Installed version pysaml2==7.5.4
  • pysaml2 does not pin upper version "cryptography >=3.1",

pysaml2 dependencies are wrong since pyopenssl<24.3.0 will not work with latest cryptography:
https://github.com/IdentityPython/pysaml2/blob/master/pyproject.toml

dependencies = [
  "cryptography >=3.1",
  "defusedxml",
  "pyopenssl <24.3.0",
  "python-dateutil",
  "requests >=2.0.0,<3.0.0",  # ^2 means compatible with 2.x
  "xmlschema >=2.0.0,<3.0.0"
]

Possible Fix

Looks like this has been addressed in IdentityPython/pysaml2#1021 but it is waiting to be merged.

It has been tested here (look at the pyproject.toml file): italia/iam-proxy-italia@v3.1.1...v3.2.0

Error

ckan_bcie  | CKAN DB already initialized, skipping db init
ckan_bcie  | CKAN db upgrade
ckan_bcie  | Traceback (most recent call last):
ckan_bcie  |   File "/app/venv/bin/ckan", line 10, in <module>
ckan_bcie  |     sys.exit(ckan())
ckan_bcie  |              ^^^^^^
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/click/core.py", line 1157, in __call__
ckan_bcie  |     return self.main(*args, **kwargs)
ckan_bcie  |            ^^^^^^^^^^^^^^^^^^^^^^^^^^
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/click/core.py", line 1077, in main
ckan_bcie  |     with self.make_context(prog_name, args, **extra) as ctx:
ckan_bcie  |          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/click/core.py", line 943, in make_context
ckan_bcie  |     self.parse_args(ctx, args)
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/ckan/cli/cli.py", line 120, in parse_args
ckan_bcie  |     result = super().parse_args(ctx, args)
ckan_bcie  |              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/click/core.py", line 1644, in parse_args
ckan_bcie  |     rest = super().parse_args(ctx, args)
ckan_bcie  |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/click/core.py", line 1408, in parse_args
ckan_bcie  |     value, args = param.handle_parse_result(ctx, opts, args)
ckan_bcie  |                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/click/core.py", line 2400, in handle_parse_result
ckan_bcie  |     value = self.process_value(ctx, value)
ckan_bcie  |             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/click/core.py", line 2362, in process_value
ckan_bcie  |     value = self.callback(ctx, self, value)
ckan_bcie  |             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/ckan/cli/cli.py", line 130, in _init_ckan_config
ckan_bcie  |     _add_ctx_object(ctx, value)
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/ckan/cli/cli.py", line 139, in _add_ctx_object
ckan_bcie  |     ctx.obj = CtxObject(path)
ckan_bcie  |               ^^^^^^^^^^^^^^^
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/ckan/cli/cli.py", line 56, in __init__
ckan_bcie  |     self.app = make_app(raw_config)
ckan_bcie  |                ^^^^^^^^^^^^^^^^^^^^
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/ckan/config/middleware/__init__.py", line 29, in make_app
ckan_bcie  |     load_environment(conf)
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/ckan/config/environment.py", line 68, in load_environment
ckan_bcie  |     p.load_all()
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/ckan/plugins/core.py", line 148, in load_all
ckan_bcie  |     load(*plugins)
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/ckan/plugins/core.py", line 164, in load
ckan_bcie  |     service = _get_service(plugin)
ckan_bcie  |               ^^^^^^^^^^^^^^^^^^^^
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/ckan/plugins/core.py", line 298, in _get_service
ckan_bcie  |     return ep.load()(name=plugin_name)
ckan_bcie  |            ^^^^^^^^^
ckan_bcie  |   File "/home/ckan/.local/share/uv/python/cpython-3.11.15-linux-x86_64-gnu/lib/python3.11/importlib/metadata/__init__.py", line 202, in load
ckan_bcie  |     module = import_module(match.group('module'))
ckan_bcie  |              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ckan_bcie  |   File "/home/ckan/.local/share/uv/python/cpython-3.11.15-linux-x86_64-gnu/lib/python3.11/importlib/__init__.py", line 126, in import_module
ckan_bcie  |     return _bootstrap._gcd_import(name[level:], package, level)
ckan_bcie  |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ckan_bcie  |   File "<frozen importlib._bootstrap>", line 1204, in _gcd_import
ckan_bcie  |   File "<frozen importlib._bootstrap>", line 1176, in _find_and_load
ckan_bcie  |   File "<frozen importlib._bootstrap>", line 1147, in _find_and_load_unlocked
ckan_bcie  |   File "<frozen importlib._bootstrap>", line 690, in _load_unlocked
ckan_bcie  |   File "<frozen importlib._bootstrap_external>", line 940, in exec_module
ckan_bcie  |   File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/ckanext/saml2auth/plugin.py", line 21, in <module>
ckan_bcie  |     from saml2.client_base import LogoutError
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/saml2/client_base.py", line 25, in <module>
ckan_bcie  |     from saml2.entity import Entity
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/saml2/entity.py", line 22, in <module>
ckan_bcie  |     from saml2 import request as saml_request
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/saml2/request.py", line 6, in <module>
ckan_bcie  |     from saml2.response import IncorrectlySigned
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/saml2/response.py", line 44, in <module>
ckan_bcie  |     from saml2.sigver import DecryptError
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/saml2/sigver.py", line 21, in <module>
ckan_bcie  |     from OpenSSL import crypto
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/OpenSSL/__init__.py", line 8, in <module>
ckan_bcie  |     from OpenSSL import SSL, crypto
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/OpenSSL/SSL.py", line 42, in <module>
ckan_bcie  |     from OpenSSL.crypto import (
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/OpenSSL/crypto.py", line 787, in <module>
ckan_bcie  |     class X509Extension:
ckan_bcie  |   File "/app/venv/lib/python3.11/site-packages/OpenSSL/crypto.py", line 871, in X509Extension
ckan_bcie  |     _lib.GEN_EMAIL: "email",
ckan_bcie  |     ^^^^^^^^^^^^^^
ckan_bcie  | AttributeError: module 'lib' has no attribute 'GEN_EMAIL'
ckan_bcie exited with code 1
           ⦿ Watch disabled
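
An added example, not part of this PR or of pysaml2: a stdlib-only audit that runs the quoted dependency list against the installed versions reported above and shows that cryptography 49.0 was accepted only because its requirement has no upper bound. The helper names (`key`, `parse`, `allows`, `audit`) are hypothetical, and only simple `<`, `<=`, `>`, `>=`, `==` clauses are handled.

```python
import operator
import re

# Dependency list copied from the pysaml2 pyproject.toml quoted above.
PYSAML2_DEPS = [
    "cryptography >=3.1", "defusedxml", "pyopenssl <24.3.0",
    "python-dateutil", "requests >=2.0.0,<3.0.0", "xmlschema >=2.0.0,<3.0.0",
]
# Versions reported as installed in the comment above.
INSTALLED = {"cryptography": "49.0", "pyopenssl": "24.2.1"}

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq}
CLAUSE = re.compile(r"^(<=|>=|==|<|>)\s*(\d+(?:\.\d+)*)$")

def key(version):
    """'24.2.1' -> (24, 2, 1, 0); plain numeric releases only."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def parse(req):
    """Split 'name >=1,<2' into (name, [(op, version_key), ...])."""
    name, spec = re.match(r"^\s*([A-Za-z0-9._-]+)\s*(.*)$", req).groups()
    clauses = []
    for part in filter(None, (p.strip() for p in spec.split(","))):
        m = CLAUSE.match(part)
        if m is None:  # ~=, !=, extras and markers are out of scope here
            raise ValueError(f"unsupported specifier: {part!r}")
        clauses.append((m.group(1), key(m.group(2))))
    return name.lower(), clauses

def allows(req, version):
    """True if `version` satisfies every clause of `req`."""
    return all(OPS[op](key(version), bound) for op, bound in parse(req)[1])

def audit(deps, installed):
    """Map package name -> finding for each installed package in `deps`."""
    findings = {}
    for req in deps:
        name, clauses = parse(req)
        version = installed.get(name)
        if version is None:
            continue
        if not allows(req, version):
            findings[name] = f"{version} violates '{req}'"
        elif not any(op in ("<", "<=", "==") for op, _ in clauses):
            findings[name] = f"{version} allowed: '{req}' has no upper bound"
    return findings

if __name__ == "__main__":
    print(audit(PYSAML2_DEPS, INSTALLED))
```

Passing a capped requirement such as the hypothetical `cryptography >=3.1,<49` (an illustration, not the change made in this PR) turns the same install into a reported violation instead of an import-time crash.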

@avdata99

Member

It looks like there are more errors if we upgrade. We cover the CVE but we get new errors in tests.
I update tests here to generate test certificates in a way that avoids the new error.
Also, CKAN 2.11 requires 3.10 so I propose to update test envs in GH actions.
I need this to be merged to release a new version and test it with other projects.
Sorry I get in your PR @pdelboca

@avdata99 avdata99 merged commit e6fb25f into main Jun 24, 2026
5 checks passed