feat: add saml model & controller [CW-2958] (#12289)

This PR adds the foundation for account-level SAML SSO configuration in
Chatwoot Enterprise. It introduces a new `AccountSamlSettings` model and
management API that allows accounts to configure their own SAML identity
providers independently, this also includes the certificate generation
flow

The implementation includes a new controller
(`Api::V1::Accounts::SamlSettingsController`) that provides CRUD
operations for SAML configuration

The feature is properly gated behind the 'saml' feature flag and
includes administrator-only authorization via Pundit policies.

enterprise/app/controllers/api/v1/accounts/saml_settings_controller.rb

@@ -0,0 +1,48 @@
+class Api::V1::Accounts::SamlSettingsController < Api::V1::Accounts::BaseController
+  before_action :check_saml_feature_enabled
+  before_action :check_authorization
+  before_action :set_saml_settings
+
+  def show; end
+
+  def create
+    @saml_settings = Current.account.build_saml_settings(saml_settings_params)
+    @saml_settings.save!
+  end
+
+  def update
+    @saml_settings.update!(saml_settings_params)
+  end
+
+  def destroy
+    @saml_settings.destroy!
+    head :no_content
+  end
+
+  private
+
+  def set_saml_settings
+    @saml_settings = Current.account.saml_settings ||
+                     Current.account.build_saml_settings
+  end
+
+  def saml_settings_params
+    params.require(:saml_settings).permit(
+      :sso_url,
+      :certificate,
+      :idp_entity_id,
+      :sp_entity_id,
+      role_mappings: {}
+    )
+  end
+
+  def check_authorization
+    authorize(AccountSamlSettings)
+  end
+
+  def check_saml_feature_enabled
+    return if Current.account.feature_enabled?('saml')
+
+    render json: { error: I18n.t('errors.saml.feature_not_enabled') }, status: :forbidden
+  end
+end

enterprise/app/models/account_saml_settings.rb

@@ -0,0 +1,59 @@
+# == Schema Information
+#
+# Table name: account_saml_settings
+#
+#  id            :bigint           not null, primary key
+#  certificate   :text
+#  role_mappings :json
+#  sso_url       :string
+#  created_at    :datetime         not null
+#  updated_at    :datetime         not null
+#  account_id    :bigint           not null
+#  idp_entity_id :string
+#  sp_entity_id  :string
+#
+# Indexes
+#
+#  index_account_saml_settings_on_account_id  (account_id)
+#
+class AccountSamlSettings < ApplicationRecord
+  belongs_to :account
+
+  validates :account_id, presence: true
+  validates :sso_url, presence: true
+  validates :certificate, presence: true
+  validates :idp_entity_id, presence: true
+
+  before_validation :set_sp_entity_id, if: :sp_entity_id_needs_generation?
+
+  def saml_enabled?
+    sso_url.present? && certificate.present?
+  end
+
+  def certificate_fingerprint
+    return nil if certificate.blank?
+
+    begin
+      cert = OpenSSL::X509::Certificate.new(certificate)
+      OpenSSL::Digest::SHA1.new(cert.to_der).hexdigest
+                           .upcase.gsub(/(.{2})(?=.)/, '\1:')
+    rescue OpenSSL::X509::CertificateError
+      nil
+    end
+  end
+
+  private
+
+  def set_sp_entity_id
+    base_url = GlobalConfigService.load('FRONTEND_URL', 'http://localhost:3000')
+    self.sp_entity_id = "#{base_url}/saml/sp/#{account_id}"
+  end
+
+  def sp_entity_id_needs_generation?
+    sp_entity_id.blank?
+  end
+
+  def installation_name
+    GlobalConfigService.load('INSTALLATION_NAME', 'Chatwoot')
+  end
+end

enterprise/app/models/enterprise/account.rb

@@ -27,4 +27,8 @@ module Enterprise::Account
   def unmark_for_deletion
     custom_attributes.delete('marked_for_deletion_at') && custom_attributes.delete('marked_for_deletion_reason') && save
   end
+
+  def saml_enabled?
+    saml_settings&.saml_enabled? || false
+  end
 end

enterprise/app/models/enterprise/concerns/account.rb

@@ -13,5 +13,7 @@ module Enterprise::Concerns::Account
 
     has_many :copilot_threads, dependent: :destroy_async
     has_many :voice_channels, dependent: :destroy_async, class_name: '::Channel::Voice'
+
+    has_one :saml_settings, dependent: :destroy_async, class_name: 'AccountSamlSettings'
   end
 end

enterprise/app/policies/account_saml_settings_policy.rb

@@ -0,0 +1,17 @@
+class AccountSamlSettingsPolicy < ApplicationPolicy
+  def show?
+    @account_user.administrator?
+  end
+
+  def create?
+    @account_user.administrator?
+  end
+
+  def update?
+    @account_user.administrator?
+  end
+
+  def destroy?
+    @account_user.administrator?
+  end
+end

enterprise/app/views/api/v1/accounts/saml_settings/create.json.jbuilder

@@ -0,0 +1 @@
+json.partial! 'api/v1/models/account_saml_settings', account_saml_settings: @saml_settings

enterprise/app/views/api/v1/accounts/saml_settings/show.json.jbuilder

@@ -0,0 +1 @@
+json.partial! 'api/v1/models/account_saml_settings', account_saml_settings: @saml_settings

enterprise/app/views/api/v1/accounts/saml_settings/update.json.jbuilder

@@ -0,0 +1 @@
+json.partial! 'api/v1/models/account_saml_settings', account_saml_settings: @saml_settings

enterprise/app/views/api/v1/models/_account_saml_settings.json.jbuilder

@@ -0,0 +1,10 @@
+json.id account_saml_settings.id
+json.account_id account_saml_settings.account_id
+json.sso_url account_saml_settings.sso_url
+json.certificate account_saml_settings.certificate
+json.fingerprint account_saml_settings.certificate_fingerprint
+json.idp_entity_id account_saml_settings.idp_entity_id
+json.sp_entity_id account_saml_settings.sp_entity_id
+json.role_mappings account_saml_settings.role_mappings || {}
+json.created_at account_saml_settings.created_at
+json.updated_at account_saml_settings.updated_at