feat: SAML authentication controllers [CW-2958] (#12319)

2025-09-10 20:02:27 +05:30
parent 257df30589
commit 79b93bed77
18 changed files with 653 additions and 27 deletions
--- a/enterprise/app/controllers/enterprise/devise_overrides/omniauth_callbacks_controller.rb
+++ b/enterprise/app/controllers/enterprise/devise_overrides/omniauth_callbacks_controller.rb
@@ -0,0 +1,64 @@
+module Enterprise::DeviseOverrides::OmniauthCallbacksController
+  def saml
+    # Call parent's omniauth_success which handles the auth
+    omniauth_success
+  end
+
+  def redirect_callbacks
+    # derive target redirect route from 'resource_class' param, which was set
+    # before authentication.
+    devise_mapping = get_devise_mapping
+    redirect_route = get_redirect_route(devise_mapping)
+
+    # preserve omniauth info for success route. ignore 'extra' in twitter
+    # auth response to avoid CookieOverflow.
+    session['dta.omniauth.auth'] = request.env['omniauth.auth'].except('extra')
+    session['dta.omniauth.params'] = request.env['omniauth.params']
+
+    # For SAML, use 303 See Other to convert POST to GET and preserve session
+    if params[:provider] == 'saml'
+      redirect_to redirect_route, { status: 303 }.merge(redirect_options)
+    else
+      super
+    end
+  end
+
+  def omniauth_success
+    case auth_hash&.dig('provider')
+    when 'saml'
+      handle_saml_auth
+    else
+      super
+    end
+  end
+
+  private
+
+  def handle_saml_auth
+    account_id = extract_saml_account_id
+    return redirect_to login_page_url(error: 'saml-not-enabled') unless saml_enabled_for_account?(account_id)
+
+    @resource = SamlUserBuilder.new(auth_hash, account_id).perform
+
+    if @resource.persisted?
+      sign_in_user
+    else
+      redirect_to login_page_url(error: 'saml-authentication-failed')
+    end
+  end
+
+  def extract_saml_account_id
+    params[:account_id] || session[:saml_account_id] || request.env['omniauth.params']&.dig('account_id')
+  end
+
+  def saml_enabled_for_account?(account_id)
+    return false if account_id.blank?
+
+    account = Account.find_by(id: account_id)
+
+    return false if account.nil?
+    return false unless account.feature_enabled?('saml')
+
+    AccountSamlSettings.find_by(account_id: account_id).present?
+  end
+end
--- a/enterprise/app/controllers/enterprise/devise_overrides/passwords_controller.rb
+++ b/enterprise/app/controllers/enterprise/devise_overrides/passwords_controller.rb
@@ -0,0 +1,15 @@
+module Enterprise::DeviseOverrides::PasswordsController
+  include SamlAuthenticationHelper
+
+  def create
+    if saml_user_attempting_password_auth?(params[:email])
+      render json: {
+        success: false,
+        errors: [I18n.t('messages.reset_password_saml_user')]
+      }, status: :forbidden
+      return
+    end
+
+    super
+  end
+end
--- a/enterprise/app/controllers/enterprise/devise_overrides/sessions_controller.rb
+++ b/enterprise/app/controllers/enterprise/devise_overrides/sessions_controller.rb
@@ -1,4 +1,18 @@
 module Enterprise::DeviseOverrides::SessionsController
+  include SamlAuthenticationHelper
+
+  def create
+    if saml_user_attempting_password_auth?(params[:email], sso_auth_token: params[:sso_auth_token])
+      render json: {
+        success: false,
+        errors: [I18n.t('messages.login_saml_user')]
+      }, status: :unauthorized
+      return
+    end
+
+    super
+  end
+
  def render_create_success
    create_audit_event('sign_in')
    super