fix: Creating User via SSO Does Not Respect ETAC - BED-7761

[Flake85]

Description

We need to update SSO and OIDC account creation to respect ETAC controls

When ETAC is enabled, handle account creation with respect to the roles in the claims

If a user is a privileged user, set AllEnvironments to true

If a user is a regular user then set AllEnvironments to false

When ETAC is disabled, always set AllEnvironments to true

Motivation and Context

Resolves BED-7761

Why is this change required? What problem does it solve?
all_environments is always set to false when creating an account via SSO and it doesn't respect ETAC.

How Has This Been Tested?

Authentik was used locally so we can have an SSO provider. I set the default user role using BHE's admin SSO configuration for testing the created user via SSO and setting the different default roles to each of the different roles provided. I also manually enabled/disabled ETAC in the parameters table. After each test, I would confirm that all_environments was set to the correct value.

Please describe in detail how you tested your changes.
Include details of your testing environment, and the tests you ran to
see how your change affects other areas of the code, etc.

I tested this on BHE using my local environment. As mentioned above, I used authentik for my provider.

Screenshots (optional):

ETAC Disabled:

read only:

regular user:

admin:

power user:

ETAC Enabled:

read only:

regular user:

admin:

power user:

Types of changes

• Bug fix (non-breaking change which fixes an issue)

Checklist:

• I have met the contributing prerequisites
  • Assigned myself to this PR
  • Added the appropriate labels
  • Associated an issue: Issues and Pull Requests README #672
  • Read the Contributing guide: https://github.com/SpecterOps/BloodHound/wiki/Contributing
• I have ensured that related documentation is up-to-date
  • Open API docs
  • Code comments (GoDocs / JSDocs)
• I have followed proper test practices
  • Added/updated tests to cover my changes
  • All new and existing tests passed

Summary by CodeRabbit

• New Features

  • JIT provisioning for OIDC and SAML now respects an ETAC feature flag: when enabled, new users’ environment access is determined by their roles; when disabled, full environment access is granted.
  • Provisioning now consults the environment-flagging service to evaluate ETAC behavior.

• Tests

  • Added tests covering ETAC-enabled provisioning with both admin and non-admin outcomes, plus session creation and redirects; test harness supports feature-flag overrides.

[coderabbitai]

📝 Walkthrough

Walkthrough

Injects the DogTags service into JIT OIDC and SAML provisioning flows; JIT upsert/create functions gain a dogtags.Service parameter and set user.AllEnvironments based on dogtags.ETAC_ENABLED and hasValidRolesForETAC(roles). SAML tests were updated to use a test DogTags service and cover ETAC scenarios.

Changes

Cohort / File(s)	Summary
JIT OIDC Provisioning cmd/api/src/api/v2/auth/oidc.go	Pass s.DogTags into the OIDC callback JIT flow. jitOIDCUserUpsert and jitOIDCUserCreate signatures now accept dogTagsService dogtags.Service. user.AllEnvironments is set to !hasValidRolesForETAC(roles) when dogtags.ETAC_ENABLED is true, otherwise true.
JIT SAML Provisioning cmd/api/src/api/v2/auth/saml.go	Import dogtags and pass s.DogTags into the SAML callback JIT flow. Update jitSAMLUserUpsert and jitSAMLUserCreate to accept dogTagsService dogtags.Service. Conditional user.AllEnvironments logic added based on ETAC_ENABLED and role validation.
SAML Tests cmd/api/src/api/v2/auth/saml_test.go	Add dogTagsOverrides dogtags.TestOverrides to test cases and inject dogtags.NewTestService(...) into NewManagementResource. Add ETAC-enabled test scenarios asserting user.AllEnvironments true/false. Minor test struct formatting changes.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant API_Handler as Auth Callback Handler
    participant DogTags as dogtags.Service
    participant UserStore as User creation/upsert

    Client->>API_Handler: OAuth/SAML callback (auth data, roles)
    API_Handler->>DogTags: GetFlag(ETAC_ENABLED)
    API_Handler->>API_Handler: determine roles, hasValidRolesForETAC(roles)
    alt ETAC enabled
        API_Handler->>UserStore: jitUserCreate/upsert(..., dogTagsService)
        Note right of UserStore: user.AllEnvironments = !hasValidRolesForETAC
    else ETAC disabled
        API_Handler->>UserStore: jitUserCreate/upsert(..., dogTagsService)
        Note right of UserStore: user.AllEnvironments = true
    end
    UserStore-->>API_Handler: created/updated user + session
    API_Handler-->>Client: redirect with session cookie

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: fixing SSO user creation to respect ETAC settings (BED-7761).
Description check	✅ Passed	The description covers all required template sections: detailed description of changes, motivation/context with Jira ticket reference, testing methodology with environment details and screenshots, type of change (bug fix), and completed checklist items.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch BED-7761

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

cmd/api/src/api/v2/auth/saml.go (1)

537-556: Consider: propagating dogTagsService via context or struct rather than plumbing through signatures.

Threading dogtags.Service through jitSAMLUserUpsert → jitSAMLUserCreate works, but as more feature flags get added the signature will continue to grow. An alternative is to attach it to a small provisioning struct (or keep it on ManagementResource and make these methods rather than free functions). Non-blocking.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@cmd/api/src/api/v2/auth/saml.go` around lines 537 - 556, The current issue is
that dogTagsService is being passed through function signatures
(jitSAMLUserUpsert -> jitSAMLUserCreate), which will bloat signatures as more
dependencies are added; refactor by grouping provisioning dependencies into a
small struct (e.g., Provisioner or attach to ManagementResource) and convert
jitSAMLUserUpsert and jitSAMLUserCreate into receiver methods (or accept the new
Provisioner) so they read the dogTagsService from that struct instead of a
parameter; update callers to construct/pass the Provisioner or use the
ManagementResource receiver and remove dogTagsService from the free function
signatures (keep SanitizeAndGetRoles, LookupUser, UpdateUser uses intact).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@cmd/api/src/api/v2/auth/saml.go`:
- Around line 537-556: The current issue is that dogTagsService is being passed
through function signatures (jitSAMLUserUpsert -> jitSAMLUserCreate), which will
bloat signatures as more dependencies are added; refactor by grouping
provisioning dependencies into a small struct (e.g., Provisioner or attach to
ManagementResource) and convert jitSAMLUserUpsert and jitSAMLUserCreate into
receiver methods (or accept the new Provisioner) so they read the dogTagsService
from that struct instead of a parameter; update callers to construct/pass the
Provisioner or use the ManagementResource receiver and remove dogTagsService
from the free function signatures (keep SanitizeAndGetRoles, LookupUser,
UpdateUser uses intact).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 0408ded2-5405-4a4f-9f91-f92f23512ebf

📥 Commits

Reviewing files that changed from the base of the PR and between b363f9c and 5aae70f.

📒 Files selected for processing (3)

• cmd/api/src/api/v2/auth/oidc.go
• cmd/api/src/api/v2/auth/saml.go
• cmd/api/src/api/v2/auth/saml_test.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@cmd/api/src/api/v2/auth/saml_test.go`:
- Around line 3061-3139: The test currently enables ETAC but stubs LookupUser to
return an existing user so JIT provisioning isn't exercised; change this case
(or add a new one) to simulate JIT creation by making
mock.mockDatabase.EXPECT().LookupUser(...) return database.ErrNotFound, then
expect mock.mockDatabase.EXPECT().CreateUser(...) to be called and capture the
created model.User to assert its AllEnvironments field (and role handling for
regular vs admin/power) when dogtags.TestOverrides enables ETAC; keep the rest
of the flow (ParseResponse, CreateUserSession, CreateAuditLog, response
assertions) but replace the LookupUser return and add the CreateUser expectation
and assertion against AllEnvironments.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 29fa744e-d4d4-45eb-a61a-bcbefbcd894d

📥 Commits

Reviewing files that changed from the base of the PR and between c7410a5 and efae17c.

📒 Files selected for processing (1)

• cmd/api/src/api/v2/auth/saml_test.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@cmd/api/src/api/v2/auth/saml_test.go`:
- Around line 3101-3251: The ETAC tests currently set
SSOProvider.Config.AutoProvision.RoleProvision=false and both mocked roles
include the auth:ManageUsers permission, so claim-driven role resolution and the
regular-user branch aren’t exercised; update the fixtures used in the two test
cases (the SSOProvider returned by GetSSOProviderBySlug and the roles returned
by GetAllRoles) to set AutoProvision.RoleProvision=true so SAML role attributes
are used, and change the regular-user role (the model.Role with Name
auth.RoleUser in the GetAllRoles mock) to omit the ManageUsers permission (give
it a distinct, non-admin permission) while keeping the admin role with
ManageUsers, so ParseResponse-driven role assignment in the SAML assertion paths
(and the CreateUser gomock.Cond checks on AllEnvironments) are actually
validated.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: b054d8e5-9a79-42c5-8ca4-45c7b94707aa

📥 Commits

Reviewing files that changed from the base of the PR and between efae17c and bcd0ff0.

📒 Files selected for processing (1)

• cmd/api/src/api/v2/auth/saml_test.go

[mvlipka]

I reviewed Flechas' code and verified the testing

I wrote the unit tests, though, so will wait for another engineer's approval before merging.