From c29170cf26f4984dc3e490a7a345bedd28ca3904 Mon Sep 17 00:00:00 2001 From: Daryl Lim <5508348+daryllimyt@users.noreply.github.com> Date: Thu, 9 Jan 2025 20:04:28 +0000 Subject: [PATCH] feat(app+ui): Make `saml_sp_acs_url` read only (#724) --- .../organization/org-settings-sso.tsx | 19 ++++++++++++------- tests/unit/test_organization_settings.py | 2 -- tracecat/settings/models.py | 10 ++++++---- tracecat/settings/router.py | 8 ++++++-- 4 files changed, 24 insertions(+), 15 deletions(-) diff --git a/frontend/src/components/organization/org-settings-sso.tsx b/frontend/src/components/organization/org-settings-sso.tsx index d9ed322c3..aaa3cc395 100644 --- a/frontend/src/components/organization/org-settings-sso.tsx +++ b/frontend/src/components/organization/org-settings-sso.tsx @@ -18,6 +18,7 @@ import { } from "@/components/ui/form" import { Input } from "@/components/ui/input" import { Switch } from "@/components/ui/switch" +import { TooltipProvider } from "@/components/ui/tooltip" import { CopyButton } from "@/components/copy-button" import { CenteredSpinner } from "@/components/loading/spinner" import { AlertNotification } from "@/components/notifications" @@ -128,13 +129,17 @@ export function OrgSettingsSsoForm() { name="saml_sp_acs_url" render={({ field }) => ( - Service Provider ACS URL - {field.value && ( - - )} + + Service Provider ACS URL + + {field.value && ( + + )} + + set[str]: + def keys(cls, *, exclude: set[str] | None = None) -> set[str]: """Get the setting keys as a set.""" - return set(cls.model_fields.keys()) + all_keys = set(cls.model_fields.keys()) + if exclude: + all_keys -= exclude + return all_keys class GitSettingsRead(BaseSettingsGroup): @@ -32,7 +35,7 @@ class SAMLSettingsRead(BaseSettingsGroup): saml_enabled: bool saml_enforced: bool saml_idp_metadata_url: str | None = Field(default=None) - saml_sp_acs_url: str | None = Field(default=None) + saml_sp_acs_url: str # Read only @field_validator("saml_enforced", mode="before") @classmethod 
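Review bot: In the `SAMLSettingsRead` hunk of tracecat/settings/models.py, `saml_sp_acs_url: str  # Read only` makes the field required, while its read-only contract is stated only in a trailing comment. Every construction of `SAMLSettingsRead` must now pass the value explicitly, so any caller that still builds the model from stored settings alone will fail validation; only the class is visible here, so other call sites should be checked. I would state the contract on the field itself, for example `saml_sp_acs_url: str = Field(..., description="Read-only; supplied from deployment config, not stored per organization")`. The class body continues outside the hunk.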
@@ -51,7 +54,6 @@ class SAMLSettingsUpdate(BaseSettingsGroup):
 " Requires SAML to be enabled.",
 )
 saml_idp_metadata_url: str | None = Field(default=None)
- saml_sp_acs_url: str | None = Field(default=None)
 class AuthSettingsRead(BaseSettingsGroup):
diff --git a/tracecat/settings/router.py b/tracecat/settings/router.py
index fd5ef7274..1310ed5f3 100644
--- a/tracecat/settings/router.py
+++ b/tracecat/settings/router.py
@@ -2,6 +2,7 @@
 from fastapi import APIRouter, HTTPException, status
+from tracecat import config
 from tracecat.auth.credentials import RoleACL
 from tracecat.auth.dependencies import Role
 from tracecat.auth.enums import AuthType
@@ -85,10 +86,13 @@ async def get_saml_settings(
 session: AsyncDBSession,
 ) -> SAMLSettingsRead:
 service = SettingsService(session, role)
- keys = SAMLSettingsRead.keys()
+
+ # Exclude read-only keys
+ keys = SAMLSettingsRead.keys(exclude={"saml_sp_acs_url"})
 settings = await service.list_org_settings(keys=keys)
 settings_dict = {setting.key: service.get_value(setting) for setting in settings}
- return SAMLSettingsRead(**settings_dict)
+
+ return SAMLSettingsRead(**settings_dict, saml_sp_acs_url=config.SAML_SP_ACS_URL)
 @router.patch("/saml", status_code=status.HTTP_204_NO_CONTENT)
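Review bot: In `get_saml_settings`, the stored `saml_sp_acs_url` setting is now skipped in favour of `config.SAML_SP_ACS_URL`, but nothing visible in this commit removes or neutralises a value an organization saved before the field became read-only. If the SAML login path still reads the stored setting (not shown here), this endpoint would display one ACS URL while assertions are checked against another, so confirm that path also uses `config.SAML_SP_ACS_URL` and either migrate the old row away or add a comment such as `# stored saml_sp_acs_url rows are ignored; the value comes from config`. The response model requires a `str`, so an unset or `None` config value would surface as a validation error on this GET rather than at startup. The literal `{"saml_sp_acs_url"}` would also be easier to keep in sync as a named constant beside `SAMLSettingsRead`. The function's signature begins outside the hunk.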