첫 커밋: 로컬 프로젝트 업로드

2026-06-10 15:51:34 +09:00
commit 6a8dbeb2e9
1211 changed files with 312864 additions and 0 deletions
--- a/baron-sso/adminfront/tests/security_roles.spec.ts
+++ b/baron-sso/adminfront/tests/security_roles.spec.ts
@@ -0,0 +1,294 @@
+import { expect, test } from "@playwright/test";
+
+test.describe("보안 및 접근 제어: 시스템 관리자 vs 일반 사용자", () => {
+  test.beforeEach(async ({ page }) => {
+    page.on("console", (msg) => console.log(`[PAGE] ${msg.text()}`));
+  });
+
+  const setupAuth = async (
+    page,
+    role: string,
+    profileOverrides: Record<string, unknown> = {},
+  ) => {
+    // 1. Inject initial state and mock tokens
+    await page.addInitScript(
+      ({ role }) => {
+        const authority = `${window.location.origin}/oidc`;
+        const client_id = "adminfront";
+        const key = `oidc.user:${authority}:${client_id}`;
+        const authData = {
+          id_token: "fake-id-token",
+          access_token: "fake-token",
+          token_type: "Bearer",
+          scope: "openid profile email",
+          profile: {
+            sub: "test-user",
+            name: "테스트 사용자",
+            email: "test@example.com",
+            role: role,
+          },
+          expires_at: Math.floor(Date.now() / 1000) + 36000,
+        };
+        window.localStorage.setItem(key, JSON.stringify(authData));
+        window.localStorage.setItem("admin_session", "fake-token");
+        window.localStorage.setItem("locale", "ko");
+        window.localStorage.setItem("oidc.state", "dummy");
+
+        (
+          window as Window & typeof globalThis & { _IS_TEST_MODE?: boolean }
+        )._IS_TEST_MODE = true;
+      },
+      { role },
+    );
+
+    // 2. OIDC Configuration Mocking
+    await page.route("**/oidc/**", async (route) => {
+      const url = route.request().url();
+      if (url.includes("/.well-known/openid-configuration")) {
+        const origin = new URL(url).origin;
+        await route.fulfill({
+          json: {
+            issuer: `${origin}/oidc`,
+            authorization_endpoint: `${origin}/oidc/auth`,
+            token_endpoint: `${origin}/oidc/token`,
+            jwks_uri: `${origin}/oidc/jwks`,
+            userinfo_endpoint: `${origin}/oidc/userinfo`,
+            end_session_endpoint: `${origin}/oidc/session/end`,
+            response_types_supported: ["code", "id_token"],
+            subject_types_supported: ["public"],
+            id_token_signing_alg_values_supported: ["RS256"],
+          },
+          headers: { "Access-Control-Allow-Origin": "*" },
+        });
+      } else {
+        await route.fulfill({
+          status: 200,
+          json: {},
+          headers: { "Access-Control-Allow-Origin": "*" },
+        });
+      }
+    });
+
+    // 3. API Mocking
+    await page.route("**/api/v1/**", async (route) => {
+      const url = route.request().url();
+      if (url.includes("/user/me")) {
+        await route.fulfill({
+          json: {
+            id: "test-user",
+            name: "테스트 사용자",
+            email: "test@example.com",
+            role: role,
+            manageableTenants: [],
+            ...profileOverrides,
+          },
+          headers: { "Access-Control-Allow-Origin": "*" },
+        });
+      } else if (url.includes("/tenants")) {
+        await route.fulfill({
+          json: {
+            items: [
+              {
+                id: "t1",
+                name: "테넌트 1",
+                slug: "t1",
+                status: "active",
+                type: "COMPANY",
+              },
+            ],
+            total: 1,
+          },
+          headers: { "Access-Control-Allow-Origin": "*" },
+        });
+      } else if (url.match(/\/admin\/users\/u1$/)) {
+        await route.fulfill({
+          json: {
+            id: "u1",
+            name: "사용자 1",
+            email: "u1@example.com",
+            role: "user",
+            status: "active",
+            tenantId: "t1",
+            tenantSlug: "t1",
+            tenant: {
+              id: "t1",
+              name: "테넌트 1",
+              slug: "t1",
+              status: "active",
+              type: "COMPANY",
+            },
+            createdAt: new Date().toISOString(),
+            updatedAt: new Date().toISOString(),
+          },
+          headers: { "Access-Control-Allow-Origin": "*" },
+        });
+      } else if (url.includes("/rp-history")) {
+        await route.fulfill({
+          json: [],
+          headers: { "Access-Control-Allow-Origin": "*" },
+        });
+      } else if (url.includes("/users")) {
+        await route.fulfill({
+          json: {
+            items: [
+              {
+                id: "u1",
+                name: "사용자 1",
+                email: "u1@example.com",
+                role: "user",
+                status: "active",
+                createdAt: new Date().toISOString(),
+              },
+            ],
+            total: 1,
+          },
+          headers: { "Access-Control-Allow-Origin": "*" },
+        });
+      } else if (url.includes("/admin/integrity")) {
+        await route.fulfill({
+          json: {
+            status: "pass",
+            checkedAt: new Date().toISOString(),
+            summary: { failures: 0, warnings: 0, pass: 10 },
+            sections: [],
+          },
+          headers: { "Access-Control-Allow-Origin": "*" },
+        });
+      } else if (url.includes("/password-policy")) {
+        await route.fulfill({
+          json: { minLength: 8, minCharacterTypes: 2 },
+          headers: { "Access-Control-Allow-Origin": "*" },
+        });
+      } else {
+        await route.fulfill({
+          json: { items: [], total: 0 },
+          headers: { "Access-Control-Allow-Origin": "*" },
+        });
+      }
+    });
+  };
+
+  test.describe("시스템 관리자 (Super Admin) 권한", () => {
+    test.beforeEach(async ({ page }) => {
+      await setupAuth(page, "super_admin");
+      await page.goto("/");
+      await expect(page.locator("aside")).toBeVisible({ timeout: 10000 });
+    });
+
+    test("모든 행정 메뉴가 보여야 함", async ({ page }) => {
+      await expect(page.locator('a[href="/tenants"]')).toBeVisible();
+      await expect(page.locator('a[href="/api-keys"]')).toBeVisible();
+      await expect(page.locator('a[href="/audit-logs"]')).toBeVisible();
+      await expect(page.locator('a[href="/system/ory-ssot"]')).toBeVisible();
+      await expect(
+        page.locator('a[href="/system/data-integrity"]'),
+      ).toBeVisible();
+    });
+
+    test("테넌트 관리 기능에 접근 가능해야 함", async ({ page }) => {
+      await page.goto("/tenants");
+      // "테넌트 추가" 버튼 확인
+      await expect(
+        page.getByRole("link", { name: /테넌트 추가/i }),
+      ).toBeVisible();
+      // "데이터 관리" 드롭다운 확인
+      await expect(page.getByTestId("tenant-data-mgmt-btn")).toBeVisible();
+    });
+  });
+
+  test.describe("일반 사용자 (Tenant Member) 제한", () => {
+    test.beforeEach(async ({ page }) => {
+      await setupAuth(page, "user");
+      await page.goto("/");
+      await expect(page.locator("aside")).toBeVisible({ timeout: 10000 });
+    });
+
+    test("관리자 전용 메뉴가 숨겨져야 함", async ({ page }) => {
+      await expect(page.locator('a[href="/tenants"]')).not.toBeVisible();
+      await expect(page.locator('a[href="/api-keys"]')).not.toBeVisible();
+      await expect(
+        page.locator('a[href="/system/ory-ssot"]'),
+      ).not.toBeVisible();
+      await expect(
+        page.locator('a[href="/system/data-integrity"]'),
+      ).not.toBeVisible();
+
+      // 일반 사용자가 볼 수 있는 메뉴 확인
+      await expect(page.locator('a[href="/audit-logs"]')).toBeVisible();
+    });
+
+    test("테넌트 목록 페이지 접근 시 차단되어야 함", async ({ page }) => {
+      await page.goto("/tenants");
+      // AppLayout.tsx에서 profileRole !== 'super_admin'일 때 보여주는 메시지 확인
+      await expect(
+        page.getByText(
+          /접근 권한이 없습니다|이 작업을 수행할 권한이 없습니다/i,
+        ),
+      ).toBeVisible();
+    });
+
+    test("다른 사용자 상세 페이지 직접 접근 시 차단되어야 함", async ({
+      page,
+    }) => {
+      await page.goto("/users/other-user");
+      await expect(
+        page.getByText(/이 작업을 수행할 권한이 없습니다/i),
+      ).toBeVisible();
+    });
+
+    test("사용자 생성 페이지 직접 접근 시 차단되어야 함", async ({ page }) => {
+      await page.goto("/users/new");
+      await expect(
+        page.getByText(/이 작업을 수행할 권한이 없습니다/i),
+      ).toBeVisible();
+    });
+  });
+
+  test.describe("테넌트 관리자 권한", () => {
+    test.beforeEach(async ({ page }) => {
+      await setupAuth(page, "tenant_admin", {
+        tenantId: "t1",
+        tenantSlug: "t1",
+        manageableTenants: [
+          {
+            id: "t1",
+            name: "테넌트 1",
+            slug: "t1",
+            status: "active",
+            type: "COMPANY",
+          },
+        ],
+      });
+      await page.goto("/");
+      await expect(page.locator("aside")).toBeVisible({ timeout: 10000 });
+    });
+
+    test("사용자 관리 목록에 접근 가능해야 함", async ({ page }) => {
+      await page.goto("/users");
+
+      await expect(
+        page.getByTestId("page-title").filter({ hasText: /사용자 관리/i }),
+      ).toBeVisible();
+      await expect(page.getByText("사용자 1")).toBeVisible();
+    });
+
+    test("사용자 생성 화면에 접근 가능해야 함", async ({ page }) => {
+      await page.goto("/users/new");
+
+      await expect(
+        page.getByRole("heading", { name: "사용자 추가" }),
+      ).toBeVisible();
+    });
+
+    test("관리 대상 테넌트 사용자 상세에 접근 가능해야 함", async ({
+      page,
+    }) => {
+      await page.goto("/users/u1");
+
+      await expect(page.getByText("사용자 1")).toBeVisible();
+      await expect(
+        page.getByText(/이 작업을 수행할 권한이 없습니다/i),
+      ).not.toBeVisible();
+    });
+  });
+});