첫 커밋: 로컬 프로젝트 업로드

2026-06-10 15:51:34 +09:00
commit 6a8dbeb2e9
1211 changed files with 312864 additions and 0 deletions
--- a/baron-sso/backend/internal/handler/auth_handler_consent_test.go
+++ b/baron-sso/backend/internal/handler/auth_handler_consent_test.go
@@ -0,0 +1,515 @@
+package handler
+
+import (
+	"baron-sso-backend/internal/domain"
+	"baron-sso-backend/internal/service"
+	"baron-sso-backend/internal/utils"
+	"bytes"
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+)
+
+// --- Mocks ---
+
+type MockKratosAdminServiceForConsent struct {
+	mock.Mock
+}
+
+func (m *MockKratosAdminServiceForConsent) FindIdentityIDByIdentifier(ctx context.Context, identifier string) (string, error) {
+	args := m.Called(ctx, identifier)
+	return args.String(0), args.Error(1)
+}
+
+func (m *MockKratosAdminServiceForConsent) GetIdentity(ctx context.Context, id string) (*service.KratosIdentity, error) {
+	args := m.Called(ctx, id)
+	if args.Get(0) == nil {
+		return nil, args.Error(1)
+	}
+	return args.Get(0).(*service.KratosIdentity), args.Error(1)
+}
+
+func (m *MockKratosAdminServiceForConsent) ListIdentities(ctx context.Context) ([]service.KratosIdentity, error) {
+	return nil, nil
+}
+
+func (m *MockKratosAdminServiceForConsent) UpdateIdentity(ctx context.Context, identityID string, traits map[string]any, state string) (*service.KratosIdentity, error) {
+	return nil, nil
+}
+
+func (m *MockKratosAdminServiceForConsent) CreateIdentity(ctx context.Context, traits map[string]any) (*service.KratosIdentity, error) {
+	return nil, nil
+}
+
+func (m *MockKratosAdminServiceForConsent) DeleteIdentity(ctx context.Context, identityID string) error {
+	return nil
+}
+
+func (m *MockKratosAdminServiceForConsent) UpdateIdentityPassword(ctx context.Context, identityID, newPassword string) error {
+	return nil
+}
+
+func (m *MockKratosAdminServiceForConsent) ListIdentitySessions(ctx context.Context, identityID string) ([]service.KratosSession, error) {
+	return nil, nil
+}
+
+func (m *MockKratosAdminServiceForConsent) GetSession(ctx context.Context, sessionID string) (*service.KratosSession, error) {
+	return nil, nil
+}
+
+func (m *MockKratosAdminServiceForConsent) DeleteSession(ctx context.Context, sessionID string) error {
+	return nil
+}
+
+func (m *MockKratosAdminServiceForConsent) CreateUser(ctx context.Context, user *domain.BrokerUser, password string) (string, error) {
+	return "", nil
+}
+
+type MockTenantServiceForConsent struct {
+	mock.Mock
+}
+
+func (m *MockTenantServiceForConsent) GetTenant(ctx context.Context, id string) (*domain.Tenant, error) {
+	args := m.Called(ctx, id)
+	if args.Get(0) == nil {
+		return nil, args.Error(1)
+	}
+	return args.Get(0).(*domain.Tenant), args.Error(1)
+}
+
+func (m *MockTenantServiceForConsent) GetTenantBySlug(ctx context.Context, slug string) (*domain.Tenant, error) {
+	return nil, nil
+}
+
+func (m *MockTenantServiceForConsent) GetTenantByDomain(ctx context.Context, domainName string) (*domain.Tenant, error) {
+	return nil, nil
+}
+
+func (m *MockTenantServiceForConsent) ListTenants(ctx context.Context, limit, offset int, parentID string, search string) ([]domain.Tenant, int64, error) {
+	return nil, 0, nil
+}
+
+func (m *MockTenantServiceForConsent) RegisterTenant(ctx context.Context, name, slug, tenantType, description string, domains []string, parentID *string, creatorID string) (*domain.Tenant, error) {
+	return nil, nil
+}
+
+func (m *MockTenantServiceForConsent) RequestRegistration(ctx context.Context, name, slug, description string, domainName string, adminEmail string) (*domain.Tenant, error) {
+	return nil, nil
+}
+
+func (m *MockTenantServiceForConsent) ApproveTenant(ctx context.Context, id string) error {
+	return nil
+}
+
+func (m *MockTenantServiceForConsent) ListManageableTenants(ctx context.Context, userID string) ([]domain.Tenant, error) {
+	args := m.Called(ctx, userID)
+	return args.Get(0).([]domain.Tenant), args.Error(1)
+}
+
+func (m *MockTenantServiceForConsent) ListJoinedTenants(ctx context.Context, userID string) ([]domain.Tenant, error) {
+	args := m.Called(ctx, userID)
+	return args.Get(0).([]domain.Tenant), args.Error(1)
+}
+
+func (m *MockTenantServiceForConsent) IsDomainAllowed(ctx context.Context, domainName string) (bool, error) {
+	return false, nil
+}
+
+func (m *MockTenantServiceForConsent) ProvisionTenantByDomain(ctx context.Context, domainName string) (*domain.Tenant, error) {
+	return nil, nil
+}
+
+func (m *MockTenantServiceForConsent) SetKetoService(keto service.KetoService) {}
+
+func (m *MockTenantServiceForConsent) DeleteTenantsBulk(ctx context.Context, ids []string) error {
+	return nil
+}
+
+// --- Test Helpers ---
+
+func newConsentTestApp(h *AuthHandler) *fiber.App {
+	app := fiber.New()
+	app.Get("/api/v1/auth/consent", h.GetConsentRequest)
+	app.Post("/api/v1/auth/consent/accept", h.AcceptConsentRequest)
+	return app
+}
+
+// --- Tests ---
+
+func TestGetConsentRequest_Normal(t *testing.T) {
+	// Mock Hydra transport
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-123" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"challenge":       "challenge-123",
+				"requested_scope": []string{"openid", "profile"},
+				"skip":            false,
+				"subject":         "user-123",
+				"client": map[string]any{
+					"client_id":   "client-app",
+					"client_name": "Test App",
+				},
+			}), nil
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	})
+
+	client := &http.Client{Transport: transport}
+
+	origDefault := http.DefaultClient
+	http.DefaultClient = client
+	defer func() { http.DefaultClient = origDefault }()
+
+	h := &AuthHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: client,
+		},
+	}
+	app := newConsentTestApp(h)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/consent?consent_challenge=challenge-123", nil)
+	resp, err := app.Test(req)
+
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var body map[string]any
+	json.NewDecoder(resp.Body).Decode(&body)
+
+	assert.Equal(t, "challenge-123", body["challenge"])
+	assert.Equal(t, false, body["skip"])
+}
+
+func TestGetConsentRequest_AddsMandatoryTenantScope(t *testing.T) {
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-tenant-scope" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"challenge":       "challenge-tenant-scope",
+				"requested_scope": []string{"openid", "profile"},
+				"skip":            false,
+				"subject":         "user-123",
+				"client": map[string]any{
+					"client_id":   "client-app",
+					"client_name": "Test App",
+					"metadata": map[string]any{
+						"tenant_access_restricted": true,
+						"allowed_tenants":          []string{"tenant-allow"},
+						"structured_scopes": []map[string]any{
+							{"name": "openid", "mandatory": true},
+							{"name": "tenant", "mandatory": true, "locked": true},
+							{"name": "profile", "mandatory": false},
+						},
+					},
+				},
+			}), nil
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	})
+
+	client := &http.Client{Transport: transport}
+	origDefault := http.DefaultClient
+	http.DefaultClient = client
+	defer func() { http.DefaultClient = origDefault }()
+
+	mockTenantSvc := &MockTenantServiceForConsent{}
+	mockKratosAdmin := &MockKratosAdminServiceForConsent{}
+
+	// Mock profile resolution to allow tenant access
+	mockKratosAdmin.On("GetIdentity", mock.Anything, "user-123").Return(&service.KratosIdentity{
+		ID: "user-123",
+		Traits: map[string]any{
+			"email": "user@example.com",
+		},
+	}, nil)
+
+	mockTenantSvc.On("GetTenant", mock.Anything, "tenant-allow").Return(&domain.Tenant{
+		ID:   "tenant-allow",
+		Slug: "tenant-allow",
+		Name: "Allowed Tenant",
+	}, nil)
+
+	// Mock hydration calls
+	mockTenantSvc.On("ListJoinedTenants", mock.Anything, mock.Anything).Return([]domain.Tenant{
+		{ID: "tenant-allow", Slug: "tenant-allow", Name: "Allowed Tenant"},
+	}, nil)
+	mockTenantSvc.On("ListManageableTenants", mock.Anything, mock.Anything).Return([]domain.Tenant{}, nil)
+
+	h := &AuthHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: client,
+		},
+		TenantService: mockTenantSvc,
+		KratosAdmin:   mockKratosAdmin,
+	}
+	app := newConsentTestApp(h)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/consent?consent_challenge=challenge-tenant-scope", nil)
+	req.Header.Set("X-Mock-Role", "user")
+	req.Header.Set("X-Tenant-ID", "tenant-allow")
+	resp, err := app.Test(req)
+
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var body map[string]any
+	json.NewDecoder(resp.Body).Decode(&body)
+
+	assert.Equal(t, []any{"openid", "tenant", "profile"}, body["requested_scope"])
+	scopeDetails := body["scope_details"].(map[string]any)
+	tenantDetail := scopeDetails["tenant"].(map[string]any)
+	assert.Equal(t, true, tenantDetail["mandatory"])
+}
+
+func TestGetConsentRequest_Skip_AutoAccept(t *testing.T) {
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		// Hydra: Get Consent Request
+		if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-skip" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"challenge":       "challenge-skip",
+				"requested_scope": []string{"openid"},
+				"skip":            true,
+				"subject":         "user-123",
+				"client": map[string]any{
+					"client_id": "client-app",
+				},
+			}), nil
+		}
+		// Kratos: Get Identity
+		if r.URL.Path == "/admin/identities/user-123" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"id": "user-123",
+				"traits": map[string]any{
+					"email": "user@test.com",
+				},
+			}), nil
+		}
+		// Hydra: Accept Consent Request
+		if r.URL.Path == "/oauth2/auth/requests/consent/accept" && r.URL.Query().Get("consent_challenge") == "challenge-skip" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"redirect_to": "http://rp/cb",
+			}), nil
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	})
+
+	client := &http.Client{Transport: transport}
+	origDefault := http.DefaultClient
+	http.DefaultClient = client
+	defer func() { http.DefaultClient = origDefault }()
+
+	consentRepo := &mockConsentRepo{}
+	rpUsageSink := &mockRPUsageEventSink{}
+	mockKratosAdmin := &MockKratosAdminServiceForConsent{}
+
+	h := &AuthHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: client,
+		},
+		KratosAdmin: mockKratosAdmin,
+		ConsentRepo: consentRepo,
+		RPUsageSink: rpUsageSink,
+	}
+	mockKratosAdmin.On("GetIdentity", mock.Anything, "user-123").Return(&service.KratosIdentity{
+		ID: "user-123",
+		Traits: map[string]any{
+			"email": "user@test.com",
+		},
+	}, nil)
+
+	app := newConsentTestApp(h)
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/consent?consent_challenge=challenge-skip", nil)
+
+	resp, err := app.Test(req)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var body map[string]any
+	json.NewDecoder(resp.Body).Decode(&body)
+	assert.Equal(t, "http://rp/cb", body["redirectTo"])
+	assert.Equal(t, 1, len(rpUsageSink.events))
+	assert.Equal(t, domain.RPUsageEventTypeAuthorizationGranted, rpUsageSink.events[0].EventType)
+	assert.Equal(t, "client-app", rpUsageSink.events[0].ClientID)
+	assert.Equal(t, "challenge-skip", rpUsageSink.events[0].CorrelationID)
+	assert.Equal(t, true, rpUsageSink.events[0].Payload["auto_accepted"])
+}
+
+func TestAcceptConsentRequest_Normal(t *testing.T) {
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-accept" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"challenge":       "challenge-accept",
+				"requested_scope": []string{"openid", "profile"},
+				"subject":         "user-123",
+				"client": map[string]any{
+					"client_id":   "client-app",
+					"client_name": "Test App",
+				},
+			}), nil
+		}
+		if r.URL.Path == "/admin/identities/user-123" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"id": "user-123",
+				"traits": map[string]any{
+					"email": "user@test.com",
+				},
+			}), nil
+		}
+		if r.URL.Path == "/oauth2/auth/requests/consent/accept" && r.URL.Query().Get("consent_challenge") == "challenge-accept" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"redirect_to": "http://rp/cb",
+			}), nil
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	})
+
+	client := &http.Client{Transport: transport}
+	origDefault := http.DefaultClient
+	http.DefaultClient = client
+	defer func() { http.DefaultClient = origDefault }()
+
+	auditRepo := &mockAuditRepo{}
+	consentRepo := &mockConsentRepo{}
+	rpUsageSink := &mockRPUsageEventSink{}
+	mockKratosAdmin := &MockKratosAdminServiceForConsent{}
+
+	h := &AuthHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: client,
+		},
+		KratosAdmin: mockKratosAdmin,
+		AuditRepo:   auditRepo,
+		ConsentRepo: consentRepo,
+		RPUsageSink: rpUsageSink,
+	}
+	mockKratosAdmin.On("GetIdentity", mock.Anything, "user-123").Return(&service.KratosIdentity{
+		ID: "user-123",
+		Traits: map[string]any{
+			"email": "user@test.com",
+		},
+	}, nil)
+
+	app := newConsentTestApp(h)
+
+	body, _ := json.Marshal(map[string]any{
+		"consent_challenge": "challenge-accept",
+		"grant_scope":       []string{"openid"},
+	})
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/consent/accept", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := app.Test(req)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	assert.Equal(t, 1, len(auditRepo.logs))
+	assert.Equal(t, "consent.granted", auditRepo.logs[0].EventType)
+	assert.Equal(t, "user-123", auditRepo.logs[0].UserID)
+	assert.Equal(t, "success", auditRepo.logs[0].Status)
+	auditDetails, err := utils.ParseAuditDetails(auditRepo.logs[0].Details)
+	assert.NoError(t, err)
+	assert.Equal(t, "client-app", auditDetails["client_id"])
+	assert.Equal(t, "Test App", auditDetails["client_name"])
+	assert.Equal(t, []any{"openid"}, auditDetails["scopes"])
+	assert.Equal(t, 1, len(rpUsageSink.events))
+	assert.Equal(t, domain.RPUsageEventTypeAuthorizationGranted, rpUsageSink.events[0].EventType)
+	assert.Equal(t, "user-123", rpUsageSink.events[0].Subject)
+	assert.Equal(t, "client-app", rpUsageSink.events[0].ClientID)
+	assert.Equal(t, "Test App", rpUsageSink.events[0].ClientName)
+	assert.Equal(t, []string{"openid"}, []string(rpUsageSink.events[0].Scopes))
+	assert.Equal(t, "hydra_consent", rpUsageSink.events[0].Source)
+}
+
+func TestAcceptConsentRequest_EnforcesMandatoryTenantScope(t *testing.T) {
+	t.Setenv("APP_ENV", "dev")
+
+	var capturedGrantScopes []string
+
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-tenant-accept" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"challenge":       "challenge-tenant-accept",
+				"requested_scope": []string{"openid", "profile"},
+				"subject":         "user-123",
+				"client": map[string]any{
+					"client_id": "client-app",
+					"metadata": map[string]any{
+						"tenant_id":                "tenant-abc",
+						"tenant_access_restricted": true,
+						"allowed_tenants":          []string{"tenant-abc"},
+						"structured_scopes": []map[string]any{
+							{"name": "openid", "mandatory": true},
+							{"name": "tenant", "mandatory": true, "locked": true},
+							{"name": "profile", "mandatory": false},
+						},
+					},
+				},
+			}), nil
+		}
+		if r.URL.Path == "/admin/identities/user-123" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"id": "user-123",
+				"traits": map[string]any{
+					"email": "user@test.com",
+				},
+			}), nil
+		}
+		if r.URL.Path == "/oauth2/auth/requests/consent/accept" && r.URL.Query().Get("consent_challenge") == "challenge-tenant-accept" {
+			var payload map[string]any
+			assert.NoError(t, json.NewDecoder(r.Body).Decode(&payload))
+			for _, scope := range payload["grant_scope"].([]any) {
+				capturedGrantScopes = append(capturedGrantScopes, scope.(string))
+			}
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"redirect_to": "http://rp/cb",
+			}), nil
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	})
+
+	client := &http.Client{Transport: transport}
+	origDefault := http.DefaultClient
+	http.DefaultClient = client
+	defer func() { http.DefaultClient = origDefault }()
+
+	mockKratosAdmin := &MockKratosAdminServiceForConsent{}
+
+	h := &AuthHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: client,
+		},
+		KratosAdmin: mockKratosAdmin,
+	}
+	mockKratosAdmin.On("GetIdentity", mock.Anything, "user-123").Return(&service.KratosIdentity{
+		ID: "user-123",
+		Traits: map[string]any{
+			"email": "user@test.com",
+		},
+	}, nil)
+
+	app := newConsentTestApp(h)
+
+	body, _ := json.Marshal(map[string]any{
+		"consent_challenge": "challenge-tenant-accept",
+		"grant_scope":       []string{"openid", "profile"},
+	})
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/consent/accept", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("X-Mock-Role", "user")
+	req.Header.Set("X-Tenant-ID", "tenant-abc")
+
+	resp, err := app.Test(req)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	assert.Equal(t, []string{"openid", "tenant", "profile"}, capturedGrantScopes)
+}