b24014/BaronSSO
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

첫 커밋: 로컬 프로젝트 업로드

Browse Source
This commit is contained in:
송대일
2026-06-10 15:51:34 +09:00
commit 6a8dbeb2e9
1211 changed files with 312864 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

258
baron-sso/devfront/tests/clients.spec.ts Normal file
View File

@@ -0,0 +1,258 @@
import { expect, test } from "@playwright/test";
import {
type AuditLog,
type Consent,
type DevAssignableUser,
installDevApiMock,
makeClient,
seedAuth,
} from "./helpers/devfront-fixtures";
import { captureEvidence } from "./helpers/evidence";
test.afterEach(async ({ page }, testInfo) => {
if (testInfo.status === "passed") {
await captureEvidence(page, testInfo, testInfo.title);
}
});
test("clients page loads correctly", async ({ page }) => {
await seedAuth(page, "super_admin");
await installDevApiMock(page, {
clients: [
makeClient("client-playwright", {
name: "Playwright Client",
createdAt: new Date().toISOString(),
redirectUris: ["http://localhost:5174/callback"],
}),
],
consents: [] as Consent[],
auditLogsByCursor: undefined,
});
await page.goto("/clients");
await expect(page).toHaveURL(/\/clients$/);
// 타이틀 확인
await expect(page).toHaveTitle(/바론 개발자 서비스/);
// 페이지 내 주요 텍스트 확인
await expect(page.getByText("연동 앱 목록")).toBeVisible();
await expect(
page.getByText("Total Applications", { exact: true }),
).toHaveCount(0);
// 테이블 헤더 확인
await expect(
page.locator("th").filter({ hasText: "애플리케이션" }),
).toBeVisible();
await expect(
page.locator("th").filter({ hasText: /클라이언트 ID|Client ID/i }),
).toBeVisible();
});
test("overview page shows recent RP changes", async ({ page }) => {
await seedAuth(page, "super_admin");
await installDevApiMock(page, {
clients: [
makeClient("client-recent", {
name: "Recent RP",
}),
],
consents: [] as Consent[],
auditLogs: [
{
event_id: "evt-1",
timestamp: "2026-03-03T09:00:00.000Z",
user_id: "actor-1",
event_type: "CLIENT_RELATION_CREATE",
status: "success",
ip_address: "127.0.0.1",
user_agent: "playwright",
details: JSON.stringify({
action: "ADD_RELATION",
target_id: "client-recent",
relation: "config_editor",
subject: "User:user-2",
}),
},
{
event_id: "evt-2",
timestamp: "2026-03-03T08:59:00.000Z",
user_id: "actor-2",
event_type: "CLIENT_ROTATE_SECRET",
status: "success",
ip_address: "127.0.0.1",
user_agent: "playwright",
details: JSON.stringify({
action: "ROTATE_SECRET",
target_id: "client-recent",
}),
},
] as AuditLog[],
auditLogsByCursor: undefined,
});
await page.goto("/");
await expect(
page.getByRole("heading", { name: "최근 변경된 앱" }),
).toBeVisible();
await expect(page.getByText("클라이언트 시크릿 재발급")).toBeVisible();
await expect(page.getByText("관계 추가")).toBeVisible();
await expect(
page.getByRole("link", { name: "Recent RP", exact: true }).first(),
).toBeVisible();
});
test("clients page shows only five apps by default and expands with more button", async ({
page,
}) => {
await seedAuth(page, "super_admin");
const clients = Array.from({ length: 6 }, (_, index) =>
makeClient(`client-${index + 1}`, {
name: `Preview App ${index + 1}`,
createdAt: new Date(Date.UTC(2026, 2, 3, 9, 10 - index, 0)).toISOString(),
}),
);
await installDevApiMock(page, {
clients,
consents: [] as Consent[],
auditLogs: [] as AuditLog[],
auditLogsByCursor: undefined,
});
await page.goto("/clients");
await expect(
page.getByRole("heading", { name: "연동 앱 목록" }),
).toBeVisible();
await expect(
page
.locator("table")
.first()
.locator("tbody tr")
.filter({
hasText: /Preview App \d/,
}),
).toHaveCount(5);
await expect(
page.getByText("Preview App 6", { exact: true }),
).not.toBeVisible();
const moreButton = page.getByRole("button", {
name: "연동 앱 목록 더보기",
});
await expect(moreButton).toBeVisible();
await expect(moreButton).toHaveCount(1);
await moreButton.click();
await expect(
page
.locator("table")
.first()
.locator("tbody tr")
.filter({
hasText: /Preview App \d/,
}),
).toHaveCount(6);
await expect(page.getByText("Preview App 6", { exact: true })).toBeVisible();
await expect(
page.getByRole("button", { name: "연동 앱 목록 더보기" }),
).toHaveCount(0);
});
test("overview page shows user-delete relation cleanup in recent changes", async ({
page,
}) => {
await seedAuth(page, "super_admin");
await installDevApiMock(page, {
clients: [
makeClient("client-cleanup", {
name: "Cleanup RP",
}),
],
consents: [] as Consent[],
users: [
{
id: "cleanup-actor",
name: "Cleanup Actor",
email: "cleanup.actor@example.com",
} satisfies DevAssignableUser,
],
auditLogs: [
{
event_id: "evt-cleanup-1",
timestamp: "2026-03-03T09:00:00.000Z",
user_id: "cleanup-actor",
event_type: "CLIENT_RELATION_DELETE",
status: "success",
ip_address: "127.0.0.1",
user_agent: "playwright",
details: JSON.stringify({
action: "REMOVE_RELATION",
target_id: "client-cleanup",
relation: "config_editor",
subject: "User:deleted-user",
before: {
relation: "config_editor",
subject: "User:deleted-user",
},
}),
},
] as AuditLog[],
auditLogsByCursor: undefined,
});
await page.goto("/");
await expect(
page.getByRole("heading", { name: "최근 변경된 앱" }),
).toBeVisible();
await expect(
page.getByRole("link", { name: "Cleanup RP", exact: true }),
).toBeVisible();
await expect(page.getByText("관계 삭제", { exact: true })).toBeVisible();
await expect(page.getByText(/관계:\s*config_editor/)).toBeVisible();
await expect(page.getByText(/주체:\s*User:deleted-user/)).toBeVisible();
await expect(
page.getByText("cleanup-actor", { exact: true }).first(),
).toBeVisible();
});
test("clients page no longer shows recent changes card", async ({ page }) => {
await seedAuth(page, "super_admin");
const clients = Array.from({ length: 6 }, (_, index) =>
makeClient(`client-${index + 1}`, {
name: `Recent App ${index + 1}`,
}),
);
const auditLogs = clients.map((client, index) => ({
event_id: `evt-recent-${index + 1}`,
timestamp: `2026-03-03T09:${String(10 - index).padStart(2, "0")}:00.000Z`,
user_id: `actor-${index + 1}`,
event_type: "CLIENT_CREATE",
status: "success" as const,
ip_address: "127.0.0.1",
user_agent: "playwright",
details: JSON.stringify({
action: "CREATE_CLIENT",
target_id: client.id,
after: {
name: client.name,
},
}),
}));
await installDevApiMock(page, {
clients,
consents: [] as Consent[],
auditLogs: auditLogs as AuditLog[],
auditLogsByCursor: undefined,
});
await page.goto("/clients");
await expect(
page.getByRole("heading", { name: "최근 변경된 앱" }),
).toHaveCount(0);
await expect(
page.getByRole("heading", { name: "연동 앱 목록" }),
).toBeVisible();
});

124
baron-sso/devfront/tests/devfront-audit.spec.ts Normal file
View File

@@ -0,0 +1,124 @@
import { expect, test } from "@playwright/test";
import {
type AuditLog,
type Consent,
installDevApiMock,
makeClient,
seedAuth,
} from "./helpers/devfront-fixtures";
import { captureEvidence } from "./helpers/evidence";
const appNamePlaceholder = /My Awesome Application|예: 멋진 애플리케이션/i;
test.describe("DevFront audit logs", () => {
test.afterEach(async ({ page }, testInfo) => {
if (testInfo.status === "passed") {
await captureEvidence(page, testInfo, testInfo.title);
}
});
test.beforeEach(async ({ page }) => {
page.on("dialog", async (dialog) => {
await dialog.accept().catch(() => {});
});
await seedAuth(page);
});
test("filtering and cursor pagination", async ({ page }) => {
const state = {
clients: [makeClient("client-audit", { name: "Audit app" })],
consents: [] as Consent[],
auditLogsByCursor: {
"": {
items: [
{
event_id: "evt-1",
timestamp: "2026-03-03T09:00:00.000Z",
user_id: "actor-a",
event_type: "CLIENT_UPDATE",
status: "success",
ip_address: "127.0.0.1",
user_agent: "playwright",
details: JSON.stringify({
action: "UPDATE_CLIENT",
target_id: "client-audit",
tenant_id: "tenant-a",
}),
},
],
next_cursor: "cursor-2",
},
"cursor-2": {
items: [
{
event_id: "evt-2",
timestamp: "2026-03-03T09:01:00.000Z",
user_id: "actor-b",
event_type: "CLIENT_ROTATE_SECRET",
status: "success",
ip_address: "127.0.0.1",
user_agent: "playwright",
details: JSON.stringify({
action: "ROTATE_SECRET",
target_id: "client-audit",
tenant_id: "tenant-a",
}),
},
],
},
},
};
await installDevApiMock(page, state);
await page.goto("/audit-logs");
await expect(page.getByText("UPDATE_CLIENT")).toBeVisible();
const filterInputs = page.locator("form input");
await filterInputs.nth(0).fill("client-audit");
await filterInputs.nth(1).fill("ROTATE_SECRET");
await page.getByRole("button", { name: /더 보기|Load more/i }).click();
await expect(page.getByText("ROTATE_SECRET")).toBeVisible();
});
test("realtime create/update actions should be recorded", async ({
page,
}) => {
const state = {
clients: [makeClient("client-realtime", { name: "Realtime app" })],
consents: [] as Consent[],
auditLogs: [] as AuditLog[],
auditLogsByCursor: undefined,
};
await installDevApiMock(page, state);
await page.goto("/clients/new");
await page.getByPlaceholder(appNamePlaceholder).fill("Realtime New App");
await page
.getByPlaceholder(/https:\/\/app\.example\.com\/callback/i)
.fill("https://realtime.example.com/callback");
await page.getByRole("button", { name: /앱 생성|Create/i }).click();
await expect.poll(() => state.auditLogs.length).toBeGreaterThanOrEqual(1);
await expect.poll(() => state.clients.at(-1)?.id).toMatch(/^client-/);
const createdClientId = state.clients.at(-1)?.id;
expect(createdClientId).toBeTruthy();
await page.goto(`/clients/${createdClientId}/settings`);
await page.getByPlaceholder(appNamePlaceholder).fill("Realtime Updated");
await page.getByRole("button", { name: /^저장$|^Save$/i }).click();
await expect.poll(() => state.auditLogs.length).toBeGreaterThanOrEqual(2);
const actions = state.auditLogs
.map((item) => {
try {
return JSON.parse(item.details)?.action as string | undefined;
} catch {
return undefined;
}
})
.filter((value): value is string => Boolean(value));
expect(actions).toContain("CREATE_CLIENT");
expect(actions).toContain("UPDATE_CLIENT");
});
});

68
baron-sso/devfront/tests/devfront-client-tabs.spec.ts Normal file
View File

@@ -0,0 +1,68 @@
import { expect, type Page, test } from "@playwright/test";
import {
type ClientRelation,
type Consent,
installDevApiMock,
makeClient,
seedAuth,
} from "./helpers/devfront-fixtures";
function expectClientTabsOrder(pagePath: string, expectedActive: RegExp) {
return async ({ page }: { page: Page }) => {
const state = {
clients: [makeClient("client-tabs", { name: "탭 테스트 앱" })],
consents: [] as Consent[],
relations: {
"client-tabs": [
{
relation: "config_editor",
subject: "User:user-1",
subjectType: "User",
subjectId: "user-1",
},
] satisfies ClientRelation[],
},
auditLogsByCursor: undefined,
};
await installDevApiMock(page, state);
await page.goto(pagePath);
const header = page
.locator("header")
.filter({ hasText: "탭 테스트 앱" })
.first();
const tabs = header.locator(
"div.border-b.border-border .whitespace-nowrap",
);
await expect(tabs).toHaveText([
"연동 설정",
"사용자 Claim",
"설정",
"관계",
]);
await expect(
header
.locator("div.border-b.border-border .text-primary")
.filter({ hasText: expectedActive }),
).toHaveCount(1);
};
}
test.describe("DevFront client detail tabs", () => {
test.beforeEach(async ({ page }) => {
await seedAuth(page, "rp_admin");
});
test(
"settings page keeps tab order and uses localized relationships label",
expectClientTabsOrder("/clients/client-tabs/settings", /^설정$/),
);
test(
"relationships page keeps tab order and uses localized relationships label",
expectClientTabsOrder("/clients/client-tabs/relationships", /^관계$/),
);
});

138
baron-sso/devfront/tests/devfront-client-tenant-access.spec.ts Normal file
View File

@@ -0,0 +1,138 @@
import { mkdir } from "node:fs/promises";
import path from "node:path";
import { expect, type Page, type TestInfo, test } from "@playwright/test";
import {
type Consent,
installDevApiMock,
makeClient,
seedAuth,
} from "./helpers/devfront-fixtures";
import { captureEvidence } from "./helpers/evidence";
const existingTenantId = "11111111-1111-4111-8111-111111111111";
const addedTenantId = "22222222-2222-4222-8222-222222222222";
async function captureTenantAccessEvidence(
page: Page,
testInfo: TestInfo,
name: string,
) {
await captureEvidence(page, testInfo, name);
const evidenceDir = path.join(process.cwd(), "e2e-evidence");
await mkdir(evidenceDir, { recursive: true });
await page.screenshot({
path: path.join(evidenceDir, `${name}.png`),
fullPage: true,
});
}
test.describe("DevFront client tenant access settings", () => {
test.beforeEach(async ({ page }) => {
page.on("dialog", async (dialog) => {
await dialog.accept();
});
await seedAuth(page);
});
test("adds and removes allowed tenants with UUID copy evidence", async ({
page,
}, testInfo) => {
await page.addInitScript(() => {
Object.defineProperty(window, "isSecureContext", {
configurable: true,
value: true,
});
Object.defineProperty(navigator, "clipboard", {
configurable: true,
value: {
writeText: async (value: string) => {
window.localStorage.setItem("__e2e_copied_text", value);
},
},
});
});
const state = {
clients: [
makeClient("client-tenant-access", {
name: "Tenant Access App",
scopes: ["openid", "profile", "email"],
metadata: {
tenant_access_restricted: true,
allowed_tenants: [existingTenantId],
},
}),
],
consents: [] as Consent[],
auditLogsByCursor: undefined,
tenants: [
{
id: existingTenantId,
name: "Alpha Tenant",
slug: "alpha",
description: "Existing allowed tenant",
type: "organization",
},
{
id: addedTenantId,
name: "Beta Tenant",
slug: "beta",
description: "Tenant added during E2E",
type: "organization",
},
],
};
await installDevApiMock(page, state);
await page.goto("/clients/client-tenant-access/settings");
await expect(
page.getByRole("heading", { name: /테넌트 접근 제한|Tenant access/i }),
).toBeVisible();
await expect(
page.getByTestId(`allowed-tenant-${existingTenantId}`),
).toContainText(existingTenantId);
await page.getByTestId(`allowed-tenant-copy-${existingTenantId}`).click();
await expect
.poll(() =>
page.evaluate(() => window.localStorage.getItem("__e2e_copied_text")),
)
.toBe(existingTenantId);
await page
.getByPlaceholder(/테넌트 이름 또는 슬러그로 검색|tenant name or slug/i)
.fill("beta");
await page.getByRole("button", { name: /Beta Tenant/i }).click();
await expect(
page.getByTestId(`allowed-tenant-${addedTenantId}`),
).toContainText(addedTenantId);
await captureTenantAccessEvidence(
page,
testInfo,
"tenant-access-allowed-tenant-added",
);
await page.getByRole("button", { name: /^저장$|^Save$/i }).click();
await expect
.poll(() => state.clients[0]?.metadata?.allowed_tenants)
.toEqual([existingTenantId, addedTenantId]);
await page.getByTestId(`allowed-tenant-remove-${addedTenantId}`).click();
await expect(
page.getByTestId(`allowed-tenant-${addedTenantId}`),
).toHaveCount(0);
await expect(
page.getByTestId(`allowed-tenant-${existingTenantId}`),
).toContainText(existingTenantId);
await captureTenantAccessEvidence(
page,
testInfo,
"tenant-access-allowed-tenant-deleted",
);
await page.getByRole("button", { name: /^저장$|^Save$/i }).click();
await expect
.poll(() => state.clients[0]?.metadata?.allowed_tenants)
.toEqual([existingTenantId]);
});
});

606
baron-sso/devfront/tests/devfront-clients-lifecycle.spec.ts Normal file
View File

@@ -0,0 +1,606 @@
import { expect, test } from "@playwright/test";
import {
type ClientStatus,
type Consent,
installDevApiMock,
makeClient,
seedAuth,
} from "./helpers/devfront-fixtures";
import { captureEvidence } from "./helpers/evidence";
const appNamePlaceholder = /My Awesome Application|예: 멋진 애플리케이션/i;
const jwksUri = "https://rp.example.com/.well-known/jwks.json";
test.describe("DevFront clients lifecycle", () => {
test.afterEach(async ({ page }, testInfo) => {
if (testInfo.status === "passed") {
await captureEvidence(page, testInfo, testInfo.title);
}
});
test.beforeEach(async ({ page }) => {
page.on("dialog", async (dialog) => {
await dialog.accept();
});
await seedAuth(page);
});
test("create, update status, and delete", async ({ page }) => {
const state = {
clients: [makeClient("existing-client", { name: "Existing app" })],
consents: [] as Consent[],
updatedStatus: "active" as ClientStatus,
auditLogsByCursor: undefined,
onUpdateStatus(status: ClientStatus) {
this.updatedStatus = status;
},
};
await installDevApiMock(page, state);
await page.goto("/clients");
await expect(page.getByText("Existing app")).toBeVisible();
await page
.getByRole("button", { name: /연동 앱 추가|새 클라이언트|Create/i })
.click();
await expect(page).toHaveURL(/\/clients\/new$/);
await page
.getByPlaceholder(appNamePlaceholder)
.fill("Playwright Created App");
await page
.getByPlaceholder(/https:\/\/app\.example\.com\/callback/i)
.fill("https://playwright.example.com/callback");
await page
.getByRole("button", { name: /앱 생성|클라이언트 생성|Create/i })
.click();
await expect(page).toHaveURL(/\/clients\/client-\d+\/settings$/);
await expect(
page.getByRole("heading", {
name: /연동 앱 설정|클라이언트 설정|Client Settings/i,
}),
).toBeVisible();
await page.getByRole("button", { name: /비활성|Inactive/i }).click();
await page.getByRole("button", { name: /^저장$|^Save$/i }).click();
await expect.poll(() => state.updatedStatus).toBe("inactive");
await page.getByRole("button", { name: /삭제|Delete/i }).click();
await expect(page).toHaveURL(/\/clients$/);
await expect(page.getByText("Playwright Created App")).not.toBeVisible();
});
test("rotate secret shows new value", async ({ page }) => {
let rotatedSecret = "";
const state = {
clients: [makeClient("client-rotate", { name: "Rotate app" })],
consents: [] as Consent[],
auditLogsByCursor: undefined,
onRotateSecret(newSecret: string) {
rotatedSecret = newSecret;
},
};
await installDevApiMock(page, state);
await page.goto("/clients/client-rotate");
await expect(
page.getByRole("heading", { name: "Rotate app", exact: true }),
).toBeVisible();
await page.getByTitle(/비밀키 재발급|Rotate/i).click();
await expect.poll(() => rotatedSecret).toBe("client-rotate-rotated-secret");
await expect(page.getByText("client-rotate-rotated-secret")).toBeVisible();
});
test("update name and redirect URI should be persisted", async ({ page }) => {
const state = {
clients: [
makeClient("client-edit", {
name: "Before Name",
redirectUris: ["https://before.example.com/callback"],
}),
],
consents: [] as Consent[],
auditLogsByCursor: undefined,
};
await installDevApiMock(page, state);
await page.goto("/clients/client-edit/settings");
await page.getByPlaceholder(appNamePlaceholder).fill("After Name");
await page.getByRole("button", { name: /^저장$|^Save$/i }).click();
await expect.poll(() => state.clients[0]?.name).toBe("After Name");
await page.goto("/clients/client-edit");
await page
.getByRole("textbox", { name: /인증 콜백 URL|Callback/i })
.fill("https://after.example.com/callback");
await page
.getByRole("button", { name: /Redirect URIs 저장|Save/i })
.click();
await expect
.poll(() => state.clients[0]?.redirectUris[0])
.toBe("https://after.example.com/callback");
await page.reload();
await expect(
page.getByRole("textbox", { name: /인증 콜백 URL|Callback/i }),
).toHaveValue(/https:\/\/after\.example\.com\/callback/);
});
test("id token claims should be persisted and restored", async ({ page }) => {
const state = {
clients: [
makeClient("client-claims", {
name: "Claims app",
metadata: {},
}),
],
consents: [] as Consent[],
auditLogsByCursor: undefined,
};
await installDevApiMock(page, state);
await page.goto("/clients/client-claims/settings");
await page.getByRole("button", { name: /Claim 추가|Add Claim/i }).click();
await expect(page.getByText("rp_claims").first()).toBeVisible();
await expect(
page.getByLabel(/Claim namespace|Claim 네임스페이스/i),
).toHaveCount(0);
await page
.getByPlaceholder(/e\.g\. locale|예: locale/i)
.fill("contract_date");
await page
.getByLabel(/Claim value type|Claim 값 타입/i)
.first()
.selectOption("date");
await page
.getByPlaceholder(/Claim 값을 입력하세요|Enter the claim value/i)
.first()
.fill("2026-06-09");
await page
.getByLabel(/읽기 권한|Read permission/i)
.first()
.selectOption("user_and_admin");
await page.getByRole("button", { name: /Claim 추가|Add Claim/i }).click();
await page
.getByPlaceholder(/e\.g\. locale|예: locale/i)
.nth(1)
.fill("tier");
await page
.getByLabel(/Claim value type|Claim 값 타입/i)
.nth(1)
.selectOption("number");
await page
.getByPlaceholder(/Claim 값을 입력하세요|Enter the claim value/i)
.nth(1)
.fill("2");
await page.getByRole("button", { name: /^저장$|^Save$/i }).click();
await expect
.poll(() => state.clients[0]?.metadata?.id_token_claims)
.toBeDefined();
await expect
.poll(
() =>
(
state.clients[0]?.metadata?.id_token_claims as
| Array<{
namespace?: string;
key?: string;
value?: string;
valueType?: string;
}>
| undefined
)?.length,
)
.toBe(2);
await expect
.poll(
() =>
(
state.clients[0]?.metadata?.id_token_claims as
| Array<{
namespace?: string;
key?: string;
value?: string;
valueType?: string;
}>
| undefined
)?.[0]?.namespace,
)
.toBe("rp_claims");
await expect
.poll(
() =>
(
state.clients[0]?.metadata?.id_token_claims as
| Array<{
namespace?: string;
key?: string;
value?: string;
valueType?: string;
}>
| undefined
)?.[0]?.key,
)
.toBe("contract_date");
await expect
.poll(
() =>
(
state.clients[0]?.metadata?.id_token_claims as
| Array<{
namespace?: string;
key?: string;
value?: string;
valueType?: string;
readPermission?: string;
writePermission?: string;
}>
| undefined
)?.[0]?.valueType,
)
.toBe("date");
await expect
.poll(
() =>
(
state.clients[0]?.metadata?.id_token_claims as
| Array<{
readPermission?: string;
writePermission?: string;
}>
| undefined
)?.[0]?.readPermission,
)
.toBe("user_and_admin");
await expect
.poll(
() =>
(
state.clients[0]?.metadata?.id_token_claims as
| Array<{
readPermission?: string;
writePermission?: string;
}>
| undefined
)?.[0]?.writePermission,
)
.toBe("admin_only");
await expect
.poll(
() =>
(
state.clients[0]?.metadata?.id_token_claims as
| Array<{
namespace?: string;
key?: string;
value?: string;
valueType?: string;
}>
| undefined
)?.[1]?.namespace,
)
.toBe("rp_claims");
await expect
.poll(
() =>
(
state.clients[0]?.metadata?.id_token_claims as
| Array<{
namespace?: string;
key?: string;
value?: string;
valueType?: string;
}>
| undefined
)?.[1]?.key,
)
.toBe("tier");
await page.reload();
await expect(
page.getByPlaceholder(/e\.g\. locale|예: locale/i),
).toHaveCount(2);
await expect(
page.getByPlaceholder(/e\.g\. locale|예: locale/i).first(),
).toHaveValue("contract_date");
await expect(
page.getByPlaceholder(/e\.g\. locale|예: locale/i).nth(1),
).toHaveValue("tier");
await expect(
page.getByPlaceholder(/Claim 값을 입력하세요|Enter the claim value/i),
).toHaveCount(2);
await expect(
page
.getByPlaceholder(/Claim 값을 입력하세요|Enter the claim value/i)
.first(),
).toHaveValue("2026-06-09");
await expect(
page
.getByPlaceholder(/Claim 값을 입력하세요|Enter the claim value/i)
.nth(1),
).toHaveValue("2");
});
test("headless login uses jwks uri only and shows cache actions", async ({
page,
}) => {
const state = {
clients: [
makeClient("client-headless-login", {
name: "Headless Login App",
type: "private",
metadata: {
headless_login_enabled: true,
headless_token_endpoint_auth_method: "private_key_jwt",
headless_jwks_uri: jwksUri,
},
headlessJwksCache: {
clientId: "client-headless-login",
jwksUri,
cachedAt: "2026-03-31T00:00:00.000Z",
expiresAt: "2026-04-01T00:00:00.000Z",
lastCheckedAt: "2026-03-31T12:00:00.000Z",
lastSuccessfulVerificationAt: "2026-03-31T12:00:00.000Z",
lastRefreshStatus: "success",
lastError: "",
consecutiveFailures: 0,
cachedKids: ["kid-1"],
etag: 'W/"cache-etag"',
lastModified: "Tue, 31 Mar 2026 00:00:00 GMT",
parsedKeys: [
{
kid: "kid-1",
kty: "RSA",
use: "sig",
alg: "RS256",
n: "voVbHlo_UHkjtT7Q_8owyjZ2omE8n8mbGlpraZziStHPfe08q_RGiEXO6Pyiz42NVi-Yo0c7qiaqRwB4h9s5phpT2wwcUxnkrQeRhe7BpigInZPzpwq1hsaB2zyhE7zTRCC3hinGtFdVpNzTVKYKGPbXfeEXaRL3P838vi-_iB4IN3WQk_pAakUQvajL2H-vcWSMSNslMGPDZxobqE9MHSWocNXemrcmtCeE7ruUND0qHZOb8k-hHUBqsNoJ63WKdapzGYF6e2qgDRveYrjgOCBigZPi8npN0xStQ0YcrH_RxeTogsdRZ8SuXmLqavryVDnrT8czPkkJ-EHb8PiTCQ",
},
],
},
}),
],
consents: [] as Consent[],
auditLogsByCursor: undefined,
onRefreshHeadlessJwks(clientId: string) {
if (this.clients[0].headlessJwksCache) {
this.clients[0].headlessJwksCache = {
...this.clients[0].headlessJwksCache,
lastRefreshStatus: "success",
lastCheckedAt: "2026-04-01T00:00:00.000Z",
};
}
expect(clientId).toBe("client-headless-login");
},
onRevokeHeadlessJwksCache(clientId: string) {
expect(clientId).toBe("client-headless-login");
},
};
await installDevApiMock(page, state);
await page.goto("/clients/client-headless-login/settings");
await expect(
page.getByRole("heading", {
name: /공개키 등록|Public Key Registration/i,
}),
).toBeVisible();
await expect(
page.getByText(/Request Object Signing Algorithm/i),
).toHaveCount(0);
await expect(
page.getByText(/Allowed algorithms|허용 알고리즘/i),
).toHaveCount(0);
await page
.getByPlaceholder(/https:\/\/rp\.example\.com\/\.well-known\/jwks\.json/i)
.fill(jwksUri);
await page.getByRole("button", { name: /^저장$|^Save$/i }).click();
await expect
.poll(() => state.clients[0]?.tokenEndpointAuthMethod)
.toBe("private_key_jwt");
await expect
.poll(() => state.clients[0]?.metadata?.headless_login_enabled)
.toBe(true);
await expect
.poll(
() => state.clients[0]?.metadata?.headless_token_endpoint_auth_method,
)
.toBe("private_key_jwt");
await expect
.poll(() => state.clients[0]?.metadata?.headless_jwks_uri)
.toBe(jwksUri);
await expect
.poll(() => state.clients[0]?.metadata?.request_object_signing_alg)
.toBeUndefined();
await expect(
page.getByText(/cached at|캐시됨|last refresh|마지막 갱신/i),
).toBeVisible();
await expect(page.getByText(/Parsed Keys|파싱된 키/i)).toBeVisible();
await expect(page.getByText(/^KID$/i)).toBeVisible();
await expect(page.getByText("kid-1", { exact: true }).last()).toBeVisible();
await expect(
page.getByText(
"voVbHlo_UHkjtT7Q_8owyjZ2omE8n8mbGlpraZziStHPfe08q_RGiEXO6Pyiz42NVi-Yo0c7qiaqRwB4h9s5phpT2wwcUxnkrQeRhe7BpigInZPzpwq1hsaB2zyhE7zTRCC3hinGtFdVpNzTVKYKGPbXfeEXaRL3P838vi-_iB4IN3WQk_pAakUQvajL2H-vcWSMSNslMGPDZxobqE9MHSWocNXemrcmtCeE7ruUND0qHZOb8k-hHUBqsNoJ63WKdapzGYF6e2qgDRveYrjgOCBigZPi8npN0xStQ0YcrH_RxeTogsdRZ8SuXmLqavryVDnrT8czPkkJ-EHb8PiTCQ",
{ exact: true },
),
).toBeVisible();
await expect(
page.getByRole("button", { name: /refresh|새로고침/i }),
).toBeVisible();
await expect(
page.getByRole("button", { name: /^(캐시 삭제|Revoke Cache)$/i }),
).toBeVisible();
await page.getByRole("button", { name: /refresh|새로고침/i }).click();
await expect
.poll(() => state.clients[0]?.headlessJwksCache?.lastCheckedAt)
.toBe("2026-04-01T00:00:00.000Z");
page.removeAllListeners("dialog");
page.once("dialog", async (dialog) => {
expect(dialog.message()).toMatch(/revoke|삭제|cache/i);
await dialog.accept();
});
await page
.getByRole("button", { name: /^(캐시 삭제|Revoke Cache)$/i })
.click();
await expect
.poll(() => state.clients[0]?.headlessJwksCache)
.toBeUndefined();
await page.reload();
await expect(
page.getByRole("heading", {
name: /공개키 등록|Public Key Registration/i,
}),
).toBeVisible();
await expect(
page.getByRole("textbox", { name: /JWKS URI|JWKS URI/i }),
).toHaveValue(jwksUri);
});
test("auto login settings are stored in client metadata", async ({
page,
}) => {
const autoLoginUrl = "https://rp.example.com/login?auto=1";
const state = {
clients: [makeClient("client-auto-login", { name: "Auto Login app" })],
consents: [] as Consent[],
auditLogsByCursor: undefined,
};
await installDevApiMock(page, state);
await page.goto("/clients/client-auto-login/settings");
await page
.getByRole("switch", { name: /자동 로그인 지원|Auto Login/i })
.click();
await page
.getByPlaceholder(/https:\/\/app\.example\.com\/login\?auto=1/i)
.fill(autoLoginUrl);
await page.getByRole("button", { name: /^저장$|^Save$/i }).click();
await expect
.poll(() => state.clients[0]?.metadata?.auto_login_supported)
.toBe(true);
await expect
.poll(() => state.clients[0]?.metadata?.auto_login_url)
.toBe(autoLoginUrl);
});
test("headless login blocks save when parsed jwks algorithm is unsupported", async ({
page,
}) => {
const state = {
clients: [
makeClient("client-headless-unsupported", {
name: "Unsupported Headless Login App",
type: "private",
metadata: {
headless_login_enabled: true,
headless_token_endpoint_auth_method: "private_key_jwt",
headless_jwks_uri: jwksUri,
},
headlessJwksCache: {
clientId: "client-headless-unsupported",
jwksUri,
cachedAt: "2026-03-31T00:00:00.000Z",
expiresAt: "2026-04-01T00:00:00.000Z",
lastCheckedAt: "2026-03-31T12:00:00.000Z",
lastSuccessfulVerificationAt: "2026-03-31T12:00:00.000Z",
lastRefreshStatus: "success",
lastError: "",
consecutiveFailures: 0,
cachedKids: ["kid-unsupported"],
parsedKeys: [
{
kid: "kid-unsupported",
kty: "RSA",
use: "sig",
alg: "HS256",
n: "unsupported-n-value",
},
],
},
}),
],
consents: [] as Consent[],
auditLogsByCursor: undefined,
};
await installDevApiMock(page, state);
await page.goto("/clients/client-headless-unsupported/settings");
await page
.getByPlaceholder(/https:\/\/rp\.example\.com\/\.well-known\/jwks\.json/i)
.fill(jwksUri);
await expect(
page.getByText("지원하지 않는 알고리즘이 감지되었습니다.", {
exact: true,
}),
).toBeVisible();
await expect(
page.getByRole("button", { name: /^저장$|^Save$/i }),
).toBeDisabled();
});
test("headless login blocks save when parsed jwks algorithm is missing", async ({
page,
}) => {
const state = {
clients: [
makeClient("client-headless-missing-alg", {
name: "Missing Alg Headless Login App",
type: "private",
metadata: {
headless_login_enabled: true,
headless_token_endpoint_auth_method: "private_key_jwt",
headless_jwks_uri: jwksUri,
},
headlessJwksCache: {
clientId: "client-headless-missing-alg",
jwksUri,
cachedAt: "2026-03-31T00:00:00.000Z",
expiresAt: "2026-04-01T00:00:00.000Z",
lastCheckedAt: "2026-03-31T12:00:00.000Z",
lastSuccessfulVerificationAt: "2026-03-31T12:00:00.000Z",
lastRefreshStatus: "success",
lastError: "",
consecutiveFailures: 0,
cachedKids: ["kid-missing-alg"],
parsedKeys: [
{
kid: "kid-missing-alg",
kty: "RSA",
use: "sig",
alg: "",
n: "missing-alg-n-value",
},
],
},
}),
],
consents: [] as Consent[],
auditLogsByCursor: undefined,
};
await installDevApiMock(page, state);
await page.goto("/clients/client-headless-missing-alg/settings");
await expect(
page.getByText(/알고리즘이 선언되지 않았습니다|algorithm is missing/i),
).toBeVisible();
await expect(
page.getByRole("button", { name: /^저장$|^Save$/i }),
).toBeDisabled();
});
});

109
baron-sso/devfront/tests/devfront-consents.spec.ts Normal file
View File

@@ -0,0 +1,109 @@
import { expect, test } from "@playwright/test";
import {
type Consent,
installDevApiMock,
makeClient,
seedAuth,
} from "./helpers/devfront-fixtures";
import { captureEvidence } from "./helpers/evidence";
test.describe("DevFront consents", () => {
test.afterEach(async ({ page }, testInfo) => {
if (testInfo.status === "passed") {
await captureEvidence(page, testInfo, testInfo.title);
}
});
test.beforeEach(async ({ page }) => {
page.on("dialog", async (dialog) => {
await dialog.accept();
});
await seedAuth(page);
});
test("consent list and revoke flow", async ({ page }) => {
const state = {
clients: [
makeClient("client-consent", {
name: "Consent app",
metadata: {
id_token_claims: [
{
namespace: "rp_claims",
key: "contract_date",
valueType: "date",
value: "2026-06-09",
},
{
namespace: "rp_claims",
key: "approved_at",
valueType: "datetime",
value: "2026-06-09T09:30",
},
],
},
}),
],
consents: [
{
subject: "user-1",
userName: "Alice",
clientId: "client-consent",
clientName: "Consent app",
grantedScopes: ["openid", "profile"],
authenticatedAt: "2026-03-03T08:00:00.000Z",
createdAt: "2026-03-02T08:00:00.000Z",
status: "active",
tenantId: "tenant-a",
tenantName: "Tenant A",
rpMetadata: {
approvalLevel: "A",
approvalLevel_permissions: {
readPermission: "admin_only",
writePermission: "admin_only",
},
},
},
] as Consent[],
auditLogsByCursor: undefined,
};
await installDevApiMock(page, state);
await page.goto("/clients/client-consent/consents");
await expect(page.getByText("Alice")).toBeVisible();
await expect(page.getByText("Tenant A")).toBeVisible();
await expect(page.getByText(/approvalLevel:\s*A/)).toBeVisible();
await page.getByRole("button", { name: /Claims|Claim/i }).click();
await expect(page.getByText("RP Custom Claims")).toBeVisible();
await expect(page.getByText("contract_date")).toBeVisible();
await expect(page.getByText("approved_at")).toBeVisible();
await expect(page.locator('input[type="date"]')).toHaveValue("2026-06-09");
await page.locator('input[type="date"]').fill("2026-06-10");
await page.locator('input[type="datetime-local"]').fill("2026-06-09T10:30");
await page
.getByLabel(/쓰기 권한|Write permission/i)
.first()
.selectOption("user_and_admin");
await page.getByRole("button", { name: /Claim 저장|Save Claim/i }).click();
await expect
.poll(() => state.consents[0]?.rpMetadata?.contract_date)
.toBe("2026-06-10");
await expect
.poll(() => state.consents[0]?.rpMetadata?.approved_at)
.toBe("2026-06-09T10:30");
await expect
.poll(
() =>
(
state.consents[0]?.rpMetadata?.contract_date_permissions as
| Record<string, unknown>
| undefined
)?.writePermission,
)
.toBe("user_and_admin");
await page.getByRole("button", { name: /권한 철회|철회|Revoke/i }).click();
await expect(page.getByText(/Revoked|철회/i).first()).toBeVisible();
});
});

169
baron-sso/devfront/tests/devfront-developer-request.spec.ts Normal file
View File

@@ -0,0 +1,169 @@
import { expect, test } from "@playwright/test";
import {
type DeveloperRequest,
installDevApiMock,
seedAuth,
} from "./helpers/devfront-fixtures";
import { captureEvidence } from "./helpers/evidence";
test.describe("DevFront developer request and management", () => {
test.afterEach(async ({ page }, testInfo) => {
if (testInfo.status === "passed") {
await captureEvidence(page, testInfo, testInfo.title);
}
});
test.beforeEach(async ({ page }) => {
page.on("dialog", async (dialog) => {
await dialog.accept();
});
});
test("user can request developer access when no RP exists", async ({
page,
}) => {
const state = {
clients: [],
consents: [],
developerRequests: [],
};
await seedAuth(page, "user");
await installDevApiMock(page, state);
await page.goto("/clients");
// Click request link and open the request modal on the dedicated page
const requestBtn = page.getByRole("button", {
name: /개발자 등록 신청하기|개발자 등록 신청/,
});
await requestBtn.waitFor({ state: "visible" });
await requestBtn.click();
await expect(page).toHaveURL(/\/developer-requests$/);
const openRequestBtn = page.getByRole("button", {
name: /신규 신청하기|Request|Apply/,
});
await openRequestBtn.click();
// Fill Form (organization is read-only and comes from the active tenant)
await page.locator("#reason").fill("Need to test OIDC integration");
// Submit
await page.getByRole("button", { name: "신청하기", exact: true }).click();
// Verify Status - Look for "Pending" or "대기" anywhere
await expect(page.locator("body")).toContainText(/대기|Pending/);
});
test("super admin can approve, reject and cancel developer requests", async ({
page,
}) => {
const request: DeveloperRequest = {
id: "req-admin-test",
userId: "user-1",
userName: "Requester User",
name: "Requester User",
userEmail: "user1@example.com",
organization: "Dev Team",
reason: "API Test",
status: "pending",
createdAt: new Date().toISOString(),
updatedAt: new Date().toISOString(),
};
const state = {
clients: [],
consents: [],
developerRequests: [request],
};
await seedAuth(page, "super_admin");
await installDevApiMock(page, state);
await page.goto("/developer-requests");
// Wait for data to load
await page.waitForLoadState("networkidle");
await expect(page.locator("table")).toContainText("Requester User", {
timeout: 10000,
});
// Approve
const approveBtn = page.getByRole("button", { name: "승인" }).first();
await approveBtn.click();
await expect(page.locator("table")).toContainText(/승인됨|Approved/);
// Cancel approval (Requires notes)
await page.locator("input.h-8").first().fill("Cancellation reason");
await page.getByRole("button", { name: "승인 취소" }).click();
await expect(page.locator("table")).toContainText(/대기|Pending/);
// Reject (Requires notes)
await page.locator("input.h-8").first().fill("Rejection reason");
await page.getByRole("button", { name: "반려" }).click();
await expect(page.locator("table")).toContainText(/반려됨|Rejected/);
});
test("approved user can see 'Add App' guidance and create RP", async ({
page,
}) => {
const request: DeveloperRequest = {
id: "req-approved",
userId: "playwright-user",
userName: "Playwright User",
name: "Playwright User",
userEmail: "playwright@example.com",
organization: "QA",
reason: "Test",
status: "approved",
createdAt: new Date().toISOString(),
updatedAt: new Date().toISOString(),
approvedAt: new Date().toISOString(),
};
const state = {
clients: [],
consents: [],
developerRequests: [request],
};
await seedAuth(page, "rp_admin");
await installDevApiMock(page, state);
await page.goto("/clients");
// Click Add App
const createBtn = page
.getByRole("button", { name: /연동 앱 추가/ })
.first();
await createBtn.click();
// Fill Form (Must fill all mandatory fields to enable Submit)
await expect(page).toHaveURL(/\/clients\/new$/);
const nameInput = page.getByPlaceholder(
/My Awesome Application|예: 멋진 애플리케이션/,
);
await nameInput.fill("E2E Test RP");
await nameInput.press("Tab");
const uriInput = page.getByRole("textbox", {
name: /Redirect URIs|인증 콜백 URL|Callback/i,
});
await uriInput.fill("https://example.com/callback");
await uriInput.press("Tab");
// Submit
const submitBtn = page
.getByRole("button", { name: /생성/ })
.filter({ hasNotText: "취소" });
await expect(submitBtn).toBeEnabled({ timeout: 10000 });
await submitBtn.click();
// Verification
await expect(page).toHaveURL(/\/clients\/client-\d+\/settings$/);
await expect(
page.getByRole("heading", { name: /연동 앱 설정|Settings/ }),
).toBeVisible();
});
});

36
baron-sso/devfront/tests/devfront-login.spec.ts Normal file
View File

@@ -0,0 +1,36 @@
import { expect, test } from "@playwright/test";
test.describe("DevFront login", () => {
test("shows a clear error instead of silently failing when PKCE cannot run", async ({
page,
}) => {
let authorizeRequested = false;
await page.route(
"**/oidc/.well-known/openid-configuration",
async (route) => {
await route.fulfill({
json: {
issuer: "http://localhost:5000/oidc",
authorization_endpoint: "http://localhost:5000/oidc/oauth2/auth",
token_endpoint: "http://localhost:5000/oidc/oauth2/token",
jwks_uri: "http://localhost:5000/oidc/.well-known/jwks.json",
},
headers: { "Access-Control-Allow-Origin": "*" },
});
},
);
await page.route("**/oidc/oauth2/auth**", async (route) => {
authorizeRequested = true;
await route.fulfill({
status: 500,
body: "unexpected authorize request",
});
});
await page.goto("/login");
await expect(
page.getByRole("button", { name: "SSO 계정으로 로그인" }),
).toBeVisible();
expect(authorizeRequested).toBe(false);
});
});

145
baron-sso/devfront/tests/devfront-relationships.spec.ts Normal file
View File

@@ -0,0 +1,145 @@
import { expect, test } from "@playwright/test";
import {
type ClientRelation,
type Consent,
installDevApiMock,
makeClient,
seedAuth,
} from "./helpers/devfront-fixtures";
import { captureEvidence } from "./helpers/evidence";
test.describe("DevFront relationships", () => {
test.afterEach(async ({ page }, testInfo) => {
if (testInfo.status === "passed") {
await captureEvidence(page, testInfo, testInfo.title);
}
});
test.beforeEach(async ({ page }) => {
page.on("dialog", async (dialog) => {
await dialog.accept();
});
await seedAuth(page, "rp_admin");
});
test("list add and remove direct RP relationships", async ({ page }) => {
const state = {
clients: [makeClient("client-rel", { name: "Relations app" })],
consents: [] as Consent[],
users: [
{
id: "user-2",
name: "홍길동",
email: "hong@example.com",
loginId: "hong01",
},
],
relations: {
"client-rel": [
{
relation: "admins",
subject: "User:playwright-user",
subjectType: "User",
subjectId: "playwright-user",
userName: "Playwright User",
userEmail: "playwright@example.com",
},
{
relation: "config_editor",
subject: "User:user-1",
subjectType: "User",
subjectId: "user-1",
userName: "기존 사용자",
userEmail: "existing@example.com",
},
] satisfies ClientRelation[],
},
auditLogsByCursor: undefined,
mockRole: "super_admin",
};
await installDevApiMock(page, state);
await page.goto("/clients/client-rel/relationships");
await expect(page.getByText("클라이언트 관계")).toBeVisible();
await expect(
page.getByRole("heading", { name: "관계 추가" }),
).toBeVisible();
await expect(
page.getByRole("heading", { name: "부여된 관계" }),
).toBeVisible();
await expect(page.getByText("기존 사용자")).toBeVisible();
await expect(page.getByText("User:user-1")).toBeVisible();
await page.getByLabel(/^사용자$/).fill("홍길동");
await page.getByRole("button", { name: /홍길동/ }).click();
await page.getByLabel(/시크릿 재발급/).check();
await page.getByLabel(/동의 조회/).check();
await page.getByRole("button", { name: /^추가$/ }).click();
await expect(
page.locator("tr").filter({ hasText: "User:user-2" }).first(),
).toBeVisible();
await expect.poll(() => state.relations["client-rel"]?.length ?? 0).toBe(4);
await page
.locator("tr")
.filter({ hasText: "User:user-2" })
.getByRole("button", { name: /Delete|삭제/i })
.first()
.click();
await expect
.poll(
() =>
state.relations["client-rel"]?.filter(
(item) => item.subject === "User:user-2",
).length ?? 0,
)
.toBe(1);
});
test("super_admin can add RP relationships even when profile role is missing", async ({
page,
}) => {
await seedAuth(page);
await page.addInitScript(() => {
window.localStorage.setItem("dev_role", "super_admin");
});
const state = {
clients: [makeClient("client-rel", { name: "Relations app" })],
consents: [] as Consent[],
users: [
{
id: "user-2",
name: "홍길동",
email: "hong@example.com",
loginId: "hong01",
},
],
relations: {
"client-rel": [
{
relation: "admins",
subject: "User:playwright-user",
subjectType: "User",
subjectId: "playwright-user",
userName: "Playwright User",
userEmail: "playwright@example.com",
},
] satisfies ClientRelation[],
},
auditLogsByCursor: undefined,
};
await installDevApiMock(page, state);
await page.goto("/clients/client-rel/relationships");
await expect(page.getByText("클라이언트 관계")).toBeVisible();
await page.getByLabel(/^사용자$/).fill("홍길동");
await page.getByRole("button", { name: /홍길동/ }).click();
await page.getByLabel(/시크릿 재발급/).check();
await expect(page.getByRole("button", { name: /^추가$/ })).toBeEnabled();
});
});

239
baron-sso/devfront/tests/devfront-role-switch-report.spec.ts Normal file
View File

@@ -0,0 +1,239 @@
import { expect, test } from "@playwright/test";
import {
type AuditLog,
type Consent,
installDevApiMock,
makeClient,
seedAuth,
} from "./helpers/devfront-fixtures";
import { captureEvidence } from "./helpers/evidence";
const appNamePlaceholder = /My Awesome Application|예: 멋진 애플리케이션/i;
test.describe("DevFront role report", () => {
test.beforeEach(async ({ page }) => {
page.on("dialog", async (dialog) => {
await dialog.accept();
});
});
test("user can enter and sees empty RP list", async ({ page }, testInfo) => {
await seedAuth(page, "user");
await installDevApiMock(page, {
clients: [],
consents: [] as Consent[],
auditLogs: [] as AuditLog[],
});
await page.goto("/clients");
await expect(
page.getByText(/조회 가능한 RP가 없습니다|No RPs are available/i),
).toBeVisible();
await expect(
page.getByRole("heading", {
name: /^연동 앱$|^Connected Application$/i,
}),
).toBeVisible();
await captureEvidence(page, testInfo, "role-user-empty-rps");
});
test("user sees developer request entry point on overview", async ({
page,
}, testInfo) => {
await seedAuth(page, "user");
await installDevApiMock(page, {
clients: [],
consents: [] as Consent[],
auditLogs: [] as AuditLog[],
auditLogsByCursor: undefined,
developerRequests: [],
});
await page.goto("/");
await expect(
page.getByText(
/대시보드는 개발자 권한이 있어야 볼 수 있습니다|개발자 권한 신청을 검토 중입니다./,
),
).toBeVisible();
const requestBtn = page.getByRole("button", {
name: /개발자 권한 신청/,
});
await expect(requestBtn).toBeVisible();
await requestBtn.click();
await expect(page).toHaveURL(/\/developer-requests$/);
await captureEvidence(page, testInfo, "role-user-overview-request-entry");
});
test("user with approved developer request sees overview without CTA", async ({
page,
}, testInfo) => {
await seedAuth(page, "user");
await installDevApiMock(page, {
clients: [],
consents: [] as Consent[],
auditLogs: [] as AuditLog[],
auditLogsByCursor: undefined,
developerRequests: [
{
id: "req-approved",
userId: "playwright-user",
userName: "Playwright User",
name: "Playwright User",
userEmail: "playwright@example.com",
organization: "Tenant A",
reason: "Need access",
status: "approved",
createdAt: "2026-05-29T00:00:00.000Z",
updatedAt: "2026-05-29T00:00:00.000Z",
approvedAt: "2026-05-29T00:10:00.000Z",
},
],
});
await page.goto("/");
await expect(
page.getByRole("heading", { name: /운영 현황/ }),
).toBeVisible();
await expect(
page.getByRole("button", { name: /개발자 권한 신청/ }),
).toHaveCount(0);
await captureEvidence(page, testInfo, "role-user-overview-approved");
});
test("rp_admin sees only assigned Gitea app and its logs", async ({
page,
}, testInfo) => {
await seedAuth(page, "rp_admin");
const state = {
clients: [makeClient("gitea-client", { name: "Gitea" })],
consents: [] as Consent[],
auditLogs: [
{
event_id: "evt-rp-1",
timestamp: "2026-03-04T01:00:00.000Z",
user_id: "rp-admin-user",
event_type: "CLIENT_UPDATE",
status: "success" as const,
ip_address: "127.0.0.1",
user_agent: "playwright",
details: JSON.stringify({
action: "UPDATE_CLIENT",
target_id: "gitea-client",
tenant_id: "tenant-a",
}),
},
] as AuditLog[],
};
await installDevApiMock(page, state);
await page.goto("/clients");
await expect(
page.getByRole("link", { name: "Gitea", exact: true }),
).toBeVisible();
await expect(
page.getByRole("cell", { name: "gitea-client" }),
).toBeVisible();
await captureEvidence(page, testInfo, "role-rp-admin-clients");
await page.goto("/audit-logs");
await expect(page.getByText("UPDATE_CLIENT")).toBeVisible();
await expect(page.getByText("gitea-client")).toBeVisible();
await captureEvidence(page, testInfo, "role-rp-admin-audit");
});
test("tenant_admin can manage tenant apps and see tenant logs", async ({
page,
}, testInfo) => {
await seedAuth(page, "tenant_admin");
const state = {
clients: [
makeClient("tenant-a-app-1", { name: "Tenant A CRM" }),
makeClient("tenant-a-app-2", { name: "Tenant A ERP" }),
],
consents: [] as Consent[],
auditLogs: [] as AuditLog[],
auditLogsByCursor: undefined,
};
await installDevApiMock(page, state);
await page.goto("/clients");
await expect(page.getByText("Tenant A CRM")).toBeVisible();
await expect(page.getByText("Tenant A ERP")).toBeVisible();
await captureEvidence(page, testInfo, "role-tenant-admin-clients");
await page.goto("/clients/tenant-a-app-1/settings");
await page
.getByPlaceholder(appNamePlaceholder)
.fill("Tenant A CRM Updated");
const updatePromise = page.waitForResponse(
(r) =>
r.url().includes("/api/v1/dev/clients") &&
r.request().method() === "PUT",
);
await page.getByRole("button", { name: /^저장$|^Save$/i }).click();
await updatePromise;
await page.goto("/audit-logs");
await expect(page.getByText("UPDATE_CLIENT")).toBeVisible({
timeout: 30000,
});
await expect(page.getByText("tenant-a-app-1")).toBeVisible();
await captureEvidence(page, testInfo, "role-tenant-admin-audit");
});
test("super_admin sees all and can generate log entries", async ({
page,
}, testInfo) => {
await seedAuth(page, "super_admin");
const state = {
clients: [
makeClient("tenant-a-app", { name: "Tenant A App" }),
makeClient("tenant-b-app", { name: "Tenant B App" }),
],
consents: [] as Consent[],
auditLogs: [] as AuditLog[],
auditLogsByCursor: undefined,
};
await installDevApiMock(page, state);
await page.goto("/clients");
await expect(page.getByText("Tenant A App")).toBeVisible();
await expect(page.getByText("Tenant B App")).toBeVisible();
await captureEvidence(page, testInfo, "role-super-admin-clients");
await page.goto("/clients/new");
await page
.getByPlaceholder(appNamePlaceholder)
.fill("Super Admin Created App");
await page
.getByPlaceholder(/https:\/\/app\.example\.com\/callback/i)
.fill("https://super-admin.example.com/callback");
const createPromise = page.waitForResponse(
(r) =>
r.url().includes("/api/v1/dev/clients") &&
r.request().method() === "POST",
);
await page.getByRole("button", { name: /앱 생성|Create/i }).click();
await createPromise;
await expect(page).toHaveURL(/\/clients\/client-\d+\/settings$/);
await expect
.poll(() =>
state.auditLogs.some((item) => {
try {
return JSON.parse(item.details)?.action === "CREATE_CLIENT";
} catch {
return false;
}
}),
)
.toBe(true);
await page.goto("/audit-logs");
await expect(page.getByText("CREATE_CLIENT")).toBeVisible({
timeout: 30000,
});
await captureEvidence(page, testInfo, "role-super-admin-audit");
});
});

222
baron-sso/devfront/tests/devfront-security.spec.ts Normal file
View File

@@ -0,0 +1,222 @@
import { expect, test } from "@playwright/test";
import {
type Consent,
installDevApiMock,
makeClient,
seedAuth,
} from "./helpers/devfront-fixtures";
import { captureEvidence } from "./helpers/evidence";
test.describe("DevFront security and isolation", () => {
test.afterEach(async ({ page }, testInfo) => {
if (testInfo.status === "passed") {
await captureEvidence(page, testInfo, testInfo.title);
}
});
test.beforeEach(async ({ page }) => {
page.on("dialog", async (dialog) => {
await dialog.accept();
});
await seedAuth(page);
});
test("tenant isolation: forbidden client shows blocked error", async ({
page,
}) => {
const state = {
clients: [makeClient("tenant-a-client", { name: "Tenant A app" })],
consents: [] as Consent[],
auditLogsByCursor: undefined,
};
await installDevApiMock(page, state);
await page.goto("/clients/tenant-b-client");
await expect(
page.getByText(
/Error loading (app|client)|앱 정보를 불러오지 못했습니다|클라이언트 정보를 불러오지 못했습니다/i,
),
).toBeVisible();
});
test("RBAC: user without manage_all permission should not see private apps", async ({
page,
}) => {
const state = {
clients: [
makeClient("pkce-client", {
name: "PKCE only app",
type: "pkce",
}),
],
consents: [] as Consent[],
auditLogsByCursor: undefined,
};
await installDevApiMock(page, state);
await page.goto("/clients");
await expect(page.getByText("PKCE only app")).toBeVisible();
await expect(page.getByText("Server side App")).not.toBeVisible();
});
test("tenant_member user can enter DevFront and sees empty RP list", async ({
page,
}) => {
await seedAuth(page, "tenant_member");
const state = {
clients: [] as ReturnType<typeof makeClient>[],
consents: [] as Consent[],
auditLogsByCursor: undefined,
};
await installDevApiMock(page, state);
await page.goto("/clients");
await expect(page).toHaveURL(/\/clients$/);
await expect(
page.getByText(/조회 가능한 RP가 없습니다|No RPs are available/i),
).toBeVisible();
await expect(
page.getByRole("button", { name: /연동 앱 추가|새 클라이언트|Create/i }),
).not.toBeVisible();
});
test("rp_admin receives 403 on clients list and sees ForbiddenMessage", async ({
page,
}) => {
await seedAuth(page, "rp_admin");
const state = {
clients: [] as ReturnType<typeof makeClient>[],
consents: [] as Consent[],
auditLogsByCursor: undefined,
};
await installDevApiMock(page, state);
await page.route("**/api/v1/dev/clients", async (route) => {
if (route.request().method() === "GET") {
return route.fulfill({
status: 403,
contentType: "application/json",
body: '{"error": "forbidden"}',
});
}
return route.fallback();
});
await page.goto("/clients");
await expect(
page.getByText(/RP 관리자는|RP administrators can only access/i),
).toBeVisible();
});
test("tenant_admin receives 403 on audit logs and sees ForbiddenMessage", async ({
page,
}) => {
await seedAuth(page, "tenant_admin");
const state = {
clients: [] as ReturnType<typeof makeClient>[],
consents: [] as Consent[],
auditLogsByCursor: undefined,
};
await installDevApiMock(page, state);
await page.route("**/api/v1/dev/audit-logs*", async (route) => {
if (route.request().method() === "GET") {
return route.fulfill({
status: 403,
contentType: "application/json",
body: '{"error": "forbidden"}',
});
}
return route.fallback();
});
await page.goto("/audit-logs");
await expect(
page.getByText(/테넌트 관리자 권한|Tenant administrator permissions/i),
).toBeVisible();
});
test("user sees audit log access CTA when access is blocked", async ({
page,
}, testInfo) => {
await seedAuth(page, "user");
const state = {
clients: [] as ReturnType<typeof makeClient>[],
consents: [] as Consent[],
auditLogsByCursor: undefined,
developerRequests: [],
};
await installDevApiMock(page, state);
await page.goto("/audit-logs");
await expect(
page.getByRole("heading", { name: /감사 로그|Audit Logs/ }),
).toBeVisible();
await expect(
page.getByText(
/감사 로그는 개발자 권한이 있어야 볼 수 있습니다|Audit logs are available only to users with developer access/i,
),
).toBeVisible();
const requestBtn = page.getByRole("button", {
name: /개발자 권한 신청/,
});
await expect(requestBtn).toBeVisible();
await requestBtn.click();
await expect(page).toHaveURL(/\/developer-requests$/);
await captureEvidence(page, testInfo, "security-user-audit-request-entry");
});
test("user with approved developer request can enter audit logs without CTA", async ({
page,
}, testInfo) => {
await seedAuth(page, "user");
const state = {
clients: [] as ReturnType<typeof makeClient>[],
consents: [] as Consent[],
auditLogs: [
{
event_id: "evt-audit-1",
timestamp: "2026-05-29T00:00:00.000Z",
user_id: "playwright-user",
event_type: "CLIENT_UPDATE",
status: "success" as const,
ip_address: "127.0.0.1",
user_agent: "playwright",
details: JSON.stringify({
action: "UPDATE_CLIENT",
target_id: "tenant-a-client",
tenant_id: "tenant-a",
}),
},
],
auditLogsByCursor: undefined,
developerRequests: [
{
id: "req-approved",
userId: "playwright-user",
userName: "Playwright User",
name: "Playwright User",
userEmail: "playwright@example.com",
organization: "Tenant A",
reason: "Need access",
status: "approved",
createdAt: "2026-05-29T00:00:00.000Z",
updatedAt: "2026-05-29T00:10:00.000Z",
approvedAt: "2026-05-29T00:10:00.000Z",
},
],
};
await installDevApiMock(page, state);
await page.goto("/audit-logs");
await expect(page.getByText("UPDATE_CLIENT")).toBeVisible();
await expect(
page.getByRole("button", { name: /개발자 권한 신청/ }),
).toHaveCount(0);
await captureEvidence(page, testInfo, "security-user-audit-approved");
});
});

123
baron-sso/devfront/tests/devfront-tenant-switch.spec.ts Normal file
View File

@@ -0,0 +1,123 @@
import { expect, test } from "@playwright/test";
import {
installDevApiMock,
makeClient,
seedAuth,
} from "./helpers/devfront-fixtures";
import { captureEvidence } from "./helpers/evidence";
test.describe("DevFront tenant switch", () => {
test.afterEach(async ({ page }, testInfo) => {
if (testInfo.status === "passed") {
await captureEvidence(page, testInfo, testInfo.title);
}
});
const MOCK_STATE = {
clients: [makeClient("client-a", { name: "Tenant A App" })],
consents: [],
auditLogs: [],
};
test.beforeEach(async ({ page }) => {
await page.route("**/api/v1/user/me", async (route) => {
if (route.request().method() === "GET") {
await route.fulfill({
status: 200,
contentType: "application/json",
body: JSON.stringify({
id: "playwright-user",
email: "playwright@example.com",
name: "Playwright User",
role: "tenant_admin",
tenantId: "tenant-a",
}),
});
} else {
await route.continue();
}
});
});
test("multiple tenants: user can switch tenant context", async ({ page }) => {
// Seed an admin user
await seedAuth(page, "tenant_admin");
await installDevApiMock(page, MOCK_STATE);
// Mock API to return multiple tenants
await page.route("**/api/v1/dev/my-tenants", async (route) => {
await route.fulfill({
status: 200,
contentType: "application/json",
body: JSON.stringify([
{ id: "tenant-a", name: "Tenant A", slug: "tenant-a" },
{ id: "tenant-b", name: "Tenant B", slug: "tenant-b" },
]),
});
});
// Navigate to profile page
await page.goto("/profile");
// Wait for the switcher to load
const switcherHeading = page.getByText("작업 테넌트 (컨텍스트)");
await expect(switcherHeading).toBeVisible();
// Verify initial state is selected (tenant-a comes from seedAuth)
const select = page.getByRole("combobox", { name: /테넌트/i });
await expect(select).toHaveValue("tenant-a");
// Change to Tenant B
await select.selectOption("tenant-b");
// Click Save
await page.getByRole("button", { name: /저장|Save/i }).click();
// Verify success toast
await expect(page.getByText("테넌트 전환 완료").first()).toBeVisible();
// Verify localStorage was updated
const savedTenantId = await page.evaluate(() =>
window.localStorage.getItem("dev_tenant_id"),
);
expect(savedTenantId).toBe("tenant-b");
});
test("single tenant: switcher is disabled with a notice", async ({
page,
}) => {
await seedAuth(page, "tenant_admin");
// Mock API to return only ONE tenant
await page.route("**/api/v1/dev/my-tenants", async (route) => {
await route.fulfill({
status: 200,
contentType: "application/json",
body: JSON.stringify([
{ id: "tenant-a", name: "Tenant A", slug: "tenant-a" },
]),
});
});
await installDevApiMock(page, MOCK_STATE);
await page.goto("/profile");
// Wait for the switcher to load
await expect(page.getByText("작업 테넌트 (컨텍스트)")).toBeVisible();
// Verify the select is disabled
const select = page.getByRole("combobox", { name: /테넌트/i });
await expect(select).toBeDisabled();
// Verify the save button is disabled
const saveButton = page.getByRole("button", { name: /저장|Save/i });
await expect(saveButton).toBeDisabled();
// Verify the notice message
await expect(
page.getByText("단일 테넌트에 소속되어 전환할 필요가 없습니다."),
).toBeVisible();
});
});

15
baron-sso/devfront/tests/example.spec.ts Normal file
View File

@@ -0,0 +1,15 @@
import { expect, test } from "@playwright/test";
import { captureEvidence } from "./helpers/evidence";
test.afterEach(async ({ page }, testInfo) => {
if (testInfo.status === "passed") {
await captureEvidence(page, testInfo, testInfo.title);
}
});
test("has title", async ({ page }) => {
await page.goto("/");
// Expect a title "to contain" a substring.
await expect(page).toHaveTitle(/바론 개발자 서비스/);
});

833
baron-sso/devfront/tests/helpers/devfront-fixtures.ts Normal file
View File

@@ -0,0 +1,833 @@
import type { Page, Route } from "@playwright/test";
export type ClientStatus = "active" | "inactive";
export type ClientType = "private" | "pkce";
export type Client = {
id: string;
name: string;
type: ClientType;
status: ClientStatus;
redirectUris: string[];
scopes: string[];
createdAt: string;
clientSecret?: string;
tokenEndpointAuthMethod?: string;
jwksUri?: string;
jwks?: Record<string, unknown> | string;
headlessJwksCache?: {
clientId: string;
jwksUri: string;
cachedAt: string;
expiresAt: string;
lastCheckedAt?: string;
lastSuccessfulVerificationAt?: string;
lastRefreshStatus?: "success" | "failure" | "pending";
lastError?: string;
consecutiveFailures?: number;
cachedKids?: string[];
etag?: string;
lastModified?: string;
parsedKeys?: Array<{
kid?: string;
kty?: string;
use?: string;
alg?: string;
n?: string;
}>;
};
metadata?: Record<string, unknown>;
};
export type Consent = {
subject: string;
userName: string;
clientId: string;
clientName: string;
grantedScopes: string[];
authenticatedAt?: string;
createdAt: string;
deletedAt?: string;
status: "active" | "revoked";
tenantId: string;
tenantName: string;
rpMetadata?: Record<string, unknown>;
};
export type DeveloperRequestStatus = "pending" | "approved" | "rejected";
export type DeveloperRequest = {
id: string;
userId: string;
userName: string;
name?: string; // 추가
userEmail: string;
organization: string;
reason: string;
status: DeveloperRequestStatus;
createdAt: string;
updatedAt: string;
approvedAt?: string;
rejectedAt?: string;
comment?: string;
adminNotes?: string; // 추가
};
export type ClientRelation = {
relation: string;
subject: string;
subjectType: string;
subjectId: string;
userName?: string;
userEmail?: string;
userLoginId?: string;
};
export type DevAssignableUser = {
id: string;
name: string;
email: string;
loginId?: string;
};
export type DevTenantSummary = {
id: string;
name: string;
slug: string;
description?: string;
type?: string;
};
export type AuditLog = {
event_id: string;
timestamp: string;
user_id: string;
event_type: string;
status: "success" | "failure";
ip_address: string;
user_agent: string;
details: string;
};
export type DevApiMockState = {
clients: Client[];
consents: Consent[];
developerRequests?: DeveloperRequest[];
relations?: Record<string, ClientRelation[]>;
users?: DevAssignableUser[];
tenants?: DevTenantSummary[];
auditLogsByCursor?: Record<
string,
{ items: AuditLog[]; next_cursor?: string }
>;
auditLogs?: AuditLog[];
onUpdateStatus?: (status: ClientStatus) => void;
onRotateSecret?: (newSecret: string) => void;
onRefreshHeadlessJwks?: (clientId: string) => void;
onRevokeHeadlessJwksCache?: (clientId: string) => void;
mockRole?: string;
};
const seededRoles = new WeakMap<Page, string>();
export function makeClient(
id: string,
overrides: Partial<Client> = {},
): Client {
return {
id,
name: `${id} app`,
type: "private",
status: "active",
redirectUris: [`https://${id}.example.com/callback`],
scopes: ["openid", "profile", "email"],
createdAt: "2026-03-03T00:00:00.000Z",
clientSecret: `${id}-secret`,
metadata: {},
...overrides,
};
}
export async function seedAuth(page: Page, role?: string) {
const nowInSeconds = Math.floor(Date.now() / 1000);
seededRoles.set(page, role || "rp_admin");
await page.addInitScript(
({ issuedAt, injectedRole }) => {
(
window as Window & typeof globalThis & { _IS_TEST_MODE?: boolean }
)._IS_TEST_MODE = true;
const mockOidcUser = {
id_token: "playwright-id-token",
session_state: "playwright-session",
access_token: "playwright-access-token",
refresh_token: "playwright-refresh-token",
token_type: "Bearer",
scope: "openid profile email",
profile: {
sub: "playwright-user",
email: "playwright@example.com",
name: "Playwright User",
...(injectedRole ? { role: injectedRole } : {}),
},
expires_at: issuedAt + 3600,
};
const storageKeys = [
"user:http://localhost:5000/oidc:devfront",
"user:http://localhost:5000/oidc/:devfront",
"user:https://sso.example.test/oidc:devfront",
"user:https://sso.example.test/oidc/:devfront",
"oidc.user:http://localhost:5000/oidc:devfront",
"oidc.user:http://localhost:5000/oidc/:devfront",
"oidc.user:https://sso.example.test/oidc:devfront",
"oidc.user:https://sso.example.test/oidc/:devfront",
];
for (const key of storageKeys) {
window.localStorage.setItem(key, JSON.stringify(mockOidcUser));
window.sessionStorage.setItem(key, JSON.stringify(mockOidcUser));
}
window.localStorage.setItem("dev_role", injectedRole || "rp_admin");
window.localStorage.setItem("dev_tenant_id", "tenant-a");
},
{ issuedAt: nowInSeconds, injectedRole: role ?? "" },
);
await page.route("**/oidc/**", async (route) => {
const url = route.request().url();
if (url.includes(".well-known/openid-configuration")) {
await route.fulfill({
json: {
issuer: "http://localhost:5000/oidc",
authorization_endpoint: "http://localhost:5000/oidc/auth",
token_endpoint: "http://localhost:5000/oidc/token",
jwks_uri: "http://localhost:5000/oidc/jwks",
userinfo_endpoint: "http://localhost:5000/oidc/userinfo",
end_session_endpoint: "http://localhost:5000/oidc/session/end",
},
headers: { "Access-Control-Allow-Origin": "*" },
});
} else if (url.includes("/jwks")) {
await route.fulfill({
json: { keys: [] },
headers: { "Access-Control-Allow-Origin": "*" },
});
} else {
await route.fulfill({
status: 200,
body: "ok",
headers: { "Access-Control-Allow-Origin": "*" },
});
}
});
}
function json(route: Route, payload: unknown, status = 200) {
return route.fulfill({
status,
contentType: "application/json",
body: JSON.stringify(payload),
});
}
function parseClientId(pathname: string): string {
const parts = pathname.split("/").filter(Boolean);
return parts[parts.length - 1] ?? "";
}
export async function installDevApiMock(page: Page, state: DevApiMockState) {
const readMockRole = () =>
(state.mockRole ?? seededRoles.get(page) ?? "rp_admin").trim();
const buildSelfConfigEditorRelation = (): ClientRelation => ({
relation: "config_editor",
subject: "User:playwright-user",
subjectType: "User",
subjectId: "playwright-user",
userName: "Playwright User",
userEmail: "playwright@example.com",
userLoginId: "playwright@example.com",
});
const shouldGrantDefaultEditRelation = (role: string) =>
role === "rp_admin" || role === "tenant_admin" || role === "super_admin";
const resolveClientRelations = async (clientId: string) => {
const explicitRelations = state.relations?.[clientId];
if (explicitRelations) {
return explicitRelations;
}
const role = readMockRole();
if (!shouldGrantDefaultEditRelation(role)) {
return [];
}
return [buildSelfConfigEditorRelation()];
};
const appendAuditLog = (
eventType: string,
action: string,
targetId: string,
status: "success" | "failure" = "success",
) => {
if (!state.auditLogs) return;
state.auditLogs.unshift({
event_id: `evt-${Date.now()}-${Math.random().toString(16).slice(2, 8)}`,
timestamp: new Date().toISOString(),
user_id: "playwright-user",
event_type: eventType,
status,
ip_address: "127.0.0.1",
user_agent: "playwright",
details: JSON.stringify({
action,
target_id: targetId,
tenant_id: "tenant-a",
}),
});
};
await page.route("**/api/v1/user/me", async (route) => {
const storedRole = readMockRole();
return json(route, {
id: "playwright-user",
loginId: "playwright@example.com",
email: "playwright@example.com",
name: "Playwright User",
phoneNumber: "",
department: "QA",
tenantId: "tenant-a",
tenantName: "Tenant A",
role: storedRole,
createdAt: "2026-03-03T00:00:00.000Z",
updatedAt: "2026-03-03T00:00:00.000Z",
});
});
await page.route("**/api/v1/dev/**", async (route) => {
const request = route.request();
const url = new URL(request.url());
const { pathname, searchParams } = url;
const method = request.method();
if (
(pathname === "/api/v1/dev/requests" ||
pathname === "/api/v1/dev/developer-request/list") &&
method === "GET"
) {
return json(route, state.developerRequests ?? []);
}
if (
(pathname === "/api/v1/dev/requests" ||
pathname === "/api/v1/dev/developer-request") &&
method === "POST"
) {
const payload =
(request.postDataJSON() as {
name?: string;
organization?: string;
reason?: string;
}) || {};
const created: DeveloperRequest = {
id: `req-${Date.now()}`,
userId: "playwright-user",
userName: payload.name ?? "Playwright User",
name: payload.name ?? "Playwright User",
userEmail: "playwright@example.com",
organization: payload.organization ?? "Unknown",
reason: payload.reason ?? "No reason",
status: "pending",
createdAt: new Date().toISOString(),
updatedAt: new Date().toISOString(),
};
if (!state.developerRequests) {
state.developerRequests = [];
}
state.developerRequests.push(created);
return json(route, created, 201);
}
if (
(pathname === "/api/v1/dev/requests/status" ||
pathname === "/api/v1/dev/developer-request/status") &&
method === "GET"
) {
const myRequest = (state.developerRequests ?? []).find(
(r) => r.userId === "playwright-user",
);
return json(route, myRequest || null);
}
if (
(pathname.startsWith("/api/v1/dev/requests/") ||
pathname.startsWith("/api/v1/dev/developer-request/")) &&
pathname.endsWith("/approve") &&
method === "POST"
) {
const reqId = pathname.split("/")[5] ?? pathname.split("/")[4] ?? "";
const found = state.developerRequests?.find((r) => r.id === reqId);
if (!found) return json(route, { error: "not found" }, 404);
found.status = "approved";
found.approvedAt = new Date().toISOString();
return json(route, found);
}
if (
(pathname.startsWith("/api/v1/dev/requests/") ||
pathname.startsWith("/api/v1/dev/developer-request/")) &&
pathname.endsWith("/reject") &&
method === "POST"
) {
const reqId = pathname.split("/")[5] ?? pathname.split("/")[4] ?? "";
const found = state.developerRequests?.find((r) => r.id === reqId);
if (!found) return json(route, { error: "not found" }, 404);
found.status = "rejected";
found.rejectedAt = new Date().toISOString();
return json(route, found);
}
if (
(pathname.startsWith("/api/v1/dev/requests/") ||
pathname.startsWith("/api/v1/dev/developer-request/")) &&
(pathname.endsWith("/cancel") || pathname.endsWith("/cancel-approval")) &&
method === "POST"
) {
const reqId = pathname.split("/")[5] ?? pathname.split("/")[4] ?? "";
const found = state.developerRequests?.find((r) => r.id === reqId);
if (!found) return json(route, { error: "not found" }, 404);
found.status = "pending";
found.approvedAt = undefined;
return json(route, found);
}
if (pathname === "/api/v1/dev/my-tenants" && method === "GET") {
return json(
route,
state.tenants ?? [
{ id: "tenant-a", name: "Tenant A", slug: "tenant-a" },
],
);
}
if (pathname === "/api/v1/dev/stats" && method === "GET") {
const total = state.clients.length;
return json(route, {
total_clients: total,
active_sessions: Math.max(1, total),
auth_failures_24h: 0,
});
}
if (pathname === "/api/v1/dev/rp-usage/daily" && method === "GET") {
return json(route, {
items: [],
days: Number.parseInt(searchParams.get("days") || "14", 10),
period:
(searchParams.get("period") as "day" | "week" | "month") || "day",
});
}
if (pathname === "/api/v1/dev/clients" && method === "GET") {
return json(route, {
items: state.clients.map((client) => ({
id: client.id,
name: client.name,
type: client.type,
status: client.status,
createdAt: client.createdAt,
redirectUris: client.redirectUris,
scopes: client.scopes,
})),
limit: 50,
offset: 0,
});
}
if (pathname === "/api/v1/dev/users" && method === "GET") {
const search = (searchParams.get("search") || "").toLowerCase();
const limit = Number.parseInt(searchParams.get("limit") || "10", 10);
const items = (state.users ?? [])
.filter((user) => {
if (!search) return true;
return [user.name, user.email, user.loginId ?? ""].some((value) =>
value.toLowerCase().includes(search),
);
})
.slice(0, Number.isFinite(limit) ? limit : 10);
return json(route, { items });
}
if (pathname === "/api/v1/dev/clients" && method === "POST") {
const payload = (request.postDataJSON() as {
name?: string;
type?: ClientType;
status?: ClientStatus;
redirectUris?: string[];
scopes?: string[];
tokenEndpointAuthMethod?: string;
jwksUri?: string;
jwks?: Record<string, unknown> | string;
metadata?: Record<string, unknown>;
}) || { name: "created app" };
const created = makeClient(`client-${state.clients.length + 1}`, {
name: payload.name ?? "created app",
type: payload.type ?? "private",
status: payload.status ?? "active",
redirectUris: payload.redirectUris ?? [],
scopes: payload.scopes ?? ["openid"],
tokenEndpointAuthMethod: payload.tokenEndpointAuthMethod,
jwksUri: payload.jwksUri,
jwks: payload.jwks,
metadata: payload.metadata ?? {},
});
state.clients.push(created);
if (!state.relations) {
state.relations = {};
}
state.relations[created.id] = [buildSelfConfigEditorRelation()];
appendAuditLog("CLIENT_CREATE", "CREATE_CLIENT", created.id);
return json(route, {
client: created,
endpoints: {
discovery: "https://issuer/.well-known/openid-configuration",
issuer: "https://issuer",
authorization: "https://issuer/oauth2/auth",
token: "https://issuer/oauth2/token",
userinfo: "https://issuer/userinfo",
},
});
}
if (
pathname.startsWith("/api/v1/dev/clients/") &&
pathname.endsWith("/relations") &&
method === "GET"
) {
const clientId = pathname.split("/")[5] ?? "";
return json(route, {
items: await resolveClientRelations(clientId),
});
}
if (
pathname.startsWith("/api/v1/dev/clients/") &&
pathname.endsWith("/relations") &&
method === "POST"
) {
const clientId = pathname.split("/")[5] ?? "";
const payload = (request.postDataJSON() as {
relation?: string;
subject?: string;
userId?: string;
}) || { relation: "config_editor" };
const subject =
payload.subject ||
(payload.userId ? `User:${payload.userId}` : "User:playwright-user");
const subjectId = subject.startsWith("User:")
? subject.slice("User:".length)
: subject;
const created: ClientRelation = {
relation: payload.relation ?? "config_editor",
subject,
subjectType: "User",
subjectId,
};
if (!state.relations) {
state.relations = {};
}
if (!state.relations[clientId]) {
state.relations[clientId] = [];
}
state.relations[clientId].push(created);
appendAuditLog("CLIENT_RELATION_CREATE", "ADD_RELATION", clientId);
return json(route, created, 201);
}
if (
pathname.startsWith("/api/v1/dev/clients/") &&
pathname.endsWith("/relations") &&
method === "DELETE"
) {
const clientId = pathname.split("/")[5] ?? "";
const relation = searchParams.get("relation") || "";
const subject = searchParams.get("subject") || "";
if (state.relations?.[clientId]) {
state.relations[clientId] = state.relations[clientId].filter(
(item) => !(item.relation === relation && item.subject === subject),
);
}
appendAuditLog("CLIENT_RELATION_DELETE", "REMOVE_RELATION", clientId);
return route.fulfill({ status: 204 });
}
if (
pathname.startsWith("/api/v1/dev/clients/") &&
pathname.endsWith("/status") &&
method === "PATCH"
) {
const clientId = pathname.split("/")[5] ?? "";
const payload = request.postDataJSON() as { status: ClientStatus };
const found = state.clients.find((client) => client.id === clientId);
if (!found) return json(route, { error: "not found" }, 404);
found.status = payload.status;
appendAuditLog("CLIENT_UPDATE_STATUS", "UPDATE_CLIENT_STATUS", clientId);
state.onUpdateStatus?.(payload.status);
return json(route, {
client: found,
endpoints: {
discovery: "https://issuer/.well-known/openid-configuration",
issuer: "https://issuer",
authorization: "https://issuer/oauth2/auth",
token: "https://issuer/oauth2/token",
userinfo: "https://issuer/userinfo",
},
});
}
if (
pathname.startsWith("/api/v1/dev/clients/") &&
pathname.endsWith("/secret/rotate") &&
method === "POST"
) {
const clientId = pathname.split("/")[5] ?? "";
const found = state.clients.find((client) => client.id === clientId);
if (!found) return json(route, { error: "not found" }, 404);
found.clientSecret = `${clientId}-rotated-secret`;
appendAuditLog("CLIENT_ROTATE_SECRET", "ROTATE_SECRET", clientId);
state.onRotateSecret?.(found.clientSecret);
return json(route, {
client: found,
endpoints: {
discovery: "https://issuer/.well-known/openid-configuration",
issuer: "https://issuer",
authorization: "https://issuer/oauth2/auth",
token: "https://issuer/oauth2/token",
userinfo: "https://issuer/userinfo",
},
});
}
if (
pathname.startsWith("/api/v1/dev/clients/") &&
pathname.includes("/users/") &&
pathname.endsWith("/metadata") &&
method === "GET"
) {
const parts = pathname.split("/").filter(Boolean);
const clientId = parts[4] ?? "";
const userId = parts[6] ?? "";
const target = state.consents.find(
(row) => row.clientId === clientId && row.subject === userId,
);
return json(route, {
clientId,
userId,
metadata: target?.rpMetadata ?? {},
});
}
if (
pathname.startsWith("/api/v1/dev/clients/") &&
pathname.includes("/users/") &&
pathname.endsWith("/metadata") &&
method === "PUT"
) {
const parts = pathname.split("/").filter(Boolean);
const clientId = parts[4] ?? "";
const userId = parts[6] ?? "";
const payload = (request.postDataJSON() as {
metadata?: Record<string, unknown>;
}) || { metadata: {} };
const target = state.consents.find(
(row) => row.clientId === clientId && row.subject === userId,
);
if (target) {
target.rpMetadata = payload.metadata ?? {};
}
return json(route, {
clientId,
userId,
metadata: payload.metadata ?? {},
});
}
if (pathname.startsWith("/api/v1/dev/clients/") && method === "PUT") {
const clientId = parseClientId(pathname);
const payload = (request.postDataJSON() as {
name?: string;
type?: ClientType;
scopes?: string[];
redirectUris?: string[];
tokenEndpointAuthMethod?: string;
jwksUri?: string;
jwks?: Record<string, unknown> | string;
metadata?: Record<string, unknown>;
}) || { name: "updated app" };
const found = state.clients.find((client) => client.id === clientId);
if (!found) return json(route, { error: "not found" }, 404);
if (payload.name) found.name = payload.name;
if (payload.type) found.type = payload.type;
if (payload.scopes) found.scopes = payload.scopes;
if (payload.redirectUris) found.redirectUris = payload.redirectUris;
if (payload.tokenEndpointAuthMethod !== undefined) {
found.tokenEndpointAuthMethod = payload.tokenEndpointAuthMethod;
}
if (payload.jwksUri !== undefined) {
found.jwksUri = payload.jwksUri;
}
if (payload.jwks !== undefined) {
found.jwks = payload.jwks;
}
if (payload.metadata) found.metadata = payload.metadata;
appendAuditLog("CLIENT_UPDATE", "UPDATE_CLIENT", clientId);
return json(route, {
client: found,
endpoints: {
discovery: "https://issuer/.well-known/openid-configuration",
issuer: "https://issuer",
authorization: "https://issuer/oauth2/auth",
token: "https://issuer/oauth2/token",
userinfo: "https://issuer/userinfo",
},
});
}
if (pathname.startsWith("/api/v1/dev/clients/") && method === "GET") {
const clientId = parseClientId(pathname);
const found = state.clients.find((client) => client.id === clientId);
if (!found) return json(route, { error: "forbidden" }, 403);
return json(route, {
client: found,
endpoints: {
discovery: "https://issuer/.well-known/openid-configuration",
issuer: "https://issuer",
authorization: "https://issuer/oauth2/auth",
token: "https://issuer/oauth2/token",
userinfo: "https://issuer/userinfo",
},
headlessJwksCache: found.headlessJwksCache,
});
}
if (
pathname.startsWith("/api/v1/dev/clients/") &&
pathname.endsWith("/headless-jwks/cache") &&
method === "DELETE"
) {
const clientId = pathname.split("/")[5] ?? "";
const found = state.clients.find((client) => client.id === clientId);
if (!found) return json(route, { error: "not found" }, 404);
found.headlessJwksCache = undefined;
state.onRevokeHeadlessJwksCache?.(clientId);
return route.fulfill({ status: 204 });
}
if (
pathname.startsWith("/api/v1/dev/clients/") &&
pathname.endsWith("/headless-jwks/refresh") &&
method === "POST"
) {
const clientId = pathname.split("/")[5] ?? "";
const found = state.clients.find((client) => client.id === clientId);
if (!found) return json(route, { error: "not found" }, 404);
state.onRefreshHeadlessJwks?.(clientId);
return json(route, {
client: found,
endpoints: {
discovery: "https://issuer/.well-known/openid-configuration",
issuer: "https://issuer",
authorization: "https://issuer/oauth2/auth",
token: "https://issuer/oauth2/token",
userinfo: "https://issuer/userinfo",
},
headlessJwksCache: found.headlessJwksCache,
});
}
if (
pathname.startsWith("/api/v1/dev/clients/") &&
!pathname.endsWith("/headless-jwks/cache") &&
method === "DELETE"
) {
const clientId = parseClientId(pathname);
state.clients = state.clients.filter((client) => client.id !== clientId);
appendAuditLog("CLIENT_DELETE", "DELETE_CLIENT", clientId);
return route.fulfill({ status: 204 });
}
if (pathname === "/api/v1/dev/consents" && method === "GET") {
const subject = searchParams.get("subject") || "";
const clientId = searchParams.get("client_id") || "";
const status = searchParams.get("status") || "";
const items = state.consents.filter((row) => {
const matchesSubject =
!subject ||
row.subject.includes(subject) ||
row.userName.includes(subject);
const matchesClientId = !clientId || row.clientId === clientId;
const matchesStatus = !status || row.status === status;
return matchesSubject && matchesClientId && matchesStatus;
});
return json(route, { items });
}
if (pathname === "/api/v1/dev/consents" && method === "DELETE") {
const subject = searchParams.get("subject") || "";
const clientId = searchParams.get("client_id") || "";
const target = state.consents.find(
(row) => row.subject === subject && row.clientId === clientId,
);
if (target) {
target.status = "revoked";
target.deletedAt = "2026-03-03T10:00:00.000Z";
}
return route.fulfill({ status: 204 });
}
if (pathname === "/api/v1/dev/audit-logs" && method === "GET") {
if (state.auditLogsByCursor) {
const cursor = searchParams.get("cursor") || "";
const pageSet = state.auditLogsByCursor[cursor] ?? { items: [] };
return json(route, {
items: pageSet.items,
limit: 50,
cursor: cursor || undefined,
next_cursor: pageSet.next_cursor,
});
}
if (state.auditLogs) {
const action = searchParams.get("action") || "";
const clientId = searchParams.get("client_id") || "";
const status = searchParams.get("status") || "";
const filtered = state.auditLogs.filter((item) => {
let parsedDetails: { action?: string; target_id?: string } = {};
try {
parsedDetails = JSON.parse(item.details) as {
action?: string;
target_id?: string;
};
} catch {}
const matchesAction = !action || parsedDetails.action === action;
const matchesClient =
!clientId || parsedDetails.target_id === clientId;
const matchesStatus = !status || item.status === status;
return matchesAction && matchesClient && matchesStatus;
});
return json(route, { items: filtered, limit: 50 });
}
return json(route, { items: [], limit: 50 });
}
return json(route, { error: `Unhandled ${method} ${pathname}` }, 404);
});
}

24
baron-sso/devfront/tests/helpers/evidence.ts Normal file
View File

@@ -0,0 +1,24 @@
import type { Page, TestInfo } from "@playwright/test";
function safeName(name: string): string {
return name
.trim()
.toLowerCase()
.replace(/[^a-z0-9-_]+/g, "-")
.replace(/-+/g, "-")
.replace(/^-|-$/g, "");
}
export async function captureEvidence(
page: Page,
testInfo: TestInfo,
name: string,
) {
const filename = `${safeName(name)}.png`;
const fullPath = testInfo.outputPath(filename);
await page.screenshot({ path: fullPath, fullPage: true });
await testInfo.attach(name, {
path: fullPath,
contentType: "image/png",
});
}