diff --git a/devfront/tests/devfront-audit.spec.ts b/devfront/tests/devfront-audit.spec.ts new file mode 100644 index 00000000..7f1cc18e --- /dev/null +++ b/devfront/tests/devfront-audit.spec.ts @@ -0,0 +1,108 @@ +import { expect, test } from "@playwright/test"; +import { + installDevApiMock, + makeClient, + seedAuth, + type AuditLog, + type Consent, +} from "./helpers/devfront-fixtures"; + +test.describe("DevFront audit logs", () => { + test.beforeEach(async ({ page }) => { + page.on("dialog", async (dialog) => { + await dialog.accept(); + }); + await seedAuth(page); + }); + + test("filtering and cursor pagination", async ({ page }) => { + const state = { + clients: [makeClient("client-audit", { name: "Audit app" })], + consents: [] as Consent[], + auditLogsByCursor: { + "": { + items: [ + { + event_id: "evt-1", + timestamp: "2026-03-03T09:00:00.000Z", + user_id: "actor-a", + event_type: "CLIENT_UPDATE", + status: "success", + ip_address: "127.0.0.1", + user_agent: "playwright", + details: JSON.stringify({ + action: "UPDATE_CLIENT", + target_id: "client-audit", + tenant_id: "tenant-a", + }), + }, + ], + next_cursor: "cursor-2", + }, + "cursor-2": { + items: [ + { + event_id: "evt-2", + timestamp: "2026-03-03T09:01:00.000Z", + user_id: "actor-b", + event_type: "CLIENT_ROTATE_SECRET", + status: "success", + ip_address: "127.0.0.1", + user_agent: "playwright", + details: JSON.stringify({ + action: "ROTATE_SECRET", + target_id: "client-audit", + tenant_id: "tenant-a", + }), + }, + ], + }, + }, + }; + await installDevApiMock(page, state); + + await page.goto("/audit-logs"); + await expect(page.getByText("UPDATE_CLIENT")).toBeVisible(); + + await page + .getByPlaceholder(/Client ID로 필터|Filter by Client ID/i) + .fill("client-audit"); + await page + .getByPlaceholder(/액션으로 필터|Filter by Action/i) + .fill("ROTATE_SECRET"); + + await page.getByRole("button", { name: /더 보기|Load more/i }).click(); + await expect(page.getByText("ROTATE_SECRET")).toBeVisible(); + }); + + test("realtime create/update actions should be visible", async ({ page }) => { + const state = { + clients: [makeClient("client-realtime", { name: "Realtime app" })], + consents: [] as Consent[], + auditLogs: [] as AuditLog[], + auditLogsByCursor: undefined, + }; + await installDevApiMock(page, state); + + await page.goto("/clients/new"); + await page.getByPlaceholder("My Awesome Application").fill("Realtime New App"); + await page + .getByPlaceholder(/https:\/\/app\.example\.com\/callback/i) + .fill("https://realtime.example.com/callback"); + await page.getByRole("button", { name: /앱 생성|Create/i }).click(); + await expect.poll(() => state.auditLogs.length).toBeGreaterThanOrEqual(1); + + await page.goto("/clients/client-realtime/settings"); + await page.getByPlaceholder("My Awesome Application").fill("Realtime Updated"); + await page.getByRole("button", { name: /^저장$|^Save$/i }).click(); + await expect.poll(() => state.auditLogs.length).toBeGreaterThanOrEqual(2); + + await page.goto("/audit-logs"); + await expect(page.getByText("CREATE_CLIENT")).toBeVisible({ + timeout: 30000, + }); + await expect(page.getByText("UPDATE_CLIENT")).toBeVisible({ + timeout: 30000, + }); + }); +}); diff --git a/devfront/tests/devfront-clients-lifecycle.spec.ts b/devfront/tests/devfront-clients-lifecycle.spec.ts new file mode 100644 index 00000000..d4a840be --- /dev/null +++ b/devfront/tests/devfront-clients-lifecycle.spec.ts @@ -0,0 +1,121 @@ +import { expect, test } from "@playwright/test"; +import { + installDevApiMock, + makeClient, + seedAuth, + type ClientStatus, + type Consent, +} from "./helpers/devfront-fixtures"; + +test.describe("DevFront clients lifecycle", () => { + test.beforeEach(async ({ page }) => { + page.on("dialog", async (dialog) => { + await dialog.accept(); + }); + await seedAuth(page); + }); + + test("create, update status, and delete", async ({ page }) => { + const state = { + clients: [makeClient("existing-client", { name: "Existing app" })], + consents: [] as Consent[], + updatedStatus: "active" as ClientStatus, + auditLogsByCursor: undefined, + onUpdateStatus(status: ClientStatus) { + this.updatedStatus = status; + }, + }; + await installDevApiMock(page, state); + + await page.goto("/clients"); + await expect(page.getByText("Existing app")).toBeVisible(); + + await page + .getByRole("button", { name: /연동 앱 추가|새 클라이언트|Create/i }) + .click(); + await expect(page).toHaveURL(/\/clients\/new$/); + + await page + .getByPlaceholder("My Awesome Application") + .fill("Playwright Created App"); + await page + .getByPlaceholder(/https:\/\/app\.example\.com\/callback/i) + .fill("https://playwright.example.com/callback"); + await page + .getByRole("button", { name: /앱 생성|클라이언트 생성|Create/i }) + .click(); + + await expect(page).toHaveURL(/\/clients\/client-2\/settings$/); + await expect( + page.getByRole("heading", { + name: /연동 앱 설정|클라이언트 설정|Client Settings/i, + }), + ).toBeVisible(); + + await page.getByRole("button", { name: /비활성|Inactive/i }).click(); + await page.getByRole("button", { name: /^저장$|^Save$/i }).click(); + await expect.poll(() => state.updatedStatus).toBe("inactive"); + + await page.getByRole("button", { name: /삭제|Delete/i }).click(); + await expect(page).toHaveURL(/\/clients$/); + await expect(page.getByText("Playwright Created App")).not.toBeVisible(); + }); + + test("rotate secret shows new value", async ({ page }) => { + let rotatedSecret = ""; + const state = { + clients: [makeClient("client-rotate", { name: "Rotate app" })], + consents: [] as Consent[], + auditLogsByCursor: undefined, + onRotateSecret(newSecret: string) { + rotatedSecret = newSecret; + }, + }; + await installDevApiMock(page, state); + + await page.goto("/clients/client-rotate"); + await expect( + page.getByRole("heading", { name: "Rotate app", exact: true }), + ).toBeVisible(); + + await page.getByTitle(/비밀키 재발급|Rotate/i).click(); + await expect.poll(() => rotatedSecret).toBe("client-rotate-rotated-secret"); + await expect(page.getByText("client-rotate-rotated-secret")).toBeVisible(); + }); + + test("update name and redirect URI should be persisted", async ({ page }) => { + const state = { + clients: [ + makeClient("client-edit", { + name: "Before Name", + redirectUris: ["https://before.example.com/callback"], + }), + ], + consents: [] as Consent[], + auditLogsByCursor: undefined, + }; + await installDevApiMock(page, state); + + await page.goto("/clients/client-edit/settings"); + await page.getByPlaceholder("My Awesome Application").fill("After Name"); + await page.getByRole("button", { name: /^저장$|^Save$/i }).click(); + await expect.poll(() => state.clients[0]?.name).toBe("After Name"); + + await page.goto("/clients/client-edit"); + await page + .getByRole("textbox", { name: /인증 콜백 URL|Callback/i }) + .fill("https://after.example.com/callback"); + await page + .getByRole("button", { name: /Redirect URIs 저장|Save/i }) + .click(); + + await expect.poll(() => state.clients[0]?.redirectUris[0]).toBe( + "https://after.example.com/callback", + ); + + await page.reload(); + await expect( + page.getByRole("textbox", { name: /인증 콜백 URL|Callback/i }), + ).toHaveValue(/https:\/\/after\.example\.com\/callback/); + }); +}); diff --git a/devfront/tests/devfront-consents.spec.ts b/devfront/tests/devfront-consents.spec.ts new file mode 100644 index 00000000..567419cb --- /dev/null +++ b/devfront/tests/devfront-consents.spec.ts @@ -0,0 +1,45 @@ +import { expect, test } from "@playwright/test"; +import { + installDevApiMock, + makeClient, + seedAuth, + type Consent, +} from "./helpers/devfront-fixtures"; + +test.describe("DevFront consents", () => { + test.beforeEach(async ({ page }) => { + page.on("dialog", async (dialog) => { + await dialog.accept(); + }); + await seedAuth(page); + }); + + test("consent list and revoke flow", async ({ page }) => { + const state = { + clients: [makeClient("client-consent", { name: "Consent app" })], + consents: [ + { + subject: "user-1", + userName: "Alice", + clientId: "client-consent", + clientName: "Consent app", + grantedScopes: ["openid", "profile"], + authenticatedAt: "2026-03-03T08:00:00.000Z", + createdAt: "2026-03-02T08:00:00.000Z", + status: "active", + tenantId: "tenant-a", + tenantName: "Tenant A", + }, + ] as Consent[], + auditLogsByCursor: undefined, + }; + await installDevApiMock(page, state); + + await page.goto("/clients/client-consent/consents"); + await expect(page.getByText("Alice")).toBeVisible(); + await expect(page.getByText("Tenant A")).toBeVisible(); + + await page.getByRole("button", { name: /권한 철회|Revoke/i }).click(); + await expect(page.getByText(/Revoked|철회/i).first()).toBeVisible(); + }); +}); diff --git a/devfront/tests/devfront-security.spec.ts b/devfront/tests/devfront-security.spec.ts new file mode 100644 index 00000000..75e684df --- /dev/null +++ b/devfront/tests/devfront-security.spec.ts @@ -0,0 +1,50 @@ +import { expect, test } from "@playwright/test"; +import { + installDevApiMock, + makeClient, + seedAuth, + type Consent, +} from "./helpers/devfront-fixtures"; + +test.describe("DevFront security and isolation", () => { + test.beforeEach(async ({ page }) => { + page.on("dialog", async (dialog) => { + await dialog.accept(); + }); + await seedAuth(page); + }); + + test("tenant isolation: forbidden client shows blocked error", async ({ + page, + }) => { + const state = { + clients: [makeClient("tenant-a-client", { name: "Tenant A app" })], + consents: [] as Consent[], + auditLogsByCursor: undefined, + }; + await installDevApiMock(page, state); + + await page.goto("/clients/tenant-b-client"); + await expect(page.getByText(/Error loading client|조회/i)).toBeVisible(); + }); + + test("RBAC: non-AppManager user should not see private apps", async ({ + page, + }) => { + const state = { + clients: [ + makeClient("pkce-client", { + name: "PKCE only app", + type: "pkce", + }), + ], + consents: [] as Consent[], + auditLogsByCursor: undefined, + }; + await installDevApiMock(page, state); + + await page.goto("/clients"); + await expect(page.getByText("PKCE only app")).toBeVisible(); + await expect(page.getByText("Server side App")).not.toBeVisible(); + }); +}); diff --git a/devfront/tests/helpers/devfront-fixtures.ts b/devfront/tests/helpers/devfront-fixtures.ts new file mode 100644 index 00000000..92b01ade --- /dev/null +++ b/devfront/tests/helpers/devfront-fixtures.ts @@ -0,0 +1,362 @@ +import type { Page, Route } from "@playwright/test"; + +export type ClientStatus = "active" | "inactive"; +export type ClientType = "private" | "pkce"; + +export type Client = { + id: string; + name: string; + type: ClientType; + status: ClientStatus; + redirectUris: string[]; + scopes: string[]; + createdAt: string; + clientSecret?: string; + metadata?: Record; +}; + +export type Consent = { + subject: string; + userName: string; + clientId: string; + clientName: string; + grantedScopes: string[]; + authenticatedAt?: string; + createdAt: string; + deletedAt?: string; + status: "active" | "revoked"; + tenantId: string; + tenantName: string; +}; + +export type AuditLog = { + event_id: string; + timestamp: string; + user_id: string; + event_type: string; + status: "success" | "failure"; + ip_address: string; + user_agent: string; + details: string; +}; + +export type DevApiMockState = { + clients: Client[]; + consents: Consent[]; + auditLogsByCursor?: Record; + auditLogs?: AuditLog[]; + onUpdateStatus?: (status: ClientStatus) => void; + onRotateSecret?: (newSecret: string) => void; +}; + +export function makeClient(id: string, overrides: Partial = {}): Client { + return { + id, + name: `${id} app`, + type: "private", + status: "active", + redirectUris: [`https://${id}.example.com/callback`], + scopes: ["openid", "profile", "email"], + createdAt: "2026-03-03T00:00:00.000Z", + clientSecret: `${id}-secret`, + metadata: {}, + ...overrides, + }; +} + +export async function seedAuth(page: Page) { + const nowInSeconds = Math.floor(Date.now() / 1000); + + await page.addInitScript((issuedAt) => { + const mockOidcUser = { + id_token: "playwright-id-token", + session_state: "playwright-session", + access_token: "playwright-access-token", + refresh_token: "playwright-refresh-token", + token_type: "Bearer", + scope: "openid profile email", + profile: { + sub: "playwright-user", + email: "playwright@example.com", + name: "Playwright User", + }, + expires_at: issuedAt + 3600, + }; + + window.localStorage.setItem( + "oidc.user:http://localhost:5000/oidc:devfront", + JSON.stringify(mockOidcUser), + ); + window.localStorage.setItem( + "oidc.user:http://localhost:5000/oidc/:devfront", + JSON.stringify(mockOidcUser), + ); + window.localStorage.setItem("dev_tenant_id", "tenant-a"); + }, nowInSeconds); +} + +function json(route: Route, payload: unknown, status = 200) { + return route.fulfill({ + status, + contentType: "application/json", + body: JSON.stringify(payload), + }); +} + +function parseClientId(pathname: string): string { + const parts = pathname.split("/").filter(Boolean); + return parts[parts.length - 1] ?? ""; +} + +export async function installDevApiMock(page: Page, state: DevApiMockState) { + const appendAuditLog = ( + eventType: string, + action: string, + targetId: string, + status: "success" | "failure" = "success", + ) => { + if (!state.auditLogs) return; + state.auditLogs.unshift({ + event_id: `evt-${Date.now()}-${Math.random().toString(16).slice(2, 8)}`, + timestamp: new Date().toISOString(), + user_id: "playwright-user", + event_type: eventType, + status, + ip_address: "127.0.0.1", + user_agent: "playwright", + details: JSON.stringify({ + action, + target_id: targetId, + tenant_id: "tenant-a", + }), + }); + }; + + await page.route("**/api/v1/dev/**", async (route) => { + const request = route.request(); + const url = new URL(request.url()); + const { pathname, searchParams } = url; + const method = request.method(); + + if (pathname === "/api/v1/dev/stats" && method === "GET") { + const total = state.clients.length; + return json(route, { + total_clients: total, + active_sessions: Math.max(1, total), + auth_failures_24h: 0, + }); + } + + if (pathname === "/api/v1/dev/clients" && method === "GET") { + return json(route, { + items: state.clients.map((client) => ({ + id: client.id, + name: client.name, + type: client.type, + status: client.status, + createdAt: client.createdAt, + redirectUris: client.redirectUris, + scopes: client.scopes, + })), + limit: 50, + offset: 0, + }); + } + + if (pathname === "/api/v1/dev/clients" && method === "POST") { + const payload = (request.postDataJSON() as { + name?: string; + type?: ClientType; + status?: ClientStatus; + redirectUris?: string[]; + scopes?: string[]; + metadata?: Record; + }) || { name: "created app" }; + + const created = makeClient(`client-${state.clients.length + 1}`, { + name: payload.name ?? "created app", + type: payload.type ?? "private", + status: payload.status ?? "active", + redirectUris: payload.redirectUris ?? [], + scopes: payload.scopes ?? ["openid"], + metadata: payload.metadata ?? {}, + }); + + state.clients.push(created); + appendAuditLog("CLIENT_CREATE", "CREATE_CLIENT", created.id); + return json(route, { + client: created, + endpoints: { + discovery: "https://issuer/.well-known/openid-configuration", + issuer: "https://issuer", + authorization: "https://issuer/oauth2/auth", + token: "https://issuer/oauth2/token", + userinfo: "https://issuer/userinfo", + }, + }); + } + + if ( + pathname.startsWith("/api/v1/dev/clients/") && + pathname.endsWith("/status") && + method === "PATCH" + ) { + const clientId = pathname.split("/")[5] ?? ""; + const payload = request.postDataJSON() as { status: ClientStatus }; + const found = state.clients.find((client) => client.id === clientId); + if (!found) return json(route, { error: "not found" }, 404); + found.status = payload.status; + appendAuditLog("CLIENT_UPDATE_STATUS", "UPDATE_CLIENT_STATUS", clientId); + state.onUpdateStatus?.(payload.status); + return json(route, { + client: found, + endpoints: { + discovery: "https://issuer/.well-known/openid-configuration", + issuer: "https://issuer", + authorization: "https://issuer/oauth2/auth", + token: "https://issuer/oauth2/token", + userinfo: "https://issuer/userinfo", + }, + }); + } + + if ( + pathname.startsWith("/api/v1/dev/clients/") && + pathname.endsWith("/secret/rotate") && + method === "POST" + ) { + const clientId = pathname.split("/")[5] ?? ""; + const found = state.clients.find((client) => client.id === clientId); + if (!found) return json(route, { error: "not found" }, 404); + found.clientSecret = `${clientId}-rotated-secret`; + appendAuditLog("CLIENT_ROTATE_SECRET", "ROTATE_SECRET", clientId); + state.onRotateSecret?.(found.clientSecret); + return json(route, { + client: found, + endpoints: { + discovery: "https://issuer/.well-known/openid-configuration", + issuer: "https://issuer", + authorization: "https://issuer/oauth2/auth", + token: "https://issuer/oauth2/token", + userinfo: "https://issuer/userinfo", + }, + }); + } + + if (pathname.startsWith("/api/v1/dev/clients/") && method === "PUT") { + const clientId = parseClientId(pathname); + const payload = (request.postDataJSON() as { + name?: string; + type?: ClientType; + scopes?: string[]; + redirectUris?: string[]; + metadata?: Record; + }) || { name: "updated app" }; + const found = state.clients.find((client) => client.id === clientId); + if (!found) return json(route, { error: "not found" }, 404); + if (payload.name) found.name = payload.name; + if (payload.type) found.type = payload.type; + if (payload.scopes) found.scopes = payload.scopes; + if (payload.redirectUris) found.redirectUris = payload.redirectUris; + if (payload.metadata) found.metadata = payload.metadata; + appendAuditLog("CLIENT_UPDATE", "UPDATE_CLIENT", clientId); + return json(route, { + client: found, + endpoints: { + discovery: "https://issuer/.well-known/openid-configuration", + issuer: "https://issuer", + authorization: "https://issuer/oauth2/auth", + token: "https://issuer/oauth2/token", + userinfo: "https://issuer/userinfo", + }, + }); + } + + if (pathname.startsWith("/api/v1/dev/clients/") && method === "DELETE") { + const clientId = parseClientId(pathname); + state.clients = state.clients.filter((client) => client.id !== clientId); + appendAuditLog("CLIENT_DELETE", "DELETE_CLIENT", clientId); + return route.fulfill({ status: 204 }); + } + + if (pathname.startsWith("/api/v1/dev/clients/") && method === "GET") { + const clientId = parseClientId(pathname); + const found = state.clients.find((client) => client.id === clientId); + if (!found) return json(route, { error: "forbidden" }, 403); + return json(route, { + client: found, + endpoints: { + discovery: "https://issuer/.well-known/openid-configuration", + issuer: "https://issuer", + authorization: "https://issuer/oauth2/auth", + token: "https://issuer/oauth2/token", + userinfo: "https://issuer/userinfo", + }, + }); + } + + if (pathname === "/api/v1/dev/consents" && method === "GET") { + const subject = searchParams.get("subject") || ""; + const clientId = searchParams.get("client_id") || ""; + const status = searchParams.get("status") || ""; + const items = state.consents.filter((row) => { + const matchesSubject = + !subject || row.subject.includes(subject) || row.userName.includes(subject); + const matchesClientId = !clientId || row.clientId === clientId; + const matchesStatus = !status || row.status === status; + return matchesSubject && matchesClientId && matchesStatus; + }); + return json(route, { items }); + } + + if (pathname === "/api/v1/dev/consents" && method === "DELETE") { + const subject = searchParams.get("subject") || ""; + const clientId = searchParams.get("client_id") || ""; + const target = state.consents.find( + (row) => row.subject === subject && row.clientId === clientId, + ); + if (target) { + target.status = "revoked"; + target.deletedAt = "2026-03-03T10:00:00.000Z"; + } + return route.fulfill({ status: 204 }); + } + + if (pathname === "/api/v1/dev/audit-logs" && method === "GET") { + if (state.auditLogsByCursor) { + const cursor = searchParams.get("cursor") || ""; + const pageSet = state.auditLogsByCursor[cursor] ?? { items: [] }; + return json(route, { + items: pageSet.items, + limit: 50, + cursor: cursor || undefined, + next_cursor: pageSet.next_cursor, + }); + } + + if (state.auditLogs) { + const action = searchParams.get("action") || ""; + const clientId = searchParams.get("client_id") || ""; + const status = searchParams.get("status") || ""; + const filtered = state.auditLogs.filter((item) => { + let parsedDetails: { action?: string; target_id?: string } = {}; + try { + parsedDetails = JSON.parse(item.details) as { + action?: string; + target_id?: string; + }; + } catch {} + const matchesAction = !action || parsedDetails.action === action; + const matchesClient = !clientId || parsedDetails.target_id === clientId; + const matchesStatus = !status || item.status === status; + return matchesAction && matchesClient && matchesStatus; + }); + return json(route, { items: filtered, limit: 50 }); + } + + return json(route, { items: [], limit: 50 }); + } + + return json(route, { error: `Unhandled ${method} ${pathname}` }, 404); + }); +}