chore: consolidate local integration changes

backend/internal/handler/dev_handler_rp_metadata_test.go

@@ -13,6 +13,7 @@ import (
 	"github.com/gofiber/fiber/v2"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
 )
 
 type devMockRPUserMetadataRepo struct {
@@ -40,6 +41,14 @@ func TestDevHandler_RPUserMetadataRoundTrip(t *testing.T) {
 				"client_name": "Client One",
 				"metadata": map[string]any{
 					"tenant_id": "tenant-1",
+					"id_token_claims": []map[string]any{
+						{
+							"namespace": "rp_claims",
+							"key":       "approvalLevel",
+							"valueType": "text",
+							"value":     "A",
+						},
+					},
 				},
 			}), nil
 		}
@@ -50,7 +59,9 @@ func TestDevHandler_RPUserMetadataRoundTrip(t *testing.T) {
 	repo.On("Upsert", mock.Anything, mock.MatchedBy(func(row *domain.RPUserMetadata) bool {
 		return row.ClientID == "client-1" &&
 			row.UserID == "user-1" &&
-			row.Metadata["approvalLevel"] == "A"
+			row.Metadata["approvalLevel"] == "A" &&
+			row.Metadata["approvalLevel_permissions"].(map[string]any)["readPermission"] == "admin_only" &&
+			row.Metadata["approvalLevel_permissions"].(map[string]any)["writePermission"] == "user_and_admin"
 	})).Return(nil).Once()
 	repo.On("Get", mock.Anything, "client-1", "user-1").Return(&domain.RPUserMetadata{
 		ClientID: "client-1",
@@ -74,7 +85,12 @@ func TestDevHandler_RPUserMetadataRoundTrip(t *testing.T) {
 	app.Get("/api/v1/dev/clients/:id/users/:userId/metadata", h.GetRPUserMetadata)
 
 	body, _ := json.Marshal(map[string]any{
-		"metadata": map[string]any{"approvalLevel": "A"},
+		"metadata": map[string]any{
+			"approvalLevel": "A",
+			"approvalLevel_permissions": map[string]any{
+				"writePermission": "user_and_admin",
+			},
+		},
 	})
 	putReq := httptest.NewRequest(http.MethodPut, "/api/v1/dev/clients/client-1/users/user-1/metadata", bytes.NewReader(body))
 	putReq.Header.Set("Content-Type", "application/json")
@@ -92,3 +108,171 @@ func TestDevHandler_RPUserMetadataRoundTrip(t *testing.T) {
 	assert.Equal(t, "A", got["metadata"].(map[string]any)["approvalLevel"])
 	repo.AssertExpectations(t)
 }
+
+func TestDevHandler_RPUserMetadataMirrorsToKratosTraits(t *testing.T) {
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.URL.Path == "/clients/client-1" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"client_id":   "client-1",
+				"client_name": "Client One",
+				"metadata": map[string]any{
+					"tenant_id": "tenant-1",
+					"id_token_claims": []map[string]any{
+						{
+							"namespace":       "rp_claims",
+							"key":             "approvalLevel",
+							"valueType":       "text",
+							"value":           "A",
+							"readPermission":  "user_and_admin",
+							"writePermission": "admin_only",
+						},
+					},
+				},
+			}), nil
+		}
+		return httpJSONAny(r, http.StatusNotFound, nil), nil
+	})
+
+	repo := new(devMockRPUserMetadataRepo)
+	repo.On("Upsert", mock.Anything, mock.AnythingOfType("*domain.RPUserMetadata")).Return(nil).Once()
+	kratos := new(MockKratosAdmin)
+	kratos.On("GetIdentity", mock.Anything, "user-1").Return(&service.KratosIdentity{
+		ID:    "user-1",
+		State: "active",
+		Traits: map[string]any{
+			"email": "user@example.com",
+			"name":  "User One",
+		},
+	}, nil).Once()
+	var capturedTraits map[string]any
+	kratos.On("UpdateIdentity", mock.Anything, "user-1", mock.Anything, "active").Run(func(args mock.Arguments) {
+		capturedTraits = args.Get(2).(map[string]any)
+	}).Return(&service.KratosIdentity{ID: "user-1", State: "active", Traits: map[string]any{}}, nil).Once()
+
+	h := &DevHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: &http.Client{Transport: transport},
+		},
+		KratosAdmin:        kratos,
+		RPUserMetadataRepo: repo,
+	}
+	app := fiber.New()
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{ID: "admin", Role: domain.RoleSuperAdmin})
+		return c.Next()
+	})
+	app.Put("/api/v1/dev/clients/:id/users/:userId/metadata", h.UpsertRPUserMetadata)
+
+	body, _ := json.Marshal(map[string]any{
+		"metadata": map[string]any{"approvalLevel": "B"},
+	})
+	req := httptest.NewRequest(http.MethodPut, "/api/v1/dev/clients/client-1/users/user-1/metadata", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+	resp, _ := app.Test(req, -1)
+
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+	rpClaims := capturedTraits["rp_custom_claims"].(map[string]any)
+	clientClaims := rpClaims["client-1"].(domain.JSONMap)
+	require.Equal(t, "B", clientClaims["approvalLevel"])
+	require.Equal(t, map[string]any{
+		"readPermission":  "user_and_admin",
+		"writePermission": "admin_only",
+	}, clientClaims["approvalLevel_permissions"])
+	repo.AssertExpectations(t)
+	kratos.AssertExpectations(t)
+}
+
+func TestDevHandler_RPUserMetadataRejectsUndefinedClaimKey(t *testing.T) {
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.URL.Path == "/clients/client-1" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"client_id":   "client-1",
+				"client_name": "Client One",
+				"metadata": map[string]any{
+					"id_token_claims": []map[string]any{
+						{
+							"namespace": "rp_claims",
+							"key":       "contract_date",
+							"valueType": "date",
+							"value":     "2026-06-09",
+						},
+					},
+				},
+			}), nil
+		}
+		return httpJSONAny(r, http.StatusNotFound, nil), nil
+	})
+
+	repo := new(devMockRPUserMetadataRepo)
+	h := &DevHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: &http.Client{Transport: transport},
+		},
+		RPUserMetadataRepo: repo,
+	}
+	app := fiber.New()
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{ID: "admin", Role: domain.RoleSuperAdmin})
+		return c.Next()
+	})
+	app.Put("/api/v1/dev/clients/:id/users/:userId/metadata", h.UpsertRPUserMetadata)
+
+	body, _ := json.Marshal(map[string]any{
+		"metadata": map[string]any{"unknown_claim": "A"},
+	})
+	req := httptest.NewRequest(http.MethodPut, "/api/v1/dev/clients/client-1/users/user-1/metadata", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+	resp, _ := app.Test(req, -1)
+
+	assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+	repo.AssertNotCalled(t, "Upsert", mock.Anything, mock.Anything)
+}
+
+func TestDevHandler_RPUserMetadataRejectsInvalidTypedClaimValue(t *testing.T) {
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.URL.Path == "/clients/client-1" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"client_id":   "client-1",
+				"client_name": "Client One",
+				"metadata": map[string]any{
+					"id_token_claims": []map[string]any{
+						{
+							"namespace": "rp_claims",
+							"key":       "contract_date",
+							"valueType": "date",
+							"value":     "2026-06-09",
+						},
+					},
+				},
+			}), nil
+		}
+		return httpJSONAny(r, http.StatusNotFound, nil), nil
+	})
+
+	repo := new(devMockRPUserMetadataRepo)
+	h := &DevHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: &http.Client{Transport: transport},
+		},
+		RPUserMetadataRepo: repo,
+	}
+	app := fiber.New()
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{ID: "admin", Role: domain.RoleSuperAdmin})
+		return c.Next()
+	})
+	app.Put("/api/v1/dev/clients/:id/users/:userId/metadata", h.UpsertRPUserMetadata)
+
+	body, _ := json.Marshal(map[string]any{
+		"metadata": map[string]any{"contract_date": "2026/06/09"},
+	})
+	req := httptest.NewRequest(http.MethodPut, "/api/v1/dev/clients/client-1/users/user-1/metadata", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+	resp, _ := app.Test(req, -1)
+
+	assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+	repo.AssertNotCalled(t, "Upsert", mock.Anything, mock.Anything)
+}