chore: consolidate local integration changes

2026-06-09 21:03:05 +09:00
parent aa2848c3b6
commit 1341f07ef9
158 changed files with 10995 additions and 1490 deletions
--- a/backend/internal/handler/dev_handler_test.go
+++ b/backend/internal/handler/dev_handler_test.go
@@ -726,7 +726,7 @@ func TestUpdateClient_AuditDetailsIncludeGeneralSettingChanges(t *testing.T) {
 					"tenant_id":                           "tenant-1",
 					"tenant_access_restricted":            true,
 					"allowed_tenants":                     []any{"tenant-1", "tenant-2"},
-					"id_token_claims":                     []any{map[string]any{"namespace": "top_level", "key": "locale", "valueType": "text", "value": "ko-KR"}},
+					"id_token_claims":                     []any{map[string]any{"namespace": "rp_claims", "key": "locale", "valueType": "text", "value": "ko-KR"}},
 					"headless_login_enabled":              true,
 					"headless_jwks_uri":                   "https://rp.example.com/jwks.json",
 					"headless_token_endpoint_auth_method": "private_key_jwt",
@@ -766,7 +766,7 @@ func TestUpdateClient_AuditDetailsIncludeGeneralSettingChanges(t *testing.T) {
 			"allowed_tenants":          []string{"tenant-1", "tenant-2"},
 			"id_token_claims": []map[string]any{
 				{
-					"namespace": "top_level",
+					"namespace": "rp_claims",
 					"key":       "locale",
 					"valueType": "text",
 					"value":     "ko-KR",
@@ -2306,7 +2306,7 @@ func TestCreateClient_NormalizesIDTokenClaimsMetadata(t *testing.T) {
 			"id_token_claims": []map[string]any{
 				{
 					"id":        "claim-1",
-					"namespace": "top_level",
+					"namespace": "rp_claims",
 					"key":       "locale",
 					"value":     " ko-KR ",
 					"valueType": "text",
@@ -2331,7 +2331,7 @@ func TestCreateClient_NormalizesIDTokenClaimsMetadata(t *testing.T) {
 	if assert.True(t, ok) && assert.Len(t, claims, 2) {
 		first, ok := claims[0].(map[string]any)
 		if assert.True(t, ok) {
-			assert.Equal(t, "top_level", first["namespace"])
+			assert.Equal(t, "rp_claims", first["namespace"])
 			assert.Equal(t, "locale", first["key"])
 			assert.Equal(t, "ko-KR", first["value"])
 			assert.Equal(t, "text", first["valueType"])
@@ -2393,7 +2393,7 @@ func TestCreateClient_RejectsInvalidIDTokenClaimsMetadata(t *testing.T) {
 	defer resp.Body.Close()

 	bodyBytes, _ := io.ReadAll(resp.Body)
-	assert.Contains(t, string(bodyBytes), "top-level key rp_claims is reserved")
+	assert.Contains(t, string(bodyBytes), "top_level namespace is managed from admin user custom claims")
 	assert.False(t, hydraCalled)
 }

@@ -3134,6 +3134,147 @@ func TestListConsents_UserAllowedByRPAdminsRelation(t *testing.T) {
 	mockKeto.AssertExpectations(t)
 }

+func TestListConsents_IncludesRPUserMetadata(t *testing.T) {
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"client_id":   "client-1",
+				"client_name": "App One",
+				"metadata": map[string]any{
+					"tenant_id": "tenant-1",
+					"status":    "active",
+				},
+			}), nil
+		}
+		return httpJSONAny(r, http.StatusNotFound, nil), nil
+	})
+
+	repo := new(devMockRPUserMetadataRepo)
+	repo.On("Get", mock.Anything, "client-1", "subject-1").Return(&domain.RPUserMetadata{
+		ClientID: "client-1",
+		UserID:   "subject-1",
+		Metadata: domain.JSONMap{
+			"approvalLevel": "A",
+			"reviewedAt":    "2026-06-09T09:30:00+09:00",
+		},
+	}, nil).Once()
+
+	h := &DevHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: &http.Client{Transport: transport},
+		},
+		ConsentRepo: &mockConsentRepo{
+			consents: []domain.ClientConsent{
+				{
+					ClientID:      "client-1",
+					Subject:       "subject-1",
+					GrantedScopes: []string{"openid", "profile"},
+					CreatedAt:     time.Now().UTC(),
+				},
+			},
+		},
+		RPUserMetadataRepo: repo,
+	}
+
+	app := fiber.New()
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{ID: "admin", Role: domain.RoleSuperAdmin})
+		return c.Next()
+	})
+	app.Get("/api/v1/dev/consents", h.ListConsents)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/consents?client_id=client-1", nil)
+	resp, _ := app.Test(req, -1)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var result consentListResponse
+	_ = json.NewDecoder(resp.Body).Decode(&result)
+	if assert.Len(t, result.Items, 1) {
+		assert.Equal(t, domain.JSONMap{
+			"approvalLevel": "A",
+			"reviewedAt":    "2026-06-09T09:30:00+09:00",
+		}, result.Items[0].RPMetadata)
+	}
+	repo.AssertExpectations(t)
+}
+
+func TestNormalizeIDTokenClaimsMetadata_AllowsDateAndDatetime(t *testing.T) {
+	metadata, err := normalizeIDTokenClaimsMetadata(map[string]any{
+		domain.MetadataIDTokenClaims: []any{
+			map[string]any{
+				"namespace": "rp_claims",
+				"key":       "contract_date",
+				"value":     "2026-06-09",
+				"valueType": "date",
+			},
+			map[string]any{
+				"namespace": "rp_claims",
+				"key":       "approved_at",
+				"value":     "2026-06-09T09:30:00+09:00",
+				"valueType": "datetime",
+			},
+		},
+	})
+
+	assert.NoError(t, err)
+	claims := metadata[domain.MetadataIDTokenClaims].([]normalizedIDTokenClaim)
+	assert.Equal(t, "date", claims[0].ValueType)
+	assert.Equal(t, "datetime", claims[1].ValueType)
+}
+
+func TestUpdateClient_RejectsTopLevelIDTokenClaimsFromDevConsole(t *testing.T) {
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"client_id":                  "client-1",
+				"client_name":                "App One",
+				"redirect_uris":              []string{"http://localhost/cb"},
+				"grant_types":                []string{"authorization_code"},
+				"response_types":             []string{"code"},
+				"scope":                      "openid profile",
+				"token_endpoint_auth_method": "none",
+				"metadata":                   map[string]any{"status": "active"},
+			}), nil
+		}
+		if r.Method == http.MethodPut && r.URL.Path == "/clients/client-1" {
+			t.Fatalf("hydra update should not be called for top-level id token claims")
+		}
+		return httpJSONAny(r, http.StatusNotFound, nil), nil
+	})
+
+	h := &DevHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: &http.Client{Transport: transport},
+		},
+	}
+	app := fiber.New()
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{ID: "admin", Role: domain.RoleSuperAdmin})
+		return c.Next()
+	})
+	app.Put("/api/v1/dev/clients/:id", h.UpdateClient)
+
+	body, _ := json.Marshal(map[string]any{
+		"metadata": map[string]any{
+			domain.MetadataIDTokenClaims: []any{
+				map[string]any{
+					"namespace": "top_level",
+					"key":       "employee_id",
+					"value":     "EMP001",
+					"valueType": "text",
+				},
+			},
+		},
+	})
+	req := httptest.NewRequest(http.MethodPut, "/api/v1/dev/clients/client-1", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, _ := app.Test(req, -1)
+	assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+}
+
 func TestListClientRelations_RPAdminAllowedByViewRelationshipsPermission(t *testing.T) {
 	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
 		if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {