worksmobile 연동 & ory stack 26.2.0으로 업그레이드

backend/cmd/adminctl/main.go

@@ -0,0 +1,176 @@
+package main
+
+import (
+	"baron-sso-backend/internal/bootstrap"
+	"baron-sso-backend/internal/idp"
+	"baron-sso-backend/internal/logger"
+	"baron-sso-backend/internal/repository"
+	"baron-sso-backend/internal/service"
+	"context"
+	"flag"
+	"fmt"
+	"log"
+	"log/slog"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/joho/godotenv"
+	"gorm.io/driver/postgres"
+	"gorm.io/gorm"
+	gormLogger "gorm.io/gorm/logger"
+)
+
+type createSuperAdminConfig struct {
+	Email          string
+	Password       string
+	Name           string
+	UpdatePassword bool
+}
+
+func main() {
+	loadEnv()
+	logger.Init(logger.Config{
+		ServiceName:   "baron-sso-adminctl",
+		Environment:   getenv("APP_ENV", getenv("GO_ENV", "dev")),
+		LevelOverride: getenv("BACKEND_LOG_LEVEL", ""),
+	})
+
+	if len(os.Args) < 2 {
+		printUsage()
+		os.Exit(2)
+	}
+
+	switch os.Args[1] {
+	case "create-super-admin":
+		if err := runCreateSuperAdmin(os.Args[2:]); err != nil {
+			slog.Error("create-super-admin failed", "error", err)
+			os.Exit(1)
+		}
+	default:
+		printUsage()
+		os.Exit(2)
+	}
+}
+
+func runCreateSuperAdmin(args []string) error {
+	config, err := resolveCreateSuperAdminConfig(args)
+	if err != nil {
+		return err
+	}
+
+	db, err := openDB()
+	if err != nil {
+		return err
+	}
+	if err := bootstrap.Run(db); err != nil {
+		return err
+	}
+
+	provider, err := idp.InitializeProvider()
+	if err != nil {
+		return err
+	}
+	if provider == nil {
+		return fmt.Errorf("idp provider is required")
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+
+	result, err := bootstrap.EnsureSuperAdmin(
+		ctx,
+		service.NewKratosAdminService(),
+		bootstrap.NewGormSuperAdminStore(db, repository.NewKetoOutboxRepository(db)),
+		bootstrap.EnsureSuperAdminOptions{
+			Email:          config.Email,
+			Password:       config.Password,
+			Name:           config.Name,
+			Source:         "adminctl",
+			UpdatePassword: config.UpdatePassword,
+		},
+	)
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("super admin ensured: email=%s identity_id=%s user_id=%s identity_created=%t local_created=%t local_updated=%t password_updated=%t keto_relation_queued=%t\n",
+		result.Email,
+		result.IdentityID,
+		result.LocalUserID,
+		result.IdentityCreated,
+		result.LocalUserCreated,
+		result.LocalUserUpdated,
+		result.PasswordUpdated,
+		result.KetoRelationQueued,
+	)
+	return nil
+}
+
+func resolveCreateSuperAdminConfig(args []string) (createSuperAdminConfig, error) {
+	fs := flag.NewFlagSet("create-super-admin", flag.ContinueOnError)
+	fs.SetOutput(os.Stderr)
+
+	config := createSuperAdminConfig{}
+	fs.StringVar(&config.Email, "email", getenv("ADMIN_EMAIL", ""), "admin email")
+	fs.StringVar(&config.Password, "password", getenv("ADMIN_PASSWORD", ""), "admin password")
+	fs.StringVar(&config.Name, "name", getenv("ADMIN_NAME", "System Admin"), "admin display name")
+	fs.BoolVar(&config.UpdatePassword, "update-password", false, "update password when identity already exists")
+
+	if err := fs.Parse(args); err != nil {
+		return config, err
+	}
+
+	config.Email = strings.TrimSpace(config.Email)
+	config.Name = strings.TrimSpace(config.Name)
+	if config.Email == "" {
+		return config, fmt.Errorf("admin email is required; pass --email or set ADMIN_EMAIL")
+	}
+	if strings.TrimSpace(config.Password) == "" {
+		return config, fmt.Errorf("admin password is required; pass --password or set ADMIN_PASSWORD")
+	}
+	if config.Name == "" {
+		config.Name = "System Admin"
+	}
+	return config, nil
+}
+
+func openDB() (*gorm.DB, error) {
+	dsn := fmt.Sprintf(
+		"host=%s user=%s password=%s dbname=%s port=%s sslmode=disable TimeZone=Asia/Seoul",
+		getenv("DB_HOST", "localhost"),
+		getenv("DB_USER", "baron"),
+		getenv("DB_PASSWORD", "password"),
+		getenv("DB_NAME", "baron_sso"),
+		getenv("DB_PORT", "5432"),
+	)
+	return gorm.Open(postgres.Open(dsn), &gorm.Config{
+		Logger: gormLogger.New(
+			log.New(os.Stdout, "\r\n", log.LstdFlags),
+			gormLogger.Config{
+				SlowThreshold:             time.Second,
+				LogLevel:                  gormLogger.Warn,
+				IgnoreRecordNotFoundError: true,
+				Colorful:                  true,
+			},
+		),
+	})
+}
+
+func loadEnv() {
+	_ = godotenv.Load(".env")
+	_ = godotenv.Load("../.env")
+	_ = godotenv.Load("../../.env")
+}
+
+func getenv(key string, fallback string) string {
+	if value, ok := os.LookupEnv(key); ok {
+		return value
+	}
+	return fallback
+}
+
+func printUsage() {
+	fmt.Fprintln(os.Stderr, "usage:")
+	fmt.Fprintln(os.Stderr, "  adminctl create-super-admin [--email EMAIL] [--password PASSWORD] [--name NAME] [--update-password]")
+}

backend/cmd/adminctl/main_test.go

@@ -0,0 +1,62 @@
+package main
+
+import "testing"
+
+func TestResolveCreateSuperAdminConfigUsesEnvDefaults(t *testing.T) {
+	t.Setenv("ADMIN_EMAIL", "admin@example.com")
+	t.Setenv("ADMIN_PASSWORD", "Password!123")
+	t.Setenv("ADMIN_NAME", "Env Admin")
+
+	config, err := resolveCreateSuperAdminConfig([]string{})
+	if err != nil {
+		t.Fatalf("resolveCreateSuperAdminConfig returned error: %v", err)
+	}
+
+	if config.Email != "admin@example.com" {
+		t.Fatalf("email = %q", config.Email)
+	}
+	if config.Password != "Password!123" {
+		t.Fatal("password was not read from ADMIN_PASSWORD")
+	}
+	if config.Name != "Env Admin" {
+		t.Fatalf("name = %q", config.Name)
+	}
+}
+
+func TestResolveCreateSuperAdminConfigAllowsFlagOverrides(t *testing.T) {
+	t.Setenv("ADMIN_EMAIL", "admin@example.com")
+	t.Setenv("ADMIN_PASSWORD", "Password!123")
+	t.Setenv("ADMIN_NAME", "Env Admin")
+
+	config, err := resolveCreateSuperAdminConfig([]string{
+		"--email", "flag@example.com",
+		"--password", "FlagPassword!123",
+		"--name", "Flag Admin",
+		"--update-password",
+	})
+	if err != nil {
+		t.Fatalf("resolveCreateSuperAdminConfig returned error: %v", err)
+	}
+
+	if config.Email != "flag@example.com" {
+		t.Fatalf("email = %q", config.Email)
+	}
+	if config.Password != "FlagPassword!123" {
+		t.Fatal("password flag was not used")
+	}
+	if config.Name != "Flag Admin" {
+		t.Fatalf("name = %q", config.Name)
+	}
+	if !config.UpdatePassword {
+		t.Fatal("update password flag was not set")
+	}
+}
+
+func TestResolveCreateSuperAdminConfigRequiresEmailAndPassword(t *testing.T) {
+	t.Setenv("ADMIN_EMAIL", "")
+	t.Setenv("ADMIN_PASSWORD", "")
+
+	if _, err := resolveCreateSuperAdminConfig([]string{}); err == nil {
+		t.Fatal("expected error")
+	}
+}

backend/cmd/server/main.go

@@ -16,6 +16,7 @@ import (
 	"log/slog"
 	"net/url"
 	"os"
+	"path/filepath"
 	"strconv"
 	"strings"
 	"time"
@@ -39,6 +40,34 @@ func getEnv(key, fallback string) string {
 	return fallback
 }
 
+func getEnvFileOrValue(fileKey string, valueKey string, fallback string) (string, error) {
+	if path := strings.TrimSpace(getEnv(fileKey, "")); path != "" {
+		value, err := readEnvFileValue(path)
+		if err != nil {
+			return "", err
+		}
+		return value, nil
+	}
+	return getEnv(valueKey, fallback), nil
+}
+
+func readEnvFileValue(path string) (string, error) {
+	candidates := []string{path}
+	if !filepath.IsAbs(path) {
+		candidates = append(candidates, filepath.Join("..", path), filepath.Join("..", "..", path))
+	}
+
+	var lastErr error
+	for _, candidate := range candidates {
+		data, err := os.ReadFile(candidate)
+		if err == nil {
+			return string(data), nil
+		}
+		lastErr = err
+	}
+	return "", fmt.Errorf("read secret file %q: %w", path, lastErr)
+}
+
 func normalizeDocsPrefix(prefix string) string {
 	trimmed := strings.TrimSpace(prefix)
 	if trimmed == "" || trimmed == "/" {
@@ -268,11 +297,32 @@ func main() {
 	userGroupRepo := repository.NewUserGroupRepository(db)
 	userRepo := repository.NewUserRepository(db)
 	ketoOutboxRepo := repository.NewKetoOutboxRepository(db) // Reuse or re-init
+	worksmobileOutboxRepo := repository.NewWorksmobileOutboxRepository(db)
 	sharedLinkRepo := repository.NewSharedLinkRepository(db)
 	kratosAdminService := service.NewKratosAdminService()
 	oryAdminProvider := service.NewOryProvider()
 
 	tenantService := service.NewTenantService(tenantRepo, userRepo, userGroupRepo, ketoOutboxRepo)
+	worksmobilePrivateKey, err := getEnvFileOrValue("WORKS_ADMIN_OAUTH_CLIENT_PRIVATE_KEY_FILE", "WORKS_ADMIN_OAUTH_CLIENT_PRIVATE_KEY", "")
+	if err != nil {
+		slog.Error("Worksmobile private key file could not be loaded", "error", err)
+		os.Exit(1)
+	}
+	worksmobileClient := service.NewWorksmobileHTTPClientWithAuth(
+		getEnv("WORKS_ADMIN_ACCESS_TOKEN", getEnv("WORKS_ADMIN_OAUTH_ACCESS_TOKEN", "")),
+		getEnv("SAMAN_SCIM_LONGLIVE_TOKEN", ""),
+		service.WorksmobileOAuthConfig{
+			ClientID:       getEnv("WORKS_ADMIN_OAUTH_CLIENT_ID", ""),
+			ClientSecret:   getEnv("WORKS_ADMIN_OAUTH_CLIENT_SECRET", ""),
+			ServiceAccount: getEnv("WORKS_ADMIN_OAUTH_CLIENT_SERVICE_ACCOUNT", ""),
+			PrivateKey:     worksmobilePrivateKey,
+			Scope:          getEnv("WORKS_ADMIN_OAUTH_SCOPE", "directory"),
+		},
+	)
+	worksmobileService := service.NewWorksmobileSyncService(tenantService, userRepo, worksmobileOutboxRepo, worksmobileClient)
+	worksmobileRelayWorker := service.NewWorksmobileRelayWorker(worksmobileOutboxRepo, worksmobileClient)
+	go worksmobileRelayWorker.Start(context.Background())
+	slog.Info("✅ Worksmobile Relay Worker started")
 	sharedLinkService := service.NewSharedLinkService(sharedLinkRepo)
 	userGroupService := service.NewUserGroupService(userGroupRepo, userRepo, tenantRepo, ketoService, ketoOutboxRepo, kratosAdminService)
 	tenantService.SetKetoService(ketoService) // Keto 주입
@@ -301,6 +351,9 @@ func main() {
 	userGroupHandler := handler.NewUserGroupHandler(userGroupService)
 	relyingPartyHandler := handler.NewRelyingPartyHandler(relyingPartyService, kratosAdminService)
 	userHandler := handler.NewUserHandler(kratosAdminService, oryAdminProvider, tenantService, ketoService, ketoOutboxRepo, userRepo, userGroupRepo, auditRepo)
+	tenantHandler.SetWorksmobileSyncer(worksmobileService)
+	userHandler.SetWorksmobileSyncer(worksmobileService)
+	worksmobileHandler := handler.NewWorksmobileHandler(worksmobileService)
 	apiKeyHandler := handler.NewApiKeyHandler(db)
 
 	// 3. Initialize Fiber
@@ -532,6 +585,7 @@ func main() {
 
 	// Public Tenant Registration
 	api.Post("/tenants/registration", tenantHandler.RegisterTenantPublic)
+	api.Get("/admin/worksmobile/oauth/callback", worksmobileHandler.OAuthCallback)
 
 	// Tenant Context Middleware (identifies tenant from Host header)
 	api.Use(middleware.TenantContextMiddleware(middleware.TenantContextConfig{
@@ -643,6 +697,14 @@ func main() {
 	admin.Post("/tenants/:id/owners/:userId", requireAdmin, middleware.RequireKetoPermission(middleware.RBACConfig{AuthHandler: authHandler, KetoService: ketoService}, "Tenant", "manage"), tenantHandler.AddOwner)
 	admin.Delete("/tenants/:id/owners/:userId", requireAdmin, middleware.RequireKetoPermission(middleware.RBACConfig{AuthHandler: authHandler, KetoService: ketoService}, "Tenant", "manage"), tenantHandler.RemoveOwner)
 
+	admin.Get("/tenants/:tenantId/worksmobile", requireAdmin, middleware.RequireKetoPermission(middleware.RBACConfig{AuthHandler: authHandler, KetoService: ketoService}, "Tenant", "manage"), worksmobileHandler.GetOverview)
+	admin.Get("/tenants/:tenantId/worksmobile/comparison", requireAdmin, middleware.RequireKetoPermission(middleware.RBACConfig{AuthHandler: authHandler, KetoService: ketoService}, "Tenant", "manage"), worksmobileHandler.GetComparison)
+	admin.Get("/tenants/:tenantId/worksmobile/initial-passwords.csv", requireAdmin, middleware.RequireKetoPermission(middleware.RBACConfig{AuthHandler: authHandler, KetoService: ketoService}, "Tenant", "manage"), worksmobileHandler.DownloadInitialPasswordsCSV)
+	admin.Post("/tenants/:tenantId/worksmobile/backfill/dry-run", requireAdmin, middleware.RequireKetoPermission(middleware.RBACConfig{AuthHandler: authHandler, KetoService: ketoService}, "Tenant", "manage"), worksmobileHandler.BackfillDryRun)
+	admin.Post("/tenants/:tenantId/worksmobile/orgunits/:orgUnitId/sync", requireAdmin, middleware.RequireKetoPermission(middleware.RBACConfig{AuthHandler: authHandler, KetoService: ketoService}, "Tenant", "manage"), worksmobileHandler.SyncOrgUnit)
+	admin.Post("/tenants/:tenantId/worksmobile/users/:userId/sync", requireAdmin, middleware.RequireKetoPermission(middleware.RBACConfig{AuthHandler: authHandler, KetoService: ketoService}, "Tenant", "manage"), worksmobileHandler.SyncUser)
+	admin.Post("/tenants/:tenantId/worksmobile/jobs/:jobId/retry", requireAdmin, middleware.RequireKetoPermission(middleware.RBACConfig{AuthHandler: authHandler, KetoService: ketoService}, "Tenant", "manage"), worksmobileHandler.RetryJob)
+
 	// Organization & Org-Chart Management (Tenant Admin/Super Admin)
 	org := admin.Group("/tenants/:tenantId/organization")
 	org.Get("/", middleware.RequireKetoPermission(middleware.RBACConfig{AuthHandler: authHandler, KetoService: ketoService}, "Tenant", "view"), userGroupHandler.List)

backend/cmd/server/worksmobile_config_test.go

@@ -0,0 +1,39 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestGetEnvFileOrValueReadsSecretFile(t *testing.T) {
+	t.Setenv("WORKS_ADMIN_OAUTH_CLIENT_PRIVATE_KEY", "inline-value")
+
+	secretPath := filepath.Join(t.TempDir(), "worksmobile-private-key.pem")
+	want := "-----BEGIN PRIVATE KEY-----\nsecret\n-----END PRIVATE KEY-----\n"
+	if err := os.WriteFile(secretPath, []byte(want), 0o600); err != nil {
+		t.Fatalf("failed to write secret file: %v", err)
+	}
+	t.Setenv("WORKS_ADMIN_OAUTH_CLIENT_PRIVATE_KEY_FILE", secretPath)
+
+	got, err := getEnvFileOrValue("WORKS_ADMIN_OAUTH_CLIENT_PRIVATE_KEY_FILE", "WORKS_ADMIN_OAUTH_CLIENT_PRIVATE_KEY", "")
+	if err != nil {
+		t.Fatalf("getEnvFileOrValue returned error: %v", err)
+	}
+	if got != want {
+		t.Fatalf("secret value = %q, want file content", got)
+	}
+}
+
+func TestGetEnvFileOrValueFallsBackToRawEnv(t *testing.T) {
+	t.Setenv("WORKS_ADMIN_OAUTH_CLIENT_PRIVATE_KEY", "inline-value")
+	t.Setenv("WORKS_ADMIN_OAUTH_CLIENT_PRIVATE_KEY_FILE", "")
+
+	got, err := getEnvFileOrValue("WORKS_ADMIN_OAUTH_CLIENT_PRIVATE_KEY_FILE", "WORKS_ADMIN_OAUTH_CLIENT_PRIVATE_KEY", "")
+	if err != nil {
+		t.Fatalf("getEnvFileOrValue returned error: %v", err)
+	}
+	if got != "inline-value" {
+		t.Fatalf("secret value = %q, want raw env value", got)
+	}
+}