super admin 일반설정 제한 문제 수정

2026-05-27 14:19:11 +09:00
parent 939bf68f85
commit 262c5959cf
3 changed files with 285 additions and 10 deletions
--- a/backend/internal/handler/dev_handler_test.go
+++ b/backend/internal/handler/dev_handler_test.go
@@ -2,6 +2,7 @@ package handler

 import (
 	"baron-sso-backend/internal/domain"
+	auditmw "baron-sso-backend/internal/middleware"
 	"baron-sso-backend/internal/service"
 	"bytes"
 	"context"
@@ -591,6 +592,199 @@ func TestUpdateClient_ManagedRPAdminRequiresEditConfigPermission(t *testing.T) {
 	mockKeto.AssertExpectations(t)
 }

+func TestUpdateClient_SuperAdminBypassesEditConfigPermission(t *testing.T) {
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"client_id":   "client-1",
+				"client_name": "App One",
+				"redirect_uris": []string{
+					"http://localhost/cb",
+				},
+				"grant_types":                []string{"authorization_code", "refresh_token"},
+				"response_types":             []string{"code"},
+				"scope":                      "openid profile email offline_access",
+				"token_endpoint_auth_method": "client_secret_basic",
+				"metadata": map[string]any{
+					"status":    "active",
+					"tenant_id": "tenant-1",
+				},
+			}), nil
+		}
+		if r.Method == http.MethodPut && r.URL.Path == "/clients/client-1" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"client_id":   "client-1",
+				"client_name": "App One Updated",
+				"redirect_uris": []string{
+					"http://localhost/cb",
+				},
+				"grant_types":                []string{"authorization_code", "refresh_token"},
+				"response_types":             []string{"code"},
+				"scope":                      "openid profile email offline_access",
+				"token_endpoint_auth_method": "client_secret_basic",
+				"metadata": map[string]any{
+					"status":    "active",
+					"tenant_id": "tenant-1",
+				},
+			}), nil
+		}
+		return httpJSONAny(r, http.StatusNotFound, nil), nil
+	})
+
+	h := &DevHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: &http.Client{Transport: transport},
+		},
+	}
+
+	app := fiber.New()
+	tenantID := "tenant-1"
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{
+			ID:       "user-1",
+			Role:     domain.RoleSuperAdmin,
+			TenantID: &tenantID,
+		})
+		return c.Next()
+	})
+	app.Put("/api/v1/dev/clients/:id", h.UpdateClient)
+
+	body, _ := json.Marshal(map[string]any{
+		"name": "App One Updated",
+	})
+	req := httptest.NewRequest(http.MethodPut, "/api/v1/dev/clients/client-1", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, _ := app.Test(req, -1)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var result clientDetailResponse
+	_ = json.NewDecoder(resp.Body).Decode(&result)
+	assert.Equal(t, "App One Updated", result.Client.Name)
+}
+
+func TestUpdateClient_AuditDetailsIncludeGeneralSettingChanges(t *testing.T) {
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"client_id":   "client-1",
+				"client_name": "App One",
+				"redirect_uris": []string{
+					"http://localhost/cb",
+				},
+				"grant_types":                []string{"authorization_code", "refresh_token"},
+				"response_types":             []string{"code"},
+				"scope":                      "openid profile email",
+				"token_endpoint_auth_method": "client_secret_basic",
+				"metadata": map[string]any{
+					"status":                     "active",
+					"tenant_id":                  "tenant-1",
+					"tenant_access_restricted":    false,
+					"allowed_tenants":             []any{},
+					"id_token_claims":             []any{},
+					"headless_login_enabled":      false,
+					"headless_jwks_uri":           "",
+					"headless_token_endpoint_auth_method": "",
+				},
+			}), nil
+		}
+		if r.Method == http.MethodPut && r.URL.Path == "/clients/client-1" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"client_id":   "client-1",
+				"client_name": "App One Updated",
+				"redirect_uris": []string{
+					"http://localhost/cb",
+				},
+				"grant_types":                []string{"authorization_code", "refresh_token"},
+				"response_types":             []string{"code"},
+				"scope":                      "openid profile email tenant",
+				"token_endpoint_auth_method": "private_key_jwt",
+				"metadata": map[string]any{
+					"status":                     "active",
+					"tenant_id":                  "tenant-1",
+					"tenant_access_restricted":    true,
+					"allowed_tenants":             []any{"tenant-1", "tenant-2"},
+					"id_token_claims":             []any{map[string]any{"namespace": "top_level", "key": "locale", "valueType": "text", "value": "ko-KR"}},
+					"headless_login_enabled":      true,
+					"headless_jwks_uri":           "https://rp.example.com/jwks.json",
+					"headless_token_endpoint_auth_method": "private_key_jwt",
+				},
+			}), nil
+		}
+		return httpJSONAny(r, http.StatusNotFound, nil), nil
+	})
+
+	auditRepo := &mockAuditRepo{}
+	h := &DevHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: &http.Client{Transport: transport},
+		},
+		AuditRepo: auditRepo,
+	}
+
+	app := fiber.New()
+	app.Use(auditmw.AuditMiddleware(auditmw.AuditConfig{Repo: auditRepo}))
+	tenantID := "tenant-1"
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{
+			ID:       "user-1",
+			Role:     domain.RoleSuperAdmin,
+			TenantID: &tenantID,
+		})
+		return c.Next()
+	})
+	app.Put("/api/v1/dev/clients/:id", h.UpdateClient)
+
+	body, _ := json.Marshal(map[string]any{
+		"name": "App One Updated",
+		"scopes": []string{"openid", "profile", "email", "tenant"},
+		"metadata": map[string]any{
+			"tenant_access_restricted": true,
+			"allowed_tenants":          []string{"tenant-1", "tenant-2"},
+			"id_token_claims": []map[string]any{
+				{
+					"namespace": "top_level",
+					"key":       "locale",
+					"valueType": "text",
+					"value":     "ko-KR",
+				},
+			},
+			"headless_login_enabled":               true,
+			"headless_jwks_uri":                    "https://rp.example.com/jwks.json",
+			"headless_token_endpoint_auth_method":   "private_key_jwt",
+			"backchannel_logout_uri":               "https://rp.example.com/logout",
+			"backchannel_logout_session_required":  true,
+		},
+		"tokenEndpointAuthMethod": "private_key_jwt",
+		"jwksUri":                 "https://rp.example.com/jwks.json",
+		"backchannelLogoutUri":    "https://rp.example.com/logout",
+		"backchannelLogoutSessionRequired": true,
+	})
+	req := httptest.NewRequest(http.MethodPut, "/api/v1/dev/clients/client-1", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, _ := app.Test(req, -1)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	if assert.NotEmpty(t, auditRepo.logs) {
+		var details map[string]any
+		assert.NoError(t, json.Unmarshal([]byte(auditRepo.logs[0].Details), &details))
+		before, _ := details["before"].(map[string]any)
+		after, _ := details["after"].(map[string]any)
+		assert.NotNil(t, before)
+		assert.NotNil(t, after)
+		assert.Contains(t, after, "scopes")
+		assert.Contains(t, after, "tenant_access_restricted")
+		assert.Contains(t, after, "allowed_tenants")
+		assert.Contains(t, after, "id_token_claims")
+		assert.Contains(t, after, "headless_login_enabled")
+		assert.Contains(t, after, "headless_jwks_uri")
+		assert.Contains(t, after, "backchannel_logout_uri")
+		assert.Contains(t, after, "backchannel_logout_session_required")
+	}
+}
+
 func TestListClients_ProtectedSystemClientHidden(t *testing.T) {
 	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
 		if r.URL.Path == "/clients" {