forked from baron/baron-sso
super admin 일반설정 제한 문제 수정
This commit is contained in:
@@ -1958,7 +1958,8 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error {
|
|||||||
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
||||||
}
|
}
|
||||||
|
|
||||||
if !h.canOperateClientByPermit(c, profile, currentSummary, "edit_config") {
|
isSuperAdmin := role == domain.RoleSuperAdmin
|
||||||
|
if !isSuperAdmin && !h.canOperateClientByPermit(c, profile, currentSummary, "edit_config") {
|
||||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: edit_config permission is required")
|
return errorJSON(c, fiber.StatusForbidden, "forbidden: edit_config permission is required")
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1971,7 +1972,7 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// [Security] Check permission for private clients (both current and new type)
|
// [Security] Check permission for private clients (both current and new type)
|
||||||
if currentSummary.Type == "private" || clientType == "private" {
|
if !isSuperAdmin && (currentSummary.Type == "private" || clientType == "private") {
|
||||||
if !h.canBypassPrivateClientRestriction(c, profile, currentSummary, "edit_config") {
|
if !h.canBypassPrivateClientRestriction(c, profile, currentSummary, "edit_config") {
|
||||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client")
|
return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client")
|
||||||
}
|
}
|
||||||
@@ -2072,6 +2073,13 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error {
|
|||||||
}
|
}
|
||||||
tenantPolicyChanged := tenantAccessPolicyChanged(current.Metadata, updated.Metadata)
|
tenantPolicyChanged := tenantAccessPolicyChanged(current.Metadata, updated.Metadata)
|
||||||
|
|
||||||
|
beforeScopes := strings.Fields(current.Scope)
|
||||||
|
afterScopes := strings.Fields(updated.Scope)
|
||||||
|
beforeAllowedTenants := readStringSliceMetadata(current.Metadata, "allowed_tenants")
|
||||||
|
afterAllowedTenants := readStringSliceMetadata(metadata, "allowed_tenants")
|
||||||
|
beforeIDTokenClaims := readMetadataValueOrNil(current.Metadata, "id_token_claims")
|
||||||
|
afterIDTokenClaims := readMetadataValueOrNil(metadata, "id_token_claims")
|
||||||
|
|
||||||
h.setAuditDetailsExtra(c, map[string]any{
|
h.setAuditDetailsExtra(c, map[string]any{
|
||||||
"action": "UPDATE_CLIENT",
|
"action": "UPDATE_CLIENT",
|
||||||
"target_id": clientID,
|
"target_id": clientID,
|
||||||
@@ -2080,11 +2088,33 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error {
|
|||||||
"name": currentSummary.Name,
|
"name": currentSummary.Name,
|
||||||
"type": currentSummary.Type,
|
"type": currentSummary.Type,
|
||||||
"status": currentSummary.Status,
|
"status": currentSummary.Status,
|
||||||
|
"scopes": beforeScopes,
|
||||||
|
"tenant_access_restricted": readMetadataBoolValue(current.Metadata, "tenant_access_restricted"),
|
||||||
|
"allowed_tenants": beforeAllowedTenants,
|
||||||
|
"id_token_claims": beforeIDTokenClaims,
|
||||||
|
"token_endpoint_auth_method": current.TokenEndpointAuthMethod,
|
||||||
|
"jwks_uri": current.JWKSUri,
|
||||||
|
"backchannel_logout_uri": strings.TrimSpace(current.BackchannelLogoutURI()),
|
||||||
|
"backchannel_logout_session_required": current.BackchannelLogoutSessionRequiredValue(),
|
||||||
|
"headless_login_enabled": readMetadataBoolValue(current.Metadata, domain.MetadataHeadlessLoginEnabled),
|
||||||
|
"headless_token_endpoint_auth_method": readMetadataStringValue(current.Metadata, domain.MetadataHeadlessTokenEndpointAuthMethod),
|
||||||
|
"headless_jwks_uri": readMetadataStringValue(current.Metadata, domain.MetadataHeadlessJWKSURI),
|
||||||
},
|
},
|
||||||
"after": map[string]any{
|
"after": map[string]any{
|
||||||
"name": strings.TrimSpace(updated.ClientName),
|
"name": strings.TrimSpace(updated.ClientName),
|
||||||
"type": clientTypeOrDefault(updated.TokenEndpointAuthMethod),
|
"type": clientTypeOrDefault(updated.TokenEndpointAuthMethod),
|
||||||
"status": resolveStatusFromMetadata(updated.Metadata),
|
"status": resolveStatusFromMetadata(updated.Metadata),
|
||||||
|
"scopes": afterScopes,
|
||||||
|
"tenant_access_restricted": readMetadataBoolValue(metadata, "tenant_access_restricted"),
|
||||||
|
"allowed_tenants": afterAllowedTenants,
|
||||||
|
"id_token_claims": afterIDTokenClaims,
|
||||||
|
"token_endpoint_auth_method": resolvedTokenAuthMethod,
|
||||||
|
"jwks_uri": resolvedJWKSURI,
|
||||||
|
"backchannel_logout_uri": strings.TrimSpace(resolvedBackchannelLogoutURI),
|
||||||
|
"backchannel_logout_session_required": resolvedBackchannelLogoutSessionRequired,
|
||||||
|
"headless_login_enabled": readMetadataBoolValue(metadata, domain.MetadataHeadlessLoginEnabled),
|
||||||
|
"headless_token_endpoint_auth_method": readMetadataStringValue(metadata, domain.MetadataHeadlessTokenEndpointAuthMethod),
|
||||||
|
"headless_jwks_uri": readMetadataStringValue(metadata, domain.MetadataHeadlessJWKSURI),
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
|
|
||||||
@@ -2934,6 +2964,49 @@ func readMetadataBoolValue(metadata map[string]interface{}, key string) bool {
|
|||||||
return value
|
return value
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func readStringSliceMetadata(metadata map[string]interface{}, key string) []string {
|
||||||
|
if metadata == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
raw, ok := metadata[key]
|
||||||
|
if !ok || raw == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
switch typed := raw.(type) {
|
||||||
|
case []string:
|
||||||
|
result := make([]string, 0, len(typed))
|
||||||
|
for _, item := range typed {
|
||||||
|
if trimmed := strings.TrimSpace(item); trimmed != "" {
|
||||||
|
result = append(result, trimmed)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return result
|
||||||
|
case []interface{}:
|
||||||
|
result := make([]string, 0, len(typed))
|
||||||
|
for _, item := range typed {
|
||||||
|
if str, ok := item.(string); ok {
|
||||||
|
if trimmed := strings.TrimSpace(str); trimmed != "" {
|
||||||
|
result = append(result, trimmed)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return result
|
||||||
|
default:
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func readMetadataValueOrNil(metadata map[string]interface{}, key string) interface{} {
|
||||||
|
if metadata == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
value, ok := metadata[key]
|
||||||
|
if !ok {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return value
|
||||||
|
}
|
||||||
|
|
||||||
func normalizeBackchannelLogoutMetadata(metadata map[string]interface{}, logoutURI string, sessionRequired bool) (map[string]interface{}, error) {
|
func normalizeBackchannelLogoutMetadata(metadata map[string]interface{}, logoutURI string, sessionRequired bool) (map[string]interface{}, error) {
|
||||||
if metadata == nil {
|
if metadata == nil {
|
||||||
metadata = map[string]interface{}{}
|
metadata = map[string]interface{}{}
|
||||||
|
|||||||
@@ -2,6 +2,7 @@ package handler
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"baron-sso-backend/internal/domain"
|
"baron-sso-backend/internal/domain"
|
||||||
|
auditmw "baron-sso-backend/internal/middleware"
|
||||||
"baron-sso-backend/internal/service"
|
"baron-sso-backend/internal/service"
|
||||||
"bytes"
|
"bytes"
|
||||||
"context"
|
"context"
|
||||||
@@ -591,6 +592,199 @@ func TestUpdateClient_ManagedRPAdminRequiresEditConfigPermission(t *testing.T) {
|
|||||||
mockKeto.AssertExpectations(t)
|
mockKeto.AssertExpectations(t)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestUpdateClient_SuperAdminBypassesEditConfigPermission(t *testing.T) {
|
||||||
|
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
|
||||||
|
if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
|
||||||
|
return httpJSONAny(r, http.StatusOK, map[string]any{
|
||||||
|
"client_id": "client-1",
|
||||||
|
"client_name": "App One",
|
||||||
|
"redirect_uris": []string{
|
||||||
|
"http://localhost/cb",
|
||||||
|
},
|
||||||
|
"grant_types": []string{"authorization_code", "refresh_token"},
|
||||||
|
"response_types": []string{"code"},
|
||||||
|
"scope": "openid profile email offline_access",
|
||||||
|
"token_endpoint_auth_method": "client_secret_basic",
|
||||||
|
"metadata": map[string]any{
|
||||||
|
"status": "active",
|
||||||
|
"tenant_id": "tenant-1",
|
||||||
|
},
|
||||||
|
}), nil
|
||||||
|
}
|
||||||
|
if r.Method == http.MethodPut && r.URL.Path == "/clients/client-1" {
|
||||||
|
return httpJSONAny(r, http.StatusOK, map[string]any{
|
||||||
|
"client_id": "client-1",
|
||||||
|
"client_name": "App One Updated",
|
||||||
|
"redirect_uris": []string{
|
||||||
|
"http://localhost/cb",
|
||||||
|
},
|
||||||
|
"grant_types": []string{"authorization_code", "refresh_token"},
|
||||||
|
"response_types": []string{"code"},
|
||||||
|
"scope": "openid profile email offline_access",
|
||||||
|
"token_endpoint_auth_method": "client_secret_basic",
|
||||||
|
"metadata": map[string]any{
|
||||||
|
"status": "active",
|
||||||
|
"tenant_id": "tenant-1",
|
||||||
|
},
|
||||||
|
}), nil
|
||||||
|
}
|
||||||
|
return httpJSONAny(r, http.StatusNotFound, nil), nil
|
||||||
|
})
|
||||||
|
|
||||||
|
h := &DevHandler{
|
||||||
|
Hydra: &service.HydraAdminService{
|
||||||
|
AdminURL: "http://hydra.test",
|
||||||
|
HTTPClient: &http.Client{Transport: transport},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
app := fiber.New()
|
||||||
|
tenantID := "tenant-1"
|
||||||
|
app.Use(func(c *fiber.Ctx) error {
|
||||||
|
c.Locals("user_profile", &domain.UserProfileResponse{
|
||||||
|
ID: "user-1",
|
||||||
|
Role: domain.RoleSuperAdmin,
|
||||||
|
TenantID: &tenantID,
|
||||||
|
})
|
||||||
|
return c.Next()
|
||||||
|
})
|
||||||
|
app.Put("/api/v1/dev/clients/:id", h.UpdateClient)
|
||||||
|
|
||||||
|
body, _ := json.Marshal(map[string]any{
|
||||||
|
"name": "App One Updated",
|
||||||
|
})
|
||||||
|
req := httptest.NewRequest(http.MethodPut, "/api/v1/dev/clients/client-1", bytes.NewReader(body))
|
||||||
|
req.Header.Set("Content-Type", "application/json")
|
||||||
|
|
||||||
|
resp, _ := app.Test(req, -1)
|
||||||
|
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
||||||
|
|
||||||
|
var result clientDetailResponse
|
||||||
|
_ = json.NewDecoder(resp.Body).Decode(&result)
|
||||||
|
assert.Equal(t, "App One Updated", result.Client.Name)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestUpdateClient_AuditDetailsIncludeGeneralSettingChanges(t *testing.T) {
|
||||||
|
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
|
||||||
|
if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
|
||||||
|
return httpJSONAny(r, http.StatusOK, map[string]any{
|
||||||
|
"client_id": "client-1",
|
||||||
|
"client_name": "App One",
|
||||||
|
"redirect_uris": []string{
|
||||||
|
"http://localhost/cb",
|
||||||
|
},
|
||||||
|
"grant_types": []string{"authorization_code", "refresh_token"},
|
||||||
|
"response_types": []string{"code"},
|
||||||
|
"scope": "openid profile email",
|
||||||
|
"token_endpoint_auth_method": "client_secret_basic",
|
||||||
|
"metadata": map[string]any{
|
||||||
|
"status": "active",
|
||||||
|
"tenant_id": "tenant-1",
|
||||||
|
"tenant_access_restricted": false,
|
||||||
|
"allowed_tenants": []any{},
|
||||||
|
"id_token_claims": []any{},
|
||||||
|
"headless_login_enabled": false,
|
||||||
|
"headless_jwks_uri": "",
|
||||||
|
"headless_token_endpoint_auth_method": "",
|
||||||
|
},
|
||||||
|
}), nil
|
||||||
|
}
|
||||||
|
if r.Method == http.MethodPut && r.URL.Path == "/clients/client-1" {
|
||||||
|
return httpJSONAny(r, http.StatusOK, map[string]any{
|
||||||
|
"client_id": "client-1",
|
||||||
|
"client_name": "App One Updated",
|
||||||
|
"redirect_uris": []string{
|
||||||
|
"http://localhost/cb",
|
||||||
|
},
|
||||||
|
"grant_types": []string{"authorization_code", "refresh_token"},
|
||||||
|
"response_types": []string{"code"},
|
||||||
|
"scope": "openid profile email tenant",
|
||||||
|
"token_endpoint_auth_method": "private_key_jwt",
|
||||||
|
"metadata": map[string]any{
|
||||||
|
"status": "active",
|
||||||
|
"tenant_id": "tenant-1",
|
||||||
|
"tenant_access_restricted": true,
|
||||||
|
"allowed_tenants": []any{"tenant-1", "tenant-2"},
|
||||||
|
"id_token_claims": []any{map[string]any{"namespace": "top_level", "key": "locale", "valueType": "text", "value": "ko-KR"}},
|
||||||
|
"headless_login_enabled": true,
|
||||||
|
"headless_jwks_uri": "https://rp.example.com/jwks.json",
|
||||||
|
"headless_token_endpoint_auth_method": "private_key_jwt",
|
||||||
|
},
|
||||||
|
}), nil
|
||||||
|
}
|
||||||
|
return httpJSONAny(r, http.StatusNotFound, nil), nil
|
||||||
|
})
|
||||||
|
|
||||||
|
auditRepo := &mockAuditRepo{}
|
||||||
|
h := &DevHandler{
|
||||||
|
Hydra: &service.HydraAdminService{
|
||||||
|
AdminURL: "http://hydra.test",
|
||||||
|
HTTPClient: &http.Client{Transport: transport},
|
||||||
|
},
|
||||||
|
AuditRepo: auditRepo,
|
||||||
|
}
|
||||||
|
|
||||||
|
app := fiber.New()
|
||||||
|
app.Use(auditmw.AuditMiddleware(auditmw.AuditConfig{Repo: auditRepo}))
|
||||||
|
tenantID := "tenant-1"
|
||||||
|
app.Use(func(c *fiber.Ctx) error {
|
||||||
|
c.Locals("user_profile", &domain.UserProfileResponse{
|
||||||
|
ID: "user-1",
|
||||||
|
Role: domain.RoleSuperAdmin,
|
||||||
|
TenantID: &tenantID,
|
||||||
|
})
|
||||||
|
return c.Next()
|
||||||
|
})
|
||||||
|
app.Put("/api/v1/dev/clients/:id", h.UpdateClient)
|
||||||
|
|
||||||
|
body, _ := json.Marshal(map[string]any{
|
||||||
|
"name": "App One Updated",
|
||||||
|
"scopes": []string{"openid", "profile", "email", "tenant"},
|
||||||
|
"metadata": map[string]any{
|
||||||
|
"tenant_access_restricted": true,
|
||||||
|
"allowed_tenants": []string{"tenant-1", "tenant-2"},
|
||||||
|
"id_token_claims": []map[string]any{
|
||||||
|
{
|
||||||
|
"namespace": "top_level",
|
||||||
|
"key": "locale",
|
||||||
|
"valueType": "text",
|
||||||
|
"value": "ko-KR",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
"headless_login_enabled": true,
|
||||||
|
"headless_jwks_uri": "https://rp.example.com/jwks.json",
|
||||||
|
"headless_token_endpoint_auth_method": "private_key_jwt",
|
||||||
|
"backchannel_logout_uri": "https://rp.example.com/logout",
|
||||||
|
"backchannel_logout_session_required": true,
|
||||||
|
},
|
||||||
|
"tokenEndpointAuthMethod": "private_key_jwt",
|
||||||
|
"jwksUri": "https://rp.example.com/jwks.json",
|
||||||
|
"backchannelLogoutUri": "https://rp.example.com/logout",
|
||||||
|
"backchannelLogoutSessionRequired": true,
|
||||||
|
})
|
||||||
|
req := httptest.NewRequest(http.MethodPut, "/api/v1/dev/clients/client-1", bytes.NewReader(body))
|
||||||
|
req.Header.Set("Content-Type", "application/json")
|
||||||
|
|
||||||
|
resp, _ := app.Test(req, -1)
|
||||||
|
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
||||||
|
if assert.NotEmpty(t, auditRepo.logs) {
|
||||||
|
var details map[string]any
|
||||||
|
assert.NoError(t, json.Unmarshal([]byte(auditRepo.logs[0].Details), &details))
|
||||||
|
before, _ := details["before"].(map[string]any)
|
||||||
|
after, _ := details["after"].(map[string]any)
|
||||||
|
assert.NotNil(t, before)
|
||||||
|
assert.NotNil(t, after)
|
||||||
|
assert.Contains(t, after, "scopes")
|
||||||
|
assert.Contains(t, after, "tenant_access_restricted")
|
||||||
|
assert.Contains(t, after, "allowed_tenants")
|
||||||
|
assert.Contains(t, after, "id_token_claims")
|
||||||
|
assert.Contains(t, after, "headless_login_enabled")
|
||||||
|
assert.Contains(t, after, "headless_jwks_uri")
|
||||||
|
assert.Contains(t, after, "backchannel_logout_uri")
|
||||||
|
assert.Contains(t, after, "backchannel_logout_session_required")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func TestListClients_ProtectedSystemClientHidden(t *testing.T) {
|
func TestListClients_ProtectedSystemClientHidden(t *testing.T) {
|
||||||
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
|
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
|
||||||
if r.URL.Path == "/clients" {
|
if r.URL.Path == "/clients" {
|
||||||
|
|||||||
@@ -54,6 +54,7 @@ import {
|
|||||||
import { t } from "../../lib/i18n";
|
import { t } from "../../lib/i18n";
|
||||||
import { resolveProfileRole } from "../../lib/role";
|
import { resolveProfileRole } from "../../lib/role";
|
||||||
import { cn } from "../../lib/utils";
|
import { cn } from "../../lib/utils";
|
||||||
|
import { fetchMe, type UserProfile } from "../auth/authApi";
|
||||||
import { ClientDetailTabs } from "./ClientDetailTabs";
|
import { ClientDetailTabs } from "./ClientDetailTabs";
|
||||||
|
|
||||||
interface ScopeItem {
|
interface ScopeItem {
|
||||||
@@ -326,12 +327,19 @@ function ClientGeneralPage() {
|
|||||||
const params = useParams();
|
const params = useParams();
|
||||||
const navigate = useNavigate();
|
const navigate = useNavigate();
|
||||||
const queryClient = useQueryClient();
|
const queryClient = useQueryClient();
|
||||||
|
const hasAccessToken = Boolean(auth.user?.access_token);
|
||||||
const clientId = params.id;
|
const clientId = params.id;
|
||||||
const isCreate = !clientId;
|
const isCreate = !clientId;
|
||||||
const currentUserId = auth.user?.profile.sub;
|
|
||||||
const systemRole = resolveProfileRole(
|
const systemRole = resolveProfileRole(
|
||||||
auth.user?.profile as Record<string, unknown> | undefined,
|
auth.user?.profile as Record<string, unknown> | undefined,
|
||||||
);
|
);
|
||||||
|
const { data: me } = useQuery<UserProfile>({
|
||||||
|
queryKey: ["userMe"],
|
||||||
|
queryFn: fetchMe,
|
||||||
|
enabled: hasAccessToken,
|
||||||
|
});
|
||||||
|
const currentUserId = me?.id ?? auth.user?.profile.sub;
|
||||||
|
const effectiveSystemRole = me?.role?.trim() || systemRole;
|
||||||
const { data, isLoading, error } = useQuery({
|
const { data, isLoading, error } = useQuery({
|
||||||
queryKey: ["client", clientId],
|
queryKey: ["client", clientId],
|
||||||
queryFn: () => fetchClient(clientId as string),
|
queryFn: () => fetchClient(clientId as string),
|
||||||
@@ -569,7 +577,7 @@ function ClientGeneralPage() {
|
|||||||
const securityProfile: SecurityProfile =
|
const securityProfile: SecurityProfile =
|
||||||
clientType === "pkce" ? "pkce" : "private";
|
clientType === "pkce" ? "pkce" : "private";
|
||||||
const canEditExistingClientGeneralSettings =
|
const canEditExistingClientGeneralSettings =
|
||||||
systemRole === "super_admin" ||
|
effectiveSystemRole === "super_admin" ||
|
||||||
relationData?.items?.some(
|
relationData?.items?.some(
|
||||||
(item: ClientRelation) =>
|
(item: ClientRelation) =>
|
||||||
item.subject === `User:${currentUserId}` &&
|
item.subject === `User:${currentUserId}` &&
|
||||||
|
|||||||
Reference in New Issue
Block a user