Ory Keto ReBAC Policy & Relation Tuple Architecture

2026-02-20 17:56:05 +09:00
parent 226a236bf2
commit 2ec2653bfb
23 changed files with 980 additions and 396 deletions
--- a/backend/internal/handler/tenant_handler.go
+++ b/backend/internal/handler/tenant_handler.go
@@ -16,14 +16,16 @@ type TenantHandler struct {
 	DB          *gorm.DB
 	Service     service.TenantService
 	Keto        service.KetoService
+	KetoOutbox  repository.KetoOutboxRepository
 	KratosAdmin *service.KratosAdminService
 }

-func NewTenantHandler(db *gorm.DB, svc service.TenantService, keto service.KetoService, kratos *service.KratosAdminService) *TenantHandler {
+func NewTenantHandler(db *gorm.DB, svc service.TenantService, keto service.KetoService, outbox repository.KetoOutboxRepository, kratos *service.KratosAdminService) *TenantHandler {
 	return &TenantHandler{
 		DB:          db,
 		Service:     svc,
 		Keto:        keto,
+		KetoOutbox:  outbox,
 		KratosAdmin: kratos,
 	}
 }
@@ -324,7 +326,7 @@ func (h *TenantHandler) ListAdmins(c *fiber.Ctx) error {
 	}

 	// Fetch admins from Keto
-	relations, err := h.Keto.ListRelations(c.Context(), "Tenant", tenantID, "admin", "")
+	relations, err := h.Keto.ListRelations(c.Context(), "Tenant", tenantID, "admins", "")
 	if err != nil {
 		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
 	}
@@ -375,8 +377,14 @@ func (h *TenantHandler) AddAdmin(c *fiber.Ctx) error {
 		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "tenantId and userId are required"})
 	}

-	if err := h.Keto.CreateRelation(c.Context(), "Tenant", tenantID, "admin", "User:"+userID); err != nil {
-		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	if h.KetoOutbox != nil {
+		_ = h.KetoOutbox.Create(c.Context(), &domain.KetoOutbox{
+			Namespace: "Tenant",
+			Object:    tenantID,
+			Relation:  "admins",
+			Subject:   "User:" + userID,
+			Action:    domain.KetoOutboxActionCreate,
+		})
 	}

 	return c.SendStatus(fiber.StatusOK)
@@ -389,8 +397,14 @@ func (h *TenantHandler) RemoveAdmin(c *fiber.Ctx) error {
 		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "tenantId and userId are required"})
 	}

-	if err := h.Keto.DeleteRelation(c.Context(), "Tenant", tenantID, "admin", "User:"+userID); err != nil {
-		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	if h.KetoOutbox != nil {
+		_ = h.KetoOutbox.Create(c.Context(), &domain.KetoOutbox{
+			Namespace: "Tenant",
+			Object:    tenantID,
+			Relation:  "admins",
+			Subject:   "User:" + userID,
+			Action:    domain.KetoOutboxActionDelete,
+		})
 	}

 	return c.SendStatus(fiber.StatusNoContent)