forked from baron/baron-sso
테넌트 접속 제한 백엔드 로직 수정
This commit is contained in:
@@ -181,37 +181,27 @@ func TestGetConsentRequest_DeniesTenantAccess(t *testing.T) {
|
||||
}
|
||||
|
||||
app := fiber.New()
|
||||
tenantID := "tenant-a"
|
||||
app.Use(func(c *fiber.Ctx) error {
|
||||
c.Locals("user_profile", &domain.UserProfileResponse{
|
||||
ID: "user-123",
|
||||
Role: domain.RoleUser,
|
||||
TenantID: &tenantID,
|
||||
})
|
||||
return c.Next()
|
||||
})
|
||||
app.Get("/api/v1/auth/consent", h.GetConsentRequest)
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/consent?consent_challenge=challenge-tenant", nil)
|
||||
req.Header.Set("Cookie", "ory_kratos_session=session-1")
|
||||
req.Header.Set("X-Mock-Role", "user")
|
||||
req.Header.Set("X-Tenant-ID", "tenant-a")
|
||||
|
||||
resp, err := app.Test(req)
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, http.StatusForbidden, resp.StatusCode)
|
||||
|
||||
bodyBytes, _ := io.ReadAll(resp.Body)
|
||||
var body map[string]any
|
||||
assert.NoError(t, json.Unmarshal(bodyBytes, &body))
|
||||
assert.Equal(t, "tenant_not_allowed", body["code"])
|
||||
}
|
||||
|
||||
func TestAcceptOidcLoginRequest_DeniesTenantAccess(t *testing.T) {
|
||||
func TestGetConsentRequest_DeniesRestrictedClientWhenProfileResolutionFails(t *testing.T) {
|
||||
acceptCalled := false
|
||||
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
|
||||
switch {
|
||||
case r.URL.Path == "/oauth2/auth/requests/login" && r.URL.Query().Get("login_challenge") == "login-tenant":
|
||||
case r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-profile-missing":
|
||||
return httpJSONAny(r, http.StatusOK, map[string]any{
|
||||
"challenge": "login-tenant",
|
||||
"subject": "user-123",
|
||||
"challenge": "challenge-profile-missing",
|
||||
"requested_scope": []string{"openid", "profile"},
|
||||
"skip": false,
|
||||
"subject": "user-123",
|
||||
"client": map[string]any{
|
||||
"client_id": "client-tenant",
|
||||
"metadata": map[string]any{
|
||||
@@ -220,15 +210,10 @@ func TestAcceptOidcLoginRequest_DeniesTenantAccess(t *testing.T) {
|
||||
},
|
||||
},
|
||||
}), nil
|
||||
case r.URL.Host == "kratos.test" && r.URL.Path == "/sessions/whoami":
|
||||
case r.URL.Path == "/oauth2/auth/requests/consent/accept":
|
||||
acceptCalled = true
|
||||
return httpJSONAny(r, http.StatusOK, map[string]any{
|
||||
"identity": map[string]any{
|
||||
"id": "user-123",
|
||||
"traits": map[string]any{
|
||||
"email": "user@test.com",
|
||||
"tenant_id": "tenant-a",
|
||||
},
|
||||
},
|
||||
"redirect_to": "http://rp/cb",
|
||||
}), nil
|
||||
default:
|
||||
return httpJSONAny(r, http.StatusNotFound, nil), nil
|
||||
@@ -247,33 +232,50 @@ func TestAcceptOidcLoginRequest_DeniesTenantAccess(t *testing.T) {
|
||||
AdminURL: "http://hydra.test",
|
||||
HTTPClient: client,
|
||||
},
|
||||
ConsentRepo: &mockConsentRepo{
|
||||
consents: []domain.ClientConsent{
|
||||
{
|
||||
ClientID: "client-tenant",
|
||||
Subject: "user-123",
|
||||
GrantedScopes: []string{"openid", "profile"},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
app := fiber.New()
|
||||
tenantID := "tenant-a"
|
||||
app.Use(func(c *fiber.Ctx) error {
|
||||
c.Locals("user_profile", &domain.UserProfileResponse{
|
||||
ID: "user-123",
|
||||
Role: domain.RoleUser,
|
||||
TenantID: &tenantID,
|
||||
})
|
||||
return c.Next()
|
||||
})
|
||||
app.Post("/api/v1/auth/oidc/login/accept", h.AcceptOidcLoginRequest)
|
||||
app.Get("/api/v1/auth/consent", h.GetConsentRequest)
|
||||
|
||||
reqBody, _ := json.Marshal(map[string]any{
|
||||
"login_challenge": "login-tenant",
|
||||
})
|
||||
req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/oidc/login/accept", bytes.NewReader(reqBody))
|
||||
req.Header.Set("Content-Type", "application/json")
|
||||
req.Header.Set("Cookie", "ory_kratos_session=session-1")
|
||||
req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/consent?consent_challenge=challenge-profile-missing", nil)
|
||||
req.Header.Set("Cookie", "ory_kratos_session=invalid-session")
|
||||
|
||||
resp, err := app.Test(req)
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, http.StatusForbidden, resp.StatusCode)
|
||||
|
||||
bodyBytes, _ := io.ReadAll(resp.Body)
|
||||
var body map[string]any
|
||||
assert.NoError(t, json.Unmarshal(bodyBytes, &body))
|
||||
assert.Equal(t, "tenant_not_allowed", body["code"])
|
||||
assert.False(t, acceptCalled)
|
||||
}
|
||||
|
||||
func TestAcceptOidcLoginRequest_DeniesTenantAccess(t *testing.T) {
|
||||
app := fiber.New()
|
||||
app.Get("/deny", func(c *fiber.Ctx) error {
|
||||
tenantID := "tenant-a"
|
||||
profile := &domain.UserProfileResponse{
|
||||
ID: "user-123",
|
||||
Role: domain.RoleUser,
|
||||
TenantID: &tenantID,
|
||||
}
|
||||
client := domain.HydraClient{
|
||||
ClientID: "client-tenant",
|
||||
Metadata: map[string]any{
|
||||
"tenant_access_restricted": true,
|
||||
"allowed_tenants": []string{"tenant-b"},
|
||||
},
|
||||
}
|
||||
return enforceClientTenantAccess(c, client, profile, nil)
|
||||
})
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/deny", nil)
|
||||
resp, err := app.Test(req)
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, http.StatusForbidden, resp.StatusCode)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user