kevin/baron-sso
1
0
Fork 0
forked from baron/baron-sso
Code Pull Requests Activity

RP 테넌트 접근 정책 변경 시 기존 consent 자동 폐기

Browse Source
This commit is contained in:
김용연
2026-04-24 17:59:54 +09:00
parent b9232687b5
commit 3f85f6cfe3
8 changed files with 500 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
backend/internal/handler/dev_handler.go
View File

@@ -618,6 +618,47 @@ func isProtectedSystemClientID(clientID string) bool {
return ok
}
func tenantAccessPolicyChanged(before, after map[string]interface{}) bool {
if clientTenantAccessRestricted(before) != clientTenantAccessRestricted(after) {
return true
}
beforeAllowed := clientAllowedTenants(before)
afterAllowed := clientAllowedTenants(after)
if len(beforeAllowed) != len(afterAllowed) {
return true
}
for i := range beforeAllowed {
if beforeAllowed[i] != afterAllowed[i] {
return true
}
}
return false
}
func (h *DevHandler) revokeClientConsentsForPolicyChange(ctx context.Context, clientID string) error {
if h.ConsentRepo == nil || h.Hydra == nil {
return nil
}
subjects, err := h.ConsentRepo.ListSubjectsByClient(ctx, clientID)
if err != nil {
return err
}
for _, subject := range subjects {
subject = strings.TrimSpace(subject)
if subject == "" {
continue
}
if err := h.Hydra.RevokeConsentSessions(ctx, subject, clientID); err != nil {
return err
}
}
return h.ConsentRepo.DeleteByClient(ctx, clientID)
}
func isProtectedSystemClient(client domain.HydraClient) bool {
return isProtectedSystemClientID(client.ClientID)
}
@@ -1767,6 +1808,7 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error {
if err := validateReservedSystemClientName(updated.ClientID, updated.ClientName); err != nil {
return errorJSON(c, fiber.StatusForbidden, err.Error())
}
tenantPolicyChanged := tenantAccessPolicyChanged(current.Metadata, updated.Metadata)
h.setAuditDetailsExtra(c, map[string]any{
"action": "UPDATE_CLIENT",
@@ -1788,6 +1830,11 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error {
if err != nil {
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
}
if tenantPolicyChanged {
if err := h.revokeClientConsentsForPolicyChange(c.Context(), clientID); err != nil {
return errorJSON(c, fiber.StatusInternalServerError, "failed to revoke existing consents after tenant policy update: "+err.Error())
}
}
h.syncHeadlessJWKSCache(c.Context(), *updatedClient, "client_update")
if updatedClient.ClientSecret != "" {