개발자 신청 API 구현 및 RP 생성 시 Keto 권한 자동 부여 로직 추가

2026-04-22 11:41:44 +09:00
parent 18e9a2aa4a
commit 4139bb7064
3 changed files with 181 additions and 5 deletions
--- a/backend/internal/handler/dev_handler.go
+++ b/backend/internal/handler/dev_handler.go
@@ -34,6 +34,7 @@ type DevHandler struct {
 	KetoOutbox   repository.KetoOutboxRepository
 	RPSvc        service.RelyingPartyService
 	TenantSvc    service.TenantService
+	DeveloperSvc *service.DeveloperService
 	Auth         interface {
 		GetEnrichedProfile(c *fiber.Ctx) (*domain.UserProfileResponse, error)
 	}
@@ -47,6 +48,7 @@ func NewDevHandler(
 	keto service.KetoService,
 	ketoOutbox repository.KetoOutboxRepository,
 	tenantSvc service.TenantService,
+	developerSvc *service.DeveloperService,
 	auth ...interface {
 		GetEnrichedProfile(c *fiber.Ctx) (*domain.UserProfileResponse, error)
 	},
@@ -70,6 +72,7 @@ func NewDevHandler(
 		KetoOutbox:   ketoOutbox,
 		RPSvc:        rpSvc,
 		TenantSvc:    tenantSvc,
+		DeveloperSvc: developerSvc,
 		Auth:         authProvider,
 	}
 }
@@ -1551,6 +1554,22 @@ func (h *DevHandler) CreateClient(c *fiber.Ctx) error {
 	}
 	h.syncHeadlessJWKSCache(c.Context(), *created, "client_create")

+	// [New] Automatically grant admin permission to the creator in Keto
+	if h.KetoOutbox != nil && profile != nil {
+		err := h.KetoOutbox.Create(c.Context(), &domain.KetoOutbox{
+			Namespace: "RelyingParty",
+			Object:    created.ClientID,
+			Relation:  "admins",
+			Subject:   "User:" + profile.ID,
+			Action:    domain.KetoOutboxActionCreate,
+		})
+		if err != nil {
+			slog.Warn("failed to grant automatic admin permission to creator", "clientID", created.ClientID, "userID", profile.ID, "error", err)
+		} else {
+			slog.Info("granted automatic admin permission to creator", "clientID", created.ClientID, "userID", profile.ID)
+		}
+	}
+
 	// Store secret in metadata for later retrieval
 	if created.ClientSecret != "" {
 		// 1. Store in PostgreSQL (Source of Truth)
@@ -2781,3 +2800,68 @@ func (h *DevHandler) ListMyTenants(c *fiber.Ctx) error {

 	return c.JSON(tenants)
 }
+
+func (h *DevHandler) RequestDeveloperAccess(c *fiber.Ctx) error {
+	profile := h.getCurrentProfile(c)
+	if profile == nil {
+		return errorJSON(c, fiber.StatusUnauthorized, "unauthorized")
+	}
+
+	var req struct {
+		Name         string `json:"name"`
+		Organization string `json:"organization"`
+		Reason       string `json:"reason"`
+		TenantID     string `json:"tenantId"`
+	}
+	if err := c.BodyParser(&req); err != nil {
+		return errorJSON(c, fiber.StatusBadRequest, "invalid request body")
+	}
+
+	if req.TenantID == "" && profile.TenantID != nil {
+		req.TenantID = *profile.TenantID
+	}
+	if req.TenantID == "" {
+		return errorJSON(c, fiber.StatusBadRequest, "tenantId is required")
+	}
+
+	devReq := domain.DeveloperRequest{
+		UserID:       profile.ID,
+		TenantID:     req.TenantID,
+		Name:         req.Name,
+		Organization: req.Organization,
+		Reason:       req.Reason,
+		Status:       domain.DeveloperRequestStatusPending,
+	}
+
+	if err := h.DeveloperSvc.RequestAccess(c.Context(), devReq); err != nil {
+		return errorJSON(c, fiber.StatusInternalServerError, err.Error())
+	}
+
+	return c.Status(fiber.StatusCreated).JSON(fiber.Map{"status": "ok"})
+}
+
+func (h *DevHandler) GetDeveloperRequestStatus(c *fiber.Ctx) error {
+	profile := h.getCurrentProfile(c)
+	if profile == nil {
+		return errorJSON(c, fiber.StatusUnauthorized, "unauthorized")
+	}
+
+	tenantID := c.Query("tenantId")
+	if tenantID == "" && profile.TenantID != nil {
+		tenantID = *profile.TenantID
+	}
+	if tenantID == "" {
+		return errorJSON(c, fiber.StatusBadRequest, "tenantId is required")
+	}
+
+	status, err := h.DeveloperSvc.GetRequestStatus(c.Context(), profile.ID, tenantID)
+	if err != nil {
+		return errorJSON(c, fiber.StatusInternalServerError, err.Error())
+	}
+
+	if status == nil {
+		return c.JSON(fiber.Map{"status": "none"})
+	}
+
+	return c.JSON(status)
+}