1
0
forked from baron/baron-sso

fix(backend): prevent duplicate key constraint on empty login id when syncing users

This commit is contained in:
2026-03-31 13:11:32 +09:00
parent 4b34ab8161
commit 5029b8049b
6 changed files with 154 additions and 18 deletions

View File

@@ -213,10 +213,52 @@ func (s *userGroupService) List(ctx context.Context, tenantID string) ([]domain.
func (s *userGroupService) AddMember(ctx context.Context, groupID, userID string) error {
// Validate group exists
if _, err := s.repo.FindByID(ctx, groupID); err != nil {
group, err := s.repo.FindByID(ctx, groupID)
if err != nil {
return fmt.Errorf("user group not found: %w", err)
}
// [Fix] Sync Kratos Traits & Local DB when a user is added to an organization
if s.kratos != nil && s.tenantRepo != nil {
tenant, err := s.tenantRepo.FindByID(ctx, group.TenantID)
if err == nil && tenant != nil {
// Fetch Kratos Identity
identity, err := s.kratos.GetIdentity(ctx, userID)
if err == nil && identity != nil {
traits := identity.Traits
if traits == nil {
traits = make(map[string]interface{})
}
traits["companyCode"] = tenant.Slug
traits["tenant_id"] = tenant.ID
traits["department"] = group.Name
// Update Kratos
_, updateErr := s.kratos.UpdateIdentity(ctx, userID, traits, identity.State)
if updateErr != nil {
slog.Error("Failed to update identity traits during AddMember", "user", userID, "error", updateErr)
}
}
}
}
// Sync local user repo
if s.userRepo != nil && s.tenantRepo != nil {
tenant, _ := s.tenantRepo.FindByID(ctx, group.TenantID)
if tenant != nil {
localUser, err := s.userRepo.FindByID(ctx, userID)
if err == nil && localUser != nil {
localUser.CompanyCode = tenant.Slug
localUser.TenantID = &tenant.ID
localUser.Department = group.Name
if localUser.LoginID == "" {
localUser.LoginID = localUser.ID
}
_ = s.userRepo.Update(ctx, localUser)
}
}
}
// Keto via Outbox: Tenant:<groupID>#members@User:<userID>
if s.outboxRepo != nil {
_ = s.outboxRepo.Create(ctx, &domain.KetoOutbox{
@@ -226,6 +268,15 @@ func (s *userGroupService) AddMember(ctx context.Context, groupID, userID string
Subject: "User:" + userID,
Action: domain.KetoOutboxActionCreate,
})
// Also add direct Tenant membership to Keto for member counting
_ = s.outboxRepo.Create(ctx, &domain.KetoOutbox{
Namespace: "Tenant",
Object: group.TenantID,
Relation: "members",
Subject: "User:" + userID,
Action: domain.KetoOutboxActionCreate,
})
}
return nil

View File

@@ -189,21 +189,47 @@ func TestUserGroupService_AddMember(t *testing.T) {
mockOutbox := new(MockKetoOutboxRepositoryShared)
mockUserGroupRepo := new(MockUserGroupRepository)
mockUserRepo := new(MockUserRepository)
svc := NewUserGroupService(mockUserGroupRepo, mockUserRepo, nil, nil, mockOutbox, nil)
mockTenantRepo := new(MockTenantRepository)
mockKratos := new(MockKratosAdminServiceShared)
svc := NewUserGroupService(mockUserGroupRepo, mockUserRepo, mockTenantRepo, nil, mockOutbox, mockKratos)
groupID := "group-1"
userID := "user-1"
tenantID := "tenant-1"
tenantSlug := "tenant-slug"
mockUserGroupRepo.On("FindByID", mock.Anything, groupID).Return(&domain.UserGroup{ID: groupID}, nil)
mockUserGroupRepo.On("FindByID", mock.Anything, groupID).Return(&domain.UserGroup{ID: groupID, TenantID: tenantID, Name: "Sales"}, nil)
mockUserRepo.On("FindByID", mock.Anything, userID).Return(&domain.User{ID: userID}, nil)
mockTenantRepo.On("FindByID", mock.Anything, tenantID).Return(&domain.Tenant{ID: tenantID, Slug: tenantSlug}, nil)
// Mock Kratos
mockKratos.On("GetIdentity", mock.Anything, userID).Return(&KratosIdentity{
ID: userID,
Traits: map[string]interface{}{"email": "user@test.com"},
State: "active",
}, nil)
mockKratos.On("UpdateIdentity", mock.Anything, userID, mock.Anything, "active").Return(&KratosIdentity{}, nil)
// Mock local user repo update (Ignored since Update is hardcoded to return nil without calling m.Called)
// mockUserRepo.On("Update", mock.Anything, mock.MatchedBy(func(u *domain.User) bool {
// return u.CompanyCode == tenantSlug && *u.TenantID == tenantID && u.Department == "Sales"
// })).Return(nil)
// First Outbox Create for Group
mockOutbox.On("Create", mock.Anything, mock.MatchedBy(func(e *domain.KetoOutbox) bool {
return e.Namespace == "Tenant" && e.Object == groupID && e.Relation == "members" && e.Subject == "User:"+userID
})).Return(nil)
})).Return(nil).Once()
// Second Outbox Create for Tenant
mockOutbox.On("Create", mock.Anything, mock.MatchedBy(func(e *domain.KetoOutbox) bool {
return e.Namespace == "Tenant" && e.Object == tenantID && e.Relation == "members" && e.Subject == "User:"+userID
})).Return(nil).Once()
err := svc.AddMember(context.Background(), groupID, userID)
assert.NoError(t, err)
mockOutbox.AssertExpectations(t)
mockKratos.AssertExpectations(t)
// mockUserRepo.AssertExpectations(t)
}
func TestUserGroupService_AssignRoleToTenant(t *testing.T) {