테넌트 접근 제한/커스텀 클레임 관계 설정

2026-04-30 10:01:00 +09:00
parent 613d198690
commit 52936b2b88
7 changed files with 214 additions and 12 deletions
--- a/backend/internal/handler/dev_handler_test.go
+++ b/backend/internal/handler/dev_handler_test.go
@@ -453,6 +453,72 @@ func TestUpdateClient_PrivateClientAllowedByEditConfigPermission(t *testing.T) {
 	mockKeto.AssertExpectations(t)
 }

+func TestUpdateClient_ManagedRPAdminRequiresEditConfigPermission(t *testing.T) {
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"client_id":   "client-1",
+				"client_name": "App One",
+				"redirect_uris": []string{
+					"http://localhost/cb",
+				},
+				"grant_types":                []string{"authorization_code", "refresh_token"},
+				"response_types":             []string{"code"},
+				"scope":                      "openid profile email offline_access",
+				"token_endpoint_auth_method": "none",
+				"metadata": map[string]any{
+					"status":    "active",
+					"tenant_id": "tenant-1",
+				},
+			}), nil
+		}
+		if r.Method == http.MethodPut && r.URL.Path == "/clients/client-1" {
+			t.Fatalf("hydra update should not be called without edit_config permission")
+		}
+		return httpJSONAny(r, http.StatusNotFound, nil), nil
+	})
+
+	mockKeto := new(devMockKetoService)
+	mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "edit_config").Return(false, nil)
+
+	h := &DevHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: &http.Client{Transport: transport},
+		},
+		Keto: mockKeto,
+	}
+
+	app := fiber.New()
+	tenantID := "tenant-1"
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{
+			ID:       "user-1",
+			Role:     domain.RoleRPAdmin,
+			TenantID: &tenantID,
+			Metadata: map[string]any{
+				"managed_client_ids": []any{"client-1"},
+			},
+		})
+		return c.Next()
+	})
+	app.Put("/api/v1/dev/clients/:id", h.UpdateClient)
+
+	body, _ := json.Marshal(map[string]any{
+		"name": "App One Updated",
+		"metadata": map[string]any{
+			"tenant_access_restricted": true,
+			"allowed_tenants":          []string{"tenant-1"},
+		},
+	})
+	req := httptest.NewRequest(http.MethodPut, "/api/v1/dev/clients/client-1", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, _ := app.Test(req, -1)
+	assert.Equal(t, http.StatusForbidden, resp.StatusCode)
+	mockKeto.AssertExpectations(t)
+}
+
 func TestListClients_ProtectedSystemClientHidden(t *testing.T) {
 	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
 		if r.URL.Path == "/clients" {
@@ -634,6 +700,67 @@ func TestUpdateClientStatus_UserAllowedByStatusPermission(t *testing.T) {

 	mockKeto := new(devMockKetoService)
 	mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "change_status").Return(true, nil)
+	mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "edit_config").Return(false, nil)
+
+	h := &DevHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: &http.Client{Transport: transport},
+		},
+		Keto: mockKeto,
+	}
+	app := fiber.New()
+	tenantID := "tenant-1"
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{
+			ID:       "user-1",
+			Role:     domain.RoleUser,
+			TenantID: &tenantID,
+		})
+		return c.Next()
+	})
+	app.Patch("/api/v1/dev/clients/:id/status", h.UpdateClientStatus)
+
+	body, _ := json.Marshal(map[string]interface{}{"status": "inactive"})
+	req := httptest.NewRequest(http.MethodPatch, "/api/v1/dev/clients/client-1/status", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+	resp, _ := app.Test(req, -1)
+
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	var res clientDetailResponse
+	_ = json.NewDecoder(resp.Body).Decode(&res)
+	assert.Equal(t, "inactive", res.Client.Status)
+	mockKeto.AssertExpectations(t)
+}
+
+func TestUpdateClientStatus_UserAllowedByEditConfigPermission(t *testing.T) {
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
+			return httpJSONAny(r, http.StatusOK, map[string]interface{}{
+				"client_id":   "client-1",
+				"client_name": "App One",
+				"metadata": map[string]interface{}{
+					"tenant_id": "tenant-1",
+					"status":    "active",
+				},
+			}), nil
+		}
+		if r.Method == http.MethodPatch && r.URL.Path == "/clients/client-1" {
+			return httpJSONAny(r, http.StatusOK, map[string]interface{}{
+				"client_id":   "client-1",
+				"client_name": "App One",
+				"metadata": map[string]interface{}{
+					"tenant_id": "tenant-1",
+					"status":    "inactive",
+				},
+			}), nil
+		}
+		return httpJSONAny(r, http.StatusNotFound, nil), nil
+	})
+
+	mockKeto := new(devMockKetoService)
+	mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "change_status").Return(false, nil)
+	mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "edit_config").Return(true, nil)

 	h := &DevHandler{
 		Hydra: &service.HydraAdminService{