forked from baron/baron-sso
RP 생성 admin 관계 중복 부여 수정
This commit is contained in:
@@ -752,6 +752,24 @@ func mapRelationTupleSummary(tuple service.RelationTuple, identity *service.Krat
|
|||||||
return summary
|
return summary
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func dedupeRelationTuples(tuples []service.RelationTuple) []service.RelationTuple {
|
||||||
|
if len(tuples) <= 1 {
|
||||||
|
return tuples
|
||||||
|
}
|
||||||
|
|
||||||
|
seen := make(map[string]struct{}, len(tuples))
|
||||||
|
deduped := make([]service.RelationTuple, 0, len(tuples))
|
||||||
|
for _, tuple := range tuples {
|
||||||
|
key := strings.TrimSpace(tuple.Relation) + "\x00" + strings.TrimSpace(tuple.SubjectID)
|
||||||
|
if _, exists := seen[key]; exists {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
seen[key] = struct{}{}
|
||||||
|
deduped = append(deduped, tuple)
|
||||||
|
}
|
||||||
|
return deduped
|
||||||
|
}
|
||||||
|
|
||||||
func (h *DevHandler) loadClientSummary(ctx context.Context, clientID string) (clientSummary, error) {
|
func (h *DevHandler) loadClientSummary(ctx context.Context, clientID string) (clientSummary, error) {
|
||||||
clientID = strings.TrimSpace(clientID)
|
clientID = strings.TrimSpace(clientID)
|
||||||
if clientID == "" {
|
if clientID == "" {
|
||||||
@@ -1210,6 +1228,7 @@ func (h *DevHandler) ListClientRelations(c *fiber.Ctx) error {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
|
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
|
||||||
}
|
}
|
||||||
|
tuples = dedupeRelationTuples(tuples)
|
||||||
for _, tuple := range tuples {
|
for _, tuple := range tuples {
|
||||||
var identity *service.KratosIdentity
|
var identity *service.KratosIdentity
|
||||||
if tuple.SubjectID != "" && h.KratosAdmin != nil {
|
if tuple.SubjectID != "" && h.KratosAdmin != nil {
|
||||||
@@ -1722,23 +1741,11 @@ func (h *DevHandler) CreateClient(c *fiber.Ctx) error {
|
|||||||
// [New] Automatically grant admin permission to the creator in Keto
|
// [New] Automatically grant admin permission to the creator in Keto
|
||||||
if h.KetoOutbox != nil && profile != nil {
|
if h.KetoOutbox != nil && profile != nil {
|
||||||
subject := "User:" + profile.ID
|
subject := "User:" + profile.ID
|
||||||
err := h.KetoOutbox.Create(c.Context(), &domain.KetoOutbox{
|
if err := h.grantCreatorAdminRelation(c, created.ClientID, subject); err != nil {
|
||||||
Namespace: "RelyingParty",
|
|
||||||
Object: created.ClientID,
|
|
||||||
Relation: "admins",
|
|
||||||
Subject: subject,
|
|
||||||
Action: domain.KetoOutboxActionCreate,
|
|
||||||
})
|
|
||||||
if err != nil {
|
|
||||||
slog.Warn("failed to grant automatic admin permission to creator", "clientID", created.ClientID, "userID", profile.ID, "error", err)
|
slog.Warn("failed to grant automatic admin permission to creator", "clientID", created.ClientID, "userID", profile.ID, "error", err)
|
||||||
} else {
|
} else {
|
||||||
slog.Info("granted automatic admin permission to creator", "clientID", created.ClientID, "userID", profile.ID)
|
slog.Info("granted automatic admin permission to creator", "clientID", created.ClientID, "userID", profile.ID)
|
||||||
}
|
}
|
||||||
if h.Keto != nil {
|
|
||||||
if err := h.Keto.CreateRelation(c.Context(), "RelyingParty", created.ClientID, "admins", subject); err != nil {
|
|
||||||
slog.Warn("failed to grant immediate admin permission to creator", "clientID", created.ClientID, "userID", profile.ID, "error", err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Store secret in metadata for later retrieval
|
// Store secret in metadata for later retrieval
|
||||||
@@ -3314,6 +3321,41 @@ func (h *DevHandler) ensureDeveloperGrantRelation(c *fiber.Ctx, userID, tenantID
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (h *DevHandler) grantCreatorAdminRelation(c *fiber.Ctx, clientID string, subject string) error {
|
||||||
|
clientID = strings.TrimSpace(clientID)
|
||||||
|
subject = strings.TrimSpace(subject)
|
||||||
|
if clientID == "" || subject == "" {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
if h.Keto != nil {
|
||||||
|
existing, err := h.Keto.ListRelations(c.Context(), "RelyingParty", clientID, "admins", subject)
|
||||||
|
if err == nil && len(existing) > 0 {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
if err == nil {
|
||||||
|
if createErr := h.Keto.CreateRelation(c.Context(), "RelyingParty", clientID, "admins", subject); createErr == nil {
|
||||||
|
return nil
|
||||||
|
} else {
|
||||||
|
slog.Warn("failed to grant immediate admin permission to creator; falling back to outbox", "clientID", clientID, "subject", subject, "error", createErr)
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
slog.Warn("failed to check existing admin relation for creator; falling back to outbox", "clientID", clientID, "subject", subject, "error", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if h.KetoOutbox == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return h.KetoOutbox.Create(c.Context(), &domain.KetoOutbox{
|
||||||
|
Namespace: "RelyingParty",
|
||||||
|
Object: clientID,
|
||||||
|
Relation: "admins",
|
||||||
|
Subject: subject,
|
||||||
|
Action: domain.KetoOutboxActionCreate,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
func (h *DevHandler) revokeDeveloperGrantRelation(c *fiber.Ctx, userID, tenantID string) {
|
func (h *DevHandler) revokeDeveloperGrantRelation(c *fiber.Ctx, userID, tenantID string) {
|
||||||
if h.KetoOutbox == nil || strings.TrimSpace(userID) == "" || strings.TrimSpace(tenantID) == "" {
|
if h.KetoOutbox == nil || strings.TrimSpace(userID) == "" || strings.TrimSpace(tenantID) == "" {
|
||||||
return
|
return
|
||||||
|
|||||||
@@ -1053,17 +1053,9 @@ func TestCreateClient_ApprovedDeveloperCanCreatePrivateClient(t *testing.T) {
|
|||||||
|
|
||||||
mockKeto := new(devMockKetoService)
|
mockKeto := new(devMockKetoService)
|
||||||
mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "Tenant", "tenant-a", "grant_dev_permissions").Return(true, nil)
|
mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "Tenant", "tenant-a", "grant_dev_permissions").Return(true, nil)
|
||||||
|
mockKeto.On("ListRelations", mock.Anything, "RelyingParty", "client-1", "admins", "User:user-1").Return([]service.RelationTuple{}, nil)
|
||||||
mockKeto.On("CreateRelation", mock.Anything, "RelyingParty", "client-1", "admins", "User:user-1").Return(nil)
|
mockKeto.On("CreateRelation", mock.Anything, "RelyingParty", "client-1", "admins", "User:user-1").Return(nil)
|
||||||
|
|
||||||
mockOutbox := new(devMockKetoOutboxRepository)
|
|
||||||
mockOutbox.On("Create", mock.Anything, mock.MatchedBy(func(entry *domain.KetoOutbox) bool {
|
|
||||||
return entry.Namespace == "RelyingParty" &&
|
|
||||||
entry.Object == "client-1" &&
|
|
||||||
entry.Relation == "admins" &&
|
|
||||||
entry.Subject == "User:user-1" &&
|
|
||||||
entry.Action == domain.KetoOutboxActionCreate
|
|
||||||
})).Return(nil)
|
|
||||||
|
|
||||||
h := &DevHandler{
|
h := &DevHandler{
|
||||||
Hydra: &service.HydraAdminService{
|
Hydra: &service.HydraAdminService{
|
||||||
AdminURL: "http://hydra.test",
|
AdminURL: "http://hydra.test",
|
||||||
@@ -1072,7 +1064,7 @@ func TestCreateClient_ApprovedDeveloperCanCreatePrivateClient(t *testing.T) {
|
|||||||
SecretRepo: &mockSecretRepo{secrets: make(map[string]string)},
|
SecretRepo: &mockSecretRepo{secrets: make(map[string]string)},
|
||||||
Redis: &devMockRedisRepo{data: make(map[string]string)},
|
Redis: &devMockRedisRepo{data: make(map[string]string)},
|
||||||
Keto: mockKeto,
|
Keto: mockKeto,
|
||||||
KetoOutbox: mockOutbox,
|
KetoOutbox: new(devMockKetoOutboxRepository),
|
||||||
}
|
}
|
||||||
|
|
||||||
app := fiber.New()
|
app := fiber.New()
|
||||||
@@ -1099,6 +1091,37 @@ func TestCreateClient_ApprovedDeveloperCanCreatePrivateClient(t *testing.T) {
|
|||||||
resp, _ := app.Test(req, -1)
|
resp, _ := app.Test(req, -1)
|
||||||
assert.Equal(t, http.StatusCreated, resp.StatusCode)
|
assert.Equal(t, http.StatusCreated, resp.StatusCode)
|
||||||
mockKeto.AssertExpectations(t)
|
mockKeto.AssertExpectations(t)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestGrantCreatorAdminRelation_FallsBackToOutboxOnImmediateFailure(t *testing.T) {
|
||||||
|
mockKeto := new(devMockKetoService)
|
||||||
|
mockKeto.On("ListRelations", mock.Anything, "RelyingParty", "client-1", "admins", "User:user-1").Return([]service.RelationTuple{}, nil).Once()
|
||||||
|
mockKeto.On("CreateRelation", mock.Anything, "RelyingParty", "client-1", "admins", "User:user-1").Return(assert.AnError).Once()
|
||||||
|
|
||||||
|
mockOutbox := new(devMockKetoOutboxRepository)
|
||||||
|
mockOutbox.On("Create", mock.Anything, mock.MatchedBy(func(entry *domain.KetoOutbox) bool {
|
||||||
|
return entry.Namespace == "RelyingParty" &&
|
||||||
|
entry.Object == "client-1" &&
|
||||||
|
entry.Relation == "admins" &&
|
||||||
|
entry.Subject == "User:user-1" &&
|
||||||
|
entry.Action == domain.KetoOutboxActionCreate
|
||||||
|
})).Return(nil).Once()
|
||||||
|
|
||||||
|
h := &DevHandler{
|
||||||
|
Keto: mockKeto,
|
||||||
|
KetoOutbox: mockOutbox,
|
||||||
|
}
|
||||||
|
|
||||||
|
app := fiber.New()
|
||||||
|
app.Get("/test", func(c *fiber.Ctx) error {
|
||||||
|
assert.NoError(t, h.grantCreatorAdminRelation(c, "client-1", "User:user-1"))
|
||||||
|
return c.SendStatus(fiber.StatusOK)
|
||||||
|
})
|
||||||
|
|
||||||
|
req := httptest.NewRequest(http.MethodGet, "/test", nil)
|
||||||
|
resp, _ := app.Test(req, -1)
|
||||||
|
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
||||||
|
mockKeto.AssertExpectations(t)
|
||||||
mockOutbox.AssertExpectations(t)
|
mockOutbox.AssertExpectations(t)
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -2487,6 +2510,75 @@ func TestListClientRelations_RPAdminAllowedByViewRelationshipsPermission(t *test
|
|||||||
assert.Equal(t, "kyy01", result.Items[0].UserLoginID)
|
assert.Equal(t, "kyy01", result.Items[0].UserLoginID)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestListClientRelations_DedupesDuplicateRelations(t *testing.T) {
|
||||||
|
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
|
||||||
|
if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
|
||||||
|
return httpJSONAny(r, http.StatusOK, map[string]any{
|
||||||
|
"client_id": "client-1",
|
||||||
|
"client_name": "App One",
|
||||||
|
"metadata": map[string]any{
|
||||||
|
"tenant_id": "tenant-1",
|
||||||
|
"status": "active",
|
||||||
|
},
|
||||||
|
}), nil
|
||||||
|
}
|
||||||
|
return httpJSONAny(r, http.StatusNotFound, nil), nil
|
||||||
|
})
|
||||||
|
|
||||||
|
mockKeto := new(devMockKetoService)
|
||||||
|
mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "view_relationships").Return(true, nil)
|
||||||
|
mockKeto.On("ListRelations", mock.Anything, "RelyingParty", "client-1", "admins", "").Return([]service.RelationTuple{
|
||||||
|
{Namespace: "RelyingParty", Object: "client-1", Relation: "admins", SubjectID: "User:user-1"},
|
||||||
|
{Namespace: "RelyingParty", Object: "client-1", Relation: "admins", SubjectID: "User:user-1"},
|
||||||
|
}, nil)
|
||||||
|
for _, relation := range []string{"creator", "config_editor", "secret_viewer", "secret_rotator", "jwks_viewer", "jwks_operator", "consent_viewer", "consent_revoker", "relationship_viewer", "audit_viewer", "status_operator"} {
|
||||||
|
mockKeto.On("ListRelations", mock.Anything, "RelyingParty", "client-1", relation, "").Return([]service.RelationTuple{}, nil)
|
||||||
|
}
|
||||||
|
|
||||||
|
mockKratos := new(devMockKratosAdmin)
|
||||||
|
mockKratos.On("GetIdentity", mock.Anything, "user-1").Return(&service.KratosIdentity{
|
||||||
|
ID: "user-1",
|
||||||
|
Traits: map[string]interface{}{
|
||||||
|
"name": "Tester",
|
||||||
|
"email": "tester@example.com",
|
||||||
|
},
|
||||||
|
}, nil).Once()
|
||||||
|
|
||||||
|
h := &DevHandler{
|
||||||
|
Hydra: &service.HydraAdminService{
|
||||||
|
AdminURL: "http://hydra.test",
|
||||||
|
HTTPClient: &http.Client{Transport: transport},
|
||||||
|
},
|
||||||
|
Keto: mockKeto,
|
||||||
|
KratosAdmin: mockKratos,
|
||||||
|
}
|
||||||
|
|
||||||
|
app := fiber.New()
|
||||||
|
app.Use(func(c *fiber.Ctx) error {
|
||||||
|
tenantID := "tenant-1"
|
||||||
|
c.Locals("user_profile", &domain.UserProfileResponse{
|
||||||
|
ID: "user-1",
|
||||||
|
Role: domain.RoleRPAdmin,
|
||||||
|
TenantID: &tenantID,
|
||||||
|
})
|
||||||
|
return c.Next()
|
||||||
|
})
|
||||||
|
app.Get("/api/v1/dev/clients/:id/relations", h.ListClientRelations)
|
||||||
|
|
||||||
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients/client-1/relations", nil)
|
||||||
|
resp, _ := app.Test(req, -1)
|
||||||
|
|
||||||
|
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
||||||
|
var result clientRelationListResponse
|
||||||
|
_ = json.NewDecoder(resp.Body).Decode(&result)
|
||||||
|
if assert.Len(t, result.Items, 1) {
|
||||||
|
assert.Equal(t, "admins", result.Items[0].Relation)
|
||||||
|
assert.Equal(t, "User:user-1", result.Items[0].Subject)
|
||||||
|
}
|
||||||
|
mockKeto.AssertExpectations(t)
|
||||||
|
mockKratos.AssertExpectations(t)
|
||||||
|
}
|
||||||
|
|
||||||
func TestAddClientRelation_RPAdminAllowedByTenantGrantPermission(t *testing.T) {
|
func TestAddClientRelation_RPAdminAllowedByTenantGrantPermission(t *testing.T) {
|
||||||
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
|
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
|
||||||
if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
|
if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
|
||||||
|
|||||||
Reference in New Issue
Block a user