feat: 테넌트/RP 관리자 할당 UI 및 ReBAC 권한 검증 도구 구현 #244

2026-02-11 13:26:26 +09:00
parent 8856485265
commit 68df43f3a8
24 changed files with 1547 additions and 48 deletions
--- a/backend/internal/handler/admin_handler.go
+++ b/backend/internal/handler/admin_handler.go
@@ -1,22 +1,51 @@
 package handler

 import (
+	"baron-sso-backend/internal/service"
 	"runtime"
 	"time"

 	"github.com/gofiber/fiber/v2"
 )

-type AdminHandler struct{}
+type AdminHandler struct {
+	Keto service.KetoService
+}

-func NewAdminHandler() *AdminHandler {
-	return &AdminHandler{}
+func NewAdminHandler(keto service.KetoService) *AdminHandler {
+	return &AdminHandler{Keto: keto}
 }

 func (h *AdminHandler) CheckAuth(c *fiber.Ctx) error {
 	return c.Status(fiber.StatusOK).JSON(fiber.Map{"status": "ok"})
 }

+func (h *AdminHandler) CheckPermission(c *fiber.Ctx) error {
+	namespace := c.Query("namespace")
+	object := c.Query("object")
+	relation := c.Query("relation")
+	subject := c.Query("subject")
+
+	if namespace == "" || object == "" || relation == "" || subject == "" {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "namespace, object, relation, and subject are required"})
+	}
+
+	allowed, err := h.Keto.CheckPermission(c.Context(), subject, namespace, object, relation)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	return c.JSON(fiber.Map{
+		"allowed": allowed,
+		"query": fiber.Map{
+			"namespace": namespace,
+			"object":    object,
+			"relation":  relation,
+			"subject":   subject,
+		},
+	})
+}
+
 // GetSystemStats returns runtime statistics for monitoring
 func (h *AdminHandler) GetSystemStats(c *fiber.Ctx) error {
 	var m runtime.MemStats