feat: 테넌트/RP 관리자 할당 UI 및 ReBAC 권한 검증 도구 구현 #244

2026-02-11 13:26:26 +09:00
parent 8856485265
commit 68df43f3a8
24 changed files with 1547 additions and 48 deletions
--- a/backend/internal/handler/dev_handler.go
+++ b/backend/internal/handler/dev_handler.go
@@ -166,6 +166,11 @@ func (h *DevHandler) GetClient(c *fiber.Ctx) error {
 		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
 	}

+	// Set for audit logging
+	if tid, ok := client.Metadata["tenant_id"].(string); ok {
+		c.Locals("tenant_id", tid)
+	}
+
 	summary := h.mapClientSummary(*client)
 	return c.JSON(clientDetailResponse{
 		Client: summary,
@@ -239,6 +244,9 @@ func (h *DevHandler) CreateClient(c *fiber.Ctx) error {
 		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "X-Tenant-ID header is required"})
 	}

+	// Set for audit logging
+	c.Locals("tenant_id", targetTenantID)
+
 	// Validate Permission
 	isAllowed := false
 	if profile.Role == domain.RoleSuperAdmin {
@@ -371,6 +379,11 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error {
 		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
 	}

+	// Set for audit logging
+	if tid, ok := current.Metadata["tenant_id"].(string); ok {
+		c.Locals("tenant_id", tid)
+	}
+
 	clientType := ""
 	if req.Type != nil {
 		clientType = strings.ToLower(strings.TrimSpace(*req.Type))
@@ -446,6 +459,14 @@ func (h *DevHandler) DeleteClient(c *fiber.Ctx) error {
 		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "client id is required"})
 	}

+	// Fetch first for audit log tenant_id
+	client, err := h.Hydra.GetClient(c.Context(), clientID)
+	if err == nil {
+		if tid, ok := client.Metadata["tenant_id"].(string); ok {
+			c.Locals("tenant_id", tid)
+		}
+	}
+
 	if err := h.Hydra.DeleteClient(c.Context(), clientID); err != nil {
 		if errors.Is(err, service.ErrHydraNotFound) {
 			return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": "client not found"})
@@ -625,6 +646,11 @@ func (h *DevHandler) RotateClientSecret(c *fiber.Ctx) error {
 		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
 	}

+	// Set for audit logging
+	if tid, ok := current.Metadata["tenant_id"].(string); ok {
+		c.Locals("tenant_id", tid)
+	}
+
 	// 3. Update Hydra
 	current.ClientSecret = newSecret
 	updated, err := h.Hydra.UpdateClient(c.Context(), clientID, *current)