feat: 테넌트/RP 관리자 할당 UI 및 ReBAC 권한 검증 도구 구현 #244

2026-02-11 13:26:26 +09:00
parent 8856485265
commit 68df43f3a8
24 changed files with 1547 additions and 48 deletions
--- a/backend/internal/service/relying_party_service.go
+++ b/backend/internal/service/relying_party_service.go
@@ -16,6 +16,9 @@ type RelyingPartyService interface {
 	Update(ctx context.Context, clientID string, client domain.HydraClient) (*domain.RelyingParty, error)
 	Delete(ctx context.Context, clientID string) error
 	CheckPermission(ctx context.Context, userID, clientID, relation string) (bool, error)
+	AddOwner(ctx context.Context, clientID, subject string) error
+	RemoveOwner(ctx context.Context, clientID, subject string) error
+	ListOwners(ctx context.Context, clientID string) ([]string, error)
 }

 type relyingPartyService struct {
@@ -163,6 +166,27 @@ func (s *relyingPartyService) CheckPermission(ctx context.Context, userID, clien
 	return s.ketoService.CheckPermission(ctx, userID, "RelyingParty", clientID, relation)
 }

+func (s *relyingPartyService) AddOwner(ctx context.Context, clientID, subject string) error {
+	return s.ketoService.CreateRelation(ctx, "RelyingParty", clientID, "owners", subject)
+}
+
+func (s *relyingPartyService) RemoveOwner(ctx context.Context, clientID, subject string) error {
+	return s.ketoService.DeleteRelation(ctx, "RelyingParty", clientID, "owners", subject)
+}
+
+func (s *relyingPartyService) ListOwners(ctx context.Context, clientID string) ([]string, error) {
+	tuples, err := s.ketoService.ListRelations(ctx, "RelyingParty", clientID, "owners", "")
+	if err != nil {
+		return nil, err
+	}
+
+	subjects := make([]string, 0, len(tuples))
+	for _, t := range tuples {
+		subjects = append(subjects, t.SubjectID)
+	}
+	return subjects, nil
+}
+
 func (s *relyingPartyService) mapHydraToDomain(client *domain.HydraClient) *domain.RelyingParty {
 	if client == nil {
 		return nil
--- a/backend/internal/service/tenant_group_service.go
+++ b/backend/internal/service/tenant_group_service.go
@@ -15,6 +15,9 @@ type TenantGroupService interface {
 	DeleteGroup(ctx context.Context, id string) error
 	AddTenantToGroup(ctx context.Context, groupID, tenantID string) error
 	RemoveTenantFromGroup(ctx context.Context, groupID, tenantID string) error
+	AddGroupAdmin(ctx context.Context, groupID, userID string) error
+	RemoveGroupAdmin(ctx context.Context, groupID, userID string) error
+	ListGroupAdmins(ctx context.Context, groupID string) ([]string, error)
 }

 type tenantGroupService struct {
@@ -92,3 +95,36 @@ func (s *tenantGroupService) RemoveTenantFromGroup(ctx context.Context, groupID,
 	}
 	return nil
 }
+
+func (s *tenantGroupService) AddGroupAdmin(ctx context.Context, groupID, userID string) error {
+	if s.keto == nil {
+		return nil
+	}
+	return s.keto.CreateRelation(ctx, "TenantGroup", groupID, "admins", "User:"+userID)
+}
+
+func (s *tenantGroupService) RemoveGroupAdmin(ctx context.Context, groupID, userID string) error {
+	if s.keto == nil {
+		return nil
+	}
+	return s.keto.DeleteRelation(ctx, "TenantGroup", groupID, "admins", "User:"+userID)
+}
+
+func (s *tenantGroupService) ListGroupAdmins(ctx context.Context, groupID string) ([]string, error) {
+	if s.keto == nil {
+		return []string{}, nil
+	}
+	tuples, err := s.keto.ListRelations(ctx, "TenantGroup", groupID, "admins", "")
+	if err != nil {
+		return nil, err
+	}
+
+	userIDs := make([]string, 0, len(tuples))
+	for _, t := range tuples {
+		// subject_id is "User:uuid"
+		if len(t.SubjectID) > 5 && t.SubjectID[:5] == "User:" {
+			userIDs = append(userIDs, t.SubjectID[5:])
+		}
+	}
+	return userIDs, nil
+}
--- a/backend/internal/service/tenant_service.go
+++ b/backend/internal/service/tenant_service.go
@@ -21,6 +21,9 @@ type TenantService interface {
 	ListManageableTenants(ctx context.Context, userID string) ([]domain.Tenant, error)
 	ApproveTenant(ctx context.Context, id string) error
 	SetKetoService(keto KetoService) // 추가
+	AddTenantAdmin(ctx context.Context, tenantID, userID string) error
+	RemoveTenantAdmin(ctx context.Context, tenantID, userID string) error
+	ListTenantAdmins(ctx context.Context, tenantID string) ([]string, error)
 }

 type tenantService struct {
@@ -208,3 +211,35 @@ func (s *tenantService) GetTenantByDomain(ctx context.Context, emailDomain strin
 func (s *tenantService) GetTenantBySlug(ctx context.Context, slug string) (*domain.Tenant, error) {
 	return s.repo.FindBySlug(ctx, slug)
 }
+
+func (s *tenantService) AddTenantAdmin(ctx context.Context, tenantID, userID string) error {
+	if s.keto == nil {
+		return errors.New("keto service not initialized")
+	}
+	return s.keto.CreateRelation(ctx, "Tenant", tenantID, "admins", "User:"+userID)
+}
+
+func (s *tenantService) RemoveTenantAdmin(ctx context.Context, tenantID, userID string) error {
+	if s.keto == nil {
+		return errors.New("keto service not initialized")
+	}
+	return s.keto.DeleteRelation(ctx, "Tenant", tenantID, "admins", "User:"+userID)
+}
+
+func (s *tenantService) ListTenantAdmins(ctx context.Context, tenantID string) ([]string, error) {
+	if s.keto == nil {
+		return nil, errors.New("keto service not initialized")
+	}
+	tuples, err := s.keto.ListRelations(ctx, "Tenant", tenantID, "admins", "")
+	if err != nil {
+		return nil, err
+	}
+
+	userIDs := make([]string, 0, len(tuples))
+	for _, t := range tuples {
+		if len(t.SubjectID) > 5 && t.SubjectID[:5] == "User:" {
+			userIDs = append(userIDs, t.SubjectID[5:])
+		}
+	}
+	return userIDs, nil
+}