adminfront: 탭별 세부 권한 격리 부여를 위한 독자적인 5번째 탭(세부 권한) 추가 및 연동 완료

backend/internal/handler/tenant_handler.go

@@ -3206,3 +3206,168 @@ func (h *TenantHandler) GetPublicOrgChart(c *fiber.Ctx) error {
 		"sharedWith": link.Name,
 	})
 }
+
+type tenantRelationRequest struct {
+	UserID   string `json:"userId"`
+	Relation string `json:"relation"`
+}
+
+func (h *TenantHandler) ListRelations(c *fiber.Ctx) error {
+	tenantID := c.Params("id")
+	if tenantID == "" {
+		return errorJSON(c, fiber.StatusBadRequest, "tenant id is required")
+	}
+
+	relations, err := h.Keto.ListRelations(c.Context(), "Tenant", tenantID, "", "")
+	if err != nil {
+		return errorJSON(c, fiber.StatusInternalServerError, err.Error())
+	}
+
+	allowedRelations := map[string]bool{
+		"profile_viewers":         true,
+		"profile_managers":        true,
+		"permissions_viewers":     true,
+		"permissions_managers":    true,
+		"organization_viewers":    true,
+		"organization_managers":   true,
+		"schema_viewers":          true,
+		"schema_managers":         true,
+	}
+
+	type userRelationInfo struct {
+		UserID    string   `json:"userId"`
+		Name      string   `json:"name"`
+		Email     string   `json:"email"`
+		Relations []string `json:"relations"`
+	}
+
+	userMap := make(map[string][]string)
+	for _, rel := range relations {
+		if !allowedRelations[rel.Relation] {
+			continue
+		}
+		if !strings.HasPrefix(rel.SubjectID, "User:") {
+			continue
+		}
+		userID := strings.TrimPrefix(rel.SubjectID, "User:")
+		userMap[userID] = append(userMap[userID], rel.Relation)
+	}
+
+	items := []userRelationInfo{}
+	for userID, rels := range userMap {
+		name := "Unknown"
+		email := "Unknown"
+
+		if h.KratosAdmin != nil {
+			identity, err := h.KratosAdmin.GetIdentity(c.Context(), userID)
+			if err == nil && identity != nil {
+				if n, ok := identity.Traits["name"].(string); ok {
+					name = n
+				}
+				if e, ok := identity.Traits["email"].(string); ok {
+					email = e
+				}
+			}
+		}
+		
+		if name == "Unknown" && email == "Unknown" && h.UserRepo != nil {
+			user, err := h.UserRepo.FindByID(c.Context(), userID)
+			if err == nil && user != nil {
+				name = user.Name
+				email = user.Email
+			} else if userID == "00000000-0000-0000-0000-000000000000" {
+				name = "Dev Mock User"
+				email = "mock@hmac.kr"
+			}
+		}
+
+		items = append(items, userRelationInfo{
+			UserID:    userID,
+			Name:      name,
+			Email:     email,
+			Relations: rels,
+		})
+	}
+
+	return c.JSON(fiber.Map{
+		"items": items,
+	})
+}
+
+func (h *TenantHandler) AddRelation(c *fiber.Ctx) error {
+	tenantID := c.Params("id")
+	if tenantID == "" {
+		return errorJSON(c, fiber.StatusBadRequest, "tenant id is required")
+	}
+
+	var req tenantRelationRequest
+	if err := c.BodyParser(&req); err != nil {
+		return errorJSON(c, fiber.StatusBadRequest, "invalid request body")
+	}
+
+	if req.UserID == "" || req.Relation == "" {
+		return errorJSON(c, fiber.StatusBadRequest, "userId and relation are required")
+	}
+
+	allowedRelations := map[string]bool{
+		"profile_viewers":         true,
+		"profile_managers":        true,
+		"permissions_viewers":     true,
+		"permissions_managers":    true,
+		"organization_viewers":    true,
+		"organization_managers":   true,
+		"schema_viewers":          true,
+		"schema_managers":         true,
+	}
+
+	if !allowedRelations[req.Relation] {
+		return errorJSON(c, fiber.StatusBadRequest, "invalid or unsupported relation")
+	}
+
+	if h.Keto != nil {
+		relations, err := h.Keto.ListRelations(c.Context(), "Tenant", tenantID, req.Relation, "User:"+req.UserID)
+		if err == nil && len(relations) > 0 {
+			return errorJSON(c, fiber.StatusConflict, "이미 해당 세부 권한이 등록된 사용자입니다.")
+		}
+	}
+
+	if h.KetoOutbox != nil {
+		_ = h.KetoOutbox.Create(c.Context(), &domain.KetoOutbox{
+			Namespace: "Tenant",
+			Object:    tenantID,
+			Relation:  req.Relation,
+			Subject:   "User:" + req.UserID,
+			Action:    domain.KetoOutboxActionCreate,
+		})
+	}
+
+	return c.SendStatus(fiber.StatusOK)
+}
+
+func (h *TenantHandler) RemoveRelation(c *fiber.Ctx) error {
+	tenantID := c.Params("id")
+	if tenantID == "" {
+		return errorJSON(c, fiber.StatusBadRequest, "tenant id is required")
+	}
+
+	var req tenantRelationRequest
+	if err := c.BodyParser(&req); err != nil {
+		return errorJSON(c, fiber.StatusBadRequest, "invalid request body")
+	}
+
+	if req.UserID == "" || req.Relation == "" {
+		return errorJSON(c, fiber.StatusBadRequest, "userId and relation are required")
+	}
+
+	if h.KetoOutbox != nil {
+		_ = h.KetoOutbox.Create(c.Context(), &domain.KetoOutbox{
+			Namespace: "Tenant",
+			Object:    tenantID,
+			Relation:  req.Relation,
+			Subject:   "User:" + req.UserID,
+			Action:    domain.KetoOutboxActionDelete,
+		})
+	}
+
+	return c.SendStatus(fiber.StatusOK)
+}

backend/internal/handler/tenant_handler_relations_test.go

@@ -0,0 +1,169 @@
+package handler
+
+import (
+	"baron-sso-backend/internal/domain"
+	"baron-sso-backend/internal/repository"
+	"baron-sso-backend/internal/service"
+	"baron-sso-backend/internal/testsupport"
+	"bytes"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+)
+
+func TestTenantHandler_Relations(t *testing.T) {
+	if !testsupport.DockerAvailable() {
+		t.Skip("Docker provider is unavailable in this environment")
+	}
+
+	db := newTenantHandlerSeedDeleteDB(t)
+	if err := db.AutoMigrate(&domain.TenantDomain{}, &domain.KetoOutbox{}); err != nil {
+		t.Fatalf("failed to migrate tenant domains or outbox: %v", err)
+	}
+
+	// Create a test tenant in DB with a valid UUID
+	tenantID := "00000000-0000-0000-0000-000000000030"
+	tenant := domain.Tenant{
+		ID:     tenantID,
+		Name:   "Relation Test Tenant",
+		Slug:   "relation-test-tenant",
+		Type:   domain.TenantTypeCompany,
+		Status: domain.TenantStatusActive,
+	}
+	if err := db.Create(&tenant).Error; err != nil {
+		t.Fatalf("failed to create tenant: %v", err)
+	}
+
+	mockSvc := new(MockTenantService)
+	mockKeto := new(devMockKetoService)
+	realOutbox := repository.NewKetoOutboxRepository(db)
+
+	h := &TenantHandler{
+		DB:         db,
+		Service:    mockSvc,
+		Keto:       mockKeto,
+		KetoOutbox: realOutbox,
+	}
+
+	userID := "user-relation-1"
+
+	t.Run("ListRelations - Returns correct relations aggregated by user", func(t *testing.T) {
+		app := fiber.New()
+		app.Get("/tenants/:id/relations", h.ListRelations)
+
+		mockKeto.On("ListRelations", mock.Anything, "Tenant", tenantID, "", "").Return([]service.RelationTuple{
+			{
+				Namespace: "Tenant",
+				Object:    tenantID,
+				Relation:  "schema_managers",
+				SubjectID: "User:" + userID,
+			},
+			{
+				Namespace: "Tenant",
+				Object:    tenantID,
+				Relation:  "profile_viewers",
+				SubjectID: "User:" + userID,
+			},
+			{
+				Namespace: "Tenant",
+				Object:    tenantID,
+				Relation:  "unrelated_relation", // Should be filtered out
+				SubjectID: "User:" + userID,
+			},
+		}, nil).Once()
+
+		req := httptest.NewRequest("GET", "/tenants/"+tenantID+"/relations", nil)
+		resp, err := app.Test(req)
+		if err != nil {
+			t.Fatalf("request failed: %v", err)
+		}
+
+		assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+		var got struct {
+			Items []struct {
+				UserID    string   `json:"userId"`
+				Name      string   `json:"name"`
+				Email     string   `json:"email"`
+				Relations []string `json:"relations"`
+			} `json:"items"`
+		}
+		err = json.NewDecoder(resp.Body).Decode(&got)
+		if err != nil {
+			t.Fatalf("failed to decode response: %v", err)
+		}
+
+		assert.Len(t, got.Items, 1)
+		assert.Equal(t, userID, got.Items[0].UserID)
+		assert.Contains(t, got.Items[0].Relations, "schema_managers")
+		assert.Contains(t, got.Items[0].Relations, "profile_viewers")
+		assert.NotContains(t, got.Items[0].Relations, "unrelated_relation")
+		mockKeto.AssertExpectations(t)
+	})
+
+	t.Run("AddRelation - Inserts into KetoOutbox DB table", func(t *testing.T) {
+		app := fiber.New()
+		app.Post("/tenants/:id/relations", h.AddRelation)
+
+		mockKeto.On("ListRelations", mock.Anything, "Tenant", tenantID, "schema_managers", "User:"+userID).Return([]service.RelationTuple{}, nil).Once()
+
+		body, _ := json.Marshal(map[string]string{
+			"userId":   userID,
+			"relation": "schema_managers",
+		})
+		req := httptest.NewRequest("POST", "/tenants/"+tenantID+"/relations", bytes.NewReader(body))
+		req.Header.Set("Content-Type", "application/json")
+
+		resp, err := app.Test(req)
+		if err != nil {
+			t.Fatalf("request failed: %v", err)
+		}
+
+		assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+		// Verify row was written to the keto_outboxes DB table
+		var outboxEntries []domain.KetoOutbox
+		if err := db.Where("object = ? AND relation = ? AND action = ?", tenantID, "schema_managers", domain.KetoOutboxActionCreate).Find(&outboxEntries).Error; err != nil {
+			t.Fatalf("failed to query outbox: %v", err)
+		}
+
+		assert.Len(t, outboxEntries, 1)
+		assert.Equal(t, "Tenant", outboxEntries[0].Namespace)
+		assert.Equal(t, "User:"+userID, outboxEntries[0].Subject)
+		mockKeto.AssertExpectations(t)
+	})
+
+	t.Run("RemoveRelation - Inserts delete action into KetoOutbox DB table", func(t *testing.T) {
+		app := fiber.New()
+		app.Delete("/tenants/:id/relations", h.RemoveRelation)
+
+		body, _ := json.Marshal(map[string]string{
+			"userId":   userID,
+			"relation": "schema_managers",
+		})
+		req := httptest.NewRequest("DELETE", "/tenants/"+tenantID+"/relations", bytes.NewReader(body))
+		req.Header.Set("Content-Type", "application/json")
+
+		resp, err := app.Test(req)
+		if err != nil {
+			t.Fatalf("request failed: %v", err)
+		}
+
+		assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+		// Verify delete action row was written to the keto_outboxes DB table
+		var outboxEntries []domain.KetoOutbox
+		if err := db.Where("object = ? AND relation = ? AND action = ?", tenantID, "schema_managers", domain.KetoOutboxActionDelete).Find(&outboxEntries).Error; err != nil {
+			t.Fatalf("failed to query outbox: %v", err)
+		}
+
+		assert.Len(t, outboxEntries, 1)
+		assert.Equal(t, "Tenant", outboxEntries[0].Namespace)
+		assert.Equal(t, "User:"+userID, outboxEntries[0].Subject)
+	})
+}