kevin/baron-sso
1
0
Fork 0
forked from baron/baron-sso
Code Pull Requests Activity

ReBAC 고도화 및 애플리케이션 관리 시스템 통합 구현

Browse Source
This commit is contained in:
조찬영
2026-02-04 15:01:13 +09:00
parent 066ea86f46
commit 7e09764ad9
21 changed files with 1532 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
adminfront/src/app/routes.tsx
View File

@@ -15,6 +15,7 @@ import TenantRelyingPartyListPage from "../features/tenants/routes/TenantRelying
import TenantRelyingPartyCreatePage from "../features/tenants/routes/TenantRelyingPartyCreatePage";
import TenantRelyingPartyDetailPage from "../features/tenants/routes/TenantRelyingPartyDetailPage";
import RelyingPartyListPage from "../features/relying-parties/RelyingPartyListPage";
import RelyingPartyCreatePage from "../features/relying-parties/RelyingPartyCreatePage";
import UserCreatePage from "../features/users/UserCreatePage";
import UserDetailPage from "../features/users/UserDetailPage";
import UserListPage from "../features/users/UserListPage";
@@ -33,6 +34,7 @@ export const router = createBrowserRouter(
{ path: "users/new", element: <UserCreatePage /> },
{ path: "users/:id", element: <UserDetailPage /> },
{ path: "relying-parties", element: <RelyingPartyListPage /> },
{ path: "relying-parties/new", element: <RelyingPartyCreatePage /> },
{ path: "tenants", element: <TenantListPage /> },
{ path: "tenants/new", element: <TenantCreatePage /> },
{

6
adminfront/src/components/layout/RoleSwitcher.tsx
View File

@@ -22,7 +22,7 @@ const RoleSwitcher: React.FC = () => {
window.location.reload();
};
if (process.env.NODE_ENV === 'production') return null;
if (import.meta.env.MODE === 'production') return null;
return (
<div style={{
@@ -43,7 +43,7 @@ const RoleSwitcher: React.FC = () => {
<div style={{ fontWeight: 'bold', borderBottom: '1px solid #444', paddingBottom: '4px', marginBottom: '4px' }}>
🛠 DEV Role Switcher
</div>
{(['super_admin', 'tenant_admin', 'user'] as const).map(role => (
{(['super_admin', 'tenant_admin', 'rp_admin', 'tenant_member'] as const).map(role => (
<button
key={role}
onClick={() => switchRole(role)}
@@ -58,7 +58,7 @@ const RoleSwitcher: React.FC = () => {
transition: 'background 0.2s'
}}
>
{role.toUpperCase()} {currentRole === role ? '✅' : ''}
{role.toUpperCase().replace('_', ' ')} {currentRole === role ? '✅' : ''}
</button>
))}
</div>

2
adminfront/src/features/api-keys/ApiKeyCreatePage.tsx
View File

@@ -4,12 +4,10 @@ import { AlertCircle, Check, ChevronLeft, Copy, Loader2, Save, ShieldCheck } fro
import * as React from "react";
import { useForm } from "react-hook-form";
import { Link, useNavigate } from "react-router-dom";
import { Badge } from "../../components/ui/badge";
import { Button } from "../../components/ui/button";
import {
Card,
CardContent,
CardDescription,
CardHeader,
CardTitle,
} from "../../components/ui/card";

228
adminfront/src/features/relying-parties/RelyingPartyCreatePage.tsx Normal file
View File

@@ -0,0 +1,228 @@
import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
import type { AxiosError } from "axios";
import { ArrowLeft, Save } from "lucide-react";
import { useState } from "react";
import { Link, useNavigate } from "react-router-dom";
import { Button } from "../../components/ui/button";
import {
Card,
CardContent,
CardDescription,
CardFooter,
CardHeader,
CardTitle,
} from "../../components/ui/card";
import { Input } from "../../components/ui/input";
import { Label } from "../../components/ui/label";
import {
createRelyingParty,
fetchTenants,
} from "../../lib/adminApi";
import type { HydraClientReq } from "../../lib/adminApi";
import { Badge } from "../../components/ui/badge";
function RelyingPartyCreatePage() {
const navigate = useNavigate();
const queryClient = useQueryClient();
const [selectedTenantId, setSelectedTenantId] = useState("");
const [formData, setFormData] = useState<HydraClientReq>({
client_name: "",
redirect_uris: [],
scope: "openid profile email",
grant_types: ["authorization_code", "refresh_token"],
response_types: ["code"],
token_endpoint_auth_method: "client_secret_basic",
});
const [redirectUriInput, setRedirectUriInput] = useState("");
// 테넌트 목록 조회 (선택용)
const { data: tenantsData } = useQuery({
queryKey: ["tenants", { limit: 100 }],
queryFn: () => fetchTenants(100, 0),
});
const tenants = tenantsData?.items ?? [];
const createMutation = useMutation({
mutationFn: (data: HydraClientReq) => createRelyingParty(selectedTenantId, data),
onSuccess: () => {
queryClient.invalidateQueries({ queryKey: ["relyingParties"] });
navigate("/relying-parties");
},
});
const errorMsg = (createMutation.error as AxiosError<{ error?: string }>)
?.response?.data?.error;
const handleSubmit = (e: React.FormEvent) => {
e.preventDefault();
if (!selectedTenantId) {
alert("소속될 테넌트를 선택해주세요.");
return;
}
createMutation.mutate(formData);
};
const addRedirectUri = () => {
if (!redirectUriInput.trim()) return;
setFormData((prev) => ({
...prev,
redirect_uris: [...prev.redirect_uris, redirectUriInput.trim()],
}));
setRedirectUriInput("");
};
const removeRedirectUri = (index: number) => {
setFormData((prev) => ({
...prev,
redirect_uris: prev.redirect_uris.filter((_, i) => i !== index),
}));
};
return (
<div className="space-y-8">
<header className="flex flex-wrap items-start justify-between gap-4">
<div className="space-y-2">
<div className="flex items-center gap-2 text-sm text-[var(--color-muted)]">
<Link to="/relying-parties" className="inline-flex items-center gap-2">
<ArrowLeft size={14} />
Applications
</Link>
<span>/</span>
<span className="text-foreground">New App</span>
</div>
<h2 className="text-3xl font-semibold"> </h2>
<p className="text-sm text-[var(--color-muted)]">
Relying Party를 .
</p>
</div>
</header>
<form onSubmit={handleSubmit} className="max-w-2xl">
<Card className="bg-[var(--color-panel)]">
<CardHeader>
<CardTitle>App & Tenant Assignment</CardTitle>
<CardDescription>
.
</CardDescription>
</CardHeader>
<CardContent className="space-y-6">
{errorMsg && (
<div className="rounded-lg border border-destructive/40 bg-destructive/10 px-3 py-2 text-sm text-destructive">
{errorMsg}
</div>
)}
{/* 테넌트 선택 추가 */}
<div className="space-y-1">
<Label htmlFor="tenant_select">Owner Tenant</Label>
<select
id="tenant_select"
className="flex h-10 w-full rounded-md border border-input bg-background px-3 py-2 text-sm ring-offset-background file:border-0 file:bg-transparent file:text-sm file:font-medium placeholder:text-muted-foreground focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-2 disabled:cursor-not-allowed disabled:opacity-50"
value={selectedTenantId}
onChange={(e) => setSelectedTenantId(e.target.value)}
required
>
<option value="">-- --</option>
{tenants.map(t => (
<option key={t.id} value={t.id}>{t.name} ({t.slug})</option>
))}
</select>
<p className="text-xs text-muted-foreground"> .</p>
</div>
<div className="space-y-1">
<Label htmlFor="client_name">Client Name</Label>
<Input
id="client_name"
value={formData.client_name}
onChange={(e) =>
setFormData({ ...formData, client_name: e.target.value })
}
placeholder="My Awesome App"
required
/>
</div>
<div className="space-y-1">
<Label>Redirect URIs</Label>
<div className="flex gap-2">
<Input
value={redirectUriInput}
onChange={(e) => setRedirectUriInput(e.target.value)}
placeholder="https://myapp.com/callback"
onKeyDown={(e) => {
if (e.key === "Enter") {
e.preventDefault();
addRedirectUri();
}
}}
/>
<Button type="button" variant="secondary" onClick={addRedirectUri}>
Add
</Button>
</div>
<div className="mt-2 flex flex-wrap gap-2">
{formData.redirect_uris.map((uri, idx) => (
<Badge key={idx} variant="secondary" className="gap-1 pr-1">
{uri}
<button
type="button"
onClick={() => removeRedirectUri(idx)}
className="ml-1 rounded-full p-0.5 hover:bg-muted-foreground/20"
>
&times;
</button>
</Badge>
))}
</div>
</div>
<div className="space-y-1">
<Label htmlFor="scope">Scope</Label>
<Input
id="scope"
value={formData.scope}
onChange={(e) =>
setFormData({ ...formData, scope: e.target.value })
}
placeholder="openid profile email"
/>
</div>
<div className="grid grid-cols-2 gap-4">
<div className="space-y-1">
<Label>Auth Method</Label>
<select
className="flex h-9 w-full rounded-md border border-input bg-transparent px-3 py-1 text-sm shadow-sm focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-ring"
value={formData.token_endpoint_auth_method}
onChange={(e) => setFormData({...formData, token_endpoint_auth_method: e.target.value})}
>
<option value="client_secret_basic">client_secret_basic</option>
<option value="client_secret_post">client_secret_post</option>
<option value="none">none (Public Client)</option>
</select>
</div>
</div>
</CardContent>
<CardFooter className="justify-end gap-2">
<Button
type="button"
variant="ghost"
onClick={() => navigate("/relying-parties")}
>
</Button>
<Button type="submit" disabled={createMutation.isPending}>
<Save size={16} className="mr-2" />
</Button>
</CardFooter>
</Card>
</form>
</div>
);
}
export default RelyingPartyCreatePage;

175
adminfront/src/features/relying-parties/RelyingPartyListPage.tsx Normal file
View File

@@ -0,0 +1,175 @@
import { useMutation, useQuery } from "@tanstack/react-query";
import type { AxiosError } from "axios";
import { Pencil, Plus, RefreshCw, Trash2, Share2, Building2 } from "lucide-react";
import { useNavigate, Link } from "react-router-dom";
import { Button } from "../../components/ui/button";
import {
Card,
CardContent,
CardDescription,
CardHeader,
CardTitle,
} from "../../components/ui/card";
import {
Table,
TableBody,
TableCell,
TableHead,
TableHeader,
TableRow,
} from "../../components/ui/table";
import { deleteRelyingParty, fetchAllRelyingParties } from "../../lib/adminApi";
function RelyingPartyListPage() {
const navigate = useNavigate();
const query = useQuery({
queryKey: ["relyingParties", "all"],
queryFn: fetchAllRelyingParties,
});
const deleteMutation = useMutation({
mutationFn: (clientId: string) => deleteRelyingParty(clientId),
onSuccess: () => {
query.refetch();
},
});
const errorMsg = (query.error as AxiosError<{ error?: string }>)?.response
?.data?.error;
const fallbackError =
!errorMsg && query.isError ? "애플리케이션 목록 조회에 실패했습니다." : null;
const items = query.data ?? [];
const handleDelete = (clientId: string, name: string) => {
if (!window.confirm(`앱 "${name}"를 삭제할까요?`)) {
return;
}
deleteMutation.mutate(clientId);
};
return (
<div className="space-y-8">
<header className="flex flex-wrap items-start justify-between gap-4">
<div className="space-y-2">
<div className="flex items-center gap-2 text-sm text-[var(--color-muted)]">
<span>Applications</span>
<span>/</span>
<span className="text-foreground">List</span>
</div>
<h2 className="text-3xl font-semibold"> </h2>
<p className="text-sm text-[var(--color-muted)]">
Relying Party .
</p>
</div>
<div className="flex items-center gap-2">
<Button
variant="outline"
onClick={() => query.refetch()}
disabled={query.isFetching}
>
<RefreshCw size={16} />
</Button>
<Button asChild>
<Link to="/relying-parties/new">
<Plus size={16} />
</Link>
</Button>
</div>
</header>
<Card className="bg-[var(--color-panel)]">
<CardHeader className="flex flex-row items-center justify-between">
<div>
<CardTitle>Application Registry</CardTitle>
<CardDescription>
{items.length}
</CardDescription>
</div>
</CardHeader>
<CardContent>
{(errorMsg || fallbackError) && (
<div className="mb-4 rounded-lg border border-destructive/40 bg-destructive/10 px-3 py-2 text-sm text-destructive">
{errorMsg ?? fallbackError}
</div>
)}
<Table>
<TableHeader>
<TableRow>
<TableHead>NAME</TableHead>
<TableHead>TENANT ID</TableHead>
<TableHead>CLIENT ID</TableHead>
<TableHead>UPDATED</TableHead>
<TableHead className="text-right">ACTIONS</TableHead>
</TableRow>
</TableHeader>
<TableBody>
{query.isLoading && (
<TableRow>
<TableCell colSpan={5}> ...</TableCell>
</TableRow>
)}
{!query.isLoading && items.length === 0 && (
<TableRow>
<TableCell colSpan={5}>
.
</TableCell>
</TableRow>
)}
{items.map((rp) => (
<TableRow key={rp.clientId}>
<TableCell className="font-semibold">
<div className="flex items-center gap-2">
<Share2 size={14} className="text-primary" />
{rp.name}
</div>
</TableCell>
<TableCell>
<div className="flex items-center gap-1 text-xs text-muted-foreground">
<Building2 size={12} />
{rp.tenantId}
</div>
</TableCell>
<TableCell className="font-mono text-xs text-muted-foreground">
{rp.clientId}
</TableCell>
<TableCell>
{rp.updatedAt
? new Date(rp.updatedAt).toLocaleString("ko-KR")
: "-"}
</TableCell>
<TableCell className="text-right">
<div className="flex justify-end gap-2">
<Button
variant="outline"
size="sm"
onClick={() => navigate(`/tenants/${rp.tenantId}/relying-parties/${rp.clientId}`)}
>
<Pencil size={14} />
</Button>
<Button
variant="outline"
size="sm"
onClick={() => handleDelete(rp.clientId, rp.name)}
disabled={deleteMutation.isPending}
>
<Trash2 size={14} />
</Button>
</div>
</TableCell>
</TableRow>
))}
</TableBody>
</Table>
</CardContent>
</Card>
</div>
);
}
export default RelyingPartyListPage;

2
adminfront/src/features/tenants/routes/TenantProfilePage.tsx
View File

@@ -1,7 +1,7 @@
import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
import type { AxiosError } from "axios";
import { Save, Trash2 } from "lucide-react";
import { useEffect, useMemo, useState } from "react";
import { useEffect, useState } from "react";
import { useNavigate, useParams } from "react-router-dom";
import { Button } from "../../../components/ui/button";
import {

239
adminfront/src/features/tenants/routes/TenantRelyingPartyCreatePage.tsx Normal file
View File

@@ -0,0 +1,239 @@
import { useMutation, useQueryClient } from "@tanstack/react-query";
import type { AxiosError } from "axios";
import { ArrowLeft, Save } from "lucide-react";
import { useState } from "react";
import { Link, useNavigate, useParams } from "react-router-dom";
import { Button } from "../../../components/ui/button";
import {
Card,
CardContent,
CardDescription,
CardFooter,
CardHeader,
CardTitle,
} from "../../../components/ui/card";
import { Input } from "../../../components/ui/input";
import { Label } from "../../../components/ui/label";
import {
createRelyingParty,
} from "../../../lib/adminApi";
import type { HydraClientReq } from "../../../lib/adminApi";
import { Badge } from "../../../components/ui/badge";
function TenantRelyingPartyCreatePage() {
const { tenantId } = useParams<{ tenantId: string }>();
const navigate = useNavigate();
const queryClient = useQueryClient();
const [formData, setFormData] = useState<HydraClientReq>({
client_name: "",
redirect_uris: [],
scope: "openid profile email",
grant_types: ["authorization_code", "refresh_token"],
response_types: ["code"],
token_endpoint_auth_method: "client_secret_basic",
});
const [redirectUriInput, setRedirectUriInput] = useState("");
const createMutation = useMutation({
mutationFn: (data: HydraClientReq) => createRelyingParty(tenantId!, data),
onSuccess: () => {
queryClient.invalidateQueries({ queryKey: ["relyingParties", tenantId] });
navigate(`/tenants/${tenantId}/relying-parties`);
},
});
const errorMsg = (createMutation.error as AxiosError<{ error?: string }>)
?.response?.data?.error;
const handleSubmit = (e: React.FormEvent) => {
e.preventDefault();
createMutation.mutate(formData);
};
const addRedirectUri = () => {
if (!redirectUriInput.trim()) return;
setFormData((prev) => ({
...prev,
redirect_uris: [...prev.redirect_uris, redirectUriInput.trim()],
}));
setRedirectUriInput("");
};
const removeRedirectUri = (index: number) => {
setFormData((prev) => ({
...prev,
redirect_uris: prev.redirect_uris.filter((_, i) => i !== index),
}));
};
return (
<div className="space-y-8">
<header className="flex flex-wrap items-start justify-between gap-4">
<div className="space-y-2">
<div className="flex items-center gap-2 text-sm text-[var(--color-muted)]">
<Link to={`/tenants/${tenantId}/relying-parties`} className="inline-flex items-center gap-2">
<ArrowLeft size={14} />
Back to List
</Link>
<span>/</span>
<span className="text-foreground">New App</span>
</div>
<h2 className="text-3xl font-semibold"> </h2>
<p className="text-sm text-[var(--color-muted)]">
Ory Hydra OAuth2 Client를 .
</p>
</div>
</header>
<form onSubmit={handleSubmit} className="max-w-2xl">
<Card className="bg-[var(--color-panel)]">
<CardHeader>
<CardTitle>Basic Information</CardTitle>
<CardDescription>
.
</CardDescription>
</CardHeader>
<CardContent className="space-y-4">
{errorMsg && (
<div className="rounded-lg border border-destructive/40 bg-destructive/10 px-3 py-2 text-sm text-destructive">
{errorMsg}
</div>
)}
<div className="space-y-1">
<Label htmlFor="client_name">Client Name</Label>
<Input
id="client_name"
value={formData.client_name}
onChange={(e) =>
setFormData({ ...formData, client_name: e.target.value })
}
placeholder="My Awesome App"
required
/>
</div>
<div className="space-y-1">
<Label>Redirect URIs</Label>
<div className="flex gap-2">
<Input
value={redirectUriInput}
onChange={(e) => setRedirectUriInput(e.target.value)}
placeholder="https://myapp.com/callback"
onKeyDown={(e) => {
if (e.key === "Enter") {
e.preventDefault();
addRedirectUri();
}
}}
/>
<Button type="button" variant="secondary" onClick={addRedirectUri}>
Add
</Button>
</div>
<div className="mt-2 flex flex-wrap gap-2">
{formData.redirect_uris.map((uri, idx) => (
<Badge key={idx} variant="secondary" className="gap-1 pr-1">
{uri}
<button
type="button"
onClick={() => removeRedirectUri(idx)}
className="ml-1 rounded-full p-0.5 hover:bg-muted-foreground/20"
>
&times;
</button>
</Badge>
))}
</div>
<p className="text-xs text-muted-foreground">
OAuth2 URI .
</p>
</div>
<div className="space-y-1">
<Label htmlFor="scope">Scope</Label>
<Input
id="scope"
value={formData.scope}
onChange={(e) =>
setFormData({ ...formData, scope: e.target.value })
}
placeholder="openid profile email"
/>
<p className="text-xs text-muted-foreground">
Space-separated scopes.
</p>
</div>
<div className="grid grid-cols-2 gap-4">
<div className="space-y-1">
<Label>Grant Types</Label>
<div className="flex flex-col gap-1 text-sm text-muted-foreground">
<label className="flex items-center gap-2">
<input
type="checkbox"
checked={formData.grant_types?.includes("authorization_code")}
disabled
/> authorization_code
</label>
<label className="flex items-center gap-2">
<input
type="checkbox"
checked={formData.grant_types?.includes("refresh_token")}
disabled
/> refresh_token
</label>
<label className="flex items-center gap-2">
<input
type="checkbox"
checked={formData.grant_types?.includes("client_credentials")}
onChange={(e) => {
const checked = e.target.checked;
setFormData(prev => ({
...prev,
grant_types: checked
? [...(prev.grant_types || []), "client_credentials"]
: (prev.grant_types || []).filter(t => t !== "client_credentials")
}))
}}
/> client_credentials
</label>
</div>
</div>
<div className="space-y-1">
<Label>Auth Method</Label>
<select
className="flex h-9 w-full rounded-md border border-input bg-transparent px-3 py-1 text-sm shadow-sm transition-colors file:border-0 file:bg-transparent file:text-sm file:font-medium placeholder:text-muted-foreground focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-ring disabled:cursor-not-allowed disabled:opacity-50"
value={formData.token_endpoint_auth_method}
onChange={(e) => setFormData({...formData, token_endpoint_auth_method: e.target.value})}
>
<option value="client_secret_basic">client_secret_basic</option>
<option value="client_secret_post">client_secret_post</option>
<option value="none">none (Public Client)</option>
</select>
</div>
</div>
</CardContent>
<CardFooter className="justify-end gap-2">
<Button
type="button"
variant="ghost"
onClick={() => navigate(`/tenants/${tenantId}/relying-parties`)}
>
</Button>
<Button type="submit" disabled={createMutation.isPending}>
<Save size={16} className="mr-2" />
</Button>
</CardFooter>
</Card>
</form>
</div>
);
}
export default TenantRelyingPartyCreatePage;

126
adminfront/src/features/tenants/routes/TenantRelyingPartyDetailPage.tsx Normal file
View File

@@ -0,0 +1,126 @@
import { useQuery } from "@tanstack/react-query";
import { ArrowLeft, Copy, ShieldCheck } from "lucide-react";
import { Link, useParams } from "react-router-dom";
import { Badge } from "../../../components/ui/badge";
import { Button } from "../../../components/ui/button";
import {
Card,
CardContent,
CardDescription,
CardHeader,
CardTitle,
} from "../../../components/ui/card";
import { fetchRelyingParty } from "../../../lib/adminApi";
function TenantRelyingPartyDetailPage() {
const { tenantId, id } = useParams<{ tenantId: string; id: string }>();
const { data, isLoading, error } = useQuery({
queryKey: ["relyingParty", id],
queryFn: () => fetchRelyingParty(id!),
enabled: !!id,
});
const copyToClipboard = (text: string) => {
navigator.clipboard.writeText(text);
alert("복사되었습니다.");
};
if (isLoading) return <div>Loading...</div>;
if (error) return <div className="text-destructive">Error loading app details.</div>;
const { relyingParty, oauth2Config } = data!;
return (
<div className="space-y-8">
<header className="flex flex-wrap items-start justify-between gap-4">
<div className="space-y-2">
<div className="flex items-center gap-2 text-sm text-[var(--color-muted)]">
<Link to={`/tenants/${tenantId}/relying-parties`} className="inline-flex items-center gap-2">
<ArrowLeft size={14} />
Relying Parties
</Link>
<span>/</span>
<span className="text-foreground">{relyingParty.name}</span>
</div>
<h2 className="text-3xl font-semibold">{relyingParty.name}</h2>
<p className="text-sm text-[var(--color-muted)]">
{relyingParty.description || "상세 설정을 확인하고 관리합니다."}
</p>
</div>
<Badge variant="outline" className="bg-green-50 text-green-700 border-green-200">
<ShieldCheck size={14} className="mr-1" />
Keto Protected
</Badge>
</header>
<div className="grid gap-6 md:grid-cols-2">
<Card className="bg-[var(--color-panel)]">
<CardHeader>
<CardTitle>OAuth2 Credentials</CardTitle>
<CardDescription> .</CardDescription>
</CardHeader>
<CardContent className="space-y-4">
<div className="space-y-1">
<p className="text-xs font-medium text-muted-foreground uppercase">Client ID</p>
<div className="flex items-center gap-2">
<code className="flex-1 rounded bg-muted p-2 text-sm">{oauth2Config.client_id}</code>
<Button variant="ghost" size="sm" onClick={() => copyToClipboard(oauth2Config.client_id!)}>
<Copy size={14} />
</Button>
</div>
</div>
<div className="space-y-1">
<p className="text-xs font-medium text-muted-foreground uppercase">Client Secret</p>
<div className="flex items-center gap-2">
<code className="flex-1 rounded bg-muted p-2 text-sm">
{oauth2Config.client_secret || (oauth2Config.metadata?.client_secret as string) || "********"}
</code>
{(oauth2Config.client_secret || oauth2Config.metadata?.client_secret) && (
<Button variant="ghost" size="sm" onClick={() => copyToClipboard((oauth2Config.client_secret || oauth2Config.metadata?.client_secret) as string)}>
<Copy size={14} />
</Button>
)}
</div>
<p className="text-[10px] text-amber-600">
* Secret은 .
</p>
</div>
</CardContent>
</Card>
<Card className="bg-[var(--color-panel)]">
<CardHeader>
<CardTitle>Configuration</CardTitle>
<CardDescription>OAuth2 </CardDescription>
</CardHeader>
<CardContent className="space-y-4">
<div className="space-y-1">
<p className="text-xs font-medium text-muted-foreground uppercase">Redirect URIs</p>
<ul className="list-inside list-disc text-sm">
{(oauth2Config.redirect_uris || []).map((uri, i) => (
<li key={i}>{uri}</li>
))}
</ul>
</div>
<div className="space-y-1">
<p className="text-xs font-medium text-muted-foreground uppercase">Allowed Scopes</p>
<div className="flex flex-wrap gap-1">
{(oauth2Config.scope || "").split(" ").filter(Boolean).map(s => (
<Badge key={s} variant="secondary">{s}</Badge>
))}
</div>
</div>
<div className="space-y-1">
<p className="text-xs font-medium text-muted-foreground uppercase">Auth Method</p>
<span className="text-sm">{oauth2Config.token_endpoint_auth_method}</span>
</div>
</CardContent>
</Card>
</div>
</div>
);
}
export default TenantRelyingPartyDetailPage;

155
adminfront/src/features/tenants/routes/TenantRelyingPartyListPage.tsx Normal file
View File

@@ -0,0 +1,155 @@
import { useMutation, useQuery } from "@tanstack/react-query";
import type { AxiosError } from "axios";
import { Pencil, Plus, RefreshCw, Trash2, Share2 } from "lucide-react";
import { Link, useNavigate, useParams } from "react-router-dom";
import { Button } from "../../../components/ui/button";
import {
Card,
CardContent,
CardDescription,
CardHeader,
CardTitle,
} from "../../../components/ui/card";
import {
Table,
TableBody,
TableCell,
TableHead,
TableHeader,
TableRow,
} from "../../../components/ui/table";
import { deleteRelyingParty, fetchRelyingParties } from "../../../lib/adminApi";
function TenantRelyingPartyListPage() {
const { tenantId } = useParams<{ tenantId: string }>();
const navigate = useNavigate();
const query = useQuery({
queryKey: ["relyingParties", tenantId],
queryFn: () => fetchRelyingParties(tenantId!),
enabled: !!tenantId,
});
const deleteMutation = useMutation({
mutationFn: (clientId: string) => deleteRelyingParty(clientId),
onSuccess: () => {
query.refetch();
},
});
const errorMsg = (query.error as AxiosError<{ error?: string }>)?.response
?.data?.error;
const fallbackError =
!errorMsg && query.isError ? "앱 목록 조회에 실패했습니다." : null;
const items = query.data ?? [];
const handleDelete = (clientId: string, name: string) => {
if (!window.confirm(`앱 "${name}"를 삭제할까요?`)) {
return;
}
deleteMutation.mutate(clientId);
};
return (
<Card className="bg-[var(--color-panel)] mt-6">
<CardHeader className="flex flex-row items-center justify-between">
<div>
<CardTitle>Relying Parties (Apps)</CardTitle>
<CardDescription>
OAuth2/OIDC .
</CardDescription>
</div>
<div className="flex items-center gap-2">
<Button
variant="outline"
size="sm"
onClick={() => query.refetch()}
disabled={query.isFetching}
>
<RefreshCw size={14} />
</Button>
<Button size="sm" asChild>
<Link to={`/tenants/${tenantId}/relying-parties/new`}>
<Plus size={14} />
</Link>
</Button>
</div>
</CardHeader>
<CardContent>
{(errorMsg || fallbackError) && (
<div className="mb-4 rounded-lg border border-destructive/40 bg-destructive/10 px-3 py-2 text-sm text-destructive">
{errorMsg ?? fallbackError}
</div>
)}
<Table>
<TableHeader>
<TableRow>
<TableHead>CLIENT ID</TableHead>
<TableHead>NAME</TableHead>
<TableHead>DESCRIPTION</TableHead>
<TableHead>UPDATED</TableHead>
<TableHead className="text-right">ACTIONS</TableHead>
</TableRow>
</TableHeader>
<TableBody>
{query.isLoading && (
<TableRow>
<TableCell colSpan={5}> ...</TableCell>
</TableRow>
)}
{!query.isLoading && items.length === 0 && (
<TableRow>
<TableCell colSpan={5}>
.
</TableCell>
</TableRow>
)}
{items.map((rp) => (
<TableRow key={rp.clientId}>
<TableCell className="font-mono text-xs">{rp.clientId}</TableCell>
<TableCell className="font-semibold">
<div className="flex items-center gap-2">
<Share2 size={14} className="text-muted-foreground" />
{rp.name}
</div>
</TableCell>
<TableCell className="text-muted-foreground">{rp.description || "-"}</TableCell>
<TableCell>
{rp.updatedAt
? new Date(rp.updatedAt).toLocaleString("ko-KR")
: "-"}
</TableCell>
<TableCell className="text-right">
<div className="flex justify-end gap-2">
<Button
variant="outline"
size="sm"
onClick={() => navigate(`/tenants/${tenantId}/relying-parties/${rp.clientId}`)}
>
<Pencil size={14} />
</Button>
<Button
variant="outline"
size="sm"
onClick={() => handleDelete(rp.clientId, rp.name)}
disabled={deleteMutation.isPending}
>
<Trash2 size={14} />
</Button>
</div>
</TableCell>
</TableRow>
))}
</TableBody>
</Table>
</CardContent>
</Card>
);
}
export default TenantRelyingPartyListPage;

2
backend/internal/bootstrap/bootstrap.go
View File

@@ -36,7 +36,7 @@ func migrateSchemas(db *gorm.DB) error {
&domain.User{},
&domain.ApiKey{},
&domain.IdentityProviderConfig{},
// &domain.RelyingParty{}, // TODO: Uncomment when model is ready
&domain.RelyingParty{},
// &domain.UserConsent{}, // TODO: Uncomment when model is ready
)
}

52
backend/internal/bootstrap/keto_sync.go Normal file
View File

@@ -0,0 +1,52 @@
package bootstrap
import (
"baron-sso-backend/internal/domain"
"baron-sso-backend/internal/service"
"context"
"log/slog"
"gorm.io/gorm"
)
// SyncKetoRelations synchronizes all existing DB users and tenants to Ory Keto.
// This ensures data consistency for existing data when ReBAC is introduced.
func SyncKetoRelations(db *gorm.DB, keto service.KetoService) error {
slog.Info("🚀 Starting Keto ReBAC relation synchronization...")
ctx := context.Background()
// 1. Sync All Tenants (Ensure they exist in Keto if needed)
var tenants []domain.Tenant
if err := db.Find(&tenants).Error; err != nil {
return err
}
slog.Info("Syncing tenants to Keto", "count", len(tenants))
for _, t := range tenants {
if t.ParentID != nil {
_ = keto.CreateRelation(ctx, "Tenant", t.ID, "parent", *t.ParentID)
}
}
// 2. Sync All Users
var users []domain.User
if err := db.Find(&users).Error; err != nil {
return err
}
slog.Info("Syncing users to Keto", "count", len(users))
for _, u := range users {
// Membership
if u.TenantID != nil {
_ = keto.CreateRelation(ctx, "Tenant", *u.TenantID, "members", u.ID)
}
// Roles
if u.Role == domain.RoleSuperAdmin {
_ = keto.CreateRelation(ctx, "System", "global", "super_admins", u.ID)
} else if u.Role == domain.RoleTenantAdmin && u.TenantID != nil {
_ = keto.CreateRelation(ctx, "Tenant", *u.TenantID, "admins", u.ID)
}
}
slog.Info("✅ Keto ReBAC synchronization completed.")
return nil
}

38
backend/internal/domain/hydra_models.go Normal file
View File

@@ -0,0 +1,38 @@
package domain
import "time"
type HydraClient struct {
ClientID string `json:"client_id"`
ClientName string `json:"client_name,omitempty"`
ClientSecret string `json:"client_secret,omitempty"` // Added
RedirectURIs []string `json:"redirect_uris,omitempty"`
GrantTypes []string `json:"grant_types,omitempty"`
ResponseTypes []string `json:"response_types,omitempty"`
Scope string `json:"scope,omitempty"`
TokenEndpointAuthMethod string `json:"token_endpoint_auth_method,omitempty"`
Metadata map[string]interface{} `json:"metadata,omitempty"`
}
type HydraConsentRequest struct {
Challenge string `json:"challenge"`
RequestedScope []string `json:"requested_scope"`
RequestedAudience []string `json:"requested_access_token_audience"`
Skip bool `json:"skip"`
Subject string `json:"subject"`
Client HydraClient `json:"client"`
}
type HydraConsentSession struct {
ConsentRequestID string `json:"consent_request_id,omitempty"`
Subject string `json:"subject,omitempty"`
GrantedScope []string `json:"grant_scope,omitempty"`
GrantedAudience []string `json:"grant_access_token_audience,omitempty"`
Remember bool `json:"remember"`
RememberFor int `json:"remember_for,omitempty"`
AuthenticatedAt *time.Time `json:"authenticated_at,omitempty"`
RequestedAt *time.Time `json:"requested_at,omitempty"`
HandledAt *time.Time `json:"handled_at,omitempty"`
Client HydraClient `json:"client,omitempty"`
ConsentRequest *HydraConsentRequest `json:"consent_request,omitempty"`
}

26
backend/internal/domain/relying_party.go Normal file
View File

@@ -0,0 +1,26 @@
package domain
import (
"time"
"gorm.io/gorm"
)
// RelyingParty represents an OAuth2 Client owner by a Tenant.
// It maps 1:1 to a Hydra Client.
type RelyingParty struct {
ClientID string `gorm:"primaryKey" json:"clientId"` // Maps to Hydra Client ID
TenantID string `gorm:"index;not null" json:"tenantId"`
Name string `json:"name"` // Display name (can be same as Hydra Client Name)
Description string `json:"description"`
CreatedAt time.Time `json:"createdAt"`
UpdatedAt time.Time `json:"updatedAt"`
DeletedAt gorm.DeletedAt `gorm:"index" json:"-"`
// We don't store OAuth2 specific config here (redirect_uris, etc.)
// those are fetched from Hydra on demand.
}
func (rp *RelyingParty) TableName() string {
return "relying_parties"
}

49
backend/internal/handler/auth_handler.go
View File

@@ -3424,6 +3424,53 @@ func (h *AuthHandler) AcceptOidcLoginRequest(c *fiber.Ctx) error {
}
func (h *AuthHandler) resolveCurrentProfile(c *fiber.Ctx) (*domain.UserProfileResponse, error) {
slog.Info("🚨 [FATAL_DEBUG] ENVIRONMENT CHECK",
"APP_ENV", os.Getenv("APP_ENV"),
"GO_ENV", os.Getenv("GO_ENV"),
"X-Test-Role", c.Get("X-Test-Role"),
)
slog.Info("🚀 [TRACE] resolveCurrentProfile entry", "path", c.Path(), "method", c.Method())
// [Dev Only] Mock Role Bypass
appEnv := strings.ToLower(os.Getenv("APP_ENV"))
mockRole := c.Get("X-Test-Role")
if mockRole == "" {
mockRole = c.Get("X-Mock-Role")
}
// Always log in development to see what's happening
if appEnv == "dev" || appEnv == "development" || appEnv == "" {
slog.Info("🔍 [AUTH_DEBUG] Checking mock role",
"env", appEnv,
"mockRole", mockRole,
"X-Test-Role", c.Get("X-Test-Role"),
"X-Mock-Role", c.Get("X-Mock-Role"),
)
}
// If in dev mode and we have a mock role, bypass Kratos
if (appEnv == "dev" || appEnv == "development" || appEnv == "") && mockRole != "" {
slog.Info("🔑 [AUTH_DEBUG] Mock bypass SUCCESS", "role", mockRole)
mockProfile := &domain.UserProfileResponse{
ID: "00000000-0000-0000-0000-000000000000",
Email: "mock@hmac.kr",
Name: "Dev Mock User",
Role: mockRole,
}
if tid := c.Get("X-Tenant-ID"); tid != "" {
mockProfile.TenantID = &tid
}
return mockProfile, nil
}
// Mock bypass failed - log headers for debugging if in dev
if appEnv == "dev" || appEnv == "development" || appEnv == "" {
slog.Warn("⚠️ [DEBUG] Mock auth bypass failed",
"appEnv", appEnv,
"X-Test-Role", c.Get("X-Test-Role"),
"X-Mock-Role", c.Get("X-Mock-Role"),
"path", c.Path())
}
var profile *domain.UserProfileResponse
var err error
@@ -3438,7 +3485,7 @@ func (h *AuthHandler) resolveCurrentProfile(c *fiber.Ctx) (*domain.UserProfileRe
}
if err != nil || profile == nil {
return nil, errors.New("invalid session")
return nil, errors.New("invalid session (trace:resolve_profile)")
}
// [New] Enrich with Local DB (Roles, TenantID, etc.)

111
backend/internal/handler/relying_party_handler.go Normal file
View File

@@ -0,0 +1,111 @@
package handler
import (
"baron-sso-backend/internal/domain"
"baron-sso-backend/internal/service"
"github.com/gofiber/fiber/v2"
"log/slog"
)
type RelyingPartyHandler struct {
Service service.RelyingPartyService
}
func NewRelyingPartyHandler(s service.RelyingPartyService) *RelyingPartyHandler {
return &RelyingPartyHandler{Service: s}
}
func (h *RelyingPartyHandler) Create(c *fiber.Ctx) error {
tenantID := c.Params("tenantId")
if tenantID == "" {
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "tenantId is required"})
}
var req domain.HydraClient
if err := c.BodyParser(&req); err != nil {
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid request body"})
}
rp, err := h.Service.Create(c.Context(), tenantID, req)
if err != nil {
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
}
return c.Status(fiber.StatusCreated).JSON(rp)
}
func (h *RelyingPartyHandler) ListAll(c *fiber.Ctx) error {
profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse)
if !ok {
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "unauthorized: user profile not found in context"})
}
var rps []domain.RelyingParty
var err error
if profile.Role == domain.RoleSuperAdmin {
rps, err = h.Service.ListAll(c.Context())
} else if profile.Role == domain.RoleTenantAdmin && profile.TenantID != nil {
rps, err = h.Service.List(c.Context(), *profile.TenantID)
} else {
slog.Warn("Forbidden access to all applications", "userID", profile.ID, "role", profile.Role)
return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden: insufficient role to list all applications"})
}
if err != nil {
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
}
return c.JSON(rps)
}
func (h *RelyingPartyHandler) List(c *fiber.Ctx) error {
tenantID := c.Params("tenantId")
if tenantID == "" {
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "tenantId is required"})
}
rps, err := h.Service.List(c.Context(), tenantID)
if err != nil {
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
}
return c.JSON(rps)
}
func (h *RelyingPartyHandler) Get(c *fiber.Ctx) error {
id := c.Params("id")
rp, hydraClient, err := h.Service.Get(c.Context(), id)
if err != nil {
return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": "relying party not found"})
}
return c.JSON(fiber.Map{
"relyingParty": rp,
"oauth2Config": hydraClient,
})
}
func (h *RelyingPartyHandler) Update(c *fiber.Ctx) error {
id := c.Params("id")
var req domain.HydraClient
if err := c.BodyParser(&req); err != nil {
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid request body"})
}
rp, err := h.Service.Update(c.Context(), id, req)
if err != nil {
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
}
return c.JSON(rp)
}
func (h *RelyingPartyHandler) Delete(c *fiber.Ctx) error {
id := c.Params("id")
if err := h.Service.Delete(c.Context(), id); err != nil {
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
}
return c.SendStatus(fiber.StatusNoContent)
}

121
backend/internal/handler/user_handler.go
View File

@@ -55,12 +55,13 @@ type userListResponse struct {
}
func (h *UserHandler) ListUsers(c *fiber.Ctx) error {
if h.KratosAdmin == nil {
return c.Status(fiber.StatusServiceUnavailable).JSON(fiber.Map{"error": "identity provider not available"})
}
// [New] Get requester profile from middleware
requester, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
var requesterRole string
var requesterCompany string
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok {
requesterRole = profile.Role
requesterCompany = profile.CompanyCode
}
limit := c.QueryInt("limit", 50)
offset := c.QueryInt("offset", 0)
@@ -73,52 +74,82 @@ func (h *UserHandler) ListUsers(c *fiber.Ctx) error {
offset = 0
}
// 1. Try Kratos First
identities, err := h.KratosAdmin.ListIdentities(c.Context())
if err == nil {
filtered := make([]service.KratosIdentity, 0, len(identities))
searchLower := strings.ToLower(search)
for _, identity := range identities {
email := strings.ToLower(extractTraitString(identity.Traits, "email"))
name := strings.ToLower(extractTraitString(identity.Traits, "name"))
compCode := extractTraitString(identity.Traits, "companyCode")
// Tenant Admin filtering
if requesterRole == domain.RoleTenantAdmin {
if requesterCompany == "" || compCode != requesterCompany {
continue
}
}
// Search filtering
if search != "" {
if !strings.Contains(email, searchLower) && !strings.Contains(name, searchLower) {
continue
}
}
filtered = append(filtered, identity)
}
total := int64(len(filtered))
if offset > len(filtered) {
offset = len(filtered)
}
end := offset + limit
if end > len(filtered) {
end = len(filtered)
}
items := make([]userSummary, 0, end-offset)
for _, identity := range filtered[offset:end] {
summary := h.mapIdentitySummary(c.Context(), identity)
items = append(items, summary)
}
return c.JSON(userListResponse{Items: items, Limit: limit, Offset: offset, Total: total})
}
// 2. Fallback to Local DB if Kratos is down (Development only recommended)
slog.Warn("Kratos unavailable, falling back to local DB for user list", "error", err)
// Fetch from UserRepo
users, total, err := h.UserRepo.List(c.Context(), offset, limit, search)
if err != nil {
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "failed to fetch users from both kratos and local db"})
}
filtered := make([]service.KratosIdentity, 0, len(identities))
searchLower := strings.ToLower(search)
for _, identity := range identities {
email := strings.ToLower(extractTraitString(identity.Traits, "email"))
name := strings.ToLower(extractTraitString(identity.Traits, "name"))
compCode := extractTraitString(identity.Traits, "companyCode")
// 1. Tenant Admin filtering
if requester != nil && requester.Role == domain.RoleTenantAdmin {
if requester.CompanyCode == "" || compCode != requester.CompanyCode {
continue // Skip users from other tenants
}
}
// 2. Search filtering
if search != "" {
if !strings.Contains(email, searchLower) && !strings.Contains(name, searchLower) {
continue
}
}
filtered = append(filtered, identity)
items := make([]userSummary, 0, len(users))
for _, u := range users {
items = append(items, userSummary{
ID: u.ID,
Email: u.Email,
Name: u.Name,
Phone: u.Phone,
Role: u.Role,
Status: u.Status,
CompanyCode: u.CompanyCode,
Department: u.Department,
CreatedAt: u.CreatedAt.Format(time.RFC3339),
UpdatedAt: u.UpdatedAt.Format(time.RFC3339),
})
}
total := int64(len(filtered))
if offset > len(filtered) {
offset = len(filtered)
}
end := offset + limit
if end > len(filtered) {
end = len(filtered)
}
items := make([]userSummary, 0, end-offset)
for _, identity := range filtered[offset:end] {
summary := h.mapIdentitySummary(c.Context(), identity)
items = append(items, summary)
}
return c.JSON(userListResponse{Items: items, Limit: limit, Offset: offset, Total: total})
return c.JSON(userListResponse{
Items: items,
Total: total,
Limit: limit,
Offset: offset,
})
}
func (h *UserHandler) GetUser(c *fiber.Ctx) error {

2
backend/internal/middleware/api_key_auth.go
View File

@@ -101,7 +101,7 @@ func validateScope(method, path string, rawScopes string) bool {
}
// 3. 테넌트 관리 관련 (tenant:*)
if strings.Contains(path, "/admin/tenants") {
if strings.Contains(path, "/admin/tenants") || strings.Contains(path, "/admin/relying-parties") {
if method == fiber.MethodGet {
return scopeMap["tenant:read"]
}

20
backend/internal/middleware/rbac.go
View File

@@ -18,16 +18,14 @@ type RBACConfig struct {
// RequireKetoPermission enforces permissions using Ory Keto (ReBAC)
func RequireKetoPermission(config RBACConfig, namespace, relation string) fiber.Handler {
return func(c *fiber.Ctx) error {
// Bypass if already authenticated via API Key
if c.Locals("apiKeyName") != nil {
return c.Next()
}
profile, err := config.AuthHandler.GetEnrichedProfile(c)
if err != nil {
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "unauthorized"})
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "unauthorized (trace:rbac_keto)"})
}
// Store profile in locals for further use in handlers
c.Locals("user_profile", profile)
// Super Admin bypass
if profile.Role == domain.RoleSuperAdmin {
return c.Next()
@@ -65,10 +63,13 @@ func RequireRole(config RBACConfig) fiber.Handler {
profile, err := config.AuthHandler.GetEnrichedProfile(c)
if err != nil {
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{
"error": "unauthorized: " + err.Error(),
"error": "unauthorized (trace:rbac_role): " + err.Error(),
})
}
// Store profile in locals for further use in handlers
c.Locals("user_profile", profile)
// Super Admin always has access
if profile.Role == domain.RoleSuperAdmin {
return c.Next()
@@ -112,9 +113,12 @@ func RequireTenantMatch(config RBACConfig) fiber.Handler {
profile, err := config.AuthHandler.GetEnrichedProfile(c)
if err != nil {
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "unauthorized"})
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "unauthorized (trace:rbac_match)"})
}
// Store profile in locals for further use in handlers
c.Locals("user_profile", profile)
// Super Admin bypass
if profile.Role == domain.RoleSuperAdmin {
return c.Next()

61
backend/internal/repository/relying_party_repository.go Normal file
View File

@@ -0,0 +1,61 @@
package repository
import (
"baron-sso-backend/internal/domain"
"context"
"gorm.io/gorm"
)
type RelyingPartyRepository interface {
Create(ctx context.Context, rp *domain.RelyingParty) error
Update(ctx context.Context, rp *domain.RelyingParty) error
Delete(ctx context.Context, clientID string) error
FindByID(ctx context.Context, clientID string) (*domain.RelyingParty, error)
ListByTenantID(ctx context.Context, tenantID string) ([]domain.RelyingParty, error)
ListAll(ctx context.Context) ([]domain.RelyingParty, error)
}
func (r *relyingPartyRepository) ListAll(ctx context.Context) ([]domain.RelyingParty, error) {
var rps []domain.RelyingParty
if err := r.db.WithContext(ctx).Find(&rps).Error; err != nil {
return nil, err
}
return rps, nil
}
type relyingPartyRepository struct {
db *gorm.DB
}
func NewRelyingPartyRepository(db *gorm.DB) RelyingPartyRepository {
return &relyingPartyRepository{db: db}
}
func (r *relyingPartyRepository) Create(ctx context.Context, rp *domain.RelyingParty) error {
return r.db.WithContext(ctx).Create(rp).Error
}
func (r *relyingPartyRepository) Update(ctx context.Context, rp *domain.RelyingParty) error {
return r.db.WithContext(ctx).Save(rp).Error
}
func (r *relyingPartyRepository) Delete(ctx context.Context, clientID string) error {
return r.db.WithContext(ctx).Delete(&domain.RelyingParty{}, "client_id = ?", clientID).Error
}
func (r *relyingPartyRepository) FindByID(ctx context.Context, clientID string) (*domain.RelyingParty, error) {
var rp domain.RelyingParty
if err := r.db.WithContext(ctx).First(&rp, "client_id = ?", clientID).Error; err != nil {
return nil, err
}
return &rp, nil
}
func (r *relyingPartyRepository) ListByTenantID(ctx context.Context, tenantID string) ([]domain.RelyingParty, error) {
var rps []domain.RelyingParty
if err := r.db.WithContext(ctx).Where("tenant_id = ?", tenantID).Find(&rps).Error; err != nil {
return nil, err
}
return rps, nil
}

22
backend/internal/repository/user_repository.go
View File

@@ -13,6 +13,7 @@ type UserRepository interface {
FindByEmail(ctx context.Context, email string) (*domain.User, error)
FindByID(ctx context.Context, id string) (*domain.User, error)
ListByTenant(ctx context.Context, tenantID string) ([]domain.User, error)
List(ctx context.Context, offset, limit int, search string) ([]domain.User, int64, error)
}
type userRepository struct {
@@ -54,3 +55,24 @@ func (r *userRepository) ListByTenant(ctx context.Context, tenantID string) ([]d
}
return users, nil
}
func (r *userRepository) List(ctx context.Context, offset, limit int, search string) ([]domain.User, int64, error) {
var users []domain.User
var total int64
db := r.db.WithContext(ctx).Model(&domain.User{})
if search != "" {
searchTerm := "%" + search + "%"
db = db.Where("email LIKE ? OR name LIKE ?", searchTerm, searchTerm)
}
if err := db.Count(&total).Error; err != nil {
return nil, 0, err
}
if err := db.Offset(offset).Limit(limit).Find(&users).Error; err != nil {
return nil, 0, err
}
return users, total, nil
}

155
backend/internal/service/relying_party_service.go Normal file
View File

@@ -0,0 +1,155 @@
package service
import (
"baron-sso-backend/internal/domain"
"baron-sso-backend/internal/repository"
"context"
"fmt"
"log/slog"
)
type RelyingPartyService interface {
Create(ctx context.Context, tenantID string, client domain.HydraClient) (*domain.RelyingParty, error)
Get(ctx context.Context, clientID string) (*domain.RelyingParty, *domain.HydraClient, error)
List(ctx context.Context, tenantID string) ([]domain.RelyingParty, error)
ListAll(ctx context.Context) ([]domain.RelyingParty, error)
ListByTenantIDs(ctx context.Context, tenantIDs []string) ([]domain.RelyingParty, error)
Update(ctx context.Context, clientID string, client domain.HydraClient) (*domain.RelyingParty, error)
Delete(ctx context.Context, clientID string) error
}
func (s *relyingPartyService) ListAll(ctx context.Context) ([]domain.RelyingParty, error) {
return s.repo.ListAll(ctx)
}
func (s *relyingPartyService) ListByTenantIDs(ctx context.Context, tenantIDs []string) ([]domain.RelyingParty, error) {
// Simple implementation for now, repository could be optimized with IN clause
var allRps []domain.RelyingParty
for _, tid := range tenantIDs {
rps, _ := s.repo.ListByTenantID(ctx, tid)
allRps = append(allRps, rps...)
}
return allRps, nil
}
type relyingPartyService struct {
repo repository.RelyingPartyRepository
hydraService *HydraAdminService
ketoService KetoService
}
func NewRelyingPartyService(
repo repository.RelyingPartyRepository,
hydraService *HydraAdminService,
ketoService KetoService,
) RelyingPartyService {
return &relyingPartyService{
repo: repo,
hydraService: hydraService,
ketoService: ketoService,
}
}
func (s *relyingPartyService) Create(ctx context.Context, tenantID string, client domain.HydraClient) (*domain.RelyingParty, error) {
// 1. Create Client in Hydra
// Ensure metadata contains tenant_id for reference
if client.Metadata == nil {
client.Metadata = make(map[string]interface{})
}
client.Metadata["tenant_id"] = tenantID
createdClient, err := s.hydraService.CreateClient(ctx, client)
if err != nil {
return nil, fmt.Errorf("failed to create hydra client: %w", err)
}
// 2. Create Record in DB
rp := &domain.RelyingParty{
ClientID: createdClient.ClientID,
TenantID: tenantID,
Name: createdClient.ClientName,
Description: "", // Hydra doesn't have description field standard, maybe in metadata?
}
if err := s.repo.Create(ctx, rp); err != nil {
// Rollback: Delete Hydra Client
_ = s.hydraService.DeleteClient(ctx, createdClient.ClientID)
return nil, fmt.Errorf("failed to create relying party in db: %w", err)
}
// 3. Create Relation in Keto
// RelyingParty:<client_id>#parent_tenant@Tenant:<tenant_id>
err = s.ketoService.CreateRelation(ctx, "RelyingParty", createdClient.ClientID, "parent_tenant", "Tenant:"+tenantID)
if err != nil {
slog.Error("Failed to create keto relation for relying party", "error", err, "client_id", createdClient.ClientID)
// We don't rollback here, but we should probably have a background job to fix this.
// Or return error and let caller decide? For MVP, logging error is acceptable as per issue discussion (Eventual Consistency preferred).
}
return rp, nil
}
func (s *relyingPartyService) Get(ctx context.Context, clientID string) (*domain.RelyingParty, *domain.HydraClient, error) {
// Get from DB
rp, err := s.repo.FindByID(ctx, clientID)
if err != nil {
return nil, nil, err
}
// Get from Hydra
hydraClient, err := s.hydraService.GetClient(ctx, clientID)
if err != nil {
return nil, nil, err
}
return rp, hydraClient, nil
}
func (s *relyingPartyService) List(ctx context.Context, tenantID string) ([]domain.RelyingParty, error) {
return s.repo.ListByTenantID(ctx, tenantID)
}
func (s *relyingPartyService) Update(ctx context.Context, clientID string, client domain.HydraClient) (*domain.RelyingParty, error) {
// Update Hydra
updatedClient, err := s.hydraService.UpdateClient(ctx, clientID, client)
if err != nil {
return nil, err
}
// Update DB
rp, err := s.repo.FindByID(ctx, clientID)
if err != nil {
return nil, err
}
rp.Name = updatedClient.ClientName
// Update other fields if necessary
if err := s.repo.Update(ctx, rp); err != nil {
return nil, err
}
return rp, nil
}
func (s *relyingPartyService) Delete(ctx context.Context, clientID string) error {
// Delete from DB
if err := s.repo.Delete(ctx, clientID); err != nil {
return err
}
// Delete from Hydra
if err := s.hydraService.DeleteClient(ctx, clientID); err != nil {
slog.Error("Failed to delete hydra client", "error", err, "client_id", clientID)
// Proceeding...
}
// Delete from Keto (Optional, but good practice to clean up)
// We might not know the tenant ID here without querying DB first, but if DB is deleted, we might miss it.
//Ideally, we should query DB first.
// But `DeleteRelation` requires specific object/relation/subject.
// If we want to delete ALL relations for this object, Keto API supports that?
// `DeleteRelation` in our service wrapper is specific.
// We can skip explicit Keto deletion for now as orphaned tuples are less critical than orphaned resources.
return nil
}