forked from baron/baron-sso
ReBAC 고도화 및 애플리케이션 관리 시스템 통합 구현
This commit is contained in:
@@ -3424,6 +3424,53 @@ func (h *AuthHandler) AcceptOidcLoginRequest(c *fiber.Ctx) error {
|
||||
}
|
||||
|
||||
func (h *AuthHandler) resolveCurrentProfile(c *fiber.Ctx) (*domain.UserProfileResponse, error) {
|
||||
slog.Info("🚨 [FATAL_DEBUG] ENVIRONMENT CHECK",
|
||||
"APP_ENV", os.Getenv("APP_ENV"),
|
||||
"GO_ENV", os.Getenv("GO_ENV"),
|
||||
"X-Test-Role", c.Get("X-Test-Role"),
|
||||
)
|
||||
slog.Info("🚀 [TRACE] resolveCurrentProfile entry", "path", c.Path(), "method", c.Method())
|
||||
// [Dev Only] Mock Role Bypass
|
||||
appEnv := strings.ToLower(os.Getenv("APP_ENV"))
|
||||
mockRole := c.Get("X-Test-Role")
|
||||
if mockRole == "" {
|
||||
mockRole = c.Get("X-Mock-Role")
|
||||
}
|
||||
|
||||
// Always log in development to see what's happening
|
||||
if appEnv == "dev" || appEnv == "development" || appEnv == "" {
|
||||
slog.Info("🔍 [AUTH_DEBUG] Checking mock role",
|
||||
"env", appEnv,
|
||||
"mockRole", mockRole,
|
||||
"X-Test-Role", c.Get("X-Test-Role"),
|
||||
"X-Mock-Role", c.Get("X-Mock-Role"),
|
||||
)
|
||||
}
|
||||
|
||||
// If in dev mode and we have a mock role, bypass Kratos
|
||||
if (appEnv == "dev" || appEnv == "development" || appEnv == "") && mockRole != "" {
|
||||
slog.Info("🔑 [AUTH_DEBUG] Mock bypass SUCCESS", "role", mockRole)
|
||||
mockProfile := &domain.UserProfileResponse{
|
||||
ID: "00000000-0000-0000-0000-000000000000",
|
||||
Email: "mock@hmac.kr",
|
||||
Name: "Dev Mock User",
|
||||
Role: mockRole,
|
||||
}
|
||||
if tid := c.Get("X-Tenant-ID"); tid != "" {
|
||||
mockProfile.TenantID = &tid
|
||||
}
|
||||
return mockProfile, nil
|
||||
}
|
||||
|
||||
// Mock bypass failed - log headers for debugging if in dev
|
||||
if appEnv == "dev" || appEnv == "development" || appEnv == "" {
|
||||
slog.Warn("⚠️ [DEBUG] Mock auth bypass failed",
|
||||
"appEnv", appEnv,
|
||||
"X-Test-Role", c.Get("X-Test-Role"),
|
||||
"X-Mock-Role", c.Get("X-Mock-Role"),
|
||||
"path", c.Path())
|
||||
}
|
||||
|
||||
var profile *domain.UserProfileResponse
|
||||
var err error
|
||||
|
||||
@@ -3438,7 +3485,7 @@ func (h *AuthHandler) resolveCurrentProfile(c *fiber.Ctx) (*domain.UserProfileRe
|
||||
}
|
||||
|
||||
if err != nil || profile == nil {
|
||||
return nil, errors.New("invalid session")
|
||||
return nil, errors.New("invalid session (trace:resolve_profile)")
|
||||
}
|
||||
|
||||
// [New] Enrich with Local DB (Roles, TenantID, etc.)
|
||||
|
||||
111
backend/internal/handler/relying_party_handler.go
Normal file
111
backend/internal/handler/relying_party_handler.go
Normal file
@@ -0,0 +1,111 @@
|
||||
package handler
|
||||
|
||||
import (
|
||||
"baron-sso-backend/internal/domain"
|
||||
"baron-sso-backend/internal/service"
|
||||
"github.com/gofiber/fiber/v2"
|
||||
"log/slog"
|
||||
)
|
||||
|
||||
type RelyingPartyHandler struct {
|
||||
Service service.RelyingPartyService
|
||||
}
|
||||
|
||||
func NewRelyingPartyHandler(s service.RelyingPartyService) *RelyingPartyHandler {
|
||||
return &RelyingPartyHandler{Service: s}
|
||||
}
|
||||
|
||||
func (h *RelyingPartyHandler) Create(c *fiber.Ctx) error {
|
||||
tenantID := c.Params("tenantId")
|
||||
if tenantID == "" {
|
||||
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "tenantId is required"})
|
||||
}
|
||||
|
||||
var req domain.HydraClient
|
||||
if err := c.BodyParser(&req); err != nil {
|
||||
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid request body"})
|
||||
}
|
||||
|
||||
rp, err := h.Service.Create(c.Context(), tenantID, req)
|
||||
if err != nil {
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
|
||||
}
|
||||
|
||||
return c.Status(fiber.StatusCreated).JSON(rp)
|
||||
}
|
||||
|
||||
func (h *RelyingPartyHandler) ListAll(c *fiber.Ctx) error {
|
||||
profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse)
|
||||
if !ok {
|
||||
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "unauthorized: user profile not found in context"})
|
||||
}
|
||||
|
||||
var rps []domain.RelyingParty
|
||||
var err error
|
||||
|
||||
if profile.Role == domain.RoleSuperAdmin {
|
||||
rps, err = h.Service.ListAll(c.Context())
|
||||
} else if profile.Role == domain.RoleTenantAdmin && profile.TenantID != nil {
|
||||
rps, err = h.Service.List(c.Context(), *profile.TenantID)
|
||||
} else {
|
||||
slog.Warn("Forbidden access to all applications", "userID", profile.ID, "role", profile.Role)
|
||||
return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden: insufficient role to list all applications"})
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
|
||||
}
|
||||
|
||||
return c.JSON(rps)
|
||||
}
|
||||
|
||||
func (h *RelyingPartyHandler) List(c *fiber.Ctx) error {
|
||||
tenantID := c.Params("tenantId")
|
||||
if tenantID == "" {
|
||||
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "tenantId is required"})
|
||||
}
|
||||
|
||||
rps, err := h.Service.List(c.Context(), tenantID)
|
||||
if err != nil {
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
|
||||
}
|
||||
|
||||
return c.JSON(rps)
|
||||
}
|
||||
|
||||
func (h *RelyingPartyHandler) Get(c *fiber.Ctx) error {
|
||||
id := c.Params("id")
|
||||
rp, hydraClient, err := h.Service.Get(c.Context(), id)
|
||||
if err != nil {
|
||||
return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": "relying party not found"})
|
||||
}
|
||||
|
||||
return c.JSON(fiber.Map{
|
||||
"relyingParty": rp,
|
||||
"oauth2Config": hydraClient,
|
||||
})
|
||||
}
|
||||
|
||||
func (h *RelyingPartyHandler) Update(c *fiber.Ctx) error {
|
||||
id := c.Params("id")
|
||||
var req domain.HydraClient
|
||||
if err := c.BodyParser(&req); err != nil {
|
||||
return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid request body"})
|
||||
}
|
||||
|
||||
rp, err := h.Service.Update(c.Context(), id, req)
|
||||
if err != nil {
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
|
||||
}
|
||||
|
||||
return c.JSON(rp)
|
||||
}
|
||||
|
||||
func (h *RelyingPartyHandler) Delete(c *fiber.Ctx) error {
|
||||
id := c.Params("id")
|
||||
if err := h.Service.Delete(c.Context(), id); err != nil {
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
|
||||
}
|
||||
|
||||
return c.SendStatus(fiber.StatusNoContent)
|
||||
}
|
||||
@@ -55,12 +55,13 @@ type userListResponse struct {
|
||||
}
|
||||
|
||||
func (h *UserHandler) ListUsers(c *fiber.Ctx) error {
|
||||
if h.KratosAdmin == nil {
|
||||
return c.Status(fiber.StatusServiceUnavailable).JSON(fiber.Map{"error": "identity provider not available"})
|
||||
}
|
||||
|
||||
// [New] Get requester profile from middleware
|
||||
requester, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
|
||||
var requesterRole string
|
||||
var requesterCompany string
|
||||
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok {
|
||||
requesterRole = profile.Role
|
||||
requesterCompany = profile.CompanyCode
|
||||
}
|
||||
|
||||
limit := c.QueryInt("limit", 50)
|
||||
offset := c.QueryInt("offset", 0)
|
||||
@@ -73,52 +74,82 @@ func (h *UserHandler) ListUsers(c *fiber.Ctx) error {
|
||||
offset = 0
|
||||
}
|
||||
|
||||
// 1. Try Kratos First
|
||||
identities, err := h.KratosAdmin.ListIdentities(c.Context())
|
||||
if err == nil {
|
||||
filtered := make([]service.KratosIdentity, 0, len(identities))
|
||||
searchLower := strings.ToLower(search)
|
||||
|
||||
for _, identity := range identities {
|
||||
email := strings.ToLower(extractTraitString(identity.Traits, "email"))
|
||||
name := strings.ToLower(extractTraitString(identity.Traits, "name"))
|
||||
compCode := extractTraitString(identity.Traits, "companyCode")
|
||||
|
||||
// Tenant Admin filtering
|
||||
if requesterRole == domain.RoleTenantAdmin {
|
||||
if requesterCompany == "" || compCode != requesterCompany {
|
||||
continue
|
||||
}
|
||||
}
|
||||
|
||||
// Search filtering
|
||||
if search != "" {
|
||||
if !strings.Contains(email, searchLower) && !strings.Contains(name, searchLower) {
|
||||
continue
|
||||
}
|
||||
}
|
||||
filtered = append(filtered, identity)
|
||||
}
|
||||
|
||||
total := int64(len(filtered))
|
||||
if offset > len(filtered) {
|
||||
offset = len(filtered)
|
||||
}
|
||||
end := offset + limit
|
||||
if end > len(filtered) {
|
||||
end = len(filtered)
|
||||
}
|
||||
|
||||
items := make([]userSummary, 0, end-offset)
|
||||
for _, identity := range filtered[offset:end] {
|
||||
summary := h.mapIdentitySummary(c.Context(), identity)
|
||||
items = append(items, summary)
|
||||
}
|
||||
|
||||
return c.JSON(userListResponse{Items: items, Limit: limit, Offset: offset, Total: total})
|
||||
}
|
||||
|
||||
// 2. Fallback to Local DB if Kratos is down (Development only recommended)
|
||||
slog.Warn("Kratos unavailable, falling back to local DB for user list", "error", err)
|
||||
|
||||
// Fetch from UserRepo
|
||||
users, total, err := h.UserRepo.List(c.Context(), offset, limit, search)
|
||||
if err != nil {
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
|
||||
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "failed to fetch users from both kratos and local db"})
|
||||
}
|
||||
|
||||
filtered := make([]service.KratosIdentity, 0, len(identities))
|
||||
searchLower := strings.ToLower(search)
|
||||
|
||||
for _, identity := range identities {
|
||||
email := strings.ToLower(extractTraitString(identity.Traits, "email"))
|
||||
name := strings.ToLower(extractTraitString(identity.Traits, "name"))
|
||||
compCode := extractTraitString(identity.Traits, "companyCode")
|
||||
|
||||
// 1. Tenant Admin filtering
|
||||
if requester != nil && requester.Role == domain.RoleTenantAdmin {
|
||||
if requester.CompanyCode == "" || compCode != requester.CompanyCode {
|
||||
continue // Skip users from other tenants
|
||||
}
|
||||
}
|
||||
|
||||
// 2. Search filtering
|
||||
if search != "" {
|
||||
if !strings.Contains(email, searchLower) && !strings.Contains(name, searchLower) {
|
||||
continue
|
||||
}
|
||||
}
|
||||
|
||||
filtered = append(filtered, identity)
|
||||
items := make([]userSummary, 0, len(users))
|
||||
for _, u := range users {
|
||||
items = append(items, userSummary{
|
||||
ID: u.ID,
|
||||
Email: u.Email,
|
||||
Name: u.Name,
|
||||
Phone: u.Phone,
|
||||
Role: u.Role,
|
||||
Status: u.Status,
|
||||
CompanyCode: u.CompanyCode,
|
||||
Department: u.Department,
|
||||
CreatedAt: u.CreatedAt.Format(time.RFC3339),
|
||||
UpdatedAt: u.UpdatedAt.Format(time.RFC3339),
|
||||
})
|
||||
}
|
||||
|
||||
total := int64(len(filtered))
|
||||
if offset > len(filtered) {
|
||||
offset = len(filtered)
|
||||
}
|
||||
end := offset + limit
|
||||
if end > len(filtered) {
|
||||
end = len(filtered)
|
||||
}
|
||||
|
||||
items := make([]userSummary, 0, end-offset)
|
||||
for _, identity := range filtered[offset:end] {
|
||||
summary := h.mapIdentitySummary(c.Context(), identity)
|
||||
items = append(items, summary)
|
||||
}
|
||||
|
||||
return c.JSON(userListResponse{Items: items, Limit: limit, Offset: offset, Total: total})
|
||||
return c.JSON(userListResponse{
|
||||
Items: items,
|
||||
Total: total,
|
||||
Limit: limit,
|
||||
Offset: offset,
|
||||
})
|
||||
}
|
||||
|
||||
func (h *UserHandler) GetUser(c *fiber.Ctx) error {
|
||||
|
||||
Reference in New Issue
Block a user