
ReBAC 고도화 및 애플리케이션 관리 시스템 통합 구현

This commit is contained in:
2026-02-04 15:01:13 +09:00
parent 066ea86f46
commit 7e09764ad9
21 changed files with 1532 additions and 62 deletions


@@ -101,7 +101,7 @@ func validateScope(method, path string, rawScopes string) bool {
}
// 3. 테넌트 관리 관련 (tenant:*)
if strings.Contains(path, "/admin/tenants") {
if strings.Contains(path, "/admin/tenants") || strings.Contains(path, "/admin/relying-parties") {
if method == fiber.MethodGet {
return scopeMap["tenant:read"]
}
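Review bot: `strings.Contains` matches the new `/admin/relying-parties` segment anywhere in the path, not only at the route root, so any request path that merely embeds that substring is routed into the tenant scope mapping; the same loose match was already used for `/admin/tenants`, and this line widens it rather than introducing it. If `path` is the bare route path, a prefix test is the tighter check, `if strings.HasPrefix(path, "/admin/tenants") || strings.HasPrefix(path, "/admin/relying-parties") {`; if it carries a mount prefix that is not visible here, anchor on the segment boundary instead. Only the GET → `tenant:read` branch is inside the hunk, so whether relying-party writes are meant to fall under the tenant write scopes cannot be confirmed from this view; a one-line comment stating the intent, such as `// relying parties are administered under the tenant:* scopes`, would make the grouping explicit. The enclosing validateScope body continues outside the hunk.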


@@ -18,16 +18,14 @@ type RBACConfig struct {
// RequireKetoPermission enforces permissions using Ory Keto (ReBAC)
func RequireKetoPermission(config RBACConfig, namespace, relation string) fiber.Handler {
return func(c *fiber.Ctx) error {
// Bypass if already authenticated via API Key
if c.Locals("apiKeyName") != nil {
return c.Next()
}
profile, err := config.AuthHandler.GetEnrichedProfile(c)
if err != nil {
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "unauthorized"})
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "unauthorized (trace:rbac_keto)"})
}
// Store profile in locals for further use in handlers
c.Locals("user_profile", profile)
// Super Admin bypass
if profile.Role == domain.RoleSuperAdmin {
return c.Next()
@@ -65,10 +63,13 @@ func RequireRole(config RBACConfig) fiber.Handler {
profile, err := config.AuthHandler.GetEnrichedProfile(c)
if err != nil {
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{
"error": "unauthorized: " + err.Error(),
"error": "unauthorized (trace:rbac_role): " + err.Error(),
})
}
// Store profile in locals for further use in handlers
c.Locals("user_profile", profile)
// Super Admin always has access
if profile.Role == domain.RoleSuperAdmin {
return c.Next()
@@ -112,9 +113,12 @@ func RequireTenantMatch(config RBACConfig) fiber.Handler {
profile, err := config.AuthHandler.GetEnrichedProfile(c)
if err != nil {
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "unauthorized"})
return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "unauthorized (trace:rbac_match)"})
}
// Store profile in locals for further use in handlers
c.Locals("user_profile", profile)
// Super Admin bypass
if profile.Role == domain.RoleSuperAdmin {
return c.Next()