adminfront 조직 통계오류 보정. Kratos Projection용 통계테이블 구조 추가

2026-05-11 13:01:55 +09:00
parent 9a64a16cb9
commit 843b4100ad
36 changed files with 2022 additions and 169 deletions
--- a/test/auth_config_orgfront_callback_test.sh
+++ b/test/auth_config_orgfront_callback_test.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+OUTPUT_FILE="$ROOT_DIR/config/.generated/auth-config.env"
+
+bash "$ROOT_DIR/scripts/auth_config.sh" build >/tmp/baron-auth-config-orgfront-test.log
+
+orgfront_callbacks="$(grep -E '^ORGFRONT_CALLBACK_URLS=' "$OUTPUT_FILE" | cut -d= -f2- || true)"
+if [[ -z "$orgfront_callbacks" ]]; then
+  echo "ERROR: generated auth config must include ORGFRONT_CALLBACK_URLS." >&2
+  exit 1
+fi
+
+first_orgfront_callback="${orgfront_callbacks%%,*}"
+if [[ -z "$first_orgfront_callback" ]]; then
+  echo "ERROR: generated ORGFRONT_CALLBACK_URLS must not be empty." >&2
+  exit 1
+fi
+
+allowed_returns="$(grep -E '^KRATOS_ALLOWED_RETURN_URLS_JSON=' "$OUTPUT_FILE" | cut -d= -f2- || true)"
+if ! grep -Fq "$first_orgfront_callback" <<<"$allowed_returns"; then
+  echo "ERROR: KRATOS_ALLOWED_RETURN_URLS_JSON must include orgfront callback: $first_orgfront_callback" >&2
+  exit 1
+fi
+
+echo "OK: auth config includes OrgFront callback URLs"
--- a/test/oathkeeper_kratos_public_exposure_policy_test.sh
+++ b/test/oathkeeper_kratos_public_exposure_policy_test.sh
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+failures=0
+
+rule_files=()
+while IFS= read -r file; do
+  rule_files+=("$file")
+done < <(find \
+  "$repo_root/docker/ory/oathkeeper" \
+  "$repo_root/config/.generated/ory/oathkeeper" \
+  -maxdepth 1 -name 'rules*.json' -print | sort)
+
+for file in "${rule_files[@]}"; do
+  if grep -Eq '"id"[[:space:]]*:[[:space:]]*"kratos-public"' "$file"; then
+    echo "ERROR: $file must not define a public Kratos proxy rule." >&2
+    failures=$((failures + 1))
+  fi
+  if grep -Eq '"url"[[:space:]]*:[[:space:]]*"[^"]*/kratos/<\.\*>"' "$file"; then
+    echo "ERROR: $file must not expose Kratos under /kratos." >&2
+    failures=$((failures + 1))
+  fi
+  if grep -Eq '"url"[[:space:]]*:[[:space:]]*"http://kratos:4433"' "$file"; then
+    echo "ERROR: $file must not proxy public requests directly to kratos:4433." >&2
+    failures=$((failures + 1))
+  fi
+done
+
+for compose_file in \
+  "$repo_root/compose.ory.yaml" \
+  "$repo_root/docker/compose.ory.yaml" \
+  "$repo_root/docker/staging_pull_compose.template.yaml" \
+  "$repo_root/deploy/templates/docker-compose.yaml"
+do
+  kratos_block="$(
+    awk '
+      /^[[:space:]]+kratos:/ { in_block=1; print; next }
+      in_block && /^[[:space:]]+[A-Za-z0-9_-]+:/ { exit }
+      in_block { print }
+    ' "$compose_file"
+  )"
+  if grep -Eq '^[[:space:]]+ports:' <<<"$kratos_block"; then
+    echo "ERROR: $compose_file must not publish Kratos ports directly." >&2
+    failures=$((failures + 1))
+  fi
+done
+
+if [[ "$failures" -gt 0 ]]; then
+  exit 1
+fi
+
+echo "OK: Kratos public API is not exposed through Oathkeeper rules or compose ports."