테넌트 소유자, 관리자 분리

2026-03-03 12:38:27 +09:00
parent 7bb1f3f702
commit 86ef9c6f60
23 changed files with 1091 additions and 516 deletions
--- a/backend/internal/service/hydra_admin_service.go
+++ b/backend/internal/service/hydra_admin_service.go
@@ -596,3 +596,42 @@ func (s *HydraAdminService) AcceptLoginRequest(ctx context.Context, challenge st

 	return &AcceptLoginRequestResponse{RedirectTo: hydraResp.RedirectTo}, nil
 }
+
+type HydraIntrospectionResponse struct {
+	Active    bool                   `json:"active"`
+	Subject   string                 `json:"sub"`
+	ClientID  string                 `json:"client_id"`
+	Scope     string                 `json:"scope"`
+	ExpiresAt int64                  `json:"exp"`
+	IssuedAt  int64                  `json:"iat"`
+	Ext       map[string]interface{} `json:"ext"`
+}
+
+func (s *HydraAdminService) IntrospectToken(ctx context.Context, token string) (*HydraIntrospectionResponse, error) {
+	endpoint := fmt.Sprintf("%s/admin/oauth2/introspect", strings.TrimRight(s.AdminURL, "/"))
+	form := url.Values{}
+	form.Set("token", token)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, strings.NewReader(form.Encode()))
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	resp, err := s.httpClient().Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode >= 300 {
+		body, _ := io.ReadAll(io.LimitReader(resp.Body, 2048))
+		return nil, fmt.Errorf("hydra admin: introspection failed status=%d body=%s", resp.StatusCode, string(body))
+	}
+
+	var res HydraIntrospectionResponse
+	if err := json.NewDecoder(resp.Body).Decode(&res); err != nil {
+		return nil, err
+	}
+	return &res, nil
+}
--- a/backend/internal/service/tenant_service.go
+++ b/backend/internal/service/tenant_service.go
@@ -13,7 +13,7 @@ import (
 )

 type TenantService interface {
-	RegisterTenant(ctx context.Context, name, slug, tenantType, description string, domains []string, parentID *string) (*domain.Tenant, error)
+	RegisterTenant(ctx context.Context, name, slug, tenantType, description string, domains []string, parentID *string, creatorID string) (*domain.Tenant, error)
 	RequestRegistration(ctx context.Context, name, slug, description string, domainName string, adminEmail string) (*domain.Tenant, error)
 	GetTenantByDomain(ctx context.Context, emailDomain string) (*domain.Tenant, error)
 	GetTenantBySlug(ctx context.Context, slug string) (*domain.Tenant, error)
@@ -90,7 +90,7 @@ func (s *tenantService) ListManageableTenants(ctx context.Context, userID string
 	return s.repo.FindByIDs(ctx, allIDs)
 }

-func (s *tenantService) RegisterTenant(ctx context.Context, name, slug, tenantType, description string, domains []string, parentID *string) (*domain.Tenant, error) {
+func (s *tenantService) RegisterTenant(ctx context.Context, name, slug, tenantType, description string, domains []string, parentID *string, creatorID string) (*domain.Tenant, error) {
 	// Validate Slug
 	if ok, msg := utils.ValidateSlug(slug); !ok {
 		return nil, errors.New(msg)
@@ -119,15 +119,49 @@ func (s *tenantService) RegisterTenant(ctx context.Context, name, slug, tenantTy
 		return nil, err
 	}

-	// [Keto] Sync hierarchy via Outbox if ParentID exists
-	if s.outboxRepo != nil && tenant.ParentID != nil {
-		_ = s.outboxRepo.Create(ctx, &domain.KetoOutbox{
-			Namespace: "Tenant",
-			Object:    tenant.ID,
-			Relation:  "parents",
-			Subject:   "Tenant:" + *tenant.ParentID,
-			Action:    domain.KetoOutboxActionCreate,
-		})
+	// [Keto] Sync hierarchy and ownership via Outbox
+	if s.outboxRepo != nil {
+		// Sync hierarchy
+		if tenant.ParentID != nil {
+			if err := s.outboxRepo.Create(ctx, &domain.KetoOutbox{
+				Namespace: "Tenant",
+				Object:    tenant.ID,
+				Relation:  "parents",
+				Subject:   "Tenant:" + *tenant.ParentID,
+				Action:    domain.KetoOutboxActionCreate,
+			}); err != nil {
+				slog.Error("Failed to create outbox entry for tenant hierarchy", "tenant", tenant.ID, "error", err)
+			}
+		}
+
+		// Sync creator ownership
+		if creatorID != "" {
+			slog.Info("Creating outbox entries for tenant creator", "tenant", tenant.ID, "creator", creatorID)
+			// Add as owner
+			_ = s.outboxRepo.Create(ctx, &domain.KetoOutbox{
+				Namespace: "Tenant",
+				Object:    tenant.ID,
+				Relation:  "owners",
+				Subject:   "User:" + creatorID,
+				Action:    domain.KetoOutboxActionCreate,
+			})
+			// Add as admin
+			_ = s.outboxRepo.Create(ctx, &domain.KetoOutbox{
+				Namespace: "Tenant",
+				Object:    tenant.ID,
+				Relation:  "admins",
+				Subject:   "User:" + creatorID,
+				Action:    domain.KetoOutboxActionCreate,
+			})
+			// Add as member
+			_ = s.outboxRepo.Create(ctx, &domain.KetoOutbox{
+				Namespace: "Tenant",
+				Object:    tenant.ID,
+				Relation:  "members",
+				Subject:   "User:" + creatorID,
+				Action:    domain.KetoOutboxActionCreate,
+			})
+		}
 	}

 	// 3. Add Domains (Auto-verify for manual admin registration)
@@ -187,12 +221,20 @@ func (s *tenantService) ApproveTenant(ctx context.Context, id string) error {
 	// [Keto] Sync relation via Outbox
 	if s.outboxRepo != nil {
 		if adminEmail, ok := tenant.Config["adminEmail"].(string); ok && adminEmail != "" {
-			slog.Info("Queueing tenant admin sync to Keto", "tenant", tenant.Slug, "adminEmail", adminEmail)
+			slog.Info("Queueing tenant admin/owner sync to Keto", "tenant", tenant.Slug, "adminEmail", adminEmail)
 			// Check if user already exists in our Read-Model
 			if s.userRepo != nil {
 				user, err := s.userRepo.FindByEmail(ctx, adminEmail)
 				if err == nil && user != nil {
-					// User exists, assign Admin role in Keto via Outbox
+					// User exists, assign Admin, Owner, and Member roles in Keto via Outbox
+					slog.Info("Queueing tenant ownership/membership sync to Keto", "tenant", tenant.Slug, "userID", user.ID)
+					_ = s.outboxRepo.Create(ctx, &domain.KetoOutbox{
+						Namespace: "Tenant",
+						Object:    tenant.ID,
+						Relation:  "owners",
+						Subject:   "User:" + user.ID,
+						Action:    domain.KetoOutboxActionCreate,
+					})
 					_ = s.outboxRepo.Create(ctx, &domain.KetoOutbox{
 						Namespace: "Tenant",
 						Object:    tenant.ID,
@@ -200,6 +242,13 @@ func (s *tenantService) ApproveTenant(ctx context.Context, id string) error {
 						Subject:   "User:" + user.ID,
 						Action:    domain.KetoOutboxActionCreate,
 					})
+					_ = s.outboxRepo.Create(ctx, &domain.KetoOutbox{
+						Namespace: "Tenant",
+						Object:    tenant.ID,
+						Relation:  "members",
+						Subject:   "User:" + user.ID,
+						Action:    domain.KetoOutboxActionCreate,
+					})
 				} else {
 					slog.Info("Tenant admin user not found in local DB, will need manual sync or sync on signup", "email", adminEmail)
 				}
--- a/backend/internal/service/tenant_service_edge_test.go
+++ b/backend/internal/service/tenant_service_edge_test.go
@@ -21,7 +21,7 @@ func TestTenantService_RegisterTenant_DuplicateSlug(t *testing.T) {
 	// Mock: slug already exists
 	mockRepo.On("FindBySlug", ctx, slug).Return(&domain.Tenant{ID: "existing-id", Slug: slug}, nil)

-	tenant, err := svc.RegisterTenant(ctx, "New Name", slug, domain.TenantTypeCompany, "", nil, nil)
+	tenant, err := svc.RegisterTenant(ctx, "New Name", slug, domain.TenantTypeCompany, "", nil, nil, "")
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "already exists")
 	assert.Nil(t, tenant)
@@ -32,11 +32,11 @@ func TestTenantService_RegisterTenant_InvalidSlug(t *testing.T) {
 	ctx := context.Background()

 	// Case 1: Too short
-	_, err := svc.RegisterTenant(ctx, "Name", "a", domain.TenantTypeCompany, "", nil, nil)
+	_, err := svc.RegisterTenant(ctx, "Name", "a", domain.TenantTypeCompany, "", nil, nil, "")
 	assert.Error(t, err)

 	// Case 2: Invalid characters
-	_, err = svc.RegisterTenant(ctx, "Name", "Invalid Slug!", domain.TenantTypeCompany, "", nil, nil)
+	_, err = svc.RegisterTenant(ctx, "Name", "Invalid Slug!", domain.TenantTypeCompany, "", nil, nil, "")
 	assert.Error(t, err)
 }

--- a/backend/internal/service/tenant_service_test.go
+++ b/backend/internal/service/tenant_service_test.go
@@ -162,13 +162,54 @@ func TestTenantService_RegisterTenant_AutoVerify(t *testing.T) {
 	mockRepo.On("AddDomain", ctx, mock.Anything, "example.com", true).Return(nil)
 	mockRepo.On("FindBySlug", ctx, slug).Return(&domain.Tenant{ID: "t1", Slug: slug}, nil).Once()

-	tenant, err := svc.RegisterTenant(ctx, name, slug, domain.TenantTypeCompany, "", domains, nil)
+	tenant, err := svc.RegisterTenant(ctx, name, slug, domain.TenantTypeCompany, "", domains, nil, "")
 	assert.NoError(t, err)
 	assert.NotNil(t, tenant)
 	assert.Equal(t, "t1", tenant.ID)
 	mockRepo.AssertExpectations(t)
 }

+func TestTenantService_RegisterTenant_WithCreator(t *testing.T) {
+	mockRepo := new(MockTenantRepoForSvc)
+	mockOutbox := new(MockKetoOutboxRepositoryShared)
+	svc := NewTenantService(mockRepo, nil, mockOutbox)
+
+	ctx := context.Background()
+	name := "Creator Tenant"
+	slug := "creator-tenant"
+	creatorID := "creator-uuid"
+	tenantID := "t-new"
+
+	mockRepo.On("FindBySlug", ctx, slug).Return(nil, nil).Once()
+	mockRepo.On("Create", ctx, mock.MatchedBy(func(t *domain.Tenant) bool {
+		return t.Slug == slug
+	})).Run(func(args mock.Arguments) {
+		t := args.Get(1).(*domain.Tenant)
+		t.ID = tenantID
+	}).Return(nil)
+
+	// Expect owners sync
+	mockOutbox.On("Create", ctx, mock.MatchedBy(func(e *domain.KetoOutbox) bool {
+		return e.Namespace == "Tenant" && e.Object == tenantID && e.Relation == "owners" && e.Subject == "User:"+creatorID
+	})).Return(nil)
+	// Expect admins sync
+	mockOutbox.On("Create", ctx, mock.MatchedBy(func(e *domain.KetoOutbox) bool {
+		return e.Namespace == "Tenant" && e.Object == tenantID && e.Relation == "admins" && e.Subject == "User:"+creatorID
+	})).Return(nil)
+	// Expect members sync
+	mockOutbox.On("Create", ctx, mock.MatchedBy(func(e *domain.KetoOutbox) bool {
+		return e.Namespace == "Tenant" && e.Object == tenantID && e.Relation == "members" && e.Subject == "User:"+creatorID
+	})).Return(nil)
+
+	mockRepo.On("FindBySlug", ctx, slug).Return(&domain.Tenant{ID: tenantID, Slug: slug}, nil).Once()
+
+	tenant, err := svc.RegisterTenant(ctx, name, slug, domain.TenantTypeCompany, "", nil, nil, creatorID)
+	assert.NoError(t, err)
+	assert.NotNil(t, tenant)
+	mockRepo.AssertExpectations(t)
+	mockOutbox.AssertExpectations(t)
+}
+
 func TestTenantService_RequestRegistration_NoVerify(t *testing.T) {
 	mockRepo := new(MockTenantRepoForSvc)
 	mockOutbox := new(MockKetoOutboxRepositoryShared)
@@ -215,9 +256,15 @@ func TestTenantService_ApproveTenant_SyncAdmin(t *testing.T) {
 	mockRepo.On("Update", ctx, mock.Anything).Return(nil)
 	mockUserRepo.On("FindByEmail", adminEmail).Return(&domain.User{ID: userID, Email: adminEmail}, nil)
 	// Now using Outbox instead of direct Keto call
+	mockOutbox.On("Create", ctx, mock.MatchedBy(func(e *domain.KetoOutbox) bool {
+		return e.Namespace == "Tenant" && e.Object == tenantID && e.Relation == "owners" && e.Subject == "User:"+userID
+	})).Return(nil)
 	mockOutbox.On("Create", ctx, mock.MatchedBy(func(e *domain.KetoOutbox) bool {
 		return e.Namespace == "Tenant" && e.Object == tenantID && e.Relation == "admins" && e.Subject == "User:"+userID
 	})).Return(nil)
+	mockOutbox.On("Create", ctx, mock.MatchedBy(func(e *domain.KetoOutbox) bool {
+		return e.Namespace == "Tenant" && e.Object == tenantID && e.Relation == "members" && e.Subject == "User:"+userID
+	})).Return(nil)

 	err := svc.ApproveTenant(ctx, tenantID)
 	assert.NoError(t, err)