조직도 M2M조회 추가, 자동로그인 보완

2026-05-13 13:44:30 +09:00
parent 72288f1d39
commit 8c2b2f71ef
29 changed files with 2985 additions and 81 deletions
--- a/backend/internal/handler/auth_handler_dynamic_claims_test.go
+++ b/backend/internal/handler/auth_handler_dynamic_claims_test.go
@@ -4,6 +4,7 @@ import (
 	"baron-sso-backend/internal/domain"
 	"baron-sso-backend/internal/service"
 	"bytes"
+	"context"
 	"encoding/json"
 	"io"
 	"net/http"
@@ -35,10 +36,11 @@ func TestBuildOidcClaimsFromTraits_DynamicClaims(t *testing.T) {
 		claims := buildOidcClaimsFromTraits(traits, scopes, "")
 		assert.Equal(t, "user@baron.com", claims["email"])
 		assert.Equal(t, "홍길동", claims["name"])
+		assert.Equal(t, "primary-tenant-999", claims["tenant_id"])
 		assert.Nil(t, claims["department"])
 		assert.Nil(t, claims["grade"])

-		assert.NotNil(t, claims["tenants"])
+		assert.Nil(t, claims["tenants"])
 		assert.Contains(t, claims["joined_tenants"], "tenant-1")
 		assert.Contains(t, claims["joined_tenants"], "tenant-2")
 		assert.Contains(t, claims["joined_tenants"], "primary-tenant-999") // Should contain primary
@@ -48,11 +50,11 @@ func TestBuildOidcClaimsFromTraits_DynamicClaims(t *testing.T) {
 		claims := buildOidcClaimsFromTraits(traits, scopes, "tenant-1")
 		assert.Equal(t, "user@baron.com", claims["email"])
 		assert.Equal(t, "홍길동", claims["name"])
-		assert.Equal(t, "tenant-1", claims["tenant_id"]) // Dynamic tenant injection overwrites top-level for this context
-		assert.Equal(t, "개발팀", claims["department"])
-		assert.Equal(t, "선임", claims["grade"])
+		assert.Equal(t, "tenant-1", claims["tenant_id"])
+		assert.Nil(t, claims["department"])
+		assert.Nil(t, claims["grade"])

-		assert.NotNil(t, claims["tenants"])
+		assert.Nil(t, claims["tenants"])
 		assert.Contains(t, claims["joined_tenants"], "tenant-1")
 		assert.Contains(t, claims["joined_tenants"], "tenant-2")
 		assert.Contains(t, claims["joined_tenants"], "primary-tenant-999")
@@ -63,10 +65,10 @@ func TestBuildOidcClaimsFromTraits_DynamicClaims(t *testing.T) {
 		assert.Equal(t, "user@baron.com", claims["email"])
 		assert.Equal(t, "홍길동", claims["name"])
 		assert.Equal(t, "tenant-2", claims["tenant_id"])
-		assert.Equal(t, "재무팀", claims["department"])
-		assert.Equal(t, "팀장", claims["grade"])
+		assert.Nil(t, claims["department"])
+		assert.Nil(t, claims["grade"])

-		assert.NotNil(t, claims["tenants"])
+		assert.Nil(t, claims["tenants"])
 		assert.Contains(t, claims["joined_tenants"], "primary-tenant-999")
 	})

@@ -78,10 +80,53 @@ func TestBuildOidcClaimsFromTraits_DynamicClaims(t *testing.T) {
 		assert.Nil(t, claims["department"])
 		assert.Nil(t, claims["grade"])

-		assert.NotNil(t, claims["tenants"])
+		assert.Nil(t, claims["tenants"])
 		assert.Contains(t, claims["joined_tenants"], "tenant-1")
 		assert.Contains(t, claims["joined_tenants"], "primary-tenant-999")
 	})
+
+	t.Run("Tenant scope includes detailed tenant metadata", func(t *testing.T) {
+		claims := buildOidcClaimsFromTraits(traits, []string{"openid", "profile", "tenant"}, "tenant-1")
+		assert.Equal(t, "tenant-1", claims["tenant_id"])
+		assert.Equal(t, "개발팀", claims["department"])
+		assert.Equal(t, "선임", claims["grade"])
+		assert.NotNil(t, claims["tenants"])
+		assert.Contains(t, claims["joined_tenants"], "tenant-1")
+		assert.Contains(t, claims["joined_tenants"], "tenant-2")
+		assert.Contains(t, claims["joined_tenants"], "primary-tenant-999")
+	})
+}
+
+func TestRepresentativeTenantIDFromTraits(t *testing.T) {
+	t.Run("explicit tenant_id wins", func(t *testing.T) {
+		traits := map[string]any{
+			"tenant_id": "01970f0a-5c28-74d8-a73a-f6e9e9a7b210",
+			"additionalAppointments": []any{
+				map[string]any{"tenantId": "01970f0b-3448-7bb8-bdc7-16b6a1d2e661", "isPrimary": true},
+			},
+		}
+		assert.Equal(t, "01970f0a-5c28-74d8-a73a-f6e9e9a7b210", representativeTenantIDFromTraits(traits))
+	})
+
+	t.Run("primary appointment wins when tenant_id is absent", func(t *testing.T) {
+		traits := map[string]any{
+			"additionalAppointments": []any{
+				map[string]any{"tenantId": "01970f0b-3448-7bb8-bdc7-16b6a1d2e661"},
+				map[string]any{"tenantId": "01970f0c-8c44-7069-9f20-7d28c0b8e630", "representative": true},
+			},
+		}
+		assert.Equal(t, "01970f0c-8c44-7069-9f20-7d28c0b8e630", representativeTenantIDFromTraits(traits))
+	})
+
+	t.Run("first appointment is fallback", func(t *testing.T) {
+		traits := map[string]any{
+			"additionalAppointments": []any{
+				map[string]any{"tenantId": "01970f0b-3448-7bb8-bdc7-16b6a1d2e661"},
+				map[string]any{"tenantId": "01970f0c-8c44-7069-9f20-7d28c0b8e630"},
+			},
+		}
+		assert.Equal(t, "01970f0b-3448-7bb8-bdc7-16b6a1d2e661", representativeTenantIDFromTraits(traits))
+	})
 }

 func TestAcceptConsentRequest_DynamicClaims(t *testing.T) {
@@ -92,7 +137,7 @@ func TestAcceptConsentRequest_DynamicClaims(t *testing.T) {
 		if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-dynamic" {
 			return httpJSONAny(r, http.StatusOK, map[string]interface{}{
 				"challenge":       "challenge-dynamic",
-				"requested_scope": []string{"openid", "profile"},
+				"requested_scope": []string{"openid", "profile", "tenant"},
 				"subject":         "user-123",
 				"client": map[string]interface{}{
 					"client_id": "client-app",
@@ -162,7 +207,7 @@ func TestAcceptConsentRequest_DynamicClaims(t *testing.T) {

 	reqBody, _ := json.Marshal(map[string]interface{}{
 		"consent_challenge": "challenge-dynamic",
-		"grant_scope":       []string{"openid", "profile"},
+		"grant_scope":       []string{"openid", "profile", "tenant"},
 	})
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/consent/accept", bytes.NewReader(reqBody))
 	req.Header.Set("Content-Type", "application/json")
@@ -179,6 +224,293 @@ func TestAcceptConsentRequest_DynamicClaims(t *testing.T) {
 	assert.Equal(t, "Architect", capturedClaims["position"])
 }

+func TestAcceptConsentRequest_UsesRepresentativeTenantIDInsteadOfClientTenantContext(t *testing.T) {
+	var capturedClaims map[string]interface{}
+
+	representativeTenantID := "01970f0a-5c28-74d8-a73a-f6e9e9a7b210"
+	rpContextTenantID := "01970f0b-3448-7bb8-bdc7-16b6a1d2e661"
+
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-representative-tenant" {
+			return httpJSONAny(r, http.StatusOK, map[string]interface{}{
+				"challenge":       "challenge-representative-tenant",
+				"requested_scope": []string{"openid", "profile", "tenant"},
+				"subject":         "user-representative",
+				"client": map[string]interface{}{
+					"client_id": "client-app",
+					"metadata": map[string]interface{}{
+						"tenant_id": rpContextTenantID,
+					},
+				},
+			}), nil
+		}
+		if r.URL.Path == "/oauth2/auth/requests/consent/accept" && r.URL.Query().Get("consent_challenge") == "challenge-representative-tenant" {
+			body, _ := io.ReadAll(r.Body)
+			var acceptReq map[string]interface{}
+			json.Unmarshal(body, &acceptReq)
+			if session, ok := acceptReq["session"].(map[string]interface{}); ok {
+				capturedClaims = session["id_token"].(map[string]interface{})
+			}
+
+			return httpJSONAny(r, http.StatusOK, map[string]interface{}{
+				"redirect_to": "http://rp/cb",
+			}), nil
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	})
+
+	client := &http.Client{Transport: transport}
+	h := &AuthHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: client,
+		},
+		KratosAdmin: new(MockKratosAdminService),
+	}
+	h.KratosAdmin.(*MockKratosAdminService).On("GetIdentity", mock.Anything, "user-representative").Return(&service.KratosIdentity{
+		ID: "user-representative",
+		Traits: map[string]interface{}{
+			"email": "user@test.com",
+			"name":  "Test User",
+			"additionalAppointments": []interface{}{
+				map[string]interface{}{"tenantId": representativeTenantID, "isPrimary": true},
+				map[string]interface{}{"tenantId": rpContextTenantID},
+			},
+		},
+	}, nil)
+
+	app := fiber.New()
+	app.Post("/api/v1/auth/consent/accept", h.AcceptConsentRequest)
+
+	reqBody, _ := json.Marshal(map[string]interface{}{
+		"consent_challenge": "challenge-representative-tenant",
+		"grant_scope":       []string{"openid", "profile"},
+	})
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/consent/accept", bytes.NewReader(reqBody))
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := app.Test(req)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	assert.NotNil(t, capturedClaims)
+	assert.Equal(t, representativeTenantID, capturedClaims["tenant_id"])
+	assert.Contains(t, capturedClaims["joined_tenants"], representativeTenantID)
+	assert.Contains(t, capturedClaims["joined_tenants"], rpContextTenantID)
+	assert.Nil(t, capturedClaims["tenants"])
+}
+
+func TestAcceptConsentRequest_IncludesHanmacFamilyTenantClaimDetails(t *testing.T) {
+	var capturedClaims map[string]interface{}
+	deptID := "01970f0a-5c28-74d8-a73a-f6e9e9a7b210"
+	secondDeptID := "01970f0b-3448-7bb8-bdc7-16b6a1d2e661"
+	companyID := "01970f08-91da-7286-bd19-882fb98d1f2c"
+	rootID := "01970f07-4f01-7d9a-a71e-b53ad508f345"
+
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-hanmac-tenant-claim" {
+			return httpJSONAny(r, http.StatusOK, map[string]interface{}{
+				"challenge":       "challenge-hanmac-tenant-claim",
+				"requested_scope": []string{"openid", "profile", "tenant"},
+				"subject":         "user-hanmac",
+				"client": map[string]interface{}{
+					"client_id": "hanmac-rp",
+					"metadata": map[string]interface{}{
+						"tenant_id": deptID,
+					},
+				},
+			}), nil
+		}
+		if r.URL.Path == "/oauth2/auth/requests/consent/accept" && r.URL.Query().Get("consent_challenge") == "challenge-hanmac-tenant-claim" {
+			body, _ := io.ReadAll(r.Body)
+			var acceptReq map[string]interface{}
+			json.Unmarshal(body, &acceptReq)
+			if session, ok := acceptReq["session"].(map[string]interface{}); ok {
+				capturedClaims = session["id_token"].(map[string]interface{})
+			}
+
+			return httpJSONAny(r, http.StatusOK, map[string]interface{}{
+				"redirect_to": "http://rp/cb",
+			}), nil
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	})
+
+	client := &http.Client{Transport: transport}
+	h := &AuthHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: client,
+		},
+		KratosAdmin: new(MockKratosAdminService),
+	}
+	h.KratosAdmin.(*MockKratosAdminService).On("GetIdentity", mock.Anything, "user-hanmac").Return(&service.KratosIdentity{
+		ID: "user-hanmac",
+		Traits: map[string]interface{}{
+			"email": "hanmac-user@example.com",
+			"name":  "한맥 사용자",
+			"additionalAppointments": []interface{}{
+				map[string]interface{}{
+					"tenantId":  deptID,
+					"isPrimary": true,
+					"isOwner":   true,
+					"grade":     "책임",
+					"jobTitle":  "기술기획",
+					"position":  "팀장",
+				},
+				map[string]interface{}{
+					"tenantId":  secondDeptID,
+					"isPrimary": false,
+					"isOwner":   false,
+					"grade":     "선임",
+					"jobTitle":  "품질관리",
+					"position":  "파트원",
+				},
+			},
+		},
+	}, nil)
+
+	mockTenantSvc := new(MockTenantService)
+	mockTenantSvc.On("ListJoinedTenants", mock.Anything, "user-hanmac").Return([]domain.Tenant{}, nil)
+	mockTenantSvc.On("GetTenant", mock.Anything, deptID).Return(&domain.Tenant{
+		ID:       deptID,
+		Slug:     "tech-planning",
+		Name:     "기술기획팀",
+		Type:     domain.TenantTypeUserGroup,
+		ParentID: &companyID,
+	}, nil)
+	mockTenantSvc.On("GetTenant", mock.Anything, secondDeptID).Return(&domain.Tenant{
+		ID:       secondDeptID,
+		Slug:     "quality",
+		Name:     "품질관리팀",
+		Type:     domain.TenantTypeUserGroup,
+		ParentID: &companyID,
+	}, nil)
+	mockTenantSvc.On("GetTenant", mock.Anything, companyID).Return(&domain.Tenant{
+		ID:       companyID,
+		Slug:     "hanmac",
+		Name:     "한맥기술",
+		Type:     domain.TenantTypeCompany,
+		ParentID: &rootID,
+	}, nil)
+	mockTenantSvc.On("GetTenant", mock.Anything, rootID).Return(&domain.Tenant{
+		ID:   rootID,
+		Slug: "hanmac-family",
+		Name: "한맥가족",
+		Type: domain.TenantTypeCompanyGroup,
+	}, nil)
+	h.TenantService = mockTenantSvc
+
+	app := fiber.New()
+	app.Post("/api/v1/auth/consent/accept", h.AcceptConsentRequest)
+
+	reqBody, _ := json.Marshal(map[string]interface{}{
+		"consent_challenge": "challenge-hanmac-tenant-claim",
+		"grant_scope":       []string{"openid", "profile", "tenant"},
+	})
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/consent/accept", bytes.NewReader(reqBody))
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := app.Test(req)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	assert.NotNil(t, capturedClaims)
+	assert.Equal(t, []interface{}{deptID}, capturedClaims["lead_tenants"])
+	assert.ElementsMatch(t, []interface{}{deptID, secondDeptID}, capturedClaims["joined_tenants"])
+	tenants := capturedClaims["tenants"].(map[string]interface{})
+	dept := tenants[deptID].(map[string]interface{})
+	assert.Equal(t, true, dept["lead"])
+	assert.Equal(t, true, dept["representative"])
+	assert.Equal(t, "책임", dept["grade"])
+	assert.Equal(t, "기술기획", dept["jobTitle"])
+	assert.Equal(t, "팀장", dept["position"])
+	assert.Equal(t, companyID, dept["parentTenantId"])
+	assert.NotContains(t, dept, "parentTenant")
+
+	ancestors := dept["ancestors"].([]interface{})
+	assert.Len(t, ancestors, 2)
+	companyAncestor := ancestors[0].(map[string]interface{})
+	assert.Equal(t, companyID, companyAncestor["id"])
+	assert.Equal(t, "hanmac", companyAncestor["slug"])
+	assert.Equal(t, rootID, companyAncestor["parentTenantId"])
+	assert.NotContains(t, companyAncestor, "parentTenant")
+	rootAncestor := ancestors[1].(map[string]interface{})
+	assert.Equal(t, rootID, rootAncestor["id"])
+	assert.Equal(t, "hanmac-family", rootAncestor["slug"])
+	assert.Contains(t, rootAncestor, "parentTenantId")
+	assert.Nil(t, rootAncestor["parentTenantId"])
+	assert.NotContains(t, rootAncestor, "parentTenant")
+
+	secondDept := tenants[secondDeptID].(map[string]interface{})
+	assert.Equal(t, false, secondDept["lead"])
+	assert.Equal(t, false, secondDept["representative"])
+	assert.Equal(t, "선임", secondDept["grade"])
+	assert.Equal(t, "품질관리", secondDept["jobTitle"])
+	assert.Equal(t, "파트원", secondDept["position"])
+	assert.Equal(t, companyID, secondDept["parentTenantId"])
+}
+
+func TestWithHanmacFamilyTenantClaims_DefaultClaimsOnlyWithoutTenantScope(t *testing.T) {
+	deptID := "01970f0a-5c28-74d8-a73a-f6e9e9a7b210"
+	secondDeptID := "01970f0b-3448-7bb8-bdc7-16b6a1d2e661"
+	companyID := "01970f08-91da-7286-bd19-882fb98d1f2c"
+	rootID := "01970f07-4f01-7d9a-a71e-b53ad508f345"
+
+	mockTenantSvc := new(MockTenantService)
+	mockTenantSvc.On("GetTenant", mock.Anything, deptID).Return(&domain.Tenant{
+		ID:       deptID,
+		Slug:     "tech-planning",
+		Name:     "기술기획팀",
+		Type:     domain.TenantTypeUserGroup,
+		ParentID: &companyID,
+	}, nil)
+	mockTenantSvc.On("GetTenant", mock.Anything, secondDeptID).Return(&domain.Tenant{
+		ID:       secondDeptID,
+		Slug:     "quality",
+		Name:     "품질관리팀",
+		Type:     domain.TenantTypeUserGroup,
+		ParentID: &companyID,
+	}, nil)
+	mockTenantSvc.On("GetTenant", mock.Anything, companyID).Return(&domain.Tenant{
+		ID:       companyID,
+		Slug:     "hanmac",
+		Name:     "한맥기술",
+		Type:     domain.TenantTypeCompany,
+		ParentID: &rootID,
+	}, nil)
+	mockTenantSvc.On("GetTenant", mock.Anything, rootID).Return(&domain.Tenant{
+		ID:   rootID,
+		Slug: "hanmac-family",
+		Name: "한맥가족",
+		Type: domain.TenantTypeCompanyGroup,
+	}, nil)
+
+	h := &AuthHandler{TenantService: mockTenantSvc}
+	claims := map[string]any{"tenant_id": deptID}
+	traits := map[string]any{
+		"additionalAppointments": []any{
+			map[string]any{
+				"tenantId":  deptID,
+				"isPrimary": true,
+				"isOwner":   true,
+				"grade":     "책임",
+			},
+			map[string]any{
+				"tenantId": secondDeptID,
+				"grade":    "선임",
+			},
+		},
+	}
+
+	claims = h.withHanmacFamilyTenantClaims(context.Background(), claims, traits, []string{"openid", "profile"})
+
+	assert.Equal(t, deptID, claims["tenant_id"])
+	assert.ElementsMatch(t, []string{deptID, secondDeptID}, claims["joined_tenants"])
+	assert.NotContains(t, claims, "tenants")
+	assert.NotContains(t, claims, "lead_tenants")
+}
+
 func TestAcceptConsentRequest_IncludesRPProfileClaims(t *testing.T) {
 	var capturedClaims map[string]interface{}

@@ -186,7 +518,7 @@ func TestAcceptConsentRequest_IncludesRPProfileClaims(t *testing.T) {
 		if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-rp-profile" {
 			return httpJSONAny(r, http.StatusOK, map[string]interface{}{
 				"challenge":       "challenge-rp-profile",
-				"requested_scope": []string{"openid", "profile"},
+				"requested_scope": []string{"openid", "profile", "tenant"},
 				"subject":         "user-123",
 				"client": map[string]interface{}{
 					"client_id": "client-app",
@@ -284,7 +616,7 @@ func TestGetConsentRequest_Skip_DynamicClaims(t *testing.T) {
 		if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-skip-dynamic" {
 			return httpJSONAny(r, http.StatusOK, map[string]interface{}{
 				"challenge":       "challenge-skip-dynamic",
-				"requested_scope": []string{"openid", "profile"},
+				"requested_scope": []string{"openid", "profile", "tenant"},
 				"skip":            true,
 				"subject":         "user-456",
 				"client": map[string]interface{}{