forked from baron/baron-sso
dev/rp 권한 체크 permit 기준으로 변환
This commit is contained in:
@@ -254,6 +254,88 @@ func managedClientIDsFromProfile(profile *domain.UserProfileResponse) map[string
|
||||
return ids
|
||||
}
|
||||
|
||||
func ketoSubjectFromProfile(profile *domain.UserProfileResponse) string {
|
||||
if profile == nil {
|
||||
return ""
|
||||
}
|
||||
id := strings.TrimSpace(profile.ID)
|
||||
if id == "" {
|
||||
return ""
|
||||
}
|
||||
return "User:" + id
|
||||
}
|
||||
|
||||
func (h *DevHandler) checkProfileKetoPermission(c *fiber.Ctx, profile *domain.UserProfileResponse, namespace, object, relation string) (bool, error) {
|
||||
if profile == nil {
|
||||
return false, nil
|
||||
}
|
||||
if normalizeUserRole(profile.Role) == domain.RoleSuperAdmin {
|
||||
return true, nil
|
||||
}
|
||||
if h.Keto == nil {
|
||||
return false, nil
|
||||
}
|
||||
subject := ketoSubjectFromProfile(profile)
|
||||
if subject == "" {
|
||||
return false, nil
|
||||
}
|
||||
return h.Keto.CheckPermission(c.Context(), subject, namespace, object, relation)
|
||||
}
|
||||
|
||||
func (h *DevHandler) canViewClientByPermit(c *fiber.Ctx, profile *domain.UserProfileResponse, summary clientSummary) bool {
|
||||
if profile == nil {
|
||||
return false
|
||||
}
|
||||
if normalizeUserRole(profile.Role) == domain.RoleSuperAdmin {
|
||||
return true
|
||||
}
|
||||
|
||||
clientTenantID := resolveClientTenantID(summary)
|
||||
if clientTenantID != "" {
|
||||
if allowed, err := h.checkProfileKetoPermission(c, profile, "Tenant", clientTenantID, "view_dev_console"); err == nil && allowed {
|
||||
return true
|
||||
}
|
||||
}
|
||||
|
||||
allowed, err := h.checkProfileKetoPermission(c, profile, "RelyingParty", summary.ID, "view")
|
||||
return err == nil && allowed
|
||||
}
|
||||
|
||||
func (h *DevHandler) canManageTenantClientsByPermit(c *fiber.Ctx, profile *domain.UserProfileResponse, tenantID string) bool {
|
||||
if strings.TrimSpace(tenantID) == "" {
|
||||
return false
|
||||
}
|
||||
allowed, err := h.checkProfileKetoPermission(c, profile, "Tenant", tenantID, "grant_dev_permissions")
|
||||
return err == nil && allowed
|
||||
}
|
||||
|
||||
func (h *DevHandler) canOperateClientByPermit(c *fiber.Ctx, profile *domain.UserProfileResponse, summary clientSummary, relation string) bool {
|
||||
allowed, err := h.checkProfileKetoPermission(c, profile, "RelyingParty", summary.ID, relation)
|
||||
return err == nil && allowed
|
||||
}
|
||||
|
||||
func canAccessClientByLegacyScope(profile *domain.UserProfileResponse, summary clientSummary) bool {
|
||||
if profile == nil {
|
||||
return false
|
||||
}
|
||||
|
||||
role := normalizeUserRole(profile.Role)
|
||||
if role == domain.RoleSuperAdmin {
|
||||
return true
|
||||
}
|
||||
if !isDevConsoleRoleAllowed(role) {
|
||||
return false
|
||||
}
|
||||
|
||||
userTenantID := tenantIDFromProfile(profile)
|
||||
clientTenantID := resolveClientTenantID(summary)
|
||||
if userTenantID != "" && clientTenantID != "" && clientTenantID != userTenantID {
|
||||
return false
|
||||
}
|
||||
|
||||
return isRPAdminClientAllowed(profile, summary.ID)
|
||||
}
|
||||
|
||||
func resolveClientTenantID(summary clientSummary) string {
|
||||
if summary.Metadata == nil {
|
||||
return ""
|
||||
@@ -364,7 +446,7 @@ func (h *DevHandler) checkAppManagerPermission(c *fiber.Ctx) (bool, error) {
|
||||
}
|
||||
|
||||
// Check with Keto: System:global#manage_all
|
||||
allowed, err := h.Keto.CheckPermission(c.Context(), subject, "System", "global", "manage_all")
|
||||
allowed, err := h.Keto.CheckPermission(c.Context(), "User:"+subject, "System", "global", "manage_all")
|
||||
if err != nil {
|
||||
// Fail closed for dev private endpoints: deny on permission backend error.
|
||||
slog.Warn("Dev private permission check failed; denying access", "subject", subject, "error", err)
|
||||
@@ -443,7 +525,7 @@ func (h *DevHandler) checkAppManagerPermission(c *fiber.Ctx) (bool, error) {
|
||||
}
|
||||
|
||||
// Check with Keto: System:global#manage_all
|
||||
allowed, err := h.Keto.CheckPermission(c.Context(), tokenSubject, "System", "global", "manage_all")
|
||||
allowed, err := h.Keto.CheckPermission(c.Context(), "User:"+tokenSubject, "System", "global", "manage_all")
|
||||
if err != nil {
|
||||
// Fail closed for dev private endpoints: deny on permission backend error.
|
||||
slog.Warn("Dev private permission check failed; denying access", "subject", tokenSubject, "error", err)
|
||||
@@ -589,9 +671,6 @@ func (h *DevHandler) ListClients(c *fiber.Ctx) error {
|
||||
userTenantID := tenantIDFromProfile(profile)
|
||||
isSuperAdmin := role == domain.RoleSuperAdmin
|
||||
allowedClientIDs := managedClientIDsFromProfile(profile)
|
||||
if role == domain.RoleRPAdmin && len(allowedClientIDs) == 0 {
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin has no managed clients")
|
||||
}
|
||||
|
||||
isAppManager, err := h.checkAppManagerPermission(c)
|
||||
if err != nil {
|
||||
@@ -626,18 +705,24 @@ func (h *DevHandler) ListClients(c *fiber.Ctx) error {
|
||||
// 2. [Isolation] If not SuperAdmin, only show clients belonging to the same tenant
|
||||
if !isSuperAdmin {
|
||||
clientTenantID, _ := summary.Metadata["tenant_id"].(string)
|
||||
if clientTenantID != userTenantID {
|
||||
if clientTenantID != userTenantID && !h.canViewClientByPermit(c, profile, summary) {
|
||||
continue
|
||||
}
|
||||
}
|
||||
|
||||
// 3. [Role Scope] RP Admin can only access managed RP IDs
|
||||
if role == domain.RoleRPAdmin {
|
||||
// 3. [Role Scope] RP Admin can only access managed RP IDs unless explicit Keto permit exists
|
||||
if role == domain.RoleRPAdmin && len(allowedClientIDs) > 0 {
|
||||
if _, ok := allowedClientIDs[summary.ID]; !ok {
|
||||
continue
|
||||
if !h.canViewClientByPermit(c, profile, summary) {
|
||||
continue
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if !isSuperAdmin && !canAccessClientByLegacyScope(profile, summary) && !h.canViewClientByPermit(c, profile, summary) {
|
||||
continue
|
||||
}
|
||||
|
||||
items = append(items, summary)
|
||||
}
|
||||
|
||||
@@ -677,16 +762,7 @@ func (h *DevHandler) GetClient(c *fiber.Ctx) error {
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
||||
}
|
||||
|
||||
// [Tenant Isolation] Check if user has access to this client
|
||||
isSuperAdmin := role == domain.RoleSuperAdmin
|
||||
userTenantID := tenantIDFromProfile(profile)
|
||||
if !isSuperAdmin {
|
||||
clientTenantID := resolveClientTenantID(summary)
|
||||
if clientTenantID != userTenantID {
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant")
|
||||
}
|
||||
}
|
||||
if !isRPAdminClientAllowed(profile, summary.ID) {
|
||||
if !canAccessClientByLegacyScope(profile, summary) && !h.canViewClientByPermit(c, profile, summary) {
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
|
||||
}
|
||||
|
||||
@@ -784,16 +860,7 @@ func (h *DevHandler) UpdateClientStatus(c *fiber.Ctx) error {
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
||||
}
|
||||
|
||||
// [Tenant Isolation]
|
||||
isSuperAdmin := role == domain.RoleSuperAdmin
|
||||
userTenantID := tenantIDFromProfile(profile)
|
||||
if !isSuperAdmin {
|
||||
clientTenantID := resolveClientTenantID(summary)
|
||||
if clientTenantID != userTenantID {
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant")
|
||||
}
|
||||
}
|
||||
if !isRPAdminClientAllowed(profile, summary.ID) {
|
||||
if !canAccessClientByLegacyScope(profile, summary) && !h.canOperateClientByPermit(c, profile, summary, "change_status") {
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
|
||||
}
|
||||
|
||||
@@ -847,6 +914,12 @@ func (h *DevHandler) CreateClient(c *fiber.Ctx) error {
|
||||
if !isDevConsoleRoleAllowed(role) {
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
||||
}
|
||||
if tenantID == "" && profile.TenantID != nil {
|
||||
tenantID = *profile.TenantID
|
||||
}
|
||||
if role == domain.RoleRPAdmin && !h.canManageTenantClientsByPermit(c, profile, tenantID) {
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: tenant grant permission is required")
|
||||
}
|
||||
|
||||
var req clientUpsertRequest
|
||||
if err := c.BodyParser(&req); err != nil {
|
||||
@@ -1035,16 +1108,7 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error {
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
||||
}
|
||||
|
||||
// [Tenant Isolation]
|
||||
isSuperAdmin := role == domain.RoleSuperAdmin
|
||||
userTenantID := tenantIDFromProfile(profile)
|
||||
if !isSuperAdmin {
|
||||
clientTenantID := resolveClientTenantID(currentSummary)
|
||||
if clientTenantID != userTenantID {
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant")
|
||||
}
|
||||
}
|
||||
if !isRPAdminClientAllowed(profile, currentSummary.ID) {
|
||||
if !canAccessClientByLegacyScope(profile, currentSummary) && !h.canOperateClientByPermit(c, profile, currentSummary, "edit_config") {
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
|
||||
}
|
||||
|
||||
@@ -1214,16 +1278,7 @@ func (h *DevHandler) DeleteClient(c *fiber.Ctx) error {
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
||||
}
|
||||
|
||||
// [Tenant Isolation]
|
||||
isSuperAdmin := role == domain.RoleSuperAdmin
|
||||
userTenantID := tenantIDFromProfile(profile)
|
||||
if !isSuperAdmin {
|
||||
clientTenantID := resolveClientTenantID(summary)
|
||||
if clientTenantID != userTenantID {
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant")
|
||||
}
|
||||
}
|
||||
if !isRPAdminClientAllowed(profile, summary.ID) {
|
||||
if !canAccessClientByLegacyScope(profile, summary) && !h.canOperateClientByPermit(c, profile, summary, "manage") {
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
|
||||
}
|
||||
|
||||
@@ -1273,7 +1328,15 @@ func (h *DevHandler) ListConsents(c *fiber.Ctx) error {
|
||||
if !isDevConsoleRoleAllowed(role) {
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
||||
}
|
||||
if !isRPAdminClientAllowed(profile, clientID) {
|
||||
client, err := h.Hydra.GetClient(c.Context(), clientID)
|
||||
if err != nil {
|
||||
if errors.Is(err, service.ErrHydraNotFound) {
|
||||
return errorJSON(c, fiber.StatusNotFound, "client not found")
|
||||
}
|
||||
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
|
||||
}
|
||||
summary := h.mapClientSummary(*client)
|
||||
if !canAccessClientByLegacyScope(profile, summary) && !h.canOperateClientByPermit(c, profile, summary, "view_consents") {
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
|
||||
}
|
||||
|
||||
@@ -1390,8 +1453,18 @@ func (h *DevHandler) RevokeConsents(c *fiber.Ctx) error {
|
||||
if !isDevConsoleRoleAllowed(role) {
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
||||
}
|
||||
if clientID != "" && !isRPAdminClientAllowed(profile, clientID) {
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
|
||||
if clientID != "" {
|
||||
client, err := h.Hydra.GetClient(c.Context(), clientID)
|
||||
if err != nil {
|
||||
if errors.Is(err, service.ErrHydraNotFound) {
|
||||
return errorJSON(c, fiber.StatusNotFound, "client not found")
|
||||
}
|
||||
return errorJSON(c, fiber.StatusInternalServerError, err.Error())
|
||||
}
|
||||
summary := h.mapClientSummary(*client)
|
||||
if !canAccessClientByLegacyScope(profile, summary) && !h.canOperateClientByPermit(c, profile, summary, "revoke_consents") {
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
|
||||
}
|
||||
}
|
||||
|
||||
// If subject is not a UUID, try to resolve it as an identifier (email/username)
|
||||
@@ -1454,15 +1527,7 @@ func (h *DevHandler) RotateClientSecret(c *fiber.Ctx) error {
|
||||
}
|
||||
|
||||
// [Tenant Isolation]
|
||||
isSuperAdmin := role == domain.RoleSuperAdmin
|
||||
userTenantID := tenantIDFromProfile(profile)
|
||||
if !isSuperAdmin {
|
||||
clientTenantID := resolveClientTenantID(summary)
|
||||
if clientTenantID != userTenantID {
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant")
|
||||
}
|
||||
}
|
||||
if !isRPAdminClientAllowed(profile, summary.ID) {
|
||||
if !canAccessClientByLegacyScope(profile, summary) && !h.canOperateClientByPermit(c, profile, summary, "rotate_secret") {
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
|
||||
}
|
||||
|
||||
@@ -1550,15 +1615,7 @@ func (h *DevHandler) RefreshHeadlessJWKSCache(c *fiber.Ctx) error {
|
||||
if !isDevConsoleRoleAllowed(role) {
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
||||
}
|
||||
isSuperAdmin := role == domain.RoleSuperAdmin
|
||||
userTenantID := tenantIDFromProfile(profile)
|
||||
if !isSuperAdmin {
|
||||
clientTenantID := resolveClientTenantID(summary)
|
||||
if clientTenantID != userTenantID {
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant")
|
||||
}
|
||||
}
|
||||
if !isRPAdminClientAllowed(profile, summary.ID) {
|
||||
if !canAccessClientByLegacyScope(profile, summary) && !h.canOperateClientByPermit(c, profile, summary, "operate_jwks") {
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user