테넌트 접근 제한 로직 보강

2026-04-28 10:57:16 +09:00
parent 367368805a
commit 955128a25a
3 changed files with 375 additions and 48 deletions
--- a/backend/internal/handler/client_tenant_access_test.go
+++ b/backend/internal/handler/client_tenant_access_test.go
@@ -12,6 +12,7 @@ import (

 	"github.com/gofiber/fiber/v2"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
 )

 func TestCreateClient_NormalizesTenantAccessMetadata(t *testing.T) {
@@ -190,6 +191,18 @@ func TestGetConsentRequest_DeniesTenantAccess(t *testing.T) {
 	resp, err := app.Test(req)
 	assert.NoError(t, err)
 	assert.Equal(t, http.StatusForbidden, resp.StatusCode)
+
+	var body map[string]any
+	assert.NoError(t, json.NewDecoder(resp.Body).Decode(&body))
+	assert.Equal(t, "tenant_not_allowed", body["code"])
+	details, ok := body["details"].(map[string]any)
+	assert.True(t, ok)
+	account, ok := details["account"].(map[string]any)
+	assert.True(t, ok)
+	assert.NotEmpty(t, account["email"])
+	currentTenant, ok := details["current_tenant"].(map[string]any)
+	assert.True(t, ok)
+	assert.NotEmpty(t, currentTenant["identifier"])
 }

 func TestGetConsentRequest_DeniesRestrictedClientWhenProfileResolutionFails(t *testing.T) {
@@ -232,6 +245,37 @@ func TestGetConsentRequest_DeniesRestrictedClientWhenProfileResolutionFails(t *t
 			AdminURL:   "http://hydra.test",
 			HTTPClient: client,
 		},
+		KratosAdmin: func() service.KratosAdminService {
+			mockKratos := new(MockKratosAdminService)
+			mockKratos.On("GetIdentity", mock.Anything, "user-123").Return(&service.KratosIdentity{
+				ID: "user-123",
+				Traits: map[string]interface{}{
+					"email":       "user@test.com",
+					"tenant_id":   "tenant-a",
+					"companyCode": "tenant-a",
+				},
+			}, nil).Once()
+			return mockKratos
+		}(),
+		TenantService: func() service.TenantService {
+			tenantSvc := new(MockTenantService)
+			tenantSvc.On("GetTenant", mock.Anything, "tenant-a").Return(&domain.Tenant{
+				ID:   "tenant-a",
+				Slug: "tenant-a",
+				Name: "Tenant A",
+			}, nil).Twice()
+			tenantSvc.On("ListJoinedTenants", mock.Anything, "user-123").Return([]domain.Tenant{
+				{ID: "tenant-a", Slug: "tenant-a", Name: "Tenant A"},
+				{ID: "tenant-c", Slug: "tenant-c", Name: "Tenant C"},
+			}, nil).Once()
+			tenantSvc.On("GetTenant", mock.Anything, "tenant-b").Return(nil, assert.AnError).Once()
+			tenantSvc.On("GetTenantBySlug", mock.Anything, "tenant-b").Return(&domain.Tenant{
+				ID:   "tenant-b-id",
+				Slug: "tenant-b",
+				Name: "Tenant B",
+			}, nil).Once()
+			return tenantSvc
+		}(),
 		ConsentRepo: &mockConsentRepo{
 			consents: []domain.ClientConsent{
 				{
@@ -253,6 +297,22 @@ func TestGetConsentRequest_DeniesRestrictedClientWhenProfileResolutionFails(t *t
 	assert.NoError(t, err)
 	assert.Equal(t, http.StatusForbidden, resp.StatusCode)
 	assert.False(t, acceptCalled)
+
+	var body map[string]any
+	assert.NoError(t, json.NewDecoder(resp.Body).Decode(&body))
+	assert.Equal(t, "tenant_not_allowed", body["code"])
+
+	details, ok := body["details"].(map[string]any)
+	assert.True(t, ok)
+	account, ok := details["account"].(map[string]any)
+	assert.True(t, ok)
+	assert.Equal(t, "user@test.com", account["email"])
+	currentTenant, ok := details["current_tenant"].(map[string]any)
+	assert.True(t, ok)
+	assert.Equal(t, "Tenant A", currentTenant["name"])
+	affiliatedTenants, ok := details["affiliated_tenants"].([]any)
+	assert.True(t, ok)
+	assert.Len(t, affiliatedTenants, 2)
 }

 func TestAcceptOidcLoginRequest_DeniesTenantAccess(t *testing.T) {
@@ -260,9 +320,15 @@ func TestAcceptOidcLoginRequest_DeniesTenantAccess(t *testing.T) {
 	app.Get("/deny", func(c *fiber.Ctx) error {
 		tenantID := "tenant-a"
 		profile := &domain.UserProfileResponse{
-			ID:       "user-123",
-			Role:     domain.RoleUser,
-			TenantID: &tenantID,
+			ID:          "user-123",
+			Role:        domain.RoleUser,
+			Email:       "user@test.com",
+			TenantID:    &tenantID,
+			CompanyCode: "tenant-a",
+			JoinedTenants: []domain.Tenant{
+				{ID: "tenant-a", Slug: "tenant-a", Name: "Tenant A"},
+				{ID: "tenant-c", Slug: "tenant-c", Name: "Tenant C"},
+			},
 		}
 		client := domain.HydraClient{
 			ClientID: "client-tenant",
@@ -271,11 +337,49 @@ func TestAcceptOidcLoginRequest_DeniesTenantAccess(t *testing.T) {
 				"allowed_tenants":          []string{"tenant-b"},
 			},
 		}
-		return enforceClientTenantAccess(c, client, profile, nil)
+		tenantSvc := new(MockTenantService)
+		tenantSvc.On("GetTenant", mock.Anything, "tenant-a").Return(&domain.Tenant{
+			ID:   "tenant-a",
+			Slug: "tenant-a",
+			Name: "Tenant A",
+		}, nil).Twice()
+		tenantSvc.On("GetTenant", mock.Anything, "tenant-b").Return(nil, assert.AnError).Once()
+		tenantSvc.On("GetTenantBySlug", mock.Anything, "tenant-b").Return(&domain.Tenant{
+			ID:   "tenant-b-id",
+			Slug: "tenant-b",
+			Name: "Tenant B",
+		}, nil).Once()
+		enforceClientTenantAccess(c, tenantSvc, client, profile, nil)
+		return nil
 	})

 	req := httptest.NewRequest(http.MethodGet, "/deny", nil)
 	resp, err := app.Test(req)
 	assert.NoError(t, err)
 	assert.Equal(t, http.StatusForbidden, resp.StatusCode)
+
+	var body map[string]any
+	assert.NoError(t, json.NewDecoder(resp.Body).Decode(&body))
+	assert.Equal(t, "tenant_not_allowed", body["code"])
+
+	details, ok := body["details"].(map[string]any)
+	assert.True(t, ok)
+
+	account, ok := details["account"].(map[string]any)
+	assert.True(t, ok)
+	assert.Equal(t, "user@test.com", account["email"])
+
+	currentTenant, ok := details["current_tenant"].(map[string]any)
+	assert.True(t, ok)
+	assert.Equal(t, "Tenant A", currentTenant["name"])
+	affiliatedTenants, ok := details["affiliated_tenants"].([]any)
+	assert.True(t, ok)
+	assert.Len(t, affiliatedTenants, 2)
+
+	allowedTenants, ok := details["allowed_tenants"].([]any)
+	assert.True(t, ok)
+	assert.Len(t, allowedTenants, 1)
+	allowedTenant, ok := allowedTenants[0].(map[string]any)
+	assert.True(t, ok)
+	assert.Equal(t, "Tenant B", allowedTenant["name"])
 }