권한부여 및 정합성 검사 추가

backend/internal/handler/admin_handler.go

@@ -26,6 +26,7 @@ type AdminHandler struct {
 	AuditRepo            domain.AuditRepository
 	UserProjectionRepo   repository.UserProjectionRepository
 	UserProjectionSyncer service.UserProjectionReconciler
+	IntegrityChecker     repository.DataIntegrityChecker
 }
 
 func NewAdminHandler(keto service.KetoService, ketoOutbox repository.KetoOutboxRepository) *AdminHandler {
@@ -109,17 +110,18 @@ func (h *AdminHandler) CheckAuth(c *fiber.Ctx) error {
 	return c.Status(fiber.StatusOK).JSON(fiber.Map{"status": "ok"})
 }
 
-func requireSuperAdminProfile(c *fiber.Ctx) error {
+func requireSuperAdminProfile(c *fiber.Ctx) bool {
 	profile, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
 	if profile == nil || domain.NormalizeRole(profile.Role) != domain.RoleSuperAdmin {
-		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden: super_admin required"})
+		_ = c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden: super_admin required"})
+		return false
 	}
-	return nil
+	return true
 }
 
 func (h *AdminHandler) GetUserProjectionStatus(c *fiber.Ctx) error {
-	if err := requireSuperAdminProfile(c); err != nil {
-		return err
+	if !requireSuperAdminProfile(c) {
+		return nil
 	}
 	if h == nil || h.UserProjectionRepo == nil {
 		return c.Status(fiber.StatusServiceUnavailable).JSON(fiber.Map{"error": "user projection service unavailable"})
@@ -132,8 +134,8 @@ func (h *AdminHandler) GetUserProjectionStatus(c *fiber.Ctx) error {
 }
 
 func (h *AdminHandler) ReconcileUserProjection(c *fiber.Ctx) error {
-	if err := requireSuperAdminProfile(c); err != nil {
-		return err
+	if !requireSuperAdminProfile(c) {
+		return nil
 	}
 	if h == nil || h.UserProjectionSyncer == nil {
 		return c.Status(fiber.StatusServiceUnavailable).JSON(fiber.Map{"error": "user projection sync service unavailable"})
@@ -153,6 +155,20 @@ func (h *AdminHandler) ResetUserProjection(c *fiber.Ctx) error {
 	return h.ReconcileUserProjection(c)
 }
 
+func (h *AdminHandler) GetDataIntegrity(c *fiber.Ctx) error {
+	if !requireSuperAdminProfile(c) {
+		return nil
+	}
+	if h == nil || h.IntegrityChecker == nil {
+		return c.Status(fiber.StatusServiceUnavailable).JSON(fiber.Map{"error": "data integrity checker unavailable"})
+	}
+	report, err := h.IntegrityChecker.CheckDataIntegrity(c.Context())
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.JSON(report)
+}
+
 // GetSystemStats returns runtime statistics for monitoring
 func (h *AdminHandler) GetSystemStats(c *fiber.Ctx) error {
 	var m runtime.MemStats
@@ -161,6 +177,7 @@ func (h *AdminHandler) GetSystemStats(c *fiber.Ctx) error {
 
 	stats := fiber.Map{
 		"totalTenants":   h.countTenants(ctx),
+		"totalUsers":     h.countUsers(ctx),
 		"oidcClients":    h.countOIDCClients(ctx),
 		"auditEvents24h": h.countAuditEventsSince(ctx, time.Now().UTC().Add(-24*time.Hour)),
 		"goroutines":     runtime.NumGoroutine(),
@@ -188,6 +205,17 @@ func (h *AdminHandler) countTenants(ctx context.Context) int64 {
 	return total
 }
 
+func (h *AdminHandler) countUsers(ctx context.Context) int64 {
+	if h == nil || h.UserProjectionRepo == nil {
+		return 0
+	}
+	status, err := h.UserProjectionRepo.GetStatus(ctx)
+	if err != nil {
+		return 0
+	}
+	return status.ProjectedUsers
+}
+
 func (h *AdminHandler) countOIDCClients(ctx context.Context) int64 {
 	if h == nil || h.Hydra == nil {
 		return 0

backend/internal/handler/admin_handler_test.go

@@ -263,7 +263,17 @@ func TestAdminHandler_GetRPUsageDailyChecksTenantPermission(t *testing.T) {
 
 func TestAdminHandler_GetSystemStatsIncludesOverviewMetrics(t *testing.T) {
 	auditRepo := &fakeOverviewAuditRepo{count: 22}
-	h := &AdminHandler{AuditRepo: auditRepo}
+	h := &AdminHandler{
+		AuditRepo: auditRepo,
+		UserProjectionRepo: &fakeAdminUserProjectionRepo{
+			status: domain.UserProjectionStatus{
+				Name:           domain.UserProjectionNameKratos,
+				Status:         domain.UserProjectionStatusReady,
+				Ready:          true,
+				ProjectedUsers: 152,
+			},
+		},
+	}
 	app := fiber.New()
 	app.Get("/api/v1/admin/stats", h.GetSystemStats)
 
@@ -275,8 +285,10 @@ func TestAdminHandler_GetSystemStatsIncludesOverviewMetrics(t *testing.T) {
 	var body map[string]any
 	require.NoError(t, json.NewDecoder(resp.Body).Decode(&body))
 	require.Contains(t, body, "totalTenants")
+	require.Contains(t, body, "totalUsers")
 	require.Contains(t, body, "oidcClients")
 	require.Contains(t, body, "auditEvents24h")
+	require.Equal(t, float64(152), body["totalUsers"])
 	require.Equal(t, float64(22), body["auditEvents24h"])
 	require.Equal(t, time.UTC, auditRepo.since.Location())
 }

backend/internal/handler/admin_integrity_test.go

@@ -0,0 +1,92 @@
+package handler
+
+import (
+	"baron-sso-backend/internal/domain"
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/stretchr/testify/require"
+)
+
+type fakeDataIntegrityChecker struct {
+	calls  int
+	report domain.DataIntegrityReport
+	err    error
+}
+
+func (f *fakeDataIntegrityChecker) CheckDataIntegrity(ctx context.Context) (domain.DataIntegrityReport, error) {
+	f.calls++
+	return f.report, f.err
+}
+
+func TestAdminHandler_GetDataIntegrityRequiresSuperAdmin(t *testing.T) {
+	checker := &fakeDataIntegrityChecker{}
+	h := &AdminHandler{IntegrityChecker: checker}
+	app := fiber.New()
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{ID: "tenant-admin", Role: domain.RoleTenantAdmin})
+		return c.Next()
+	})
+	app.Get("/api/v1/admin/integrity", h.GetDataIntegrity)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/integrity", nil)
+	resp, err := app.Test(req)
+	require.NoError(t, err)
+	require.Equal(t, http.StatusForbidden, resp.StatusCode)
+	require.Equal(t, 0, checker.calls)
+}
+
+func TestAdminHandler_GetDataIntegrityReturnsReportForSuperAdmin(t *testing.T) {
+	checkedAt := time.Date(2026, 5, 14, 0, 0, 0, 0, time.UTC)
+	checker := &fakeDataIntegrityChecker{
+		report: domain.DataIntegrityReport{
+			Status:    domain.DataIntegrityStatusFail,
+			CheckedAt: checkedAt,
+			Summary: domain.DataIntegritySummary{
+				TotalChecks: 1,
+				Failures:    1,
+			},
+			Sections: []domain.DataIntegritySection{
+				{
+					Key:    "tenant_integrity",
+					Label:  "테넌트 정합성",
+					Status: domain.DataIntegrityStatusFail,
+					Checks: []domain.DataIntegrityCheck{
+						{
+							Key:      "duplicate_tenant_slugs",
+							Label:    "중복 테넌트 slug",
+							Status:   domain.DataIntegrityStatusFail,
+							Count:    1,
+							Severity: "error",
+						},
+					},
+				},
+			},
+		},
+	}
+	h := &AdminHandler{IntegrityChecker: checker}
+	app := fiber.New()
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{ID: "super", Role: domain.RoleSuperAdmin})
+		return c.Next()
+	})
+	app.Get("/api/v1/admin/integrity", h.GetDataIntegrity)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/integrity", nil)
+	resp, err := app.Test(req)
+	require.NoError(t, err)
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+	require.Equal(t, 1, checker.calls)
+
+	var body domain.DataIntegrityReport
+	require.NoError(t, json.NewDecoder(resp.Body).Decode(&body))
+	require.Equal(t, domain.DataIntegrityStatusFail, body.Status)
+	require.Equal(t, int64(1), body.Summary.Failures)
+	require.Len(t, body.Sections, 1)
+	require.Equal(t, "tenant_integrity", body.Sections[0].Key)
+}