1
0
forked from baron/baron-sso

Merge pull request 'feature/df-authz' (#386) from feature/df-authz into dev

Reviewed-on: baron/baron-sso#386
This commit is contained in:
2026-03-16 17:00:23 +09:00
32 changed files with 1330 additions and 231 deletions

View File

@@ -741,6 +741,7 @@ view_audit_logs = "View Audit Logs"
rp_admin = "RP ADMIN" rp_admin = "RP ADMIN"
super_admin = "SUPER ADMIN" super_admin = "SUPER ADMIN"
tenant_admin = "TENANT ADMIN" tenant_admin = "TENANT ADMIN"
tenant_member = "TENANT MEMBER"
user = "TENANT MEMBER" user = "TENANT MEMBER"
[ui.admin.tenants] [ui.admin.tenants]
@@ -966,6 +967,10 @@ system = "System"
[ui.common.role] [ui.common.role]
admin = "Admin" admin = "Admin"
rp_admin = "RP Admin"
super_admin = "Super Admin"
tenant_admin = "Tenant Admin"
tenant_member = "Tenant Member"
user = "User" user = "User"
[ui.common.status] [ui.common.status]

View File

@@ -791,6 +791,7 @@ total_tenants = "전체 테넌트"
rp_admin = "서비스 관리자 (RP Admin)" rp_admin = "서비스 관리자 (RP Admin)"
super_admin = "시스템 관리자 (Super Admin)" super_admin = "시스템 관리자 (Super Admin)"
tenant_admin = "테넌트 관리자 (Tenant Admin)" tenant_admin = "테넌트 관리자 (Tenant Admin)"
tenant_member = "일반 사용자 (Tenant Member)"
user = "일반 사용자 (Tenant Member)" user = "일반 사용자 (Tenant Member)"
[ui.admin.tenants] [ui.admin.tenants]
@@ -1046,6 +1047,10 @@ system = "System"
[ui.common.role] [ui.common.role]
admin = "Admin" admin = "Admin"
rp_admin = "RP Admin"
super_admin = "Super Admin"
tenant_admin = "Tenant Admin"
tenant_member = "Tenant Member"
user = "User" user = "User"
[ui.common.status] [ui.common.status]

View File

@@ -714,6 +714,7 @@ rp_admin = ""
super_admin = "" super_admin = ""
tenant_admin = "" tenant_admin = ""
tenant_member = "" tenant_member = ""
user = ""
[ui.admin.tenants] [ui.admin.tenants]
add = "" add = ""
@@ -922,6 +923,10 @@ system = ""
[ui.common.role] [ui.common.role]
admin = "" admin = ""
rp_admin = ""
super_admin = ""
tenant_admin = ""
tenant_member = ""
user = "" user = ""
[ui.common.status] [ui.common.status]

View File

@@ -34,15 +34,16 @@ func SyncKetoRelations(db *gorm.DB, keto service.KetoService) error {
} }
slog.Info("Syncing users to Keto", "count", len(users)) slog.Info("Syncing users to Keto", "count", len(users))
for _, u := range users { for _, u := range users {
role := domain.NormalizeRole(u.Role)
// Membership // Membership
if u.TenantID != nil { if u.TenantID != nil {
_ = keto.CreateRelation(ctx, "Tenant", *u.TenantID, "members", "User:"+u.ID) _ = keto.CreateRelation(ctx, "Tenant", *u.TenantID, "members", "User:"+u.ID)
} }
// Roles // Roles
if u.Role == domain.RoleSuperAdmin { if role == domain.RoleSuperAdmin {
_ = keto.CreateRelation(ctx, "System", "global", "super_admins", "User:"+u.ID) _ = keto.CreateRelation(ctx, "System", "global", "super_admins", "User:"+u.ID)
} else if u.Role == domain.RoleTenantAdmin && u.TenantID != nil { } else if role == domain.RoleTenantAdmin && u.TenantID != nil {
_ = keto.CreateRelation(ctx, "Tenant", *u.TenantID, "admins", "User:"+u.ID) _ = keto.CreateRelation(ctx, "Tenant", *u.TenantID, "admins", "User:"+u.ID)
} }
} }

View File

@@ -1,6 +1,7 @@
package domain package domain
import ( import (
"strings"
"time" "time"
"github.com/google/uuid" "github.com/google/uuid"
@@ -15,6 +16,20 @@ const (
RoleUser = "user" // 일반 사용자 RoleUser = "user" // 일반 사용자
) )
// NormalizeRole maps legacy/synonym role values to canonical role keys.
func NormalizeRole(role string) string {
normalized := strings.ToLower(strings.TrimSpace(role))
switch normalized {
case "tenant_member":
return RoleUser
case "admin":
// Legacy admin is treated as tenant admin for least-privilege compatibility.
return RoleTenantAdmin
default:
return normalized
}
}
// User represents the user model stored in PostgreSQL // User represents the user model stored in PostgreSQL
type User struct { type User struct {
ID string `gorm:"primaryKey;type:uuid;default:gen_random_uuid()" json:"id"` ID string `gorm:"primaryKey;type:uuid;default:gen_random_uuid()" json:"id"`

View File

@@ -0,0 +1,29 @@
package domain
import "testing"
func TestNormalizeRole(t *testing.T) {
tests := []struct {
name string
in string
want string
}{
{name: "super admin unchanged", in: "super_admin", want: RoleSuperAdmin},
{name: "tenant admin unchanged", in: "tenant_admin", want: RoleTenantAdmin},
{name: "rp admin unchanged", in: "rp_admin", want: RoleRPAdmin},
{name: "user unchanged", in: "user", want: RoleUser},
{name: "legacy admin", in: "admin", want: RoleTenantAdmin},
{name: "legacy tenant member", in: "tenant_member", want: RoleUser},
{name: "trim and lower", in: " ADMIN ", want: RoleTenantAdmin},
{name: "unknown role pass-through", in: "custom_role", want: "custom_role"},
{name: "empty", in: " ", want: ""},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
if got := NormalizeRole(tc.in); got != tc.want {
t.Fatalf("NormalizeRole(%q)=%q, want %q", tc.in, got, tc.want)
}
})
}
}

View File

@@ -4004,17 +4004,19 @@ func (h *AuthHandler) resolveCurrentProfile(c *fiber.Ctx) (*domain.UserProfileRe
// 2. Role Override for real profile or fallback to Mock Profile // 2. Role Override for real profile or fallback to Mock Profile
if profile != nil { if profile != nil {
if isDev && mockRole != "" { if isDev && mockRole != "" {
normalizedMockRole := domain.NormalizeRole(mockRole)
slog.Info("🔑 [AUTH] Overriding real profile role", slog.Info("🔑 [AUTH] Overriding real profile role",
"email", profile.Email, "originalRole", profile.Role, "overriddenRole", mockRole) "email", profile.Email, "originalRole", profile.Role, "overriddenRole", normalizedMockRole)
profile.Role = mockRole profile.Role = normalizedMockRole
} }
} else if isDev && mockRole != "" && token == "" && cookie == "" { } else if isDev && mockRole != "" && token == "" && cookie == "" {
normalizedMockRole := domain.NormalizeRole(mockRole)
slog.Info("🔑 [AUTH] Using full Mock Auth (no session)", "role", mockRole) slog.Info("🔑 [AUTH] Using full Mock Auth (no session)", "role", mockRole)
profile = &domain.UserProfileResponse{ profile = &domain.UserProfileResponse{
ID: "00000000-0000-0000-0000-000000000000", ID: "00000000-0000-0000-0000-000000000000",
Email: "mock@hmac.kr", Email: "mock@hmac.kr",
Name: "Dev Mock User", Name: "Dev Mock User",
Role: mockRole, Role: normalizedMockRole,
} }
if tid := c.Get("X-Tenant-ID"); tid != "" { if tid := c.Get("X-Tenant-ID"); tid != "" {
profile.TenantID = &tid profile.TenantID = &tid
@@ -4027,6 +4029,7 @@ func (h *AuthHandler) resolveCurrentProfile(c *fiber.Ctx) (*domain.UserProfileRe
} }
// 3. Post-Process (Defaults & Metadata Enrichment) // 3. Post-Process (Defaults & Metadata Enrichment)
profile.Role = domain.NormalizeRole(profile.Role)
if profile.Role == "" { if profile.Role == "" {
profile.Role = domain.RoleUser profile.Role = domain.RoleUser
} }
@@ -5115,6 +5118,7 @@ func (h *AuthHandler) mapKratosIdentityToProfile(identityID string, traits map[s
compCode, _ := traits["companyCode"].(string) compCode, _ := traits["companyCode"].(string)
role, _ := traits["role"].(string) role, _ := traits["role"].(string)
tenantID, _ := traits["tenant_id"].(string) tenantID, _ := traits["tenant_id"].(string)
relyingPartyID, _ := traits["relying_party_id"].(string)
profile := &domain.UserProfileResponse{ profile := &domain.UserProfileResponse{
ID: identityID, ID: identityID,
@@ -5124,18 +5128,22 @@ func (h *AuthHandler) mapKratosIdentityToProfile(identityID string, traits map[s
Department: dept, Department: dept,
AffiliationType: affType, AffiliationType: affType,
CompanyCode: compCode, CompanyCode: compCode,
Role: role, Role: domain.NormalizeRole(role),
Metadata: make(map[string]any), Metadata: make(map[string]any),
} }
if tenantID != "" { if tenantID != "" {
profile.TenantID = &tenantID profile.TenantID = &tenantID
} }
if strings.TrimSpace(relyingPartyID) != "" {
rpID := strings.TrimSpace(relyingPartyID)
profile.RelyingPartyID = &rpID
}
coreTraits := map[string]bool{ coreTraits := map[string]bool{
"email": true, "name": true, "phone_number": true, "email": true, "name": true, "phone_number": true,
"grade": true, "companyCode": true, "department": true, "grade": true, "companyCode": true, "department": true,
"affiliationType": true, "role": true, "tenant_id": true, "affiliationType": true, "role": true, "tenant_id": true, "relying_party_id": true,
} }
for k, v := range traits { for k, v := range traits {
if !coreTraits[k] { if !coreTraits[k] {

View File

@@ -140,6 +140,127 @@ type clientUpsertRequest struct {
Metadata *map[string]interface{} `json:"metadata"` Metadata *map[string]interface{} `json:"metadata"`
} }
func normalizeUserRole(role string) string {
return domain.NormalizeRole(role)
}
func isDevConsoleRoleAllowed(role string) bool {
switch normalizeUserRole(role) {
case domain.RoleSuperAdmin, domain.RoleTenantAdmin, domain.RoleRPAdmin:
return true
default:
return false
}
}
func (h *DevHandler) getCurrentProfile(c *fiber.Ctx) *domain.UserProfileResponse {
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil {
return profile
}
if h.Auth != nil {
enriched, err := h.Auth.GetEnrichedProfile(c)
if err == nil && enriched != nil {
c.Locals("user_profile", enriched)
return enriched
}
}
return nil
}
func tenantIDFromProfile(profile *domain.UserProfileResponse) string {
if profile == nil || profile.TenantID == nil {
return ""
}
return strings.TrimSpace(*profile.TenantID)
}
func addClientIDToSet(set map[string]struct{}, raw any) {
switch value := raw.(type) {
case string:
for _, chunk := range strings.Split(value, ",") {
id := strings.TrimSpace(chunk)
if id != "" {
set[id] = struct{}{}
}
}
case []string:
for _, item := range value {
id := strings.TrimSpace(item)
if id != "" {
set[id] = struct{}{}
}
}
case []any:
for _, item := range value {
if str, ok := item.(string); ok {
id := strings.TrimSpace(str)
if id != "" {
set[id] = struct{}{}
}
}
}
}
}
func managedClientIDsFromProfile(profile *domain.UserProfileResponse) map[string]struct{} {
ids := make(map[string]struct{})
if profile == nil {
return ids
}
if profile.RelyingPartyID != nil {
if id := strings.TrimSpace(*profile.RelyingPartyID); id != "" {
ids[id] = struct{}{}
}
}
if profile.Metadata == nil {
return ids
}
for _, key := range []string{
"managed_client_ids",
"managedClientIds",
"relying_party_id",
"relyingPartyId",
"client_id",
"clientId",
} {
if raw, ok := profile.Metadata[key]; ok {
addClientIDToSet(ids, raw)
}
}
return ids
}
func resolveClientTenantID(summary clientSummary) string {
if summary.Metadata == nil {
return ""
}
clientTenantID, _ := summary.Metadata["tenant_id"].(string)
return strings.TrimSpace(clientTenantID)
}
func isRPAdminClientAllowed(profile *domain.UserProfileResponse, clientID string) bool {
if normalizeUserRole(profileRole(profile)) != domain.RoleRPAdmin {
return true
}
allowed := managedClientIDsFromProfile(profile)
if len(allowed) == 0 {
return false
}
_, ok := allowed[strings.TrimSpace(clientID)]
return ok
}
func profileRole(profile *domain.UserProfileResponse) string {
if profile == nil {
return ""
}
return strings.TrimSpace(profile.Role)
}
func (h *DevHandler) checkAppManagerPermission(c *fiber.Ctx) (bool, error) { func (h *DevHandler) checkAppManagerPermission(c *fiber.Ctx) (bool, error) {
profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse) profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse)
if (!ok || profile == nil) && h.Auth != nil { if (!ok || profile == nil) && h.Auth != nil {
@@ -151,11 +272,19 @@ func (h *DevHandler) checkAppManagerPermission(c *fiber.Ctx) (bool, error) {
} }
} }
if ok && profile != nil { if ok && profile != nil {
// Super Admin bypass role := normalizeUserRole(profile.Role)
if profile.Role == domain.RoleSuperAdmin { switch role {
case domain.RoleSuperAdmin:
slog.Info("Dev private permission granted by super_admin role", "user_id", profile.ID) slog.Info("Dev private permission granted by super_admin role", "user_id", profile.ID)
return true, nil return true, nil
case domain.RoleTenantAdmin, domain.RoleRPAdmin:
slog.Info("Dev private permission granted by role", "user_id", profile.ID, "role", role)
return true, nil
case domain.RoleUser:
return false, nil
} }
// Super Admin bypass
if isAdminEmail(profile.Email) { if isAdminEmail(profile.Email) {
slog.Info("Dev private permission granted by ADMIN_EMAIL match", "email", profile.Email) slog.Info("Dev private permission granted by ADMIN_EMAIL match", "email", profile.Email)
return true, nil return true, nil
@@ -203,16 +332,24 @@ func (h *DevHandler) checkAppManagerPermission(c *fiber.Ctx) (bool, error) {
if tokenEmail == "" { if tokenEmail == "" {
tokenEmail = strings.TrimSpace(info.Email) tokenEmail = strings.TrimSpace(info.Email)
} }
tokenRole = strings.TrimSpace(info.Role) tokenRole = normalizeUserRole(info.Role)
} else if err != nil { } else if err != nil {
slog.Warn("Dev private permission userinfo fallback failed", "error", err) slog.Warn("Dev private permission userinfo fallback failed", "error", err)
} }
} }
tokenRole = normalizeUserRole(tokenRole)
if tokenRole == domain.RoleSuperAdmin { if tokenRole == domain.RoleSuperAdmin {
slog.Info("Dev private permission granted by token role", "role", tokenRole) slog.Info("Dev private permission granted by token role", "role", tokenRole)
return true, nil return true, nil
} }
if tokenRole == domain.RoleTenantAdmin || tokenRole == domain.RoleRPAdmin {
slog.Info("Dev private permission granted by token role", "role", tokenRole)
return true, nil
}
if tokenRole == domain.RoleUser {
return false, nil
}
if isAdminEmail(tokenEmail) { if isAdminEmail(tokenEmail) {
slog.Info("Dev private permission granted by token email", "email", tokenEmail) slog.Info("Dev private permission granted by token email", "email", tokenEmail)
return true, nil return true, nil
@@ -237,7 +374,7 @@ func (h *DevHandler) checkAppManagerPermission(c *fiber.Ctx) (bool, error) {
if h.KratosAdmin != nil { if h.KratosAdmin != nil {
identity, err := h.KratosAdmin.GetIdentity(c.Context(), tokenSubject) identity, err := h.KratosAdmin.GetIdentity(c.Context(), tokenSubject)
if err == nil && identity != nil { if err == nil && identity != nil {
if rawRole, ok := identity.Traits["role"].(string); ok && rawRole == domain.RoleSuperAdmin { if rawRole, ok := identity.Traits["role"].(string); ok && normalizeUserRole(rawRole) == domain.RoleSuperAdmin {
slog.Info("Dev private permission granted by Kratos role", "subject", tokenSubject) slog.Info("Dev private permission granted by Kratos role", "subject", tokenSubject)
return true, nil return true, nil
} }
@@ -383,90 +520,20 @@ func (h *DevHandler) ListClients(c *fiber.Ctx) error {
offset = 0 offset = 0
} }
// [Tenant Isolation] Get current user's tenant ID profile := h.getCurrentProfile(c)
userTenantID := "" if profile == nil {
isSuperAdmin := false return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse) }
if (!ok || profile == nil) && h.Auth != nil { role := normalizeUserRole(profile.Role)
enriched, _ := h.Auth.GetEnrichedProfile(c) if !isDevConsoleRoleAllowed(role) {
if enriched != nil { return errorJSON(c, fiber.StatusForbidden, "forbidden")
profile = enriched
ok = true
c.Locals("user_profile", enriched)
}
} }
if ok && profile != nil { userTenantID := tenantIDFromProfile(profile)
if profile.TenantID != nil { isSuperAdmin := role == domain.RoleSuperAdmin
userTenantID = *profile.TenantID allowedClientIDs := managedClientIDsFromProfile(profile)
} if role == domain.RoleRPAdmin && len(allowedClientIDs) == 0 {
isSuperAdmin = profile.Role == domain.RoleSuperAdmin return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin has no managed clients")
} else {
// If profile resolution failed, verify bearer token via OIDC userinfo fallback.
authHeader := c.Get("Authorization")
bearerToken := extractBearerToken(authHeader)
if bearerToken == "" {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
}
sub, email := extractAuthClaimsFromBearer(authHeader)
if sub == "" {
info, infoErr := h.fetchOIDCUserInfo(c.Context(), bearerToken)
if infoErr != nil {
slog.Warn("ListClients userinfo fallback failed", "error", infoErr)
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
}
sub = strings.TrimSpace(info.Sub)
if email == "" {
email = strings.TrimSpace(info.Email)
}
if userTenantID == "" {
userTenantID = strings.TrimSpace(info.TenantID)
}
if strings.EqualFold(strings.TrimSpace(info.Role), domain.RoleSuperAdmin) {
isSuperAdmin = true
}
}
if sub == "" && email == "" {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
}
if h.KratosAdmin != nil && (userTenantID == "" || !isSuperAdmin) {
identityID := strings.TrimSpace(sub)
if identityID == "" && email != "" {
if resolved, err := h.KratosAdmin.FindIdentityIDByIdentifier(c.Context(), email); err == nil {
identityID = strings.TrimSpace(resolved)
}
}
if identityID != "" {
if identity, err := h.KratosAdmin.GetIdentity(c.Context(), identityID); err == nil && identity != nil {
if userTenantID == "" {
if tid, ok := identity.Traits["tenant_id"].(string); ok {
userTenantID = strings.TrimSpace(tid)
}
}
role := ""
if rawRole, ok := identity.Traits["role"].(string); ok {
role = strings.TrimSpace(rawRole)
}
if role == domain.RoleSuperAdmin {
isSuperAdmin = true
}
profile = &domain.UserProfileResponse{
ID: identityID,
Email: email,
Role: role,
TenantID: nil,
}
if userTenantID != "" {
tid := userTenantID
profile.TenantID = &tid
}
c.Locals("user_profile", profile)
}
}
}
} }
isAppManager, err := h.checkAppManagerPermission(c) isAppManager, err := h.checkAppManagerPermission(c)
@@ -503,6 +570,13 @@ func (h *DevHandler) ListClients(c *fiber.Ctx) error {
} }
} }
// 3. [Role Scope] RP Admin can only access managed RP IDs
if role == domain.RoleRPAdmin {
if _, ok := allowedClientIDs[summary.ID]; !ok {
continue
}
}
items = append(items, summary) items = append(items, summary)
} }
@@ -529,22 +603,27 @@ func (h *DevHandler) GetClient(c *fiber.Ctx) error {
} }
summary := h.mapClientSummary(*client) summary := h.mapClientSummary(*client)
profile := h.getCurrentProfile(c)
if profile == nil {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
}
role := normalizeUserRole(profile.Role)
if !isDevConsoleRoleAllowed(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden")
}
// [Tenant Isolation] Check if user has access to this client // [Tenant Isolation] Check if user has access to this client
isSuperAdmin := false isSuperAdmin := role == domain.RoleSuperAdmin
userTenantID := "" userTenantID := tenantIDFromProfile(profile)
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil {
isSuperAdmin = profile.Role == domain.RoleSuperAdmin
if profile.TenantID != nil {
userTenantID = *profile.TenantID
}
}
if !isSuperAdmin { if !isSuperAdmin {
clientTenantID, _ := summary.Metadata["tenant_id"].(string) clientTenantID := resolveClientTenantID(summary)
if clientTenantID != userTenantID { if clientTenantID != userTenantID {
return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant") return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant")
} }
} }
if !isRPAdminClientAllowed(profile, summary.ID) {
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
}
// Check permission for private clients // Check permission for private clients
if summary.Type == "private" { if summary.Type == "private" {
@@ -598,22 +677,27 @@ func (h *DevHandler) UpdateClientStatus(c *fiber.Ctx) error {
} }
summary := h.mapClientSummary(*current) summary := h.mapClientSummary(*current)
profile := h.getCurrentProfile(c)
if profile == nil {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
}
role := normalizeUserRole(profile.Role)
if !isDevConsoleRoleAllowed(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden")
}
// [Tenant Isolation] // [Tenant Isolation]
isSuperAdmin := false isSuperAdmin := role == domain.RoleSuperAdmin
userTenantID := "" userTenantID := tenantIDFromProfile(profile)
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil {
isSuperAdmin = profile.Role == domain.RoleSuperAdmin
if profile.TenantID != nil {
userTenantID = *profile.TenantID
}
}
if !isSuperAdmin { if !isSuperAdmin {
clientTenantID, _ := summary.Metadata["tenant_id"].(string) clientTenantID := resolveClientTenantID(summary)
if clientTenantID != userTenantID { if clientTenantID != userTenantID {
return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant") return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant")
} }
} }
if !isRPAdminClientAllowed(profile, summary.ID) {
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
}
if summary.Type == "private" { if summary.Type == "private" {
isAppManager, _ := h.checkAppManagerPermission(c) isAppManager, _ := h.checkAppManagerPermission(c)
@@ -655,6 +739,15 @@ func (h *DevHandler) UpdateClientStatus(c *fiber.Ctx) error {
func (h *DevHandler) CreateClient(c *fiber.Ctx) error { func (h *DevHandler) CreateClient(c *fiber.Ctx) error {
tenantID := h.injectTenantContextFromHeader(c) tenantID := h.injectTenantContextFromHeader(c)
profile := h.getCurrentProfile(c)
if profile == nil {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
}
role := normalizeUserRole(profile.Role)
if !isDevConsoleRoleAllowed(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden")
}
var req clientUpsertRequest var req clientUpsertRequest
if err := c.BodyParser(&req); err != nil { if err := c.BodyParser(&req); err != nil {
return errorJSON(c, fiber.StatusBadRequest, "invalid request body") return errorJSON(c, fiber.StatusBadRequest, "invalid request body")
@@ -706,7 +799,7 @@ func (h *DevHandler) CreateClient(c *fiber.Ctx) error {
} }
// [Tenant Isolation] Record owner information // [Tenant Isolation] Record owner information
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil { if profile != nil {
metadata["user_id"] = profile.ID metadata["user_id"] = profile.ID
if tenantID == "" && profile.TenantID != nil { if tenantID == "" && profile.TenantID != nil {
tenantID = *profile.TenantID tenantID = *profile.TenantID
@@ -805,22 +898,27 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error {
} }
currentSummary := h.mapClientSummary(*current) currentSummary := h.mapClientSummary(*current)
profile := h.getCurrentProfile(c)
if profile == nil {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
}
role := normalizeUserRole(profile.Role)
if !isDevConsoleRoleAllowed(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden")
}
// [Tenant Isolation] // [Tenant Isolation]
isSuperAdmin := false isSuperAdmin := role == domain.RoleSuperAdmin
userTenantID := "" userTenantID := tenantIDFromProfile(profile)
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil {
isSuperAdmin = profile.Role == domain.RoleSuperAdmin
if profile.TenantID != nil {
userTenantID = *profile.TenantID
}
}
if !isSuperAdmin { if !isSuperAdmin {
clientTenantID, _ := currentSummary.Metadata["tenant_id"].(string) clientTenantID := resolveClientTenantID(currentSummary)
if clientTenantID != userTenantID { if clientTenantID != userTenantID {
return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant") return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant")
} }
} }
if !isRPAdminClientAllowed(profile, currentSummary.ID) {
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
}
clientType := "" clientType := ""
if req.Type != nil { if req.Type != nil {
@@ -931,22 +1029,27 @@ func (h *DevHandler) DeleteClient(c *fiber.Ctx) error {
} }
summary := h.mapClientSummary(*current) summary := h.mapClientSummary(*current)
profile := h.getCurrentProfile(c)
if profile == nil {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
}
role := normalizeUserRole(profile.Role)
if !isDevConsoleRoleAllowed(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden")
}
// [Tenant Isolation] // [Tenant Isolation]
isSuperAdmin := false isSuperAdmin := role == domain.RoleSuperAdmin
userTenantID := "" userTenantID := tenantIDFromProfile(profile)
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil {
isSuperAdmin = profile.Role == domain.RoleSuperAdmin
if profile.TenantID != nil {
userTenantID = *profile.TenantID
}
}
if !isSuperAdmin { if !isSuperAdmin {
clientTenantID, _ := summary.Metadata["tenant_id"].(string) clientTenantID := resolveClientTenantID(summary)
if clientTenantID != userTenantID { if clientTenantID != userTenantID {
return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant") return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant")
} }
} }
if !isRPAdminClientAllowed(profile, summary.ID) {
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
}
// [Security] Check permission for private clients // [Security] Check permission for private clients
if summary.Type == "private" { if summary.Type == "private" {
@@ -986,6 +1089,18 @@ func (h *DevHandler) ListConsents(c *fiber.Ctx) error {
return errorJSON(c, fiber.StatusBadRequest, "client_id is required") return errorJSON(c, fiber.StatusBadRequest, "client_id is required")
} }
profile := h.getCurrentProfile(c)
if profile == nil {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
}
role := normalizeUserRole(profile.Role)
if !isDevConsoleRoleAllowed(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden")
}
if !isRPAdminClientAllowed(profile, clientID) {
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
}
subject := strings.TrimSpace(c.Query("subject")) subject := strings.TrimSpace(c.Query("subject"))
limit := c.QueryInt("limit", 50) limit := c.QueryInt("limit", 50)
offset := c.QueryInt("offset", 0) offset := c.QueryInt("offset", 0)
@@ -995,8 +1110,8 @@ func (h *DevHandler) ListConsents(c *fiber.Ctx) error {
// [Isolation] Get admin tenant ID from locals or header // [Isolation] Get admin tenant ID from locals or header
adminTenantID := "" adminTenantID := ""
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil { if profile != nil {
if profile.Role != domain.RoleSuperAdmin && profile.TenantID != nil { if role != domain.RoleSuperAdmin && profile.TenantID != nil {
adminTenantID = *profile.TenantID adminTenantID = *profile.TenantID
} }
} }
@@ -1091,6 +1206,17 @@ func (h *DevHandler) RevokeConsents(c *fiber.Ctx) error {
return errorJSON(c, fiber.StatusBadRequest, "subject is required") return errorJSON(c, fiber.StatusBadRequest, "subject is required")
} }
clientID := strings.TrimSpace(c.Query("client_id")) clientID := strings.TrimSpace(c.Query("client_id"))
profile := h.getCurrentProfile(c)
if profile == nil {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
}
role := normalizeUserRole(profile.Role)
if !isDevConsoleRoleAllowed(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden")
}
if clientID != "" && !isRPAdminClientAllowed(profile, clientID) {
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
}
// If subject is not a UUID, try to resolve it as an identifier (email/username) // If subject is not a UUID, try to resolve it as an identifier (email/username)
if _, err := uuid.Parse(subject); err != nil { if _, err := uuid.Parse(subject); err != nil {
@@ -1138,22 +1264,27 @@ func (h *DevHandler) RotateClientSecret(c *fiber.Ctx) error {
} }
summary := h.mapClientSummary(*current) summary := h.mapClientSummary(*current)
profile := h.getCurrentProfile(c)
if profile == nil {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
}
role := normalizeUserRole(profile.Role)
if !isDevConsoleRoleAllowed(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden")
}
// [Tenant Isolation] // [Tenant Isolation]
isSuperAdmin := false isSuperAdmin := role == domain.RoleSuperAdmin
userTenantID := "" userTenantID := tenantIDFromProfile(profile)
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil {
isSuperAdmin = profile.Role == domain.RoleSuperAdmin
if profile.TenantID != nil {
userTenantID = *profile.TenantID
}
}
if !isSuperAdmin { if !isSuperAdmin {
clientTenantID, _ := summary.Metadata["tenant_id"].(string) clientTenantID := resolveClientTenantID(summary)
if clientTenantID != userTenantID { if clientTenantID != userTenantID {
return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant") return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant")
} }
} }
if !isRPAdminClientAllowed(profile, summary.ID) {
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
}
// [Security] Check permission for private clients // [Security] Check permission for private clients
if summary.Type == "private" { if summary.Type == "private" {
@@ -1216,13 +1347,18 @@ func (h *DevHandler) ListAuditLogs(c *fiber.Ctx) error {
} }
h.injectTenantContextFromHeader(c) h.injectTenantContextFromHeader(c)
allowed, err := h.checkAppManagerPermission(c) profile := h.getCurrentProfile(c)
if err != nil { if profile == nil {
return errorJSON(c, fiber.StatusInternalServerError, "permission check error") return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
} }
if !allowed { role := normalizeUserRole(profile.Role)
if !isDevConsoleRoleAllowed(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden") return errorJSON(c, fiber.StatusForbidden, "forbidden")
} }
allowedClientIDs := managedClientIDsFromProfile(profile)
if role == domain.RoleRPAdmin && len(allowedClientIDs) == 0 {
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin has no managed clients")
}
limit := c.QueryInt("limit", 50) limit := c.QueryInt("limit", 50)
if limit <= 0 { if limit <= 0 {
@@ -1239,6 +1375,9 @@ func (h *DevHandler) ListAuditLogs(c *fiber.Ctx) error {
if tenantFilter == "" { if tenantFilter == "" {
tenantFilter = h.resolveDevTenantScope(c) tenantFilter = h.resolveDevTenantScope(c)
} }
if role != domain.RoleSuperAdmin && tenantFilter == "" {
tenantFilter = tenantIDFromProfile(profile)
}
cursorRaw := c.Query("cursor") cursorRaw := c.Query("cursor")
cursor, err := parseAuditCursor(cursorRaw) cursor, err := parseAuditCursor(cursorRaw)
@@ -1263,7 +1402,7 @@ func (h *DevHandler) ListAuditLogs(c *fiber.Ctx) error {
for _, logItem := range page { for _, logItem := range page {
scanned++ scanned++
if h.matchesDevAuditFilter(logItem, tenantFilter, clientFilter, actionFilter, statusFilter) { if h.matchesDevAuditFilter(logItem, tenantFilter, clientFilter, actionFilter, statusFilter, allowedClientIDs) {
collected = append(collected, logItem) collected = append(collected, logItem)
if len(collected) == limit+1 { if len(collected) == limit+1 {
break break
@@ -1308,7 +1447,7 @@ func (h *DevHandler) GetStats(c *fiber.Ctx) error {
userTenantID := "" userTenantID := ""
isSuperAdmin := false isSuperAdmin := false
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil { if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil {
isSuperAdmin = profile.Role == domain.RoleSuperAdmin isSuperAdmin = normalizeUserRole(profile.Role) == domain.RoleSuperAdmin
if profile.TenantID != nil { if profile.TenantID != nil {
userTenantID = *profile.TenantID userTenantID = *profile.TenantID
} }
@@ -1553,6 +1692,7 @@ func clientTypeOrDefault(tokenEndpointAuthMethod string) string {
func (h *DevHandler) matchesDevAuditFilter( func (h *DevHandler) matchesDevAuditFilter(
logItem domain.AuditLog, logItem domain.AuditLog,
tenantFilter, clientFilter, actionFilter, statusFilter string, tenantFilter, clientFilter, actionFilter, statusFilter string,
allowedClientIDs map[string]struct{},
) bool { ) bool {
if !strings.Contains(logItem.EventType, "/api/v1/dev/") { if !strings.Contains(logItem.EventType, "/api/v1/dev/") {
return false return false
@@ -1574,6 +1714,20 @@ func (h *DevHandler) matchesDevAuditFilter(
return false return false
} }
} }
if len(allowedClientIDs) > 0 {
targetID, _ := details["target_id"].(string)
clientID, _ := details["client_id"].(string)
resolvedID := strings.TrimSpace(targetID)
if resolvedID == "" {
resolvedID = strings.TrimSpace(clientID)
}
if resolvedID == "" {
return false
}
if _, ok := allowedClientIDs[resolvedID]; !ok {
return false
}
}
if actionFilter != "" { if actionFilter != "" {
if normalizeAuditAction(logItem.EventType, details) != actionFilter { if normalizeAuditAction(logItem.EventType, details) != actionFilter {
return false return false

View File

@@ -82,14 +82,14 @@ func TestDevHandler_Isolation(t *testing.T) {
app.Use(func(c *fiber.Ctx) error { app.Use(func(c *fiber.Ctx) error {
c.Locals("user_profile", &domain.UserProfileResponse{ c.Locals("user_profile", &domain.UserProfileResponse{
ID: "user-a", ID: "user-a",
Role: domain.RoleUser, Role: domain.RoleTenantAdmin,
TenantID: &tenantA, TenantID: &tenantA,
}) })
return c.Next() return c.Next()
}) })
app.Get("/api/v1/dev/clients", h.ListClients) app.Get("/api/v1/dev/clients", h.ListClients)
mockKeto.On("CheckPermission", mock.Anything, "user-a", "System", "AppManager", "member").Return(false, nil) mockKeto.On("CheckPermission", mock.Anything, "user-a", "System", "AppManager", "member").Return(true, nil)
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil) req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil)
resp, _ := app.Test(req, -1) resp, _ := app.Test(req, -1)
@@ -105,7 +105,7 @@ func TestDevHandler_Isolation(t *testing.T) {
assert.Equal(t, "client-tenant-a", res.Items[0].ID) assert.Equal(t, "client-tenant-a", res.Items[0].ID)
}) })
t.Run("GetClient should enforce tenant isolation", func(t *testing.T) { t.Run("Tenant member should be forbidden from DevFront clients", func(t *testing.T) {
app := fiber.New() app := fiber.New()
tenantA := "tenant-a" tenantA := "tenant-a"
app.Use(func(c *fiber.Ctx) error { app.Use(func(c *fiber.Ctx) error {
@@ -116,6 +116,52 @@ func TestDevHandler_Isolation(t *testing.T) {
}) })
return c.Next() return c.Next()
}) })
app.Get("/api/v1/dev/clients", h.ListClients)
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil)
resp, _ := app.Test(req, -1)
assert.Equal(t, http.StatusForbidden, resp.StatusCode)
})
t.Run("RP Admin should only see managed clients", func(t *testing.T) {
app := fiber.New()
tenantA := "tenant-a"
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_profile", &domain.UserProfileResponse{
ID: "rp-admin-a",
Role: domain.RoleRPAdmin,
TenantID: &tenantA,
Metadata: map[string]any{
"managed_client_ids": []any{"client-tenant-a"},
},
})
return c.Next()
})
app.Get("/api/v1/dev/clients", h.ListClients)
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil)
resp, _ := app.Test(req, -1)
assert.Equal(t, http.StatusOK, resp.StatusCode)
var res struct {
Items []clientSummary `json:"items"`
}
json.NewDecoder(resp.Body).Decode(&res)
assert.Equal(t, 1, len(res.Items))
assert.Equal(t, "client-tenant-a", res.Items[0].ID)
})
t.Run("GetClient should enforce tenant isolation", func(t *testing.T) {
app := fiber.New()
tenantA := "tenant-a"
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_profile", &domain.UserProfileResponse{
ID: "user-a",
Role: domain.RoleTenantAdmin,
TenantID: &tenantA,
})
return c.Next()
})
app.Get("/api/v1/dev/clients/:id", h.GetClient) app.Get("/api/v1/dev/clients/:id", h.GetClient)
// Case 1: Same tenant // Case 1: Same tenant
@@ -135,7 +181,7 @@ func TestDevHandler_Isolation(t *testing.T) {
app.Use(func(c *fiber.Ctx) error { app.Use(func(c *fiber.Ctx) error {
c.Locals("user_profile", &domain.UserProfileResponse{ c.Locals("user_profile", &domain.UserProfileResponse{
ID: "user-a", ID: "user-a",
Role: domain.RoleUser, Role: domain.RoleTenantAdmin,
TenantID: &tenantA, TenantID: &tenantA,
}) })
return c.Next() return c.Next()

View File

@@ -266,8 +266,6 @@ func TestGetStats_Success(t *testing.T) {
} }
mockKeto := new(devMockKetoService) mockKeto := new(devMockKetoService)
// mockKeto setup to allow stats view
mockKeto.On("CheckPermission", mock.Anything, "u1", "System", "AppManager", "member").Return(true, nil)
h := &DevHandler{ h := &DevHandler{
Hydra: &service.HydraAdminService{ Hydra: &service.HydraAdminService{
@@ -281,7 +279,7 @@ func TestGetStats_Success(t *testing.T) {
tenantID := "t1" tenantID := "t1"
app.Use(func(c *fiber.Ctx) error { app.Use(func(c *fiber.Ctx) error {
c.Locals("user_profile", &domain.UserProfileResponse{ c.Locals("user_profile", &domain.UserProfileResponse{
ID: "u1", Role: domain.RoleUser, TenantID: &tenantID, ID: "u1", Role: domain.RoleTenantAdmin, TenantID: &tenantID,
}) })
return c.Next() return c.Next()
}) })
@@ -297,7 +295,7 @@ func TestGetStats_Success(t *testing.T) {
assert.Equal(t, int64(2), res.TotalClients) assert.Equal(t, int64(2), res.TotalClients)
assert.Equal(t, int64(7), res.AuthFailures) assert.Equal(t, int64(7), res.AuthFailures)
assert.Equal(t, int64(3), res.ActiveSessions) assert.Equal(t, int64(3), res.ActiveSessions)
mockKeto.AssertExpectations(t) mockKeto.AssertNotCalled(t, "CheckPermission", mock.Anything, mock.Anything, "System", "AppManager", "member")
} }
func TestDevHandler_NoAuditNoAction(t *testing.T) { func TestDevHandler_NoAuditNoAction(t *testing.T) {
@@ -323,3 +321,78 @@ func TestDevHandler_NoAuditNoAction(t *testing.T) {
assert.Equal(t, http.StatusServiceUnavailable, resp.StatusCode) assert.Equal(t, http.StatusServiceUnavailable, resp.StatusCode)
}) })
} }
func TestListAuditLogs_TenantMemberForbidden(t *testing.T) {
h := &DevHandler{
Hydra: &service.HydraAdminService{AdminURL: "http://hydra.test"},
AuditRepo: &mockAuditRepo{},
Keto: new(devMockKetoService),
}
app := fiber.New()
tenantID := "tenant-a"
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_profile", &domain.UserProfileResponse{
ID: "u-member",
Role: domain.RoleUser,
TenantID: &tenantID,
})
return c.Next()
})
app.Get("/api/v1/dev/audit-logs", h.ListAuditLogs)
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/audit-logs", nil)
resp, _ := app.Test(req, -1)
assert.Equal(t, http.StatusForbidden, resp.StatusCode)
}
func TestListAuditLogs_RPAdminScope(t *testing.T) {
auditRepo := &mockAuditRepo{
logs: []domain.AuditLog{
{
EventID: "evt-1",
EventType: "POST /api/v1/dev/clients",
Status: "success",
Timestamp: time.Now().UTC(),
Details: `{"target_id":"client-allowed","tenant_id":"tenant-a","action":"CREATE_CLIENT"}`,
},
{
EventID: "evt-2",
EventType: "POST /api/v1/dev/clients",
Status: "success",
Timestamp: time.Now().UTC().Add(-time.Minute),
Details: `{"target_id":"client-other","tenant_id":"tenant-a","action":"CREATE_CLIENT"}`,
},
},
}
h := &DevHandler{
Hydra: &service.HydraAdminService{AdminURL: "http://hydra.test"},
AuditRepo: auditRepo,
Keto: new(devMockKetoService),
}
app := fiber.New()
tenantID := "tenant-a"
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_profile", &domain.UserProfileResponse{
ID: "u-rp-admin",
Role: domain.RoleRPAdmin,
TenantID: &tenantID,
Metadata: map[string]any{
"managed_client_ids": []any{"client-allowed"},
},
})
return c.Next()
})
app.Get("/api/v1/dev/audit-logs", h.ListAuditLogs)
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/audit-logs?limit=50", nil)
resp, _ := app.Test(req, -1)
assert.Equal(t, http.StatusOK, resp.StatusCode)
var result devAuditListResponse
_ = json.NewDecoder(resp.Body).Decode(&result)
assert.Len(t, result.Items, 1)
assert.Equal(t, "evt-1", result.Items[0].EventID)
}

View File

@@ -44,13 +44,14 @@ func (h *RelyingPartyHandler) ListAll(c *fiber.Ctx) error {
var rps []domain.RelyingParty var rps []domain.RelyingParty
var err error var err error
role := domain.NormalizeRole(profile.Role)
if profile.Role == domain.RoleSuperAdmin { if role == domain.RoleSuperAdmin {
rps, err = h.Service.ListAll(c.Context()) rps, err = h.Service.ListAll(c.Context())
} else if profile.Role == domain.RoleTenantAdmin && profile.TenantID != nil { } else if role == domain.RoleTenantAdmin && profile.TenantID != nil {
rps, err = h.Service.List(c.Context(), *profile.TenantID) rps, err = h.Service.List(c.Context(), *profile.TenantID)
} else { } else {
slog.Warn("Forbidden access to all applications", "userID", profile.ID, "role", profile.Role) slog.Warn("Forbidden access to all applications", "userID", profile.ID, "role", role)
return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient role to list all applications") return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient role to list all applications")
} }

View File

@@ -116,7 +116,7 @@ func (h *TenantHandler) ListTenants(c *fiber.Ctx) error {
profile, _ := c.Locals("user_profile").(*domain.UserProfileResponse) profile, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
// If Tenant Admin, only list manageable tenants // If Tenant Admin, only list manageable tenants
if profile != nil && profile.Role == domain.RoleTenantAdmin { if profile != nil && domain.NormalizeRole(profile.Role) == domain.RoleTenantAdmin {
slog.Info("Listing manageable tenants for tenant admin", "userID", profile.ID) slog.Info("Listing manageable tenants for tenant admin", "userID", profile.ID)
tenants, err = h.Service.ListManageableTenants(c.Context(), profile.ID) tenants, err = h.Service.ListManageableTenants(c.Context(), profile.ID)
if err != nil { if err != nil {

View File

@@ -61,7 +61,7 @@ func (h *UserHandler) ListUsers(c *fiber.Ctx) error {
var requesterRole string var requesterRole string
var requesterCompany string var requesterCompany string
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok { if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok {
requesterRole = profile.Role requesterRole = domain.NormalizeRole(profile.Role)
requesterCompany = profile.CompanyCode requesterCompany = profile.CompanyCode
} }
@@ -195,7 +195,7 @@ func (h *UserHandler) GetUser(c *fiber.Ctx) error {
// [New] Check access scope // [New] Check access scope
requester, _ := c.Locals("user_profile").(*domain.UserProfileResponse) requester, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
if requester != nil && requester.Role == domain.RoleTenantAdmin { if requester != nil && domain.NormalizeRole(requester.Role) == domain.RoleTenantAdmin {
compCode := extractTraitString(identity.Traits, "companyCode") compCode := extractTraitString(identity.Traits, "companyCode")
if requester.CompanyCode == "" || compCode != requester.CompanyCode { if requester.CompanyCode == "" || compCode != requester.CompanyCode {
return errorJSON(c, fiber.StatusForbidden, "forbidden: access to user in another tenant denied") return errorJSON(c, fiber.StatusForbidden, "forbidden: access to user in another tenant denied")
@@ -263,9 +263,9 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
} }
} }
role := strings.TrimSpace(req.Role) role := domain.NormalizeRole(req.Role)
if role == "" { if role == "" {
role = "user" role = domain.RoleUser
} }
attributes := map[string]interface{}{ attributes := map[string]interface{}{
@@ -380,7 +380,7 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
// [New] Check access scope // [New] Check access scope
requester, _ := c.Locals("user_profile").(*domain.UserProfileResponse) requester, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
if requester != nil && requester.Role == domain.RoleTenantAdmin { if requester != nil && domain.NormalizeRole(requester.Role) == domain.RoleTenantAdmin {
compCode := extractTraitString(identity.Traits, "companyCode") compCode := extractTraitString(identity.Traits, "companyCode")
if requester.CompanyCode == "" || compCode != requester.CompanyCode { if requester.CompanyCode == "" || compCode != requester.CompanyCode {
return errorJSON(c, fiber.StatusForbidden, "forbidden: cannot update user in another tenant") return errorJSON(c, fiber.StatusForbidden, "forbidden: cannot update user in another tenant")
@@ -402,7 +402,7 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
} }
// [New] Tenant Admin restriction: Cannot change companyCode // [New] Tenant Admin restriction: Cannot change companyCode
if requester != nil && requester.Role == domain.RoleTenantAdmin { if requester != nil && domain.NormalizeRole(requester.Role) == domain.RoleTenantAdmin {
if req.CompanyCode != nil && *req.CompanyCode != requester.CompanyCode { if req.CompanyCode != nil && *req.CompanyCode != requester.CompanyCode {
return errorJSON(c, fiber.StatusForbidden, "forbidden: tenant admins cannot change user's tenant") return errorJSON(c, fiber.StatusForbidden, "forbidden: tenant admins cannot change user's tenant")
} }
@@ -437,9 +437,9 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
traits["department"] = strings.TrimSpace(*req.Department) traits["department"] = strings.TrimSpace(*req.Department)
} }
if req.Role != nil { if req.Role != nil {
role := strings.TrimSpace(*req.Role) role := domain.NormalizeRole(*req.Role)
if role == "" { if role == "" {
role = "user" role = domain.RoleUser
} }
traits["grade"] = role traits["grade"] = role
traits["role"] = role traits["role"] = role
@@ -507,7 +507,7 @@ func (h *UserHandler) DeleteUser(c *fiber.Ctx) error {
// [New] Check access scope before deletion // [New] Check access scope before deletion
requester, _ := c.Locals("user_profile").(*domain.UserProfileResponse) requester, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
if requester != nil && requester.Role == domain.RoleTenantAdmin { if requester != nil && domain.NormalizeRole(requester.Role) == domain.RoleTenantAdmin {
identity, err := h.KratosAdmin.GetIdentity(c.Context(), userID) identity, err := h.KratosAdmin.GetIdentity(c.Context(), userID)
if err == nil && identity != nil { if err == nil && identity != nil {
compCode := extractTraitString(identity.Traits, "companyCode") compCode := extractTraitString(identity.Traits, "companyCode")
@@ -541,7 +541,11 @@ func (h *UserHandler) mapIdentitySummary(ctx context.Context, identity service.K
traits := identity.Traits traits := identity.Traits
role := extractTraitString(traits, "grade") role := extractTraitString(traits, "grade")
if role == "" { if role == "" {
role = "user" role = extractTraitString(traits, "role")
}
role = domain.NormalizeRole(role)
if role == "" {
role = domain.RoleUser
} }
compCode := extractTraitString(traits, "companyCode") compCode := extractTraitString(traits, "companyCode")
@@ -589,7 +593,11 @@ func (h *UserHandler) mapToLocalUser(identity service.KratosIdentity) *domain.Us
traits := identity.Traits traits := identity.Traits
role := extractTraitString(traits, "grade") role := extractTraitString(traits, "grade")
if role == "" { if role == "" {
role = "user" role = extractTraitString(traits, "role")
}
role = domain.NormalizeRole(role)
if role == "" {
role = domain.RoleUser
} }
compCode := extractTraitString(traits, "companyCode") compCode := extractTraitString(traits, "companyCode")
@@ -633,6 +641,9 @@ func (h *UserHandler) mapToLocalUser(identity service.KratosIdentity) *domain.Us
} }
func (h *UserHandler) syncKetoRole(ctx context.Context, userID, newRole, oldRole, oldTenantID string, newTenantID *string) { func (h *UserHandler) syncKetoRole(ctx context.Context, userID, newRole, oldRole, oldTenantID string, newTenantID *string) {
newRole = domain.NormalizeRole(newRole)
oldRole = domain.NormalizeRole(oldRole)
// Remove old roles // Remove old roles
if oldRole == domain.RoleSuperAdmin { if oldRole == domain.RoleSuperAdmin {
_ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{ _ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{

View File

@@ -31,8 +31,10 @@ func RequireKetoPermission(config RBACConfig, namespace, relation string) fiber.
// Store profile in locals for further use in handlers // Store profile in locals for further use in handlers
c.Locals("user_profile", profile) c.Locals("user_profile", profile)
role := domain.NormalizeRole(profile.Role)
// Super Admin bypass // Super Admin bypass
if profile.Role == domain.RoleSuperAdmin { if role == domain.RoleSuperAdmin {
return c.Next() return c.Next()
} }
@@ -67,7 +69,7 @@ func RequireKetoPermission(config RBACConfig, namespace, relation string) fiber.
} }
if !allowed { if !allowed {
slog.Warn("Keto permission denied", "userID", profile.ID, "userRole", profile.Role, "namespace", namespace, "objectID", objectID, "relation", relation, "X-Test-Role", c.Get("X-Test-Role")) slog.Warn("Keto permission denied", "userID", profile.ID, "userRole", role, "namespace", namespace, "objectID", objectID, "relation", relation, "X-Test-Role", c.Get("X-Test-Role"))
return errorJSON(c, fiber.StatusForbidden, "forbidden: keto permission denied for "+namespace+":"+objectID) return errorJSON(c, fiber.StatusForbidden, "forbidden: keto permission denied for "+namespace+":"+objectID)
} }
@@ -91,15 +93,17 @@ func RequireRole(config RBACConfig) fiber.Handler {
// Store profile in locals for further use in handlers // Store profile in locals for further use in handlers
c.Locals("user_profile", profile) c.Locals("user_profile", profile)
userRole := domain.NormalizeRole(profile.Role)
// Super Admin always has access // Super Admin always has access
if profile.Role == domain.RoleSuperAdmin { if userRole == domain.RoleSuperAdmin {
return c.Next() return c.Next()
} }
// Check if user's role is in allowed roles // Check if user's role is in allowed roles
roleAllowed := false roleAllowed := false
for _, role := range config.AllowedRoles { for _, role := range config.AllowedRoles {
if profile.Role == role { if userRole == domain.NormalizeRole(role) {
roleAllowed = true roleAllowed = true
break break
} }
@@ -108,7 +112,7 @@ func RequireRole(config RBACConfig) fiber.Handler {
if !roleAllowed { if !roleAllowed {
slog.Warn("RBAC access denied", slog.Warn("RBAC access denied",
"userID", profile.ID, "userID", profile.ID,
"userRole", profile.Role, "userRole", userRole,
"allowedRoles", config.AllowedRoles, "allowedRoles", config.AllowedRoles,
"path", c.Path(), "path", c.Path(),
"X-Test-Role", c.Get("X-Test-Role"), "X-Test-Role", c.Get("X-Test-Role"),
@@ -136,13 +140,15 @@ func RequireTenantMatch(config RBACConfig) fiber.Handler {
// Store profile in locals for further use in handlers // Store profile in locals for further use in handlers
c.Locals("user_profile", profile) c.Locals("user_profile", profile)
userRole := domain.NormalizeRole(profile.Role)
// Super Admin bypass // Super Admin bypass
if profile.Role == domain.RoleSuperAdmin { if userRole == domain.RoleSuperAdmin {
return c.Next() return c.Next()
} }
// Tenant Admin check // Tenant Admin check
if profile.Role == domain.RoleTenantAdmin { if userRole == domain.RoleTenantAdmin {
targetTenantID := c.Params("tenantId") targetTenantID := c.Params("tenantId")
if targetTenantID == "" { if targetTenantID == "" {
targetTenantID = c.Params("id") // common for /tenants/:id targetTenantID = c.Params("id") // common for /tenants/:id

View File

@@ -9,6 +9,7 @@
"lint": "biome check .", "lint": "biome check .",
"preview": "vite preview", "preview": "vite preview",
"test": "playwright test", "test": "playwright test",
"test:roles": "playwright test tests/devfront-role-switch-report.spec.ts",
"test:ui": "playwright test --ui" "test:ui": "playwright test --ui"
}, },
"dependencies": { "dependencies": {

View File

@@ -8,6 +8,7 @@ import ClientConsentsPage from "../features/clients/ClientConsentsPage";
import ClientDetailsPage from "../features/clients/ClientDetailsPage"; import ClientDetailsPage from "../features/clients/ClientDetailsPage";
import ClientGeneralPage from "../features/clients/ClientGeneralPage"; import ClientGeneralPage from "../features/clients/ClientGeneralPage";
import ClientsPage from "../features/clients/ClientsPage"; import ClientsPage from "../features/clients/ClientsPage";
import ProfilePage from "../features/profile/ProfilePage";
export const router = createBrowserRouter( export const router = createBrowserRouter(
[ [
@@ -33,6 +34,7 @@ export const router = createBrowserRouter(
{ path: "clients/:id/consents", element: <ClientConsentsPage /> }, { path: "clients/:id/consents", element: <ClientConsentsPage /> },
{ path: "clients/:id/settings", element: <ClientGeneralPage /> }, { path: "clients/:id/settings", element: <ClientGeneralPage /> },
{ path: "audit-logs", element: <AuditLogsPage /> }, { path: "audit-logs", element: <AuditLogsPage /> },
{ path: "profile", element: <ProfilePage /> },
], ],
}, },
], ],

View File

@@ -1,3 +1,4 @@
import { useQuery } from "@tanstack/react-query";
import { import {
BadgeCheck, BadgeCheck,
LogOut, LogOut,
@@ -5,13 +6,17 @@ import {
NotebookTabs, NotebookTabs,
ShieldHalf, ShieldHalf,
Sun, Sun,
User as UserIcon,
} from "lucide-react"; } from "lucide-react";
import { useEffect, useRef, useState } from "react"; import { useEffect, useRef, useState } from "react";
import { useAuth } from "react-oidc-context"; import { useAuth } from "react-oidc-context";
import { NavLink, Outlet, useNavigate } from "react-router-dom"; import { NavLink, Outlet, useNavigate } from "react-router-dom";
import { t } from "../../lib/i18n"; import { t } from "../../lib/i18n";
import { resolveProfileRole } from "../../lib/role";
import LanguageSelector from "../common/LanguageSelector"; import LanguageSelector from "../common/LanguageSelector";
import { Toaster } from "../ui/toaster"; import { Toaster } from "../ui/toaster";
import { Badge } from "../ui/badge";
import { fetchMe } from "../../features/auth/authApi";
const navItems = [ const navItems = [
{ {
@@ -40,6 +45,13 @@ function AppLayout() {
const [isRefreshingSession, setIsRefreshingSession] = useState(false); const [isRefreshingSession, setIsRefreshingSession] = useState(false);
const [nowMs, setNowMs] = useState(() => Date.now()); const [nowMs, setNowMs] = useState(() => Date.now());
const hasAccessToken = Boolean(auth.user?.access_token);
const { data: profile } = useQuery({
queryKey: ["userMe"],
queryFn: fetchMe,
enabled: hasAccessToken,
});
const handleLogout = () => { const handleLogout = () => {
if (window.confirm(t("msg.dev.logout_confirm", "로그아웃 하시겠습니까?"))) { if (window.confirm(t("msg.dev.logout_confirm", "로그아웃 하시겠습니까?"))) {
auth.removeUser(); auth.removeUser();
@@ -96,6 +108,18 @@ function AppLayout() {
auth.user?.profile?.email?.toString().trim() || auth.user?.profile?.email?.toString().trim() ||
t("ui.dev.profile.unknown_email", "unknown@example.com"); t("ui.dev.profile.unknown_email", "unknown@example.com");
const profileInitial = profileName.charAt(0).toUpperCase(); const profileInitial = profileName.charAt(0).toUpperCase();
const currentRole = resolveProfileRole(
auth.user?.profile as Record<string, unknown> | undefined,
);
// Use profile.role from API if available, otherwise fallback to local role
const displayRoleKey = profile?.role || currentRole;
const isDevConsoleAllowed = [
"super_admin",
"tenant_admin",
"rp_admin",
].includes(currentRole);
const expiresAtSec = auth.user?.expires_at; const expiresAtSec = auth.user?.expires_at;
const remainingMs = const remainingMs =
typeof expiresAtSec === "number" ? expiresAtSec * 1000 - nowMs : null; typeof expiresAtSec === "number" ? expiresAtSec * 1000 - nowMs : null;
@@ -191,23 +215,24 @@ function AppLayout() {
</span> </span>
</div> </div>
<div className="flex flex-col gap-1"> <div className="flex flex-col gap-1">
{navItems.map(({ labelKey, labelFallback, to, icon: Icon }) => ( {isDevConsoleAllowed &&
<NavLink navItems.map(({ labelKey, labelFallback, to, icon: Icon }) => (
key={to} <NavLink
to={to} key={to}
className={({ isActive }) => to={to}
[ className={({ isActive }) =>
"flex items-center gap-3 rounded-xl px-3 py-3 text-sm transition", [
isActive "flex items-center gap-3 rounded-xl px-3 py-3 text-sm transition",
? "bg-primary/10 text-primary shadow-[0_12px_40px_rgba(54,211,153,0.18)]" isActive
: "text-muted-foreground hover:bg-muted/10 hover:text-foreground", ? "bg-primary/10 text-primary shadow-[0_12px_40px_rgba(54,211,153,0.18)]"
].join(" ") : "text-muted-foreground hover:bg-muted/10 hover:text-foreground",
} ].join(" ")
> }
<Icon size={18} /> >
<span>{t(labelKey, labelFallback)}</span> <Icon size={18} />
</NavLink> <span>{t(labelKey, labelFallback)}</span>
))} </NavLink>
))}
</div> </div>
</nav> </nav>
</div> </div>
@@ -296,14 +321,41 @@ function AppLayout() {
<p className="text-xs uppercase tracking-[0.16em] text-muted-foreground"> <p className="text-xs uppercase tracking-[0.16em] text-muted-foreground">
{t("ui.dev.profile.menu_title", "Account")} {t("ui.dev.profile.menu_title", "Account")}
</p> </p>
<div className="mt-2 rounded-lg border border-border px-3 py-2"> <div className="mt-2 rounded-lg border border-border px-3 py-3 flex flex-col gap-2">
<p className="truncate text-sm font-semibold text-foreground"> <div>
{profileName} <p className="truncate text-sm font-semibold text-foreground">
</p> {profileName}
<p className="truncate text-xs text-muted-foreground"> </p>
{profileEmail} <p className="truncate text-xs text-muted-foreground">
</p> {profileEmail}
</p>
</div>
<div className="flex items-center pt-1">
<Badge
variant="outline"
className="text-[10px] px-2 py-0"
>
{t(
`ui.common.role.${displayRoleKey}`,
displayRoleKey.toUpperCase(),
)}
</Badge>
</div>
</div> </div>
<button
type="button"
role="menuitem"
className="mt-2 w-full flex items-center gap-2 rounded-lg border border-border px-3 py-2 text-left text-sm text-foreground transition hover:bg-muted/20"
onClick={() => {
navigate("/profile");
setIsProfileMenuOpen(false);
}}
>
<UserIcon size={16} className="text-muted-foreground" />
<span>{t("ui.dev.profile.title", "내 정보")}</span>
</button>
<button <button
type="button" type="button"
role="menuitem" role="menuitem"

View File

@@ -1,5 +1,7 @@
import { useAuth } from "react-oidc-context"; import { useAuth } from "react-oidc-context";
import { Navigate, Outlet } from "react-router-dom"; import { Navigate, Outlet } from "react-router-dom";
import { t } from "../../lib/i18n";
import { resolveProfileRole } from "../../lib/role";
export default function AuthGuard() { export default function AuthGuard() {
const auth = useAuth(); const auth = useAuth();
@@ -16,5 +18,39 @@ export default function AuthGuard() {
return <Navigate to="/login" replace />; return <Navigate to="/login" replace />;
} }
const normalizedRole = resolveProfileRole(
auth.user?.profile as Record<string, unknown> | undefined,
);
const isTenantMember =
normalizedRole === "user" || normalizedRole === "tenant_member";
if (isTenantMember) {
return (
<div className="min-h-screen grid place-items-center bg-background text-foreground p-6">
<div className="max-w-lg w-full rounded-xl border border-border bg-card p-6 space-y-4">
<h1 className="text-xl font-semibold">
{t("msg.dev.auth.access_denied_title", "접근 권한이 없습니다.")}
</h1>
<p className="text-sm text-muted-foreground">
{t(
"msg.dev.auth.access_denied_description",
"DevFront는 관리자 전용 화면입니다. 권한이 필요하면 관리자에게 요청해 주세요.",
)}
</p>
<button
type="button"
className="inline-flex items-center rounded-md bg-primary px-4 py-2 text-sm font-medium text-primary-foreground hover:opacity-90"
onClick={() => {
auth.removeUser();
window.location.href = "/login";
}}
>
{t("ui.common.back_to_login", "로그인으로 돌아가기")}
</button>
</div>
</div>
);
}
return <Outlet />; return <Outlet />;
} }

View File

@@ -356,7 +356,7 @@ function ClientConsentsPage() {
<div className="flex justify-end"> <div className="flex justify-end">
<Button <Button
variant="link" variant="ghost"
size="sm" size="sm"
className="text-xs text-muted-foreground p-0 h-auto" className="text-xs text-muted-foreground p-0 h-auto"
onClick={() => { onClick={() => {

View File

@@ -262,7 +262,7 @@ function ClientsPage() {
</select> </select>
</div> </div>
<Button <Button
variant="link" variant="ghost"
size="sm" size="sm"
className="text-xs text-muted-foreground ml-auto" className="text-xs text-muted-foreground ml-auto"
onClick={() => { onClick={() => {
@@ -291,7 +291,7 @@ function ClientsPage() {
item.tone === "up" item.tone === "up"
? "success" ? "success"
: item.tone === "down" : item.tone === "down"
? "destructive" ? "warning"
: "muted" : "muted"
} }
className={cn( className={cn(

View File

@@ -0,0 +1,216 @@
import { useQuery } from "@tanstack/react-query";
import {
User,
Shield,
Briefcase,
Mail,
Fingerprint,
Building2,
} from "lucide-react";
import { useState } from "react";
import { useAuth } from "react-oidc-context";
import {
Card,
CardContent,
CardDescription,
CardHeader,
CardTitle,
} from "../../components/ui/card";
import { fetchMe } from "../auth/authApi";
import { t } from "../../lib/i18n";
function ProfilePage() {
const auth = useAuth();
const hasAccessToken = Boolean(auth.user?.access_token);
const {
data: profile,
isLoading,
error,
} = useQuery({
queryKey: ["userMe"],
queryFn: fetchMe,
enabled: hasAccessToken,
});
const [activeTab, setActiveTab] = useState<"basic" | "role">("basic");
if (isLoading) {
return (
<div className="p-8 text-center">
{t("ui.dev.profile.loading", "Loading profile...")}
</div>
);
}
if (error || !profile) {
return (
<div className="p-8 text-center text-red-500">
{t("ui.dev.profile.error", "Failed to load profile information.")}
</div>
);
}
// Fallback to token information if API data is incomplete
const displayTenant =
profile.tenant?.name ||
profile.tenantId ||
auth.user?.profile?.tenant_id?.toString() ||
"-";
const displayCompanyCode =
profile.companyCode || auth.user?.profile?.companyCode?.toString() || "-";
return (
<div className="space-y-6 max-w-4xl mx-auto">
<div>
<h1 className="text-3xl font-black tracking-tight">
{t("ui.dev.profile.title", "내 정보")}
</h1>
<p className="text-muted-foreground mt-2">
{t(
"ui.dev.profile.subtitle",
"사용자 상세 정보 및 할당된 역할(Role)을 확인합니다.",
)}
</p>
</div>
<div className="flex space-x-1 border-b border-border pb-px">
<button
type="button"
onClick={() => setActiveTab("basic")}
className={`px-4 py-2 text-sm font-medium border-b-2 transition-colors ${
activeTab === "basic"
? "border-primary text-primary"
: "border-transparent text-muted-foreground hover:text-foreground hover:border-border"
}`}
>
{t("ui.dev.profile.tab.basic", "기본 정보")}
</button>
<button
type="button"
onClick={() => setActiveTab("role")}
className={`px-4 py-2 text-sm font-medium border-b-2 transition-colors ${
activeTab === "role"
? "border-primary text-primary"
: "border-transparent text-muted-foreground hover:text-foreground hover:border-border"
}`}
>
{t("ui.dev.profile.tab.role", "권한 및 역할")}
</button>
</div>
<div className="pt-4">
{activeTab === "basic" && (
<div className="grid gap-6 md:grid-cols-2">
<Card className="glass-panel">
<CardHeader>
<CardTitle className="text-lg flex items-center gap-2">
<User className="h-5 w-5 text-primary" />
{t("ui.dev.profile.basic.title", "사용자 정보")}
</CardTitle>
</CardHeader>
<CardContent className="space-y-4">
<div className="space-y-1">
<p className="text-sm font-medium text-muted-foreground flex items-center gap-2">
<Fingerprint className="h-4 w-4" />
{t("ui.dev.profile.basic.id", "User ID")}
</p>
<p className="text-sm break-all font-mono bg-muted/50 p-2 rounded-md">
{profile.id}
</p>
</div>
<div className="space-y-1">
<p className="text-sm font-medium text-muted-foreground flex items-center gap-2">
<User className="h-4 w-4" />
{t("ui.dev.profile.basic.name", "Name")}
</p>
<p className="text-sm">{profile.name}</p>
</div>
<div className="space-y-1">
<p className="text-sm font-medium text-muted-foreground flex items-center gap-2">
<Mail className="h-4 w-4" />
{t("ui.dev.profile.basic.email", "Email")}
</p>
<p className="text-sm">{profile.email}</p>
</div>
<div className="space-y-1">
<p className="text-sm font-medium text-muted-foreground flex items-center gap-2">
<Briefcase className="h-4 w-4" />
{t("ui.dev.profile.basic.phone", "Phone")}
</p>
<p className="text-sm">{profile.phone || "-"}</p>
</div>
</CardContent>
</Card>
<Card className="glass-panel">
<CardHeader>
<CardTitle className="text-lg flex items-center gap-2">
<Building2 className="h-5 w-5 text-primary" />
{t("ui.dev.profile.org.title", "조직 정보")}
</CardTitle>
</CardHeader>
<CardContent className="space-y-4">
<div className="space-y-1">
<p className="text-sm font-medium text-muted-foreground">
{t("ui.dev.profile.org.tenant", "테넌트")}
</p>
<p className="text-sm">{displayTenant}</p>
</div>
<div className="space-y-1">
<p className="text-sm font-medium text-muted-foreground">
{t("ui.dev.profile.org.company_code", "회사 코드")}
</p>
<p className="text-sm">{displayCompanyCode}</p>
</div>
</CardContent>
</Card>
</div>
)}
{activeTab === "role" && (
<Card className="glass-panel">
<CardHeader>
<CardTitle className="text-lg flex items-center gap-2">
<Shield className="h-5 w-5 text-primary" />
{t("ui.dev.profile.role.title", "시스템 역할")}
</CardTitle>
<CardDescription>
{t(
"ui.dev.profile.role.description",
"현재 계정에 부여된 권한 등급입니다.",
)}
</CardDescription>
</CardHeader>
<CardContent>
<div className="flex items-center gap-4 bg-muted/30 p-4 rounded-lg border border-border">
<div className="h-12 w-12 rounded-full bg-primary/20 flex items-center justify-center text-primary shrink-0">
<Briefcase className="h-6 w-6" />
</div>
<div className="flex flex-col gap-1 w-full">
<p className="text-sm text-muted-foreground font-medium uppercase tracking-wider">
{t("ui.dev.profile.role.current", "Current Role")}
</p>
<p className="text-xl font-bold mt-1">
{t(
`ui.common.role.${profile.role}`,
profile.role.toUpperCase(),
)}
</p>
<p className="mt-1 text-sm text-muted-foreground">
{t(
`ui.dev.profile.role.desc_${profile.role}`,
"시스템 역할에 대한 설명이 제공되지 않았습니다.",
)}
</p>
</div>
</div>
</CardContent>
</Card>
)}
</div>
</div>
);
}
export default ProfilePage;

27
devfront/src/lib/role.ts Normal file
View File

@@ -0,0 +1,27 @@
export function normalizeRole(rawRole: unknown): string {
if (typeof rawRole !== "string") return "";
const role = rawRole.trim().toLowerCase();
if (role === "tenant_member") return "user";
if (role === "admin") return "tenant_admin";
if (role === "superadmin") return "super_admin";
if (role === "tenantadmin") return "tenant_admin";
if (role === "rpadmin") return "rp_admin";
return role;
}
export function resolveProfileRole(
profile: Record<string, unknown> | undefined,
) {
if (!profile) return "";
const candidates = [
profile.role,
profile.grade,
profile["custom:role"],
profile["custom:grade"],
];
for (const candidate of candidates) {
const normalized = normalizeRole(candidate);
if (normalized) return normalized;
}
return "";
}

View File

@@ -207,6 +207,10 @@ unknown_error = "unknown error"
[msg.dev] [msg.dev]
logout_confirm = "Are you sure you want to log out?" logout_confirm = "Are you sure you want to log out?"
[msg.dev.auth]
access_denied_description = "DevFront is for administrators only. Request access from your administrator."
access_denied_title = "Access denied."
[msg.dev.audit] [msg.dev.audit]
empty = "No audit logs found." empty = "No audit logs found."
forbidden = "You do not have permission to view audit logs. Please request access from an administrator." forbidden = "You do not have permission to view audit logs. Please request access from an administrator."
@@ -890,6 +894,7 @@ tenant_dept = "TENANT / DEPT"
[ui.common] [ui.common]
add = "Add" add = "Add"
back = "Back" back = "Back"
back_to_login = "Back to login"
cancel = "Cancel" cancel = "Cancel"
close = "Close" close = "Close"
collapse = "Collapse" collapse = "Collapse"
@@ -1394,6 +1399,42 @@ verify = "Verify"
[ui.userfront.signup.success] [ui.userfront.signup.success]
action = "Action" action = "Action"
[ui.dev.profile]
unknown_name = "Unknown User"
unknown_email = "unknown@example.com"
menu_aria = "Open account menu"
menu_title = "Account"
title = "Profile"
subtitle = "View user details and assigned roles."
loading = "Loading profile..."
error = "Failed to load profile."
[ui.dev.profile.tab]
basic = "Basic Info"
role = "Roles & Permissions"
[ui.dev.profile.basic]
title = "User Info"
id = "User ID"
name = "Name"
email = "Email"
phone = "Phone Number"
[ui.dev.profile.org]
title = "Organization Info"
tenant = "Tenant"
company_code = "Company Code"
[ui.dev.profile.role]
title = "System Role"
description = "The permission level granted to this account."
current = "Current Role"
desc_super_admin = "Can manage all tenants and applications system-wide without restriction."
desc_tenant_admin = "Can manage all applications within their assigned tenant."
desc_rp_admin = "Can view and manage only assigned/linked applications."
desc_user = "Standard application access. DevFront access is denied."
desc_tenant_member = "Standard application access. DevFront access is denied."
[ui.admin.nav] [ui.admin.nav]
api_keys = "API Keys" api_keys = "API Keys"
audit_logs = "Audit Logs" audit_logs = "Audit Logs"

View File

@@ -207,6 +207,10 @@ unknown_error = "unknown error"
[msg.dev] [msg.dev]
logout_confirm = "로그아웃 하시겠습니까?" logout_confirm = "로그아웃 하시겠습니까?"
[msg.dev.auth]
access_denied_description = "DevFront는 관리자 전용 화면입니다. 권한이 필요하면 관리자에게 요청해 주세요."
access_denied_title = "접근 권한이 없습니다."
[msg.dev.audit] [msg.dev.audit]
empty = "조회된 감사 로그가 없습니다." empty = "조회된 감사 로그가 없습니다."
forbidden = "감사 로그를 조회할 권한이 없습니다. 관리자에게 권한을 요청해주세요." forbidden = "감사 로그를 조회할 권한이 없습니다. 관리자에게 권한을 요청해주세요."
@@ -890,6 +894,7 @@ tenant_dept = "TENANT / DEPT"
[ui.common] [ui.common]
add = "추가" add = "추가"
back = "돌아가기" back = "돌아가기"
back_to_login = "로그인으로 돌아가기"
cancel = "취소" cancel = "취소"
close = "닫기" close = "닫기"
collapse = "접기" collapse = "접기"
@@ -1406,3 +1411,39 @@ tenant_dashboard = "테넌트 대시보드"
user_groups = "유저 그룹" user_groups = "유저 그룹"
tenants = "테넌트" tenants = "테넌트"
users = "사용자" users = "사용자"
[ui.dev.profile]
unknown_name = "알 수 없는 사용자"
unknown_email = "unknown@example.com"
menu_aria = "계정 메뉴 열기"
menu_title = "Account"
title = "내 정보"
subtitle = "사용자 상세 정보 및 할당된 역할(Role)을 확인합니다."
loading = "프로필 정보를 불러오는 중..."
error = "프로필 정보를 불러오지 못했습니다."
[ui.dev.profile.tab]
basic = "기본 정보"
role = "권한 및 역할"
[ui.dev.profile.basic]
title = "사용자 정보"
id = "사용자 ID"
name = "이름"
email = "이메일"
phone = "전화번호"
[ui.dev.profile.org]
title = "조직 정보"
tenant = "테넌트"
company_code = "회사 코드"
[ui.dev.profile.role]
title = "시스템 역할"
description = "현재 계정에 부여된 권한 등급입니다."
current = "현재 역할"
desc_super_admin = "전체 시스템의 모든 테넌트와 모든 앱을 제한 없이 관리할 수 있습니다."
desc_tenant_admin = "본인이 속한 테넌트(조직/회사) 하위의 모든 앱을 관리할 수 있습니다."
desc_rp_admin = "본인에게 할당된 연동 앱(Client)만 확인 및 관리할 수 있습니다."
desc_user = "기본 앱 이용 권한을 가지며, DevFront 접근은 차단됩니다."
desc_tenant_member = "기본 앱 이용 권한을 가지며, DevFront 접근은 차단됩니다."

View File

@@ -207,6 +207,10 @@ unknown_error = ""
[msg.dev] [msg.dev]
logout_confirm = "" logout_confirm = ""
[msg.dev.auth]
access_denied_description = ""
access_denied_title = ""
[msg.dev.audit] [msg.dev.audit]
empty = "" empty = ""
forbidden = "" forbidden = ""
@@ -902,6 +906,7 @@ tenant_dept = ""
[ui.common] [ui.common]
add = "" add = ""
back = "" back = ""
back_to_login = ""
cancel = "" cancel = ""
close = "" close = ""
collapse = "" collapse = ""
@@ -1405,3 +1410,39 @@ verify = ""
[ui.userfront.signup.success] [ui.userfront.signup.success]
action = "" action = ""
[ui.dev.profile]
unknown_name = ""
unknown_email = ""
menu_aria = ""
menu_title = ""
title = ""
subtitle = ""
loading = ""
error = ""
[ui.dev.profile.tab]
basic = ""
role = ""
[ui.dev.profile.basic]
title = ""
id = ""
name = ""
email = ""
phone = ""
[ui.dev.profile.org]
title = ""
tenant = ""
company_code = ""
[ui.dev.profile.role]
title = ""
description = ""
current = ""
desc_super_admin = ""
desc_tenant_admin = ""
desc_rp_admin = ""
desc_user = ""
desc_tenant_member = ""

View File

@@ -0,0 +1,155 @@
import { expect, test } from "@playwright/test";
import {
type AuditLog,
type Consent,
installDevApiMock,
makeClient,
seedAuth,
} from "./helpers/devfront-fixtures";
import { captureEvidence } from "./helpers/evidence";
test.describe("DevFront role report", () => {
test.beforeEach(async ({ page }) => {
page.on("dialog", async (dialog) => {
await dialog.accept();
});
});
test("user(tenant_member) is blocked with 안내 문구", async ({
page,
}, testInfo) => {
await seedAuth(page, "user");
await installDevApiMock(page, {
clients: [],
consents: [] as Consent[],
auditLogs: [] as AuditLog[],
});
await page.goto("/clients");
await expect(
page.getByText(/관리자 전용 화면|administrator only/i),
).toBeVisible();
await captureEvidence(page, testInfo, "role-user-blocked");
});
test("rp_admin sees only assigned Gitea app and its logs", async ({
page,
}, testInfo) => {
await seedAuth(page, "rp_admin");
const state = {
clients: [makeClient("gitea-client", { name: "Gitea" })],
consents: [] as Consent[],
auditLogs: [
{
event_id: "evt-rp-1",
timestamp: "2026-03-04T01:00:00.000Z",
user_id: "rp-admin-user",
event_type: "CLIENT_UPDATE",
status: "success" as const,
ip_address: "127.0.0.1",
user_agent: "playwright",
details: JSON.stringify({
action: "UPDATE_CLIENT",
target_id: "gitea-client",
tenant_id: "tenant-a",
}),
},
] as AuditLog[],
};
await installDevApiMock(page, state);
await page.goto("/clients");
await expect(page.getByRole("link", { name: /Gitea/ })).toBeVisible();
await expect(page.getByText("gitea-client")).toBeVisible();
await captureEvidence(page, testInfo, "role-rp-admin-clients");
await page.goto("/audit-logs");
await expect(page.getByText("UPDATE_CLIENT")).toBeVisible();
await expect(page.getByText("gitea-client")).toBeVisible();
await captureEvidence(page, testInfo, "role-rp-admin-audit");
});
test("tenant_admin can manage tenant apps and see tenant logs", async ({
page,
}, testInfo) => {
await seedAuth(page, "tenant_admin");
const state = {
clients: [
makeClient("tenant-a-app-1", { name: "Tenant A CRM" }),
makeClient("tenant-a-app-2", { name: "Tenant A ERP" }),
],
consents: [] as Consent[],
auditLogs: [] as AuditLog[],
auditLogsByCursor: undefined,
};
await installDevApiMock(page, state);
await page.goto("/clients");
await expect(page.getByText("Tenant A CRM")).toBeVisible();
await expect(page.getByText("Tenant A ERP")).toBeVisible();
await captureEvidence(page, testInfo, "role-tenant-admin-clients");
await page.goto("/clients/tenant-a-app-1/settings");
await page
.getByPlaceholder("My Awesome Application")
.fill("Tenant A CRM Updated");
const updatePromise = page.waitForResponse(
(r) =>
r.url().includes("/api/v1/dev/clients") &&
r.request().method() === "PUT",
);
await page.getByRole("button", { name: /^저장$|^Save$/i }).click();
await updatePromise;
await page.goto("/audit-logs");
await expect(page.getByText("UPDATE_CLIENT")).toBeVisible({
timeout: 30000,
});
await expect(page.getByText("tenant-a-app-1")).toBeVisible();
await captureEvidence(page, testInfo, "role-tenant-admin-audit");
});
test("super_admin sees all and can generate log entries", async ({
page,
}, testInfo) => {
await seedAuth(page, "super_admin");
const state = {
clients: [
makeClient("tenant-a-app", { name: "Tenant A App" }),
makeClient("tenant-b-app", { name: "Tenant B App" }),
],
consents: [] as Consent[],
auditLogs: [] as AuditLog[],
auditLogsByCursor: undefined,
};
await installDevApiMock(page, state);
await page.goto("/clients");
await expect(page.getByText("Tenant A App")).toBeVisible();
await expect(page.getByText("Tenant B App")).toBeVisible();
await captureEvidence(page, testInfo, "role-super-admin-clients");
await page.goto("/clients/new");
await page
.getByPlaceholder("My Awesome Application")
.fill("Super Admin Created App");
await page
.getByPlaceholder(/https:\/\/app\.example\.com\/callback/i)
.fill("https://super-admin.example.com/callback");
const createPromise = page.waitForResponse(
(r) =>
r.url().includes("/api/v1/dev/clients") &&
r.request().method() === "POST",
);
await page.getByRole("button", { name: /앱 생성|Create/i }).click();
await createPromise;
await page.goto("/audit-logs");
await expect(page.getByText("CREATE_CLIENT")).toBeVisible({
timeout: 30000,
});
await captureEvidence(page, testInfo, "role-super-admin-audit");
});
});

View File

@@ -1,9 +1,9 @@
import { expect, test } from "@playwright/test"; import { expect, test } from "@playwright/test";
import { import {
type Consent,
installDevApiMock, installDevApiMock,
makeClient, makeClient,
seedAuth, seedAuth,
type Consent,
} from "./helpers/devfront-fixtures"; } from "./helpers/devfront-fixtures";
test.describe("DevFront security and isolation", () => { test.describe("DevFront security and isolation", () => {
@@ -47,4 +47,14 @@ test.describe("DevFront security and isolation", () => {
await expect(page.getByText("PKCE only app")).toBeVisible(); await expect(page.getByText("PKCE only app")).toBeVisible();
await expect(page.getByText("Server side App")).not.toBeVisible(); await expect(page.getByText("Server side App")).not.toBeVisible();
}); });
test("tenant_member user is blocked at AuthGuard", async ({ page }) => {
await seedAuth(page, "tenant_member");
await page.goto("/clients");
await expect(
page.getByText(/DevFront는 관리자 전용 화면입니다|administrator access/i),
).toBeVisible();
await expect(page).toHaveURL(/\/clients$/);
});
}); });

View File

@@ -70,35 +70,39 @@ export function makeClient(
}; };
} }
export async function seedAuth(page: Page) { export async function seedAuth(page: Page, role?: string) {
const nowInSeconds = Math.floor(Date.now() / 1000); const nowInSeconds = Math.floor(Date.now() / 1000);
await page.addInitScript((issuedAt) => { await page.addInitScript(
const mockOidcUser = { ({ issuedAt, injectedRole }) => {
id_token: "playwright-id-token", const mockOidcUser = {
session_state: "playwright-session", id_token: "playwright-id-token",
access_token: "playwright-access-token", session_state: "playwright-session",
refresh_token: "playwright-refresh-token", access_token: "playwright-access-token",
token_type: "Bearer", refresh_token: "playwright-refresh-token",
scope: "openid profile email", token_type: "Bearer",
profile: { scope: "openid profile email",
sub: "playwright-user", profile: {
email: "playwright@example.com", sub: "playwright-user",
name: "Playwright User", email: "playwright@example.com",
}, name: "Playwright User",
expires_at: issuedAt + 3600, ...(injectedRole ? { role: injectedRole } : {}),
}; },
expires_at: issuedAt + 3600,
};
window.localStorage.setItem( window.localStorage.setItem(
"oidc.user:http://localhost:5000/oidc:devfront", "oidc.user:http://localhost:5000/oidc:devfront",
JSON.stringify(mockOidcUser), JSON.stringify(mockOidcUser),
); );
window.localStorage.setItem( window.localStorage.setItem(
"oidc.user:http://localhost:5000/oidc/:devfront", "oidc.user:http://localhost:5000/oidc/:devfront",
JSON.stringify(mockOidcUser), JSON.stringify(mockOidcUser),
); );
window.localStorage.setItem("dev_tenant_id", "tenant-a"); window.localStorage.setItem("dev_tenant_id", "tenant-a");
}, nowInSeconds); },
{ issuedAt: nowInSeconds, injectedRole: role ?? "" },
);
} }
function json(route: Route, payload: unknown, status = 200) { function json(route: Route, payload: unknown, status = 200) {

View File

@@ -0,0 +1,24 @@
import type { Page, TestInfo } from "@playwright/test";
function safeName(name: string): string {
return name
.trim()
.toLowerCase()
.replace(/[^a-z0-9-_]+/g, "-")
.replace(/-+/g, "-")
.replace(/^-|-$/g, "");
}
export async function captureEvidence(
page: Page,
testInfo: TestInfo,
name: string,
) {
const filename = `${safeName(name)}.png`;
const fullPath = testInfo.outputPath(filename);
await page.screenshot({ path: fullPath, fullPage: true });
await testInfo.attach(name, {
path: fullPath,
contentType: "image/png",
});
}

View File

@@ -273,6 +273,10 @@ unknown_error = "unknown error"
[msg.dev] [msg.dev]
logout_confirm = "Are you sure you want to log out?" logout_confirm = "Are you sure you want to log out?"
[msg.dev.auth]
access_denied_description = "DevFront is for administrators only. Request access from your administrator."
access_denied_title = "Access denied."
[msg.dev.audit] [msg.dev.audit]
empty = "No audit logs found." empty = "No audit logs found."
forbidden = "You do not have permission to view audit logs. Please request access from an administrator." forbidden = "You do not have permission to view audit logs. Please request access from an administrator."
@@ -1056,6 +1060,7 @@ add = "Add"
admin_only = "Admin Only" admin_only = "Admin Only"
assign = "Assign" assign = "Assign"
back = "Back" back = "Back"
back_to_login = "Back to login"
cancel = "Cancel" cancel = "Cancel"
close = "Close" close = "Close"
collapse = "Collapse" collapse = "Collapse"
@@ -1155,6 +1160,31 @@ menu_aria = "Open account menu"
menu_title = "Account" menu_title = "Account"
unknown_email = "unknown@example.com" unknown_email = "unknown@example.com"
unknown_name = "Unknown User" unknown_name = "Unknown User"
title = "My Profile"
subtitle = "View user details and assigned roles."
loading = "Loading profile..."
error = "Failed to load profile."
[ui.dev.profile.tab]
basic = "Basic Info"
role = "Roles & Permissions"
[ui.dev.profile.basic]
title = "User Info"
id = "User ID"
name = "Name"
email = "Email"
phone = "Phone Number"
[ui.dev.profile.org]
title = "Organization Info"
tenant = "Tenant"
company_code = "Company Code"
[ui.dev.profile.role]
title = "System Role"
description = "The permission level granted to this account."
current = "Current Role"
[ui.dev.clients] [ui.dev.clients]
copy_client_id = "Copy client id" copy_client_id = "Copy client id"

View File

@@ -273,6 +273,10 @@ unknown_error = "unknown error"
[msg.dev] [msg.dev]
logout_confirm = "로그아웃 하시겠습니까?" logout_confirm = "로그아웃 하시겠습니까?"
[msg.dev.auth]
access_denied_description = "DevFront는 관리자 전용 화면입니다. 권한이 필요하면 관리자에게 요청해 주세요."
access_denied_title = "접근 권한이 없습니다."
[msg.dev.audit] [msg.dev.audit]
empty = "조회된 감사 로그가 없습니다." empty = "조회된 감사 로그가 없습니다."
forbidden = "감사 로그를 조회할 권한이 없습니다. 관리자에게 권한을 요청해주세요." forbidden = "감사 로그를 조회할 권한이 없습니다. 관리자에게 권한을 요청해주세요."
@@ -1056,6 +1060,7 @@ add = "추가"
admin_only = "관리자 전용" admin_only = "관리자 전용"
assign = "할당" assign = "할당"
back = "돌아가기" back = "돌아가기"
back_to_login = "로그인으로 돌아가기"
cancel = "취소" cancel = "취소"
close = "닫기" close = "닫기"
collapse = "접기" collapse = "접기"
@@ -1155,6 +1160,31 @@ menu_aria = "계정 메뉴 열기"
menu_title = "계정" menu_title = "계정"
unknown_email = "unknown@example.com" unknown_email = "unknown@example.com"
unknown_name = "Unknown User" unknown_name = "Unknown User"
title = "내 정보"
subtitle = "사용자 상세 정보 및 할당된 역할(Role)을 확인합니다."
loading = "프로필 정보를 불러오는 중..."
error = "프로필 정보를 불러오지 못했습니다."
[ui.dev.profile.tab]
basic = "기본 정보"
role = "권한 및 역할"
[ui.dev.profile.basic]
title = "사용자 정보"
id = "사용자 ID"
name = "이름"
email = "이메일"
phone = "전화번호"
[ui.dev.profile.org]
title = "조직 정보"
tenant = "테넌트"
company_code = "회사 코드"
[ui.dev.profile.role]
title = "시스템 역할"
description = "현재 계정에 부여된 권한 등급입니다."
current = "현재 역할"
[ui.dev.clients] [ui.dev.clients]
copy_client_id = "Copy client id" copy_client_id = "Copy client id"

View File

@@ -213,6 +213,10 @@ unknown_error = ""
[msg.dev] [msg.dev]
logout_confirm = "" logout_confirm = ""
[msg.dev.auth]
access_denied_description = ""
access_denied_title = ""
[msg.dev.audit] [msg.dev.audit]
empty = "" empty = ""
forbidden = "" forbidden = ""
@@ -921,6 +925,7 @@ add = ""
admin_only = "" admin_only = ""
assign = "" assign = ""
back = "" back = ""
back_to_login = ""
cancel = "" cancel = ""
close = "" close = ""
collapse = "" collapse = ""
@@ -1020,6 +1025,31 @@ menu_aria = ""
menu_title = "" menu_title = ""
unknown_email = "" unknown_email = ""
unknown_name = "" unknown_name = ""
title = ""
subtitle = ""
loading = ""
error = ""
[ui.dev.profile.tab]
basic = ""
role = ""
[ui.dev.profile.basic]
title = ""
id = ""
name = ""
email = ""
phone = ""
[ui.dev.profile.org]
title = ""
tenant = ""
company_code = ""
[ui.dev.profile.role]
title = ""
description = ""
current = ""
[ui.dev.clients] [ui.dev.clients]
new = "" new = ""