adminfront 및 백엔드: 글로벌 사이드바 11개 전 메뉴별 ReBAC 기반 접근 제어(Admin Control) 스키마, REST API, UI 설정 패널 전격 구현 완료

2026-06-10 16:55:34 +09:00
parent 5b4efae001
commit b4f80a36b0
12 changed files with 976 additions and 113 deletions
--- a/backend/internal/handler/tenant_handler.go
+++ b/backend/internal/handler/tenant_handler.go
@@ -3371,3 +3371,154 @@ func (h *TenantHandler) RemoveRelation(c *fiber.Ctx) error {

 	return c.SendStatus(fiber.StatusOK)
 }
+
+func (h *TenantHandler) ListSystemRelations(c *fiber.Ctx) error {
+	relations, err := h.Keto.ListRelations(c.Context(), "System", "system", "", "")
+	if err != nil {
+		return errorJSON(c, fiber.StatusInternalServerError, err.Error())
+	}
+
+	allowedRelations := map[string]bool{
+		"overview_viewers":           true,
+		"tenants_viewers":            true,
+		"org_chart_viewers":          true,
+		"worksmobile_viewers":        true,
+		"ory_ssot_viewers":           true,
+		"data_integrity_viewers":     true,
+		"users_viewers":              true,
+		"permissions_direct_viewers": true,
+		"auth_guard_viewers":         true,
+		"api_keys_viewers":           true,
+		"audit_logs_viewers":         true,
+	}
+
+	type userRelationInfo struct {
+		UserID    string   `json:"userId"`
+		Name      string   `json:"name"`
+		Email     string   `json:"email"`
+		Relations []string `json:"relations"`
+	}
+
+	userMap := make(map[string][]string)
+	for _, rel := range relations {
+		if !allowedRelations[rel.Relation] {
+			continue
+		}
+		if !strings.HasPrefix(rel.SubjectID, "User:") {
+			continue
+		}
+		userID := strings.TrimPrefix(rel.SubjectID, "User:")
+		userMap[userID] = append(userMap[userID], rel.Relation)
+	}
+
+	items := []userRelationInfo{}
+	for userID, rels := range userMap {
+		name := "Unknown"
+		email := "Unknown"
+
+		if h.KratosAdmin != nil {
+			identity, err := h.KratosAdmin.GetIdentity(c.Context(), userID)
+			if err == nil && identity != nil {
+				if n, ok := identity.Traits["name"].(string); ok {
+					name = n
+				}
+				if e, ok := identity.Traits["email"].(string); ok {
+					email = e
+				}
+			}
+		}
+
+		if name == "Unknown" && email == "Unknown" && h.UserRepo != nil {
+			user, err := h.UserRepo.FindByID(c.Context(), userID)
+			if err == nil && user != nil {
+				name = user.Name
+				email = user.Email
+			} else if userID == "00000000-0000-0000-0000-000000000000" {
+				name = "Dev Mock User"
+				email = "mock@hmac.kr"
+			}
+		}
+
+		items = append(items, userRelationInfo{
+			UserID:    userID,
+			Name:      name,
+			Email:     email,
+			Relations: rels,
+		})
+	}
+
+	return c.JSON(fiber.Map{
+		"items": items,
+	})
+}
+
+func (h *TenantHandler) AddSystemRelation(c *fiber.Ctx) error {
+	var req tenantRelationRequest
+	if err := c.BodyParser(&req); err != nil {
+		return errorJSON(c, fiber.StatusBadRequest, "invalid request body")
+	}
+
+	if req.UserID == "" || req.Relation == "" {
+		return errorJSON(c, fiber.StatusBadRequest, "userId and relation are required")
+	}
+
+	allowedRelations := map[string]bool{
+		"overview_viewers":           true,
+		"tenants_viewers":            true,
+		"org_chart_viewers":          true,
+		"worksmobile_viewers":        true,
+		"ory_ssot_viewers":           true,
+		"data_integrity_viewers":     true,
+		"users_viewers":              true,
+		"permissions_direct_viewers": true,
+		"auth_guard_viewers":         true,
+		"api_keys_viewers":           true,
+		"audit_logs_viewers":         true,
+	}
+
+	if !allowedRelations[req.Relation] {
+		return errorJSON(c, fiber.StatusBadRequest, "invalid or unsupported relation")
+	}
+
+	if h.Keto != nil {
+		relations, err := h.Keto.ListRelations(c.Context(), "System", "system", req.Relation, "User:"+req.UserID)
+		if err == nil && len(relations) > 0 {
+			return errorJSON(c, fiber.StatusConflict, "이미 해당 세부 권한이 등록된 사용자입니다.")
+		}
+	}
+
+	if h.KetoOutbox != nil {
+		_ = h.KetoOutbox.Create(c.Context(), &domain.KetoOutbox{
+			Namespace: "System",
+			Object:    "system",
+			Relation:  req.Relation,
+			Subject:   "User:" + req.UserID,
+			Action:    domain.KetoOutboxActionCreate,
+		})
+	}
+
+	return c.SendStatus(fiber.StatusOK)
+}
+
+func (h *TenantHandler) RemoveSystemRelation(c *fiber.Ctx) error {
+	var req tenantRelationRequest
+	if err := c.BodyParser(&req); err != nil {
+		return errorJSON(c, fiber.StatusBadRequest, "invalid request body")
+	}
+
+	if req.UserID == "" || req.Relation == "" {
+		return errorJSON(c, fiber.StatusBadRequest, "userId and relation are required")
+	}
+
+	if h.KetoOutbox != nil {
+		_ = h.KetoOutbox.Create(c.Context(), &domain.KetoOutbox{
+			Namespace: "System",
+			Object:    "system",
+			Relation:  req.Relation,
+			Subject:   "User:" + req.UserID,
+			Action:    domain.KetoOutboxActionDelete,
+		})
+	}
+
+	return c.SendStatus(fiber.StatusOK)
+}