adminfront 및 백엔드: 글로벌 사이드바 11개 전 메뉴별 ReBAC 기반 접근 제어(Admin Control) 스키마, REST API, UI 설정 패널 전격 구현 완료

backend/internal/handler/tenant_handler_relations_test.go

@@ -167,3 +167,103 @@ func TestTenantHandler_Relations(t *testing.T) {
 		assert.Equal(t, "User:"+userID, outboxEntries[0].Subject)
 	})
 }
+
+func TestTenantHandler_SystemRelations(t *testing.T) {
+	if !testsupport.DockerAvailable() {
+		t.Skip("Docker provider is unavailable in this environment")
+	}
+
+	db := newTenantHandlerSeedDeleteDB(t)
+	if err := db.AutoMigrate(&domain.KetoOutbox{}); err != nil {
+		t.Fatalf("failed to migrate outbox: %v", err)
+	}
+
+	mockSvc := new(MockTenantService)
+	mockKeto := new(devMockKetoService)
+	realOutbox := repository.NewKetoOutboxRepository(db)
+
+	h := &TenantHandler{
+		DB:         db,
+		Service:    mockSvc,
+		Keto:       mockKeto,
+		KetoOutbox: realOutbox,
+	}
+
+	userID := "user-system-1"
+
+	t.Run("ListSystemRelations - Returns correct system relations", func(t *testing.T) {
+		app := fiber.New()
+		app.Get("/system/relations", h.ListSystemRelations)
+
+		mockKeto.On("ListRelations", mock.Anything, "System", "system", "", "").Return([]service.RelationTuple{
+			{
+				Namespace: "System",
+				Object:    "system",
+				Relation:  "ory_ssot_viewers",
+				SubjectID: "User:" + userID,
+			},
+			{
+				Namespace: "System",
+				Object:    "system",
+				Relation:  "audit_logs_viewers",
+				SubjectID: "User:" + userID,
+			},
+		}, nil).Once()
+
+		req := httptest.NewRequest("GET", "/system/relations", nil)
+		resp, err := app.Test(req)
+		if err != nil {
+			t.Fatalf("request failed: %v", err)
+		}
+
+		assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+		var got struct {
+			Items []struct {
+				UserID    string   `json:"userId"`
+				Relations []string `json:"relations"`
+			} `json:"items"`
+		}
+		err = json.NewDecoder(resp.Body).Decode(&got)
+		if err != nil {
+			t.Fatalf("failed to decode response: %v", err)
+		}
+
+		assert.Len(t, got.Items, 1)
+		assert.Equal(t, userID, got.Items[0].UserID)
+		assert.Contains(t, got.Items[0].Relations, "ory_ssot_viewers")
+		assert.Contains(t, got.Items[0].Relations, "audit_logs_viewers")
+		mockKeto.AssertExpectations(t)
+	})
+
+	t.Run("AddSystemRelation - Inserts into KetoOutbox DB table with System namespace", func(t *testing.T) {
+		app := fiber.New()
+		app.Post("/system/relations", h.AddSystemRelation)
+
+		mockKeto.On("ListRelations", mock.Anything, "System", "system", "ory_ssot_viewers", "User:"+userID).Return([]service.RelationTuple{}, nil).Once()
+
+		body, _ := json.Marshal(map[string]string{
+			"userId":   userID,
+			"relation": "ory_ssot_viewers",
+		})
+		req := httptest.NewRequest("POST", "/system/relations", bytes.NewReader(body))
+		req.Header.Set("Content-Type", "application/json")
+
+		resp, err := app.Test(req)
+		if err != nil {
+			t.Fatalf("request failed: %v", err)
+		}
+
+		assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+		var outboxEntries []domain.KetoOutbox
+		if err := db.Where("object = ? AND relation = ? AND action = ?", "system", "ory_ssot_viewers", domain.KetoOutboxActionCreate).Find(&outboxEntries).Error; err != nil {
+			t.Fatalf("failed to query outbox: %v", err)
+		}
+
+		assert.Len(t, outboxEntries, 1)
+		assert.Equal(t, "System", outboxEntries[0].Namespace)
+		assert.Equal(t, "User:"+userID, outboxEntries[0].Subject)
+		mockKeto.AssertExpectations(t)
+	})
+}