offline 스코프 제거, rp_claims 값 표준화

2026-06-11 14:50:26 +09:00
parent f60b15a17b
commit c495e9119b
26 changed files with 1034 additions and 300 deletions
--- a/backend/internal/handler/rp_claims_e2e_test.go
+++ b/backend/internal/handler/rp_claims_e2e_test.go
@@ -95,8 +95,8 @@ func TestRPClaimsE2E_UpdatedClaimsAreScopedToCurrentRP(t *testing.T) {
 			rpClaimsE2EClaim("score", "number", "1", "user_and_admin", "user_and_admin"),
 			rpClaimsE2EClaim("featureList", "array", `["default"]`, "user_and_admin", "user_and_admin"),
 			rpClaimsE2EClaim("preferences", "object", `{"theme":"light","density":"comfortable"}`, "user_and_admin", "user_and_admin"),
-			rpClaimsE2EClaim("contractDate", "date", "2026-06-09", "user_and_admin", "user_and_admin"),
-			rpClaimsE2EClaim("approvedAt", "datetime", "2026-06-09T09:30", "user_and_admin", "user_and_admin"),
+			rpClaimsE2EClaim("contractDate", "date", float64(1780930800), "user_and_admin", "user_and_admin"),
+			rpClaimsE2EClaim("approvedAt", "datetime", float64(1780965000), "user_and_admin", "user_and_admin"),
 			rpClaimsE2EClaim("adminManagedNote", "text", "admin-default", "user_and_admin", "admin_only"),
 		}),
 		clientB: rpClaimsE2EClient(clientB, []map[string]any{
@@ -188,13 +188,14 @@ func TestRPClaimsE2E_UpdatedClaimsAreScopedToCurrentRP(t *testing.T) {
 	app.Post("/api/v1/auth/consent/accept", authHandler.AcceptConsentRequest)

 	initialA := acceptRPClaimsE2EConsent(t, app, capturedClaims, "challenge-client-a-default")
-	assert.Equal(t, "A", initialA["approvalLevel"])
-	assert.Equal(t, true, initialA["activeMember"])
-	assert.Equal(t, float64(1), initialA["score"])
-	assert.Equal(t, []any{"default"}, initialA["featureList"])
-	assert.Equal(t, map[string]any{"theme": "light", "density": "comfortable"}, initialA["preferences"])
-	assert.Equal(t, "2026-06-09", initialA["contractDate"])
-	assert.Equal(t, "2026-06-09T09:30", initialA["approvedAt"])
+	assert.Equal(t, "A", rpClaimValue(t, initialA, "approvalLevel"))
+	assert.Equal(t, "user_and_admin", rpClaimPermission(t, initialA, "approvalLevel", "readPermission"))
+	assert.Equal(t, true, rpClaimValue(t, initialA, "activeMember"))
+	assert.Equal(t, float64(1), rpClaimValue(t, initialA, "score"))
+	assert.Equal(t, []any{"default"}, rpClaimValue(t, initialA, "featureList"))
+	assert.Equal(t, map[string]any{"theme": "light", "density": "comfortable"}, rpClaimValue(t, initialA, "preferences"))
+	assert.Equal(t, float64(1780930800), rpClaimValue(t, initialA, "contractDate"))
+	assert.Equal(t, float64(1780965000), rpClaimValue(t, initialA, "approvedAt"))

 	upsertRPClaimsE2EMetadata(t, app, clientA, userID, map[string]any{
 		"approvalLevel":    "B",
@@ -202,8 +203,8 @@ func TestRPClaimsE2E_UpdatedClaimsAreScopedToCurrentRP(t *testing.T) {
 		"score":            42,
 		"featureList":      []string{"sso", "claims"},
 		"preferences":      map[string]any{"theme": "dark", "density": "compact"},
-		"contractDate":     "2026-06-10",
-		"approvedAt":       "2026-06-09T10:30",
+		"contractDate":     float64(1781017200),
+		"approvedAt":       float64(1780968600),
 		"adminManagedNote": "admin-updated",
 		"approvalLevel_permissions": map[string]any{
 			"writePermission": "user_and_admin",
@@ -211,14 +212,14 @@ func TestRPClaimsE2E_UpdatedClaimsAreScopedToCurrentRP(t *testing.T) {
 	})

 	updatedA := acceptRPClaimsE2EConsent(t, app, capturedClaims, "challenge-client-a-admin-update")
-	assert.Equal(t, "B", updatedA["approvalLevel"])
-	assert.Equal(t, false, updatedA["activeMember"])
-	assert.Equal(t, float64(42), updatedA["score"])
-	assert.Equal(t, []any{"sso", "claims"}, updatedA["featureList"])
-	assert.Equal(t, map[string]any{"theme": "dark", "density": "compact"}, updatedA["preferences"])
-	assert.Equal(t, "2026-06-10", updatedA["contractDate"])
-	assert.Equal(t, "2026-06-09T10:30", updatedA["approvedAt"])
-	assert.Equal(t, "admin-updated", updatedA["adminManagedNote"])
+	assert.Equal(t, "B", rpClaimValue(t, updatedA, "approvalLevel"))
+	assert.Equal(t, false, rpClaimValue(t, updatedA, "activeMember"))
+	assert.Equal(t, float64(42), rpClaimValue(t, updatedA, "score"))
+	assert.Equal(t, []any{"sso", "claims"}, rpClaimValue(t, updatedA, "featureList"))
+	assert.Equal(t, map[string]any{"theme": "dark", "density": "compact"}, rpClaimValue(t, updatedA, "preferences"))
+	assert.Equal(t, float64(1781017200), rpClaimValue(t, updatedA, "contractDate"))
+	assert.Equal(t, float64(1780968600), rpClaimValue(t, updatedA, "approvedAt"))
+	assert.Equal(t, "admin-updated", rpClaimValue(t, updatedA, "adminManagedNote"))
 	assert.NotContains(t, updatedA, "approvalLevel_permissions")
 	assert.NotContains(t, updatedA, "adminManagedNote_permissions")

@@ -237,12 +238,12 @@ func TestRPClaimsE2E_UpdatedClaimsAreScopedToCurrentRP(t *testing.T) {
 	assert.Equal(t, http.StatusOK, allowedSelfUpdate.StatusCode)

 	selfUpdatedA := acceptRPClaimsE2EConsent(t, app, capturedClaims, "challenge-client-a-self-update")
-	assert.Equal(t, "C", selfUpdatedA["approvalLevel"])
-	assert.Equal(t, "admin-updated", selfUpdatedA["adminManagedNote"])
+	assert.Equal(t, "C", rpClaimValue(t, selfUpdatedA, "approvalLevel"))
+	assert.Equal(t, "admin-updated", rpClaimValue(t, selfUpdatedA, "adminManagedNote"))

 	defaultB := acceptRPClaimsE2EConsent(t, app, capturedClaims, "challenge-client-b-default")
-	assert.Equal(t, "B-default", defaultB["approvalLevel"])
-	assert.Equal(t, false, defaultB["activeMember"])
+	assert.Equal(t, "B-default", rpClaimValue(t, defaultB, "approvalLevel"))
+	assert.Equal(t, false, rpClaimValue(t, defaultB, "activeMember"))
 	assert.NotContains(t, defaultB, "score")
 	assert.NotContains(t, defaultB, "featureList")
 	assert.NotContains(t, defaultB, "adminManagedNote")
@@ -252,9 +253,9 @@ func TestRPClaimsE2E_UpdatedClaimsAreScopedToCurrentRP(t *testing.T) {
 		"activeMember":  true,
 	})
 	updatedB := acceptRPClaimsE2EConsent(t, app, capturedClaims, "challenge-client-b-update")
-	assert.Equal(t, "B-rp-only", updatedB["approvalLevel"])
-	assert.Equal(t, true, updatedB["activeMember"])
-	assert.NotEqual(t, selfUpdatedA["approvalLevel"], updatedB["approvalLevel"])
+	assert.Equal(t, "B-rp-only", rpClaimValue(t, updatedB, "approvalLevel"))
+	assert.Equal(t, true, rpClaimValue(t, updatedB, "activeMember"))
+	assert.NotEqual(t, rpClaimValue(t, selfUpdatedA, "approvalLevel"), rpClaimValue(t, updatedB, "approvalLevel"))
 	assert.NotContains(t, updatedB, "score")
 	assert.NotContains(t, updatedB, "featureList")

@@ -276,7 +277,7 @@ func rpClaimsE2EClient(clientID string, claims []map[string]any) map[string]any
 	}
 }

-func rpClaimsE2EClaim(key, valueType, value, readPermission, writePermission string) map[string]any {
+func rpClaimsE2EClaim(key string, valueType string, value any, readPermission string, writePermission string) map[string]any {
 	return map[string]any{
 		"namespace":       "rp_claims",
 		"key":             key,
@@ -307,6 +308,24 @@ func acceptRPClaimsE2EConsent(t *testing.T, app *fiber.App, capturedClaims map[s
 	return rpClaims
 }

+func rpClaimValue(t *testing.T, claims map[string]any, key string) any {
+	t.Helper()
+
+	payload, ok := claims[key].(map[string]any)
+	require.Truef(t, ok, "rp_claims.%s must be an object payload", key)
+	return payload["value"]
+}
+
+func rpClaimPermission(t *testing.T, claims map[string]any, key string, permissionKey string) string {
+	t.Helper()
+
+	payload, ok := claims[key].(map[string]any)
+	require.Truef(t, ok, "rp_claims.%s must be an object payload", key)
+	value, ok := payload[permissionKey].(string)
+	require.Truef(t, ok, "rp_claims.%s.%s must be a string", key, permissionKey)
+	return value
+}
+
 func upsertRPClaimsE2EMetadata(t *testing.T, app *fiber.App, clientID, userID string, metadata map[string]any) {
 	t.Helper()