3단계 권한 모델 확장, keto 권한 정책

2026-02-03 14:21:37 +09:00
parent 6dbdd5d483
commit d09abab5a2
24 changed files with 1071 additions and 141 deletions
--- a/backend/cmd/server/main.go
+++ b/backend/cmd/server/main.go
@@ -200,6 +200,8 @@ func main() {
 		slog.Warn("Failed to connect to Redis. Auth features may fail.", "error", err)
 	}

+	ketoService := service.NewKetoService()
+
 	// Oathkeeper 상태를 주기적으로 확인해 다운을 감지합니다.
 	var oathkeeperProbe *HTTPProbe
 	if strings.ToLower(getEnv("OATHKEEPER_HEALTH_ENABLED", "true")) != "false" {
@@ -225,16 +227,17 @@ func main() {
 	// 2. Initialize Handlers
 	tenantRepo := repository.NewTenantRepository(db)
 	tenantService := service.NewTenantService(tenantRepo)
+	tenantService.SetKetoService(ketoService) // Keto 주입
 	userRepo := repository.NewUserRepository(db)

 	auditHandler := handler.NewAuditHandler(auditRepo)
-	authHandler := handler.NewAuthHandler(redisService, idpProvider, auditRepo, tenantService, userRepo)
+	authHandler := handler.NewAuthHandler(redisService, idpProvider, auditRepo, tenantService, ketoService, userRepo)
 	adminHandler := handler.NewAdminHandler()
 	devHandler := handler.NewDevHandler(redisService)
 	tenantHandler := handler.NewTenantHandler(db, tenantService)
 	kratosAdminService := service.NewKratosAdminService()
 	oryAdminProvider := service.NewOryProvider()
-	userHandler := handler.NewUserHandler(kratosAdminService, oryAdminProvider, tenantService, userRepo)
+	userHandler := handler.NewUserHandler(kratosAdminService, oryAdminProvider, tenantService, ketoService, userRepo)
 	apiKeyHandler := handler.NewApiKeyHandler(db)

 	// 3. Initialize Fiber
@@ -452,6 +455,9 @@ func main() {
 	api.Get("/audit", auditHandler.ListLogs)
 	api.Get("/audit/auth/timeline", authHandler.GetAuthTimeline)

+	// Public Tenant Registration
+	api.Post("/tenants/registration", tenantHandler.RegisterTenantPublic)
+
 	// Auth Proxy Routes
 	auth := api.Group("/auth")
 	auth.Post("/enchanted-link/init", authHandler.InitEnchantedLink)
@@ -463,6 +469,15 @@ func main() {
 	auth.Get("/consent", authHandler.GetConsentRequest)
 	auth.Post("/consent/accept", authHandler.AcceptConsentRequest)

+	auth.Post("/enchanted-link/init", authHandler.InitEnchantedLink)
+	auth.Post("/enchanted-link/poll", authHandler.PollEnchantedLink)
+	auth.Post("/magic-link/verify", authHandler.VerifyMagicLink)
+	auth.Post("/login/code/verify", authHandler.VerifyLoginCode)
+	auth.Post("/login/code/verify-short", authHandler.VerifyLoginShortCode)
+	auth.Post("/password/login", authHandler.PasswordLogin)
+	auth.Get("/consent", authHandler.GetConsentRequest)
+	auth.Post("/consent/accept", authHandler.AcceptConsentRequest)
+
 	auth.Post("/password/reset/initiate", authHandler.InitiatePasswordReset)
 	// [Changed] Use Interstitial Page for GET to prevent Scanner consumption
 	auth.Get("/password/reset/verify", authHandler.VerifyPasswordResetPage)
@@ -496,25 +511,41 @@ func main() {
 	// Admin Routes
 	admin := api.Group("/admin")
 	admin.Use(middleware.ApiKeyAuth(middleware.ApiKeyAuthConfig{DB: db})) // API Key 인증 추가
-	admin.Get("/check", adminHandler.CheckAuth)
-	admin.Get("/stats", adminHandler.GetSystemStats)
-	admin.Get("/tenants", tenantHandler.ListTenants)
-	admin.Post("/tenants", tenantHandler.CreateTenant)
-	admin.Get("/tenants/:id", tenantHandler.GetTenant)
-	admin.Put("/tenants/:id", tenantHandler.UpdateTenant)
-	admin.Delete("/tenants/:id", tenantHandler.DeleteTenant)
+
+	// RBAC Middleware Instances
+	requireSuperAdmin := middleware.RequireRole(middleware.RBACConfig{
+		AllowedRoles: []string{domain.RoleSuperAdmin},
+		AuthHandler:  authHandler,
+		KetoService:  ketoService,
+	})
+	requireAdmin := middleware.RequireRole(middleware.RBACConfig{
+		AllowedRoles: []string{domain.RoleSuperAdmin, domain.RoleTenantAdmin},
+		AuthHandler:  authHandler,
+		KetoService:  ketoService,
+	})
+
+	admin.Get("/check", adminHandler.CheckAuth) // 기본 Admin 체크는 requireAdmin 없이 ApiKeyAuth로만 보호될 수 있음 (또는 추가 가능)
+	admin.Get("/stats", requireSuperAdmin, adminHandler.GetSystemStats)
+
+	// Tenant Management (Super Admin Only)
+	admin.Get("/tenants", requireSuperAdmin, tenantHandler.ListTenants)
+	admin.Post("/tenants", requireSuperAdmin, tenantHandler.CreateTenant)
+	admin.Post("/tenants/:id/approve", requireSuperAdmin, tenantHandler.ApproveTenant)
+	admin.Get("/tenants/:id", requireAdmin, middleware.RequireKetoPermission(middleware.RBACConfig{AuthHandler: authHandler, KetoService: ketoService}, "Tenant", "view"), tenantHandler.GetTenant)
+	admin.Put("/tenants/:id", requireSuperAdmin, tenantHandler.UpdateTenant)
+	admin.Delete("/tenants/:id", requireSuperAdmin, tenantHandler.DeleteTenant)

 	// Admin User Management
-	admin.Get("/users", userHandler.ListUsers)
-	admin.Post("/users", userHandler.CreateUser)
-	admin.Get("/users/:id", userHandler.GetUser)
-	admin.Put("/users/:id", userHandler.UpdateUser)
-	admin.Delete("/users/:id", userHandler.DeleteUser)
+	admin.Get("/users", requireAdmin, userHandler.ListUsers) // TODO: TenantAdmin인 경우 해당 테넌트 사용자만 보이도록 Handler 수정 필요
+	admin.Post("/users", requireAdmin, userHandler.CreateUser)
+	admin.Get("/users/:id", requireAdmin, userHandler.GetUser)
+	admin.Put("/users/:id", requireAdmin, userHandler.UpdateUser)
+	admin.Delete("/users/:id", requireAdmin, userHandler.DeleteUser)

-	// API Key Management (M2M)
-	admin.Get("/api-keys", apiKeyHandler.ListApiKeys)
-	admin.Post("/api-keys", apiKeyHandler.CreateApiKey)
-	admin.Delete("/api-keys/:id", apiKeyHandler.DeleteApiKey)
+	// API Key Management (M2M) - Super Admin Only
+	admin.Get("/api-keys", requireSuperAdmin, apiKeyHandler.ListApiKeys)
+	admin.Post("/api-keys", requireSuperAdmin, apiKeyHandler.CreateApiKey)
+	admin.Delete("/api-keys/:id", requireSuperAdmin, apiKeyHandler.DeleteApiKey)

 	// 개발자 포털 라우트 (RP/Consent 관리 및 IdP 설정)
 	dev := api.Group("/dev")