kevin/baron-sso
1
0
Fork 0
forked from baron/baron-sso
Code Pull Requests Activity

Merge commit 'a4e5ee78d1b7220ad55467376b8a675d202e4de3'

Browse Source
This commit is contained in:
조찬영
2026-02-05 17:09:35 +09:00
parent 8831208c08 a4e5ee78d1
commit d3d9f7bea6
5 changed files with 823 additions and 242 deletions
Download Patch File Download Diff File Expand all files Collapse all files

287
backend/internal/handler/auth_handler_login_test.go Normal file
View File

@@ -0,0 +1,287 @@
/*
이 테스트 파일은 AuthHandler의 PasswordLogin 메서드 내 OIDC/Hydra 관련 로직을 검증합니다.
특히 Hydra Login Request 조회, 검증(Inactive 체크), 승인(Accept) 흐름을 중점적으로 테스트합니다.
*/
package handler
import (
"baron-sso-backend/internal/domain"
"baron-sso-backend/internal/service"
"bytes"
"context"
"encoding/json"
"errors"
"io"
"net/http"
"net/http/httptest"
"strings"
"testing"
"github.com/gofiber/fiber/v2"
"github.com/stretchr/testify/mock"
)
// --- Mocks ---
type MockIdentityProvider struct {
mock.Mock
}
func (m *MockIdentityProvider) Name() string {
return "mock-idp"
}
func (m *MockIdentityProvider) GetMetadata() (*domain.IDPMetadata, error) {
return nil, nil
}
func (m *MockIdentityProvider) CreateUser(user *domain.BrokerUser, password string) (string, error) {
return "", nil
}
func (m *MockIdentityProvider) SignIn(loginID, password string) (*domain.AuthInfo, error) {
args := m.Called(loginID, password)
if args.Get(0) == nil {
return nil, args.Error(1)
}
return args.Get(0).(*domain.AuthInfo), args.Error(1)
}
func (m *MockIdentityProvider) UserExists(loginID string) (bool, error) {
return true, nil
}
func (m *MockIdentityProvider) IssueSession(loginID string) (*domain.AuthInfo, error) {
return nil, nil
}
func (m *MockIdentityProvider) InitiateLinkLogin(loginID, returnTo string) (*domain.LinkLoginInit, error) {
return nil, nil
}
func (m *MockIdentityProvider) VerifyLoginCode(loginID, flowID, code string) (*domain.AuthInfo, error) {
return nil, nil
}
func (m *MockIdentityProvider) GetPasswordPolicy() (*domain.PasswordPolicy, error) {
return nil, nil
}
func (m *MockIdentityProvider) InitiatePasswordReset(loginID, redirectUrl string) error {
return nil
}
func (m *MockIdentityProvider) VerifyPasswordResetToken(token string) (*domain.AuthInfo, error) {
return nil, nil
}
func (m *MockIdentityProvider) UpdateUserPassword(loginID, newPassword string, r *http.Request) error {
return nil
}
type MockKratosAdminService struct {
// Simple mock for FindIdentityIDByIdentifier
}
func (m *MockKratosAdminService) FindIdentityIDByIdentifier(ctx context.Context, identifier string) (string, error) {
// Always return a static ID for simplicity in this test
if identifier == "fail" {
return "", errors.New("not found")
}
return "kratos-identity-id", nil
}
// --- Helper ---
func newAuthLoginTestApp(h *AuthHandler) *fiber.App {
app := fiber.New()
app.Post("/api/v1/auth/login", h.PasswordLogin)
return app
}
// mockHydraTransport simulates Hydra API responses
func mockHydraTransport(handler http.Handler) http.RoundTripper {
return roundTripFunc(func(req *http.Request) (*http.Response, error) {
w := httptest.NewRecorder()
handler.ServeHTTP(w, req)
return w.Result(), nil
})
}
// --- Tests ---
func TestPasswordLogin_OIDC_Success(t *testing.T) {
mockIdp := new(MockIdentityProvider)
// Mock IDP SignIn Success
mockIdp.On("SignIn", "user@example.com", "password").Return(&domain.AuthInfo{
SessionToken: &domain.Token{JWT: "valid-jwt"},
Subject: "kratos-identity-id",
}, nil)
// Mock Hydra Responses
hydraHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
switch {
case strings.Contains(r.URL.Path, "/oauth2/auth/requests/login") && r.Method == http.MethodGet:
// GetLoginRequest
challenge := r.URL.Query().Get("login_challenge")
if challenge != "challenge-123" {
http.Error(w, "invalid challenge", http.StatusBadRequest)
return
}
json.NewEncoder(w).Encode(domain.HydraLoginRequest{
Challenge: challenge,
Client: domain.HydraClient{ClientID: "client-1", Metadata: map[string]interface{}{"status": "active"}},
})
case strings.Contains(r.URL.Path, "/oauth2/auth/requests/login/accept") && r.Method == http.MethodPut:
// AcceptLoginRequest
json.NewEncoder(w).Encode(map[string]string{"redirect_to": "http://rp/cb"})
default:
http.NotFound(w, r)
}
})
h := &AuthHandler{
IdpProvider: mockIdp,
KratosAdmin: service.NewKratosAdminService(), // We need to mock this better if resolveKratosIdentityIDFromLoginID calls real API
Hydra: &service.HydraAdminService{
AdminURL: "http://hydra.test",
HTTPClient: &http.Client{Transport: mockHydraTransport(hydraHandler)},
},
}
// Inject Mock Kratos (Hack: overwrite the service field if it was an interface, but it's a struct pointer)
// AuthHandler uses *service.KratosAdminService struct pointer.
// KratosAdminService methods are real. We need to mock HTTP client inside KratosAdminService too.
kratosHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Mock FindIdentityIDByIdentifier response
if strings.Contains(r.URL.Path, "/identities") {
json.NewEncoder(w).Encode([]map[string]interface{}{
{"id": "kratos-identity-id"},
})
return
}
http.NotFound(w, r)
})
h.KratosAdmin.HTTPClient = &http.Client{Transport: mockHydraTransport(kratosHandler)}
h.KratosAdmin.AdminURL = "http://kratos.test"
app := newAuthLoginTestApp(h)
body, _ := json.Marshal(map[string]string{
"loginId": "user@example.com",
"password": "password",
"login_challenge": "challenge-123",
})
req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/login", bytes.NewReader(body))
req.Header.Set("Content-Type", "application/json")
resp, err := app.Test(req)
if err != nil {
t.Fatalf("request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
bodyBytes, _ := io.ReadAll(resp.Body)
t.Fatalf("expected 200, got %d, body: %s", resp.StatusCode, string(bodyBytes))
}
var got map[string]string
json.NewDecoder(resp.Body).Decode(&got)
if got["redirectTo"] != "http://rp/cb" {
t.Errorf("expected redirectTo http://rp/cb, got %s", got["redirectTo"])
}
}
func TestPasswordLogin_OIDC_InactiveClient(t *testing.T) {
mockIdp := new(MockIdentityProvider)
mockIdp.On("SignIn", "user@example.com", "password").Return(&domain.AuthInfo{
SessionToken: &domain.Token{JWT: "valid-jwt"},
Subject: "kratos-identity-id",
}, nil)
hydraHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if strings.Contains(r.URL.Path, "/oauth2/auth/requests/login") && r.Method == http.MethodGet {
json.NewEncoder(w).Encode(domain.HydraLoginRequest{
Client: domain.HydraClient{ClientID: "client-inactive", Metadata: map[string]interface{}{"status": "inactive"}},
})
return
}
http.NotFound(w, r)
})
h := &AuthHandler{
IdpProvider: mockIdp,
KratosAdmin: service.NewKratosAdminService(),
Hydra: &service.HydraAdminService{
AdminURL: "http://hydra.test",
HTTPClient: &http.Client{Transport: mockHydraTransport(hydraHandler)},
},
}
kratosHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
json.NewEncoder(w).Encode([]map[string]interface{}{{"id": "kratos-identity-id"}})
})
h.KratosAdmin.HTTPClient = &http.Client{Transport: mockHydraTransport(kratosHandler)}
h.KratosAdmin.AdminURL = "http://kratos.test"
app := newAuthLoginTestApp(h)
body, _ := json.Marshal(map[string]string{
"loginId": "user@example.com",
"password": "password",
"login_challenge": "challenge-inactive",
})
req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/login", bytes.NewReader(body))
req.Header.Set("Content-Type", "application/json")
resp, err := app.Test(req)
if err != nil {
t.Fatalf("request failed: %v", err)
}
defer resp.Body.Close()
// Should be Forbidden (403)
if resp.StatusCode != http.StatusForbidden {
t.Errorf("expected 403 Forbidden, got %d", resp.StatusCode)
}
}
func TestPasswordLogin_NoOIDC_Success(t *testing.T) {
mockIdp := new(MockIdentityProvider)
mockIdp.On("SignIn", "user@example.com", "password").Return(&domain.AuthInfo{
SessionToken: &domain.Token{JWT: "valid-jwt"},
Subject: "kratos-identity-id",
}, nil)
h := &AuthHandler{
IdpProvider: mockIdp,
KratosAdmin: service.NewKratosAdminService(),
Hydra: service.NewHydraAdminService(),
}
kratosHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
json.NewEncoder(w).Encode([]map[string]interface{}{{"id": "kratos-identity-id"}})
})
h.KratosAdmin.HTTPClient = &http.Client{Transport: mockHydraTransport(kratosHandler)}
h.KratosAdmin.AdminURL = "http://kratos.test"
app := newAuthLoginTestApp(h)
body, _ := json.Marshal(map[string]string{
"loginId": "user@example.com",
"password": "password",
})
req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/login", bytes.NewReader(body))
req.Header.Set("Content-Type", "application/json")
resp, err := app.Test(req)
if err != nil {
t.Fatalf("request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Errorf("expected 200, got %d", resp.StatusCode)
}
var got map[string]string
json.NewDecoder(resp.Body).Decode(&got)
if got["sessionJwt"] != "valid-jwt" {
t.Errorf("expected jwt valid-jwt, got %s", got["sessionJwt"])
}
// No redirectTo
if _, ok := got["redirectTo"]; ok {
t.Errorf("expected no redirectTo, got %s", got["redirectTo"])
}
}

6
backend/internal/service/hydra_admin_service_test.go
View File

@@ -284,11 +284,11 @@ func TestHydraAdminService_ErrorHandling(t *testing.T) {
defer server.Close()
s := &HydraAdminService{AdminURL: server.URL}
_, err := s.GetClient(context.Background(), "invalid")
assert.Error(t, err)
assert.Contains(t, err.Error(), "status=400")
err = s.DeleteClient(context.Background(), "invalid")
assert.Error(t, err)
@@ -306,7 +306,7 @@ func TestHydraAdminService_NotFound(t *testing.T) {
defer server.Close()
s := &HydraAdminService{AdminURL: server.URL}
_, err := s.GetClient(context.Background(), "none")
assert.Equal(t, ErrHydraNotFound, err)
}

295
backend/internal/service/relying_party_service_test.go Normal file
View File

@@ -0,0 +1,295 @@
/*
이 테스트 파일은 RelyingPartyService의 기능을 검증하기 위한 유닛 테스트입니다.
RelyingPartyService는 HydraAdminService, KetoService, RelyingPartyRepository와 협력하므로
각 의존성을 모킹(Mocking)하여 통합 로직을 검증합니다.
주요 테스트 항목:
1. Create: Hydra 클라이언트 생성 -> DB 저장 -> Keto 권한 설정 (성공 및 롤백 시나리오)
2. Get: DB 및 Hydra에서 정보 조회
3. Update: Hydra 및 DB 업데이트
4. Delete: DB 및 Hydra 삭제
*/
package service
import (
"baron-sso-backend/internal/domain"
"context"
"encoding/json"
"errors"
"net/http"
"strings"
"testing"
"github.com/stretchr/testify/mock"
)
// --- Mocks ---
type MockRelyingPartyRepository struct {
mock.Mock
}
func (m *MockRelyingPartyRepository) Create(ctx context.Context, rp *domain.RelyingParty) error {
args := m.Called(ctx, rp)
return args.Error(0)
}
func (m *MockRelyingPartyRepository) Update(ctx context.Context, rp *domain.RelyingParty) error {
args := m.Called(ctx, rp)
return args.Error(0)
}
func (m *MockRelyingPartyRepository) Delete(ctx context.Context, clientID string) error {
args := m.Called(ctx, clientID)
return args.Error(0)
}
func (m *MockRelyingPartyRepository) FindByID(ctx context.Context, clientID string) (*domain.RelyingParty, error) {
args := m.Called(ctx, clientID)
if rp, ok := args.Get(0).(*domain.RelyingParty); ok {
return rp, args.Error(1)
}
return nil, args.Error(1)
}
func (m *MockRelyingPartyRepository) ListByTenantID(ctx context.Context, tenantID string) ([]domain.RelyingParty, error) {
args := m.Called(ctx, tenantID)
return args.Get(0).([]domain.RelyingParty), args.Error(1)
}
func (m *MockRelyingPartyRepository) ListAll(ctx context.Context) ([]domain.RelyingParty, error) {
args := m.Called(ctx)
return args.Get(0).([]domain.RelyingParty), args.Error(1)
}
type MockKetoService struct {
mock.Mock
}
func (m *MockKetoService) CheckPermission(ctx context.Context, subject, namespace, object, relation string) (bool, error) {
args := m.Called(ctx, subject, namespace, object, relation)
return args.Bool(0), args.Error(1)
}
func (m *MockKetoService) CreateRelation(ctx context.Context, namespace, object, relation, subject string) error {
args := m.Called(ctx, namespace, object, relation, subject)
return args.Error(0)
}
func (m *MockKetoService) DeleteRelation(ctx context.Context, namespace, object, relation, subject string) error {
args := m.Called(ctx, namespace, object, relation, subject)
return args.Error(0)
}
// --- Tests ---
func TestRelyingPartyService_Create_Success(t *testing.T) {
// Setup
mockRepo := new(MockRelyingPartyRepository)
mockKeto := new(MockKetoService)
tenantID := "tenant-1"
inputClient := domain.HydraClient{
ClientName: "Test App",
}
// Hydra Mock
hydraHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.Method == http.MethodPost && strings.Contains(r.URL.Path, "/clients") {
var req domain.HydraClient
json.NewDecoder(r.Body).Decode(&req)
// Verify metadata injection
if req.Metadata["tenant_id"] != tenantID {
t.Errorf("expected tenant_id in metadata")
}
req.ClientID = "generated-client-id"
w.WriteHeader(http.StatusCreated)
json.NewEncoder(w).Encode(req)
return
}
http.NotFound(w, r)
})
hydraSvc := &HydraAdminService{
AdminURL: "http://hydra:4445",
HTTPClient: mockHydraClient(hydraHandler),
}
// Expectations
mockRepo.On("Create", mock.Anything, mock.MatchedBy(func(rp *domain.RelyingParty) bool {
return rp.ClientID == "generated-client-id" && rp.TenantID == tenantID
})).Return(nil)
mockKeto.On("CreateRelation", mock.Anything, "RelyingParty", "generated-client-id", "parent_tenant", "Tenant:"+tenantID).Return(nil)
// Execute
svc := NewRelyingPartyService(mockRepo, hydraSvc, mockKeto)
rp, err := svc.Create(context.Background(), tenantID, inputClient)
// Verify
if err != nil {
t.Fatalf("Create failed: %v", err)
}
if rp.ClientID != "generated-client-id" {
t.Errorf("expected client id generated-client-id, got %s", rp.ClientID)
}
mockRepo.AssertExpectations(t)
mockKeto.AssertExpectations(t)
}
func TestRelyingPartyService_Create_HydraFail(t *testing.T) {
mockRepo := new(MockRelyingPartyRepository)
mockKeto := new(MockKetoService)
hydraHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusInternalServerError)
})
hydraSvc := &HydraAdminService{
AdminURL: "http://hydra:4445",
HTTPClient: mockHydraClient(hydraHandler),
}
svc := NewRelyingPartyService(mockRepo, hydraSvc, mockKeto)
_, err := svc.Create(context.Background(), "tenant-1", domain.HydraClient{})
if err == nil {
t.Error("expected error from hydra")
}
}
func TestRelyingPartyService_Create_DBFail_Rollback(t *testing.T) {
mockRepo := new(MockRelyingPartyRepository)
mockKeto := new(MockKetoService)
clientID := "rollback-client-id"
// Hydra Mock: Create Succeeds, Delete Called
hydraHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.Method == http.MethodPost {
json.NewEncoder(w).Encode(domain.HydraClient{ClientID: clientID})
return
}
if r.Method == http.MethodDelete && strings.Contains(r.URL.Path, clientID) {
w.WriteHeader(http.StatusNoContent)
return
}
http.NotFound(w, r)
})
hydraSvc := &HydraAdminService{
AdminURL: "http://hydra:4445",
HTTPClient: mockHydraClient(hydraHandler),
}
// DB Fails
mockRepo.On("Create", mock.Anything, mock.Anything).Return(errors.New("db error"))
svc := NewRelyingPartyService(mockRepo, hydraSvc, mockKeto)
_, err := svc.Create(context.Background(), "tenant-1", domain.HydraClient{})
if err == nil {
t.Error("expected error from db")
}
mockRepo.AssertExpectations(t)
// Keto should NOT be called
mockKeto.AssertNotCalled(t, "CreateRelation")
}
func TestRelyingPartyService_Get_Success(t *testing.T) {
mockRepo := new(MockRelyingPartyRepository)
mockKeto := new(MockKetoService)
clientID := "client-123"
mockRepo.On("FindByID", mock.Anything, clientID).Return(&domain.RelyingParty{ClientID: clientID, Name: "DB Name"}, nil)
hydraHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
json.NewEncoder(w).Encode(domain.HydraClient{ClientID: clientID, ClientName: "Hydra Name"})
})
hydraSvc := &HydraAdminService{
AdminURL: "http://hydra:4445",
HTTPClient: mockHydraClient(hydraHandler),
}
svc := NewRelyingPartyService(mockRepo, hydraSvc, mockKeto)
rp, hc, err := svc.Get(context.Background(), clientID)
if err != nil {
t.Fatalf("Get failed: %v", err)
}
if rp.Name != "DB Name" {
t.Errorf("expected DB Name, got %s", rp.Name)
}
if hc.ClientName != "Hydra Name" {
t.Errorf("expected Hydra Name, got %s", hc.ClientName)
}
}
func TestRelyingPartyService_Update_Success(t *testing.T) {
mockRepo := new(MockRelyingPartyRepository)
mockKeto := new(MockKetoService)
clientID := "client-123"
// Hydra Update
hydraHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.Method == http.MethodPut {
var req domain.HydraClient
json.NewDecoder(r.Body).Decode(&req)
json.NewEncoder(w).Encode(req)
return
}
})
hydraSvc := &HydraAdminService{
AdminURL: "http://hydra:4445",
HTTPClient: mockHydraClient(hydraHandler),
}
// DB Update
mockRepo.On("FindByID", mock.Anything, clientID).Return(&domain.RelyingParty{ClientID: clientID, Name: "Old Name"}, nil)
mockRepo.On("Update", mock.Anything, mock.MatchedBy(func(rp *domain.RelyingParty) bool {
return rp.Name == "New Name"
})).Return(nil)
svc := NewRelyingPartyService(mockRepo, hydraSvc, mockKeto)
updateReq := domain.HydraClient{ClientName: "New Name"}
rp, err := svc.Update(context.Background(), clientID, updateReq)
if err != nil {
t.Fatalf("Update failed: %v", err)
}
if rp.Name != "New Name" {
t.Errorf("expected New Name, got %s", rp.Name)
}
mockRepo.AssertExpectations(t)
}
func TestRelyingPartyService_Delete_Success(t *testing.T) {
mockRepo := new(MockRelyingPartyRepository)
mockKeto := new(MockKetoService)
clientID := "client-123"
mockRepo.On("Delete", mock.Anything, clientID).Return(nil)
hydraHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.Method == http.MethodDelete {
w.WriteHeader(http.StatusNoContent)
}
})
hydraSvc := &HydraAdminService{
AdminURL: "http://hydra:4445",
HTTPClient: mockHydraClient(hydraHandler),
}
svc := NewRelyingPartyService(mockRepo, hydraSvc, mockKeto)
err := svc.Delete(context.Background(), clientID)
if err != nil {
t.Fatalf("Delete failed: %v", err)
}
mockRepo.AssertExpectations(t)
}