diff --git a/backend/internal/handler/dev_handler.go b/backend/internal/handler/dev_handler.go index 08f3faea..54bb5eba 100644 --- a/backend/internal/handler/dev_handler.go +++ b/backend/internal/handler/dev_handler.go @@ -199,6 +199,7 @@ var allowedRelyingPartyOperatorRelations = map[string]struct{}{ "admins": {}, "creator": {}, "config_editor": {}, + "secret_viewer": {}, "secret_rotator": {}, "jwks_viewer": {}, "jwks_operator": {}, @@ -215,7 +216,7 @@ func normalizeUserRole(role string) string { func isDevConsoleRoleAllowed(role string) bool { switch normalizeUserRole(role) { - case domain.RoleSuperAdmin, domain.RoleTenantAdmin, domain.RoleRPAdmin: + case domain.RoleSuperAdmin, domain.RoleTenantAdmin, domain.RoleRPAdmin, domain.RoleUser: return true default: return false @@ -372,6 +373,32 @@ func (h *DevHandler) canOperateClientByPermit(c *fiber.Ctx, profile *domain.User return err == nil && allowed } +func (h *DevHandler) canViewClientSecret(c *fiber.Ctx, profile *domain.UserProfileResponse, summary clientSummary) bool { + if canAccessClientByLegacyScope(profile, summary) { + return true + } + return h.canOperateClientByPermit(c, profile, summary, "view_secret") +} + +func (h *DevHandler) canBypassPrivateClientRestriction(c *fiber.Ctx, profile *domain.UserProfileResponse, summary clientSummary, relation string) bool { + if h.canOperateClientByPermit(c, profile, summary, relation) { + return true + } + allowed, err := h.checkAppManagerPermission(c) + return err == nil && allowed +} + +func (h *DevHandler) redactClientSecretUnlessAllowed(c *fiber.Ctx, profile *domain.UserProfileResponse, summary clientSummary) clientSummary { + if summary.ClientSecret == "" { + return summary + } + if h.canViewClientSecret(c, profile, summary) { + return summary + } + summary.ClientSecret = "" + return summary +} + func (h *DevHandler) canViewClientRelations(c *fiber.Ctx, profile *domain.UserProfileResponse, summary clientSummary) bool { if h.canOperateClientByPermit(c, profile, summary, "view_relationships") { return true @@ -474,7 +501,11 @@ func resolveClientTenantID(summary clientSummary) string { } func isRPAdminClientAllowed(profile *domain.UserProfileResponse, clientID string) bool { - if normalizeUserRole(profileRole(profile)) != domain.RoleRPAdmin { + role := normalizeUserRole(profileRole(profile)) + if role == domain.RoleUser { + return false + } + if role != domain.RoleRPAdmin { return true } allowed := managedClientIDsFromProfile(profile) @@ -665,7 +696,11 @@ func (h *DevHandler) SearchUsers(c *fiber.Ctx) error { return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required") } if !isDevConsoleRoleAllowed(normalizeUserRole(profile.Role)) { - return errorJSON(c, fiber.StatusForbidden, "forbidden") + clientID := strings.TrimSpace(c.Query("clientId")) + summary, err := h.loadClientSummary(c.Context(), clientID) + if clientID == "" || err != nil || !h.canManageClientRelations(c, profile, summary) { + return errorJSON(c, fiber.StatusForbidden, "forbidden") + } } if h.KratosAdmin == nil { return errorJSON(c, fiber.StatusServiceUnavailable, "kratos admin unavailable") @@ -993,7 +1028,7 @@ func (h *DevHandler) ListClients(c *fiber.Ctx) error { return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required") } role := normalizeUserRole(profile.Role) - if !isDevConsoleViewerRole(role) { + if !isDevConsoleRoleAllowed(role) { return errorJSON(c, fiber.StatusForbidden, "forbidden") } @@ -1054,7 +1089,7 @@ func (h *DevHandler) ListClients(c *fiber.Ctx) error { continue } - items = append(items, summary) + items = append(items, h.redactClientSecretUnlessAllowed(c, profile, summary)) } return c.JSON(clientListResponse{ @@ -1240,6 +1275,7 @@ func (h *DevHandler) GetClient(c *fiber.Ctx) error { } cacheState, _ := h.publicHeadlessJWKSCacheState(summary.ID) + summary = h.redactClientSecretUnlessAllowed(c, profile, summary) return c.JSON(clientDetailResponse{ Client: summary, @@ -1318,17 +1354,17 @@ func (h *DevHandler) UpdateClientStatus(c *fiber.Ctx) error { return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required") } role := normalizeUserRole(profile.Role) - if !isDevConsoleRoleAllowed(role) { + if !isDevConsoleViewerRole(role) { return errorJSON(c, fiber.StatusForbidden, "forbidden") } - if !canAccessClientByLegacyScope(profile, summary) && !h.canOperateClientByPermit(c, profile, summary, "change_status") { + canChangeStatusByPermit := h.canOperateClientByPermit(c, profile, summary, "change_status") + if !canAccessClientByLegacyScope(profile, summary) && !canChangeStatusByPermit { return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client") } - if summary.Type == "private" { - isAppManager, _ := h.checkAppManagerPermission(c) - if !isAppManager { + if summary.Type == "private" && !h.canBypassPrivateClientRestriction(c, profile, summary, "change_status") { + if !canChangeStatusByPermit { return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client") } } @@ -1352,6 +1388,7 @@ func (h *DevHandler) UpdateClientStatus(c *fiber.Ctx) error { } updatedSummary := h.mapClientSummary(*updated) + updatedSummary = h.redactClientSecretUnlessAllowed(c, profile, updatedSummary) cacheState, _ := h.publicHeadlessJWKSCacheState(updatedSummary.ID) return c.JSON(clientDetailResponse{ Client: updatedSummary, @@ -1566,7 +1603,7 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error { return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required") } role := normalizeUserRole(profile.Role) - if !isDevConsoleRoleAllowed(role) { + if !isDevConsoleViewerRole(role) { return errorJSON(c, fiber.StatusForbidden, "forbidden") } @@ -1584,11 +1621,7 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error { // [Security] Check permission for private clients (both current and new type) if currentSummary.Type == "private" || clientType == "private" { - isAppManager, err := h.checkAppManagerPermission(c) - if err != nil { - return errorJSON(c, fiber.StatusInternalServerError, "permission check error") - } - if !isAppManager { + if !h.canBypassPrivateClientRestriction(c, profile, currentSummary, "edit_config") { return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client") } } @@ -1736,7 +1769,7 @@ func (h *DevHandler) DeleteClient(c *fiber.Ctx) error { return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required") } role := normalizeUserRole(profile.Role) - if !isDevConsoleRoleAllowed(role) { + if !isDevConsoleViewerRole(role) { return errorJSON(c, fiber.StatusForbidden, "forbidden") } @@ -1746,8 +1779,7 @@ func (h *DevHandler) DeleteClient(c *fiber.Ctx) error { // [Security] Check permission for private clients if summary.Type == "private" { - isAppManager, _ := h.checkAppManagerPermission(c) - if !isAppManager { + if !h.canBypassPrivateClientRestriction(c, profile, summary, "manage") { return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client") } } @@ -1986,7 +2018,7 @@ func (h *DevHandler) RotateClientSecret(c *fiber.Ctx) error { return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required") } role := normalizeUserRole(profile.Role) - if !isDevConsoleRoleAllowed(role) { + if !isDevConsoleViewerRole(role) { return errorJSON(c, fiber.StatusForbidden, "forbidden") } @@ -1997,8 +2029,7 @@ func (h *DevHandler) RotateClientSecret(c *fiber.Ctx) error { // [Security] Check permission for private clients if summary.Type == "private" { - isAppManager, _ := h.checkAppManagerPermission(c) - if !isAppManager { + if !h.canBypassPrivateClientRestriction(c, profile, summary, "rotate_secret") { return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client") } } @@ -2076,7 +2107,7 @@ func (h *DevHandler) RefreshHeadlessJWKSCache(c *fiber.Ctx) error { return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required") } role := normalizeUserRole(profile.Role) - if !isDevConsoleRoleAllowed(role) { + if !isDevConsoleViewerRole(role) { return errorJSON(c, fiber.StatusForbidden, "forbidden") } if !canAccessClientByLegacyScope(profile, summary) && !h.canOperateClientByPermit(c, profile, summary, "operate_jwks") { @@ -2141,18 +2172,10 @@ func (h *DevHandler) RevokeHeadlessJWKSCache(c *fiber.Ctx) error { return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required") } role := normalizeUserRole(profile.Role) - if !isDevConsoleRoleAllowed(role) { + if !isDevConsoleViewerRole(role) { return errorJSON(c, fiber.StatusForbidden, "forbidden") } - isSuperAdmin := role == domain.RoleSuperAdmin - userTenantID := tenantIDFromProfile(profile) - if !isSuperAdmin { - clientTenantID := resolveClientTenantID(summary) - if clientTenantID != userTenantID { - return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant") - } - } - if !isRPAdminClientAllowed(profile, summary.ID) { + if !canAccessClientByLegacyScope(profile, summary) && !h.canOperateClientByPermit(c, profile, summary, "operate_jwks") { return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client") } diff --git a/backend/internal/handler/dev_handler_isolation_test.go b/backend/internal/handler/dev_handler_isolation_test.go index de329d23..7a075bd7 100644 --- a/backend/internal/handler/dev_handler_isolation_test.go +++ b/backend/internal/handler/dev_handler_isolation_test.go @@ -17,6 +17,8 @@ import ( func TestDevHandler_Isolation(t *testing.T) { mockKeto := new(devMockKetoService) + // Default Mock behavior: deny everything unless explicitly allowed + mockKeto.On("CheckPermission", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(false, nil).Maybe() h := &DevHandler{ Hydra: &service.HydraAdminService{ @@ -72,7 +74,6 @@ func TestDevHandler_Isolation(t *testing.T) { req.Header.Set("Origin", "http://localhost:5174") resp, _ := app.Test(req, -1) - // We expect 401 now because ListClients enforces authentication. assert.Equal(t, http.StatusUnauthorized, resp.StatusCode) }) @@ -89,7 +90,8 @@ func TestDevHandler_Isolation(t *testing.T) { }) app.Get("/api/v1/dev/clients", h.ListClients) - mockKeto.On("CheckPermission", mock.Anything, "user-a", "System", "global", "manage_all").Return(true, nil) + // Explicit permission for private client check bypass + mockKeto.On("CheckPermission", mock.Anything, "User:user-a", "System", "global", "manage_all").Return(true, nil).Once() req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil) resp, _ := app.Test(req, -1) @@ -100,17 +102,17 @@ func TestDevHandler_Isolation(t *testing.T) { } json.NewDecoder(resp.Body).Decode(&res) - // Should only see client-tenant-a + // Should only see client-tenant-a (tenant isolation) assert.Equal(t, 1, len(res.Items)) assert.Equal(t, "client-tenant-a", res.Items[0].ID) }) - t.Run("Tenant member should be forbidden from DevFront clients", func(t *testing.T) { + t.Run("Tenant member should see empty list from DevFront clients if no relation", func(t *testing.T) { app := fiber.New() tenantA := "tenant-a" app.Use(func(c *fiber.Ctx) error { c.Locals("user_profile", &domain.UserProfileResponse{ - ID: "user-a", + ID: "user-member", Role: domain.RoleUser, TenantID: &tenantA, }) @@ -120,7 +122,14 @@ func TestDevHandler_Isolation(t *testing.T) { req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil) resp, _ := app.Test(req, -1) - assert.Equal(t, http.StatusForbidden, resp.StatusCode) + assert.Equal(t, http.StatusOK, resp.StatusCode) + + var res struct { + Items []clientSummary `json:"items"` + } + json.NewDecoder(resp.Body).Decode(&res) + // Empty list because we didn't mock any specific 'view' permissions for this user + assert.Equal(t, 0, len(res.Items)) }) t.Run("RP Admin should only see managed clients", func(t *testing.T) { diff --git a/backend/internal/handler/dev_handler_test.go b/backend/internal/handler/dev_handler_test.go index ce3315bb..2bee527d 100644 --- a/backend/internal/handler/dev_handler_test.go +++ b/backend/internal/handler/dev_handler_test.go @@ -357,6 +357,83 @@ func TestUpdateClient_ReservedSystemNameForbidden(t *testing.T) { assert.Equal(t, http.StatusForbidden, resp.StatusCode) } +func TestUpdateClient_PrivateClientAllowedByEditConfigPermission(t *testing.T) { + transport := roundTripFunc(func(r *http.Request) (*http.Response, error) { + if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" { + return httpJSONAny(r, http.StatusOK, map[string]any{ + "client_id": "client-1", + "client_name": "App One", + "redirect_uris": []string{ + "http://localhost/cb", + }, + "grant_types": []string{"authorization_code", "refresh_token"}, + "response_types": []string{"code"}, + "scope": "openid profile email offline_access", + "token_endpoint_auth_method": "client_secret_basic", + "metadata": map[string]any{ + "status": "active", + "tenant_id": "tenant-1", + }, + }), nil + } + if r.Method == http.MethodPut && r.URL.Path == "/clients/client-1" { + return httpJSONAny(r, http.StatusOK, map[string]any{ + "client_id": "client-1", + "client_name": "App One Updated", + "redirect_uris": []string{ + "http://localhost/cb", + }, + "grant_types": []string{"authorization_code", "refresh_token"}, + "response_types": []string{"code"}, + "scope": "openid profile email offline_access", + "token_endpoint_auth_method": "client_secret_basic", + "metadata": map[string]any{ + "status": "active", + "tenant_id": "tenant-1", + }, + }), nil + } + return httpJSONAny(r, http.StatusNotFound, nil), nil + }) + + mockKeto := new(devMockKetoService) + mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "edit_config").Return(true, nil) + + h := &DevHandler{ + Hydra: &service.HydraAdminService{ + AdminURL: "http://hydra.test", + HTTPClient: &http.Client{Transport: transport}, + }, + Keto: mockKeto, + } + + app := fiber.New() + tenantID := "tenant-1" + app.Use(func(c *fiber.Ctx) error { + c.Locals("user_profile", &domain.UserProfileResponse{ + ID: "user-1", + Role: domain.RoleUser, + TenantID: &tenantID, + }) + return c.Next() + }) + app.Put("/api/v1/dev/clients/:id", h.UpdateClient) + + body, _ := json.Marshal(map[string]any{ + "name": "App One Updated", + }) + req := httptest.NewRequest(http.MethodPut, "/api/v1/dev/clients/client-1", bytes.NewReader(body)) + req.Header.Set("Content-Type", "application/json") + + resp, _ := app.Test(req, -1) + assert.Equal(t, http.StatusOK, resp.StatusCode) + + var result clientDetailResponse + _ = json.NewDecoder(resp.Body).Decode(&result) + assert.Equal(t, "App One Updated", result.Client.Name) + mockKeto.AssertExpectations(t) +} + func TestListClients_ProtectedSystemClientHidden(t *testing.T) { transport := roundTripFunc(func(r *http.Request) (*http.Response, error) { if r.URL.Path == "/clients" { @@ -511,6 +588,65 @@ func TestUpdateClientStatus_Success(t *testing.T) { assert.Equal(t, "inactive", res.Client.Status) } +func TestUpdateClientStatus_UserAllowedByStatusPermission(t *testing.T) { + transport := roundTripFunc(func(r *http.Request) (*http.Response, error) { + if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" { + return httpJSONAny(r, http.StatusOK, map[string]interface{}{ + "client_id": "client-1", + "client_name": "App One", + "metadata": map[string]interface{}{ + "tenant_id": "tenant-1", + "status": "active", + }, + }), nil + } + if r.Method == http.MethodPatch && r.URL.Path == "/clients/client-1" { + return httpJSONAny(r, http.StatusOK, map[string]interface{}{ + "client_id": "client-1", + "client_name": "App One", + "metadata": map[string]interface{}{ + "tenant_id": "tenant-1", + "status": "inactive", + }, + }), nil + } + return httpJSONAny(r, http.StatusNotFound, nil), nil + }) + + mockKeto := new(devMockKetoService) + mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "change_status").Return(true, nil) + + h := &DevHandler{ + Hydra: &service.HydraAdminService{ + AdminURL: "http://hydra.test", + HTTPClient: &http.Client{Transport: transport}, + }, + Keto: mockKeto, + } + app := fiber.New() + tenantID := "tenant-1" + app.Use(func(c *fiber.Ctx) error { + c.Locals("user_profile", &domain.UserProfileResponse{ + ID: "user-1", + Role: domain.RoleUser, + TenantID: &tenantID, + }) + return c.Next() + }) + app.Patch("/api/v1/dev/clients/:id/status", h.UpdateClientStatus) + + body, _ := json.Marshal(map[string]interface{}{"status": "inactive"}) + req := httptest.NewRequest(http.MethodPatch, "/api/v1/dev/clients/client-1/status", bytes.NewReader(body)) + req.Header.Set("Content-Type", "application/json") + resp, _ := app.Test(req, -1) + + assert.Equal(t, http.StatusOK, resp.StatusCode) + var res clientDetailResponse + _ = json.NewDecoder(resp.Body).Decode(&res) + assert.Equal(t, "inactive", res.Client.Status) + mockKeto.AssertExpectations(t) +} + func TestUpdateClientStatus_ProtectedSystemClientForbidden(t *testing.T) { transport := roundTripFunc(func(r *http.Request) (*http.Response, error) { if r.Method == http.MethodGet && r.URL.Path == "/clients/oathkeeper-introspect" { @@ -690,6 +826,106 @@ func TestGetClient_RPAdminAllowedByKetoViewPermission(t *testing.T) { mockKeto.AssertExpectations(t) } +func TestGetClient_RedactsSecretWithoutViewSecretPermission(t *testing.T) { + transport := roundTripFunc(func(r *http.Request) (*http.Response, error) { + if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" { + return httpJSONAny(r, http.StatusOK, map[string]interface{}{ + "client_id": "client-1", + "client_name": "App One", + "client_secret": "stored-secret", + "metadata": map[string]interface{}{ + "tenant_id": "tenant-1", + "status": "active", + }, + }), nil + } + return httpJSONAny(r, http.StatusNotFound, nil), nil + }) + + mockKeto := new(devMockKetoService) + mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "Tenant", "tenant-1", "view_dev_console").Return(false, nil) + mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "view").Return(true, nil) + mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "view_secret").Return(false, nil) + + h := &DevHandler{ + Hydra: &service.HydraAdminService{ + AdminURL: "http://hydra.test", + HTTPClient: &http.Client{Transport: transport}, + }, + Keto: mockKeto, + } + app := fiber.New() + tenantID := "tenant-1" + app.Use(func(c *fiber.Ctx) error { + c.Locals("user_profile", &domain.UserProfileResponse{ + ID: "user-1", + Role: domain.RoleUser, + TenantID: &tenantID, + }) + return c.Next() + }) + app.Get("/api/v1/dev/clients/:id", h.GetClient) + + req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients/client-1", nil) + resp, _ := app.Test(req, -1) + + assert.Equal(t, http.StatusOK, resp.StatusCode) + var result clientDetailResponse + _ = json.NewDecoder(resp.Body).Decode(&result) + assert.Empty(t, result.Client.ClientSecret) + mockKeto.AssertExpectations(t) +} + +func TestGetClient_UserAllowedToViewSecretByPermission(t *testing.T) { + transport := roundTripFunc(func(r *http.Request) (*http.Response, error) { + if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" { + return httpJSONAny(r, http.StatusOK, map[string]interface{}{ + "client_id": "client-1", + "client_name": "App One", + "client_secret": "stored-secret", + "metadata": map[string]interface{}{ + "tenant_id": "tenant-1", + "status": "active", + }, + }), nil + } + return httpJSONAny(r, http.StatusNotFound, nil), nil + }) + + mockKeto := new(devMockKetoService) + mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "Tenant", "tenant-1", "view_dev_console").Return(false, nil) + mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "view").Return(true, nil) + mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "view_secret").Return(true, nil) + + h := &DevHandler{ + Hydra: &service.HydraAdminService{ + AdminURL: "http://hydra.test", + HTTPClient: &http.Client{Transport: transport}, + }, + Keto: mockKeto, + } + app := fiber.New() + tenantID := "tenant-1" + app.Use(func(c *fiber.Ctx) error { + c.Locals("user_profile", &domain.UserProfileResponse{ + ID: "user-1", + Role: domain.RoleUser, + TenantID: &tenantID, + }) + return c.Next() + }) + app.Get("/api/v1/dev/clients/:id", h.GetClient) + + req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients/client-1", nil) + resp, _ := app.Test(req, -1) + + assert.Equal(t, http.StatusOK, resp.StatusCode) + var result clientDetailResponse + _ = json.NewDecoder(resp.Body).Decode(&result) + assert.Equal(t, "stored-secret", result.Client.ClientSecret) + mockKeto.AssertExpectations(t) +} + func TestRotateClientSecret_Success(t *testing.T) { transport := roundTripFunc(func(r *http.Request) (*http.Response, error) { if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" { @@ -1505,7 +1741,7 @@ func TestListClientRelations_RPAdminAllowedByViewRelationshipsPermission(t *test mockKeto.On("ListRelations", mock.Anything, "RelyingParty", "client-1", "config_editor", "").Return([]service.RelationTuple{ {Object: "client-1", Relation: "config_editor", SubjectID: "User:user-2"}, }, nil) - for _, relation := range []string{"admins", "creator", "secret_rotator", "jwks_viewer", "jwks_operator", "consent_viewer", "consent_revoker", "relationship_viewer", "audit_viewer", "status_operator"} { + for _, relation := range []string{"admins", "creator", "secret_viewer", "secret_rotator", "jwks_viewer", "jwks_operator", "consent_viewer", "consent_revoker", "relationship_viewer", "audit_viewer", "status_operator"} { mockKeto.On("ListRelations", mock.Anything, "RelyingParty", "client-1", relation, "").Return([]service.RelationTuple{}, nil) } mockKratos := new(devMockKratosAdmin) @@ -1724,3 +1960,69 @@ func TestSearchUsers_RPAdminSearchByNameOrEmailWithinTenantScope(t *testing.T) { assert.Equal(t, "alice@example.com", result.Items[0].Email) mockKratos.AssertExpectations(t) } + +func TestSearchUsers_UserAllowedByRPAdminRelation(t *testing.T) { + transport := roundTripFunc(func(r *http.Request) (*http.Response, error) { + if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" { + return httpJSONAny(r, http.StatusOK, map[string]any{ + "client_id": "client-1", + "client_name": "App One", + "metadata": map[string]any{ + "tenant_id": "tenant-1", + "status": "active", + }, + }), nil + } + return httpJSONAny(r, http.StatusNotFound, nil), nil + }) + + mockKeto := new(devMockKetoService) + mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "manage").Return(true, nil) + + mockKratos := new(devMockKratosAdmin) + mockKratos.On("ListIdentities", mock.Anything).Return([]service.KratosIdentity{ + { + ID: "target-user", + Traits: map[string]interface{}{ + "name": "김용연", + "email": "kyy@example.com", + "id": "kyy01", + "tenant_id": "tenant-1", + }, + }, + }, nil) + + h := &DevHandler{ + Hydra: &service.HydraAdminService{ + AdminURL: "http://hydra.test", + HTTPClient: &http.Client{Transport: transport}, + }, + Keto: mockKeto, + KratosAdmin: mockKratos, + } + + app := fiber.New() + tenantID := "tenant-1" + app.Use(func(c *fiber.Ctx) error { + c.Locals("user_profile", &domain.UserProfileResponse{ + ID: "user-1", + Role: domain.RoleUser, + TenantID: &tenantID, + }) + return c.Next() + }) + app.Get("/api/v1/dev/users", h.SearchUsers) + + req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/users?clientId=client-1&search=김용연", nil) + resp, _ := app.Test(req, -1) + + assert.Equal(t, http.StatusOK, resp.StatusCode) + var result devUserListResponse + _ = json.NewDecoder(resp.Body).Decode(&result) + if assert.Len(t, result.Items, 1) { + assert.Equal(t, "target-user", result.Items[0].ID) + assert.Equal(t, "김용연", result.Items[0].Name) + } + mockKeto.AssertExpectations(t) + mockKratos.AssertExpectations(t) +} diff --git a/backend/internal/service/relying_party_service.go b/backend/internal/service/relying_party_service.go index 152e321b..606f8a68 100644 --- a/backend/internal/service/relying_party_service.go +++ b/backend/internal/service/relying_party_service.go @@ -29,6 +29,7 @@ var defaultRelyingPartyOperatorRelations = []string{ "admins", "creator", "config_editor", + "secret_viewer", "secret_rotator", "jwks_viewer", "jwks_operator", diff --git a/devfront/src/components/common/ForbiddenMessage.tsx b/devfront/src/components/common/ForbiddenMessage.tsx index 9466ce36..2a496ba3 100644 --- a/devfront/src/components/common/ForbiddenMessage.tsx +++ b/devfront/src/components/common/ForbiddenMessage.tsx @@ -30,7 +30,7 @@ export function ForbiddenMessage({ resourceToken }: Props) { } else if (role === "user" || role === "tenant_member") { explanation = t( "msg.dev.forbidden.user", - "일반 사용자는 관리자 화면에 접근할 수 없습니다.", + "일반 사용자 계정은 담당 RP(앱) 관리자 권한이 부여된 경우에만 해당 기능을 사용할 수 있습니다. 권한이 필요하면 관리자에게 요청하세요.", ); } diff --git a/devfront/src/features/clients/ClientRelationsPage.tsx b/devfront/src/features/clients/ClientRelationsPage.tsx index f99f923b..df3113ed 100644 --- a/devfront/src/features/clients/ClientRelationsPage.tsx +++ b/devfront/src/features/clients/ClientRelationsPage.tsx @@ -37,6 +37,7 @@ import { ClientDetailTabs } from "./ClientDetailTabs"; const relationOptions = [ "admins", "config_editor", + "secret_viewer", "secret_rotator", "jwks_viewer", "jwks_operator", @@ -78,7 +79,6 @@ function ClientRelationsPage() { null, ); const [isSearchOpen, setIsSearchOpen] = useState(false); - const { data: clientData } = useQuery({ queryKey: ["client", clientId], queryFn: () => fetchClient(clientId), @@ -95,13 +95,21 @@ function ClientRelationsPage() { enabled: clientId.length > 0, }); + const isRelationshipViewForbidden = + (error as AxiosError | null)?.response?.status === 403; + const relationshipViewForbiddenMessage = t( + "msg.dev.clients.relationships.view_forbidden", + "이 RP의 관계를 조회할 권한이 없습니다. 관리자에게 관계 조회 또는 RP 관리자 관계 부여를 요청해 주세요.", + ); + const { data: userSearchData, isFetching: isUserSearchLoading } = useQuery({ queryKey: ["dev-users", deferredUserSearch], - queryFn: () => fetchDevUsers(deferredUserSearch), + queryFn: () => fetchDevUsers(deferredUserSearch, 10, clientId), enabled: clientId.length > 0 && deferredUserSearch.length > 0 && - selectedUser == null, + selectedUser == null && + !isRelationshipViewForbidden, }); const sortedItems = useMemo(() => { @@ -342,147 +350,156 @@ function ClientRelationsPage() { -
- -
- { - if (!selectedUser && userSearch.trim() !== "") { - setIsSearchOpen(true); - } - }} - onChange={(event) => { - setSelectedUser(null); - setUserSearch(event.target.value); - setIsSearchOpen(true); - }} - placeholder={t( - "ui.dev.clients.relationships.user_search_placeholder", - "이름 또는 이메일 검색...", - )} - /> - {isSearchOpen && - selectedUser == null && - userSearch.trim() !== "" && ( -
- {isUserSearchLoading ? ( -
- {t( - "msg.dev.clients.relationships.search_loading", - "사용자를 찾는 중입니다...", - )} -
- ) : (userSearchData?.items ?? []).length > 0 ? ( - (userSearchData?.items ?? []).map((user) => ( - - )) - ) : ( -
- {t( - "msg.dev.clients.relationships.search_empty", - "검색 결과가 없습니다.", + {isRelationshipViewForbidden ? ( +
+ {relationshipViewForbiddenMessage} +
+ ) : ( + <> +
+ +
+ { + if (!selectedUser && userSearch.trim() !== "") { + setIsSearchOpen(true); + } + }} + onChange={(event) => { + setSelectedUser(null); + setUserSearch(event.target.value); + setIsSearchOpen(true); + }} + placeholder={t( + "ui.dev.clients.relationships.user_search_placeholder", + "이름 또는 이메일 검색...", + )} + /> + {isSearchOpen && + selectedUser == null && + userSearch.trim() !== "" && ( +
+ {isUserSearchLoading ? ( +
+ {t( + "msg.dev.clients.relationships.search_loading", + "사용자를 찾는 중입니다...", + )} +
+ ) : (userSearchData?.items ?? []).length > 0 ? ( + (userSearchData?.items ?? []).map((user) => ( + + )) + ) : ( +
+ {t( + "msg.dev.clients.relationships.search_empty", + "검색 결과가 없습니다.", + )} +
)}
)} -
+
+ {selectedUser && ( +

+ {t( + "msg.dev.clients.relationships.selected_user", + "선택된 사용자: {{user}}", + { user: formatUserLabel(selectedUser) }, + )} +

)} -
- {selectedUser && ( -

- {t( - "msg.dev.clients.relationships.selected_user", - "선택된 사용자: {{user}}", - { user: formatUserLabel(selectedUser) }, - )} -

- )} -
+
-
- -
- {relationOptions.map((relation) => { - const disabled = selectedUserExistingRelations.has(relation); - const isSelected = selectedRelations.includes(relation); - return ( -
+ handleRelationToggle(relation)} + /> +
+
+ {relationLabel(relation)} +
+
+ {relationDescription(relation)} +
+
+ {relation} +
+
+ + ); + })} +
+
-
- -
+
+ +
+ + )} @@ -503,7 +520,11 @@ function ClientRelationsPage() { - {error ? ( + {isRelationshipViewForbidden ? ( +
+ {relationshipViewForbiddenMessage} +
+ ) : error ? (
{t( "msg.dev.clients.relationships.load_error", diff --git a/devfront/src/lib/devApi.ts b/devfront/src/lib/devApi.ts index 6446d4f0..6ef6b0fd 100644 --- a/devfront/src/lib/devApi.ts +++ b/devfront/src/lib/devApi.ts @@ -202,11 +202,15 @@ export async function fetchClientRelations(clientId: string) { return data; } -export async function fetchDevUsers(search: string, limit = 10) { +export async function fetchDevUsers( + search: string, + limit = 10, + clientId?: string, +) { const { data } = await apiClient.get( "/dev/users", { - params: { search, limit }, + params: { search, limit, clientId }, }, ); return data; diff --git a/devfront/src/locales/en.toml b/devfront/src/locales/en.toml index bf5ff541..ea885824 100644 --- a/devfront/src/locales/en.toml +++ b/devfront/src/locales/en.toml @@ -388,8 +388,10 @@ list_description = "Lists operator relations directly assigned to this RP." load_error = "Failed to load relationships: {{error}}" loading = "Loading relationships..." empty = "No direct relationships assigned." +view_forbidden = "You do not have permission to view relationships for this RP. Ask an administrator to grant Relationship Viewer or RP Admin relationship." search_loading = "Searching users..." search_empty = "No users found." +search_forbidden_user = "General users cannot use user search for relationship assignment." selected_user = "Selected user: {{user}}" [msg.dev.clients.federation] @@ -1491,6 +1493,10 @@ description = "Marks the operator who created this RP." label = "RP General Settings" description = "Edit the name, redirect URIs, and general metadata." +[ui.dev.clients.relationships.option.secret_viewer] +label = "Secret View" +description = "View the Client secret for this RP." + [ui.dev.clients.relationships.option.secret_rotator] label = "Secret Rotation" description = "Rotate and reissue the client secret." diff --git a/devfront/src/locales/ko.toml b/devfront/src/locales/ko.toml index 61fcc171..36b80e62 100644 --- a/devfront/src/locales/ko.toml +++ b/devfront/src/locales/ko.toml @@ -388,8 +388,10 @@ list_description = "현재 RP에 직접 부여된 operator relation 목록입니 load_error = "관계 조회 실패: {{error}}" loading = "관계를 불러오는 중입니다..." empty = "직접 부여된 관계가 없습니다." +view_forbidden = "이 RP의 관계를 조회할 권한이 없습니다. 관리자에게 관계 조회 또는 RP 관리자 관계 부여를 요청해 주세요." search_loading = "사용자를 찾는 중입니다..." search_empty = "검색 결과가 없습니다." +search_forbidden_user = "일반 사용자는 관계 추가를 위한 사용자 검색을 사용할 수 없습니다." selected_user = "선택된 사용자: {{user}}" [msg.dev.clients.federation] @@ -1490,6 +1492,10 @@ description = "이 RP를 생성한 운영 주체를 표시합니다." label = "RP 일반 설정" description = "이름, Redirect URI, 메타데이터 같은 일반 설정을 수정합니다." +[ui.dev.clients.relationships.option.secret_viewer] +label = "시크릿 조회" +description = "이 RP의 Client secret을 조회합니다." + [ui.dev.clients.relationships.option.secret_rotator] label = "시크릿 재발급" description = "Client secret 재발급과 회전을 수행합니다." diff --git a/devfront/src/locales/template.toml b/devfront/src/locales/template.toml index 94c2c4fe..9e43f416 100644 --- a/devfront/src/locales/template.toml +++ b/devfront/src/locales/template.toml @@ -388,8 +388,10 @@ list_description = "" load_error = "" loading = "" empty = "" +view_forbidden = "" search_loading = "" search_empty = "" +search_forbidden_user = "" selected_user = "" [msg.dev.clients.federation] @@ -1490,6 +1492,10 @@ description = "" label = "" description = "" +[ui.dev.clients.relationships.option.secret_viewer] +label = "" +description = "" + [ui.dev.clients.relationships.option.secret_rotator] label = "" description = "" diff --git a/docker/ory/keto/namespaces.ts b/docker/ory/keto/namespaces.ts index 2e142757..2d387e27 100644 --- a/docker/ory/keto/namespaces.ts +++ b/docker/ory/keto/namespaces.ts @@ -63,6 +63,7 @@ class RelyingParty implements Namespace { access: (User | SubjectSet | SubjectSet | SubjectSet)[] creator: (User | SubjectSet)[] config_editor: (User | SubjectSet)[] + secret_viewer: (User | SubjectSet)[] secret_rotator: (User | SubjectSet)[] jwks_viewer: (User | SubjectSet)[] jwks_operator: (User | SubjectSet)[] @@ -77,6 +78,7 @@ class RelyingParty implements Namespace { view: (ctx: Context): boolean => this.related.admins.includes(ctx.subject) || this.related.config_editor.includes(ctx.subject) || + this.related.secret_viewer.includes(ctx.subject) || this.related.secret_rotator.includes(ctx.subject) || this.related.jwks_viewer.includes(ctx.subject) || this.related.jwks_operator.includes(ctx.subject) || @@ -101,6 +103,11 @@ class RelyingParty implements Namespace { this.related.config_editor.includes(ctx.subject) || this.permits.manage(ctx), + view_secret: (ctx: Context): boolean => + this.related.secret_viewer.includes(ctx.subject) || + this.permits.rotate_secret(ctx) || + this.permits.manage(ctx), + rotate_secret: (ctx: Context): boolean => this.related.secret_rotator.includes(ctx.subject) || this.permits.manage(ctx), diff --git a/docs/devfront-rp-relationships-guide.md b/docs/devfront-rp-relationships-guide.md index ae2543c6..9cc6e931 100644 --- a/docs/devfront-rp-relationships-guide.md +++ b/docs/devfront-rp-relationships-guide.md @@ -25,8 +25,9 @@ | 화면 표시명 | Relation key | 의미 | 주요 허용 기능 | |---|---|---|---| -| RP 관리자 | `admins` | RP 운영 전반을 관리할 수 있는 관리자 관계 | RP 조회, 설정 관리, secret 재발급, JWKS 운영, consent 조회/회수, 관계 조회, 감사 로그 조회, 상태 변경 | +| RP 관리자 | `admins` | RP 운영 전반을 관리할 수 있는 관리자 관계 | RP 조회, 설정 관리, secret 조회/재발급, JWKS 운영, consent 조회/회수, 관계 조회, 감사 로그 조회, 상태 변경 | | RP 일반 설정 | `config_editor` | RP 이름, Redirect URI, 메타데이터 같은 일반 설정을 수정할 수 있는 관계 | RP 조회, 일반 설정 수정 | +| 시크릿 조회 | `secret_viewer` | Client secret을 조회할 수 있는 관계 | RP 조회, client secret 조회 | | 시크릿 재발급 | `secret_rotator` | Client secret 재발급과 rotation을 수행할 수 있는 관계 | RP 조회, client secret 재발급 | | JWKS 조회 | `jwks_viewer` | JWKS 상태, 캐시 정보, key summary를 조회할 수 있는 관계 | RP 조회, JWKS 상태/캐시/key summary 조회 | | JWKS 운영 | `jwks_operator` | JWKS refresh/revoke 같은 운영 작업을 수행할 수 있는 관계 | RP 조회, JWKS 조회, JWKS refresh/revoke | @@ -42,10 +43,11 @@ Keto namespace 기준으로 relation은 다음 permit으로 계산된다. | Permit | 허용 relation / 조건 | 기능 의미 | |---|---|---| -| `view` | `admins`, `config_editor`, `secret_rotator`, `jwks_viewer`, `jwks_operator`, `consent_viewer`, `consent_revoker`, `relationship_viewer`, `audit_viewer`, `status_operator`, 부모 tenant의 `view` 또는 `view_dev_console` | RP 기본 조회 및 목록 노출 | +| `view` | `admins`, `config_editor`, `secret_viewer`, `secret_rotator`, `jwks_viewer`, `jwks_operator`, `consent_viewer`, `consent_revoker`, `relationship_viewer`, `audit_viewer`, `status_operator`, 부모 tenant의 `view` 또는 `view_dev_console` | RP 기본 조회 및 목록 노출 | | `manage` | `admins`, 부모 tenant의 `manage` | RP 관리 상위 권한 | | `create` | `creator`, 부모 tenant의 `grant_dev_permissions`, `manage` | RP 생성. `creator`는 현재 수동 부여하지 않는 내부 relation이다. | | `edit_config` | `config_editor`, `manage` | RP 일반 설정 수정 | +| `view_secret` | `secret_viewer`, `rotate_secret`, `manage` | client secret 조회 | | `rotate_secret` | `secret_rotator`, `manage` | client secret 재발급/회전 | | `view_jwks` | `jwks_viewer`, `operate_jwks`, `manage` | JWKS 상태/캐시/key summary 조회 | | `operate_jwks` | `jwks_operator`, `manage` | JWKS refresh/revoke | @@ -138,6 +140,7 @@ RP 생성 시 `metadata.user_id`가 존재하면 생성자에게 기본 운영 r - `admins` - `creator` - `config_editor` +- `secret_viewer` - `secret_rotator` - `jwks_viewer` - `jwks_operator`