일반 사용자의 DevFront 접근 및 RP 관리자 권한 연동

2026-04-20 14:16:24 +09:00
parent 51e46a4d00
commit e15de6d334
12 changed files with 570 additions and 182 deletions
--- a/backend/internal/handler/dev_handler.go
+++ b/backend/internal/handler/dev_handler.go
@@ -199,6 +199,7 @@ var allowedRelyingPartyOperatorRelations = map[string]struct{}{
 	"admins":              {},
 	"creator":             {},
 	"config_editor":       {},
+	"secret_viewer":       {},
 	"secret_rotator":      {},
 	"jwks_viewer":         {},
 	"jwks_operator":       {},
@@ -215,7 +216,7 @@ func normalizeUserRole(role string) string {

 func isDevConsoleRoleAllowed(role string) bool {
 	switch normalizeUserRole(role) {
-	case domain.RoleSuperAdmin, domain.RoleTenantAdmin, domain.RoleRPAdmin:
+	case domain.RoleSuperAdmin, domain.RoleTenantAdmin, domain.RoleRPAdmin, domain.RoleUser:
 		return true
 	default:
 		return false
@@ -372,6 +373,32 @@ func (h *DevHandler) canOperateClientByPermit(c *fiber.Ctx, profile *domain.User
 	return err == nil && allowed
 }

+func (h *DevHandler) canViewClientSecret(c *fiber.Ctx, profile *domain.UserProfileResponse, summary clientSummary) bool {
+	if canAccessClientByLegacyScope(profile, summary) {
+		return true
+	}
+	return h.canOperateClientByPermit(c, profile, summary, "view_secret")
+}
+
+func (h *DevHandler) canBypassPrivateClientRestriction(c *fiber.Ctx, profile *domain.UserProfileResponse, summary clientSummary, relation string) bool {
+	if h.canOperateClientByPermit(c, profile, summary, relation) {
+		return true
+	}
+	allowed, err := h.checkAppManagerPermission(c)
+	return err == nil && allowed
+}
+
+func (h *DevHandler) redactClientSecretUnlessAllowed(c *fiber.Ctx, profile *domain.UserProfileResponse, summary clientSummary) clientSummary {
+	if summary.ClientSecret == "" {
+		return summary
+	}
+	if h.canViewClientSecret(c, profile, summary) {
+		return summary
+	}
+	summary.ClientSecret = ""
+	return summary
+}
+
 func (h *DevHandler) canViewClientRelations(c *fiber.Ctx, profile *domain.UserProfileResponse, summary clientSummary) bool {
 	if h.canOperateClientByPermit(c, profile, summary, "view_relationships") {
 		return true
@@ -474,7 +501,11 @@ func resolveClientTenantID(summary clientSummary) string {
 }

 func isRPAdminClientAllowed(profile *domain.UserProfileResponse, clientID string) bool {
-	if normalizeUserRole(profileRole(profile)) != domain.RoleRPAdmin {
+	role := normalizeUserRole(profileRole(profile))
+	if role == domain.RoleUser {
+		return false
+	}
+	if role != domain.RoleRPAdmin {
 		return true
 	}
 	allowed := managedClientIDsFromProfile(profile)
@@ -665,7 +696,11 @@ func (h *DevHandler) SearchUsers(c *fiber.Ctx) error {
 		return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
 	}
 	if !isDevConsoleRoleAllowed(normalizeUserRole(profile.Role)) {
-		return errorJSON(c, fiber.StatusForbidden, "forbidden")
+		clientID := strings.TrimSpace(c.Query("clientId"))
+		summary, err := h.loadClientSummary(c.Context(), clientID)
+		if clientID == "" || err != nil || !h.canManageClientRelations(c, profile, summary) {
+			return errorJSON(c, fiber.StatusForbidden, "forbidden")
+		}
 	}
 	if h.KratosAdmin == nil {
 		return errorJSON(c, fiber.StatusServiceUnavailable, "kratos admin unavailable")
@@ -993,7 +1028,7 @@ func (h *DevHandler) ListClients(c *fiber.Ctx) error {
 		return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
 	}
 	role := normalizeUserRole(profile.Role)
-	if !isDevConsoleViewerRole(role) {
+	if !isDevConsoleRoleAllowed(role) {
 		return errorJSON(c, fiber.StatusForbidden, "forbidden")
 	}

@@ -1054,7 +1089,7 @@ func (h *DevHandler) ListClients(c *fiber.Ctx) error {
 			continue
 		}

-		items = append(items, summary)
+		items = append(items, h.redactClientSecretUnlessAllowed(c, profile, summary))
 	}

 	return c.JSON(clientListResponse{
@@ -1240,6 +1275,7 @@ func (h *DevHandler) GetClient(c *fiber.Ctx) error {
 	}

 	cacheState, _ := h.publicHeadlessJWKSCacheState(summary.ID)
+	summary = h.redactClientSecretUnlessAllowed(c, profile, summary)

 	return c.JSON(clientDetailResponse{
 		Client:            summary,
@@ -1318,17 +1354,17 @@ func (h *DevHandler) UpdateClientStatus(c *fiber.Ctx) error {
 		return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
 	}
 	role := normalizeUserRole(profile.Role)
-	if !isDevConsoleRoleAllowed(role) {
+	if !isDevConsoleViewerRole(role) {
 		return errorJSON(c, fiber.StatusForbidden, "forbidden")
 	}

-	if !canAccessClientByLegacyScope(profile, summary) && !h.canOperateClientByPermit(c, profile, summary, "change_status") {
+	canChangeStatusByPermit := h.canOperateClientByPermit(c, profile, summary, "change_status")
+	if !canAccessClientByLegacyScope(profile, summary) && !canChangeStatusByPermit {
 		return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
 	}

-	if summary.Type == "private" {
-		isAppManager, _ := h.checkAppManagerPermission(c)
-		if !isAppManager {
+	if summary.Type == "private" && !h.canBypassPrivateClientRestriction(c, profile, summary, "change_status") {
+		if !canChangeStatusByPermit {
 			return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client")
 		}
 	}
@@ -1352,6 +1388,7 @@ func (h *DevHandler) UpdateClientStatus(c *fiber.Ctx) error {
 	}

 	updatedSummary := h.mapClientSummary(*updated)
+	updatedSummary = h.redactClientSecretUnlessAllowed(c, profile, updatedSummary)
 	cacheState, _ := h.publicHeadlessJWKSCacheState(updatedSummary.ID)
 	return c.JSON(clientDetailResponse{
 		Client:            updatedSummary,
@@ -1566,7 +1603,7 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error {
 		return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
 	}
 	role := normalizeUserRole(profile.Role)
-	if !isDevConsoleRoleAllowed(role) {
+	if !isDevConsoleViewerRole(role) {
 		return errorJSON(c, fiber.StatusForbidden, "forbidden")
 	}

@@ -1584,11 +1621,7 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error {

 	// [Security] Check permission for private clients (both current and new type)
 	if currentSummary.Type == "private" || clientType == "private" {
-		isAppManager, err := h.checkAppManagerPermission(c)
-		if err != nil {
-			return errorJSON(c, fiber.StatusInternalServerError, "permission check error")
-		}
-		if !isAppManager {
+		if !h.canBypassPrivateClientRestriction(c, profile, currentSummary, "edit_config") {
 			return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client")
 		}
 	}
@@ -1736,7 +1769,7 @@ func (h *DevHandler) DeleteClient(c *fiber.Ctx) error {
 		return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
 	}
 	role := normalizeUserRole(profile.Role)
-	if !isDevConsoleRoleAllowed(role) {
+	if !isDevConsoleViewerRole(role) {
 		return errorJSON(c, fiber.StatusForbidden, "forbidden")
 	}

@@ -1746,8 +1779,7 @@ func (h *DevHandler) DeleteClient(c *fiber.Ctx) error {

 	// [Security] Check permission for private clients
 	if summary.Type == "private" {
-		isAppManager, _ := h.checkAppManagerPermission(c)
-		if !isAppManager {
+		if !h.canBypassPrivateClientRestriction(c, profile, summary, "manage") {
 			return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client")
 		}
 	}
@@ -1986,7 +2018,7 @@ func (h *DevHandler) RotateClientSecret(c *fiber.Ctx) error {
 		return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
 	}
 	role := normalizeUserRole(profile.Role)
-	if !isDevConsoleRoleAllowed(role) {
+	if !isDevConsoleViewerRole(role) {
 		return errorJSON(c, fiber.StatusForbidden, "forbidden")
 	}

@@ -1997,8 +2029,7 @@ func (h *DevHandler) RotateClientSecret(c *fiber.Ctx) error {

 	// [Security] Check permission for private clients
 	if summary.Type == "private" {
-		isAppManager, _ := h.checkAppManagerPermission(c)
-		if !isAppManager {
+		if !h.canBypassPrivateClientRestriction(c, profile, summary, "rotate_secret") {
 			return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client")
 		}
 	}
@@ -2076,7 +2107,7 @@ func (h *DevHandler) RefreshHeadlessJWKSCache(c *fiber.Ctx) error {
 		return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
 	}
 	role := normalizeUserRole(profile.Role)
-	if !isDevConsoleRoleAllowed(role) {
+	if !isDevConsoleViewerRole(role) {
 		return errorJSON(c, fiber.StatusForbidden, "forbidden")
 	}
 	if !canAccessClientByLegacyScope(profile, summary) && !h.canOperateClientByPermit(c, profile, summary, "operate_jwks") {
@@ -2141,18 +2172,10 @@ func (h *DevHandler) RevokeHeadlessJWKSCache(c *fiber.Ctx) error {
 		return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
 	}
 	role := normalizeUserRole(profile.Role)
-	if !isDevConsoleRoleAllowed(role) {
+	if !isDevConsoleViewerRole(role) {
 		return errorJSON(c, fiber.StatusForbidden, "forbidden")
 	}
-	isSuperAdmin := role == domain.RoleSuperAdmin
-	userTenantID := tenantIDFromProfile(profile)
-	if !isSuperAdmin {
-		clientTenantID := resolveClientTenantID(summary)
-		if clientTenantID != userTenantID {
-			return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant")
-		}
-	}
-	if !isRPAdminClientAllowed(profile, summary.ID) {
+	if !canAccessClientByLegacyScope(profile, summary) && !h.canOperateClientByPermit(c, profile, summary, "operate_jwks") {
 		return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
 	}

--- a/backend/internal/handler/dev_handler_isolation_test.go
+++ b/backend/internal/handler/dev_handler_isolation_test.go
@@ -17,6 +17,8 @@ import (

 func TestDevHandler_Isolation(t *testing.T) {
 	mockKeto := new(devMockKetoService)
+	// Default Mock behavior: deny everything unless explicitly allowed
+	mockKeto.On("CheckPermission", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(false, nil).Maybe()

 	h := &DevHandler{
 		Hydra: &service.HydraAdminService{
@@ -72,7 +74,6 @@ func TestDevHandler_Isolation(t *testing.T) {
 		req.Header.Set("Origin", "http://localhost:5174")

 		resp, _ := app.Test(req, -1)
-		// We expect 401 now because ListClients enforces authentication.
 		assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
 	})

@@ -89,7 +90,8 @@ func TestDevHandler_Isolation(t *testing.T) {
 		})
 		app.Get("/api/v1/dev/clients", h.ListClients)

-		mockKeto.On("CheckPermission", mock.Anything, "user-a", "System", "global", "manage_all").Return(true, nil)
+		// Explicit permission for private client check bypass
+		mockKeto.On("CheckPermission", mock.Anything, "User:user-a", "System", "global", "manage_all").Return(true, nil).Once()

 		req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil)
 		resp, _ := app.Test(req, -1)
@@ -100,17 +102,17 @@ func TestDevHandler_Isolation(t *testing.T) {
 		}
 		json.NewDecoder(resp.Body).Decode(&res)

-		// Should only see client-tenant-a
+		// Should only see client-tenant-a (tenant isolation)
 		assert.Equal(t, 1, len(res.Items))
 		assert.Equal(t, "client-tenant-a", res.Items[0].ID)
 	})

-	t.Run("Tenant member should be forbidden from DevFront clients", func(t *testing.T) {
+	t.Run("Tenant member should see empty list from DevFront clients if no relation", func(t *testing.T) {
 		app := fiber.New()
 		tenantA := "tenant-a"
 		app.Use(func(c *fiber.Ctx) error {
 			c.Locals("user_profile", &domain.UserProfileResponse{
-				ID:       "user-a",
+				ID:       "user-member",
 				Role:     domain.RoleUser,
 				TenantID: &tenantA,
 			})
@@ -120,7 +122,14 @@ func TestDevHandler_Isolation(t *testing.T) {

 		req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil)
 		resp, _ := app.Test(req, -1)
-		assert.Equal(t, http.StatusForbidden, resp.StatusCode)
+		assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+		var res struct {
+			Items []clientSummary `json:"items"`
+		}
+		json.NewDecoder(resp.Body).Decode(&res)
+		// Empty list because we didn't mock any specific 'view' permissions for this user
+		assert.Equal(t, 0, len(res.Items))
 	})

 	t.Run("RP Admin should only see managed clients", func(t *testing.T) {
--- a/backend/internal/handler/dev_handler_test.go
+++ b/backend/internal/handler/dev_handler_test.go
@@ -357,6 +357,83 @@ func TestUpdateClient_ReservedSystemNameForbidden(t *testing.T) {
 	assert.Equal(t, http.StatusForbidden, resp.StatusCode)
 }

+func TestUpdateClient_PrivateClientAllowedByEditConfigPermission(t *testing.T) {
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"client_id":   "client-1",
+				"client_name": "App One",
+				"redirect_uris": []string{
+					"http://localhost/cb",
+				},
+				"grant_types":                []string{"authorization_code", "refresh_token"},
+				"response_types":             []string{"code"},
+				"scope":                      "openid profile email offline_access",
+				"token_endpoint_auth_method": "client_secret_basic",
+				"metadata": map[string]any{
+					"status":    "active",
+					"tenant_id": "tenant-1",
+				},
+			}), nil
+		}
+		if r.Method == http.MethodPut && r.URL.Path == "/clients/client-1" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"client_id":   "client-1",
+				"client_name": "App One Updated",
+				"redirect_uris": []string{
+					"http://localhost/cb",
+				},
+				"grant_types":                []string{"authorization_code", "refresh_token"},
+				"response_types":             []string{"code"},
+				"scope":                      "openid profile email offline_access",
+				"token_endpoint_auth_method": "client_secret_basic",
+				"metadata": map[string]any{
+					"status":    "active",
+					"tenant_id": "tenant-1",
+				},
+			}), nil
+		}
+		return httpJSONAny(r, http.StatusNotFound, nil), nil
+	})
+
+	mockKeto := new(devMockKetoService)
+	mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "edit_config").Return(true, nil)
+
+	h := &DevHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: &http.Client{Transport: transport},
+		},
+		Keto: mockKeto,
+	}
+
+	app := fiber.New()
+	tenantID := "tenant-1"
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{
+			ID:       "user-1",
+			Role:     domain.RoleUser,
+			TenantID: &tenantID,
+		})
+		return c.Next()
+	})
+	app.Put("/api/v1/dev/clients/:id", h.UpdateClient)
+
+	body, _ := json.Marshal(map[string]any{
+		"name": "App One Updated",
+	})
+	req := httptest.NewRequest(http.MethodPut, "/api/v1/dev/clients/client-1", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, _ := app.Test(req, -1)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var result clientDetailResponse
+	_ = json.NewDecoder(resp.Body).Decode(&result)
+	assert.Equal(t, "App One Updated", result.Client.Name)
+	mockKeto.AssertExpectations(t)
+}
+
 func TestListClients_ProtectedSystemClientHidden(t *testing.T) {
 	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
 		if r.URL.Path == "/clients" {
@@ -511,6 +588,65 @@ func TestUpdateClientStatus_Success(t *testing.T) {
 	assert.Equal(t, "inactive", res.Client.Status)
 }

+func TestUpdateClientStatus_UserAllowedByStatusPermission(t *testing.T) {
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
+			return httpJSONAny(r, http.StatusOK, map[string]interface{}{
+				"client_id":   "client-1",
+				"client_name": "App One",
+				"metadata": map[string]interface{}{
+					"tenant_id": "tenant-1",
+					"status":    "active",
+				},
+			}), nil
+		}
+		if r.Method == http.MethodPatch && r.URL.Path == "/clients/client-1" {
+			return httpJSONAny(r, http.StatusOK, map[string]interface{}{
+				"client_id":   "client-1",
+				"client_name": "App One",
+				"metadata": map[string]interface{}{
+					"tenant_id": "tenant-1",
+					"status":    "inactive",
+				},
+			}), nil
+		}
+		return httpJSONAny(r, http.StatusNotFound, nil), nil
+	})
+
+	mockKeto := new(devMockKetoService)
+	mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "change_status").Return(true, nil)
+
+	h := &DevHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: &http.Client{Transport: transport},
+		},
+		Keto: mockKeto,
+	}
+	app := fiber.New()
+	tenantID := "tenant-1"
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{
+			ID:       "user-1",
+			Role:     domain.RoleUser,
+			TenantID: &tenantID,
+		})
+		return c.Next()
+	})
+	app.Patch("/api/v1/dev/clients/:id/status", h.UpdateClientStatus)
+
+	body, _ := json.Marshal(map[string]interface{}{"status": "inactive"})
+	req := httptest.NewRequest(http.MethodPatch, "/api/v1/dev/clients/client-1/status", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+	resp, _ := app.Test(req, -1)
+
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	var res clientDetailResponse
+	_ = json.NewDecoder(resp.Body).Decode(&res)
+	assert.Equal(t, "inactive", res.Client.Status)
+	mockKeto.AssertExpectations(t)
+}
+
 func TestUpdateClientStatus_ProtectedSystemClientForbidden(t *testing.T) {
 	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
 		if r.Method == http.MethodGet && r.URL.Path == "/clients/oathkeeper-introspect" {
@@ -690,6 +826,106 @@ func TestGetClient_RPAdminAllowedByKetoViewPermission(t *testing.T) {
 	mockKeto.AssertExpectations(t)
 }

+func TestGetClient_RedactsSecretWithoutViewSecretPermission(t *testing.T) {
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
+			return httpJSONAny(r, http.StatusOK, map[string]interface{}{
+				"client_id":     "client-1",
+				"client_name":   "App One",
+				"client_secret": "stored-secret",
+				"metadata": map[string]interface{}{
+					"tenant_id": "tenant-1",
+					"status":    "active",
+				},
+			}), nil
+		}
+		return httpJSONAny(r, http.StatusNotFound, nil), nil
+	})
+
+	mockKeto := new(devMockKetoService)
+	mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "Tenant", "tenant-1", "view_dev_console").Return(false, nil)
+	mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "view").Return(true, nil)
+	mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "view_secret").Return(false, nil)
+
+	h := &DevHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: &http.Client{Transport: transport},
+		},
+		Keto: mockKeto,
+	}
+	app := fiber.New()
+	tenantID := "tenant-1"
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{
+			ID:       "user-1",
+			Role:     domain.RoleUser,
+			TenantID: &tenantID,
+		})
+		return c.Next()
+	})
+	app.Get("/api/v1/dev/clients/:id", h.GetClient)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients/client-1", nil)
+	resp, _ := app.Test(req, -1)
+
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	var result clientDetailResponse
+	_ = json.NewDecoder(resp.Body).Decode(&result)
+	assert.Empty(t, result.Client.ClientSecret)
+	mockKeto.AssertExpectations(t)
+}
+
+func TestGetClient_UserAllowedToViewSecretByPermission(t *testing.T) {
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
+			return httpJSONAny(r, http.StatusOK, map[string]interface{}{
+				"client_id":     "client-1",
+				"client_name":   "App One",
+				"client_secret": "stored-secret",
+				"metadata": map[string]interface{}{
+					"tenant_id": "tenant-1",
+					"status":    "active",
+				},
+			}), nil
+		}
+		return httpJSONAny(r, http.StatusNotFound, nil), nil
+	})
+
+	mockKeto := new(devMockKetoService)
+	mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "Tenant", "tenant-1", "view_dev_console").Return(false, nil)
+	mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "view").Return(true, nil)
+	mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "view_secret").Return(true, nil)
+
+	h := &DevHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: &http.Client{Transport: transport},
+		},
+		Keto: mockKeto,
+	}
+	app := fiber.New()
+	tenantID := "tenant-1"
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{
+			ID:       "user-1",
+			Role:     domain.RoleUser,
+			TenantID: &tenantID,
+		})
+		return c.Next()
+	})
+	app.Get("/api/v1/dev/clients/:id", h.GetClient)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients/client-1", nil)
+	resp, _ := app.Test(req, -1)
+
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	var result clientDetailResponse
+	_ = json.NewDecoder(resp.Body).Decode(&result)
+	assert.Equal(t, "stored-secret", result.Client.ClientSecret)
+	mockKeto.AssertExpectations(t)
+}
+
 func TestRotateClientSecret_Success(t *testing.T) {
 	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
 		if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
@@ -1505,7 +1741,7 @@ func TestListClientRelations_RPAdminAllowedByViewRelationshipsPermission(t *test
 	mockKeto.On("ListRelations", mock.Anything, "RelyingParty", "client-1", "config_editor", "").Return([]service.RelationTuple{
 		{Object: "client-1", Relation: "config_editor", SubjectID: "User:user-2"},
 	}, nil)
-	for _, relation := range []string{"admins", "creator", "secret_rotator", "jwks_viewer", "jwks_operator", "consent_viewer", "consent_revoker", "relationship_viewer", "audit_viewer", "status_operator"} {
+	for _, relation := range []string{"admins", "creator", "secret_viewer", "secret_rotator", "jwks_viewer", "jwks_operator", "consent_viewer", "consent_revoker", "relationship_viewer", "audit_viewer", "status_operator"} {
 		mockKeto.On("ListRelations", mock.Anything, "RelyingParty", "client-1", relation, "").Return([]service.RelationTuple{}, nil)
 	}
 	mockKratos := new(devMockKratosAdmin)
@@ -1724,3 +1960,69 @@ func TestSearchUsers_RPAdminSearchByNameOrEmailWithinTenantScope(t *testing.T) {
 	assert.Equal(t, "alice@example.com", result.Items[0].Email)
 	mockKratos.AssertExpectations(t)
 }
+
+func TestSearchUsers_UserAllowedByRPAdminRelation(t *testing.T) {
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"client_id":   "client-1",
+				"client_name": "App One",
+				"metadata": map[string]any{
+					"tenant_id": "tenant-1",
+					"status":    "active",
+				},
+			}), nil
+		}
+		return httpJSONAny(r, http.StatusNotFound, nil), nil
+	})
+
+	mockKeto := new(devMockKetoService)
+	mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "manage").Return(true, nil)
+
+	mockKratos := new(devMockKratosAdmin)
+	mockKratos.On("ListIdentities", mock.Anything).Return([]service.KratosIdentity{
+		{
+			ID: "target-user",
+			Traits: map[string]interface{}{
+				"name":      "김용연",
+				"email":     "kyy@example.com",
+				"id":        "kyy01",
+				"tenant_id": "tenant-1",
+			},
+		},
+	}, nil)
+
+	h := &DevHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: &http.Client{Transport: transport},
+		},
+		Keto:        mockKeto,
+		KratosAdmin: mockKratos,
+	}
+
+	app := fiber.New()
+	tenantID := "tenant-1"
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{
+			ID:       "user-1",
+			Role:     domain.RoleUser,
+			TenantID: &tenantID,
+		})
+		return c.Next()
+	})
+	app.Get("/api/v1/dev/users", h.SearchUsers)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/users?clientId=client-1&search=김용연", nil)
+	resp, _ := app.Test(req, -1)
+
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	var result devUserListResponse
+	_ = json.NewDecoder(resp.Body).Decode(&result)
+	if assert.Len(t, result.Items, 1) {
+		assert.Equal(t, "target-user", result.Items[0].ID)
+		assert.Equal(t, "김용연", result.Items[0].Name)
+	}
+	mockKeto.AssertExpectations(t)
+	mockKratos.AssertExpectations(t)
+}