
일반 사용자의 DevFront 접근 및 RP 관리자 권한 연동

2026-04-20 14:16:24 +09:00
parent 51e46a4d00
commit e15de6d334
12 changed files with 570 additions and 182 deletions


@@ -17,6 +17,8 @@ import (
func TestDevHandler_Isolation(t *testing.T) {
mockKeto := new(devMockKetoService)
// Default Mock behavior: deny everything unless explicitly allowed
mockKeto.On("CheckPermission", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(false, nil).Maybe()
h := &DevHandler{
Hydra: &service.HydraAdminService{
@@ -72,7 +74,6 @@ func TestDevHandler_Isolation(t *testing.T) {
req.Header.Set("Origin", "http://localhost:5174")
resp, _ := app.Test(req, -1)
// We expect 401 now because ListClients enforces authentication.
assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
})
@@ -89,7 +90,8 @@ func TestDevHandler_Isolation(t *testing.T) {
})
app.Get("/api/v1/dev/clients", h.ListClients)
mockKeto.On("CheckPermission", mock.Anything, "user-a", "System", "global", "manage_all").Return(true, nil)
// Explicit permission for private client check bypass
mockKeto.On("CheckPermission", mock.Anything, "User:user-a", "System", "global", "manage_all").Return(true, nil).Once()
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil)
resp, _ := app.Test(req, -1)
@@ -100,17 +102,17 @@ func TestDevHandler_Isolation(t *testing.T) {
}
json.NewDecoder(resp.Body).Decode(&res)
// Should only see client-tenant-a
// Should only see client-tenant-a (tenant isolation)
assert.Equal(t, 1, len(res.Items))
assert.Equal(t, "client-tenant-a", res.Items[0].ID)
})
t.Run("Tenant member should be forbidden from DevFront clients", func(t *testing.T) {
t.Run("Tenant member should see empty list from DevFront clients if no relation", func(t *testing.T) {
app := fiber.New()
tenantA := "tenant-a"
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_profile", &domain.UserProfileResponse{
ID: "user-a",
ID: "user-member",
Role: domain.RoleUser,
TenantID: &tenantA,
})
@@ -120,7 +122,14 @@ func TestDevHandler_Isolation(t *testing.T) {
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil)
resp, _ := app.Test(req, -1)
assert.Equal(t, http.StatusForbidden, resp.StatusCode)
assert.Equal(t, http.StatusOK, resp.StatusCode)
var res struct {
Items []clientSummary `json:"items"`
}
json.NewDecoder(resp.Body).Decode(&res)
// Empty list because we didn't mock any specific 'view' permissions for this user
assert.Equal(t, 0, len(res.Items))
})
t.Run("RP Admin should only see managed clients", func(t *testing.T) {