1
0
forked from baron/baron-sso

일반 사용자의 DevFront 접근 및 RP 관리자 권한 연동

This commit is contained in:
2026-04-20 14:16:24 +09:00
parent 51e46a4d00
commit e15de6d334
12 changed files with 570 additions and 182 deletions

View File

@@ -199,6 +199,7 @@ var allowedRelyingPartyOperatorRelations = map[string]struct{}{
"admins": {}, "admins": {},
"creator": {}, "creator": {},
"config_editor": {}, "config_editor": {},
"secret_viewer": {},
"secret_rotator": {}, "secret_rotator": {},
"jwks_viewer": {}, "jwks_viewer": {},
"jwks_operator": {}, "jwks_operator": {},
@@ -215,7 +216,7 @@ func normalizeUserRole(role string) string {
func isDevConsoleRoleAllowed(role string) bool { func isDevConsoleRoleAllowed(role string) bool {
switch normalizeUserRole(role) { switch normalizeUserRole(role) {
case domain.RoleSuperAdmin, domain.RoleTenantAdmin, domain.RoleRPAdmin: case domain.RoleSuperAdmin, domain.RoleTenantAdmin, domain.RoleRPAdmin, domain.RoleUser:
return true return true
default: default:
return false return false
@@ -372,6 +373,32 @@ func (h *DevHandler) canOperateClientByPermit(c *fiber.Ctx, profile *domain.User
return err == nil && allowed return err == nil && allowed
} }
func (h *DevHandler) canViewClientSecret(c *fiber.Ctx, profile *domain.UserProfileResponse, summary clientSummary) bool {
if canAccessClientByLegacyScope(profile, summary) {
return true
}
return h.canOperateClientByPermit(c, profile, summary, "view_secret")
}
func (h *DevHandler) canBypassPrivateClientRestriction(c *fiber.Ctx, profile *domain.UserProfileResponse, summary clientSummary, relation string) bool {
if h.canOperateClientByPermit(c, profile, summary, relation) {
return true
}
allowed, err := h.checkAppManagerPermission(c)
return err == nil && allowed
}
func (h *DevHandler) redactClientSecretUnlessAllowed(c *fiber.Ctx, profile *domain.UserProfileResponse, summary clientSummary) clientSummary {
if summary.ClientSecret == "" {
return summary
}
if h.canViewClientSecret(c, profile, summary) {
return summary
}
summary.ClientSecret = ""
return summary
}
func (h *DevHandler) canViewClientRelations(c *fiber.Ctx, profile *domain.UserProfileResponse, summary clientSummary) bool { func (h *DevHandler) canViewClientRelations(c *fiber.Ctx, profile *domain.UserProfileResponse, summary clientSummary) bool {
if h.canOperateClientByPermit(c, profile, summary, "view_relationships") { if h.canOperateClientByPermit(c, profile, summary, "view_relationships") {
return true return true
@@ -474,7 +501,11 @@ func resolveClientTenantID(summary clientSummary) string {
} }
func isRPAdminClientAllowed(profile *domain.UserProfileResponse, clientID string) bool { func isRPAdminClientAllowed(profile *domain.UserProfileResponse, clientID string) bool {
if normalizeUserRole(profileRole(profile)) != domain.RoleRPAdmin { role := normalizeUserRole(profileRole(profile))
if role == domain.RoleUser {
return false
}
if role != domain.RoleRPAdmin {
return true return true
} }
allowed := managedClientIDsFromProfile(profile) allowed := managedClientIDsFromProfile(profile)
@@ -665,7 +696,11 @@ func (h *DevHandler) SearchUsers(c *fiber.Ctx) error {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required") return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
} }
if !isDevConsoleRoleAllowed(normalizeUserRole(profile.Role)) { if !isDevConsoleRoleAllowed(normalizeUserRole(profile.Role)) {
return errorJSON(c, fiber.StatusForbidden, "forbidden") clientID := strings.TrimSpace(c.Query("clientId"))
summary, err := h.loadClientSummary(c.Context(), clientID)
if clientID == "" || err != nil || !h.canManageClientRelations(c, profile, summary) {
return errorJSON(c, fiber.StatusForbidden, "forbidden")
}
} }
if h.KratosAdmin == nil { if h.KratosAdmin == nil {
return errorJSON(c, fiber.StatusServiceUnavailable, "kratos admin unavailable") return errorJSON(c, fiber.StatusServiceUnavailable, "kratos admin unavailable")
@@ -993,7 +1028,7 @@ func (h *DevHandler) ListClients(c *fiber.Ctx) error {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required") return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
} }
role := normalizeUserRole(profile.Role) role := normalizeUserRole(profile.Role)
if !isDevConsoleViewerRole(role) { if !isDevConsoleRoleAllowed(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden") return errorJSON(c, fiber.StatusForbidden, "forbidden")
} }
@@ -1054,7 +1089,7 @@ func (h *DevHandler) ListClients(c *fiber.Ctx) error {
continue continue
} }
items = append(items, summary) items = append(items, h.redactClientSecretUnlessAllowed(c, profile, summary))
} }
return c.JSON(clientListResponse{ return c.JSON(clientListResponse{
@@ -1240,6 +1275,7 @@ func (h *DevHandler) GetClient(c *fiber.Ctx) error {
} }
cacheState, _ := h.publicHeadlessJWKSCacheState(summary.ID) cacheState, _ := h.publicHeadlessJWKSCacheState(summary.ID)
summary = h.redactClientSecretUnlessAllowed(c, profile, summary)
return c.JSON(clientDetailResponse{ return c.JSON(clientDetailResponse{
Client: summary, Client: summary,
@@ -1318,17 +1354,17 @@ func (h *DevHandler) UpdateClientStatus(c *fiber.Ctx) error {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required") return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
} }
role := normalizeUserRole(profile.Role) role := normalizeUserRole(profile.Role)
if !isDevConsoleRoleAllowed(role) { if !isDevConsoleViewerRole(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden") return errorJSON(c, fiber.StatusForbidden, "forbidden")
} }
if !canAccessClientByLegacyScope(profile, summary) && !h.canOperateClientByPermit(c, profile, summary, "change_status") { canChangeStatusByPermit := h.canOperateClientByPermit(c, profile, summary, "change_status")
if !canAccessClientByLegacyScope(profile, summary) && !canChangeStatusByPermit {
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client") return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
} }
if summary.Type == "private" { if summary.Type == "private" && !h.canBypassPrivateClientRestriction(c, profile, summary, "change_status") {
isAppManager, _ := h.checkAppManagerPermission(c) if !canChangeStatusByPermit {
if !isAppManager {
return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client") return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client")
} }
} }
@@ -1352,6 +1388,7 @@ func (h *DevHandler) UpdateClientStatus(c *fiber.Ctx) error {
} }
updatedSummary := h.mapClientSummary(*updated) updatedSummary := h.mapClientSummary(*updated)
updatedSummary = h.redactClientSecretUnlessAllowed(c, profile, updatedSummary)
cacheState, _ := h.publicHeadlessJWKSCacheState(updatedSummary.ID) cacheState, _ := h.publicHeadlessJWKSCacheState(updatedSummary.ID)
return c.JSON(clientDetailResponse{ return c.JSON(clientDetailResponse{
Client: updatedSummary, Client: updatedSummary,
@@ -1566,7 +1603,7 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required") return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
} }
role := normalizeUserRole(profile.Role) role := normalizeUserRole(profile.Role)
if !isDevConsoleRoleAllowed(role) { if !isDevConsoleViewerRole(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden") return errorJSON(c, fiber.StatusForbidden, "forbidden")
} }
@@ -1584,11 +1621,7 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error {
// [Security] Check permission for private clients (both current and new type) // [Security] Check permission for private clients (both current and new type)
if currentSummary.Type == "private" || clientType == "private" { if currentSummary.Type == "private" || clientType == "private" {
isAppManager, err := h.checkAppManagerPermission(c) if !h.canBypassPrivateClientRestriction(c, profile, currentSummary, "edit_config") {
if err != nil {
return errorJSON(c, fiber.StatusInternalServerError, "permission check error")
}
if !isAppManager {
return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client") return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client")
} }
} }
@@ -1736,7 +1769,7 @@ func (h *DevHandler) DeleteClient(c *fiber.Ctx) error {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required") return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
} }
role := normalizeUserRole(profile.Role) role := normalizeUserRole(profile.Role)
if !isDevConsoleRoleAllowed(role) { if !isDevConsoleViewerRole(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden") return errorJSON(c, fiber.StatusForbidden, "forbidden")
} }
@@ -1746,8 +1779,7 @@ func (h *DevHandler) DeleteClient(c *fiber.Ctx) error {
// [Security] Check permission for private clients // [Security] Check permission for private clients
if summary.Type == "private" { if summary.Type == "private" {
isAppManager, _ := h.checkAppManagerPermission(c) if !h.canBypassPrivateClientRestriction(c, profile, summary, "manage") {
if !isAppManager {
return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client") return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client")
} }
} }
@@ -1986,7 +2018,7 @@ func (h *DevHandler) RotateClientSecret(c *fiber.Ctx) error {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required") return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
} }
role := normalizeUserRole(profile.Role) role := normalizeUserRole(profile.Role)
if !isDevConsoleRoleAllowed(role) { if !isDevConsoleViewerRole(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden") return errorJSON(c, fiber.StatusForbidden, "forbidden")
} }
@@ -1997,8 +2029,7 @@ func (h *DevHandler) RotateClientSecret(c *fiber.Ctx) error {
// [Security] Check permission for private clients // [Security] Check permission for private clients
if summary.Type == "private" { if summary.Type == "private" {
isAppManager, _ := h.checkAppManagerPermission(c) if !h.canBypassPrivateClientRestriction(c, profile, summary, "rotate_secret") {
if !isAppManager {
return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client") return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client")
} }
} }
@@ -2076,7 +2107,7 @@ func (h *DevHandler) RefreshHeadlessJWKSCache(c *fiber.Ctx) error {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required") return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
} }
role := normalizeUserRole(profile.Role) role := normalizeUserRole(profile.Role)
if !isDevConsoleRoleAllowed(role) { if !isDevConsoleViewerRole(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden") return errorJSON(c, fiber.StatusForbidden, "forbidden")
} }
if !canAccessClientByLegacyScope(profile, summary) && !h.canOperateClientByPermit(c, profile, summary, "operate_jwks") { if !canAccessClientByLegacyScope(profile, summary) && !h.canOperateClientByPermit(c, profile, summary, "operate_jwks") {
@@ -2141,18 +2172,10 @@ func (h *DevHandler) RevokeHeadlessJWKSCache(c *fiber.Ctx) error {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required") return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
} }
role := normalizeUserRole(profile.Role) role := normalizeUserRole(profile.Role)
if !isDevConsoleRoleAllowed(role) { if !isDevConsoleViewerRole(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden") return errorJSON(c, fiber.StatusForbidden, "forbidden")
} }
isSuperAdmin := role == domain.RoleSuperAdmin if !canAccessClientByLegacyScope(profile, summary) && !h.canOperateClientByPermit(c, profile, summary, "operate_jwks") {
userTenantID := tenantIDFromProfile(profile)
if !isSuperAdmin {
clientTenantID := resolveClientTenantID(summary)
if clientTenantID != userTenantID {
return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant")
}
}
if !isRPAdminClientAllowed(profile, summary.ID) {
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client") return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
} }

View File

@@ -17,6 +17,8 @@ import (
func TestDevHandler_Isolation(t *testing.T) { func TestDevHandler_Isolation(t *testing.T) {
mockKeto := new(devMockKetoService) mockKeto := new(devMockKetoService)
// Default Mock behavior: deny everything unless explicitly allowed
mockKeto.On("CheckPermission", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(false, nil).Maybe()
h := &DevHandler{ h := &DevHandler{
Hydra: &service.HydraAdminService{ Hydra: &service.HydraAdminService{
@@ -72,7 +74,6 @@ func TestDevHandler_Isolation(t *testing.T) {
req.Header.Set("Origin", "http://localhost:5174") req.Header.Set("Origin", "http://localhost:5174")
resp, _ := app.Test(req, -1) resp, _ := app.Test(req, -1)
// We expect 401 now because ListClients enforces authentication.
assert.Equal(t, http.StatusUnauthorized, resp.StatusCode) assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
}) })
@@ -89,7 +90,8 @@ func TestDevHandler_Isolation(t *testing.T) {
}) })
app.Get("/api/v1/dev/clients", h.ListClients) app.Get("/api/v1/dev/clients", h.ListClients)
mockKeto.On("CheckPermission", mock.Anything, "user-a", "System", "global", "manage_all").Return(true, nil) // Explicit permission for private client check bypass
mockKeto.On("CheckPermission", mock.Anything, "User:user-a", "System", "global", "manage_all").Return(true, nil).Once()
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil) req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil)
resp, _ := app.Test(req, -1) resp, _ := app.Test(req, -1)
@@ -100,17 +102,17 @@ func TestDevHandler_Isolation(t *testing.T) {
} }
json.NewDecoder(resp.Body).Decode(&res) json.NewDecoder(resp.Body).Decode(&res)
// Should only see client-tenant-a // Should only see client-tenant-a (tenant isolation)
assert.Equal(t, 1, len(res.Items)) assert.Equal(t, 1, len(res.Items))
assert.Equal(t, "client-tenant-a", res.Items[0].ID) assert.Equal(t, "client-tenant-a", res.Items[0].ID)
}) })
t.Run("Tenant member should be forbidden from DevFront clients", func(t *testing.T) { t.Run("Tenant member should see empty list from DevFront clients if no relation", func(t *testing.T) {
app := fiber.New() app := fiber.New()
tenantA := "tenant-a" tenantA := "tenant-a"
app.Use(func(c *fiber.Ctx) error { app.Use(func(c *fiber.Ctx) error {
c.Locals("user_profile", &domain.UserProfileResponse{ c.Locals("user_profile", &domain.UserProfileResponse{
ID: "user-a", ID: "user-member",
Role: domain.RoleUser, Role: domain.RoleUser,
TenantID: &tenantA, TenantID: &tenantA,
}) })
@@ -120,7 +122,14 @@ func TestDevHandler_Isolation(t *testing.T) {
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil) req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil)
resp, _ := app.Test(req, -1) resp, _ := app.Test(req, -1)
assert.Equal(t, http.StatusForbidden, resp.StatusCode) assert.Equal(t, http.StatusOK, resp.StatusCode)
var res struct {
Items []clientSummary `json:"items"`
}
json.NewDecoder(resp.Body).Decode(&res)
// Empty list because we didn't mock any specific 'view' permissions for this user
assert.Equal(t, 0, len(res.Items))
}) })
t.Run("RP Admin should only see managed clients", func(t *testing.T) { t.Run("RP Admin should only see managed clients", func(t *testing.T) {

View File

@@ -357,6 +357,83 @@ func TestUpdateClient_ReservedSystemNameForbidden(t *testing.T) {
assert.Equal(t, http.StatusForbidden, resp.StatusCode) assert.Equal(t, http.StatusForbidden, resp.StatusCode)
} }
func TestUpdateClient_PrivateClientAllowedByEditConfigPermission(t *testing.T) {
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
return httpJSONAny(r, http.StatusOK, map[string]any{
"client_id": "client-1",
"client_name": "App One",
"redirect_uris": []string{
"http://localhost/cb",
},
"grant_types": []string{"authorization_code", "refresh_token"},
"response_types": []string{"code"},
"scope": "openid profile email offline_access",
"token_endpoint_auth_method": "client_secret_basic",
"metadata": map[string]any{
"status": "active",
"tenant_id": "tenant-1",
},
}), nil
}
if r.Method == http.MethodPut && r.URL.Path == "/clients/client-1" {
return httpJSONAny(r, http.StatusOK, map[string]any{
"client_id": "client-1",
"client_name": "App One Updated",
"redirect_uris": []string{
"http://localhost/cb",
},
"grant_types": []string{"authorization_code", "refresh_token"},
"response_types": []string{"code"},
"scope": "openid profile email offline_access",
"token_endpoint_auth_method": "client_secret_basic",
"metadata": map[string]any{
"status": "active",
"tenant_id": "tenant-1",
},
}), nil
}
return httpJSONAny(r, http.StatusNotFound, nil), nil
})
mockKeto := new(devMockKetoService)
mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "edit_config").Return(true, nil)
h := &DevHandler{
Hydra: &service.HydraAdminService{
AdminURL: "http://hydra.test",
HTTPClient: &http.Client{Transport: transport},
},
Keto: mockKeto,
}
app := fiber.New()
tenantID := "tenant-1"
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_profile", &domain.UserProfileResponse{
ID: "user-1",
Role: domain.RoleUser,
TenantID: &tenantID,
})
return c.Next()
})
app.Put("/api/v1/dev/clients/:id", h.UpdateClient)
body, _ := json.Marshal(map[string]any{
"name": "App One Updated",
})
req := httptest.NewRequest(http.MethodPut, "/api/v1/dev/clients/client-1", bytes.NewReader(body))
req.Header.Set("Content-Type", "application/json")
resp, _ := app.Test(req, -1)
assert.Equal(t, http.StatusOK, resp.StatusCode)
var result clientDetailResponse
_ = json.NewDecoder(resp.Body).Decode(&result)
assert.Equal(t, "App One Updated", result.Client.Name)
mockKeto.AssertExpectations(t)
}
func TestListClients_ProtectedSystemClientHidden(t *testing.T) { func TestListClients_ProtectedSystemClientHidden(t *testing.T) {
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) { transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
if r.URL.Path == "/clients" { if r.URL.Path == "/clients" {
@@ -511,6 +588,65 @@ func TestUpdateClientStatus_Success(t *testing.T) {
assert.Equal(t, "inactive", res.Client.Status) assert.Equal(t, "inactive", res.Client.Status)
} }
func TestUpdateClientStatus_UserAllowedByStatusPermission(t *testing.T) {
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
return httpJSONAny(r, http.StatusOK, map[string]interface{}{
"client_id": "client-1",
"client_name": "App One",
"metadata": map[string]interface{}{
"tenant_id": "tenant-1",
"status": "active",
},
}), nil
}
if r.Method == http.MethodPatch && r.URL.Path == "/clients/client-1" {
return httpJSONAny(r, http.StatusOK, map[string]interface{}{
"client_id": "client-1",
"client_name": "App One",
"metadata": map[string]interface{}{
"tenant_id": "tenant-1",
"status": "inactive",
},
}), nil
}
return httpJSONAny(r, http.StatusNotFound, nil), nil
})
mockKeto := new(devMockKetoService)
mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "change_status").Return(true, nil)
h := &DevHandler{
Hydra: &service.HydraAdminService{
AdminURL: "http://hydra.test",
HTTPClient: &http.Client{Transport: transport},
},
Keto: mockKeto,
}
app := fiber.New()
tenantID := "tenant-1"
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_profile", &domain.UserProfileResponse{
ID: "user-1",
Role: domain.RoleUser,
TenantID: &tenantID,
})
return c.Next()
})
app.Patch("/api/v1/dev/clients/:id/status", h.UpdateClientStatus)
body, _ := json.Marshal(map[string]interface{}{"status": "inactive"})
req := httptest.NewRequest(http.MethodPatch, "/api/v1/dev/clients/client-1/status", bytes.NewReader(body))
req.Header.Set("Content-Type", "application/json")
resp, _ := app.Test(req, -1)
assert.Equal(t, http.StatusOK, resp.StatusCode)
var res clientDetailResponse
_ = json.NewDecoder(resp.Body).Decode(&res)
assert.Equal(t, "inactive", res.Client.Status)
mockKeto.AssertExpectations(t)
}
func TestUpdateClientStatus_ProtectedSystemClientForbidden(t *testing.T) { func TestUpdateClientStatus_ProtectedSystemClientForbidden(t *testing.T) {
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) { transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
if r.Method == http.MethodGet && r.URL.Path == "/clients/oathkeeper-introspect" { if r.Method == http.MethodGet && r.URL.Path == "/clients/oathkeeper-introspect" {
@@ -690,6 +826,106 @@ func TestGetClient_RPAdminAllowedByKetoViewPermission(t *testing.T) {
mockKeto.AssertExpectations(t) mockKeto.AssertExpectations(t)
} }
func TestGetClient_RedactsSecretWithoutViewSecretPermission(t *testing.T) {
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
return httpJSONAny(r, http.StatusOK, map[string]interface{}{
"client_id": "client-1",
"client_name": "App One",
"client_secret": "stored-secret",
"metadata": map[string]interface{}{
"tenant_id": "tenant-1",
"status": "active",
},
}), nil
}
return httpJSONAny(r, http.StatusNotFound, nil), nil
})
mockKeto := new(devMockKetoService)
mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "Tenant", "tenant-1", "view_dev_console").Return(false, nil)
mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "view").Return(true, nil)
mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "view_secret").Return(false, nil)
h := &DevHandler{
Hydra: &service.HydraAdminService{
AdminURL: "http://hydra.test",
HTTPClient: &http.Client{Transport: transport},
},
Keto: mockKeto,
}
app := fiber.New()
tenantID := "tenant-1"
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_profile", &domain.UserProfileResponse{
ID: "user-1",
Role: domain.RoleUser,
TenantID: &tenantID,
})
return c.Next()
})
app.Get("/api/v1/dev/clients/:id", h.GetClient)
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients/client-1", nil)
resp, _ := app.Test(req, -1)
assert.Equal(t, http.StatusOK, resp.StatusCode)
var result clientDetailResponse
_ = json.NewDecoder(resp.Body).Decode(&result)
assert.Empty(t, result.Client.ClientSecret)
mockKeto.AssertExpectations(t)
}
func TestGetClient_UserAllowedToViewSecretByPermission(t *testing.T) {
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
return httpJSONAny(r, http.StatusOK, map[string]interface{}{
"client_id": "client-1",
"client_name": "App One",
"client_secret": "stored-secret",
"metadata": map[string]interface{}{
"tenant_id": "tenant-1",
"status": "active",
},
}), nil
}
return httpJSONAny(r, http.StatusNotFound, nil), nil
})
mockKeto := new(devMockKetoService)
mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "Tenant", "tenant-1", "view_dev_console").Return(false, nil)
mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "view").Return(true, nil)
mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "view_secret").Return(true, nil)
h := &DevHandler{
Hydra: &service.HydraAdminService{
AdminURL: "http://hydra.test",
HTTPClient: &http.Client{Transport: transport},
},
Keto: mockKeto,
}
app := fiber.New()
tenantID := "tenant-1"
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_profile", &domain.UserProfileResponse{
ID: "user-1",
Role: domain.RoleUser,
TenantID: &tenantID,
})
return c.Next()
})
app.Get("/api/v1/dev/clients/:id", h.GetClient)
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients/client-1", nil)
resp, _ := app.Test(req, -1)
assert.Equal(t, http.StatusOK, resp.StatusCode)
var result clientDetailResponse
_ = json.NewDecoder(resp.Body).Decode(&result)
assert.Equal(t, "stored-secret", result.Client.ClientSecret)
mockKeto.AssertExpectations(t)
}
func TestRotateClientSecret_Success(t *testing.T) { func TestRotateClientSecret_Success(t *testing.T) {
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) { transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" { if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
@@ -1505,7 +1741,7 @@ func TestListClientRelations_RPAdminAllowedByViewRelationshipsPermission(t *test
mockKeto.On("ListRelations", mock.Anything, "RelyingParty", "client-1", "config_editor", "").Return([]service.RelationTuple{ mockKeto.On("ListRelations", mock.Anything, "RelyingParty", "client-1", "config_editor", "").Return([]service.RelationTuple{
{Object: "client-1", Relation: "config_editor", SubjectID: "User:user-2"}, {Object: "client-1", Relation: "config_editor", SubjectID: "User:user-2"},
}, nil) }, nil)
for _, relation := range []string{"admins", "creator", "secret_rotator", "jwks_viewer", "jwks_operator", "consent_viewer", "consent_revoker", "relationship_viewer", "audit_viewer", "status_operator"} { for _, relation := range []string{"admins", "creator", "secret_viewer", "secret_rotator", "jwks_viewer", "jwks_operator", "consent_viewer", "consent_revoker", "relationship_viewer", "audit_viewer", "status_operator"} {
mockKeto.On("ListRelations", mock.Anything, "RelyingParty", "client-1", relation, "").Return([]service.RelationTuple{}, nil) mockKeto.On("ListRelations", mock.Anything, "RelyingParty", "client-1", relation, "").Return([]service.RelationTuple{}, nil)
} }
mockKratos := new(devMockKratosAdmin) mockKratos := new(devMockKratosAdmin)
@@ -1724,3 +1960,69 @@ func TestSearchUsers_RPAdminSearchByNameOrEmailWithinTenantScope(t *testing.T) {
assert.Equal(t, "alice@example.com", result.Items[0].Email) assert.Equal(t, "alice@example.com", result.Items[0].Email)
mockKratos.AssertExpectations(t) mockKratos.AssertExpectations(t)
} }
func TestSearchUsers_UserAllowedByRPAdminRelation(t *testing.T) {
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
return httpJSONAny(r, http.StatusOK, map[string]any{
"client_id": "client-1",
"client_name": "App One",
"metadata": map[string]any{
"tenant_id": "tenant-1",
"status": "active",
},
}), nil
}
return httpJSONAny(r, http.StatusNotFound, nil), nil
})
mockKeto := new(devMockKetoService)
mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "manage").Return(true, nil)
mockKratos := new(devMockKratosAdmin)
mockKratos.On("ListIdentities", mock.Anything).Return([]service.KratosIdentity{
{
ID: "target-user",
Traits: map[string]interface{}{
"name": "김용연",
"email": "kyy@example.com",
"id": "kyy01",
"tenant_id": "tenant-1",
},
},
}, nil)
h := &DevHandler{
Hydra: &service.HydraAdminService{
AdminURL: "http://hydra.test",
HTTPClient: &http.Client{Transport: transport},
},
Keto: mockKeto,
KratosAdmin: mockKratos,
}
app := fiber.New()
tenantID := "tenant-1"
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_profile", &domain.UserProfileResponse{
ID: "user-1",
Role: domain.RoleUser,
TenantID: &tenantID,
})
return c.Next()
})
app.Get("/api/v1/dev/users", h.SearchUsers)
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/users?clientId=client-1&search=김용연", nil)
resp, _ := app.Test(req, -1)
assert.Equal(t, http.StatusOK, resp.StatusCode)
var result devUserListResponse
_ = json.NewDecoder(resp.Body).Decode(&result)
if assert.Len(t, result.Items, 1) {
assert.Equal(t, "target-user", result.Items[0].ID)
assert.Equal(t, "김용연", result.Items[0].Name)
}
mockKeto.AssertExpectations(t)
mockKratos.AssertExpectations(t)
}

View File

@@ -29,6 +29,7 @@ var defaultRelyingPartyOperatorRelations = []string{
"admins", "admins",
"creator", "creator",
"config_editor", "config_editor",
"secret_viewer",
"secret_rotator", "secret_rotator",
"jwks_viewer", "jwks_viewer",
"jwks_operator", "jwks_operator",

View File

@@ -30,7 +30,7 @@ export function ForbiddenMessage({ resourceToken }: Props) {
} else if (role === "user" || role === "tenant_member") { } else if (role === "user" || role === "tenant_member") {
explanation = t( explanation = t(
"msg.dev.forbidden.user", "msg.dev.forbidden.user",
"일반 사용자는 관리자 화면에 접근할 수 습니다.", "일반 사용자 계정은 담당 RP(앱) 관리자 권한이 부여된 경우에만 해당 기능을 사용할 수 습니다. 권한이 필요하면 관리자에게 요청하세요.",
); );
} }

View File

@@ -37,6 +37,7 @@ import { ClientDetailTabs } from "./ClientDetailTabs";
const relationOptions = [ const relationOptions = [
"admins", "admins",
"config_editor", "config_editor",
"secret_viewer",
"secret_rotator", "secret_rotator",
"jwks_viewer", "jwks_viewer",
"jwks_operator", "jwks_operator",
@@ -78,7 +79,6 @@ function ClientRelationsPage() {
null, null,
); );
const [isSearchOpen, setIsSearchOpen] = useState(false); const [isSearchOpen, setIsSearchOpen] = useState(false);
const { data: clientData } = useQuery({ const { data: clientData } = useQuery({
queryKey: ["client", clientId], queryKey: ["client", clientId],
queryFn: () => fetchClient(clientId), queryFn: () => fetchClient(clientId),
@@ -95,13 +95,21 @@ function ClientRelationsPage() {
enabled: clientId.length > 0, enabled: clientId.length > 0,
}); });
const isRelationshipViewForbidden =
(error as AxiosError | null)?.response?.status === 403;
const relationshipViewForbiddenMessage = t(
"msg.dev.clients.relationships.view_forbidden",
"이 RP의 관계를 조회할 권한이 없습니다. 관리자에게 관계 조회 또는 RP 관리자 관계 부여를 요청해 주세요.",
);
const { data: userSearchData, isFetching: isUserSearchLoading } = useQuery({ const { data: userSearchData, isFetching: isUserSearchLoading } = useQuery({
queryKey: ["dev-users", deferredUserSearch], queryKey: ["dev-users", deferredUserSearch],
queryFn: () => fetchDevUsers(deferredUserSearch), queryFn: () => fetchDevUsers(deferredUserSearch, 10, clientId),
enabled: enabled:
clientId.length > 0 && clientId.length > 0 &&
deferredUserSearch.length > 0 && deferredUserSearch.length > 0 &&
selectedUser == null, selectedUser == null &&
!isRelationshipViewForbidden,
}); });
const sortedItems = useMemo(() => { const sortedItems = useMemo(() => {
@@ -342,147 +350,156 @@ function ClientRelationsPage() {
</CardDescription> </CardDescription>
</CardHeader> </CardHeader>
<CardContent className="space-y-6"> <CardContent className="space-y-6">
<div className="space-y-2"> {isRelationshipViewForbidden ? (
<Label htmlFor="user-search-input"> <div className="rounded-md border border-border bg-muted/30 p-4 text-sm text-muted-foreground">
{t("ui.dev.clients.relationships.user_search", "사용자")} {relationshipViewForbiddenMessage}
</Label> </div>
<div className="relative"> ) : (
<Input <>
id="user-search-input" <div className="space-y-2">
value={userSearch} <Label htmlFor="user-search-input">
onFocus={() => { {t("ui.dev.clients.relationships.user_search", "사용자")}
if (!selectedUser && userSearch.trim() !== "") { </Label>
setIsSearchOpen(true); <div className="relative">
} <Input
}} id="user-search-input"
onChange={(event) => { value={userSearch}
setSelectedUser(null); onFocus={() => {
setUserSearch(event.target.value); if (!selectedUser && userSearch.trim() !== "") {
setIsSearchOpen(true); setIsSearchOpen(true);
}} }
placeholder={t( }}
"ui.dev.clients.relationships.user_search_placeholder", onChange={(event) => {
"이름 또는 이메일 검색...", setSelectedUser(null);
)} setUserSearch(event.target.value);
/> setIsSearchOpen(true);
{isSearchOpen && }}
selectedUser == null && placeholder={t(
userSearch.trim() !== "" && ( "ui.dev.clients.relationships.user_search_placeholder",
<div className="absolute z-20 mt-2 max-h-64 w-full overflow-y-auto rounded-md border border-border bg-background shadow-lg"> "이름 또는 이메일 검색...",
{isUserSearchLoading ? ( )}
<div className="px-3 py-2 text-sm text-muted-foreground"> />
{t( {isSearchOpen &&
"msg.dev.clients.relationships.search_loading", selectedUser == null &&
"사용자를 찾는 중입니다...", userSearch.trim() !== "" && (
)} <div className="absolute z-20 mt-2 max-h-64 w-full overflow-y-auto rounded-md border border-border bg-background shadow-lg">
</div> {isUserSearchLoading ? (
) : (userSearchData?.items ?? []).length > 0 ? ( <div className="px-3 py-2 text-sm text-muted-foreground">
(userSearchData?.items ?? []).map((user) => ( {t(
<button "msg.dev.clients.relationships.search_loading",
key={user.id} "사용자를 찾는 중입니다...",
type="button" )}
className="flex w-full flex-col gap-1 px-3 py-2 text-left hover:bg-muted/40" </div>
onMouseDown={(event) => { ) : (userSearchData?.items ?? []).length > 0 ? (
event.preventDefault(); (userSearchData?.items ?? []).map((user) => (
handleSelectUser(user); <button
}} key={user.id}
> type="button"
<span className="text-sm font-semibold"> className="flex w-full flex-col gap-1 px-3 py-2 text-left hover:bg-muted/40"
{user.name || user.email} onMouseDown={(event) => {
</span> event.preventDefault();
<span className="text-xs text-muted-foreground"> handleSelectUser(user);
{user.email} }}
{user.loginId ? ` · ${user.loginId}` : ""} >
</span> <span className="text-sm font-semibold">
</button> {user.name || user.email}
)) </span>
) : ( <span className="text-xs text-muted-foreground">
<div className="px-3 py-2 text-sm text-muted-foreground"> {user.email}
{t( {user.loginId ? ` · ${user.loginId}` : ""}
"msg.dev.clients.relationships.search_empty", </span>
"검색 결과가 없습니다.", </button>
))
) : (
<div className="px-3 py-2 text-sm text-muted-foreground">
{t(
"msg.dev.clients.relationships.search_empty",
"검색 결과가 없습니다.",
)}
</div>
)} )}
</div> </div>
)} )}
</div> </div>
{selectedUser && (
<p className="text-xs text-muted-foreground">
{t(
"msg.dev.clients.relationships.selected_user",
"선택된 사용자: {{user}}",
{ user: formatUserLabel(selectedUser) },
)}
</p>
)} )}
</div> </div>
{selectedUser && (
<p className="text-xs text-muted-foreground">
{t(
"msg.dev.clients.relationships.selected_user",
"선택된 사용자: {{user}}",
{ user: formatUserLabel(selectedUser) },
)}
</p>
)}
</div>
<div className="space-y-3"> <div className="space-y-3">
<Label> <Label>
{t("ui.dev.clients.relationships.relation", "Relation")} {t("ui.dev.clients.relationships.relation", "Relation")}
</Label> </Label>
<div className="grid gap-3 md:grid-cols-2"> <div className="grid gap-3 md:grid-cols-2">
{relationOptions.map((relation) => { {relationOptions.map((relation) => {
const disabled = selectedUserExistingRelations.has(relation); const disabled =
const isSelected = selectedRelations.includes(relation); selectedUserExistingRelations.has(relation);
return ( const isSelected = selectedRelations.includes(relation);
<label return (
key={relation} <label
className={`flex gap-3 rounded-xl border p-4 transition-all ${ key={relation}
disabled className={`flex gap-3 rounded-xl border p-4 transition-all ${
? "border-border/60 bg-muted/30 opacity-60" disabled
: isSelected ? "border-border/60 bg-muted/30 opacity-60"
? "border-primary bg-primary/10 shadow-[0_0_0_1px_rgba(59,130,246,0.35)] ring-1 ring-primary/30" : isSelected
: "border-border bg-background hover:border-primary/40 hover:bg-muted/20" ? "border-primary bg-primary/10 shadow-[0_0_0_1px_rgba(59,130,246,0.35)] ring-1 ring-primary/30"
}`} : "border-border bg-background hover:border-primary/40 hover:bg-muted/20"
>
<input
type="checkbox"
className="mt-1 h-4 w-4 accent-primary"
checked={isSelected || disabled}
disabled={disabled}
onChange={() => handleRelationToggle(relation)}
/>
<div className="space-y-1">
<div
className={`text-sm font-semibold ${
isSelected && !disabled ? "text-primary" : ""
}`} }`}
> >
{relationLabel(relation)} <input
</div> type="checkbox"
<div className="text-xs text-muted-foreground"> className="mt-1 h-4 w-4 accent-primary"
{relationDescription(relation)} checked={isSelected || disabled}
</div> disabled={disabled}
<div onChange={() => handleRelationToggle(relation)}
className={`text-[11px] uppercase tracking-wide ${ />
isSelected && !disabled <div className="space-y-1">
? "text-primary/80" <div
: "text-muted-foreground/80" className={`text-sm font-semibold ${
}`} isSelected && !disabled ? "text-primary" : ""
> }`}
{relation} >
</div> {relationLabel(relation)}
</div> </div>
</label> <div className="text-xs text-muted-foreground">
); {relationDescription(relation)}
})} </div>
</div> <div
</div> className={`text-[11px] uppercase tracking-wide ${
isSelected && !disabled
? "text-primary/80"
: "text-muted-foreground/80"
}`}
>
{relation}
</div>
</div>
</label>
);
})}
</div>
</div>
<div className="flex justify-end"> <div className="flex justify-end">
<Button <Button
onClick={handleAdd} onClick={handleAdd}
disabled={addMutation.isPending} disabled={addMutation.isPending}
className="gap-2" className="gap-2"
> >
<Plus className="h-4 w-4" /> <Plus className="h-4 w-4" />
{addMutation.isPending {addMutation.isPending
? t("msg.common.loading", "Loading...") ? t("msg.common.loading", "Loading...")
: t("ui.dev.clients.relationships.add", "Add")} : t("ui.dev.clients.relationships.add", "Add")}
</Button> </Button>
</div> </div>
</>
)}
</CardContent> </CardContent>
</Card> </Card>
@@ -503,7 +520,11 @@ function ClientRelationsPage() {
</CardDescription> </CardDescription>
</CardHeader> </CardHeader>
<CardContent> <CardContent>
{error ? ( {isRelationshipViewForbidden ? (
<div className="rounded-md border border-border bg-muted/30 p-4 text-sm text-muted-foreground">
{relationshipViewForbiddenMessage}
</div>
) : error ? (
<div className="rounded-md border border-destructive/30 bg-destructive/5 p-4 text-sm text-destructive"> <div className="rounded-md border border-destructive/30 bg-destructive/5 p-4 text-sm text-destructive">
{t( {t(
"msg.dev.clients.relationships.load_error", "msg.dev.clients.relationships.load_error",

View File

@@ -202,11 +202,15 @@ export async function fetchClientRelations(clientId: string) {
return data; return data;
} }
export async function fetchDevUsers(search: string, limit = 10) { export async function fetchDevUsers(
search: string,
limit = 10,
clientId?: string,
) {
const { data } = await apiClient.get<DevAssignableUserListResponse>( const { data } = await apiClient.get<DevAssignableUserListResponse>(
"/dev/users", "/dev/users",
{ {
params: { search, limit }, params: { search, limit, clientId },
}, },
); );
return data; return data;

View File

@@ -388,8 +388,10 @@ list_description = "Lists operator relations directly assigned to this RP."
load_error = "Failed to load relationships: {{error}}" load_error = "Failed to load relationships: {{error}}"
loading = "Loading relationships..." loading = "Loading relationships..."
empty = "No direct relationships assigned." empty = "No direct relationships assigned."
view_forbidden = "You do not have permission to view relationships for this RP. Ask an administrator to grant Relationship Viewer or RP Admin relationship."
search_loading = "Searching users..." search_loading = "Searching users..."
search_empty = "No users found." search_empty = "No users found."
search_forbidden_user = "General users cannot use user search for relationship assignment."
selected_user = "Selected user: {{user}}" selected_user = "Selected user: {{user}}"
[msg.dev.clients.federation] [msg.dev.clients.federation]
@@ -1491,6 +1493,10 @@ description = "Marks the operator who created this RP."
label = "RP General Settings" label = "RP General Settings"
description = "Edit the name, redirect URIs, and general metadata." description = "Edit the name, redirect URIs, and general metadata."
[ui.dev.clients.relationships.option.secret_viewer]
label = "Secret View"
description = "View the Client secret for this RP."
[ui.dev.clients.relationships.option.secret_rotator] [ui.dev.clients.relationships.option.secret_rotator]
label = "Secret Rotation" label = "Secret Rotation"
description = "Rotate and reissue the client secret." description = "Rotate and reissue the client secret."

View File

@@ -388,8 +388,10 @@ list_description = "현재 RP에 직접 부여된 operator relation 목록입니
load_error = "관계 조회 실패: {{error}}" load_error = "관계 조회 실패: {{error}}"
loading = "관계를 불러오는 중입니다..." loading = "관계를 불러오는 중입니다..."
empty = "직접 부여된 관계가 없습니다." empty = "직접 부여된 관계가 없습니다."
view_forbidden = "이 RP의 관계를 조회할 권한이 없습니다. 관리자에게 관계 조회 또는 RP 관리자 관계 부여를 요청해 주세요."
search_loading = "사용자를 찾는 중입니다..." search_loading = "사용자를 찾는 중입니다..."
search_empty = "검색 결과가 없습니다." search_empty = "검색 결과가 없습니다."
search_forbidden_user = "일반 사용자는 관계 추가를 위한 사용자 검색을 사용할 수 없습니다."
selected_user = "선택된 사용자: {{user}}" selected_user = "선택된 사용자: {{user}}"
[msg.dev.clients.federation] [msg.dev.clients.federation]
@@ -1490,6 +1492,10 @@ description = "이 RP를 생성한 운영 주체를 표시합니다."
label = "RP 일반 설정" label = "RP 일반 설정"
description = "이름, Redirect URI, 메타데이터 같은 일반 설정을 수정합니다." description = "이름, Redirect URI, 메타데이터 같은 일반 설정을 수정합니다."
[ui.dev.clients.relationships.option.secret_viewer]
label = "시크릿 조회"
description = "이 RP의 Client secret을 조회합니다."
[ui.dev.clients.relationships.option.secret_rotator] [ui.dev.clients.relationships.option.secret_rotator]
label = "시크릿 재발급" label = "시크릿 재발급"
description = "Client secret 재발급과 회전을 수행합니다." description = "Client secret 재발급과 회전을 수행합니다."

View File

@@ -388,8 +388,10 @@ list_description = ""
load_error = "" load_error = ""
loading = "" loading = ""
empty = "" empty = ""
view_forbidden = ""
search_loading = "" search_loading = ""
search_empty = "" search_empty = ""
search_forbidden_user = ""
selected_user = "" selected_user = ""
[msg.dev.clients.federation] [msg.dev.clients.federation]
@@ -1490,6 +1492,10 @@ description = ""
label = "" label = ""
description = "" description = ""
[ui.dev.clients.relationships.option.secret_viewer]
label = ""
description = ""
[ui.dev.clients.relationships.option.secret_rotator] [ui.dev.clients.relationships.option.secret_rotator]
label = "" label = ""
description = "" description = ""

View File

@@ -63,6 +63,7 @@ class RelyingParty implements Namespace {
access: (User | SubjectSet<Tenant, "members"> | SubjectSet<System, "authenticated_users"> | SubjectSet<System, "super_admins">)[] access: (User | SubjectSet<Tenant, "members"> | SubjectSet<System, "authenticated_users"> | SubjectSet<System, "super_admins">)[]
creator: (User | SubjectSet<System, "super_admins">)[] creator: (User | SubjectSet<System, "super_admins">)[]
config_editor: (User | SubjectSet<System, "super_admins">)[] config_editor: (User | SubjectSet<System, "super_admins">)[]
secret_viewer: (User | SubjectSet<System, "super_admins">)[]
secret_rotator: (User | SubjectSet<System, "super_admins">)[] secret_rotator: (User | SubjectSet<System, "super_admins">)[]
jwks_viewer: (User | SubjectSet<System, "super_admins">)[] jwks_viewer: (User | SubjectSet<System, "super_admins">)[]
jwks_operator: (User | SubjectSet<System, "super_admins">)[] jwks_operator: (User | SubjectSet<System, "super_admins">)[]
@@ -77,6 +78,7 @@ class RelyingParty implements Namespace {
view: (ctx: Context): boolean => view: (ctx: Context): boolean =>
this.related.admins.includes(ctx.subject) || this.related.admins.includes(ctx.subject) ||
this.related.config_editor.includes(ctx.subject) || this.related.config_editor.includes(ctx.subject) ||
this.related.secret_viewer.includes(ctx.subject) ||
this.related.secret_rotator.includes(ctx.subject) || this.related.secret_rotator.includes(ctx.subject) ||
this.related.jwks_viewer.includes(ctx.subject) || this.related.jwks_viewer.includes(ctx.subject) ||
this.related.jwks_operator.includes(ctx.subject) || this.related.jwks_operator.includes(ctx.subject) ||
@@ -101,6 +103,11 @@ class RelyingParty implements Namespace {
this.related.config_editor.includes(ctx.subject) || this.related.config_editor.includes(ctx.subject) ||
this.permits.manage(ctx), this.permits.manage(ctx),
view_secret: (ctx: Context): boolean =>
this.related.secret_viewer.includes(ctx.subject) ||
this.permits.rotate_secret(ctx) ||
this.permits.manage(ctx),
rotate_secret: (ctx: Context): boolean => rotate_secret: (ctx: Context): boolean =>
this.related.secret_rotator.includes(ctx.subject) || this.related.secret_rotator.includes(ctx.subject) ||
this.permits.manage(ctx), this.permits.manage(ctx),

View File

@@ -25,8 +25,9 @@
| 화면 표시명 | Relation key | 의미 | 주요 허용 기능 | | 화면 표시명 | Relation key | 의미 | 주요 허용 기능 |
|---|---|---|---| |---|---|---|---|
| RP 관리자 | `admins` | RP 운영 전반을 관리할 수 있는 관리자 관계 | RP 조회, 설정 관리, secret 재발급, JWKS 운영, consent 조회/회수, 관계 조회, 감사 로그 조회, 상태 변경 | | RP 관리자 | `admins` | RP 운영 전반을 관리할 수 있는 관리자 관계 | RP 조회, 설정 관리, secret 조회/재발급, JWKS 운영, consent 조회/회수, 관계 조회, 감사 로그 조회, 상태 변경 |
| RP 일반 설정 | `config_editor` | RP 이름, Redirect URI, 메타데이터 같은 일반 설정을 수정할 수 있는 관계 | RP 조회, 일반 설정 수정 | | RP 일반 설정 | `config_editor` | RP 이름, Redirect URI, 메타데이터 같은 일반 설정을 수정할 수 있는 관계 | RP 조회, 일반 설정 수정 |
| 시크릿 조회 | `secret_viewer` | Client secret을 조회할 수 있는 관계 | RP 조회, client secret 조회 |
| 시크릿 재발급 | `secret_rotator` | Client secret 재발급과 rotation을 수행할 수 있는 관계 | RP 조회, client secret 재발급 | | 시크릿 재발급 | `secret_rotator` | Client secret 재발급과 rotation을 수행할 수 있는 관계 | RP 조회, client secret 재발급 |
| JWKS 조회 | `jwks_viewer` | JWKS 상태, 캐시 정보, key summary를 조회할 수 있는 관계 | RP 조회, JWKS 상태/캐시/key summary 조회 | | JWKS 조회 | `jwks_viewer` | JWKS 상태, 캐시 정보, key summary를 조회할 수 있는 관계 | RP 조회, JWKS 상태/캐시/key summary 조회 |
| JWKS 운영 | `jwks_operator` | JWKS refresh/revoke 같은 운영 작업을 수행할 수 있는 관계 | RP 조회, JWKS 조회, JWKS refresh/revoke | | JWKS 운영 | `jwks_operator` | JWKS refresh/revoke 같은 운영 작업을 수행할 수 있는 관계 | RP 조회, JWKS 조회, JWKS refresh/revoke |
@@ -42,10 +43,11 @@ Keto namespace 기준으로 relation은 다음 permit으로 계산된다.
| Permit | 허용 relation / 조건 | 기능 의미 | | Permit | 허용 relation / 조건 | 기능 의미 |
|---|---|---| |---|---|---|
| `view` | `admins`, `config_editor`, `secret_rotator`, `jwks_viewer`, `jwks_operator`, `consent_viewer`, `consent_revoker`, `relationship_viewer`, `audit_viewer`, `status_operator`, 부모 tenant의 `view` 또는 `view_dev_console` | RP 기본 조회 및 목록 노출 | | `view` | `admins`, `config_editor`, `secret_viewer`, `secret_rotator`, `jwks_viewer`, `jwks_operator`, `consent_viewer`, `consent_revoker`, `relationship_viewer`, `audit_viewer`, `status_operator`, 부모 tenant의 `view` 또는 `view_dev_console` | RP 기본 조회 및 목록 노출 |
| `manage` | `admins`, 부모 tenant의 `manage` | RP 관리 상위 권한 | | `manage` | `admins`, 부모 tenant의 `manage` | RP 관리 상위 권한 |
| `create` | `creator`, 부모 tenant의 `grant_dev_permissions`, `manage` | RP 생성. `creator`는 현재 수동 부여하지 않는 내부 relation이다. | | `create` | `creator`, 부모 tenant의 `grant_dev_permissions`, `manage` | RP 생성. `creator`는 현재 수동 부여하지 않는 내부 relation이다. |
| `edit_config` | `config_editor`, `manage` | RP 일반 설정 수정 | | `edit_config` | `config_editor`, `manage` | RP 일반 설정 수정 |
| `view_secret` | `secret_viewer`, `rotate_secret`, `manage` | client secret 조회 |
| `rotate_secret` | `secret_rotator`, `manage` | client secret 재발급/회전 | | `rotate_secret` | `secret_rotator`, `manage` | client secret 재발급/회전 |
| `view_jwks` | `jwks_viewer`, `operate_jwks`, `manage` | JWKS 상태/캐시/key summary 조회 | | `view_jwks` | `jwks_viewer`, `operate_jwks`, `manage` | JWKS 상태/캐시/key summary 조회 |
| `operate_jwks` | `jwks_operator`, `manage` | JWKS refresh/revoke | | `operate_jwks` | `jwks_operator`, `manage` | JWKS refresh/revoke |
@@ -138,6 +140,7 @@ RP 생성 시 `metadata.user_id`가 존재하면 생성자에게 기본 운영 r
- `admins` - `admins`
- `creator` - `creator`
- `config_editor` - `config_editor`
- `secret_viewer`
- `secret_rotator` - `secret_rotator`
- `jwks_viewer` - `jwks_viewer`
- `jwks_operator` - `jwks_operator`