forked from baron/baron-sso
일반 사용자의 DevFront 접근 및 RP 관리자 권한 연동
This commit is contained in:
@@ -199,6 +199,7 @@ var allowedRelyingPartyOperatorRelations = map[string]struct{}{
|
|||||||
"admins": {},
|
"admins": {},
|
||||||
"creator": {},
|
"creator": {},
|
||||||
"config_editor": {},
|
"config_editor": {},
|
||||||
|
"secret_viewer": {},
|
||||||
"secret_rotator": {},
|
"secret_rotator": {},
|
||||||
"jwks_viewer": {},
|
"jwks_viewer": {},
|
||||||
"jwks_operator": {},
|
"jwks_operator": {},
|
||||||
@@ -215,7 +216,7 @@ func normalizeUserRole(role string) string {
|
|||||||
|
|
||||||
func isDevConsoleRoleAllowed(role string) bool {
|
func isDevConsoleRoleAllowed(role string) bool {
|
||||||
switch normalizeUserRole(role) {
|
switch normalizeUserRole(role) {
|
||||||
case domain.RoleSuperAdmin, domain.RoleTenantAdmin, domain.RoleRPAdmin:
|
case domain.RoleSuperAdmin, domain.RoleTenantAdmin, domain.RoleRPAdmin, domain.RoleUser:
|
||||||
return true
|
return true
|
||||||
default:
|
default:
|
||||||
return false
|
return false
|
||||||
@@ -372,6 +373,32 @@ func (h *DevHandler) canOperateClientByPermit(c *fiber.Ctx, profile *domain.User
|
|||||||
return err == nil && allowed
|
return err == nil && allowed
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (h *DevHandler) canViewClientSecret(c *fiber.Ctx, profile *domain.UserProfileResponse, summary clientSummary) bool {
|
||||||
|
if canAccessClientByLegacyScope(profile, summary) {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
return h.canOperateClientByPermit(c, profile, summary, "view_secret")
|
||||||
|
}
|
||||||
|
|
||||||
|
func (h *DevHandler) canBypassPrivateClientRestriction(c *fiber.Ctx, profile *domain.UserProfileResponse, summary clientSummary, relation string) bool {
|
||||||
|
if h.canOperateClientByPermit(c, profile, summary, relation) {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
allowed, err := h.checkAppManagerPermission(c)
|
||||||
|
return err == nil && allowed
|
||||||
|
}
|
||||||
|
|
||||||
|
func (h *DevHandler) redactClientSecretUnlessAllowed(c *fiber.Ctx, profile *domain.UserProfileResponse, summary clientSummary) clientSummary {
|
||||||
|
if summary.ClientSecret == "" {
|
||||||
|
return summary
|
||||||
|
}
|
||||||
|
if h.canViewClientSecret(c, profile, summary) {
|
||||||
|
return summary
|
||||||
|
}
|
||||||
|
summary.ClientSecret = ""
|
||||||
|
return summary
|
||||||
|
}
|
||||||
|
|
||||||
func (h *DevHandler) canViewClientRelations(c *fiber.Ctx, profile *domain.UserProfileResponse, summary clientSummary) bool {
|
func (h *DevHandler) canViewClientRelations(c *fiber.Ctx, profile *domain.UserProfileResponse, summary clientSummary) bool {
|
||||||
if h.canOperateClientByPermit(c, profile, summary, "view_relationships") {
|
if h.canOperateClientByPermit(c, profile, summary, "view_relationships") {
|
||||||
return true
|
return true
|
||||||
@@ -474,7 +501,11 @@ func resolveClientTenantID(summary clientSummary) string {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func isRPAdminClientAllowed(profile *domain.UserProfileResponse, clientID string) bool {
|
func isRPAdminClientAllowed(profile *domain.UserProfileResponse, clientID string) bool {
|
||||||
if normalizeUserRole(profileRole(profile)) != domain.RoleRPAdmin {
|
role := normalizeUserRole(profileRole(profile))
|
||||||
|
if role == domain.RoleUser {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
if role != domain.RoleRPAdmin {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
allowed := managedClientIDsFromProfile(profile)
|
allowed := managedClientIDsFromProfile(profile)
|
||||||
@@ -665,7 +696,11 @@ func (h *DevHandler) SearchUsers(c *fiber.Ctx) error {
|
|||||||
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
|
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
|
||||||
}
|
}
|
||||||
if !isDevConsoleRoleAllowed(normalizeUserRole(profile.Role)) {
|
if !isDevConsoleRoleAllowed(normalizeUserRole(profile.Role)) {
|
||||||
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
clientID := strings.TrimSpace(c.Query("clientId"))
|
||||||
|
summary, err := h.loadClientSummary(c.Context(), clientID)
|
||||||
|
if clientID == "" || err != nil || !h.canManageClientRelations(c, profile, summary) {
|
||||||
|
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
||||||
|
}
|
||||||
}
|
}
|
||||||
if h.KratosAdmin == nil {
|
if h.KratosAdmin == nil {
|
||||||
return errorJSON(c, fiber.StatusServiceUnavailable, "kratos admin unavailable")
|
return errorJSON(c, fiber.StatusServiceUnavailable, "kratos admin unavailable")
|
||||||
@@ -993,7 +1028,7 @@ func (h *DevHandler) ListClients(c *fiber.Ctx) error {
|
|||||||
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
|
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
|
||||||
}
|
}
|
||||||
role := normalizeUserRole(profile.Role)
|
role := normalizeUserRole(profile.Role)
|
||||||
if !isDevConsoleViewerRole(role) {
|
if !isDevConsoleRoleAllowed(role) {
|
||||||
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1054,7 +1089,7 @@ func (h *DevHandler) ListClients(c *fiber.Ctx) error {
|
|||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
items = append(items, summary)
|
items = append(items, h.redactClientSecretUnlessAllowed(c, profile, summary))
|
||||||
}
|
}
|
||||||
|
|
||||||
return c.JSON(clientListResponse{
|
return c.JSON(clientListResponse{
|
||||||
@@ -1240,6 +1275,7 @@ func (h *DevHandler) GetClient(c *fiber.Ctx) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
cacheState, _ := h.publicHeadlessJWKSCacheState(summary.ID)
|
cacheState, _ := h.publicHeadlessJWKSCacheState(summary.ID)
|
||||||
|
summary = h.redactClientSecretUnlessAllowed(c, profile, summary)
|
||||||
|
|
||||||
return c.JSON(clientDetailResponse{
|
return c.JSON(clientDetailResponse{
|
||||||
Client: summary,
|
Client: summary,
|
||||||
@@ -1318,17 +1354,17 @@ func (h *DevHandler) UpdateClientStatus(c *fiber.Ctx) error {
|
|||||||
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
|
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
|
||||||
}
|
}
|
||||||
role := normalizeUserRole(profile.Role)
|
role := normalizeUserRole(profile.Role)
|
||||||
if !isDevConsoleRoleAllowed(role) {
|
if !isDevConsoleViewerRole(role) {
|
||||||
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
||||||
}
|
}
|
||||||
|
|
||||||
if !canAccessClientByLegacyScope(profile, summary) && !h.canOperateClientByPermit(c, profile, summary, "change_status") {
|
canChangeStatusByPermit := h.canOperateClientByPermit(c, profile, summary, "change_status")
|
||||||
|
if !canAccessClientByLegacyScope(profile, summary) && !canChangeStatusByPermit {
|
||||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
|
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
|
||||||
}
|
}
|
||||||
|
|
||||||
if summary.Type == "private" {
|
if summary.Type == "private" && !h.canBypassPrivateClientRestriction(c, profile, summary, "change_status") {
|
||||||
isAppManager, _ := h.checkAppManagerPermission(c)
|
if !canChangeStatusByPermit {
|
||||||
if !isAppManager {
|
|
||||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client")
|
return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -1352,6 +1388,7 @@ func (h *DevHandler) UpdateClientStatus(c *fiber.Ctx) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
updatedSummary := h.mapClientSummary(*updated)
|
updatedSummary := h.mapClientSummary(*updated)
|
||||||
|
updatedSummary = h.redactClientSecretUnlessAllowed(c, profile, updatedSummary)
|
||||||
cacheState, _ := h.publicHeadlessJWKSCacheState(updatedSummary.ID)
|
cacheState, _ := h.publicHeadlessJWKSCacheState(updatedSummary.ID)
|
||||||
return c.JSON(clientDetailResponse{
|
return c.JSON(clientDetailResponse{
|
||||||
Client: updatedSummary,
|
Client: updatedSummary,
|
||||||
@@ -1566,7 +1603,7 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error {
|
|||||||
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
|
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
|
||||||
}
|
}
|
||||||
role := normalizeUserRole(profile.Role)
|
role := normalizeUserRole(profile.Role)
|
||||||
if !isDevConsoleRoleAllowed(role) {
|
if !isDevConsoleViewerRole(role) {
|
||||||
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1584,11 +1621,7 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error {
|
|||||||
|
|
||||||
// [Security] Check permission for private clients (both current and new type)
|
// [Security] Check permission for private clients (both current and new type)
|
||||||
if currentSummary.Type == "private" || clientType == "private" {
|
if currentSummary.Type == "private" || clientType == "private" {
|
||||||
isAppManager, err := h.checkAppManagerPermission(c)
|
if !h.canBypassPrivateClientRestriction(c, profile, currentSummary, "edit_config") {
|
||||||
if err != nil {
|
|
||||||
return errorJSON(c, fiber.StatusInternalServerError, "permission check error")
|
|
||||||
}
|
|
||||||
if !isAppManager {
|
|
||||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client")
|
return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -1736,7 +1769,7 @@ func (h *DevHandler) DeleteClient(c *fiber.Ctx) error {
|
|||||||
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
|
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
|
||||||
}
|
}
|
||||||
role := normalizeUserRole(profile.Role)
|
role := normalizeUserRole(profile.Role)
|
||||||
if !isDevConsoleRoleAllowed(role) {
|
if !isDevConsoleViewerRole(role) {
|
||||||
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1746,8 +1779,7 @@ func (h *DevHandler) DeleteClient(c *fiber.Ctx) error {
|
|||||||
|
|
||||||
// [Security] Check permission for private clients
|
// [Security] Check permission for private clients
|
||||||
if summary.Type == "private" {
|
if summary.Type == "private" {
|
||||||
isAppManager, _ := h.checkAppManagerPermission(c)
|
if !h.canBypassPrivateClientRestriction(c, profile, summary, "manage") {
|
||||||
if !isAppManager {
|
|
||||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client")
|
return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -1986,7 +2018,7 @@ func (h *DevHandler) RotateClientSecret(c *fiber.Ctx) error {
|
|||||||
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
|
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
|
||||||
}
|
}
|
||||||
role := normalizeUserRole(profile.Role)
|
role := normalizeUserRole(profile.Role)
|
||||||
if !isDevConsoleRoleAllowed(role) {
|
if !isDevConsoleViewerRole(role) {
|
||||||
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1997,8 +2029,7 @@ func (h *DevHandler) RotateClientSecret(c *fiber.Ctx) error {
|
|||||||
|
|
||||||
// [Security] Check permission for private clients
|
// [Security] Check permission for private clients
|
||||||
if summary.Type == "private" {
|
if summary.Type == "private" {
|
||||||
isAppManager, _ := h.checkAppManagerPermission(c)
|
if !h.canBypassPrivateClientRestriction(c, profile, summary, "rotate_secret") {
|
||||||
if !isAppManager {
|
|
||||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client")
|
return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient permissions for private client")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -2076,7 +2107,7 @@ func (h *DevHandler) RefreshHeadlessJWKSCache(c *fiber.Ctx) error {
|
|||||||
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
|
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
|
||||||
}
|
}
|
||||||
role := normalizeUserRole(profile.Role)
|
role := normalizeUserRole(profile.Role)
|
||||||
if !isDevConsoleRoleAllowed(role) {
|
if !isDevConsoleViewerRole(role) {
|
||||||
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
||||||
}
|
}
|
||||||
if !canAccessClientByLegacyScope(profile, summary) && !h.canOperateClientByPermit(c, profile, summary, "operate_jwks") {
|
if !canAccessClientByLegacyScope(profile, summary) && !h.canOperateClientByPermit(c, profile, summary, "operate_jwks") {
|
||||||
@@ -2141,18 +2172,10 @@ func (h *DevHandler) RevokeHeadlessJWKSCache(c *fiber.Ctx) error {
|
|||||||
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
|
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
|
||||||
}
|
}
|
||||||
role := normalizeUserRole(profile.Role)
|
role := normalizeUserRole(profile.Role)
|
||||||
if !isDevConsoleRoleAllowed(role) {
|
if !isDevConsoleViewerRole(role) {
|
||||||
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
return errorJSON(c, fiber.StatusForbidden, "forbidden")
|
||||||
}
|
}
|
||||||
isSuperAdmin := role == domain.RoleSuperAdmin
|
if !canAccessClientByLegacyScope(profile, summary) && !h.canOperateClientByPermit(c, profile, summary, "operate_jwks") {
|
||||||
userTenantID := tenantIDFromProfile(profile)
|
|
||||||
if !isSuperAdmin {
|
|
||||||
clientTenantID := resolveClientTenantID(summary)
|
|
||||||
if clientTenantID != userTenantID {
|
|
||||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if !isRPAdminClientAllowed(profile, summary.ID) {
|
|
||||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
|
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -17,6 +17,8 @@ import (
|
|||||||
|
|
||||||
func TestDevHandler_Isolation(t *testing.T) {
|
func TestDevHandler_Isolation(t *testing.T) {
|
||||||
mockKeto := new(devMockKetoService)
|
mockKeto := new(devMockKetoService)
|
||||||
|
// Default Mock behavior: deny everything unless explicitly allowed
|
||||||
|
mockKeto.On("CheckPermission", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(false, nil).Maybe()
|
||||||
|
|
||||||
h := &DevHandler{
|
h := &DevHandler{
|
||||||
Hydra: &service.HydraAdminService{
|
Hydra: &service.HydraAdminService{
|
||||||
@@ -72,7 +74,6 @@ func TestDevHandler_Isolation(t *testing.T) {
|
|||||||
req.Header.Set("Origin", "http://localhost:5174")
|
req.Header.Set("Origin", "http://localhost:5174")
|
||||||
|
|
||||||
resp, _ := app.Test(req, -1)
|
resp, _ := app.Test(req, -1)
|
||||||
// We expect 401 now because ListClients enforces authentication.
|
|
||||||
assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
|
assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
|
||||||
})
|
})
|
||||||
|
|
||||||
@@ -89,7 +90,8 @@ func TestDevHandler_Isolation(t *testing.T) {
|
|||||||
})
|
})
|
||||||
app.Get("/api/v1/dev/clients", h.ListClients)
|
app.Get("/api/v1/dev/clients", h.ListClients)
|
||||||
|
|
||||||
mockKeto.On("CheckPermission", mock.Anything, "user-a", "System", "global", "manage_all").Return(true, nil)
|
// Explicit permission for private client check bypass
|
||||||
|
mockKeto.On("CheckPermission", mock.Anything, "User:user-a", "System", "global", "manage_all").Return(true, nil).Once()
|
||||||
|
|
||||||
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil)
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil)
|
||||||
resp, _ := app.Test(req, -1)
|
resp, _ := app.Test(req, -1)
|
||||||
@@ -100,17 +102,17 @@ func TestDevHandler_Isolation(t *testing.T) {
|
|||||||
}
|
}
|
||||||
json.NewDecoder(resp.Body).Decode(&res)
|
json.NewDecoder(resp.Body).Decode(&res)
|
||||||
|
|
||||||
// Should only see client-tenant-a
|
// Should only see client-tenant-a (tenant isolation)
|
||||||
assert.Equal(t, 1, len(res.Items))
|
assert.Equal(t, 1, len(res.Items))
|
||||||
assert.Equal(t, "client-tenant-a", res.Items[0].ID)
|
assert.Equal(t, "client-tenant-a", res.Items[0].ID)
|
||||||
})
|
})
|
||||||
|
|
||||||
t.Run("Tenant member should be forbidden from DevFront clients", func(t *testing.T) {
|
t.Run("Tenant member should see empty list from DevFront clients if no relation", func(t *testing.T) {
|
||||||
app := fiber.New()
|
app := fiber.New()
|
||||||
tenantA := "tenant-a"
|
tenantA := "tenant-a"
|
||||||
app.Use(func(c *fiber.Ctx) error {
|
app.Use(func(c *fiber.Ctx) error {
|
||||||
c.Locals("user_profile", &domain.UserProfileResponse{
|
c.Locals("user_profile", &domain.UserProfileResponse{
|
||||||
ID: "user-a",
|
ID: "user-member",
|
||||||
Role: domain.RoleUser,
|
Role: domain.RoleUser,
|
||||||
TenantID: &tenantA,
|
TenantID: &tenantA,
|
||||||
})
|
})
|
||||||
@@ -120,7 +122,14 @@ func TestDevHandler_Isolation(t *testing.T) {
|
|||||||
|
|
||||||
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil)
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil)
|
||||||
resp, _ := app.Test(req, -1)
|
resp, _ := app.Test(req, -1)
|
||||||
assert.Equal(t, http.StatusForbidden, resp.StatusCode)
|
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
||||||
|
|
||||||
|
var res struct {
|
||||||
|
Items []clientSummary `json:"items"`
|
||||||
|
}
|
||||||
|
json.NewDecoder(resp.Body).Decode(&res)
|
||||||
|
// Empty list because we didn't mock any specific 'view' permissions for this user
|
||||||
|
assert.Equal(t, 0, len(res.Items))
|
||||||
})
|
})
|
||||||
|
|
||||||
t.Run("RP Admin should only see managed clients", func(t *testing.T) {
|
t.Run("RP Admin should only see managed clients", func(t *testing.T) {
|
||||||
|
|||||||
@@ -357,6 +357,83 @@ func TestUpdateClient_ReservedSystemNameForbidden(t *testing.T) {
|
|||||||
assert.Equal(t, http.StatusForbidden, resp.StatusCode)
|
assert.Equal(t, http.StatusForbidden, resp.StatusCode)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestUpdateClient_PrivateClientAllowedByEditConfigPermission(t *testing.T) {
|
||||||
|
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
|
||||||
|
if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
|
||||||
|
return httpJSONAny(r, http.StatusOK, map[string]any{
|
||||||
|
"client_id": "client-1",
|
||||||
|
"client_name": "App One",
|
||||||
|
"redirect_uris": []string{
|
||||||
|
"http://localhost/cb",
|
||||||
|
},
|
||||||
|
"grant_types": []string{"authorization_code", "refresh_token"},
|
||||||
|
"response_types": []string{"code"},
|
||||||
|
"scope": "openid profile email offline_access",
|
||||||
|
"token_endpoint_auth_method": "client_secret_basic",
|
||||||
|
"metadata": map[string]any{
|
||||||
|
"status": "active",
|
||||||
|
"tenant_id": "tenant-1",
|
||||||
|
},
|
||||||
|
}), nil
|
||||||
|
}
|
||||||
|
if r.Method == http.MethodPut && r.URL.Path == "/clients/client-1" {
|
||||||
|
return httpJSONAny(r, http.StatusOK, map[string]any{
|
||||||
|
"client_id": "client-1",
|
||||||
|
"client_name": "App One Updated",
|
||||||
|
"redirect_uris": []string{
|
||||||
|
"http://localhost/cb",
|
||||||
|
},
|
||||||
|
"grant_types": []string{"authorization_code", "refresh_token"},
|
||||||
|
"response_types": []string{"code"},
|
||||||
|
"scope": "openid profile email offline_access",
|
||||||
|
"token_endpoint_auth_method": "client_secret_basic",
|
||||||
|
"metadata": map[string]any{
|
||||||
|
"status": "active",
|
||||||
|
"tenant_id": "tenant-1",
|
||||||
|
},
|
||||||
|
}), nil
|
||||||
|
}
|
||||||
|
return httpJSONAny(r, http.StatusNotFound, nil), nil
|
||||||
|
})
|
||||||
|
|
||||||
|
mockKeto := new(devMockKetoService)
|
||||||
|
mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "edit_config").Return(true, nil)
|
||||||
|
|
||||||
|
h := &DevHandler{
|
||||||
|
Hydra: &service.HydraAdminService{
|
||||||
|
AdminURL: "http://hydra.test",
|
||||||
|
HTTPClient: &http.Client{Transport: transport},
|
||||||
|
},
|
||||||
|
Keto: mockKeto,
|
||||||
|
}
|
||||||
|
|
||||||
|
app := fiber.New()
|
||||||
|
tenantID := "tenant-1"
|
||||||
|
app.Use(func(c *fiber.Ctx) error {
|
||||||
|
c.Locals("user_profile", &domain.UserProfileResponse{
|
||||||
|
ID: "user-1",
|
||||||
|
Role: domain.RoleUser,
|
||||||
|
TenantID: &tenantID,
|
||||||
|
})
|
||||||
|
return c.Next()
|
||||||
|
})
|
||||||
|
app.Put("/api/v1/dev/clients/:id", h.UpdateClient)
|
||||||
|
|
||||||
|
body, _ := json.Marshal(map[string]any{
|
||||||
|
"name": "App One Updated",
|
||||||
|
})
|
||||||
|
req := httptest.NewRequest(http.MethodPut, "/api/v1/dev/clients/client-1", bytes.NewReader(body))
|
||||||
|
req.Header.Set("Content-Type", "application/json")
|
||||||
|
|
||||||
|
resp, _ := app.Test(req, -1)
|
||||||
|
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
||||||
|
|
||||||
|
var result clientDetailResponse
|
||||||
|
_ = json.NewDecoder(resp.Body).Decode(&result)
|
||||||
|
assert.Equal(t, "App One Updated", result.Client.Name)
|
||||||
|
mockKeto.AssertExpectations(t)
|
||||||
|
}
|
||||||
|
|
||||||
func TestListClients_ProtectedSystemClientHidden(t *testing.T) {
|
func TestListClients_ProtectedSystemClientHidden(t *testing.T) {
|
||||||
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
|
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
|
||||||
if r.URL.Path == "/clients" {
|
if r.URL.Path == "/clients" {
|
||||||
@@ -511,6 +588,65 @@ func TestUpdateClientStatus_Success(t *testing.T) {
|
|||||||
assert.Equal(t, "inactive", res.Client.Status)
|
assert.Equal(t, "inactive", res.Client.Status)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestUpdateClientStatus_UserAllowedByStatusPermission(t *testing.T) {
|
||||||
|
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
|
||||||
|
if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
|
||||||
|
return httpJSONAny(r, http.StatusOK, map[string]interface{}{
|
||||||
|
"client_id": "client-1",
|
||||||
|
"client_name": "App One",
|
||||||
|
"metadata": map[string]interface{}{
|
||||||
|
"tenant_id": "tenant-1",
|
||||||
|
"status": "active",
|
||||||
|
},
|
||||||
|
}), nil
|
||||||
|
}
|
||||||
|
if r.Method == http.MethodPatch && r.URL.Path == "/clients/client-1" {
|
||||||
|
return httpJSONAny(r, http.StatusOK, map[string]interface{}{
|
||||||
|
"client_id": "client-1",
|
||||||
|
"client_name": "App One",
|
||||||
|
"metadata": map[string]interface{}{
|
||||||
|
"tenant_id": "tenant-1",
|
||||||
|
"status": "inactive",
|
||||||
|
},
|
||||||
|
}), nil
|
||||||
|
}
|
||||||
|
return httpJSONAny(r, http.StatusNotFound, nil), nil
|
||||||
|
})
|
||||||
|
|
||||||
|
mockKeto := new(devMockKetoService)
|
||||||
|
mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "change_status").Return(true, nil)
|
||||||
|
|
||||||
|
h := &DevHandler{
|
||||||
|
Hydra: &service.HydraAdminService{
|
||||||
|
AdminURL: "http://hydra.test",
|
||||||
|
HTTPClient: &http.Client{Transport: transport},
|
||||||
|
},
|
||||||
|
Keto: mockKeto,
|
||||||
|
}
|
||||||
|
app := fiber.New()
|
||||||
|
tenantID := "tenant-1"
|
||||||
|
app.Use(func(c *fiber.Ctx) error {
|
||||||
|
c.Locals("user_profile", &domain.UserProfileResponse{
|
||||||
|
ID: "user-1",
|
||||||
|
Role: domain.RoleUser,
|
||||||
|
TenantID: &tenantID,
|
||||||
|
})
|
||||||
|
return c.Next()
|
||||||
|
})
|
||||||
|
app.Patch("/api/v1/dev/clients/:id/status", h.UpdateClientStatus)
|
||||||
|
|
||||||
|
body, _ := json.Marshal(map[string]interface{}{"status": "inactive"})
|
||||||
|
req := httptest.NewRequest(http.MethodPatch, "/api/v1/dev/clients/client-1/status", bytes.NewReader(body))
|
||||||
|
req.Header.Set("Content-Type", "application/json")
|
||||||
|
resp, _ := app.Test(req, -1)
|
||||||
|
|
||||||
|
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
||||||
|
var res clientDetailResponse
|
||||||
|
_ = json.NewDecoder(resp.Body).Decode(&res)
|
||||||
|
assert.Equal(t, "inactive", res.Client.Status)
|
||||||
|
mockKeto.AssertExpectations(t)
|
||||||
|
}
|
||||||
|
|
||||||
func TestUpdateClientStatus_ProtectedSystemClientForbidden(t *testing.T) {
|
func TestUpdateClientStatus_ProtectedSystemClientForbidden(t *testing.T) {
|
||||||
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
|
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
|
||||||
if r.Method == http.MethodGet && r.URL.Path == "/clients/oathkeeper-introspect" {
|
if r.Method == http.MethodGet && r.URL.Path == "/clients/oathkeeper-introspect" {
|
||||||
@@ -690,6 +826,106 @@ func TestGetClient_RPAdminAllowedByKetoViewPermission(t *testing.T) {
|
|||||||
mockKeto.AssertExpectations(t)
|
mockKeto.AssertExpectations(t)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestGetClient_RedactsSecretWithoutViewSecretPermission(t *testing.T) {
|
||||||
|
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
|
||||||
|
if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
|
||||||
|
return httpJSONAny(r, http.StatusOK, map[string]interface{}{
|
||||||
|
"client_id": "client-1",
|
||||||
|
"client_name": "App One",
|
||||||
|
"client_secret": "stored-secret",
|
||||||
|
"metadata": map[string]interface{}{
|
||||||
|
"tenant_id": "tenant-1",
|
||||||
|
"status": "active",
|
||||||
|
},
|
||||||
|
}), nil
|
||||||
|
}
|
||||||
|
return httpJSONAny(r, http.StatusNotFound, nil), nil
|
||||||
|
})
|
||||||
|
|
||||||
|
mockKeto := new(devMockKetoService)
|
||||||
|
mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "Tenant", "tenant-1", "view_dev_console").Return(false, nil)
|
||||||
|
mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "view").Return(true, nil)
|
||||||
|
mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "view_secret").Return(false, nil)
|
||||||
|
|
||||||
|
h := &DevHandler{
|
||||||
|
Hydra: &service.HydraAdminService{
|
||||||
|
AdminURL: "http://hydra.test",
|
||||||
|
HTTPClient: &http.Client{Transport: transport},
|
||||||
|
},
|
||||||
|
Keto: mockKeto,
|
||||||
|
}
|
||||||
|
app := fiber.New()
|
||||||
|
tenantID := "tenant-1"
|
||||||
|
app.Use(func(c *fiber.Ctx) error {
|
||||||
|
c.Locals("user_profile", &domain.UserProfileResponse{
|
||||||
|
ID: "user-1",
|
||||||
|
Role: domain.RoleUser,
|
||||||
|
TenantID: &tenantID,
|
||||||
|
})
|
||||||
|
return c.Next()
|
||||||
|
})
|
||||||
|
app.Get("/api/v1/dev/clients/:id", h.GetClient)
|
||||||
|
|
||||||
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients/client-1", nil)
|
||||||
|
resp, _ := app.Test(req, -1)
|
||||||
|
|
||||||
|
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
||||||
|
var result clientDetailResponse
|
||||||
|
_ = json.NewDecoder(resp.Body).Decode(&result)
|
||||||
|
assert.Empty(t, result.Client.ClientSecret)
|
||||||
|
mockKeto.AssertExpectations(t)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestGetClient_UserAllowedToViewSecretByPermission(t *testing.T) {
|
||||||
|
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
|
||||||
|
if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
|
||||||
|
return httpJSONAny(r, http.StatusOK, map[string]interface{}{
|
||||||
|
"client_id": "client-1",
|
||||||
|
"client_name": "App One",
|
||||||
|
"client_secret": "stored-secret",
|
||||||
|
"metadata": map[string]interface{}{
|
||||||
|
"tenant_id": "tenant-1",
|
||||||
|
"status": "active",
|
||||||
|
},
|
||||||
|
}), nil
|
||||||
|
}
|
||||||
|
return httpJSONAny(r, http.StatusNotFound, nil), nil
|
||||||
|
})
|
||||||
|
|
||||||
|
mockKeto := new(devMockKetoService)
|
||||||
|
mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "Tenant", "tenant-1", "view_dev_console").Return(false, nil)
|
||||||
|
mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "view").Return(true, nil)
|
||||||
|
mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "view_secret").Return(true, nil)
|
||||||
|
|
||||||
|
h := &DevHandler{
|
||||||
|
Hydra: &service.HydraAdminService{
|
||||||
|
AdminURL: "http://hydra.test",
|
||||||
|
HTTPClient: &http.Client{Transport: transport},
|
||||||
|
},
|
||||||
|
Keto: mockKeto,
|
||||||
|
}
|
||||||
|
app := fiber.New()
|
||||||
|
tenantID := "tenant-1"
|
||||||
|
app.Use(func(c *fiber.Ctx) error {
|
||||||
|
c.Locals("user_profile", &domain.UserProfileResponse{
|
||||||
|
ID: "user-1",
|
||||||
|
Role: domain.RoleUser,
|
||||||
|
TenantID: &tenantID,
|
||||||
|
})
|
||||||
|
return c.Next()
|
||||||
|
})
|
||||||
|
app.Get("/api/v1/dev/clients/:id", h.GetClient)
|
||||||
|
|
||||||
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients/client-1", nil)
|
||||||
|
resp, _ := app.Test(req, -1)
|
||||||
|
|
||||||
|
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
||||||
|
var result clientDetailResponse
|
||||||
|
_ = json.NewDecoder(resp.Body).Decode(&result)
|
||||||
|
assert.Equal(t, "stored-secret", result.Client.ClientSecret)
|
||||||
|
mockKeto.AssertExpectations(t)
|
||||||
|
}
|
||||||
|
|
||||||
func TestRotateClientSecret_Success(t *testing.T) {
|
func TestRotateClientSecret_Success(t *testing.T) {
|
||||||
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
|
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
|
||||||
if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
|
if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
|
||||||
@@ -1505,7 +1741,7 @@ func TestListClientRelations_RPAdminAllowedByViewRelationshipsPermission(t *test
|
|||||||
mockKeto.On("ListRelations", mock.Anything, "RelyingParty", "client-1", "config_editor", "").Return([]service.RelationTuple{
|
mockKeto.On("ListRelations", mock.Anything, "RelyingParty", "client-1", "config_editor", "").Return([]service.RelationTuple{
|
||||||
{Object: "client-1", Relation: "config_editor", SubjectID: "User:user-2"},
|
{Object: "client-1", Relation: "config_editor", SubjectID: "User:user-2"},
|
||||||
}, nil)
|
}, nil)
|
||||||
for _, relation := range []string{"admins", "creator", "secret_rotator", "jwks_viewer", "jwks_operator", "consent_viewer", "consent_revoker", "relationship_viewer", "audit_viewer", "status_operator"} {
|
for _, relation := range []string{"admins", "creator", "secret_viewer", "secret_rotator", "jwks_viewer", "jwks_operator", "consent_viewer", "consent_revoker", "relationship_viewer", "audit_viewer", "status_operator"} {
|
||||||
mockKeto.On("ListRelations", mock.Anything, "RelyingParty", "client-1", relation, "").Return([]service.RelationTuple{}, nil)
|
mockKeto.On("ListRelations", mock.Anything, "RelyingParty", "client-1", relation, "").Return([]service.RelationTuple{}, nil)
|
||||||
}
|
}
|
||||||
mockKratos := new(devMockKratosAdmin)
|
mockKratos := new(devMockKratosAdmin)
|
||||||
@@ -1724,3 +1960,69 @@ func TestSearchUsers_RPAdminSearchByNameOrEmailWithinTenantScope(t *testing.T) {
|
|||||||
assert.Equal(t, "alice@example.com", result.Items[0].Email)
|
assert.Equal(t, "alice@example.com", result.Items[0].Email)
|
||||||
mockKratos.AssertExpectations(t)
|
mockKratos.AssertExpectations(t)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestSearchUsers_UserAllowedByRPAdminRelation(t *testing.T) {
|
||||||
|
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
|
||||||
|
if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
|
||||||
|
return httpJSONAny(r, http.StatusOK, map[string]any{
|
||||||
|
"client_id": "client-1",
|
||||||
|
"client_name": "App One",
|
||||||
|
"metadata": map[string]any{
|
||||||
|
"tenant_id": "tenant-1",
|
||||||
|
"status": "active",
|
||||||
|
},
|
||||||
|
}), nil
|
||||||
|
}
|
||||||
|
return httpJSONAny(r, http.StatusNotFound, nil), nil
|
||||||
|
})
|
||||||
|
|
||||||
|
mockKeto := new(devMockKetoService)
|
||||||
|
mockKeto.On("CheckPermission", mock.Anything, "User:user-1", "RelyingParty", "client-1", "manage").Return(true, nil)
|
||||||
|
|
||||||
|
mockKratos := new(devMockKratosAdmin)
|
||||||
|
mockKratos.On("ListIdentities", mock.Anything).Return([]service.KratosIdentity{
|
||||||
|
{
|
||||||
|
ID: "target-user",
|
||||||
|
Traits: map[string]interface{}{
|
||||||
|
"name": "김용연",
|
||||||
|
"email": "kyy@example.com",
|
||||||
|
"id": "kyy01",
|
||||||
|
"tenant_id": "tenant-1",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}, nil)
|
||||||
|
|
||||||
|
h := &DevHandler{
|
||||||
|
Hydra: &service.HydraAdminService{
|
||||||
|
AdminURL: "http://hydra.test",
|
||||||
|
HTTPClient: &http.Client{Transport: transport},
|
||||||
|
},
|
||||||
|
Keto: mockKeto,
|
||||||
|
KratosAdmin: mockKratos,
|
||||||
|
}
|
||||||
|
|
||||||
|
app := fiber.New()
|
||||||
|
tenantID := "tenant-1"
|
||||||
|
app.Use(func(c *fiber.Ctx) error {
|
||||||
|
c.Locals("user_profile", &domain.UserProfileResponse{
|
||||||
|
ID: "user-1",
|
||||||
|
Role: domain.RoleUser,
|
||||||
|
TenantID: &tenantID,
|
||||||
|
})
|
||||||
|
return c.Next()
|
||||||
|
})
|
||||||
|
app.Get("/api/v1/dev/users", h.SearchUsers)
|
||||||
|
|
||||||
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/users?clientId=client-1&search=김용연", nil)
|
||||||
|
resp, _ := app.Test(req, -1)
|
||||||
|
|
||||||
|
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
||||||
|
var result devUserListResponse
|
||||||
|
_ = json.NewDecoder(resp.Body).Decode(&result)
|
||||||
|
if assert.Len(t, result.Items, 1) {
|
||||||
|
assert.Equal(t, "target-user", result.Items[0].ID)
|
||||||
|
assert.Equal(t, "김용연", result.Items[0].Name)
|
||||||
|
}
|
||||||
|
mockKeto.AssertExpectations(t)
|
||||||
|
mockKratos.AssertExpectations(t)
|
||||||
|
}
|
||||||
|
|||||||
@@ -29,6 +29,7 @@ var defaultRelyingPartyOperatorRelations = []string{
|
|||||||
"admins",
|
"admins",
|
||||||
"creator",
|
"creator",
|
||||||
"config_editor",
|
"config_editor",
|
||||||
|
"secret_viewer",
|
||||||
"secret_rotator",
|
"secret_rotator",
|
||||||
"jwks_viewer",
|
"jwks_viewer",
|
||||||
"jwks_operator",
|
"jwks_operator",
|
||||||
|
|||||||
@@ -30,7 +30,7 @@ export function ForbiddenMessage({ resourceToken }: Props) {
|
|||||||
} else if (role === "user" || role === "tenant_member") {
|
} else if (role === "user" || role === "tenant_member") {
|
||||||
explanation = t(
|
explanation = t(
|
||||||
"msg.dev.forbidden.user",
|
"msg.dev.forbidden.user",
|
||||||
"일반 사용자는 관리자 화면에 접근할 수 없습니다.",
|
"일반 사용자 계정은 담당 RP(앱) 관리자 권한이 부여된 경우에만 해당 기능을 사용할 수 있습니다. 권한이 필요하면 관리자에게 요청하세요.",
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -37,6 +37,7 @@ import { ClientDetailTabs } from "./ClientDetailTabs";
|
|||||||
const relationOptions = [
|
const relationOptions = [
|
||||||
"admins",
|
"admins",
|
||||||
"config_editor",
|
"config_editor",
|
||||||
|
"secret_viewer",
|
||||||
"secret_rotator",
|
"secret_rotator",
|
||||||
"jwks_viewer",
|
"jwks_viewer",
|
||||||
"jwks_operator",
|
"jwks_operator",
|
||||||
@@ -78,7 +79,6 @@ function ClientRelationsPage() {
|
|||||||
null,
|
null,
|
||||||
);
|
);
|
||||||
const [isSearchOpen, setIsSearchOpen] = useState(false);
|
const [isSearchOpen, setIsSearchOpen] = useState(false);
|
||||||
|
|
||||||
const { data: clientData } = useQuery({
|
const { data: clientData } = useQuery({
|
||||||
queryKey: ["client", clientId],
|
queryKey: ["client", clientId],
|
||||||
queryFn: () => fetchClient(clientId),
|
queryFn: () => fetchClient(clientId),
|
||||||
@@ -95,13 +95,21 @@ function ClientRelationsPage() {
|
|||||||
enabled: clientId.length > 0,
|
enabled: clientId.length > 0,
|
||||||
});
|
});
|
||||||
|
|
||||||
|
const isRelationshipViewForbidden =
|
||||||
|
(error as AxiosError | null)?.response?.status === 403;
|
||||||
|
const relationshipViewForbiddenMessage = t(
|
||||||
|
"msg.dev.clients.relationships.view_forbidden",
|
||||||
|
"이 RP의 관계를 조회할 권한이 없습니다. 관리자에게 관계 조회 또는 RP 관리자 관계 부여를 요청해 주세요.",
|
||||||
|
);
|
||||||
|
|
||||||
const { data: userSearchData, isFetching: isUserSearchLoading } = useQuery({
|
const { data: userSearchData, isFetching: isUserSearchLoading } = useQuery({
|
||||||
queryKey: ["dev-users", deferredUserSearch],
|
queryKey: ["dev-users", deferredUserSearch],
|
||||||
queryFn: () => fetchDevUsers(deferredUserSearch),
|
queryFn: () => fetchDevUsers(deferredUserSearch, 10, clientId),
|
||||||
enabled:
|
enabled:
|
||||||
clientId.length > 0 &&
|
clientId.length > 0 &&
|
||||||
deferredUserSearch.length > 0 &&
|
deferredUserSearch.length > 0 &&
|
||||||
selectedUser == null,
|
selectedUser == null &&
|
||||||
|
!isRelationshipViewForbidden,
|
||||||
});
|
});
|
||||||
|
|
||||||
const sortedItems = useMemo(() => {
|
const sortedItems = useMemo(() => {
|
||||||
@@ -342,147 +350,156 @@ function ClientRelationsPage() {
|
|||||||
</CardDescription>
|
</CardDescription>
|
||||||
</CardHeader>
|
</CardHeader>
|
||||||
<CardContent className="space-y-6">
|
<CardContent className="space-y-6">
|
||||||
<div className="space-y-2">
|
{isRelationshipViewForbidden ? (
|
||||||
<Label htmlFor="user-search-input">
|
<div className="rounded-md border border-border bg-muted/30 p-4 text-sm text-muted-foreground">
|
||||||
{t("ui.dev.clients.relationships.user_search", "사용자")}
|
{relationshipViewForbiddenMessage}
|
||||||
</Label>
|
</div>
|
||||||
<div className="relative">
|
) : (
|
||||||
<Input
|
<>
|
||||||
id="user-search-input"
|
<div className="space-y-2">
|
||||||
value={userSearch}
|
<Label htmlFor="user-search-input">
|
||||||
onFocus={() => {
|
{t("ui.dev.clients.relationships.user_search", "사용자")}
|
||||||
if (!selectedUser && userSearch.trim() !== "") {
|
</Label>
|
||||||
setIsSearchOpen(true);
|
<div className="relative">
|
||||||
}
|
<Input
|
||||||
}}
|
id="user-search-input"
|
||||||
onChange={(event) => {
|
value={userSearch}
|
||||||
setSelectedUser(null);
|
onFocus={() => {
|
||||||
setUserSearch(event.target.value);
|
if (!selectedUser && userSearch.trim() !== "") {
|
||||||
setIsSearchOpen(true);
|
setIsSearchOpen(true);
|
||||||
}}
|
}
|
||||||
placeholder={t(
|
}}
|
||||||
"ui.dev.clients.relationships.user_search_placeholder",
|
onChange={(event) => {
|
||||||
"이름 또는 이메일 검색...",
|
setSelectedUser(null);
|
||||||
)}
|
setUserSearch(event.target.value);
|
||||||
/>
|
setIsSearchOpen(true);
|
||||||
{isSearchOpen &&
|
}}
|
||||||
selectedUser == null &&
|
placeholder={t(
|
||||||
userSearch.trim() !== "" && (
|
"ui.dev.clients.relationships.user_search_placeholder",
|
||||||
<div className="absolute z-20 mt-2 max-h-64 w-full overflow-y-auto rounded-md border border-border bg-background shadow-lg">
|
"이름 또는 이메일 검색...",
|
||||||
{isUserSearchLoading ? (
|
)}
|
||||||
<div className="px-3 py-2 text-sm text-muted-foreground">
|
/>
|
||||||
{t(
|
{isSearchOpen &&
|
||||||
"msg.dev.clients.relationships.search_loading",
|
selectedUser == null &&
|
||||||
"사용자를 찾는 중입니다...",
|
userSearch.trim() !== "" && (
|
||||||
)}
|
<div className="absolute z-20 mt-2 max-h-64 w-full overflow-y-auto rounded-md border border-border bg-background shadow-lg">
|
||||||
</div>
|
{isUserSearchLoading ? (
|
||||||
) : (userSearchData?.items ?? []).length > 0 ? (
|
<div className="px-3 py-2 text-sm text-muted-foreground">
|
||||||
(userSearchData?.items ?? []).map((user) => (
|
{t(
|
||||||
<button
|
"msg.dev.clients.relationships.search_loading",
|
||||||
key={user.id}
|
"사용자를 찾는 중입니다...",
|
||||||
type="button"
|
)}
|
||||||
className="flex w-full flex-col gap-1 px-3 py-2 text-left hover:bg-muted/40"
|
</div>
|
||||||
onMouseDown={(event) => {
|
) : (userSearchData?.items ?? []).length > 0 ? (
|
||||||
event.preventDefault();
|
(userSearchData?.items ?? []).map((user) => (
|
||||||
handleSelectUser(user);
|
<button
|
||||||
}}
|
key={user.id}
|
||||||
>
|
type="button"
|
||||||
<span className="text-sm font-semibold">
|
className="flex w-full flex-col gap-1 px-3 py-2 text-left hover:bg-muted/40"
|
||||||
{user.name || user.email}
|
onMouseDown={(event) => {
|
||||||
</span>
|
event.preventDefault();
|
||||||
<span className="text-xs text-muted-foreground">
|
handleSelectUser(user);
|
||||||
{user.email}
|
}}
|
||||||
{user.loginId ? ` · ${user.loginId}` : ""}
|
>
|
||||||
</span>
|
<span className="text-sm font-semibold">
|
||||||
</button>
|
{user.name || user.email}
|
||||||
))
|
</span>
|
||||||
) : (
|
<span className="text-xs text-muted-foreground">
|
||||||
<div className="px-3 py-2 text-sm text-muted-foreground">
|
{user.email}
|
||||||
{t(
|
{user.loginId ? ` · ${user.loginId}` : ""}
|
||||||
"msg.dev.clients.relationships.search_empty",
|
</span>
|
||||||
"검색 결과가 없습니다.",
|
</button>
|
||||||
|
))
|
||||||
|
) : (
|
||||||
|
<div className="px-3 py-2 text-sm text-muted-foreground">
|
||||||
|
{t(
|
||||||
|
"msg.dev.clients.relationships.search_empty",
|
||||||
|
"검색 결과가 없습니다.",
|
||||||
|
)}
|
||||||
|
</div>
|
||||||
)}
|
)}
|
||||||
</div>
|
</div>
|
||||||
)}
|
)}
|
||||||
</div>
|
</div>
|
||||||
|
{selectedUser && (
|
||||||
|
<p className="text-xs text-muted-foreground">
|
||||||
|
{t(
|
||||||
|
"msg.dev.clients.relationships.selected_user",
|
||||||
|
"선택된 사용자: {{user}}",
|
||||||
|
{ user: formatUserLabel(selectedUser) },
|
||||||
|
)}
|
||||||
|
</p>
|
||||||
)}
|
)}
|
||||||
</div>
|
</div>
|
||||||
{selectedUser && (
|
|
||||||
<p className="text-xs text-muted-foreground">
|
|
||||||
{t(
|
|
||||||
"msg.dev.clients.relationships.selected_user",
|
|
||||||
"선택된 사용자: {{user}}",
|
|
||||||
{ user: formatUserLabel(selectedUser) },
|
|
||||||
)}
|
|
||||||
</p>
|
|
||||||
)}
|
|
||||||
</div>
|
|
||||||
|
|
||||||
<div className="space-y-3">
|
<div className="space-y-3">
|
||||||
<Label>
|
<Label>
|
||||||
{t("ui.dev.clients.relationships.relation", "Relation")}
|
{t("ui.dev.clients.relationships.relation", "Relation")}
|
||||||
</Label>
|
</Label>
|
||||||
<div className="grid gap-3 md:grid-cols-2">
|
<div className="grid gap-3 md:grid-cols-2">
|
||||||
{relationOptions.map((relation) => {
|
{relationOptions.map((relation) => {
|
||||||
const disabled = selectedUserExistingRelations.has(relation);
|
const disabled =
|
||||||
const isSelected = selectedRelations.includes(relation);
|
selectedUserExistingRelations.has(relation);
|
||||||
return (
|
const isSelected = selectedRelations.includes(relation);
|
||||||
<label
|
return (
|
||||||
key={relation}
|
<label
|
||||||
className={`flex gap-3 rounded-xl border p-4 transition-all ${
|
key={relation}
|
||||||
disabled
|
className={`flex gap-3 rounded-xl border p-4 transition-all ${
|
||||||
? "border-border/60 bg-muted/30 opacity-60"
|
disabled
|
||||||
: isSelected
|
? "border-border/60 bg-muted/30 opacity-60"
|
||||||
? "border-primary bg-primary/10 shadow-[0_0_0_1px_rgba(59,130,246,0.35)] ring-1 ring-primary/30"
|
: isSelected
|
||||||
: "border-border bg-background hover:border-primary/40 hover:bg-muted/20"
|
? "border-primary bg-primary/10 shadow-[0_0_0_1px_rgba(59,130,246,0.35)] ring-1 ring-primary/30"
|
||||||
}`}
|
: "border-border bg-background hover:border-primary/40 hover:bg-muted/20"
|
||||||
>
|
|
||||||
<input
|
|
||||||
type="checkbox"
|
|
||||||
className="mt-1 h-4 w-4 accent-primary"
|
|
||||||
checked={isSelected || disabled}
|
|
||||||
disabled={disabled}
|
|
||||||
onChange={() => handleRelationToggle(relation)}
|
|
||||||
/>
|
|
||||||
<div className="space-y-1">
|
|
||||||
<div
|
|
||||||
className={`text-sm font-semibold ${
|
|
||||||
isSelected && !disabled ? "text-primary" : ""
|
|
||||||
}`}
|
}`}
|
||||||
>
|
>
|
||||||
{relationLabel(relation)}
|
<input
|
||||||
</div>
|
type="checkbox"
|
||||||
<div className="text-xs text-muted-foreground">
|
className="mt-1 h-4 w-4 accent-primary"
|
||||||
{relationDescription(relation)}
|
checked={isSelected || disabled}
|
||||||
</div>
|
disabled={disabled}
|
||||||
<div
|
onChange={() => handleRelationToggle(relation)}
|
||||||
className={`text-[11px] uppercase tracking-wide ${
|
/>
|
||||||
isSelected && !disabled
|
<div className="space-y-1">
|
||||||
? "text-primary/80"
|
<div
|
||||||
: "text-muted-foreground/80"
|
className={`text-sm font-semibold ${
|
||||||
}`}
|
isSelected && !disabled ? "text-primary" : ""
|
||||||
>
|
}`}
|
||||||
{relation}
|
>
|
||||||
</div>
|
{relationLabel(relation)}
|
||||||
</div>
|
</div>
|
||||||
</label>
|
<div className="text-xs text-muted-foreground">
|
||||||
);
|
{relationDescription(relation)}
|
||||||
})}
|
</div>
|
||||||
</div>
|
<div
|
||||||
</div>
|
className={`text-[11px] uppercase tracking-wide ${
|
||||||
|
isSelected && !disabled
|
||||||
|
? "text-primary/80"
|
||||||
|
: "text-muted-foreground/80"
|
||||||
|
}`}
|
||||||
|
>
|
||||||
|
{relation}
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</label>
|
||||||
|
);
|
||||||
|
})}
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
||||||
<div className="flex justify-end">
|
<div className="flex justify-end">
|
||||||
<Button
|
<Button
|
||||||
onClick={handleAdd}
|
onClick={handleAdd}
|
||||||
disabled={addMutation.isPending}
|
disabled={addMutation.isPending}
|
||||||
className="gap-2"
|
className="gap-2"
|
||||||
>
|
>
|
||||||
<Plus className="h-4 w-4" />
|
<Plus className="h-4 w-4" />
|
||||||
{addMutation.isPending
|
{addMutation.isPending
|
||||||
? t("msg.common.loading", "Loading...")
|
? t("msg.common.loading", "Loading...")
|
||||||
: t("ui.dev.clients.relationships.add", "Add")}
|
: t("ui.dev.clients.relationships.add", "Add")}
|
||||||
</Button>
|
</Button>
|
||||||
</div>
|
</div>
|
||||||
|
</>
|
||||||
|
)}
|
||||||
</CardContent>
|
</CardContent>
|
||||||
</Card>
|
</Card>
|
||||||
|
|
||||||
@@ -503,7 +520,11 @@ function ClientRelationsPage() {
|
|||||||
</CardDescription>
|
</CardDescription>
|
||||||
</CardHeader>
|
</CardHeader>
|
||||||
<CardContent>
|
<CardContent>
|
||||||
{error ? (
|
{isRelationshipViewForbidden ? (
|
||||||
|
<div className="rounded-md border border-border bg-muted/30 p-4 text-sm text-muted-foreground">
|
||||||
|
{relationshipViewForbiddenMessage}
|
||||||
|
</div>
|
||||||
|
) : error ? (
|
||||||
<div className="rounded-md border border-destructive/30 bg-destructive/5 p-4 text-sm text-destructive">
|
<div className="rounded-md border border-destructive/30 bg-destructive/5 p-4 text-sm text-destructive">
|
||||||
{t(
|
{t(
|
||||||
"msg.dev.clients.relationships.load_error",
|
"msg.dev.clients.relationships.load_error",
|
||||||
|
|||||||
@@ -202,11 +202,15 @@ export async function fetchClientRelations(clientId: string) {
|
|||||||
return data;
|
return data;
|
||||||
}
|
}
|
||||||
|
|
||||||
export async function fetchDevUsers(search: string, limit = 10) {
|
export async function fetchDevUsers(
|
||||||
|
search: string,
|
||||||
|
limit = 10,
|
||||||
|
clientId?: string,
|
||||||
|
) {
|
||||||
const { data } = await apiClient.get<DevAssignableUserListResponse>(
|
const { data } = await apiClient.get<DevAssignableUserListResponse>(
|
||||||
"/dev/users",
|
"/dev/users",
|
||||||
{
|
{
|
||||||
params: { search, limit },
|
params: { search, limit, clientId },
|
||||||
},
|
},
|
||||||
);
|
);
|
||||||
return data;
|
return data;
|
||||||
|
|||||||
@@ -388,8 +388,10 @@ list_description = "Lists operator relations directly assigned to this RP."
|
|||||||
load_error = "Failed to load relationships: {{error}}"
|
load_error = "Failed to load relationships: {{error}}"
|
||||||
loading = "Loading relationships..."
|
loading = "Loading relationships..."
|
||||||
empty = "No direct relationships assigned."
|
empty = "No direct relationships assigned."
|
||||||
|
view_forbidden = "You do not have permission to view relationships for this RP. Ask an administrator to grant Relationship Viewer or RP Admin relationship."
|
||||||
search_loading = "Searching users..."
|
search_loading = "Searching users..."
|
||||||
search_empty = "No users found."
|
search_empty = "No users found."
|
||||||
|
search_forbidden_user = "General users cannot use user search for relationship assignment."
|
||||||
selected_user = "Selected user: {{user}}"
|
selected_user = "Selected user: {{user}}"
|
||||||
|
|
||||||
[msg.dev.clients.federation]
|
[msg.dev.clients.federation]
|
||||||
@@ -1491,6 +1493,10 @@ description = "Marks the operator who created this RP."
|
|||||||
label = "RP General Settings"
|
label = "RP General Settings"
|
||||||
description = "Edit the name, redirect URIs, and general metadata."
|
description = "Edit the name, redirect URIs, and general metadata."
|
||||||
|
|
||||||
|
[ui.dev.clients.relationships.option.secret_viewer]
|
||||||
|
label = "Secret View"
|
||||||
|
description = "View the Client secret for this RP."
|
||||||
|
|
||||||
[ui.dev.clients.relationships.option.secret_rotator]
|
[ui.dev.clients.relationships.option.secret_rotator]
|
||||||
label = "Secret Rotation"
|
label = "Secret Rotation"
|
||||||
description = "Rotate and reissue the client secret."
|
description = "Rotate and reissue the client secret."
|
||||||
|
|||||||
@@ -388,8 +388,10 @@ list_description = "현재 RP에 직접 부여된 operator relation 목록입니
|
|||||||
load_error = "관계 조회 실패: {{error}}"
|
load_error = "관계 조회 실패: {{error}}"
|
||||||
loading = "관계를 불러오는 중입니다..."
|
loading = "관계를 불러오는 중입니다..."
|
||||||
empty = "직접 부여된 관계가 없습니다."
|
empty = "직접 부여된 관계가 없습니다."
|
||||||
|
view_forbidden = "이 RP의 관계를 조회할 권한이 없습니다. 관리자에게 관계 조회 또는 RP 관리자 관계 부여를 요청해 주세요."
|
||||||
search_loading = "사용자를 찾는 중입니다..."
|
search_loading = "사용자를 찾는 중입니다..."
|
||||||
search_empty = "검색 결과가 없습니다."
|
search_empty = "검색 결과가 없습니다."
|
||||||
|
search_forbidden_user = "일반 사용자는 관계 추가를 위한 사용자 검색을 사용할 수 없습니다."
|
||||||
selected_user = "선택된 사용자: {{user}}"
|
selected_user = "선택된 사용자: {{user}}"
|
||||||
|
|
||||||
[msg.dev.clients.federation]
|
[msg.dev.clients.federation]
|
||||||
@@ -1490,6 +1492,10 @@ description = "이 RP를 생성한 운영 주체를 표시합니다."
|
|||||||
label = "RP 일반 설정"
|
label = "RP 일반 설정"
|
||||||
description = "이름, Redirect URI, 메타데이터 같은 일반 설정을 수정합니다."
|
description = "이름, Redirect URI, 메타데이터 같은 일반 설정을 수정합니다."
|
||||||
|
|
||||||
|
[ui.dev.clients.relationships.option.secret_viewer]
|
||||||
|
label = "시크릿 조회"
|
||||||
|
description = "이 RP의 Client secret을 조회합니다."
|
||||||
|
|
||||||
[ui.dev.clients.relationships.option.secret_rotator]
|
[ui.dev.clients.relationships.option.secret_rotator]
|
||||||
label = "시크릿 재발급"
|
label = "시크릿 재발급"
|
||||||
description = "Client secret 재발급과 회전을 수행합니다."
|
description = "Client secret 재발급과 회전을 수행합니다."
|
||||||
|
|||||||
@@ -388,8 +388,10 @@ list_description = ""
|
|||||||
load_error = ""
|
load_error = ""
|
||||||
loading = ""
|
loading = ""
|
||||||
empty = ""
|
empty = ""
|
||||||
|
view_forbidden = ""
|
||||||
search_loading = ""
|
search_loading = ""
|
||||||
search_empty = ""
|
search_empty = ""
|
||||||
|
search_forbidden_user = ""
|
||||||
selected_user = ""
|
selected_user = ""
|
||||||
|
|
||||||
[msg.dev.clients.federation]
|
[msg.dev.clients.federation]
|
||||||
@@ -1490,6 +1492,10 @@ description = ""
|
|||||||
label = ""
|
label = ""
|
||||||
description = ""
|
description = ""
|
||||||
|
|
||||||
|
[ui.dev.clients.relationships.option.secret_viewer]
|
||||||
|
label = ""
|
||||||
|
description = ""
|
||||||
|
|
||||||
[ui.dev.clients.relationships.option.secret_rotator]
|
[ui.dev.clients.relationships.option.secret_rotator]
|
||||||
label = ""
|
label = ""
|
||||||
description = ""
|
description = ""
|
||||||
|
|||||||
@@ -63,6 +63,7 @@ class RelyingParty implements Namespace {
|
|||||||
access: (User | SubjectSet<Tenant, "members"> | SubjectSet<System, "authenticated_users"> | SubjectSet<System, "super_admins">)[]
|
access: (User | SubjectSet<Tenant, "members"> | SubjectSet<System, "authenticated_users"> | SubjectSet<System, "super_admins">)[]
|
||||||
creator: (User | SubjectSet<System, "super_admins">)[]
|
creator: (User | SubjectSet<System, "super_admins">)[]
|
||||||
config_editor: (User | SubjectSet<System, "super_admins">)[]
|
config_editor: (User | SubjectSet<System, "super_admins">)[]
|
||||||
|
secret_viewer: (User | SubjectSet<System, "super_admins">)[]
|
||||||
secret_rotator: (User | SubjectSet<System, "super_admins">)[]
|
secret_rotator: (User | SubjectSet<System, "super_admins">)[]
|
||||||
jwks_viewer: (User | SubjectSet<System, "super_admins">)[]
|
jwks_viewer: (User | SubjectSet<System, "super_admins">)[]
|
||||||
jwks_operator: (User | SubjectSet<System, "super_admins">)[]
|
jwks_operator: (User | SubjectSet<System, "super_admins">)[]
|
||||||
@@ -77,6 +78,7 @@ class RelyingParty implements Namespace {
|
|||||||
view: (ctx: Context): boolean =>
|
view: (ctx: Context): boolean =>
|
||||||
this.related.admins.includes(ctx.subject) ||
|
this.related.admins.includes(ctx.subject) ||
|
||||||
this.related.config_editor.includes(ctx.subject) ||
|
this.related.config_editor.includes(ctx.subject) ||
|
||||||
|
this.related.secret_viewer.includes(ctx.subject) ||
|
||||||
this.related.secret_rotator.includes(ctx.subject) ||
|
this.related.secret_rotator.includes(ctx.subject) ||
|
||||||
this.related.jwks_viewer.includes(ctx.subject) ||
|
this.related.jwks_viewer.includes(ctx.subject) ||
|
||||||
this.related.jwks_operator.includes(ctx.subject) ||
|
this.related.jwks_operator.includes(ctx.subject) ||
|
||||||
@@ -101,6 +103,11 @@ class RelyingParty implements Namespace {
|
|||||||
this.related.config_editor.includes(ctx.subject) ||
|
this.related.config_editor.includes(ctx.subject) ||
|
||||||
this.permits.manage(ctx),
|
this.permits.manage(ctx),
|
||||||
|
|
||||||
|
view_secret: (ctx: Context): boolean =>
|
||||||
|
this.related.secret_viewer.includes(ctx.subject) ||
|
||||||
|
this.permits.rotate_secret(ctx) ||
|
||||||
|
this.permits.manage(ctx),
|
||||||
|
|
||||||
rotate_secret: (ctx: Context): boolean =>
|
rotate_secret: (ctx: Context): boolean =>
|
||||||
this.related.secret_rotator.includes(ctx.subject) ||
|
this.related.secret_rotator.includes(ctx.subject) ||
|
||||||
this.permits.manage(ctx),
|
this.permits.manage(ctx),
|
||||||
|
|||||||
@@ -25,8 +25,9 @@
|
|||||||
|
|
||||||
| 화면 표시명 | Relation key | 의미 | 주요 허용 기능 |
|
| 화면 표시명 | Relation key | 의미 | 주요 허용 기능 |
|
||||||
|---|---|---|---|
|
|---|---|---|---|
|
||||||
| RP 관리자 | `admins` | RP 운영 전반을 관리할 수 있는 관리자 관계 | RP 조회, 설정 관리, secret 재발급, JWKS 운영, consent 조회/회수, 관계 조회, 감사 로그 조회, 상태 변경 |
|
| RP 관리자 | `admins` | RP 운영 전반을 관리할 수 있는 관리자 관계 | RP 조회, 설정 관리, secret 조회/재발급, JWKS 운영, consent 조회/회수, 관계 조회, 감사 로그 조회, 상태 변경 |
|
||||||
| RP 일반 설정 | `config_editor` | RP 이름, Redirect URI, 메타데이터 같은 일반 설정을 수정할 수 있는 관계 | RP 조회, 일반 설정 수정 |
|
| RP 일반 설정 | `config_editor` | RP 이름, Redirect URI, 메타데이터 같은 일반 설정을 수정할 수 있는 관계 | RP 조회, 일반 설정 수정 |
|
||||||
|
| 시크릿 조회 | `secret_viewer` | Client secret을 조회할 수 있는 관계 | RP 조회, client secret 조회 |
|
||||||
| 시크릿 재발급 | `secret_rotator` | Client secret 재발급과 rotation을 수행할 수 있는 관계 | RP 조회, client secret 재발급 |
|
| 시크릿 재발급 | `secret_rotator` | Client secret 재발급과 rotation을 수행할 수 있는 관계 | RP 조회, client secret 재발급 |
|
||||||
| JWKS 조회 | `jwks_viewer` | JWKS 상태, 캐시 정보, key summary를 조회할 수 있는 관계 | RP 조회, JWKS 상태/캐시/key summary 조회 |
|
| JWKS 조회 | `jwks_viewer` | JWKS 상태, 캐시 정보, key summary를 조회할 수 있는 관계 | RP 조회, JWKS 상태/캐시/key summary 조회 |
|
||||||
| JWKS 운영 | `jwks_operator` | JWKS refresh/revoke 같은 운영 작업을 수행할 수 있는 관계 | RP 조회, JWKS 조회, JWKS refresh/revoke |
|
| JWKS 운영 | `jwks_operator` | JWKS refresh/revoke 같은 운영 작업을 수행할 수 있는 관계 | RP 조회, JWKS 조회, JWKS refresh/revoke |
|
||||||
@@ -42,10 +43,11 @@ Keto namespace 기준으로 relation은 다음 permit으로 계산된다.
|
|||||||
|
|
||||||
| Permit | 허용 relation / 조건 | 기능 의미 |
|
| Permit | 허용 relation / 조건 | 기능 의미 |
|
||||||
|---|---|---|
|
|---|---|---|
|
||||||
| `view` | `admins`, `config_editor`, `secret_rotator`, `jwks_viewer`, `jwks_operator`, `consent_viewer`, `consent_revoker`, `relationship_viewer`, `audit_viewer`, `status_operator`, 부모 tenant의 `view` 또는 `view_dev_console` | RP 기본 조회 및 목록 노출 |
|
| `view` | `admins`, `config_editor`, `secret_viewer`, `secret_rotator`, `jwks_viewer`, `jwks_operator`, `consent_viewer`, `consent_revoker`, `relationship_viewer`, `audit_viewer`, `status_operator`, 부모 tenant의 `view` 또는 `view_dev_console` | RP 기본 조회 및 목록 노출 |
|
||||||
| `manage` | `admins`, 부모 tenant의 `manage` | RP 관리 상위 권한 |
|
| `manage` | `admins`, 부모 tenant의 `manage` | RP 관리 상위 권한 |
|
||||||
| `create` | `creator`, 부모 tenant의 `grant_dev_permissions`, `manage` | RP 생성. `creator`는 현재 수동 부여하지 않는 내부 relation이다. |
|
| `create` | `creator`, 부모 tenant의 `grant_dev_permissions`, `manage` | RP 생성. `creator`는 현재 수동 부여하지 않는 내부 relation이다. |
|
||||||
| `edit_config` | `config_editor`, `manage` | RP 일반 설정 수정 |
|
| `edit_config` | `config_editor`, `manage` | RP 일반 설정 수정 |
|
||||||
|
| `view_secret` | `secret_viewer`, `rotate_secret`, `manage` | client secret 조회 |
|
||||||
| `rotate_secret` | `secret_rotator`, `manage` | client secret 재발급/회전 |
|
| `rotate_secret` | `secret_rotator`, `manage` | client secret 재발급/회전 |
|
||||||
| `view_jwks` | `jwks_viewer`, `operate_jwks`, `manage` | JWKS 상태/캐시/key summary 조회 |
|
| `view_jwks` | `jwks_viewer`, `operate_jwks`, `manage` | JWKS 상태/캐시/key summary 조회 |
|
||||||
| `operate_jwks` | `jwks_operator`, `manage` | JWKS refresh/revoke |
|
| `operate_jwks` | `jwks_operator`, `manage` | JWKS refresh/revoke |
|
||||||
@@ -138,6 +140,7 @@ RP 생성 시 `metadata.user_id`가 존재하면 생성자에게 기본 운영 r
|
|||||||
- `admins`
|
- `admins`
|
||||||
- `creator`
|
- `creator`
|
||||||
- `config_editor`
|
- `config_editor`
|
||||||
|
- `secret_viewer`
|
||||||
- `secret_rotator`
|
- `secret_rotator`
|
||||||
- `jwks_viewer`
|
- `jwks_viewer`
|
||||||
- `jwks_operator`
|
- `jwks_operator`
|
||||||
|
|||||||
Reference in New Issue
Block a user