kevin/baron-sso
1
0
Fork 0
forked from baron/baron-sso
Code Pull Requests Activity

4단계 역할 정규화 및 dev 권한 스코프 검증 강화

Browse Source
This commit is contained in:
김용연
2026-03-04 13:16:34 +09:00
parent 0f8b19a9b1
commit eac16cfcd9
11 changed files with 521 additions and 177 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
backend/internal/handler/user_handler.go
View File

@@ -61,7 +61,7 @@ func (h *UserHandler) ListUsers(c *fiber.Ctx) error {
var requesterRole string
var requesterCompany string
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok {
requesterRole = profile.Role
requesterRole = domain.NormalizeRole(profile.Role)
requesterCompany = profile.CompanyCode
}
@@ -195,7 +195,7 @@ func (h *UserHandler) GetUser(c *fiber.Ctx) error {
// [New] Check access scope
requester, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
if requester != nil && requester.Role == domain.RoleTenantAdmin {
if requester != nil && domain.NormalizeRole(requester.Role) == domain.RoleTenantAdmin {
compCode := extractTraitString(identity.Traits, "companyCode")
if requester.CompanyCode == "" || compCode != requester.CompanyCode {
return errorJSON(c, fiber.StatusForbidden, "forbidden: access to user in another tenant denied")
@@ -263,9 +263,9 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
}
}
role := strings.TrimSpace(req.Role)
role := domain.NormalizeRole(req.Role)
if role == "" {
role = "user"
role = domain.RoleUser
}
attributes := map[string]interface{}{
@@ -380,7 +380,7 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
// [New] Check access scope
requester, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
if requester != nil && requester.Role == domain.RoleTenantAdmin {
if requester != nil && domain.NormalizeRole(requester.Role) == domain.RoleTenantAdmin {
compCode := extractTraitString(identity.Traits, "companyCode")
if requester.CompanyCode == "" || compCode != requester.CompanyCode {
return errorJSON(c, fiber.StatusForbidden, "forbidden: cannot update user in another tenant")
@@ -402,7 +402,7 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
}
// [New] Tenant Admin restriction: Cannot change companyCode
if requester != nil && requester.Role == domain.RoleTenantAdmin {
if requester != nil && domain.NormalizeRole(requester.Role) == domain.RoleTenantAdmin {
if req.CompanyCode != nil && *req.CompanyCode != requester.CompanyCode {
return errorJSON(c, fiber.StatusForbidden, "forbidden: tenant admins cannot change user's tenant")
}
@@ -437,9 +437,9 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
traits["department"] = strings.TrimSpace(*req.Department)
}
if req.Role != nil {
role := strings.TrimSpace(*req.Role)
role := domain.NormalizeRole(*req.Role)
if role == "" {
role = "user"
role = domain.RoleUser
}
traits["grade"] = role
traits["role"] = role
@@ -507,7 +507,7 @@ func (h *UserHandler) DeleteUser(c *fiber.Ctx) error {
// [New] Check access scope before deletion
requester, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
if requester != nil && requester.Role == domain.RoleTenantAdmin {
if requester != nil && domain.NormalizeRole(requester.Role) == domain.RoleTenantAdmin {
identity, err := h.KratosAdmin.GetIdentity(c.Context(), userID)
if err == nil && identity != nil {
compCode := extractTraitString(identity.Traits, "companyCode")
@@ -541,7 +541,11 @@ func (h *UserHandler) mapIdentitySummary(ctx context.Context, identity service.K
traits := identity.Traits
role := extractTraitString(traits, "grade")
if role == "" {
role = "user"
role = extractTraitString(traits, "role")
}
role = domain.NormalizeRole(role)
if role == "" {
role = domain.RoleUser
}
compCode := extractTraitString(traits, "companyCode")
@@ -589,7 +593,11 @@ func (h *UserHandler) mapToLocalUser(identity service.KratosIdentity) *domain.Us
traits := identity.Traits
role := extractTraitString(traits, "grade")
if role == "" {
role = "user"
role = extractTraitString(traits, "role")
}
role = domain.NormalizeRole(role)
if role == "" {
role = domain.RoleUser
}
compCode := extractTraitString(traits, "companyCode")
@@ -633,6 +641,9 @@ func (h *UserHandler) mapToLocalUser(identity service.KratosIdentity) *domain.Us
}
func (h *UserHandler) syncKetoRole(ctx context.Context, userID, newRole, oldRole, oldTenantID string, newTenantID *string) {
newRole = domain.NormalizeRole(newRole)
oldRole = domain.NormalizeRole(oldRole)
// Remove old roles
if oldRole == domain.RoleSuperAdmin {
_ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{