4단계 역할 정규화 및 dev 권한 스코프 검증 강화
@@ -31,8 +31,10 @@ func RequireKetoPermission(config RBACConfig, namespace, relation string) fiber.
|
||||
// Store profile in locals for further use in handlers
|
||||
c.Locals("user_profile", profile)
|
||||
|
||||
role := domain.NormalizeRole(profile.Role)
|
||||
|
||||
// Super Admin bypass
|
||||
if profile.Role == domain.RoleSuperAdmin {
|
||||
if role == domain.RoleSuperAdmin {
|
||||
return c.Next()
|
||||
}
|
||||
|
||||
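Review bot: The normalized `role` computed right after `c.Locals("user_profile", profile)` is what this middleware decides on, but downstream handlers still receive the raw `profile.Role` through locals, so any role comparison they perform can disagree with the decision made here. Exposing the normalized value alongside the profile, e.g. `c.Locals("user_role", role)` directly after `role := domain.NormalizeRole(profile.Role)`, keeps the two in step; the same pattern repeats in the `RequireRole` and `RequireTenantMatch` hunks. The denied-access `slog.Warn` in the following hunk (and the one in `RequireRole`) now reports only the normalized role, which loses the raw value that is most useful for spotting malformed or unexpected role strings in logs — keeping both, `"userRole", role, "rawRole", profile.Role`, costs one key. NormalizeRole's handling of unknown input is not visible in this diff, so the Super Admin bypass comparison is only as strict as that function's treatment of unexpected values; presumably it returns the input or an empty role rather than a canonical constant, but that is worth confirming. RequireKetoPermission's body begins before this hunk.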
@@ -67,7 +69,7 @@ func RequireKetoPermission(config RBACConfig, namespace, relation string) fiber.
|
||||
}
|
||||
|
||||
if !allowed {
|
||||
slog.Warn("Keto permission denied", "userID", profile.ID, "userRole", profile.Role, "namespace", namespace, "objectID", objectID, "relation", relation, "X-Test-Role", c.Get("X-Test-Role"))
|
||||
slog.Warn("Keto permission denied", "userID", profile.ID, "userRole", role, "namespace", namespace, "objectID", objectID, "relation", relation, "X-Test-Role", c.Get("X-Test-Role"))
|
||||
return errorJSON(c, fiber.StatusForbidden, "forbidden: keto permission denied for "+namespace+":"+objectID)
|
||||
}
|
||||
|
||||
@@ -91,15 +93,17 @@ func RequireRole(config RBACConfig) fiber.Handler {
|
||||
// Store profile in locals for further use in handlers
|
||||
c.Locals("user_profile", profile)
|
||||
|
||||
userRole := domain.NormalizeRole(profile.Role)
|
||||
|
||||
// Super Admin always has access
|
||||
if profile.Role == domain.RoleSuperAdmin {
|
||||
if userRole == domain.RoleSuperAdmin {
|
||||
return c.Next()
|
||||
}
|
||||
|
||||
// Check if user's role is in allowed roles
|
||||
roleAllowed := false
|
||||
for _, role := range config.AllowedRoles {
|
||||
if profile.Role == role {
|
||||
if userRole == domain.NormalizeRole(role) {
|
||||
roleAllowed = true
|
||||
break
|
||||
}
|
||||
@@ -108,7 +112,7 @@ func RequireRole(config RBACConfig) fiber.Handler {
|
||||
if !roleAllowed {
|
||||
slog.Warn("RBAC access denied",
|
||||
"userID", profile.ID,
|
||||
"userRole", profile.Role,
|
||||
"userRole", userRole,
|
||||
"allowedRoles", config.AllowedRoles,
|
||||
"path", c.Path(),
|
||||
"X-Test-Role", c.Get("X-Test-Role"),
|
||||
@@ -136,13 +140,15 @@ func RequireTenantMatch(config RBACConfig) fiber.Handler {
|
||||
// Store profile in locals for further use in handlers
|
||||
c.Locals("user_profile", profile)
|
||||
|
||||
userRole := domain.NormalizeRole(profile.Role)
|
||||
|
||||
// Super Admin bypass
|
||||
if profile.Role == domain.RoleSuperAdmin {
|
||||
if userRole == domain.RoleSuperAdmin {
|
||||
return c.Next()
|
||||
}
|
||||
|
||||
// Tenant Admin check
|
||||
if profile.Role == domain.RoleTenantAdmin {
|
||||
if userRole == domain.RoleTenantAdmin {
|
||||
targetTenantID := c.Params("tenantId")
|
||||
if targetTenantID == "" {
|
||||
targetTenantID = c.Params("id") // common for /tenants/:id
|
||||
|
||||