kevin/baron-sso
1
0
Fork 0
forked from baron/baron-sso
Code Pull Requests Activity

Merge branch 'dev' into feature/af-issue363

Browse Source
This commit is contained in:
조찬영
2026-03-18 09:05:23 +09:00
parent 2463b5a67f 9d888a1162
commit ec8abf39aa
35 changed files with 2225 additions and 317 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
backend/internal/handler/auth_handler.go
View File

@@ -4004,17 +4004,19 @@ func (h *AuthHandler) resolveCurrentProfile(c *fiber.Ctx) (*domain.UserProfileRe
// 2. Role Override for real profile or fallback to Mock Profile
if profile != nil {
if isDev && mockRole != "" {
normalizedMockRole := domain.NormalizeRole(mockRole)
slog.Info("🔑 [AUTH] Overriding real profile role",
"email", profile.Email, "originalRole", profile.Role, "overriddenRole", mockRole)
profile.Role = mockRole
"email", profile.Email, "originalRole", profile.Role, "overriddenRole", normalizedMockRole)
profile.Role = normalizedMockRole
}
} else if isDev && mockRole != "" && token == "" && cookie == "" {
normalizedMockRole := domain.NormalizeRole(mockRole)
slog.Info("🔑 [AUTH] Using full Mock Auth (no session)", "role", mockRole)
profile = &domain.UserProfileResponse{
ID: "00000000-0000-0000-0000-000000000000",
Email: "mock@hmac.kr",
Name: "Dev Mock User",
Role: mockRole,
Role: normalizedMockRole,
}
if tid := c.Get("X-Tenant-ID"); tid != "" {
profile.TenantID = &tid
@@ -4027,6 +4029,7 @@ func (h *AuthHandler) resolveCurrentProfile(c *fiber.Ctx) (*domain.UserProfileRe
}
// 3. Post-Process (Defaults & Metadata Enrichment)
profile.Role = domain.NormalizeRole(profile.Role)
if profile.Role == "" {
profile.Role = domain.RoleUser
}
@@ -5123,6 +5126,7 @@ func (h *AuthHandler) mapKratosIdentityToProfile(identityID string, traits map[s
compCode, _ := traits["companyCode"].(string)
role, _ := traits["role"].(string)
tenantID, _ := traits["tenant_id"].(string)
relyingPartyID, _ := traits["relying_party_id"].(string)
profile := &domain.UserProfileResponse{
ID: identityID,
@@ -5132,18 +5136,22 @@ func (h *AuthHandler) mapKratosIdentityToProfile(identityID string, traits map[s
Department: dept,
AffiliationType: affType,
CompanyCode: compCode,
Role: role,
Role: domain.NormalizeRole(role),
Metadata: make(map[string]any),
}
if tenantID != "" {
profile.TenantID = &tenantID
}
if strings.TrimSpace(relyingPartyID) != "" {
rpID := strings.TrimSpace(relyingPartyID)
profile.RelyingPartyID = &rpID
}
coreTraits := map[string]bool{
"email": true, "name": true, "phone_number": true,
"grade": true, "companyCode": true, "department": true,
"affiliationType": true, "role": true, "tenant_id": true,
"affiliationType": true, "role": true, "tenant_id": true, "relying_party_id": true,
}
for k, v := range traits {
if !coreTraits[k] {

434
backend/internal/handler/dev_handler.go
View File

@@ -140,6 +140,127 @@ type clientUpsertRequest struct {
Metadata *map[string]interface{} `json:"metadata"`
}
func normalizeUserRole(role string) string {
return domain.NormalizeRole(role)
}
func isDevConsoleRoleAllowed(role string) bool {
switch normalizeUserRole(role) {
case domain.RoleSuperAdmin, domain.RoleTenantAdmin, domain.RoleRPAdmin:
return true
default:
return false
}
}
func (h *DevHandler) getCurrentProfile(c *fiber.Ctx) *domain.UserProfileResponse {
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil {
return profile
}
if h.Auth != nil {
enriched, err := h.Auth.GetEnrichedProfile(c)
if err == nil && enriched != nil {
c.Locals("user_profile", enriched)
return enriched
}
}
return nil
}
func tenantIDFromProfile(profile *domain.UserProfileResponse) string {
if profile == nil || profile.TenantID == nil {
return ""
}
return strings.TrimSpace(*profile.TenantID)
}
func addClientIDToSet(set map[string]struct{}, raw any) {
switch value := raw.(type) {
case string:
for _, chunk := range strings.Split(value, ",") {
id := strings.TrimSpace(chunk)
if id != "" {
set[id] = struct{}{}
}
}
case []string:
for _, item := range value {
id := strings.TrimSpace(item)
if id != "" {
set[id] = struct{}{}
}
}
case []any:
for _, item := range value {
if str, ok := item.(string); ok {
id := strings.TrimSpace(str)
if id != "" {
set[id] = struct{}{}
}
}
}
}
}
func managedClientIDsFromProfile(profile *domain.UserProfileResponse) map[string]struct{} {
ids := make(map[string]struct{})
if profile == nil {
return ids
}
if profile.RelyingPartyID != nil {
if id := strings.TrimSpace(*profile.RelyingPartyID); id != "" {
ids[id] = struct{}{}
}
}
if profile.Metadata == nil {
return ids
}
for _, key := range []string{
"managed_client_ids",
"managedClientIds",
"relying_party_id",
"relyingPartyId",
"client_id",
"clientId",
} {
if raw, ok := profile.Metadata[key]; ok {
addClientIDToSet(ids, raw)
}
}
return ids
}
func resolveClientTenantID(summary clientSummary) string {
if summary.Metadata == nil {
return ""
}
clientTenantID, _ := summary.Metadata["tenant_id"].(string)
return strings.TrimSpace(clientTenantID)
}
func isRPAdminClientAllowed(profile *domain.UserProfileResponse, clientID string) bool {
if normalizeUserRole(profileRole(profile)) != domain.RoleRPAdmin {
return true
}
allowed := managedClientIDsFromProfile(profile)
if len(allowed) == 0 {
return false
}
_, ok := allowed[strings.TrimSpace(clientID)]
return ok
}
func profileRole(profile *domain.UserProfileResponse) string {
if profile == nil {
return ""
}
return strings.TrimSpace(profile.Role)
}
func (h *DevHandler) checkAppManagerPermission(c *fiber.Ctx) (bool, error) {
profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse)
if (!ok || profile == nil) && h.Auth != nil {
@@ -151,11 +272,19 @@ func (h *DevHandler) checkAppManagerPermission(c *fiber.Ctx) (bool, error) {
}
}
if ok && profile != nil {
// Super Admin bypass
if profile.Role == domain.RoleSuperAdmin {
role := normalizeUserRole(profile.Role)
switch role {
case domain.RoleSuperAdmin:
slog.Info("Dev private permission granted by super_admin role", "user_id", profile.ID)
return true, nil
case domain.RoleTenantAdmin, domain.RoleRPAdmin:
slog.Info("Dev private permission granted by role", "user_id", profile.ID, "role", role)
return true, nil
case domain.RoleUser:
return false, nil
}
// Super Admin bypass
if isAdminEmail(profile.Email) {
slog.Info("Dev private permission granted by ADMIN_EMAIL match", "email", profile.Email)
return true, nil
@@ -203,16 +332,24 @@ func (h *DevHandler) checkAppManagerPermission(c *fiber.Ctx) (bool, error) {
if tokenEmail == "" {
tokenEmail = strings.TrimSpace(info.Email)
}
tokenRole = strings.TrimSpace(info.Role)
tokenRole = normalizeUserRole(info.Role)
} else if err != nil {
slog.Warn("Dev private permission userinfo fallback failed", "error", err)
}
}
tokenRole = normalizeUserRole(tokenRole)
if tokenRole == domain.RoleSuperAdmin {
slog.Info("Dev private permission granted by token role", "role", tokenRole)
return true, nil
}
if tokenRole == domain.RoleTenantAdmin || tokenRole == domain.RoleRPAdmin {
slog.Info("Dev private permission granted by token role", "role", tokenRole)
return true, nil
}
if tokenRole == domain.RoleUser {
return false, nil
}
if isAdminEmail(tokenEmail) {
slog.Info("Dev private permission granted by token email", "email", tokenEmail)
return true, nil
@@ -237,7 +374,7 @@ func (h *DevHandler) checkAppManagerPermission(c *fiber.Ctx) (bool, error) {
if h.KratosAdmin != nil {
identity, err := h.KratosAdmin.GetIdentity(c.Context(), tokenSubject)
if err == nil && identity != nil {
if rawRole, ok := identity.Traits["role"].(string); ok && rawRole == domain.RoleSuperAdmin {
if rawRole, ok := identity.Traits["role"].(string); ok && normalizeUserRole(rawRole) == domain.RoleSuperAdmin {
slog.Info("Dev private permission granted by Kratos role", "subject", tokenSubject)
return true, nil
}
@@ -383,90 +520,20 @@ func (h *DevHandler) ListClients(c *fiber.Ctx) error {
offset = 0
}
// [Tenant Isolation] Get current user's tenant ID
userTenantID := ""
isSuperAdmin := false
profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse)
if (!ok || profile == nil) && h.Auth != nil {
enriched, _ := h.Auth.GetEnrichedProfile(c)
if enriched != nil {
profile = enriched
ok = true
c.Locals("user_profile", enriched)
}
profile := h.getCurrentProfile(c)
if profile == nil {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
}
role := normalizeUserRole(profile.Role)
if !isDevConsoleRoleAllowed(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden")
}
if ok && profile != nil {
if profile.TenantID != nil {
userTenantID = *profile.TenantID
}
isSuperAdmin = profile.Role == domain.RoleSuperAdmin
} else {
// If profile resolution failed, verify bearer token via OIDC userinfo fallback.
authHeader := c.Get("Authorization")
bearerToken := extractBearerToken(authHeader)
if bearerToken == "" {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
}
sub, email := extractAuthClaimsFromBearer(authHeader)
if sub == "" {
info, infoErr := h.fetchOIDCUserInfo(c.Context(), bearerToken)
if infoErr != nil {
slog.Warn("ListClients userinfo fallback failed", "error", infoErr)
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
}
sub = strings.TrimSpace(info.Sub)
if email == "" {
email = strings.TrimSpace(info.Email)
}
if userTenantID == "" {
userTenantID = strings.TrimSpace(info.TenantID)
}
if strings.EqualFold(strings.TrimSpace(info.Role), domain.RoleSuperAdmin) {
isSuperAdmin = true
}
}
if sub == "" && email == "" {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
}
if h.KratosAdmin != nil && (userTenantID == "" || !isSuperAdmin) {
identityID := strings.TrimSpace(sub)
if identityID == "" && email != "" {
if resolved, err := h.KratosAdmin.FindIdentityIDByIdentifier(c.Context(), email); err == nil {
identityID = strings.TrimSpace(resolved)
}
}
if identityID != "" {
if identity, err := h.KratosAdmin.GetIdentity(c.Context(), identityID); err == nil && identity != nil {
if userTenantID == "" {
if tid, ok := identity.Traits["tenant_id"].(string); ok {
userTenantID = strings.TrimSpace(tid)
}
}
role := ""
if rawRole, ok := identity.Traits["role"].(string); ok {
role = strings.TrimSpace(rawRole)
}
if role == domain.RoleSuperAdmin {
isSuperAdmin = true
}
profile = &domain.UserProfileResponse{
ID: identityID,
Email: email,
Role: role,
TenantID: nil,
}
if userTenantID != "" {
tid := userTenantID
profile.TenantID = &tid
}
c.Locals("user_profile", profile)
}
}
}
userTenantID := tenantIDFromProfile(profile)
isSuperAdmin := role == domain.RoleSuperAdmin
allowedClientIDs := managedClientIDsFromProfile(profile)
if role == domain.RoleRPAdmin && len(allowedClientIDs) == 0 {
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin has no managed clients")
}
isAppManager, err := h.checkAppManagerPermission(c)
@@ -503,6 +570,13 @@ func (h *DevHandler) ListClients(c *fiber.Ctx) error {
}
}
// 3. [Role Scope] RP Admin can only access managed RP IDs
if role == domain.RoleRPAdmin {
if _, ok := allowedClientIDs[summary.ID]; !ok {
continue
}
}
items = append(items, summary)
}
@@ -529,22 +603,27 @@ func (h *DevHandler) GetClient(c *fiber.Ctx) error {
}
summary := h.mapClientSummary(*client)
profile := h.getCurrentProfile(c)
if profile == nil {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
}
role := normalizeUserRole(profile.Role)
if !isDevConsoleRoleAllowed(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden")
}
// [Tenant Isolation] Check if user has access to this client
isSuperAdmin := false
userTenantID := ""
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil {
isSuperAdmin = profile.Role == domain.RoleSuperAdmin
if profile.TenantID != nil {
userTenantID = *profile.TenantID
}
}
isSuperAdmin := role == domain.RoleSuperAdmin
userTenantID := tenantIDFromProfile(profile)
if !isSuperAdmin {
clientTenantID, _ := summary.Metadata["tenant_id"].(string)
clientTenantID := resolveClientTenantID(summary)
if clientTenantID != userTenantID {
return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant")
}
}
if !isRPAdminClientAllowed(profile, summary.ID) {
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
}
// Check permission for private clients
if summary.Type == "private" {
@@ -598,22 +677,27 @@ func (h *DevHandler) UpdateClientStatus(c *fiber.Ctx) error {
}
summary := h.mapClientSummary(*current)
profile := h.getCurrentProfile(c)
if profile == nil {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
}
role := normalizeUserRole(profile.Role)
if !isDevConsoleRoleAllowed(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden")
}
// [Tenant Isolation]
isSuperAdmin := false
userTenantID := ""
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil {
isSuperAdmin = profile.Role == domain.RoleSuperAdmin
if profile.TenantID != nil {
userTenantID = *profile.TenantID
}
}
isSuperAdmin := role == domain.RoleSuperAdmin
userTenantID := tenantIDFromProfile(profile)
if !isSuperAdmin {
clientTenantID, _ := summary.Metadata["tenant_id"].(string)
clientTenantID := resolveClientTenantID(summary)
if clientTenantID != userTenantID {
return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant")
}
}
if !isRPAdminClientAllowed(profile, summary.ID) {
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
}
if summary.Type == "private" {
isAppManager, _ := h.checkAppManagerPermission(c)
@@ -655,6 +739,15 @@ func (h *DevHandler) UpdateClientStatus(c *fiber.Ctx) error {
func (h *DevHandler) CreateClient(c *fiber.Ctx) error {
tenantID := h.injectTenantContextFromHeader(c)
profile := h.getCurrentProfile(c)
if profile == nil {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
}
role := normalizeUserRole(profile.Role)
if !isDevConsoleRoleAllowed(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden")
}
var req clientUpsertRequest
if err := c.BodyParser(&req); err != nil {
return errorJSON(c, fiber.StatusBadRequest, "invalid request body")
@@ -706,7 +799,7 @@ func (h *DevHandler) CreateClient(c *fiber.Ctx) error {
}
// [Tenant Isolation] Record owner information
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil {
if profile != nil {
metadata["user_id"] = profile.ID
if tenantID == "" && profile.TenantID != nil {
tenantID = *profile.TenantID
@@ -805,22 +898,27 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error {
}
currentSummary := h.mapClientSummary(*current)
profile := h.getCurrentProfile(c)
if profile == nil {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
}
role := normalizeUserRole(profile.Role)
if !isDevConsoleRoleAllowed(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden")
}
// [Tenant Isolation]
isSuperAdmin := false
userTenantID := ""
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil {
isSuperAdmin = profile.Role == domain.RoleSuperAdmin
if profile.TenantID != nil {
userTenantID = *profile.TenantID
}
}
isSuperAdmin := role == domain.RoleSuperAdmin
userTenantID := tenantIDFromProfile(profile)
if !isSuperAdmin {
clientTenantID, _ := currentSummary.Metadata["tenant_id"].(string)
clientTenantID := resolveClientTenantID(currentSummary)
if clientTenantID != userTenantID {
return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant")
}
}
if !isRPAdminClientAllowed(profile, currentSummary.ID) {
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
}
clientType := ""
if req.Type != nil {
@@ -931,22 +1029,27 @@ func (h *DevHandler) DeleteClient(c *fiber.Ctx) error {
}
summary := h.mapClientSummary(*current)
profile := h.getCurrentProfile(c)
if profile == nil {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
}
role := normalizeUserRole(profile.Role)
if !isDevConsoleRoleAllowed(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden")
}
// [Tenant Isolation]
isSuperAdmin := false
userTenantID := ""
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil {
isSuperAdmin = profile.Role == domain.RoleSuperAdmin
if profile.TenantID != nil {
userTenantID = *profile.TenantID
}
}
isSuperAdmin := role == domain.RoleSuperAdmin
userTenantID := tenantIDFromProfile(profile)
if !isSuperAdmin {
clientTenantID, _ := summary.Metadata["tenant_id"].(string)
clientTenantID := resolveClientTenantID(summary)
if clientTenantID != userTenantID {
return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant")
}
}
if !isRPAdminClientAllowed(profile, summary.ID) {
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
}
// [Security] Check permission for private clients
if summary.Type == "private" {
@@ -986,6 +1089,18 @@ func (h *DevHandler) ListConsents(c *fiber.Ctx) error {
return errorJSON(c, fiber.StatusBadRequest, "client_id is required")
}
profile := h.getCurrentProfile(c)
if profile == nil {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
}
role := normalizeUserRole(profile.Role)
if !isDevConsoleRoleAllowed(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden")
}
if !isRPAdminClientAllowed(profile, clientID) {
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
}
subject := strings.TrimSpace(c.Query("subject"))
limit := c.QueryInt("limit", 50)
offset := c.QueryInt("offset", 0)
@@ -995,8 +1110,8 @@ func (h *DevHandler) ListConsents(c *fiber.Ctx) error {
// [Isolation] Get admin tenant ID from locals or header
adminTenantID := ""
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil {
if profile.Role != domain.RoleSuperAdmin && profile.TenantID != nil {
if profile != nil {
if role != domain.RoleSuperAdmin && profile.TenantID != nil {
adminTenantID = *profile.TenantID
}
}
@@ -1091,6 +1206,17 @@ func (h *DevHandler) RevokeConsents(c *fiber.Ctx) error {
return errorJSON(c, fiber.StatusBadRequest, "subject is required")
}
clientID := strings.TrimSpace(c.Query("client_id"))
profile := h.getCurrentProfile(c)
if profile == nil {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
}
role := normalizeUserRole(profile.Role)
if !isDevConsoleRoleAllowed(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden")
}
if clientID != "" && !isRPAdminClientAllowed(profile, clientID) {
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
}
// If subject is not a UUID, try to resolve it as an identifier (email/username)
if _, err := uuid.Parse(subject); err != nil {
@@ -1138,22 +1264,27 @@ func (h *DevHandler) RotateClientSecret(c *fiber.Ctx) error {
}
summary := h.mapClientSummary(*current)
profile := h.getCurrentProfile(c)
if profile == nil {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
}
role := normalizeUserRole(profile.Role)
if !isDevConsoleRoleAllowed(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden")
}
// [Tenant Isolation]
isSuperAdmin := false
userTenantID := ""
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil {
isSuperAdmin = profile.Role == domain.RoleSuperAdmin
if profile.TenantID != nil {
userTenantID = *profile.TenantID
}
}
isSuperAdmin := role == domain.RoleSuperAdmin
userTenantID := tenantIDFromProfile(profile)
if !isSuperAdmin {
clientTenantID, _ := summary.Metadata["tenant_id"].(string)
clientTenantID := resolveClientTenantID(summary)
if clientTenantID != userTenantID {
return errorJSON(c, fiber.StatusForbidden, "forbidden: access denied to client in another tenant")
}
}
if !isRPAdminClientAllowed(profile, summary.ID) {
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin scope does not include this client")
}
// [Security] Check permission for private clients
if summary.Type == "private" {
@@ -1216,13 +1347,18 @@ func (h *DevHandler) ListAuditLogs(c *fiber.Ctx) error {
}
h.injectTenantContextFromHeader(c)
allowed, err := h.checkAppManagerPermission(c)
if err != nil {
return errorJSON(c, fiber.StatusInternalServerError, "permission check error")
profile := h.getCurrentProfile(c)
if profile == nil {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
}
if !allowed {
role := normalizeUserRole(profile.Role)
if !isDevConsoleRoleAllowed(role) {
return errorJSON(c, fiber.StatusForbidden, "forbidden")
}
allowedClientIDs := managedClientIDsFromProfile(profile)
if role == domain.RoleRPAdmin && len(allowedClientIDs) == 0 {
return errorJSON(c, fiber.StatusForbidden, "forbidden: rp_admin has no managed clients")
}
limit := c.QueryInt("limit", 50)
if limit <= 0 {
@@ -1239,6 +1375,9 @@ func (h *DevHandler) ListAuditLogs(c *fiber.Ctx) error {
if tenantFilter == "" {
tenantFilter = h.resolveDevTenantScope(c)
}
if role != domain.RoleSuperAdmin && tenantFilter == "" {
tenantFilter = tenantIDFromProfile(profile)
}
cursorRaw := c.Query("cursor")
cursor, err := parseAuditCursor(cursorRaw)
@@ -1263,7 +1402,7 @@ func (h *DevHandler) ListAuditLogs(c *fiber.Ctx) error {
for _, logItem := range page {
scanned++
if h.matchesDevAuditFilter(logItem, tenantFilter, clientFilter, actionFilter, statusFilter) {
if h.matchesDevAuditFilter(logItem, tenantFilter, clientFilter, actionFilter, statusFilter, allowedClientIDs) {
collected = append(collected, logItem)
if len(collected) == limit+1 {
break
@@ -1308,7 +1447,7 @@ func (h *DevHandler) GetStats(c *fiber.Ctx) error {
userTenantID := ""
isSuperAdmin := false
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok && profile != nil {
isSuperAdmin = profile.Role == domain.RoleSuperAdmin
isSuperAdmin = normalizeUserRole(profile.Role) == domain.RoleSuperAdmin
if profile.TenantID != nil {
userTenantID = *profile.TenantID
}
@@ -1553,6 +1692,7 @@ func clientTypeOrDefault(tokenEndpointAuthMethod string) string {
func (h *DevHandler) matchesDevAuditFilter(
logItem domain.AuditLog,
tenantFilter, clientFilter, actionFilter, statusFilter string,
allowedClientIDs map[string]struct{},
) bool {
if !strings.Contains(logItem.EventType, "/api/v1/dev/") {
return false
@@ -1574,6 +1714,20 @@ func (h *DevHandler) matchesDevAuditFilter(
return false
}
}
if len(allowedClientIDs) > 0 {
targetID, _ := details["target_id"].(string)
clientID, _ := details["client_id"].(string)
resolvedID := strings.TrimSpace(targetID)
if resolvedID == "" {
resolvedID = strings.TrimSpace(clientID)
}
if resolvedID == "" {
return false
}
if _, ok := allowedClientIDs[resolvedID]; !ok {
return false
}
}
if actionFilter != "" {
if normalizeAuditAction(logItem.EventType, details) != actionFilter {
return false

56
backend/internal/handler/dev_handler_isolation_test.go
View File

@@ -16,7 +16,7 @@ import (
)
func TestDevHandler_Isolation(t *testing.T) {
mockKeto := new(MockKetoService)
mockKeto := new(devMockKetoService)
h := &DevHandler{
Hydra: &service.HydraAdminService{
@@ -82,14 +82,14 @@ func TestDevHandler_Isolation(t *testing.T) {
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_profile", &domain.UserProfileResponse{
ID: "user-a",
Role: domain.RoleUser,
Role: domain.RoleTenantAdmin,
TenantID: &tenantA,
})
return c.Next()
})
app.Get("/api/v1/dev/clients", h.ListClients)
mockKeto.On("CheckPermission", mock.Anything, "user-a", "System", "AppManager", "member").Return(false, nil)
mockKeto.On("CheckPermission", mock.Anything, "user-a", "System", "AppManager", "member").Return(true, nil)
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil)
resp, _ := app.Test(req, -1)
@@ -105,7 +105,7 @@ func TestDevHandler_Isolation(t *testing.T) {
assert.Equal(t, "client-tenant-a", res.Items[0].ID)
})
t.Run("GetClient should enforce tenant isolation", func(t *testing.T) {
t.Run("Tenant member should be forbidden from DevFront clients", func(t *testing.T) {
app := fiber.New()
tenantA := "tenant-a"
app.Use(func(c *fiber.Ctx) error {
@@ -116,6 +116,52 @@ func TestDevHandler_Isolation(t *testing.T) {
})
return c.Next()
})
app.Get("/api/v1/dev/clients", h.ListClients)
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil)
resp, _ := app.Test(req, -1)
assert.Equal(t, http.StatusForbidden, resp.StatusCode)
})
t.Run("RP Admin should only see managed clients", func(t *testing.T) {
app := fiber.New()
tenantA := "tenant-a"
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_profile", &domain.UserProfileResponse{
ID: "rp-admin-a",
Role: domain.RoleRPAdmin,
TenantID: &tenantA,
Metadata: map[string]any{
"managed_client_ids": []any{"client-tenant-a"},
},
})
return c.Next()
})
app.Get("/api/v1/dev/clients", h.ListClients)
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil)
resp, _ := app.Test(req, -1)
assert.Equal(t, http.StatusOK, resp.StatusCode)
var res struct {
Items []clientSummary `json:"items"`
}
json.NewDecoder(resp.Body).Decode(&res)
assert.Equal(t, 1, len(res.Items))
assert.Equal(t, "client-tenant-a", res.Items[0].ID)
})
t.Run("GetClient should enforce tenant isolation", func(t *testing.T) {
app := fiber.New()
tenantA := "tenant-a"
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_profile", &domain.UserProfileResponse{
ID: "user-a",
Role: domain.RoleTenantAdmin,
TenantID: &tenantA,
})
return c.Next()
})
app.Get("/api/v1/dev/clients/:id", h.GetClient)
// Case 1: Same tenant
@@ -135,7 +181,7 @@ func TestDevHandler_Isolation(t *testing.T) {
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_profile", &domain.UserProfileResponse{
ID: "user-a",
Role: domain.RoleUser,
Role: domain.RoleTenantAdmin,
TenantID: &tenantA,
})
return c.Next()

371
backend/internal/handler/dev_handler_test.go
View File

@@ -6,6 +6,7 @@ import (
"bytes"
"context"
"encoding/json"
"fmt"
"net/http"
"net/http/httptest"
"testing"
@@ -16,33 +17,79 @@ import (
"github.com/stretchr/testify/mock"
)
type MockKetoService struct {
// --- Mocks with Unique Names to Avoid Collisions ---
type devMockKetoService struct {
mock.Mock
}
func (m *MockKetoService) CheckPermission(ctx context.Context, subject, namespace, object, relation string) (bool, error) {
func (m *devMockKetoService) CheckPermission(ctx context.Context, subject, namespace, object, relation string) (bool, error) {
args := m.Called(ctx, subject, namespace, object, relation)
return args.Bool(0), args.Error(1)
}
func (m *MockKetoService) CreateRelation(ctx context.Context, namespace, object, relation, subject string) error {
return m.Called(ctx, namespace, object, relation, subject).Error(0)
func (m *devMockKetoService) CreateRelation(ctx context.Context, ns, obj, rel, sub string) error {
return m.Called(ctx, ns, obj, rel, sub).Error(0)
}
func (m *MockKetoService) DeleteRelation(ctx context.Context, namespace, object, relation, subject string) error {
return m.Called(ctx, namespace, object, relation, subject).Error(0)
func (m *devMockKetoService) DeleteRelation(ctx context.Context, ns, obj, rel, sub string) error {
return m.Called(ctx, ns, obj, rel, sub).Error(0)
}
func (m *MockKetoService) ListRelations(ctx context.Context, namespace, object, relation, subject string) ([]service.RelationTuple, error) {
args := m.Called(ctx, namespace, object, relation, subject)
func (m *devMockKetoService) ListRelations(ctx context.Context, ns, obj, rel, sub string) ([]service.RelationTuple, error) {
args := m.Called(ctx, ns, obj, rel, sub)
return args.Get(0).([]service.RelationTuple), args.Error(1)
}
func (m *MockKetoService) ListObjects(ctx context.Context, namespace, relation, subject string) ([]string, error) {
args := m.Called(ctx, namespace, relation, subject)
func (m *devMockKetoService) ListObjects(ctx context.Context, ns, rel, sub string) ([]string, error) {
args := m.Called(ctx, ns, rel, sub)
return args.Get(0).([]string), args.Error(1)
}
type devMockRedisRepo struct {
data map[string]string
}
func (m *devMockRedisRepo) Set(key, value string, exp time.Duration) error {
if m.data == nil {
m.data = make(map[string]string)
}
m.data[key] = value
return nil
}
func (m *devMockRedisRepo) Get(key string) (string, error) {
v, ok := m.data[key]
if !ok {
return "", fmt.Errorf("not found")
}
return v, nil
}
func (m *devMockRedisRepo) Delete(key string) error {
delete(m.data, key)
return nil
}
func (m *devMockRedisRepo) StoreVerificationCode(p, c string) error { return nil }
func (m *devMockRedisRepo) GetVerificationCode(p string) (string, error) { return "", nil }
func (m *devMockRedisRepo) DeleteVerificationCode(p string) error { return nil }
type devEnhancedMockAuditRepo struct {
mockAuditRepo
countFailures int64
countSessions int64
}
func (m *devEnhancedMockAuditRepo) CountFailuresSince(ctx context.Context, s time.Time, t string) (int64, error) {
return m.countFailures, nil
}
func (m *devEnhancedMockAuditRepo) CountActiveSessionsSince(ctx context.Context, s time.Time, t string) (int64, error) {
return m.countSessions, nil
}
// --- Tests ---
func TestListClients_Success(t *testing.T) {
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
if r.URL.Path == "/clients" {
@@ -51,11 +98,10 @@ func TestListClients_Success(t *testing.T) {
{"client_id": "client-2", "client_name": "App Two", "metadata": map[string]interface{}{"status": "inactive"}},
}), nil
}
return httpJSONAny(r, http.StatusNotFound, map[string]string{"error": "not found"}), nil
return httpJSONAny(r, http.StatusNotFound, nil), nil
})
mockKeto := new(MockKetoService)
// For simplicity, always allow in basic success test
mockKeto := new(devMockKetoService)
mockKeto.On("CheckPermission", mock.Anything, mock.Anything, "System", "AppManager", "member").Return(true, nil)
h := &DevHandler{
@@ -76,72 +122,61 @@ func TestListClients_Success(t *testing.T) {
resp, _ := app.Test(req, -1)
assert.Equal(t, http.StatusOK, resp.StatusCode)
var res struct {
Items []clientSummary `json:"items"`
}
json.NewDecoder(resp.Body).Decode(&res)
assert.Equal(t, 2, len(res.Items))
assert.Equal(t, "client-1", res.Items[0].ID)
assert.Equal(t, "App One", res.Items[0].Name)
}
func TestGetClient_Success(t *testing.T) {
func TestUpdateClientStatus_Success(t *testing.T) {
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
if r.URL.Path == "/clients/client-123" {
if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
return httpJSONAny(r, http.StatusOK, map[string]interface{}{
"client_id": "client-123",
"client_name": "Test App",
"metadata": map[string]interface{}{"status": "active"},
"client_id": "client-1", "metadata": map[string]interface{}{"status": "active"},
}), nil
}
return httpJSONAny(r, http.StatusNotFound, map[string]string{"error": "not found"}), nil
if r.Method == http.MethodPatch && r.URL.Path == "/clients/client-1" {
return httpJSONAny(r, http.StatusOK, map[string]interface{}{
"client_id": "client-1", "metadata": map[string]interface{}{"status": "inactive"},
}), nil
}
return httpJSONAny(r, http.StatusNotFound, nil), nil
})
mockKeto := new(MockKetoService)
h := &DevHandler{
Hydra: &service.HydraAdminService{
AdminURL: "http://hydra.test",
PublicURL: "http://hydra-public.test", // PublicURL 추가
HTTPClient: &http.Client{Transport: transport},
},
Keto: mockKeto,
Keto: new(devMockKetoService),
}
app := fiber.New()
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_profile", &domain.UserProfileResponse{ID: "test-user", Role: domain.RoleSuperAdmin})
c.Locals("user_profile", &domain.UserProfileResponse{ID: "user-1", Role: domain.RoleSuperAdmin})
return c.Next()
})
app.Get("/api/v1/dev/clients/:id", h.GetClient)
app.Patch("/api/v1/dev/clients/:id/status", h.UpdateClientStatus)
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients/client-123", nil)
body, _ := json.Marshal(map[string]interface{}{"status": "inactive"})
req := httptest.NewRequest(http.MethodPatch, "/api/v1/dev/clients/client-1/status", bytes.NewReader(body))
req.Header.Set("Content-Type", "application/json")
resp, _ := app.Test(req, -1)
assert.Equal(t, http.StatusOK, resp.StatusCode)
var res clientDetailResponse
json.NewDecoder(resp.Body).Decode(&res)
assert.Equal(t, "client-123", res.Client.ID)
assert.Equal(t, "Test App", res.Client.Name)
assert.Equal(t, "http://hydra-public.test/oauth2/auth", res.Endpoints.Authorization)
assert.Equal(t, "inactive", res.Client.Status)
}
func TestCreateClient_Success(t *testing.T) {
func TestDeleteClient_Success(t *testing.T) {
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
if r.Method == http.MethodPost && r.URL.Path == "/clients" {
return httpJSONAny(r, http.StatusCreated, map[string]interface{}{
"client_id": "new-client-123",
"client_name": "New App",
"client_secret": "secret-123",
}), nil
if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
return httpJSONAny(r, http.StatusOK, map[string]interface{}{"client_id": "client-1"}), nil
}
return httpJSONAny(r, http.StatusInternalServerError, map[string]string{"error": "hydra error"}), nil
if r.Method == http.MethodDelete && r.URL.Path == "/clients/client-1" {
return &http.Response{StatusCode: http.StatusNoContent, Body: http.NoBody}, nil
}
return httpJSONAny(r, http.StatusNotFound, nil), nil
})
mockKeto := new(MockKetoService)
secretRepo := &mockSecretRepo{secrets: make(map[string]string)}
redisRepo := &mockRedisRepo{data: make(map[string]string)}
secretRepo := &mockSecretRepo{secrets: map[string]string{"client-1": "secret"}}
redisRepo := &devMockRedisRepo{data: map[string]string{"client_secret:client-1": "secret"}}
h := &DevHandler{
Hydra: &service.HydraAdminService{
@@ -150,102 +185,214 @@ func TestCreateClient_Success(t *testing.T) {
},
SecretRepo: secretRepo,
Redis: redisRepo,
Keto: mockKeto,
Keto: new(devMockKetoService),
}
app := fiber.New()
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_profile", &domain.UserProfileResponse{ID: "test-user", Role: domain.RoleSuperAdmin})
c.Locals("user_profile", &domain.UserProfileResponse{ID: "user-1", Role: domain.RoleSuperAdmin})
return c.Next()
})
app.Post("/api/v1/dev/clients", h.CreateClient)
body, _ := json.Marshal(map[string]interface{}{
"client_name": "New App",
"type": "private",
"redirectUris": []string{"http://localhost/cb"},
})
req := httptest.NewRequest(http.MethodPost, "/api/v1/dev/clients", bytes.NewReader(body))
req.Header.Set("Content-Type", "application/json")
app.Delete("/api/v1/dev/clients/:id", h.DeleteClient)
req := httptest.NewRequest(http.MethodDelete, "/api/v1/dev/clients/client-1", nil)
resp, _ := app.Test(req, -1)
assert.Equal(t, http.StatusCreated, resp.StatusCode)
secret, _ := secretRepo.GetByID(nil, "new-client-123")
assert.Equal(t, "secret-123", secret)
assert.Equal(t, http.StatusNoContent, resp.StatusCode)
s, _ := secretRepo.GetByID(nil, "client-1")
assert.Empty(t, s)
_, err := redisRepo.Get("client_secret:client-1")
assert.Error(t, err)
}
func TestListAuditLogs_FilterByActionAndClientID(t *testing.T) {
now := time.Now().UTC()
func TestRotateClientSecret_Success(t *testing.T) {
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
if r.Method == http.MethodGet && r.URL.Path == "/clients/client-1" {
return httpJSONAny(r, http.StatusOK, map[string]interface{}{"client_id": "client-1"}), nil
}
if r.Method == http.MethodPut && r.URL.Path == "/clients/client-1" {
var body map[string]interface{}
json.NewDecoder(r.Body).Decode(&body)
return httpJSONAny(r, http.StatusOK, body), nil
}
return httpJSONAny(r, http.StatusNotFound, nil), nil
})
secretRepo := &mockSecretRepo{secrets: make(map[string]string)}
redisRepo := &devMockRedisRepo{data: make(map[string]string)}
h := &DevHandler{
Hydra: &service.HydraAdminService{
AdminURL: "http://hydra.test",
HTTPClient: &http.Client{Transport: transport},
},
SecretRepo: secretRepo,
Redis: redisRepo,
Keto: new(devMockKetoService),
}
app := fiber.New()
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_profile", &domain.UserProfileResponse{ID: "user-1", Role: domain.RoleSuperAdmin})
return c.Next()
})
app.Post("/api/v1/dev/clients/:id/secret/rotate", h.RotateClientSecret)
req := httptest.NewRequest(http.MethodPost, "/api/v1/dev/clients/client-1/secret/rotate", nil)
resp, _ := app.Test(req, -1)
assert.Equal(t, http.StatusOK, resp.StatusCode)
var res clientDetailResponse
json.NewDecoder(resp.Body).Decode(&res)
assert.NotEmpty(t, res.Client.ClientSecret)
dbS, _ := secretRepo.GetByID(nil, "client-1")
assert.Equal(t, res.Client.ClientSecret, dbS)
}
func TestGetStats_Success(t *testing.T) {
transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
if r.URL.Path == "/clients" {
return httpJSONAny(r, http.StatusOK, []map[string]interface{}{
{"client_id": "c1", "metadata": map[string]interface{}{"tenant_id": "t1"}},
{"client_id": "c2", "metadata": map[string]interface{}{"tenant_id": "t1"}},
{"client_id": "c3", "metadata": map[string]interface{}{"tenant_id": "t2"}},
}), nil
}
return httpJSONAny(r, http.StatusNotFound, nil), nil
})
auditRepo := &devEnhancedMockAuditRepo{
countFailures: 7,
countSessions: 3,
}
mockKeto := new(devMockKetoService)
h := &DevHandler{
Hydra: &service.HydraAdminService{
AdminURL: "http://hydra.test",
HTTPClient: &http.Client{Transport: transport},
},
AuditRepo: auditRepo,
Keto: mockKeto,
}
app := fiber.New()
tenantID := "t1"
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_profile", &domain.UserProfileResponse{
ID: "u1", Role: domain.RoleTenantAdmin, TenantID: &tenantID,
})
return c.Next()
})
app.Get("/api/v1/dev/stats", h.GetStats)
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/stats", nil)
resp, _ := app.Test(req, -1)
assert.Equal(t, http.StatusOK, resp.StatusCode)
var res devStatsResponse
json.NewDecoder(resp.Body).Decode(&res)
assert.Equal(t, int64(2), res.TotalClients)
assert.Equal(t, int64(7), res.AuthFailures)
assert.Equal(t, int64(3), res.ActiveSessions)
mockKeto.AssertNotCalled(t, "CheckPermission", mock.Anything, mock.Anything, "System", "AppManager", "member")
}
func TestDevHandler_NoAuditNoAction(t *testing.T) {
h := &DevHandler{
Hydra: &service.HydraAdminService{AdminURL: "http://hydra.test"},
AuditRepo: nil, // Missing
Keto: new(devMockKetoService),
}
t.Run("Mutating action fails when audit log is unavailable", func(t *testing.T) {
app := fiber.New()
app.Use(func(c *fiber.Ctx) error {
if h.AuditRepo == nil {
return c.Status(fiber.StatusServiceUnavailable).JSON(fiber.Map{"error": "Audit service unavailable"})
}
return c.Next()
})
app.Post("/api/v1/dev/clients", h.CreateClient)
req := httptest.NewRequest(http.MethodPost, "/api/v1/dev/clients", bytes.NewReader([]byte("{}")))
resp, _ := app.Test(req, -1)
assert.Equal(t, http.StatusServiceUnavailable, resp.StatusCode)
})
}
func TestListAuditLogs_TenantMemberForbidden(t *testing.T) {
h := &DevHandler{
Hydra: &service.HydraAdminService{AdminURL: "http://hydra.test"},
AuditRepo: &mockAuditRepo{},
Keto: new(devMockKetoService),
}
app := fiber.New()
tenantID := "tenant-a"
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_profile", &domain.UserProfileResponse{
ID: "u-member",
Role: domain.RoleUser,
TenantID: &tenantID,
})
return c.Next()
})
app.Get("/api/v1/dev/audit-logs", h.ListAuditLogs)
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/audit-logs", nil)
resp, _ := app.Test(req, -1)
assert.Equal(t, http.StatusForbidden, resp.StatusCode)
}
func TestListAuditLogs_RPAdminScope(t *testing.T) {
auditRepo := &mockAuditRepo{
logs: []domain.AuditLog{
{
EventID: "evt-1",
Timestamp: now,
UserID: "user-a",
EventType: "PUT /api/v1/dev/clients/client-1",
EventType: "POST /api/v1/dev/clients",
Status: "success",
Details: `{"action":"UPDATE_CLIENT","target_id":"client-1","tenant_id":"tenant-a"}`,
Timestamp: time.Now().UTC(),
Details: `{"target_id":"client-allowed","tenant_id":"tenant-a","action":"CREATE_CLIENT"}`,
},
{
EventID: "evt-2",
Timestamp: now.Add(-time.Minute),
UserID: "user-a",
EventType: "DELETE /api/v1/dev/clients/client-1",
EventType: "POST /api/v1/dev/clients",
Status: "success",
Details: `{"action":"DELETE_CLIENT","target_id":"client-1","tenant_id":"tenant-a"}`,
},
{
EventID: "evt-3",
Timestamp: now.Add(-2 * time.Minute),
UserID: "user-b",
EventType: "PUT /api/v1/dev/clients/client-2",
Status: "failure",
Details: `{"action":"UPDATE_CLIENT","target_id":"client-2","tenant_id":"tenant-b"}`,
Timestamp: time.Now().UTC().Add(-time.Minute),
Details: `{"target_id":"client-other","tenant_id":"tenant-a","action":"CREATE_CLIENT"}`,
},
},
}
h := &DevHandler{
Hydra: &service.HydraAdminService{AdminURL: "http://hydra.test"},
AuditRepo: auditRepo,
Keto: new(MockKetoService),
Keto: new(devMockKetoService),
}
app := fiber.New()
tenantID := "tenant-a"
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_profile", &domain.UserProfileResponse{ID: "test-user", Role: domain.RoleSuperAdmin})
return c.Next()
})
app.Get("/api/v1/dev/audit-logs", h.ListAuditLogs)
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/audit-logs?action=UPDATE_CLIENT&client_id=client-1&status=success", nil)
resp, _ := app.Test(req, -1)
assert.Equal(t, http.StatusOK, resp.StatusCode)
var res devAuditListResponse
_ = json.NewDecoder(resp.Body).Decode(&res)
assert.Len(t, res.Items, 1)
assert.Equal(t, "evt-1", res.Items[0].EventID)
assert.Equal(t, "success", res.Items[0].Status)
}
func TestListAuditLogs_NonAdminKetoErrorReturnsForbidden(t *testing.T) {
mockKeto := new(MockKetoService)
mockKeto.On("CheckPermission", mock.Anything, "user-1", "System", "AppManager", "member").Return(false, assert.AnError)
h := &DevHandler{
AuditRepo: &mockAuditRepo{},
Keto: mockKeto,
}
app := fiber.New()
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_profile", &domain.UserProfileResponse{ID: "user-1", Role: domain.RoleUser})
c.Locals("user_profile", &domain.UserProfileResponse{
ID: "u-rp-admin",
Role: domain.RoleRPAdmin,
TenantID: &tenantID,
Metadata: map[string]any{
"managed_client_ids": []any{"client-allowed"},
},
})
return c.Next()
})
app.Get("/api/v1/dev/audit-logs", h.ListAuditLogs)
req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/audit-logs?limit=50", nil)
resp, _ := app.Test(req, -1)
assert.Equal(t, http.StatusOK, resp.StatusCode)
assert.Equal(t, http.StatusForbidden, resp.StatusCode)
mockKeto.AssertExpectations(t)
var result devAuditListResponse
_ = json.NewDecoder(resp.Body).Decode(&result)
assert.Len(t, result.Items, 1)
assert.Equal(t, "evt-1", result.Items[0].EventID)
}

7
backend/internal/handler/relying_party_handler.go
View File

@@ -44,13 +44,14 @@ func (h *RelyingPartyHandler) ListAll(c *fiber.Ctx) error {
var rps []domain.RelyingParty
var err error
role := domain.NormalizeRole(profile.Role)
if profile.Role == domain.RoleSuperAdmin {
if role == domain.RoleSuperAdmin {
rps, err = h.Service.ListAll(c.Context())
} else if profile.Role == domain.RoleTenantAdmin && profile.TenantID != nil {
} else if role == domain.RoleTenantAdmin && profile.TenantID != nil {
rps, err = h.Service.List(c.Context(), *profile.TenantID)
} else {
slog.Warn("Forbidden access to all applications", "userID", profile.ID, "role", profile.Role)
slog.Warn("Forbidden access to all applications", "userID", profile.ID, "role", role)
return errorJSON(c, fiber.StatusForbidden, "forbidden: insufficient role to list all applications")
}

2
backend/internal/handler/tenant_handler.go
View File

@@ -116,7 +116,7 @@ func (h *TenantHandler) ListTenants(c *fiber.Ctx) error {
profile, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
// If Tenant Admin, only list manageable tenants
if profile != nil && profile.Role == domain.RoleTenantAdmin {
if profile != nil && domain.NormalizeRole(profile.Role) == domain.RoleTenantAdmin {
slog.Info("Listing manageable tenants for tenant admin", "userID", profile.ID)
tenants, err = h.Service.ListManageableTenants(c.Context(), profile.ID)
if err != nil {

33
backend/internal/handler/user_handler.go
View File

@@ -76,7 +76,8 @@ func (h *UserHandler) ListUsers(c *fiber.Ctx) error {
// [New] Get requester profile from middleware
var requesterRole string
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok {
requesterRole = profile.Role
requesterRole = domain.NormalizeRole(profile.Role)
requesterCompany = profile.CompanyCode
}
limit := c.QueryInt("limit", 50)
@@ -306,9 +307,9 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
}
}
role := strings.TrimSpace(req.Role)
role := domain.NormalizeRole(req.Role)
if role == "" {
role = "user"
role = domain.RoleUser
}
attributes := map[string]interface{}{
@@ -969,7 +970,7 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
// [New] Check access scope
requester, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
if requester != nil && requester.Role == domain.RoleTenantAdmin {
if requester != nil && domain.NormalizeRole(requester.Role) == domain.RoleTenantAdmin {
compCode := extractTraitString(identity.Traits, "companyCode")
if requester.CompanyCode == "" || compCode != requester.CompanyCode {
return errorJSON(c, fiber.StatusForbidden, "forbidden: cannot update user in another tenant")
@@ -991,7 +992,7 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
}
// [New] Tenant Admin restriction: Cannot change companyCode
if requester != nil && requester.Role == domain.RoleTenantAdmin {
if requester != nil && domain.NormalizeRole(requester.Role) == domain.RoleTenantAdmin {
if req.CompanyCode != nil && *req.CompanyCode != requester.CompanyCode {
return errorJSON(c, fiber.StatusForbidden, "forbidden: tenant admins cannot change user's tenant")
}
@@ -1068,9 +1069,9 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
traits["department"] = strings.TrimSpace(*req.Department)
}
if req.Role != nil {
role := strings.TrimSpace(*req.Role)
role := domain.NormalizeRole(*req.Role)
if role == "" {
role = "user"
role = domain.RoleUser
}
traits["grade"] = role
traits["role"] = role
@@ -1133,7 +1134,7 @@ func (h *UserHandler) DeleteUser(c *fiber.Ctx) error {
// [New] Check access scope before deletion
requester, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
if requester != nil && requester.Role == domain.RoleTenantAdmin {
if requester != nil && domain.NormalizeRole(requester.Role) == domain.RoleTenantAdmin {
identity, err := h.KratosAdmin.GetIdentity(c.Context(), userID)
if err == nil && identity != nil {
compCode := extractTraitString(identity.Traits, "companyCode")
@@ -1167,7 +1168,11 @@ func (h *UserHandler) mapIdentitySummary(ctx context.Context, identity service.K
traits := identity.Traits
role := extractTraitString(traits, "grade")
if role == "" {
role = "user"
role = extractTraitString(traits, "role")
}
role = domain.NormalizeRole(role)
if role == "" {
role = domain.RoleUser
}
compCode := extractTraitString(traits, "companyCode")
@@ -1229,9 +1234,12 @@ func (h *UserHandler) mapToLocalUser(identity service.KratosIdentity) *domain.Us
traits := identity.Traits
role := extractTraitString(traits, "grade")
if role == "" {
role = "user"
role = extractTraitString(traits, "role")
}
role = domain.NormalizeRole(role)
if role == "" {
role = domain.RoleUser
}
// Try "companyCode" first, then fallback to "company_code"
compCode := extractTraitString(traits, "companyCode")
if compCode == "" {
compCode = extractTraitString(traits, "company_code")
@@ -1283,6 +1291,9 @@ func (h *UserHandler) mapToLocalUser(identity service.KratosIdentity) *domain.Us
}
func (h *UserHandler) syncKetoRole(ctx context.Context, userID, newRole, oldRole, oldTenantID string, newTenantID *string) {
newRole = domain.NormalizeRole(newRole)
oldRole = domain.NormalizeRole(oldRole)
if h.KetoOutboxRepo == nil {
return
}