custom claim 타입보정 UI. 대표테넌트 노출 보정

2026-06-11 11:27:11 +09:00
parent 0bb3ccb850
commit f60b15a17b
37 changed files with 2952 additions and 417 deletions
--- a/backend/internal/handler/auth_handler_dynamic_claims_test.go
+++ b/backend/internal/handler/auth_handler_dynamic_claims_test.go
@@ -827,3 +827,148 @@ func TestAcceptConsentRequest_AppliesConfiguredIDTokenClaims(t *testing.T) {
 		assert.Equal(t, []any{"sso", "claims"}, rpClaims["features"])
 	}
 }
+
+func TestAcceptConsentRequest_UsesUpdatedRPUserMetadataForRPClaims(t *testing.T) {
+	var capturedClaims map[string]any
+
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-rp-user-claims" {
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"challenge":       "challenge-rp-user-claims",
+				"requested_scope": []string{"openid", "profile"},
+				"subject":         "user-rp-claims",
+				"client": map[string]any{
+					"client_id": "client-rp-claims",
+					"metadata": map[string]any{
+						"id_token_claims": []map[string]any{
+							{
+								"namespace": "rp_claims",
+								"key":       "approvalLevel",
+								"value":     "A",
+								"valueType": "text",
+							},
+							{
+								"namespace": "rp_claims",
+								"key":       "activeMember",
+								"value":     "true",
+								"valueType": "boolean",
+							},
+							{
+								"namespace": "rp_claims",
+								"key":       "score",
+								"value":     "1",
+								"valueType": "number",
+							},
+							{
+								"namespace": "rp_claims",
+								"key":       "featureList",
+								"value":     `["default"]`,
+								"valueType": "array",
+							},
+							{
+								"namespace": "rp_claims",
+								"key":       "preferences",
+								"value":     `{"theme":"light","density":"comfortable"}`,
+								"valueType": "object",
+							},
+							{
+								"namespace": "rp_claims",
+								"key":       "contractDate",
+								"value":     "2026-06-09",
+								"valueType": "date",
+							},
+							{
+								"namespace": "rp_claims",
+								"key":       "approvedAt",
+								"value":     "2026-06-09T09:30",
+								"valueType": "datetime",
+							},
+						},
+					},
+				},
+			}), nil
+		}
+		if r.URL.Path == "/oauth2/auth/requests/consent/accept" && r.URL.Query().Get("consent_challenge") == "challenge-rp-user-claims" {
+			body, _ := io.ReadAll(r.Body)
+			var acceptReq map[string]any
+			json.Unmarshal(body, &acceptReq)
+			if session, ok := acceptReq["session"].(map[string]any); ok {
+				capturedClaims = session["id_token"].(map[string]any)
+			}
+
+			return httpJSONAny(r, http.StatusOK, map[string]any{
+				"redirect_to": "http://rp/cb",
+			}), nil
+		}
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	})
+
+	client := &http.Client{Transport: transport}
+	h := &AuthHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: client,
+		},
+		KratosAdmin: new(MockKratosAdminService),
+	}
+	h.KratosAdmin.(*MockKratosAdminService).On("GetIdentity", mock.Anything, "user-rp-claims").Return(&service.KratosIdentity{
+		ID: "user-rp-claims",
+		Traits: map[string]any{
+			"email": "rp-user@example.com",
+			"name":  "RP User",
+		},
+	}, nil)
+	repo := new(devMockRPUserMetadataRepo)
+	repo.On("Get", mock.Anything, "client-rp-claims", "user-rp-claims").Return(&domain.RPUserMetadata{
+		ClientID: "client-rp-claims",
+		UserID:   "user-rp-claims",
+		Metadata: domain.JSONMap{
+			"approvalLevel": "B",
+			"activeMember":  false,
+			"score":         float64(42),
+			"featureList":   []any{"sso", "claims"},
+			"preferences": map[string]any{
+				"theme":   "dark",
+				"density": "compact",
+			},
+			"contractDate": "2026-06-10",
+			"approvedAt":   "2026-06-09T10:30",
+			"internalMemo": "must-not-leak",
+			"approvalLevel_permissions": map[string]any{
+				"readPermission":  "admin_only",
+				"writePermission": "user_and_admin",
+			},
+		},
+	}, nil).Once()
+	h.RPUserMetadataRepo = repo
+
+	app := fiber.New()
+	app.Post("/api/v1/auth/consent/accept", h.AcceptConsentRequest)
+
+	reqBody, _ := json.Marshal(map[string]any{
+		"consent_challenge": "challenge-rp-user-claims",
+		"grant_scope":       []string{"openid", "profile"},
+	})
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/consent/accept", bytes.NewReader(reqBody))
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := app.Test(req)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	assert.NotNil(t, capturedClaims)
+	rpClaims, ok := capturedClaims["rp_claims"].(map[string]any)
+	if assert.True(t, ok) {
+		assert.Equal(t, "B", rpClaims["approvalLevel"])
+		assert.Equal(t, false, rpClaims["activeMember"])
+		assert.Equal(t, float64(42), rpClaims["score"])
+		assert.Equal(t, []any{"sso", "claims"}, rpClaims["featureList"])
+		assert.Equal(t, map[string]any{"theme": "dark", "density": "compact"}, rpClaims["preferences"])
+		assert.Equal(t, "2026-06-10", rpClaims["contractDate"])
+		assert.Equal(t, "2026-06-09T10:30", rpClaims["approvedAt"])
+		assert.NotContains(t, rpClaims, "internalMemo")
+		assert.NotContains(t, rpClaims, "approvalLevel_permissions")
+	}
+	assert.NotContains(t, capturedClaims, "rp_profiles")
+	repo.AssertExpectations(t)
+}