forked from baron/baron-sso
tenants 명칭 및 profile 전화번호 추가
This commit is contained in:
@@ -1111,6 +1111,9 @@ func buildOidcClaimsFromTraits(traits map[string]any, scopes []string, tenantID
|
|||||||
if len(emails) > 0 {
|
if len(emails) > 0 {
|
||||||
profile["emails"] = emails
|
profile["emails"] = emails
|
||||||
}
|
}
|
||||||
|
if phone := getString("phone_number"); phone != "" {
|
||||||
|
profile["phones"] = []string{phone}
|
||||||
|
}
|
||||||
if len(profile) > 0 {
|
if len(profile) > 0 {
|
||||||
claims["profile"] = profile
|
claims["profile"] = profile
|
||||||
}
|
}
|
||||||
@@ -1364,7 +1367,7 @@ func (h *AuthHandler) withHanmacFamilyTenantClaims(ctx context.Context, claims m
|
|||||||
|
|
||||||
func tenantClaimScopeRequested(scopes []string) bool {
|
func tenantClaimScopeRequested(scopes []string) bool {
|
||||||
for _, scope := range scopes {
|
for _, scope := range scopes {
|
||||||
if strings.EqualFold(strings.TrimSpace(scope), "tenant") {
|
if strings.EqualFold(strings.TrimSpace(scope), "tenants") || strings.EqualFold(strings.TrimSpace(scope), "tenant") {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -203,7 +203,7 @@ func TestGetConsentRequest_AddsMandatoryTenantScope(t *testing.T) {
|
|||||||
"allowed_tenants": []string{"tenant-allow"},
|
"allowed_tenants": []string{"tenant-allow"},
|
||||||
"structured_scopes": []map[string]any{
|
"structured_scopes": []map[string]any{
|
||||||
{"name": "openid", "mandatory": true},
|
{"name": "openid", "mandatory": true},
|
||||||
{"name": "tenant", "mandatory": true, "locked": true},
|
{"name": "tenants", "mandatory": true, "locked": true},
|
||||||
{"name": "profile", "mandatory": false},
|
{"name": "profile", "mandatory": false},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@@ -262,9 +262,9 @@ func TestGetConsentRequest_AddsMandatoryTenantScope(t *testing.T) {
|
|||||||
var body map[string]any
|
var body map[string]any
|
||||||
json.NewDecoder(resp.Body).Decode(&body)
|
json.NewDecoder(resp.Body).Decode(&body)
|
||||||
|
|
||||||
assert.Equal(t, []any{"openid", "tenant", "profile"}, body["requested_scope"])
|
assert.Equal(t, []any{"openid", "tenants", "profile"}, body["requested_scope"])
|
||||||
scopeDetails := body["scope_details"].(map[string]any)
|
scopeDetails := body["scope_details"].(map[string]any)
|
||||||
tenantDetail := scopeDetails["tenant"].(map[string]any)
|
tenantDetail := scopeDetails["tenants"].(map[string]any)
|
||||||
assert.Equal(t, true, tenantDetail["mandatory"])
|
assert.Equal(t, true, tenantDetail["mandatory"])
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -448,7 +448,7 @@ func TestAcceptConsentRequest_EnforcesMandatoryTenantScope(t *testing.T) {
|
|||||||
"allowed_tenants": []string{"tenant-abc"},
|
"allowed_tenants": []string{"tenant-abc"},
|
||||||
"structured_scopes": []map[string]any{
|
"structured_scopes": []map[string]any{
|
||||||
{"name": "openid", "mandatory": true},
|
{"name": "openid", "mandatory": true},
|
||||||
{"name": "tenant", "mandatory": true, "locked": true},
|
{"name": "tenants", "mandatory": true, "locked": true},
|
||||||
{"name": "profile", "mandatory": false},
|
{"name": "profile", "mandatory": false},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@@ -511,5 +511,5 @@ func TestAcceptConsentRequest_EnforcesMandatoryTenantScope(t *testing.T) {
|
|||||||
resp, err := app.Test(req)
|
resp, err := app.Test(req)
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
||||||
assert.Equal(t, []string{"openid", "tenant", "profile"}, capturedGrantScopes)
|
assert.Equal(t, []string{"openid", "tenants", "profile"}, capturedGrantScopes)
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -72,6 +72,7 @@ func TestBuildOidcClaimsFromTraits_DynamicClaims(t *testing.T) {
|
|||||||
traits := map[string]any{
|
traits := map[string]any{
|
||||||
"email": "user@baron.com",
|
"email": "user@baron.com",
|
||||||
"name": "홍길동",
|
"name": "홍길동",
|
||||||
|
"phone_number": "+821012345678",
|
||||||
"tenant_id": "primary-tenant-999", // Added primary tenant
|
"tenant_id": "primary-tenant-999", // Added primary tenant
|
||||||
"tenant-1": map[string]any{
|
"tenant-1": map[string]any{
|
||||||
"department": "개발팀",
|
"department": "개발팀",
|
||||||
@@ -91,6 +92,8 @@ func TestBuildOidcClaimsFromTraits_DynamicClaims(t *testing.T) {
|
|||||||
assert.Equal(t, "primary-tenant-999", claims["tenant_id"])
|
assert.Equal(t, "primary-tenant-999", claims["tenant_id"])
|
||||||
assert.Nil(t, claims["department"])
|
assert.Nil(t, claims["department"])
|
||||||
assert.Nil(t, claims["grade"])
|
assert.Nil(t, claims["grade"])
|
||||||
|
profile := claims["profile"].(map[string]any)
|
||||||
|
assert.Equal(t, []string{"+821012345678"}, profile["phones"])
|
||||||
|
|
||||||
assert.Nil(t, claims["tenants"])
|
assert.Nil(t, claims["tenants"])
|
||||||
assert.Contains(t, claims["joined_tenants"], "tenant-1")
|
assert.Contains(t, claims["joined_tenants"], "tenant-1")
|
||||||
@@ -105,6 +108,8 @@ func TestBuildOidcClaimsFromTraits_DynamicClaims(t *testing.T) {
|
|||||||
assert.Equal(t, "tenant-1", claims["tenant_id"])
|
assert.Equal(t, "tenant-1", claims["tenant_id"])
|
||||||
assert.Nil(t, claims["department"])
|
assert.Nil(t, claims["department"])
|
||||||
assert.Nil(t, claims["grade"])
|
assert.Nil(t, claims["grade"])
|
||||||
|
profile := claims["profile"].(map[string]any)
|
||||||
|
assert.Equal(t, []string{"+821012345678"}, profile["phones"])
|
||||||
|
|
||||||
assert.Nil(t, claims["tenants"])
|
assert.Nil(t, claims["tenants"])
|
||||||
assert.Contains(t, claims["joined_tenants"], "tenant-1")
|
assert.Contains(t, claims["joined_tenants"], "tenant-1")
|
||||||
@@ -119,6 +124,8 @@ func TestBuildOidcClaimsFromTraits_DynamicClaims(t *testing.T) {
|
|||||||
assert.Equal(t, "tenant-2", claims["tenant_id"])
|
assert.Equal(t, "tenant-2", claims["tenant_id"])
|
||||||
assert.Nil(t, claims["department"])
|
assert.Nil(t, claims["department"])
|
||||||
assert.Nil(t, claims["grade"])
|
assert.Nil(t, claims["grade"])
|
||||||
|
profile := claims["profile"].(map[string]any)
|
||||||
|
assert.Equal(t, []string{"+821012345678"}, profile["phones"])
|
||||||
|
|
||||||
assert.Nil(t, claims["tenants"])
|
assert.Nil(t, claims["tenants"])
|
||||||
assert.Contains(t, claims["joined_tenants"], "primary-tenant-999")
|
assert.Contains(t, claims["joined_tenants"], "primary-tenant-999")
|
||||||
@@ -131,17 +138,21 @@ func TestBuildOidcClaimsFromTraits_DynamicClaims(t *testing.T) {
|
|||||||
assert.Equal(t, "tenant-3", claims["tenant_id"])
|
assert.Equal(t, "tenant-3", claims["tenant_id"])
|
||||||
assert.Nil(t, claims["department"])
|
assert.Nil(t, claims["department"])
|
||||||
assert.Nil(t, claims["grade"])
|
assert.Nil(t, claims["grade"])
|
||||||
|
profile := claims["profile"].(map[string]any)
|
||||||
|
assert.Equal(t, []string{"+821012345678"}, profile["phones"])
|
||||||
|
|
||||||
assert.Nil(t, claims["tenants"])
|
assert.Nil(t, claims["tenants"])
|
||||||
assert.Contains(t, claims["joined_tenants"], "tenant-1")
|
assert.Contains(t, claims["joined_tenants"], "tenant-1")
|
||||||
assert.Contains(t, claims["joined_tenants"], "primary-tenant-999")
|
assert.Contains(t, claims["joined_tenants"], "primary-tenant-999")
|
||||||
})
|
})
|
||||||
|
|
||||||
t.Run("Tenant scope includes detailed tenant metadata", func(t *testing.T) {
|
t.Run("Tenants scope includes detailed tenant metadata", func(t *testing.T) {
|
||||||
claims := buildOidcClaimsFromTraits(traits, []string{"openid", "profile", "tenant"}, "tenant-1")
|
claims := buildOidcClaimsFromTraits(traits, []string{"openid", "profile", "tenants"}, "tenant-1")
|
||||||
assert.Equal(t, "tenant-1", claims["tenant_id"])
|
assert.Equal(t, "tenant-1", claims["tenant_id"])
|
||||||
assert.Equal(t, "개발팀", claims["department"])
|
assert.Equal(t, "개발팀", claims["department"])
|
||||||
assert.Equal(t, "선임", claims["grade"])
|
assert.Equal(t, "선임", claims["grade"])
|
||||||
|
profile := claims["profile"].(map[string]any)
|
||||||
|
assert.Equal(t, []string{"+821012345678"}, profile["phones"])
|
||||||
assert.NotNil(t, claims["tenants"])
|
assert.NotNil(t, claims["tenants"])
|
||||||
assert.Contains(t, claims["joined_tenants"], "tenant-1")
|
assert.Contains(t, claims["joined_tenants"], "tenant-1")
|
||||||
assert.Contains(t, claims["joined_tenants"], "tenant-2")
|
assert.Contains(t, claims["joined_tenants"], "tenant-2")
|
||||||
@@ -190,7 +201,7 @@ func TestAcceptConsentRequest_DynamicClaims(t *testing.T) {
|
|||||||
if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-dynamic" {
|
if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-dynamic" {
|
||||||
return httpJSONAny(r, http.StatusOK, map[string]any{
|
return httpJSONAny(r, http.StatusOK, map[string]any{
|
||||||
"challenge": "challenge-dynamic",
|
"challenge": "challenge-dynamic",
|
||||||
"requested_scope": []string{"openid", "profile", "tenant"},
|
"requested_scope": []string{"openid", "profile", "tenants"},
|
||||||
"subject": "user-123",
|
"subject": "user-123",
|
||||||
"client": map[string]any{
|
"client": map[string]any{
|
||||||
"client_id": "client-app",
|
"client_id": "client-app",
|
||||||
@@ -260,7 +271,7 @@ func TestAcceptConsentRequest_DynamicClaims(t *testing.T) {
|
|||||||
|
|
||||||
reqBody, _ := json.Marshal(map[string]any{
|
reqBody, _ := json.Marshal(map[string]any{
|
||||||
"consent_challenge": "challenge-dynamic",
|
"consent_challenge": "challenge-dynamic",
|
||||||
"grant_scope": []string{"openid", "profile", "tenant"},
|
"grant_scope": []string{"openid", "profile", "tenants"},
|
||||||
})
|
})
|
||||||
req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/consent/accept", bytes.NewReader(reqBody))
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/consent/accept", bytes.NewReader(reqBody))
|
||||||
req.Header.Set("Content-Type", "application/json")
|
req.Header.Set("Content-Type", "application/json")
|
||||||
@@ -290,7 +301,7 @@ func TestAcceptConsentRequest_UsesRepresentativeTenantIDInsteadOfClientTenantCon
|
|||||||
if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-representative-tenant" {
|
if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-representative-tenant" {
|
||||||
return httpJSONAny(r, http.StatusOK, map[string]any{
|
return httpJSONAny(r, http.StatusOK, map[string]any{
|
||||||
"challenge": "challenge-representative-tenant",
|
"challenge": "challenge-representative-tenant",
|
||||||
"requested_scope": []string{"openid", "profile", "tenant"},
|
"requested_scope": []string{"openid", "profile", "tenants"},
|
||||||
"subject": "user-representative",
|
"subject": "user-representative",
|
||||||
"client": map[string]any{
|
"client": map[string]any{
|
||||||
"client_id": "client-app",
|
"client_id": "client-app",
|
||||||
@@ -367,7 +378,7 @@ func TestAcceptConsentRequest_IncludesHanmacFamilyTenantClaimDetails(t *testing.
|
|||||||
if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-hanmac-tenant-claim" {
|
if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-hanmac-tenant-claim" {
|
||||||
return httpJSONAny(r, http.StatusOK, map[string]any{
|
return httpJSONAny(r, http.StatusOK, map[string]any{
|
||||||
"challenge": "challenge-hanmac-tenant-claim",
|
"challenge": "challenge-hanmac-tenant-claim",
|
||||||
"requested_scope": []string{"openid", "profile", "tenant"},
|
"requested_scope": []string{"openid", "profile", "tenants"},
|
||||||
"subject": "user-hanmac",
|
"subject": "user-hanmac",
|
||||||
"client": map[string]any{
|
"client": map[string]any{
|
||||||
"client_id": "hanmac-rp",
|
"client_id": "hanmac-rp",
|
||||||
@@ -462,7 +473,7 @@ func TestAcceptConsentRequest_IncludesHanmacFamilyTenantClaimDetails(t *testing.
|
|||||||
|
|
||||||
reqBody, _ := json.Marshal(map[string]any{
|
reqBody, _ := json.Marshal(map[string]any{
|
||||||
"consent_challenge": "challenge-hanmac-tenant-claim",
|
"consent_challenge": "challenge-hanmac-tenant-claim",
|
||||||
"grant_scope": []string{"openid", "profile", "tenant"},
|
"grant_scope": []string{"openid", "profile", "tenants"},
|
||||||
})
|
})
|
||||||
req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/consent/accept", bytes.NewReader(reqBody))
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/consent/accept", bytes.NewReader(reqBody))
|
||||||
req.Header.Set("Content-Type", "application/json")
|
req.Header.Set("Content-Type", "application/json")
|
||||||
@@ -574,7 +585,7 @@ func TestAcceptConsentRequest_DoesNotEmitLegacyProfileArray(t *testing.T) {
|
|||||||
if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-rp-profile" {
|
if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-rp-profile" {
|
||||||
return httpJSONAny(r, http.StatusOK, map[string]any{
|
return httpJSONAny(r, http.StatusOK, map[string]any{
|
||||||
"challenge": "challenge-rp-profile",
|
"challenge": "challenge-rp-profile",
|
||||||
"requested_scope": []string{"openid", "profile", "tenant"},
|
"requested_scope": []string{"openid", "profile", "tenants"},
|
||||||
"subject": "user-123",
|
"subject": "user-123",
|
||||||
"client": map[string]any{
|
"client": map[string]any{
|
||||||
"client_id": "client-app",
|
"client_id": "client-app",
|
||||||
@@ -666,7 +677,7 @@ func TestGetConsentRequest_Skip_DynamicClaims(t *testing.T) {
|
|||||||
if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-skip-dynamic" {
|
if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-skip-dynamic" {
|
||||||
return httpJSONAny(r, http.StatusOK, map[string]any{
|
return httpJSONAny(r, http.StatusOK, map[string]any{
|
||||||
"challenge": "challenge-skip-dynamic",
|
"challenge": "challenge-skip-dynamic",
|
||||||
"requested_scope": []string{"openid", "profile", "tenant"},
|
"requested_scope": []string{"openid", "profile", "tenants"},
|
||||||
"skip": true,
|
"skip": true,
|
||||||
"subject": "user-456",
|
"subject": "user-456",
|
||||||
"client": map[string]any{
|
"client": map[string]any{
|
||||||
@@ -861,7 +872,7 @@ func TestAcceptConsentRequest_AppliesConfiguredIDTokenClaims(t *testing.T) {
|
|||||||
if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-configured-claims" {
|
if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-configured-claims" {
|
||||||
return httpJSONAny(r, http.StatusOK, map[string]any{
|
return httpJSONAny(r, http.StatusOK, map[string]any{
|
||||||
"challenge": "challenge-configured-claims",
|
"challenge": "challenge-configured-claims",
|
||||||
"requested_scope": []string{"openid", "profile", "tenant"},
|
"requested_scope": []string{"openid", "profile", "tenants"},
|
||||||
"subject": "user-789",
|
"subject": "user-789",
|
||||||
"client": map[string]any{
|
"client": map[string]any{
|
||||||
"client_id": "client-configured-claims",
|
"client_id": "client-configured-claims",
|
||||||
@@ -973,7 +984,7 @@ func TestAcceptConsentRequest_UsesUpdatedRPUserMetadataForRPClaims(t *testing.T)
|
|||||||
if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-rp-user-claims" {
|
if r.URL.Path == "/oauth2/auth/requests/consent" && r.URL.Query().Get("consent_challenge") == "challenge-rp-user-claims" {
|
||||||
return httpJSONAny(r, http.StatusOK, map[string]any{
|
return httpJSONAny(r, http.StatusOK, map[string]any{
|
||||||
"challenge": "challenge-rp-user-claims",
|
"challenge": "challenge-rp-user-claims",
|
||||||
"requested_scope": []string{"openid", "profile", "tenant"},
|
"requested_scope": []string{"openid", "profile", "tenants"},
|
||||||
"subject": "user-rp-claims",
|
"subject": "user-rp-claims",
|
||||||
"client": map[string]any{
|
"client": map[string]any{
|
||||||
"client_id": "client-rp-claims",
|
"client_id": "client-rp-claims",
|
||||||
@@ -1119,7 +1130,7 @@ func TestAcceptConsentRequest_UsesUpdatedRPUserMetadataForRPClaims(t *testing.T)
|
|||||||
|
|
||||||
reqBody, _ := json.Marshal(map[string]any{
|
reqBody, _ := json.Marshal(map[string]any{
|
||||||
"consent_challenge": "challenge-rp-user-claims",
|
"consent_challenge": "challenge-rp-user-claims",
|
||||||
"grant_scope": []string{"openid", "profile", "tenant"},
|
"grant_scope": []string{"openid", "profile", "tenants"},
|
||||||
})
|
})
|
||||||
req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/consent/accept", bytes.NewReader(reqBody))
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/consent/accept", bytes.NewReader(reqBody))
|
||||||
req.Header.Set("Content-Type", "application/json")
|
req.Header.Set("Content-Type", "application/json")
|
||||||
|
|||||||
@@ -463,7 +463,7 @@ func normalizeScopesInConsentOrder(scopes []string) []string {
|
|||||||
out := make([]string, 0, len(combined))
|
out := make([]string, 0, len(combined))
|
||||||
|
|
||||||
appendIfPresent := func(scope string) {
|
appendIfPresent := func(scope string) {
|
||||||
scope = strings.TrimSpace(scope)
|
scope = canonicalConsentScopeName(scope)
|
||||||
if scope == "" || isLegacyRefreshTokenScopeAlias(scope) {
|
if scope == "" || isLegacyRefreshTokenScopeAlias(scope) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@@ -471,7 +471,7 @@ func normalizeScopesInConsentOrder(scopes []string) []string {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
for _, candidate := range combined {
|
for _, candidate := range combined {
|
||||||
if strings.TrimSpace(candidate) != scope {
|
if canonicalConsentScopeName(candidate) != scope {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
seen[scope] = struct{}{}
|
seen[scope] = struct{}{}
|
||||||
@@ -481,10 +481,10 @@ func normalizeScopesInConsentOrder(scopes []string) []string {
|
|||||||
}
|
}
|
||||||
|
|
||||||
appendIfPresent("openid")
|
appendIfPresent("openid")
|
||||||
appendIfPresent("tenant")
|
appendIfPresent("tenants")
|
||||||
|
|
||||||
for _, scope := range combined {
|
for _, scope := range combined {
|
||||||
scope = strings.TrimSpace(scope)
|
scope = canonicalConsentScopeName(scope)
|
||||||
if scope == "" || isLegacyRefreshTokenScopeAlias(scope) {
|
if scope == "" || isLegacyRefreshTokenScopeAlias(scope) {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
@@ -501,7 +501,7 @@ func normalizeScopesInConsentOrder(scopes []string) []string {
|
|||||||
func requiredClientScopes(client domain.HydraClient) []string {
|
func requiredClientScopes(client domain.HydraClient) []string {
|
||||||
required := make([]string, 0, 4)
|
required := make([]string, 0, 4)
|
||||||
if clientTenantAccessRestricted(client.Metadata) {
|
if clientTenantAccessRestricted(client.Metadata) {
|
||||||
required = append(required, "tenant")
|
required = append(required, "tenants")
|
||||||
}
|
}
|
||||||
|
|
||||||
if client.Metadata == nil {
|
if client.Metadata == nil {
|
||||||
@@ -535,3 +535,12 @@ func requiredClientScopes(client domain.HydraClient) []string {
|
|||||||
|
|
||||||
return normalizeScopesInConsentOrder(required)
|
return normalizeScopesInConsentOrder(required)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func canonicalConsentScopeName(scope string) string {
|
||||||
|
switch strings.ToLower(strings.TrimSpace(scope)) {
|
||||||
|
case "tenant":
|
||||||
|
return "tenants"
|
||||||
|
default:
|
||||||
|
return strings.TrimSpace(scope)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|||||||
@@ -121,20 +121,20 @@ func TestCreateClient_RejectsTenantAccessWithoutAllowedTenants(t *testing.T) {
|
|||||||
assert.False(t, hydraCalled)
|
assert.False(t, hydraCalled)
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestMergeRequestedScopesWithClientRequirements_AddsTenantScope(t *testing.T) {
|
func TestMergeRequestedScopesWithClientRequirements_AddsTenantsScope(t *testing.T) {
|
||||||
client := domain.HydraClient{
|
client := domain.HydraClient{
|
||||||
Metadata: map[string]any{
|
Metadata: map[string]any{
|
||||||
"tenant_access_restricted": true,
|
"tenant_access_restricted": true,
|
||||||
"structured_scopes": []map[string]any{
|
"structured_scopes": []map[string]any{
|
||||||
{"name": "openid", "mandatory": true},
|
{"name": "openid", "mandatory": true},
|
||||||
{"name": "tenant", "mandatory": true, "locked": true},
|
{"name": "tenants", "mandatory": true, "locked": true},
|
||||||
{"name": "profile", "mandatory": false},
|
{"name": "profile", "mandatory": false},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
merged := mergeRequestedScopesWithClientRequirements(client, []string{"openid", "profile"})
|
merged := mergeRequestedScopesWithClientRequirements(client, []string{"openid", "profile"})
|
||||||
assert.Equal(t, []string{"openid", "tenant", "profile"}, merged)
|
assert.Equal(t, []string{"openid", "tenants", "profile"}, merged)
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestMergeRequestedScopesWithClientRequirements_StripsRefreshTokenScopeAliases(t *testing.T) {
|
func TestMergeRequestedScopesWithClientRequirements_StripsRefreshTokenScopeAliases(t *testing.T) {
|
||||||
@@ -154,7 +154,7 @@ func TestMergeRequestedScopesWithClientRequirements_StripsRefreshTokenScopeAlias
|
|||||||
[]string{"openid", "offline", "profile", "offline_access"},
|
[]string{"openid", "offline", "profile", "offline_access"},
|
||||||
)
|
)
|
||||||
|
|
||||||
assert.Equal(t, []string{"openid", "tenant", "profile", "offline_access", "email"}, merged)
|
assert.Equal(t, []string{"openid", "tenants", "profile", "offline_access", "email"}, merged)
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestBuildHydraAuthorizationURL_StripsRefreshTokenScopeAliases(t *testing.T) {
|
func TestBuildHydraAuthorizationURL_StripsRefreshTokenScopeAliases(t *testing.T) {
|
||||||
|
|||||||
@@ -864,7 +864,7 @@ func TestUpdateClient_AuditDetailsIncludeGeneralSettingChanges(t *testing.T) {
|
|||||||
},
|
},
|
||||||
"grant_types": []string{"authorization_code", "refresh_token"},
|
"grant_types": []string{"authorization_code", "refresh_token"},
|
||||||
"response_types": []string{"code"},
|
"response_types": []string{"code"},
|
||||||
"scope": "openid profile email tenant",
|
"scope": "openid profile email tenants",
|
||||||
"token_endpoint_auth_method": "private_key_jwt",
|
"token_endpoint_auth_method": "private_key_jwt",
|
||||||
"metadata": map[string]any{
|
"metadata": map[string]any{
|
||||||
"status": "active",
|
"status": "active",
|
||||||
@@ -905,7 +905,7 @@ func TestUpdateClient_AuditDetailsIncludeGeneralSettingChanges(t *testing.T) {
|
|||||||
|
|
||||||
body, _ := json.Marshal(map[string]any{
|
body, _ := json.Marshal(map[string]any{
|
||||||
"name": "App One Updated",
|
"name": "App One Updated",
|
||||||
"scopes": []string{"openid", "profile", "email", "tenant"},
|
"scopes": []string{"openid", "profile", "email", "tenants"},
|
||||||
"metadata": map[string]any{
|
"metadata": map[string]any{
|
||||||
"tenant_access_restricted": true,
|
"tenant_access_restricted": true,
|
||||||
"allowed_tenants": []string{"tenant-1", "tenant-2"},
|
"allowed_tenants": []string{"tenant-1", "tenant-2"},
|
||||||
@@ -3009,7 +3009,7 @@ func TestUpdateClient_RevokesExistingConsentsWhenTenantPolicyChanges(t *testing.
|
|||||||
RedirectURIs: []string{"https://rp.example.com/callback"},
|
RedirectURIs: []string{"https://rp.example.com/callback"},
|
||||||
GrantTypes: []string{"authorization_code", "refresh_token"},
|
GrantTypes: []string{"authorization_code", "refresh_token"},
|
||||||
ResponseTypes: []string{"code"},
|
ResponseTypes: []string{"code"},
|
||||||
Scope: "openid tenant profile email",
|
Scope: "openid tenants profile email",
|
||||||
TokenEndpointAuthMethod: "none",
|
TokenEndpointAuthMethod: "none",
|
||||||
Metadata: map[string]any{
|
Metadata: map[string]any{
|
||||||
"tenant_access_restricted": true,
|
"tenant_access_restricted": true,
|
||||||
@@ -3093,7 +3093,7 @@ func TestUpdateClient_DoesNotRevokeConsentsWhenTenantPolicyUnchanged(t *testing.
|
|||||||
RedirectURIs: []string{"https://rp.example.com/callback"},
|
RedirectURIs: []string{"https://rp.example.com/callback"},
|
||||||
GrantTypes: []string{"authorization_code", "refresh_token"},
|
GrantTypes: []string{"authorization_code", "refresh_token"},
|
||||||
ResponseTypes: []string{"code"},
|
ResponseTypes: []string{"code"},
|
||||||
Scope: "openid tenant profile email",
|
Scope: "openid tenants profile email",
|
||||||
TokenEndpointAuthMethod: "none",
|
TokenEndpointAuthMethod: "none",
|
||||||
Metadata: map[string]any{
|
Metadata: map[string]any{
|
||||||
"tenant_access_restricted": true,
|
"tenant_access_restricted": true,
|
||||||
|
|||||||
@@ -91,7 +91,7 @@ function makeClientDetail(
|
|||||||
if (includeTenantScope) {
|
if (includeTenantScope) {
|
||||||
structuredScopes.push({
|
structuredScopes.push({
|
||||||
id: "2",
|
id: "2",
|
||||||
name: "tenant",
|
name: "tenants",
|
||||||
description: "Tenant access",
|
description: "Tenant access",
|
||||||
mandatory: tenantScopeMandatory,
|
mandatory: tenantScopeMandatory,
|
||||||
locked: tenantAccessRestricted,
|
locked: tenantAccessRestricted,
|
||||||
@@ -106,7 +106,7 @@ function makeClientDetail(
|
|||||||
status: "active",
|
status: "active",
|
||||||
redirectUris: ["https://rp.example.com/callback"],
|
redirectUris: ["https://rp.example.com/callback"],
|
||||||
scopes: includeTenantScope
|
scopes: includeTenantScope
|
||||||
? ["openid", "tenant", "profile"]
|
? ["openid", "tenants", "profile"]
|
||||||
: ["openid", "profile"],
|
: ["openid", "profile"],
|
||||||
tokenEndpointAuthMethod: "client_secret_basic",
|
tokenEndpointAuthMethod: "client_secret_basic",
|
||||||
metadata: {
|
metadata: {
|
||||||
@@ -334,7 +334,7 @@ describe("ClientGeneralPage RP claims", () => {
|
|||||||
);
|
);
|
||||||
});
|
});
|
||||||
|
|
||||||
it("preserves tenant scope mandatory state when tenant access restriction is off", async () => {
|
it("preserves tenants scope mandatory state when tenant access restriction is off", async () => {
|
||||||
fetchClientMock.mockResolvedValue(
|
fetchClientMock.mockResolvedValue(
|
||||||
makeClientDetail("old_claim", {
|
makeClientDetail("old_claim", {
|
||||||
includeTenantScope: true,
|
includeTenantScope: true,
|
||||||
@@ -355,7 +355,7 @@ describe("ClientGeneralPage RP claims", () => {
|
|||||||
const tenantScopeRow = Array.from(container.querySelectorAll("tr")).find(
|
const tenantScopeRow = Array.from(container.querySelectorAll("tr")).find(
|
||||||
(row) =>
|
(row) =>
|
||||||
Array.from(row.querySelectorAll("input")).some(
|
Array.from(row.querySelectorAll("input")).some(
|
||||||
(input) => (input as HTMLInputElement).value === "tenant",
|
(input) => (input as HTMLInputElement).value === "tenants",
|
||||||
),
|
),
|
||||||
);
|
);
|
||||||
|
|
||||||
@@ -393,7 +393,7 @@ describe("ClientGeneralPage RP claims", () => {
|
|||||||
tenant_access_restricted: false,
|
tenant_access_restricted: false,
|
||||||
structured_scopes: expect.arrayContaining([
|
structured_scopes: expect.arrayContaining([
|
||||||
expect.objectContaining({
|
expect.objectContaining({
|
||||||
name: "tenant",
|
name: "tenants",
|
||||||
mandatory: false,
|
mandatory: false,
|
||||||
locked: false,
|
locked: false,
|
||||||
}),
|
}),
|
||||||
|
|||||||
@@ -650,8 +650,8 @@ function ClientGeneralPage() {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
id: "2",
|
id: "2",
|
||||||
name: "tenant",
|
name: "tenants",
|
||||||
description: t("msg.dev.clients.scopes.tenant", "소속 테넌트 정보 접근"),
|
description: t("msg.dev.clients.scopes.tenants", "소속 테넌트 정보 접근"),
|
||||||
mandatory: false,
|
mandatory: false,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@@ -675,14 +675,14 @@ function ClientGeneralPage() {
|
|||||||
);
|
);
|
||||||
|
|
||||||
const tenantScopeDescription = t(
|
const tenantScopeDescription = t(
|
||||||
"msg.dev.clients.scopes.tenant",
|
"msg.dev.clients.scopes.tenants",
|
||||||
"소속 테넌트 정보 접근",
|
"소속 테넌트 정보 접근",
|
||||||
);
|
);
|
||||||
|
|
||||||
const buildTenantScope = useCallback(
|
const buildTenantScope = useCallback(
|
||||||
(id: string): ScopeItem => ({
|
(id: string): ScopeItem => ({
|
||||||
id,
|
id,
|
||||||
name: "tenant",
|
name: "tenants",
|
||||||
description: tenantScopeDescription,
|
description: tenantScopeDescription,
|
||||||
mandatory: true,
|
mandatory: true,
|
||||||
locked: true,
|
locked: true,
|
||||||
@@ -693,12 +693,15 @@ function ClientGeneralPage() {
|
|||||||
const normalizeScopesForTenantAccess = useCallback(
|
const normalizeScopesForTenantAccess = useCallback(
|
||||||
(nextScopes: ScopeItem[], restricted: boolean): ScopeItem[] => {
|
(nextScopes: ScopeItem[], restricted: boolean): ScopeItem[] => {
|
||||||
const normalized = nextScopes.map((scope) => {
|
const normalized = nextScopes.map((scope) => {
|
||||||
if (scope.name.trim() !== "tenant") {
|
const scopeName = scope.name.trim();
|
||||||
|
if (scopeName !== "tenants" && scopeName !== "tenant") {
|
||||||
return scope;
|
return scope;
|
||||||
}
|
}
|
||||||
|
const canonicalName = "tenants";
|
||||||
if (restricted) {
|
if (restricted) {
|
||||||
return {
|
return {
|
||||||
...scope,
|
...scope,
|
||||||
|
name: canonicalName,
|
||||||
description: scope.description || tenantScopeDescription,
|
description: scope.description || tenantScopeDescription,
|
||||||
mandatory: true,
|
mandatory: true,
|
||||||
locked: true,
|
locked: true,
|
||||||
@@ -706,6 +709,7 @@ function ClientGeneralPage() {
|
|||||||
}
|
}
|
||||||
return {
|
return {
|
||||||
...scope,
|
...scope,
|
||||||
|
name: canonicalName,
|
||||||
description: scope.description || tenantScopeDescription,
|
description: scope.description || tenantScopeDescription,
|
||||||
locked: false,
|
locked: false,
|
||||||
};
|
};
|
||||||
@@ -713,20 +717,23 @@ function ClientGeneralPage() {
|
|||||||
|
|
||||||
if (
|
if (
|
||||||
restricted &&
|
restricted &&
|
||||||
!normalized.some((scope) => scope.name.trim() === "tenant")
|
!normalized.some(
|
||||||
|
(scope) => scope.name.trim() === "tenants" || scope.name.trim() === "tenant",
|
||||||
|
)
|
||||||
) {
|
) {
|
||||||
normalized.push(buildTenantScope(`tenant-${Date.now()}`));
|
normalized.push(buildTenantScope(`tenants-${Date.now()}`));
|
||||||
}
|
}
|
||||||
|
|
||||||
const openidScopes = normalized.filter(
|
const openidScopes = normalized.filter(
|
||||||
(scope) => scope.name.trim() === "openid",
|
(scope) => scope.name.trim() === "openid",
|
||||||
);
|
);
|
||||||
const tenantScopes = normalized.filter(
|
const tenantScopes = normalized.filter(
|
||||||
(scope) => scope.name.trim() === "tenant",
|
(scope) =>
|
||||||
|
scope.name.trim() === "tenants" || scope.name.trim() === "tenant",
|
||||||
);
|
);
|
||||||
const remainingScopes = normalized.filter((scope) => {
|
const remainingScopes = normalized.filter((scope) => {
|
||||||
const name = scope.name.trim();
|
const name = scope.name.trim();
|
||||||
return name !== "openid" && name !== "tenant";
|
return name !== "openid" && name !== "tenants" && name !== "tenant";
|
||||||
});
|
});
|
||||||
|
|
||||||
return [...openidScopes, ...tenantScopes, ...remainingScopes];
|
return [...openidScopes, ...tenantScopes, ...remainingScopes];
|
||||||
@@ -762,7 +769,7 @@ function ClientGeneralPage() {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
id: "standard-tenant",
|
id: "standard-tenant",
|
||||||
name: "tenant",
|
name: "tenants",
|
||||||
description: tenantScopeDescription,
|
description: tenantScopeDescription,
|
||||||
source: "standard",
|
source: "standard",
|
||||||
},
|
},
|
||||||
@@ -2389,7 +2396,7 @@ function ClientGeneralPage() {
|
|||||||
<p className="leading-relaxed">
|
<p className="leading-relaxed">
|
||||||
{t(
|
{t(
|
||||||
"ui.dev.clients.general.tenant_access.hint",
|
"ui.dev.clients.general.tenant_access.hint",
|
||||||
"제한을 켜면 tenant 스코프가 자동으로 포함되며, 허용 테넌트를 하나 이상 선택해야 합니다.",
|
"제한을 켜면 tenants 스코프가 자동으로 포함되며, 허용 테넌트를 하나 이상 선택해야 합니다.",
|
||||||
)}
|
)}
|
||||||
</p>
|
</p>
|
||||||
</div>
|
</div>
|
||||||
|
|||||||
@@ -518,6 +518,8 @@ description = "Manage OIDC applications, authentication methods, redirect URIs,
|
|||||||
email = "Email"
|
email = "Email"
|
||||||
openid = "Openid"
|
openid = "Openid"
|
||||||
profile = "Profile"
|
profile = "Profile"
|
||||||
|
tenant = "Tenant access"
|
||||||
|
tenants = "Tenants access"
|
||||||
|
|
||||||
[msg.dev.dashboard]
|
[msg.dev.dashboard]
|
||||||
access_denied = "The dashboard is available only to users with developer access."
|
access_denied = "The dashboard is available only to users with developer access."
|
||||||
@@ -1622,7 +1624,7 @@ description = "Scope Description"
|
|||||||
mandatory = "Mandatory"
|
mandatory = "Mandatory"
|
||||||
name = "Scope Name"
|
name = "Scope Name"
|
||||||
delete = "Delete"
|
delete = "Delete"
|
||||||
tenant = "Tenant"
|
tenants = "Tenants"
|
||||||
|
|
||||||
[ui.dev.clients.general.tenant_access]
|
[ui.dev.clients.general.tenant_access]
|
||||||
title = "Tenant access restriction"
|
title = "Tenant access restriction"
|
||||||
@@ -1633,7 +1635,7 @@ search_placeholder = "Search by tenant name or slug"
|
|||||||
selected_title = "Allowed tenants"
|
selected_title = "Allowed tenants"
|
||||||
selected_empty = "No tenants selected yet."
|
selected_empty = "No tenants selected yet."
|
||||||
empty = "No tenants match your search."
|
empty = "No tenants match your search."
|
||||||
hint = "Turning this on adds the tenant scope automatically and requires at least one allowed tenant."
|
hint = "Turning this on adds the tenants scope automatically and requires at least one allowed tenant."
|
||||||
autocomplete_hint = "Type a tenant name to see autocomplete suggestions. Click one to add it to the allowed list."
|
autocomplete_hint = "Type a tenant name to see autocomplete suggestions. Click one to add it to the allowed list."
|
||||||
validation_required = "Select at least one allowed tenant when tenant access restriction is enabled."
|
validation_required = "Select at least one allowed tenant when tenant access restriction is enabled."
|
||||||
picker_title = "Select tenant"
|
picker_title = "Select tenant"
|
||||||
|
|||||||
@@ -518,6 +518,8 @@ description = "OIDC 앱, 인증 방식, 리다이렉트 URI, 비밀키 재발행
|
|||||||
email = "이메일 주소 접근"
|
email = "이메일 주소 접근"
|
||||||
openid = "OIDC 인증 필수 스코프"
|
openid = "OIDC 인증 필수 스코프"
|
||||||
profile = "기본 프로필 정보 접근"
|
profile = "기본 프로필 정보 접근"
|
||||||
|
tenant = "테넌트 접근"
|
||||||
|
tenants = "테넌트 접근"
|
||||||
|
|
||||||
[msg.dev.dashboard]
|
[msg.dev.dashboard]
|
||||||
access_denied = "대시보드는 개발자 권한이 있어야 볼 수 있습니다."
|
access_denied = "대시보드는 개발자 권한이 있어야 볼 수 있습니다."
|
||||||
@@ -1621,7 +1623,7 @@ description = "설명"
|
|||||||
mandatory = "필수"
|
mandatory = "필수"
|
||||||
name = "스코프 이름"
|
name = "스코프 이름"
|
||||||
delete = "삭제"
|
delete = "삭제"
|
||||||
tenant = "테넌트"
|
tenants = "테넌트들"
|
||||||
|
|
||||||
[ui.dev.clients.general.tenant_access]
|
[ui.dev.clients.general.tenant_access]
|
||||||
title = "테넌트 접근 제한"
|
title = "테넌트 접근 제한"
|
||||||
@@ -1632,7 +1634,7 @@ search_placeholder = "테넌트 이름 또는 슬러그로 검색"
|
|||||||
selected_title = "허용 테넌트"
|
selected_title = "허용 테넌트"
|
||||||
selected_empty = "아직 선택된 테넌트가 없습니다."
|
selected_empty = "아직 선택된 테넌트가 없습니다."
|
||||||
empty = "검색 결과가 없습니다."
|
empty = "검색 결과가 없습니다."
|
||||||
hint = "제한을 켜면 tenant 스코프가 자동으로 포함되며, 허용 테넌트를 하나 이상 선택해야 합니다."
|
hint = "제한을 켜면 tenants 스코프가 자동으로 포함되며, 허용 테넌트를 하나 이상 선택해야 합니다."
|
||||||
autocomplete_hint = "테넌트 이름을 입력하면 자동 완성 후보가 나타납니다. 클릭하면 허용 목록에 추가됩니다."
|
autocomplete_hint = "테넌트 이름을 입력하면 자동 완성 후보가 나타납니다. 클릭하면 허용 목록에 추가됩니다."
|
||||||
validation_required = "테넌트 접근 제한을 사용할 경우 허용 테넌트를 하나 이상 선택해야 합니다."
|
validation_required = "테넌트 접근 제한을 사용할 경우 허용 테넌트를 하나 이상 선택해야 합니다."
|
||||||
picker_title = "테넌트 선택"
|
picker_title = "테넌트 선택"
|
||||||
|
|||||||
@@ -241,6 +241,9 @@ Baron은 기본적으로 대표소속 tenant와 전체 소속 tenant 목록을
|
|||||||
"emails": [
|
"emails": [
|
||||||
"hanmac-user@example.com"
|
"hanmac-user@example.com"
|
||||||
],
|
],
|
||||||
|
"phones": [
|
||||||
|
"+821012345678"
|
||||||
|
],
|
||||||
"names": {
|
"names": {
|
||||||
"name": "한맥 사용자"
|
"name": "한맥 사용자"
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user