package service import ( "baron-sso-backend/internal/domain" "bytes" "context" "encoding/json" "fmt" "io" "log/slog" "net" "net/http" "net/url" "os" "time" ) // OryProvider는 Kratos/Hydra를 기반으로 하는 IDP 어댑터의 최소 스켈레톤입니다. // 지금은 스키마 메타데이터만 반환하며, 나머지 동작은 후속 작업에서 구현합니다. type OryProvider struct { KratosAdminURL string KratosPublicURL string HydraAdminURL string HTTPClient *http.Client } func NewOryProvider() *OryProvider { return &OryProvider{ KratosAdminURL: getenv("KRATOS_ADMIN_URL", "http://kratos:4434"), KratosPublicURL: getenv("KRATOS_PUBLIC_URL", "http://kratos:4433"), HydraAdminURL: getenv("HYDRA_ADMIN_URL", "http://hydra:4445"), } } func (o *OryProvider) Name() string { return "Ory (Kratos/Hydra)" } // GetMetadata는 BrokerUser가 요구하는 필드를 Kratos traits에 매핑 가능하다는 가정으로 반환합니다. func (o *OryProvider) GetMetadata() (*domain.IDPMetadata, error) { return &domain.IDPMetadata{ SupportedFields: []string{ "id", "email", "name", "phone_number", "grade", "department", "affiliationType", "companyCode", }, }, nil } // CreateUser는 Kratos Admin API를 통해 identity를 생성합니다. func (o *OryProvider) CreateUser(user *domain.BrokerUser, password string) (string, error) { if user == nil { return "", fmt.Errorf("ory provider: user payload is nil") } if user.Email == "" || password == "" { return "", fmt.Errorf("ory provider: email and password are required") } // 중복 확인 existingID, err := o.findIdentityID(user.Email) if err != nil { return "", fmt.Errorf("ory provider: search identity failed: %w", err) } if existingID != "" { return "", fmt.Errorf("ory provider: identity already exists for email=%s", user.Email) } traits := map[string]interface{}{ "email": user.Email, "name": user.Name, "phone_number": user.PhoneNumber, } for k, v := range user.Attributes { traits[k] = v } payload := map[string]interface{}{ "schema_id": "default", "traits": traits, "credentials": map[string]interface{}{ "password": map[string]interface{}{ "config": map[string]string{ "password": password, }, }, }, } body, _ := json.Marshal(payload) req, err := http.NewRequestWithContext(context.Background(), http.MethodPost, fmt.Sprintf("%s/admin/identities", o.KratosAdminURL), bytes.NewReader(body)) if err != nil { return "", fmt.Errorf("ory provider: build create request failed: %w", err) } req.Header.Set("Content-Type", "application/json") resp, err := o.httpClient().Do(req) if err != nil { return "", fmt.Errorf("ory provider: create identity request failed: %w", err) } defer resp.Body.Close() if resp.StatusCode >= 300 { respBody, _ := io.ReadAll(io.LimitReader(resp.Body, 2048)) return "", fmt.Errorf("ory provider: create identity failed status=%d body=%s", resp.StatusCode, string(respBody)) } var created struct { ID string `json:"id"` } if err := json.NewDecoder(resp.Body).Decode(&created); err != nil { return "", fmt.Errorf("ory provider: decode create identity response failed: %w", err) } slog.Info("Ory identity created", "identity_id", created.ID, "email", user.Email) return created.ID, nil } // SignIn은 Kratos Public API의 login API 플로우를 사용해 세션 토큰을 발급합니다. func (o *OryProvider) SignIn(loginID, password string) (*domain.AuthInfo, error) { if loginID == "" || password == "" { return nil, fmt.Errorf("ory provider: loginID and password are required") } flowID, err := o.startLoginFlow() if err != nil { return nil, err } body, _ := json.Marshal(map[string]string{ "identifier": loginID, "password": password, "method": "password", }) loginURL := fmt.Sprintf("%s/self-service/login?flow=%s", o.KratosPublicURL, flowID) req, err := http.NewRequestWithContext(context.Background(), http.MethodPost, loginURL, bytes.NewReader(body)) if err != nil { return nil, fmt.Errorf("ory provider: build login request failed: %w", err) } req.Header.Set("Content-Type", "application/json") resp, err := o.httpClient().Do(req) if err != nil { return nil, fmt.Errorf("ory provider: login request failed: %w", err) } defer resp.Body.Close() if resp.StatusCode >= 300 { respBody, _ := io.ReadAll(io.LimitReader(resp.Body, 2048)) return nil, fmt.Errorf("ory provider: login failed status=%d body=%s", resp.StatusCode, string(respBody)) } var result struct { SessionToken string `json:"session_token"` SessionTokenExpiresAt time.Time `json:"session_token_expires_at"` Session struct { Identity struct { ID string `json:"id"` } `json:"identity"` } `json:"session"` } if err := json.NewDecoder(resp.Body).Decode(&result); err != nil { return nil, fmt.Errorf("ory provider: decode login response failed: %w", err) } if result.SessionToken == "" { return nil, fmt.Errorf("ory provider: empty session token returned") } slog.Info("Ory login successful", "identity_id", result.Session.Identity.ID, "loginID", loginID, "expires_at", result.SessionTokenExpiresAt, ) return &domain.AuthInfo{ SessionToken: &domain.Token{ JWT: result.SessionToken, Expiration: result.SessionTokenExpiresAt, }, Subject: result.Session.Identity.ID, }, nil } // InitiatePasswordReset는 현재 내부 토큰/메일 흐름을 사용하고 있으므로 NO-OP로 둡니다. func (o *OryProvider) InitiatePasswordReset(loginID, redirectUrl string) error { slog.Info("Ory InitiatePasswordReset bypassed (handled by app internal flow)", "loginID", loginID, "redirect", redirectUrl) return nil } // VerifyPasswordResetToken는 내부 토큰 검증 흐름을 사용하므로 아직 구현하지 않습니다. func (o *OryProvider) VerifyPasswordResetToken(token string) (*domain.AuthInfo, error) { return nil, fmt.Errorf("ory provider: VerifyPasswordResetToken not implemented (internal token flow expected)") } // UpdateUserPassword: Kratos Admin API를 통해 비밀번호를 갱신합니다. func (o *OryProvider) UpdateUserPassword(loginID, newPassword string, r *http.Request) error { if loginID == "" || newPassword == "" { return fmt.Errorf("ory provider: loginID or new password missing") } identityID, err := o.findIdentityID(loginID) if err != nil { return fmt.Errorf("ory provider: find identity failed: %w", err) } if identityID == "" { return fmt.Errorf("ory provider: identity not found for loginID=%s", loginID) } payload := map[string]interface{}{ "credentials": map[string]interface{}{ "password": map[string]interface{}{ "config": map[string]string{ "password": newPassword, }, }, }, } body, _ := json.Marshal(payload) req, err := http.NewRequestWithContext(context.Background(), http.MethodPatch, fmt.Sprintf("%s/admin/identities/%s", o.KratosAdminURL, identityID), bytes.NewReader(body)) if err != nil { return fmt.Errorf("ory provider: build request failed: %w", err) } req.Header.Set("Content-Type", "application/json") resp, err := o.httpClient().Do(req) if err != nil { return fmt.Errorf("ory provider: request failed: %w", err) } defer resp.Body.Close() if resp.StatusCode >= 300 { respBody, _ := io.ReadAll(io.LimitReader(resp.Body, 1024)) return fmt.Errorf("ory provider: password update failed status=%d body=%s", resp.StatusCode, string(respBody)) } slog.Info("Ory password updated via Kratos admin", "identity_id", identityID, "loginID", loginID) return nil } func getenv(key, fallback string) string { if v := os.Getenv(key); v != "" { return v } return fallback } // findIdentityID: Kratos Admin API에서 credentials_identifier로 검색 후 첫 번째 identity id 반환 func (o *OryProvider) findIdentityID(loginID string) (string, error) { u, err := url.Parse(fmt.Sprintf("%s/admin/identities", o.KratosAdminURL)) if err != nil { return "", err } query := u.Query() query.Set("credentials_identifier", loginID) u.RawQuery = query.Encode() req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, u.String(), nil) if err != nil { return "", err } resp, err := o.httpClient().Do(req) if err != nil { return "", err } defer resp.Body.Close() if resp.StatusCode == http.StatusNotFound { return "", nil } if resp.StatusCode >= 300 { body, _ := io.ReadAll(io.LimitReader(resp.Body, 1024)) return "", fmt.Errorf("kratos admin search failed status=%d body=%s", resp.StatusCode, string(body)) } var identities []struct { ID string `json:"id"` } if err := json.NewDecoder(resp.Body).Decode(&identities); err != nil { return "", fmt.Errorf("decode response failed: %w", err) } if len(identities) == 0 { return "", nil } return identities[0].ID, nil } func (o *OryProvider) httpClient() *http.Client { if o.HTTPClient != nil { return o.HTTPClient } return &http.Client{ Timeout: 10 * time.Second, Transport: &http.Transport{ DialContext: (&net.Dialer{ Timeout: 5 * time.Second, KeepAlive: 30 * time.Second, }).DialContext, TLSHandshakeTimeout: 5 * time.Second, }, } } // startLoginFlow는 Kratos Public API에서 login flow ID를 발급받습니다. func (o *OryProvider) startLoginFlow() (string, error) { req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, fmt.Sprintf("%s/self-service/login/api", o.KratosPublicURL), nil) if err != nil { return "", fmt.Errorf("ory provider: build login flow request failed: %w", err) } resp, err := o.httpClient().Do(req) if err != nil { return "", fmt.Errorf("ory provider: login flow request failed: %w", err) } defer resp.Body.Close() if resp.StatusCode >= 300 { body, _ := io.ReadAll(io.LimitReader(resp.Body, 2048)) return "", fmt.Errorf("ory provider: login flow failed status=%d body=%s", resp.StatusCode, string(body)) } var result struct { ID string `json:"id"` } if err := json.NewDecoder(resp.Body).Decode(&result); err != nil { return "", fmt.Errorf("ory provider: decode login flow failed: %w", err) } if result.ID == "" { return "", fmt.Errorf("ory provider: empty login flow id") } return result.ID, nil }