import { Namespace, Context, SubjectSet } from "@ory/keto-definitions"

// Ory Permission Language namespaces for Keto: User (subjects), System
// (global admin-menu permissions), Tenant (per-tenant tabs plus inheritance
// from parent tenants) and RelyingParty (per-client operations).
//
// NOTE(review): SubjectSet appears below without type arguments and is
// repeated inside several unions. This looks like the
// `<Namespace, "relation">` arguments were lost when the page was extracted;
// restore them from the original file before loading this into Keto.

// Subject namespace; declares no relations or permits.
class User implements Namespace {}

// Global (non-tenant) permissions for the admin-control menus.
class System implements Namespace {
  related: {
    super_admins: User[]
    // NOTE(review): no permit in this class reads authenticated_users.
    authenticated_users: User[]

    // New global menu permissions (Admin Control): read
    overview_viewers: User[]
    tenants_viewers: User[]
    org_chart_viewers: User[]
    worksmobile_viewers: User[]
    ory_ssot_viewers: User[]
    data_integrity_viewers: User[]
    users_viewers: User[]
    permissions_direct_viewers: User[]
    auth_guard_viewers: User[]
    api_keys_viewers: User[]
    audit_logs_viewers: User[]

    // New global menu permissions (Admin Control): write
    overview_managers: User[]
    tenants_managers: User[]
    org_chart_managers: User[]
    worksmobile_managers: User[]
    ory_ssot_managers: User[]
    data_integrity_managers: User[]
    users_managers: User[]
    permissions_direct_managers: User[]
    auth_guard_managers: User[]
    api_keys_managers: User[]
    audit_logs_managers: User[]
  }

  permits = {
    // Root of the chain: only super_admins. Every manage_* below falls back
    // to this, so a super_admin passes every permit in this namespace.
    manage_all: (ctx: Context): boolean =>
      this.related.super_admins.includes(ctx.subject),

    // Global menu permit rules: read (access_) and write (manage_) are kept
    // as separate permits. access_X = X_viewers OR manage_X;
    // manage_X = X_managers OR manage_all. A viewer relation never implies
    // the matching manage_ permit.
    access_overview: (ctx: Context): boolean =>
      this.related.overview_viewers.includes(ctx.subject) ||
      this.permits.manage_overview(ctx),
    manage_overview: (ctx: Context): boolean =>
      this.related.overview_managers.includes(ctx.subject) ||
      this.permits.manage_all(ctx),

    access_tenants: (ctx: Context): boolean =>
      this.related.tenants_viewers.includes(ctx.subject) ||
      this.permits.manage_tenants(ctx),
    manage_tenants: (ctx: Context): boolean =>
      this.related.tenants_managers.includes(ctx.subject) ||
      this.permits.manage_all(ctx),

    access_org_chart: (ctx: Context): boolean =>
      this.related.org_chart_viewers.includes(ctx.subject) ||
      this.permits.manage_org_chart(ctx),
    manage_org_chart: (ctx: Context): boolean =>
      this.related.org_chart_managers.includes(ctx.subject) ||
      this.permits.manage_all(ctx),

    access_worksmobile: (ctx: Context): boolean =>
      this.related.worksmobile_viewers.includes(ctx.subject) ||
      this.permits.manage_worksmobile(ctx),
    manage_worksmobile: (ctx: Context): boolean =>
      this.related.worksmobile_managers.includes(ctx.subject) ||
      this.permits.manage_all(ctx),

    access_ory_ssot: (ctx: Context): boolean =>
      this.related.ory_ssot_viewers.includes(ctx.subject) ||
      this.permits.manage_ory_ssot(ctx),
    manage_ory_ssot: (ctx: Context): boolean =>
      this.related.ory_ssot_managers.includes(ctx.subject) ||
      this.permits.manage_all(ctx),

    access_data_integrity: (ctx: Context): boolean =>
      this.related.data_integrity_viewers.includes(ctx.subject) ||
      this.permits.manage_data_integrity(ctx),
    manage_data_integrity: (ctx: Context): boolean =>
      this.related.data_integrity_managers.includes(ctx.subject) ||
      this.permits.manage_all(ctx),

    access_users: (ctx: Context): boolean =>
      this.related.users_viewers.includes(ctx.subject) ||
      this.permits.manage_users(ctx),
    manage_users: (ctx: Context): boolean =>
      this.related.users_managers.includes(ctx.subject) ||
      this.permits.manage_all(ctx),

    access_permissions_direct: (ctx: Context): boolean =>
      this.related.permissions_direct_viewers.includes(ctx.subject) ||
      this.permits.manage_permissions_direct(ctx),
    manage_permissions_direct: (ctx: Context): boolean =>
      this.related.permissions_direct_managers.includes(ctx.subject) ||
      this.permits.manage_all(ctx),

    access_auth_guard: (ctx: Context): boolean =>
      this.related.auth_guard_viewers.includes(ctx.subject) ||
      this.permits.manage_auth_guard(ctx),
    manage_auth_guard: (ctx: Context): boolean =>
      this.related.auth_guard_managers.includes(ctx.subject) ||
      this.permits.manage_all(ctx),

    access_api_keys: (ctx: Context): boolean =>
      this.related.api_keys_viewers.includes(ctx.subject) ||
      this.permits.manage_api_keys(ctx),
    manage_api_keys: (ctx: Context): boolean =>
      this.related.api_keys_managers.includes(ctx.subject) ||
      this.permits.manage_all(ctx),

    access_audit_logs: (ctx: Context): boolean =>
      this.related.audit_logs_viewers.includes(ctx.subject) ||
      this.permits.manage_audit_logs(ctx),
    manage_audit_logs: (ctx: Context): boolean =>
      this.related.audit_logs_managers.includes(ctx.subject) ||
      this.permits.manage_all(ctx)
  }
}

// Per-tenant permissions. view, manage, manage_admins, view_dev_console and
// grant_dev_permissions all traverse `parents`, so a grant on an ancestor
// tenant cascades to every descendant tenant.
class Tenant implements Namespace {
  related: {
    owners: (User | SubjectSet)[]
    admins: (User | SubjectSet)[]
    members: (User | SubjectSet | SubjectSet | SubjectSet)[]
    parents: Tenant[]
    developer_console_viewer: (User | SubjectSet)[]
    developer_console_grant_manager: (User | SubjectSet)[]

    // New direct relations
    profile_viewers: (User | SubjectSet)[]
    profile_managers: (User | SubjectSet)[]
    permissions_viewers: (User | SubjectSet)[]
    permissions_managers: (User | SubjectSet)[]
    organization_viewers: (User | SubjectSet)[]
    organization_managers: (User | SubjectSet)[]
    schema_viewers: (User | SubjectSet)[]
    schema_managers: (User | SubjectSet)[]
  }

  permits = {
    // NOTE(review): each view_* permit below also accepts permits.view, so
    // every member/admin/owner, and anyone who passes view on a parent
    // tenant, already sees all four tabs. The *_viewers relations only add
    // subjects who hold none of those roles. Confirm that this is intended,
    // for view_permissions in particular.

    // 1. Profile tab permit rules
    view_profile: (ctx: Context): boolean =>
      this.related.profile_viewers.includes(ctx.subject) ||
      this.permits.manage_profile(ctx) ||
      this.permits.view(ctx), // members/admins/owners can view by default
    manage_profile: (ctx: Context): boolean =>
      this.related.profile_managers.includes(ctx.subject) ||
      this.permits.manage(ctx), // admins/owners can edit by default

    // 2. Permission-management tab permit rules
    view_permissions: (ctx: Context): boolean =>
      this.related.permissions_viewers.includes(ctx.subject) ||
      this.permits.manage_permissions(ctx) ||
      this.permits.view(ctx),
    // Falls back to manage_admins, not manage: owners manage by default, and
    // admins need an explicit permissions_managers grant. The other manage_*
    // tabs fall back to manage.
    manage_permissions: (ctx: Context): boolean =>
      this.related.permissions_managers.includes(ctx.subject) ||
      this.permits.manage_admins(ctx), // owners can manage by default

    // 3. Organization-management tab permit rules
    view_organization: (ctx: Context): boolean =>
      this.related.organization_viewers.includes(ctx.subject) ||
      this.permits.manage_organization(ctx) ||
      this.permits.view(ctx),
    manage_organization: (ctx: Context): boolean =>
      this.related.organization_managers.includes(ctx.subject) ||
      this.permits.manage(ctx),

    // 4. User-schema tab permit rules
    view_schema: (ctx: Context): boolean =>
      this.related.schema_viewers.includes(ctx.subject) ||
      this.permits.manage_schema(ctx) ||
      this.permits.view(ctx),
    manage_schema: (ctx: Context): boolean =>
      this.related.schema_managers.includes(ctx.subject) ||
      this.permits.manage(ctx),

    // --- Existing master and inheritance rules, kept as they were ---

    // Members, admins or owners of this tenant, or view on any parent.
    view: (ctx: Context): boolean =>
      this.related.members.includes(ctx.subject) ||
      this.related.admins.includes(ctx.subject) ||
      this.related.owners.includes(ctx.subject) ||
      this.related.parents.traverse((p) => p.permits.view(ctx)),
    // Admins or owners of this tenant, or manage on any parent.
    manage: (ctx: Context): boolean =>
      this.related.admins.includes(ctx.subject) ||
      this.related.owners.includes(ctx.subject) ||
      this.related.parents.traverse((p) => p.permits.manage(ctx)),
    // Owners of this tenant, or manage_admins on any parent.
    manage_admins: (ctx: Context): boolean =>
      this.related.owners.includes(ctx.subject) ||
      this.related.parents.traverse((p) => p.permits.manage_admins(ctx)),
    // Same check as manage.
    create_subtenant: (ctx: Context): boolean =>
      this.permits.manage(ctx),
    view_dev_console: (ctx: Context): boolean =>
      this.related.developer_console_viewer.includes(ctx.subject) ||
      this.permits.grant_dev_permissions(ctx) ||
      this.permits.manage(ctx) ||
      this.related.parents.traverse((p) => p.permits.view_dev_console(ctx)),
    grant_dev_permissions: (ctx: Context): boolean =>
      this.related.developer_console_grant_manager.includes(ctx.subject) ||
      this.permits.manage_admins(ctx) ||
      this.related.parents.traverse((p) => p.permits.grant_dev_permissions(ctx))
  }
}

// Per-client permissions for a relying party that belongs to one or more
// parent tenants.
class RelyingParty implements Namespace {
  related: {
    admins: (User | SubjectSet | SubjectSet | SubjectSet)[]
    parents: Tenant[]
    access: (User | SubjectSet | SubjectSet | SubjectSet)[]
    creator: (User | SubjectSet)[]
    config_editor: (User | SubjectSet)[]
    secret_viewer: (User | SubjectSet)[]
    secret_rotator: (User | SubjectSet)[]
    jwks_viewer: (User | SubjectSet)[]
    jwks_operator: (User | SubjectSet)[]
    consent_viewer: (User | SubjectSet)[]
    consent_revoker: (User | SubjectSet)[]
    relationship_viewer: (User | SubjectSet)[]
    audit_viewer: (User | SubjectSet)[]
    status_operator: (User | SubjectSet)[]
  }

  permits = {
    // Any fine-grained relation grants view, as does view or
    // view_dev_console on a parent tenant. The `access` and `creator`
    // relations are not listed, so on their own they do not grant view.
    view: (ctx: Context): boolean =>
      this.related.admins.includes(ctx.subject) ||
      this.related.config_editor.includes(ctx.subject) ||
      this.related.secret_viewer.includes(ctx.subject) ||
      this.related.secret_rotator.includes(ctx.subject) ||
      this.related.jwks_viewer.includes(ctx.subject) ||
      this.related.jwks_operator.includes(ctx.subject) ||
      this.related.consent_viewer.includes(ctx.subject) ||
      this.related.consent_revoker.includes(ctx.subject) ||
      this.related.relationship_viewer.includes(ctx.subject) ||
      this.related.audit_viewer.includes(ctx.subject) ||
      this.related.status_operator.includes(ctx.subject) ||
      this.related.parents.traverse((t) => t.permits.view(ctx)) ||
      this.related.parents.traverse((t) => t.permits.view_dev_console(ctx)),
    // Admins of this relying party, or manage on a parent tenant.
    // Tenant.manage itself traverses tenant parents.
    // NOTE(review): every permit below accepts manage, so an admin or owner
    // of any ancestor tenant can view and rotate secrets, operate JWKS and
    // revoke consents here. Confirm that this reach is intended.
    manage: (ctx: Context): boolean =>
      this.related.admins.includes(ctx.subject) ||
      this.related.parents.traverse((t) => t.permits.manage(ctx)),
    create: (ctx: Context): boolean =>
      this.related.creator.includes(ctx.subject) ||
      this.related.parents.traverse((t) => t.permits.grant_dev_permissions(ctx)) ||
      this.permits.manage(ctx),
    edit_config: (ctx: Context): boolean =>
      this.related.config_editor.includes(ctx.subject) ||
      this.permits.manage(ctx),
    // Holders of rotate_secret can also view the secret.
    view_secret: (ctx: Context): boolean =>
      this.related.secret_viewer.includes(ctx.subject) ||
      this.permits.rotate_secret(ctx) ||
      this.permits.manage(ctx),
    rotate_secret: (ctx: Context): boolean =>
      this.related.secret_rotator.includes(ctx.subject) ||
      this.permits.manage(ctx),
    // Holders of operate_jwks can also view the JWKS.
    view_jwks: (ctx: Context): boolean =>
      this.related.jwks_viewer.includes(ctx.subject) ||
      this.permits.operate_jwks(ctx) ||
      this.permits.manage(ctx),
    operate_jwks: (ctx: Context): boolean =>
      this.related.jwks_operator.includes(ctx.subject) ||
      this.permits.manage(ctx),
    // Holders of revoke_consents can also view consents.
    view_consents: (ctx: Context): boolean =>
      this.related.consent_viewer.includes(ctx.subject) ||
      this.permits.revoke_consents(ctx) ||
      this.permits.manage(ctx),
    revoke_consents: (ctx: Context): boolean =>
      this.related.consent_revoker.includes(ctx.subject) ||
      this.permits.manage(ctx),
    view_relationships: (ctx: Context): boolean =>
      this.related.relationship_viewer.includes(ctx.subject) ||
      this.related.parents.traverse((t) => t.permits.grant_dev_permissions(ctx)) ||
      this.permits.manage(ctx),
    view_audit_logs: (ctx: Context): boolean =>
      this.related.audit_viewer.includes(ctx.subject) ||
      this.permits.manage(ctx),
    change_status: (ctx: Context): boolean =>
      this.related.status_operator.includes(ctx.subject) ||
      this.permits.manage(ctx),
    access: (ctx: Context): boolean =>
      this.related.access.includes(ctx.subject) ||
      this.permits.manage(ctx)
  }
}