package handler import ( "baron-sso-backend/internal/domain" "baron-sso-backend/internal/service" "bytes" "encoding/json" "net/http" "net/http/httptest" "strings" "testing" "github.com/gofiber/fiber/v2" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/mock" ) func TestDevHandler_Isolation(t *testing.T) { createHandler := func(mockKeto *devMockKetoService) *DevHandler { return &DevHandler{ Hydra: &service.HydraAdminService{ AdminURL: "http://hydra.test", HTTPClient: &http.Client{ Transport: roundTripFunc(func(r *http.Request) (*http.Response, error) { if r.Method == http.MethodGet && r.URL.Path == "/clients" { return httpJSONAny(r, http.StatusOK, []map[string]any{ { "client_id": "client-tenant-a", "client_name": "App Tenant A", "token_endpoint_auth_method": "none", // PKCE "metadata": map[string]any{"tenant_id": "tenant-a"}, }, { "client_id": "client-tenant-b", "client_name": "App Tenant B", "token_endpoint_auth_method": "none", // PKCE "metadata": map[string]any{"tenant_id": "tenant-b"}, }, }), nil } if (r.Method == http.MethodGet || r.Method == http.MethodPut) && strings.HasPrefix(r.URL.Path, "/clients/") { id := strings.TrimPrefix(r.URL.Path, "/clients/") tenantID := "tenant-a" if id == "client-tenant-b" { tenantID = "tenant-b" } return httpJSONAny(r, http.StatusOK, map[string]any{ "client_id": id, "client_name": "App " + id, "token_endpoint_auth_method": "none", "metadata": map[string]any{"tenant_id": tenantID}, }), nil } if r.Method == http.MethodPost && r.URL.Path == "/clients" { var body map[string]any json.NewDecoder(r.Body).Decode(&body) return httpJSONAny(r, http.StatusCreated, body), nil } return httpJSONAny(r, http.StatusNotFound, nil), nil }), }, }, Keto: mockKeto, } } t.Run("Local bypass should be removed", func(t *testing.T) { mockKeto := new(devMockKetoService) h := createHandler(mockKeto) app := fiber.New() app.Get("/api/v1/dev/clients", h.ListClients) req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil) req.Header.Set("Origin", "http://localhost:5174") resp, _ := app.Test(req, -1) assert.Equal(t, http.StatusUnauthorized, resp.StatusCode) }) t.Run("ListClients should show all for SuperAdmin", func(t *testing.T) { mockKeto := new(devMockKetoService) h := createHandler(mockKeto) app := fiber.New() app.Use(func(c *fiber.Ctx) error { c.Locals("user_profile", &domain.UserProfileResponse{ ID: "super-user", Role: domain.RoleSuperAdmin, }) return c.Next() }) app.Get("/api/v1/dev/clients", h.ListClients) req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil) resp, _ := app.Test(req, -1) assert.Equal(t, http.StatusOK, resp.StatusCode) var res struct { Items []clientSummary `json:"items"` } json.NewDecoder(resp.Body).Decode(&res) // Should see both clients assert.Equal(t, 2, len(res.Items)) }) t.Run("ListClients should filter by permit for non-SuperAdmin", func(t *testing.T) { mockKeto := new(devMockKetoService) h := createHandler(mockKeto) app := fiber.New() tenantA := "tenant-a" app.Use(func(c *fiber.Ctx) error { c.Locals("user_profile", &domain.UserProfileResponse{ ID: "user-a", Role: domain.RoleUser, TenantID: &tenantA, }) return c.Next() }) app.Get("/api/v1/dev/clients", h.ListClients) // Explicit permission for private client check bypass mockKeto.On("CheckPermission", mock.Anything, "User:user-a", "System", "global", "manage_all").Return(true, nil).Maybe() // Mock permit for the specific client mockKeto.On("CheckPermission", mock.Anything, "User:user-a", "RelyingParty", "client-tenant-a", "view").Return(true, nil).Maybe() // Deny for other clients mockKeto.On("CheckPermission", mock.Anything, "User:user-a", "RelyingParty", "client-tenant-b", "view").Return(false, nil).Maybe() mockKeto.On("ListRelations", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return([]service.RelationTuple{}, nil).Maybe() req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil) resp, _ := app.Test(req, -1) assert.Equal(t, http.StatusOK, resp.StatusCode) var res struct { Items []clientSummary `json:"items"` } json.NewDecoder(resp.Body).Decode(&res) // Should only see client-tenant-a (tenant permit) assert.Equal(t, 1, len(res.Items)) assert.Equal(t, "client-tenant-a", res.Items[0].ID) }) t.Run("Tenant member should see empty list from DevFront clients if no relation", func(t *testing.T) { mockKeto := new(devMockKetoService) h := createHandler(mockKeto) app := fiber.New() tenantA := "tenant-a" app.Use(func(c *fiber.Ctx) error { c.Locals("user_profile", &domain.UserProfileResponse{ ID: "user-member", Role: domain.RoleUser, TenantID: &tenantA, }) return c.Next() }) app.Get("/api/v1/dev/clients", h.ListClients) // Deny all by default mockKeto.On("CheckPermission", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(false, nil).Maybe() req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil) resp, _ := app.Test(req, -1) assert.Equal(t, http.StatusOK, resp.StatusCode) var res struct { Items []clientSummary `json:"items"` } json.NewDecoder(resp.Body).Decode(&res) // Empty list because we didn't mock any specific 'view' permissions for this user assert.Equal(t, 0, len(res.Items)) }) t.Run("GetClient should enforce isolation for non-SuperAdmin", func(t *testing.T) { mockKeto := new(devMockKetoService) h := createHandler(mockKeto) app := fiber.New() tenantA := "tenant-a" app.Use(func(c *fiber.Ctx) error { c.Locals("user_profile", &domain.UserProfileResponse{ ID: "user-a", Role: domain.RoleUser, TenantID: &tenantA, }) return c.Next() }) app.Get("/api/v1/dev/clients/:id", h.GetClient) // Case 1: Same tenant BUT no permit (Normal users need permit now) mockKeto.On("CheckPermission", mock.Anything, "User:user-a", "RelyingParty", "client-tenant-a", "view").Return(false, nil).Once() req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients/client-tenant-a", nil) resp, _ := app.Test(req, -1) assert.Equal(t, http.StatusForbidden, resp.StatusCode) // Case 2: Same tenant WITH permit mockKeto.On("CheckPermission", mock.Anything, "User:user-a", "RelyingParty", "client-tenant-a", "view").Return(true, nil).Maybe() mockKeto.On("ListRelations", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return([]service.RelationTuple{}, nil).Maybe() req = httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients/client-tenant-a", nil) resp, _ = app.Test(req, -1) assert.Equal(t, http.StatusOK, resp.StatusCode) // Case 3: Different tenant mockKeto.On("CheckPermission", mock.Anything, "User:user-a", "RelyingParty", "client-tenant-b", "view").Return(false, nil).Maybe() req = httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients/client-tenant-b", nil) resp, _ = app.Test(req, -1) assert.Equal(t, http.StatusForbidden, resp.StatusCode) }) t.Run("CreateClient should record user_id and tenant_id", func(t *testing.T) { mockKeto := new(devMockKetoService) h := createHandler(mockKeto) app := fiber.New() tenantA := "tenant-a" app.Use(func(c *fiber.Ctx) error { c.Locals("user_profile", &domain.UserProfileResponse{ ID: "user-a", Role: domain.RoleSuperAdmin, // Bypass for creation permission TenantID: &tenantA, }) return c.Next() }) app.Post("/api/v1/dev/clients", h.CreateClient) body, _ := json.Marshal(map[string]any{ "client_name": "New App", "type": "pkce", "redirectUris": []string{"http://localhost/cb"}, }) req := httptest.NewRequest(http.MethodPost, "/api/v1/dev/clients", bytes.NewReader(body)) req.Header.Set("Content-Type", "application/json") req.Header.Set("X-Tenant-ID", "tenant-a") resp, _ := app.Test(req, -1) assert.Equal(t, http.StatusCreated, resp.StatusCode) var res clientDetailResponse json.NewDecoder(resp.Body).Decode(&res) assert.Equal(t, "tenant-a", res.Client.Metadata["tenant_id"]) assert.Equal(t, "user-a", res.Client.Metadata["user_id"]) }) }