baron-sso/backend/internal/handler/internal_domain_personal_policy.go


package handler
import (
"baron-sso-backend/internal/domain"
"context"
"fmt"
"strings"
)
// internalEmailDomainsDisallowedForPersonal is the set of e-mail domains whose
// users must not be placed in a personal tenant. Keys are lower-case domain
// names; the value is true for every listed domain.
//
// The lookup in emailUsesInternalPersonalRestrictedDomain is an exact key
// match, so a sub-domain of a listed domain is NOT covered unless it is added
// here explicitly.
// NOTE(review): confirm whether sub-domains and alternate spellings of these
// domains should also be restricted.
var internalEmailDomainsDisallowedForPersonal = map[string]bool{
	"brsw.kr":         true,
	"hallasanup.com":  true,
	"hanmaceng.co.kr": true,
	"jangheon.co.kr":  true,
	"jangheon.com":    true,
	"pre-cast.co.kr":  true,
	"samaneng.com":    true,
}
// internalDomainPersonalPolicyMessage builds the Korean rejection text for the
// internal-domain policy ("internal-domain users cannot be created as, or
// changed to, a personal affiliation"), followed by the e-mail address after
// trimming surrounding whitespace and lower-casing it.
//
// NOTE(review): the address is caller-supplied and is embedded as-is apart
// from trim/lower-case; whatever renders or logs this message is responsible
// for escaping it for its own output context.
func internalDomainPersonalPolicyMessage(email string) string {
	normalized := strings.TrimSpace(email)
	normalized = strings.ToLower(normalized)
	return fmt.Sprintf("내부 도메인 사용자는 개인 소속으로 생성하거나 변경할 수 없습니다: %s", normalized)
}
// emailUsesInternalPersonalRestrictedDomain reports whether the domain part of
// email is listed in internalEmailDomainsDisallowedForPersonal. The domain is
// trimmed and lower-cased before the exact-match lookup.
//
// If domain.SplitEmailDomain returns an error the function returns false, so
// an address that cannot be split is treated as NOT restricted (fail-open).
// NOTE(review): this is only safe if malformed addresses are rejected
// elsewhere before an account is created or moved; confirm against callers.
func emailUsesInternalPersonalRestrictedDomain(email string) bool {
	_, host, err := domain.SplitEmailDomain(email)
	if err != nil {
		return false
	}
	key := strings.ToLower(strings.TrimSpace(host))
	restricted, listed := internalEmailDomainsDisallowedForPersonal[key]
	return listed && restricted
}
// isPersonalTenantForInternalDomainPolicy reports whether tenant counts as a
// personal tenant for the internal-domain policy. A nil tenant is never
// personal. Otherwise the tenant is personal when its Type equals
// domain.TenantTypePersonal (case-insensitive, whitespace trimmed) or when its
// lower-cased, trimmed Slug is "personal" or starts with "personal-".
//
// The slug rule is a naming heuristic: a tenant whose Type is something else
// but whose slug begins with "personal-" is still treated as personal here.
func isPersonalTenantForInternalDomainPolicy(tenant *domain.Tenant) bool {
	if tenant == nil {
		return false
	}

	tenantType := strings.TrimSpace(tenant.Type)
	if strings.EqualFold(tenantType, domain.TenantTypePersonal) {
		return true
	}

	switch normalized := strings.ToLower(strings.TrimSpace(tenant.Slug)); {
	case normalized == "personal":
		return true
	default:
		return strings.HasPrefix(normalized, "personal-")
	}
}
// ensureInternalDomainNotAssignedToPersonal enforces the rule that an e-mail
// address on a restricted internal domain may not be attached to a personal
// tenant. It returns nil when the address is not restricted or the target
// tenant is not personal, and an error carrying the policy message otherwise.
//
// Tenant resolution order: resolvedTenant if non-nil; else, when
// h.TenantService is set, a lookup by trimmed tenantID, then by trimmed
// tenantSlug.
//
// NOTE(review): lookup errors are discarded and a tenant that cannot be
// resolved stays nil, which isPersonalTenantForInternalDomainPolicy treats as
// "not personal". The check therefore passes (fails open) when the tenant
// service is nil, errors out, or finds nothing. Callers presumably validate
// the tenant separately; confirm that an unresolved tenant cannot reach
// account creation or reassignment.
func (h *UserHandler) ensureInternalDomainNotAssignedToPersonal(ctx context.Context, email string, tenantID string, tenantSlug string, resolvedTenant *domain.Tenant) error {
	if !emailUsesInternalPersonalRestrictedDomain(email) {
		return nil
	}

	target := resolvedTenant
	canLookup := h.TenantService != nil

	// First preference: look the tenant up by ID.
	if target == nil && canLookup {
		if trimmedID := strings.TrimSpace(tenantID); trimmedID != "" {
			byID, err := h.TenantService.GetTenant(ctx, trimmedID)
			if err == nil && byID != nil {
				target = byID
			}
		}
	}

	// Fallback: look the tenant up by slug when the ID lookup gave nothing.
	if target == nil && canLookup {
		if trimmedSlug := strings.TrimSpace(tenantSlug); trimmedSlug != "" {
			bySlug, err := h.TenantService.GetTenantBySlug(ctx, trimmedSlug)
			if err == nil && bySlug != nil {
				target = bySlug
			}
		}
	}

	if !isPersonalTenantForInternalDomainPolicy(target) {
		return nil
	}
	return fmt.Errorf("%s", internalDomainPersonalPolicyMessage(email))
}