baron-sso/backend/internal/service/ory_service.go

package service

import (
	"baron-sso-backend/internal/domain"
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"log/slog"
	"net"
	"net/http"
	"net/url"
	"os"
	"time"
)

// OryProvider는 Kratos/Hydra를 기반으로 하는 IDP 어댑터의 최소 스켈레톤입니다.
// 지금은 스키마 메타데이터만 반환하며, 나머지 동작은 후속 작업에서 구현합니다.
type OryProvider struct {
	KratosAdminURL  string
	KratosPublicURL string
	HydraAdminURL   string
	HTTPClient      *http.Client
}

func NewOryProvider() *OryProvider {
	return &OryProvider{
		KratosAdminURL:  getenv("KRATOS_ADMIN_URL", "http://kratos:4434"),
		KratosPublicURL: getenv("KRATOS_PUBLIC_URL", "http://kratos:4433"),
		HydraAdminURL:   getenv("HYDRA_ADMIN_URL", "http://hydra:4445"),
	}
}

func (o *OryProvider) Name() string {
	return "Ory (Kratos/Hydra)"
}

// GetMetadata는 BrokerUser가 요구하는 필드를 Kratos traits에 매핑 가능하다는 가정으로 반환합니다.
func (o *OryProvider) GetMetadata() (*domain.IDPMetadata, error) {
	return &domain.IDPMetadata{
		SupportedFields: []string{
			"id", "email", "name", "phone_number",
			"grade", "department", "affiliationType", "companyCode",
		},
	}, nil
}

// CreateUser는 Kratos Admin API를 통해 identity를 생성합니다.
func (o *OryProvider) CreateUser(user *domain.BrokerUser, password string) (string, error) {
	if user == nil {
		return "", fmt.Errorf("ory provider: user payload is nil")
	}
	if user.Email == "" || password == "" {
		return "", fmt.Errorf("ory provider: email and password are required")
	}

	// 중복 확인
	existingID, err := o.findIdentityID(user.Email)
	if err != nil {
		return "", fmt.Errorf("ory provider: search identity failed: %w", err)
	}
	if existingID != "" {
		return "", fmt.Errorf("ory provider: identity already exists for email=%s", user.Email)
	}

	traits := map[string]interface{}{
		"email":        user.Email,
		"name":         user.Name,
		"phone_number": user.PhoneNumber,
	}
	for k, v := range user.Attributes {
		traits[k] = v
	}

	payload := map[string]interface{}{
		"schema_id": "default",
		"traits":    traits,
		"credentials": map[string]interface{}{
			"password": map[string]interface{}{
				"config": map[string]string{
					"password": password,
				},
			},
		},
	}

	body, _ := json.Marshal(payload)
	req, err := http.NewRequestWithContext(context.Background(), http.MethodPost, fmt.Sprintf("%s/admin/identities", o.KratosAdminURL), bytes.NewReader(body))
	if err != nil {
		return "", fmt.Errorf("ory provider: build create request failed: %w", err)
	}
	req.Header.Set("Content-Type", "application/json")

	resp, err := o.httpClient().Do(req)
	if err != nil {
		return "", fmt.Errorf("ory provider: create identity request failed: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode >= 300 {
		respBody, _ := io.ReadAll(io.LimitReader(resp.Body, 2048))
		return "", fmt.Errorf("ory provider: create identity failed status=%d body=%s", resp.StatusCode, string(respBody))
	}

	var created struct {
		ID string `json:"id"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&created); err != nil {
		return "", fmt.Errorf("ory provider: decode create identity response failed: %w", err)
	}

	slog.Info("Ory identity created", "identity_id", created.ID, "email", user.Email)
	return created.ID, nil
}

// SignIn은 Kratos Public API의 login API 플로우를 사용해 세션 토큰을 발급합니다.
func (o *OryProvider) SignIn(loginID, password string) (*domain.AuthInfo, error) {
	if loginID == "" || password == "" {
		return nil, fmt.Errorf("ory provider: loginID and password are required")
	}

	flowID, err := o.startLoginFlow()
	if err != nil {
		return nil, err
	}

	body, _ := json.Marshal(map[string]string{
		"identifier": loginID,
		"password":   password,
		"method":     "password",
	})
	loginURL := fmt.Sprintf("%s/self-service/login?flow=%s", o.KratosPublicURL, flowID)
	req, err := http.NewRequestWithContext(context.Background(), http.MethodPost, loginURL, bytes.NewReader(body))
	if err != nil {
		return nil, fmt.Errorf("ory provider: build login request failed: %w", err)
	}
	req.Header.Set("Content-Type", "application/json")

	resp, err := o.httpClient().Do(req)
	if err != nil {
		return nil, fmt.Errorf("ory provider: login request failed: %w", err)
	}
	defer resp.Body.Close()

	if resp.StatusCode >= 300 {
		respBody, _ := io.ReadAll(io.LimitReader(resp.Body, 2048))
		return nil, fmt.Errorf("ory provider: login failed status=%d body=%s", resp.StatusCode, string(respBody))
	}

	var result struct {
		SessionToken          string    `json:"session_token"`
		SessionTokenExpiresAt time.Time `json:"session_token_expires_at"`
		Session               struct {
			Identity struct {
				ID string `json:"id"`
			} `json:"identity"`
		} `json:"session"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
		return nil, fmt.Errorf("ory provider: decode login response failed: %w", err)
	}
	if result.SessionToken == "" {
		return nil, fmt.Errorf("ory provider: empty session token returned")
	}

	slog.Info("Ory login successful",
		"identity_id", result.Session.Identity.ID,
		"loginID", loginID,
		"expires_at", result.SessionTokenExpiresAt,
	)

	return &domain.AuthInfo{
		SessionToken: &domain.Token{
			JWT:        result.SessionToken,
			Expiration: result.SessionTokenExpiresAt,
		},
		Subject: result.Session.Identity.ID,
	}, nil
}

// InitiatePasswordReset는 현재 내부 토큰/메일 흐름을 사용하고 있으므로 NO-OP로 둡니다.
func (o *OryProvider) InitiatePasswordReset(loginID, redirectUrl string) error {
	slog.Info("Ory InitiatePasswordReset bypassed (handled by app internal flow)", "loginID", loginID, "redirect", redirectUrl)
	return nil
}

// VerifyPasswordResetToken는 내부 토큰 검증 흐름을 사용하므로 아직 구현하지 않습니다.
func (o *OryProvider) VerifyPasswordResetToken(token string) (*domain.AuthInfo, error) {
	return nil, fmt.Errorf("ory provider: VerifyPasswordResetToken not implemented (internal token flow expected)")
}

// UpdateUserPassword: Kratos Admin API를 통해 비밀번호를 갱신합니다.
func (o *OryProvider) UpdateUserPassword(loginID, newPassword string, r *http.Request) error {
	if loginID == "" || newPassword == "" {
		return fmt.Errorf("ory provider: loginID or new password missing")
	}

	identityID, err := o.findIdentityID(loginID)
	if err != nil {
		return fmt.Errorf("ory provider: find identity failed: %w", err)
	}

	if identityID == "" {
		return fmt.Errorf("ory provider: identity not found for loginID=%s", loginID)
	}

	payload := map[string]interface{}{
		"credentials": map[string]interface{}{
			"password": map[string]interface{}{
				"config": map[string]string{
					"password": newPassword,
				},
			},
		},
	}

	body, _ := json.Marshal(payload)
	req, err := http.NewRequestWithContext(context.Background(), http.MethodPatch, fmt.Sprintf("%s/admin/identities/%s", o.KratosAdminURL, identityID), bytes.NewReader(body))
	if err != nil {
		return fmt.Errorf("ory provider: build request failed: %w", err)
	}
	req.Header.Set("Content-Type", "application/json")

	resp, err := o.httpClient().Do(req)
	if err != nil {
		return fmt.Errorf("ory provider: request failed: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode >= 300 {
		respBody, _ := io.ReadAll(io.LimitReader(resp.Body, 1024))
		return fmt.Errorf("ory provider: password update failed status=%d body=%s", resp.StatusCode, string(respBody))
	}

	slog.Info("Ory password updated via Kratos admin", "identity_id", identityID, "loginID", loginID)
	return nil
}

func getenv(key, fallback string) string {
	if v := os.Getenv(key); v != "" {
		return v
	}
	return fallback
}

// findIdentityID: Kratos Admin API에서 credentials_identifier로 검색 후 첫 번째 identity id 반환
func (o *OryProvider) findIdentityID(loginID string) (string, error) {
	u, err := url.Parse(fmt.Sprintf("%s/admin/identities", o.KratosAdminURL))
	if err != nil {
		return "", err
	}

	query := u.Query()
	query.Set("credentials_identifier", loginID)
	u.RawQuery = query.Encode()

	req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, u.String(), nil)
	if err != nil {
		return "", err
	}

	resp, err := o.httpClient().Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()

	if resp.StatusCode == http.StatusNotFound {
		return "", nil
	}
	if resp.StatusCode >= 300 {
		body, _ := io.ReadAll(io.LimitReader(resp.Body, 1024))
		return "", fmt.Errorf("kratos admin search failed status=%d body=%s", resp.StatusCode, string(body))
	}

	var identities []struct {
		ID string `json:"id"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&identities); err != nil {
		return "", fmt.Errorf("decode response failed: %w", err)
	}
	if len(identities) == 0 {
		return "", nil
	}
	return identities[0].ID, nil
}

func (o *OryProvider) httpClient() *http.Client {
	if o.HTTPClient != nil {
		return o.HTTPClient
	}
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{
			DialContext: (&net.Dialer{
				Timeout:   5 * time.Second,
				KeepAlive: 30 * time.Second,
			}).DialContext,
			TLSHandshakeTimeout: 5 * time.Second,
		},
	}
}

// startLoginFlow는 Kratos Public API에서 login flow ID를 발급받습니다.
func (o *OryProvider) startLoginFlow() (string, error) {
	req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, fmt.Sprintf("%s/self-service/login/api", o.KratosPublicURL), nil)
	if err != nil {
		return "", fmt.Errorf("ory provider: build login flow request failed: %w", err)
	}

	resp, err := o.httpClient().Do(req)
	if err != nil {
		return "", fmt.Errorf("ory provider: login flow request failed: %w", err)
	}
	defer resp.Body.Close()

	if resp.StatusCode >= 300 {
		body, _ := io.ReadAll(io.LimitReader(resp.Body, 2048))
		return "", fmt.Errorf("ory provider: login flow failed status=%d body=%s", resp.StatusCode, string(body))
	}

	var result struct {
		ID string `json:"id"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
		return "", fmt.Errorf("ory provider: decode login flow failed: %w", err)
	}
	if result.ID == "" {
		return "", fmt.Errorf("ory provider: empty login flow id")
	}
	return result.ID, nil
}