baron-sso/backend/internal/service/relying_party_service.go

package service

import (
	"baron-sso-backend/internal/domain"
	"context"
	"fmt"
	"log/slog"
)

type RelyingPartyService interface {
	Create(ctx context.Context, tenantID string, client domain.HydraClient) (*domain.RelyingParty, error)
	Get(ctx context.Context, clientID string) (*domain.RelyingParty, *domain.HydraClient, error)
	List(ctx context.Context, tenantID string) ([]domain.RelyingParty, error)
	ListAll(ctx context.Context) ([]domain.RelyingParty, error)
	ListByTenantIDs(ctx context.Context, tenantIDs []string) ([]domain.RelyingParty, error)
	Update(ctx context.Context, clientID string, client domain.HydraClient) (*domain.RelyingParty, error)
	Delete(ctx context.Context, clientID string) error
}

type relyingPartyService struct {
	hydraService *HydraAdminService
	ketoService  KetoService
}

func NewRelyingPartyService(
	hydraService *HydraAdminService,
	ketoService KetoService,
) RelyingPartyService {
	return &relyingPartyService{
		hydraService: hydraService,
		ketoService:  ketoService,
	}
}

func (s *relyingPartyService) Create(ctx context.Context, tenantID string, client domain.HydraClient) (*domain.RelyingParty, error) {
	// 1. Create Client in Hydra
	if client.Metadata == nil {
		client.Metadata = make(map[string]interface{})
	}
	client.Metadata["tenant_id"] = tenantID
	// Ensure description is in metadata if provided in some other way? 
	// The input 'client' is domain.HydraClient. It doesn't have a separate description field. 
	// Assuming caller puts description in metadata.

	createdClient, err := s.hydraService.CreateClient(ctx, client)
	if err != nil {
		return nil, fmt.Errorf("failed to create hydra client: %w", err)
	}

	// 2. Create Relation in Keto
	// RelyingParty:<client_id>#parent_tenant@Tenant:<tenant_id>
	err = s.ketoService.CreateRelation(ctx, "RelyingParty", createdClient.ClientID, "parent_tenant", "Tenant:"+tenantID)
	if err != nil {
		slog.Error("Failed to create keto relation for relying party", "error", err, "client_id", createdClient.ClientID)
		// Try to cleanup Hydra client
		_ = s.hydraService.DeleteClient(ctx, createdClient.ClientID)
		return nil, err
	}

	return s.mapHydraToDomain(createdClient), nil
}

func (s *relyingPartyService) Get(ctx context.Context, clientID string) (*domain.RelyingParty, *domain.HydraClient, error) {
	hydraClient, err := s.hydraService.GetClient(ctx, clientID)
	if err != nil {
		return nil, nil, err
	}

	return s.mapHydraToDomain(hydraClient), hydraClient, nil
}

func (s *relyingPartyService) List(ctx context.Context, tenantID string) ([]domain.RelyingParty, error) {
	// 1. Fetch ClientIDs from Keto
	// Subject: Tenant:<tenantID>, Relation: parent_tenant, Namespace: RelyingParty
	// Note: ListRelations checks "who has relation to subject". 
	// Relation tuple: RelyingParty:cid # parent_tenant @ Tenant:tid
	// We want to find objects where subject=Tenant:tid.
	tuples, err := s.ketoService.ListRelations(ctx, "RelyingParty", "", "parent_tenant", "Tenant:"+tenantID)
	if err != nil {
		return nil, err
	}

	var rps []domain.RelyingParty
	for _, t := range tuples {
		// Object is "RelyingParty:clientId"
		if len(t.Object) > 13 && t.Object[:13] == "RelyingParty:" {
			clientID := t.Object[13:]
			client, err := s.hydraService.GetClient(ctx, clientID)
			if err != nil {
				slog.Warn("Failed to fetch relying party from hydra", "client_id", clientID, "error", err)
				continue
			}
			if rp := s.mapHydraToDomain(client); rp != nil {
				rps = append(rps, *rp)
			}
		}
	}

	return rps, nil
}

func (s *relyingPartyService) ListAll(ctx context.Context) ([]domain.RelyingParty, error) {
	// This might be heavy if there are many clients.
	// Hydra doesn't support "List all clients" easily without pagination.
	// Assuming HydraAdminService has ListClients or similar?
	// The interface wasn't shown, but assuming it's available or we skip implementation.
	// For now, let's return empty or error?
	// Wait, repo.ListAll was used. 
	// Let's assume we can't implement efficient ListAll without DB, 
	// UNLESS we use Keto to list all RelyingParties (if Keto supports listing all objects in namespace).
	// Keto doesn't support listing all objects easily.
	// But `hydraService` likely has `ListClients`.
	return nil, fmt.Errorf("ListAll not implemented in SSOT mode yet") 
}

func (s *relyingPartyService) ListByTenantIDs(ctx context.Context, tenantIDs []string) ([]domain.RelyingParty, error) {
	var allRps []domain.RelyingParty
	for _, tid := range tenantIDs {
		rps, err := s.List(ctx, tid)
		if err == nil {
			allRps = append(allRps, rps...)
		}
	}
	return allRps, nil
}

func (s *relyingPartyService) Update(ctx context.Context, clientID string, client domain.HydraClient) (*domain.RelyingParty, error) {
	updatedClient, err := s.hydraService.UpdateClient(ctx, clientID, client)
	if err != nil {
		return nil, err
	}
	return s.mapHydraToDomain(updatedClient), nil
}

func (s *relyingPartyService) Delete(ctx context.Context, clientID string) error {
	// 1. Get client to find tenantID (for Keto cleanup)
	client, err := s.hydraService.GetClient(ctx, clientID)
	if err != nil {
		return err // Or ignore if not found?
	}
	tenantID := ""
	if client.Metadata != nil {
		if tid, ok := client.Metadata["tenant_id"].(string); ok {
			tenantID = tid
		}
	}

	// 2. Delete from Hydra
	if err := s.hydraService.DeleteClient(ctx, clientID); err != nil {
		return err
	}

	// 3. Delete from Keto
	if tenantID != "" {
		_ = s.ketoService.DeleteRelation(ctx, "RelyingParty", clientID, "parent_tenant", "Tenant:"+tenantID)
	}

	return nil
}

func (s *relyingPartyService) mapHydraToDomain(client *domain.HydraClient) *domain.RelyingParty {
	if client == nil {
		return nil
	}
	rp := &domain.RelyingParty{
		ClientID: client.ClientID,
		Name:     client.ClientName,
	}
	if client.Metadata != nil {
		if tid, ok := client.Metadata["tenant_id"].(string); ok {
			rp.TenantID = tid
		}
		if desc, ok := client.Metadata["description"].(string); ok {
			rp.Description = desc
		}
	}
	return rp
}