[Refactor] AuthorizationService — 도메인 Service의 SCOPE 의존 제거 및 Strategy 패턴 도입

code-style.md

@@ -2,7 +2,7 @@
 
 > **목적**: AI Agent 및 AI 코드 리뷰 자동화를 위한 명확한 규칙 정의
 > **대상 언어/프레임워크**: Java 17+, Spring Boot, JPA, Lombok, JUnit 5, RestAssured, Swagger (springdoc-openapi), Flyway
-> **최종 수정일**: 2025-02-24
+> **최종 수정일**: 2026-02-25
 
 ---
 
@@ -311,6 +311,22 @@ String name = place.getTitle();
 | `null`이 절대 들어오지 않음이 확실한 경우 | 원시 타입 (`long`, `int`, `boolean` 등) | 성능 이점 및 의도 명시 |
 | Entity의 `id` 필드 | **항상 래퍼 타입** (`Long`) | JPA 영속화 전 `null` 상태 필요 |
 
+### 3.3 null 검증
+
+- null 여부를 검사할 때는 `== null` / `!= null` 대신 반드시 `Objects.isNull()` / `Objects.nonNull()`을 사용한다.
+
+```java
+// ❌ 직접 비교
+if (scopeId == null) {
+    throw new InternalServerException();
+}
+
+// ✅ Objects 유틸 사용
+if (Objects.isNull(scopeId)) {
+    throw new InternalServerException();
+}
+```
+
 ---
 
 ## 4. Bean 주입
@@ -1064,6 +1080,20 @@ when(placeJpaRepository.findById(anyLong()))
 
 - 검증할 데이터가 **1개**이면 `assertThat`만 사용한다.
 - 검증할 데이터가 **여러 개**이면 `assertSoftly`를 사용한다.
+- `assertSoftly` 내부 람다의 파라미터 변수명은 **반드시 `s`**로 작성한다. (`softly` 등 다른 이름 사용 금지)
+
+```java
+// ✅ 람다 파라미터 s 사용
+assertSoftly(s -> {
+    s.assertThat(result.title()).isEqualTo("제목");
+    s.assertThat(result.content()).isEqualTo("내용");
+});
+
+// ❌ softly 사용 금지
+assertSoftly(softly -> {
+    softly.assertThat(result.title()).isEqualTo("제목");
+});
+```
 
 ### 12.9 필드 순서
 
@@ -1162,11 +1192,16 @@ then(announcementJpaRepository).should(never())
 
 ### 12.18 테스트 코드 개행 규칙
 
+- BDDMockito `given()` 호출에서 `.willReturn()`, `.willThrow()` 등의 체이닝은 **반드시 개행**한다. 한 줄로 작성하지 않는다.
+
 ```java
 // ✅ BDDMockito given() 개행
 given(placeJpaRepository.findById(anyLong()))
         .willReturn(Optional.of(place));
 
+// ❌ 한 줄로 작성 금지
+given(placeJpaRepository.findById(anyLong())).willReturn(Optional.of(place));
+
 // ✅ assertThat 개행 — 체이닝 여러 개
 assertThat(result)
         .hasSize(3)
@@ -1324,6 +1359,7 @@ public class AnnouncementService { }
 - [ ] 클래스 필드 외에 `final` 키워드가 사용되었는가?
 - [ ] Entity의 `id` 필드가 원시 타입(`long`)으로 선언되었는가?
 - [ ] 연관관계가 FK ID(`Long festivalId`)로만 매핑되어 있는가?
+- [ ] null 검증에 `== null` / `!= null` 직접 비교를 사용하고 있는가? (`Objects.isNull()` / `Objects.nonNull()` 사용해야 함)
 
 ### 검증
 
@@ -1378,7 +1414,9 @@ public class AnnouncementService { }
 - [ ] 객체 생성과 저장이 분리되지 않았는가?
 - [ ] RestAssured에서 `.given()` 전 개행이 누락되었는가?
 - [ ] `Mockito.when()` 대신 `BDDMockito.given()`을 사용하고 있는가?
+- [ ] `given().willReturn()` 등 체이닝이 한 줄로 작성되어 있는가? (반드시 개행해야 함)
 - [ ] 검증이 여러 개인데 `assertSoftly`를 사용하지 않았는가?
+- [ ] `assertSoftly` 람다 파라미터명이 `s`가 아닌가? (❌ `softly`, ✅ `s`)
 - [ ] 도메인 테스트에서 Fixture를 사용하고 있는가? (직접 `new`로 생성해야 함)
 - [ ] Controller 테스트에서 필드 사이즈 검증이 누락되었는가?
 - [ ] when 절의 결과 변수명이 `result`가 아닌가?

src/main/java/com/daedan/festabook/announcement/service/AnnouncementService.java

@@ -9,6 +9,8 @@
 import com.daedan.festabook.announcement.dto.AnnouncementUpdateRequest;
 import com.daedan.festabook.announcement.dto.AnnouncementUpdateResponse;
 import com.daedan.festabook.announcement.infrastructure.AnnouncementJpaRepository;
+import com.daedan.festabook.authorization.AccessAction;
+import com.daedan.festabook.authorization.AuthorizationContext;
 import com.daedan.festabook.authorization.service.AuthorizationService;
 import com.daedan.festabook.festival.domain.Festival;
 import com.daedan.festabook.festival.domain.FestivalNotificationManager;
@@ -32,17 +34,22 @@ public class AnnouncementService {
     private static final String ANNOUNCEMENT_TITLE_WITH_UNIVERSITY_NAME_FORMAT = "[%s] %s";
 
     private final AnnouncementJpaRepository announcementJpaRepository;
+    private final AuthorizationService authorizationService;
     private final FestivalJpaRepository festivalJpaRepository;
     private final FestivalNotificationManager notificationManager;
-    private final AuthorizationService authorizationService;
 
     @Lockable(
             spelKey = "'AnnouncementService'.concat(#festivalId)",
             useMethodScopeLock = false
     )
     @Transactional
     public AnnouncementResponse createAnnouncement(Long festivalId, AnnouncementRequest request) {
-        authorizationService.validateFestivalCommandAccess(festivalId);
+        authorizationService.authorize(
+                Announcement.class,
+                AccessAction.CREATE,
+                AuthorizationContext.ofScope(festivalId)
+        );
+
         Festival festival = getFestivalById(festivalId);
 
         Announcement announcement = request.toEntity(festival);
@@ -71,7 +78,11 @@ public AnnouncementUpdateResponse updateAnnouncement(
             Long announcementId,
             AnnouncementUpdateRequest request
     ) {
-        authorizationService.validateFestivalCommandAccess(Announcement.class, announcementId);
+        authorizationService.authorize(
+                Announcement.class,
+                AccessAction.UPDATE,
+                AuthorizationContext.ofAssociated(announcementId, Announcement.class)
+        );
         Announcement announcement = getAnnouncementById(announcementId);
         announcement.updateTitleAndContent(request.title(), request.content());
         return AnnouncementUpdateResponse.from(announcement);
@@ -87,7 +98,11 @@ public AnnouncementPinUpdateResponse updateAnnouncementPin(
             Long announcementId,
             AnnouncementPinUpdateRequest request
     ) {
-        authorizationService.validateFestivalCommandAccess(Announcement.class, announcementId);
+        authorizationService.authorize(
+                Announcement.class,
+                AccessAction.UPDATE,
+                AuthorizationContext.ofAssociated(announcementId, Announcement.class)
+        );
         Announcement announcement = getAnnouncementById(announcementId);
         if (announcement.isUnpinned() && request.pinned()) {
             validatePinnedLimit(festivalId);
@@ -99,13 +114,21 @@ public AnnouncementPinUpdateResponse updateAnnouncementPin(
 
     @Transactional
     public void deleteAnnouncementByAnnouncementId(Long announcementId) {
-        authorizationService.validateFestivalCommandAccess(Announcement.class, announcementId);
+        authorizationService.authorize(
+                Announcement.class,
+                AccessAction.DELETE,
+                AuthorizationContext.ofAssociated(announcementId, Announcement.class)
+        );
         Announcement announcement = getAnnouncementById(announcementId);
         announcementJpaRepository.delete(announcement);
     }
 
     public void sendAnnouncementNotification(Long festivalId, Long announcementId) {
-        authorizationService.validateFestivalCommandAccess(Announcement.class, announcementId);
+        authorizationService.authorize(
+                Announcement.class,
+                AccessAction.NOTIFY,
+                AuthorizationContext.ofAssociated(announcementId, Announcement.class)
+        );
         Announcement announcement = getAnnouncementById(announcementId);
         Festival festival = getFestivalByIdWithOrganization(festivalId);
 

src/main/java/com/daedan/festabook/authorization/AccessAction.java

@@ -0,0 +1,10 @@
+package com.daedan.festabook.authorization;
+
+public enum AccessAction {
+    CREATE,
+    READ,
+    UPDATE,
+    DELETE,
+    MANAGE,
+    NOTIFY
+}

src/main/java/com/daedan/festabook/authorization/AccessSubject.java

@@ -0,0 +1,7 @@
+package com.daedan.festabook.authorization;
+
+public enum AccessSubject {
+    ORGANIZER,
+    STAFF,
+    PLACE_ACCESS
+}

src/main/java/com/daedan/festabook/authorization/AuthorizationContext.java

@@ -0,0 +1,59 @@
+package com.daedan.festabook.authorization;
+
+import java.util.List;
+
+@SuppressWarnings("rawtypes")
+public class AuthorizationContext {
+
+    private final Long scopeId;
+    private final List<Long> associatedIds;
+    private final Class resolverType;
+    private final Long principalId;
+
+    private AuthorizationContext(Long scopeId, List<Long> associatedIds, Class<?> resolverType, Long principalId) {
+        this.scopeId = scopeId;
+        this.associatedIds = associatedIds;
+        this.resolverType = resolverType;
+        this.principalId = principalId;
+    }
+
+    public static AuthorizationContext ofScope(Long scopeId) {
+        return new AuthorizationContext(scopeId, null, null, null);
+    }
+
+    public static AuthorizationContext ofAssociated(List<Long> associatedIds, Class<?> resolverType) {
+        return new AuthorizationContext(null, associatedIds, resolverType, null);
+    }
+
+    public static AuthorizationContext ofAssociated(Long associatedId, Class<?> resolverType) {
+        return new AuthorizationContext(null, List.of(associatedId), resolverType, null);
+    }
+
+    public static AuthorizationContext ofScopeAndAssociated(Long scopeId, Long associatedId, Class<?> resolverType) {
+        return new AuthorizationContext(scopeId, List.of(associatedId), resolverType, null);
+    }
+
+    public static AuthorizationContext ofScopes(List<Long> scopeIds) {
+        return new AuthorizationContext(null, scopeIds, null, null);
+    }
+
+    public static AuthorizationContext ofPrincipal(Long principalId) {
+        return new AuthorizationContext(null, null, null, principalId);
+    }
+
+    public Long getScopeId() {
+        return scopeId;
+    }
+
+    public List<Long> getAssociatedIds() {
+        return associatedIds;
+    }
+
+    public Class getResolverType() {
+        return resolverType;
+    }
+
+    public Long getPrincipalId() {
+        return principalId;
+    }
+}

src/main/java/com/daedan/festabook/authorization/AuthorizationKey.java

@@ -0,0 +1,8 @@
+package com.daedan.festabook.authorization;
+
+public record AuthorizationKey(
+        Class<?> target,
+        AccessAction action,
+        AccessSubject subject
+) {
+}

src/main/java/com/daedan/festabook/authorization/AuthorizationStrategy.java

@@ -0,0 +1,10 @@
+package com.daedan.festabook.authorization;
+
+import com.daedan.festabook.global.security.authorization.AccountDetails;
+
+public interface AuthorizationStrategy {
+
+    boolean supports(AuthorizationKey key);
+
+    boolean isAuthorized(AccountDetails accountDetails, AuthorizationContext context);
+}

src/main/java/com/daedan/festabook/authorization/domain/PlaceIdsResolver.java

@@ -2,7 +2,6 @@
 
 import com.daedan.festabook.global.domain.BaseEntity;
 import java.util.List;
-import java.util.Optional;
 
 public interface PlaceIdsResolver {
 

src/main/java/com/daedan/festabook/authorization/resolver/FestivalIdsResolverRegistry.java

@@ -0,0 +1,31 @@
+package com.daedan.festabook.authorization.resolver;
+
+import com.daedan.festabook.authorization.domain.FestivalIdsResolver;
+import com.daedan.festabook.global.exception.InternalServerException;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+import org.springframework.stereotype.Component;
+
+@Component
+public class FestivalIdsResolverRegistry {
+
+    private final Map<Class<?>, FestivalIdsResolver> resolverMap;
+
+    public FestivalIdsResolverRegistry(List<FestivalIdsResolver> resolvers) {
+        this.resolverMap = resolvers.stream()
+                .collect(Collectors.toMap(FestivalIdsResolver::getResolverType, resolver -> resolver));
+    }
+
+    public boolean hasResolver(Class<?> resolverType) {
+        return resolverMap.containsKey(resolverType);
+    }
+
+    public List<Long> resolve(Class<?> resolverType, List<Long> entityIds) {
+        FestivalIdsResolver resolver = resolverMap.get(resolverType);
+        if (resolver == null) {
+            throw new InternalServerException();
+        }
+        return resolver.resolve(entityIds);
+    }
+}

src/main/java/com/daedan/festabook/authorization/resolver/OrganizationIdResolverRegistry.java

@@ -0,0 +1,32 @@
+package com.daedan.festabook.authorization.resolver;
+
+import com.daedan.festabook.authorization.domain.OrganizationIdResolver;
+import com.daedan.festabook.global.exception.InternalServerException;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+import org.springframework.stereotype.Component;
+
+@Component
+public class OrganizationIdResolverRegistry {
+
+    private final Map<Class<?>, OrganizationIdResolver> resolverMap;
+
+    public OrganizationIdResolverRegistry(List<OrganizationIdResolver> resolvers) {
+        this.resolverMap = resolvers.stream()
+                .collect(Collectors.toMap(OrganizationIdResolver::getResolverType, resolver -> resolver));
+    }
+
+    public boolean hasResolver(Class<?> resolverType) {
+        return resolverMap.containsKey(resolverType);
+    }
+
+    public Long resolve(Class<?> resolverType, Long entityId) {
+        OrganizationIdResolver resolver = resolverMap.get(resolverType);
+        if (resolver == null) {
+            throw new InternalServerException();
+        }
+        return resolver.resolve(entityId)
+                .orElseThrow(InternalServerException::new);
+    }
+}

src/main/java/com/daedan/festabook/authorization/resolver/PlaceIdsResolverRegistry.java

@@ -0,0 +1,31 @@
+package com.daedan.festabook.authorization.resolver;
+
+import com.daedan.festabook.authorization.domain.PlaceIdsResolver;
+import com.daedan.festabook.global.exception.InternalServerException;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+import org.springframework.stereotype.Component;
+
+@Component
+public class PlaceIdsResolverRegistry {
+
+    private final Map<Class<?>, PlaceIdsResolver> resolverMap;
+
+    public PlaceIdsResolverRegistry(List<PlaceIdsResolver> resolvers) {
+        this.resolverMap = resolvers.stream()
+                .collect(Collectors.toMap(PlaceIdsResolver::getResolverType, resolver -> resolver));
+    }
+
+    public boolean hasResolver(Class<?> resolverType) {
+        return resolverMap.containsKey(resolverType);
+    }
+
+    public List<Long> resolve(Class<?> resolverType, List<Long> entityIds) {
+        PlaceIdsResolver resolver = resolverMap.get(resolverType);
+        if (resolver == null) {
+            throw new InternalServerException();
+        }
+        return resolver.resolve(entityIds);
+    }
+}