feat(M4-CSP-036): CSP authentication configuration validation API and AWS interface refactoring #77
Closed
dogfootman wants to merge 69 commits into
Conversation
…irect dependencies for OpenTelemetry and other libraries.
…ement. Added endpoint to retrieve workspaces assigned to a project, updated project creation to optionally assign a workspace, and improved error handling. Modified swagger definitions for better clarity and added new constants for authentication methods.
…nce API documentation for project and workspace management. Introduced new endpoints for workspace retrieval and improved error handling in existing API definitions.
…ncluding local build instructions, service dependencies, and image management commands. Update project and workspace services to utilize environment variable for default workspace name, improve error handling, and streamline project assignment logic.
…s and project management. Removed deprecated endpoints, added new endpoints for workspace assignment and unassignment, and updated parameter definitions for clarity. Enhanced error handling and improved Swagger definitions for better API usability.
Feature/project workspace assignment
This reverts commit e3f09da.
This commit introduces a new CLI tool that consolidates multiple Swagger/OpenAPI specifications into a unified serviceActions YAML file. Key features include support for both Swagger 2.0 and OpenAPI 3.0+, automatic format detection, and the ability to process local files and remote URLs. The tool also includes version management for frameworks and detailed output options.
New files added:
- aggregator.go: Core logic for processing frameworks and aggregating results.
- config.go: Configuration structure and loading functions.
- http.go: HTTP utilities for fetching Swagger specs.
- main.go: Entry point for the CLI tool with command-line flag handling.
- output.go: Functions for writing and appending YAML output.
- parser.go: Parsing logic for Swagger/OpenAPI specifications.
- transformer.go: Transformation logic to convert specs into service actions.
- README.md: Documentation for usage and features.
- frameworks.yaml: Example configuration file for defining frameworks.
This implementation sets the foundation for further enhancements and integrations with the MC-IAM-Manager project.
Feature/csp account idp management
Feature/swagger to yaml
Add support for base URL and authentication in API import functionality
Add public user signup API that creates users in pending state:
- Users are created with enabled=false and require admin approval
- Email, password, name, and organization (optional) are required
- Username is automatically generated from email address
- Organization info is stored in Keycloak user attributes
- Validation enforces email format and minimum 8-character password
Add validation utilities:
- Field-level validation with Korean error messages
- Structured error responses with HTTP status codes
- Support for duplicate email detection (409 Conflict)
Add admin password reset API:
- Platform administrators can reset user passwords
- Requires minimum 8-character password
- Updates password directly in Keycloak
API endpoints:
- POST /api/auth/signup - Public user signup (no authentication)
- PUT /api/users/id/:userId/password - Admin password reset (platformAdmin only)
Update operationId to match function names:
- SignupUser API with model.SignupRequest
- ResetUserPassword API with model.ResetPasswordRequest
Add request model definitions with validation rules:
- Email format validation
- Password minimum 8 characters
- Required fields enforcement
Add SignupUser and ResetUserPassword to service-actions.yaml:
- POST /api/auth/signup - Public user signup
- PUT /api/users/id/{userId}/password - Admin password reset
Update frameworks.yaml swagger path from ../../docs to ../../src/docs
Total actions increased from 133 to 165 for mc-iam-manager
Add three detailed documentation files:
- FR-004-ANALYSIS.md: Requirements analysis with gap analysis
- FR-004-IMPLEMENTATION.md: Implementation details with code examples
- FR-004-TEST-RESULTS.md: Test results with 10 test scenarios
Documentation covers:
- Requirements breakdown (FR-004-01 to FR-004-09)
- Implementation architecture and code structure
- API specifications and request/response examples
- Build and integration test results
- Manual test scenarios for validation
Add detailed development guide based on FR-004 implementation:
- Development environment setup
- Git worktree workflow
- Requirements analysis process
- Code implementation guidelines (models, services, handlers)
- Testing procedures (build, swagger, service-actions)
- Documentation standards
- Code review and PR creation process
- Comprehensive checklists
Guide covers complete workflow from feature planning to PR merge
feat(FR-007-02): extend CreateMenu role mapping
- docs/swagger.yaml, swagger.json: synced from src/docs (adds changeMyPassword and other new APIs)
- conf/mc-iam-manager/api.yaml: add changeMyPassword action (PUT /api/users/me/password)
- conf/mc-iam-manager/service-actions.yaml: regenerated mc-iam-manager section via swagger-to-actions (165 → 186 actions)
- asset/mcmpapi/mcmp_api.yaml: add changeMyPassword action
- asset/mcmpapi/service-actions.yaml: regenerated mc-iam-manager section via swagger-to-actions
feat: sync changeMyPassword to all config and swagger files
Fixed so that recovery is possible when the role exists in the DB but is not synchronized to Keycloak. Resolves IAM-BUG-002.
fix(role): IAM-BUG-002 make AssignPlatformRole idempotent
- BUG-E4: wrap ErrOrganizationNotFound with %w in CreateOrganization so handler correctly maps non-existent parent_id to 400 instead of 500
- BUG-E6: introduce ErrUserOrganizationNotFound sentinel in repository; RemoveUserOrganization now returns 404 instead of 400 when mapping absent
- feat: add name/code query param search to GET /api/groups and GET /api/organizations via FindByFilter repository method and SearchOrganizations service method
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- POST /api/groups/id/{groupId}/users — bulk assign users to group (DB + KC)
- DELETE /api/groups/id/{groupId}/users/{userId} — remove user from group (DB + KC)
- Add AssignGroupUsersRequest model
- Add AssignUsersToGroup service method with Keycloak sync
Co-Authored-By: Paperclip <noreply@paperclip.ing>
…nt (IDO-19)
- GET /api/users/id/{userId}/groups?hierarchy=true — return groups with
path and level from organization tree
- PUT /api/users/id/{userId}/groups — replace all user group memberships
(remove existing, assign new list)
- Add GetUserOrganizationsWithHierarchy and ReplaceUserGroups service methods
Co-Authored-By: Paperclip <noreply@paperclip.ing>
…-20, IDO-21)
- role_id not found now returns 404 (was 500) in assign/remove platform role
- workspace_id and role_id validated before group-workspace assignment
- GET /api/groups/id/{groupId}/platform-roles/available — unassigned roles
- GET /api/groups/id/{groupId}/workspaces/available — unmapped workspaces
- Add ErrRoleMasterNotFound sentinel; reuse ErrWorkspaceNotFound from workspace repo
- Add FindAvailablePlatformRoles and FindAvailableWorkspaces repository methods
- Add GetAvailablePlatformRoles and GetAvailableWorkspaces service methods
Co-Authored-By: Paperclip <noreply@paperclip.ing>
… API for group workspace role assignment (IDO-21)
- Add ErrRoleMasterNotFound sentinel error to group_role_repository
- Add FindAvailableWorkspacesForGroup repo method (workspaces not yet mapped to a group)
- Update AssignGroupWorkspace service: validate workspace_id and role_id exist (404) before creating mapping
- Add GetAvailableGroupWorkspaces service method
- Add GetAvailableGroupWorkspaces handler: GET /api/groups/id/:groupId/workspaces/available
- Update AssignGroupWorkspace handler: handle ErrWorkspaceNotFound and ErrRoleMasterNotFound with 404 responses
- Register new route in main.go
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- model: Company struct (mcmp_companies), CompanyRequest/UpdateRequest/Response DTOs
- repository: CompanyRepository with ExistsByRealmName, Create, First, Save, Count
- service: CompanyService with singleton CRUD, activate/deactivate, CreateDefaultCompany
- handler: CompanyHandler with 5 endpoints (POST/GET/PUT/DELETE /api/company, POST /api/company/activate)
- main: AutoMigrate Company, register /api/company routes with PlatformAdminMiddleware
- admin: integrate CreateDefaultCompany in SetupInitialAdmin (non-fatal, idempotent)
Tests:
- repository: 8 tests (Create, First, ExistsByRealmName, Save, Count)
- service: 13 tests (CreateCompany conflict/realm-error, GetCompany, UpdateCompany, DeactivateCompany idempotent, ActivateCompany idempotent, CreateDefaultCompany)
- all 21 tests PASS with SQLite in-memory DB
feat(M7-COMP): add company management API (COMP-001~006)
Implement unit tests for the group-workspace role mapping feature (IDO-21) and fix compile errors
- Add 9 GroupRoleRepository unit tests (covering TC-025~028)
- Add 11 GroupRoleService unit tests (covering the whole service layer)
- Add SQLite compatibility to isGroupDuplicateError (supports the in-memory test DB)
- Fix compile error in role_repository.go: missing .Error on a gorm chain
- Fix log.Printf format string error in workspace_repository.go
Refs: IDO-21
evaluation: 22.5 (complexity: 5.0, volume: 7.5, thinking: 5.0, others: 5.0)
comment: Implemented 20 Repository/Service layer unit tests for the group-workspace role mapping feature, built SQLite in-memory DB based test infrastructure, and also fixed 2 existing compile errors
Human-Time: 6h
Ai-Driven-Time: 1h
productivity: 600%
Generated-By: Claude Code
Resolve conflicts from merging the develop branch
- Remove duplicate ErrRoleMasterNotFound declaration
- Keep FindAvailablePlatformRoles/FindAvailableWorkspaces methods (added on develop)
- Remove duplicate GetAvailableGroupWorkspaces handler declaration
- Keep AssignGroupWorkspace service error wrapping (HEAD version)
Refs: IDO-21
evaluation: 2.0 (complexity: 1.0, volume: 0.5, thinking: 0.5, others: 0.0)
comment: Resolve develop merge conflicts: remove duplicate declarations and preserve features from both sides
Human-Time: 20m
Ai-Driven-Time: 5m
productivity: 400%
Generated-By: Claude Code
feat(iam): add group-workspace role assignment management (IDO-21)
- BUG-MENU-01: fix DeleteMenusRolesMapping c.Param → c.QueryParam, and add DeleteRoleMenuMappingByRoleAndMenu function
- BUG-MENU-02: fix UpdateMenu always overwriting isAction; change CreateMenuRequest.IsAction bool → *bool with nil-checked conditional update
- BUG-MENU-03: fix route path in Swagger annotation: /api/menus/tree/list → /api/menus/menus-tree/list
- BUG-MENU-04: GetMenuByID/DeleteMenu return 404 on ErrMenuNotFound
- BUG-MENU-05: fix DeleteMenu not cascading to child menus; add DeleteMenuWithChildren (PostgreSQL WITH RECURSIVE CTE)
fix(M3-RBAC): fix 5 menu management API bugs
#71) Co-authored-by: raccoon-mh <wsx1341@gmail.com>
- gcp_credential_service.go newly created: GCP Workload Identity Federation two-step flow
  1. STS token exchange (sts.googleapis.com/v1/token)
  2. Service Account impersonation (iamcredentials.googleapis.com)
- csp_credential_service.go: add GCP case branch, wire gcpCredService via DI
- model/csp_credential.go: add GCP response fields (accessToken, tokenType) with omitempty
feat(M4-CSP): implement GCP WIF-based temporary credential issuance
- alibaba_credential_service.go newly created: RAM AssumeRoleWithSAML HTTP call
- keycloak_service.go: add GetSamlAssertionByServiceAccount() RFC 8693 SAML2 token exchange
- csp_credential_service.go: add case "alibaba" branch, wire alibabaCredService via DI
- constants/constants.go: add CSPTypeAlibaba = "alibaba"
- model/csp_credential.go: add AccessKeySecret, SecurityToken fields (omitempty)
- handler/csp_account_handler.go: add alibaba to CSP type enum
feat(M4-CSP): implement Alibaba RAM SAML-based temporary credential issuance
* feat(M4-CSP): implement CSP credential issuance dispatch per auth method (OIDC/SAML/SECRET_KEY)
- csp_mapping_repository: add CspIdpConfig Preload when querying CspRole (so AuthMethod loads correctly)
- aws_credential_service: add AssumeRoleWithSAML method (AWS SDK v2)
- csp_credential_service: add ErrUnsupportedAuthMethod and getSecretKeyCredentials, refactor into nested (cspType, authMethod) dispatch
  - AWS: OIDC/SAML/SECRET_KEY supported
  - GCP: OIDC/SECRET_KEY supported
  - Alibaba: SAML/SECRET_KEY supported
- Apply backward-compatible defaults when CspIdpConfig is not set
* feat(M4-CSP): extend multi-CSP registration and default SECRET_KEY support (Phase 1)
- constants: add CSP type constants tencent, ibm, ncp, nhn, kt, openstack
- handler: refactor hardcoded CSP type validation into a map lookup (10 types supported)
- model: include alibaba in the CreateCspAccountRequest oneof validator and add the new CSP types
- service: add SECRET_KEY dispatch for azure/tencent/ibm/ncp/nhn/kt/openstack; authMethods without a federation implementation return ErrUnsupportedAuthMethod
* feat(M4-CSP): add IDP status summary and bulk health check API (ACC-02)
- GET /api/csp-idp-configs/summary: aggregated IDP configuration status per CSP account
- POST /api/csp-idp-configs/health-check: check connectivity of all active IDPs in parallel with goroutines
- model: add CspIdpSummary, HealthCheckResult, BulkHealthCheckRequest/Response
- repository: add GetSummary() LEFT JOIN aggregation query
- service: add GetIdpSummary(), BulkHealthCheck() (30-second timeout, CONNECTED/FAILED/TIMEOUT)
- handler/main: register 2 routes
* feat: support dynamic selection of CSP auth method (OIDC/SAML/SECRET_KEY) and add unit tests
- constants: add AuthMethodSecretKey constant
- model: add AuthMethod field to CspCredentialRequest and to CreateCspRoleRequest
- repository: remove hardcoded AuthMethod from role_repository (default only)
- repository: add authMethod filter parameter to FindCspRoleMappingsByRoleIDAndCspType
- service: apply cspRole.AuthMethod dynamically in role_service
- service: support injecting credUserRepo/credMappingRepo interfaces into CspCredentialService
- test: 19 GetTemporaryCredentials unit tests (full CSP×AuthMethod matrix)
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(M4-SAML): fix SAML token exchange for AWS STS AssumeRoleWithSAML
- Change client_credentials to password grant in GetSamlAssertionByServiceAccount
  UserSession is required for Keycloak SAML token exchange (RFC 8693)
- Decode base64url SAML Assertion and wrap in samlp:Response
  AWS STS requires full SAMLResponse wrapper, not bare Assertion
- Add standard base64 encoding for SAMLAssertion parameter
- Add decodeBase64URLToString() and buildSAMLResponse() helpers
* feat(M4-CSP-036): add CSP credentials validation API
POST /api/workspaces/credentials/validate
- Step-by-step validation for CSP×AuthMethod combinations
- AWS OIDC (6 steps), AWS SAML (7 steps), AWS SECRET_KEY (3 steps), GCP OIDC (6 steps)
- IAM Provider/Trust checks in degraded mode (skipped when no AWS credentials)
- All steps always included in response (ok/failed/skipped)
- AWS SAML: auto-resolve urn:amazon:webservices as Keycloak SAML client
* refactor(M4-CSP-036): move AWS IAM calls into AwsCredentialService interface
- Add CheckOIDCProvider, CheckSAMLProvider, CheckRoleTrust, CheckCallerIdentity to AwsCredentialService interface
- Remove direct AWS SDK imports from csp_validation_service.go (all AWS calls go through interface)
- Remove degraded mode: IAM permission failure is now a hard fail (not skipped)
- Add CheckSAMLClientConfig to KeycloakService for SAML client existence check
- Add unit/integration tests: csp_validation_service_test, csp_idp_config_service_test, csp_validation_integration_test
- Add mock stubs: mock_keycloak_service_test, mock_csp_credential_deps_test updates
---------
Co-authored-by: raccoon-mh <wsx1341@gmail.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
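The SAML wrapper fix from the fix(M4-SAML) commit above, as an added Go example that is not the project's code: it decodes the base64url assertion returned by the Keycloak token exchange, embeds it unchanged in a samlp:Response carrying a Success status, and re-encodes the result with standard base64 for the STS SAMLAssertion parameter. Function names follow the commit message; their bodies, the Response attributes and the stub assertion are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

// Added example, not the project's own code: the function names follow the
// commit message above, the bodies and the stub assertion are assumptions.
// decodeBase64URLToString decodes the base64url assertion returned by the
// Keycloak RFC 8693 token exchange, whether or not '=' padding is present.
func decodeBase64URLToString(s string) (string, error) {
	b, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(s, "="))
	if err != nil {
		return "", fmt.Errorf("saml assertion is not base64url: %w", err)
	}
	return string(b), nil
}

// buildSAMLResponse wraps the bare, already signed <saml:Assertion> in the
// <samlp:Response> envelope AWS STS AssumeRoleWithSAML expects. The assertion
// bytes are inserted unchanged so the IdP signature over them stays valid.
func buildSAMLResponse(assertionXML string) (string, error) {
	if !strings.Contains(assertionXML, ":Assertion") {
		return "", fmt.Errorf("input is not a SAML assertion")
	}
	id := make([]byte, 16) // Response ID must be an NCName, hence the '_' prefix
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	return fmt.Sprintf(`<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" `+
		`ID="_%x" Version="2.0" IssueInstant="%s"><samlp:Status><samlp:StatusCode `+
		`Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>%s</samlp:Response>`,
		id, time.Now().UTC().Format(time.RFC3339), assertionXML), nil
}

func main() {
	// Constructed sample: an unsigned stub assertion, base64url without padding.
	stub := base64.RawURLEncoding.EncodeToString([]byte(`<saml:Assertion ID="_stub" Version="2.0"/>`))
	assertion, err := decodeBase64URLToString(stub)
	if err != nil {
		panic(err)
	}
	resp, err := buildSAMLResponse(assertion)
	if err != nil {
		panic(err)
	}
	fmt.Println(base64.StdEncoding.EncodeToString([]byte(resp))) // padded base64 for STS SAMLAssertion
}
```

The envelope itself is unsigned; STS validates the signature on the embedded Assertion against the IdP metadata registered on the SAML provider, which is why the assertion bytes must not be re-serialized.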
PR target changed: recreated against the MZC-CSC/mc-iam-manager develop branch
MZC-CSC pushed a commit that referenced this pull request on Apr 27, 2026:
fix/refactor(M4-CSP): Alibaba STS fix, SAML pre-check gate, CspRole service layer refactoring
MZC-CSC pushed a commit that referenced this pull request on May 11, 2026:
fix/refactor(M4-CSP): Alibaba STS fix, SAML pre-check gate, CspRole service layer refactoring
Summary
CSP×AuthMethod validation steps
Test plan
- go test ./src/service/... -run TestCspValidation (unit tests, mock-based)
- go test ./src/repository/... -run TestCspIdpConfig (repository unit tests)
- INTEGRATION_TEST=1 go test ./src/service/... -run TestIntegration (integration tests; require a real KC/AWS connection)