feat(keycloak): M4.3 — Admin API adapter + claim resolver
internal/keycloak Adapter (HTTPAdapter + Mock). POST /v1/tenants now provisions a KC organization + IT_ADMIN invite when admin_email is set; KC failures emit keycloak.provision_failed but don't roll back. POST /v1/internal/keycloak/claims resolves the current claim bundle for any (tenant_id|tenant_slug|user_attrs.*) lookup. Mock used in tests + when KEYCLOAK_ADMIN_URL is empty. HTTPAdapter tested against an in-process stub KC (httptest.Server). Refs: M4.3
This commit was merged in pull request #8.
This commit is contained in:
@@ -20,6 +20,18 @@ type createTenantReq struct {
|
||||
Plan string `json:"plan,omitempty"`
|
||||
Kind string `json:"kind,omitempty"`
|
||||
SalesOwner string `json:"sales_owner,omitempty"`
|
||||
// AdminEmail is optional. When set, the Keycloak adapter provisions
|
||||
// an organization + invites this user as IT_ADMIN. Omitted for
|
||||
// sales-led flows that invite the admin later via the portal.
|
||||
AdminEmail string `json:"admin_email,omitempty"`
|
||||
AdminName string `json:"admin_name,omitempty"`
|
||||
}
|
||||
|
||||
// createTenantResp wraps the tenant with the optional KC invite URL so
|
||||
// dev testers can use it without waiting for the email.
|
||||
type createTenantResp struct {
|
||||
Tenant *store.Tenant `json:"tenant"`
|
||||
InviteURL string `json:"invite_url,omitempty"`
|
||||
}
|
||||
|
||||
func (s *Server) createTenant(w http.ResponseWriter, r *http.Request) {
|
||||
@@ -40,7 +52,7 @@ func (s *Server) createTenant(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
|
||||
ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
|
||||
defer cancel()
|
||||
t, err := s.Store.CreateTenant(ctx, store.TenantCreate{
|
||||
Slug: in.Slug, Name: in.Name, Plan: in.Plan, Kind: in.Kind, SalesOwner: in.SalesOwner,
|
||||
@@ -63,7 +75,25 @@ func (s *Server) createTenant(w http.ResponseWriter, r *http.Request) {
|
||||
Metadata: map[string]interface{}{"plan": t.Plan, "kind": t.Kind},
|
||||
})
|
||||
|
||||
writeJSON(w, http.StatusCreated, t)
|
||||
// Best-effort Keycloak provisioning. A failure here doesn't roll the
|
||||
// tenant back — the operator can resend the invite via the KC admin UI.
|
||||
// We emit an audit event regardless so the failure is traceable.
|
||||
inviteURL, kcErr := s.provisionKeycloak(ctx, t, in.AdminEmail, in.AdminName)
|
||||
if kcErr != nil {
|
||||
s.emitAudit(ctx, r, store.AuditEvent{
|
||||
TenantID: t.ID, Action: "keycloak.provision_failed",
|
||||
TargetID: t.ID, TargetType: "tenant",
|
||||
Metadata: map[string]interface{}{"err": kcErr.Error(), "admin_email": in.AdminEmail},
|
||||
})
|
||||
} else if in.AdminEmail != "" {
|
||||
s.emitAudit(ctx, r, store.AuditEvent{
|
||||
TenantID: t.ID, Action: "keycloak.invite_sent",
|
||||
TargetID: in.AdminEmail, TargetType: "user", TargetName: in.AdminEmail,
|
||||
Metadata: map[string]interface{}{"role": "IT_ADMIN"},
|
||||
})
|
||||
}
|
||||
|
||||
writeJSON(w, http.StatusCreated, createTenantResp{Tenant: t, InviteURL: inviteURL})
|
||||
}
|
||||
|
||||
func (s *Server) getTenant(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
Reference in New Issue
Block a user