From 487c10d4d0c81970d0dc49a0a547d91d01d029e7 Mon Sep 17 00:00:00 2001 From: Klaus Date: Thu, 7 May 2026 14:14:48 +0900 Subject: [PATCH 1/2] =?UTF-8?q?feat(admin):=20=EC=BD=98=ED=85=90=EC=B8=A0?= =?UTF-8?q?=20=EA=B4=80=EB=A6=AC=EC=9E=90=20=EB=A1=9C=EA=B7=B8=EC=9D=B8=20?= =?UTF-8?q?API=20=EC=B6=94=EA=B0=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...7_콘텐츠관리자권한및관리자로그인API추가.md | 22 +++++ .../member/AdminMemberLoginController.kt | 15 +++ .../admin/member/AdminMemberLoginResponse.kt | 8 ++ .../admin/member/AdminMemberLoginService.kt | 39 ++++++++ .../admin/member/AdminMemberRepository.kt | 4 +- .../admin/member/AdminMemberService.kt | 4 + .../sodalive/configs/SecurityConfig.kt | 1 + .../sodalive/i18n/SodaMessageSource.kt | 5 + .../kr/co/vividnext/sodalive/member/Member.kt | 2 +- .../member/AdminMemberLoginControllerTest.kt | 66 +++++++++++++ .../member/AdminMemberLoginServiceTest.kt | 98 +++++++++++++++++++ 11 files changed, 262 insertions(+), 2 deletions(-) create mode 100644 docs/20260507_콘텐츠관리자권한및관리자로그인API추가.md create mode 100644 src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginController.kt create mode 100644 src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginResponse.kt create mode 100644 src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginService.kt create mode 100644 src/test/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginControllerTest.kt create mode 100644 src/test/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginServiceTest.kt diff --git a/docs/20260507_콘텐츠관리자권한및관리자로그인API추가.md b/docs/20260507_콘텐츠관리자권한및관리자로그인API추가.md new file mode 100644 index 00000000..0d674f53 --- /dev/null +++ b/docs/20260507_콘텐츠관리자권한및관리자로그인API추가.md @@ -0,0 +1,22 @@ +# 콘텐츠 관리자 권한 및 관리자 로그인 API 추가 + +## 작업 항목 +- [x] `MemberRole`에 콘텐츠 관리자 권한을 추가한다. +- [x] 관리자 로그인 API 테스트를 먼저 추가하고 RED를 확인한다. +- [x] 관리자와 콘텐츠 관리자만 로그인 가능한 관리자 전용 로그인 API를 구현한다. +- [x] 응답을 `token`, `role`만 포함하도록 구현한다. +- [x] focused test, 관련 테스트, 스타일 검사를 실행하고 결과를 기록한다. + +## 설계 +- 새 권한은 기존 `MemberRole` enum에 `CONTENT_MANAGER`로 추가한다. +- 새 API는 관리자 도메인의 `/admin/member/login`으로 추가하고 인증 없이 호출 가능하도록 보안 설정에 permitAll을 추가한다. +- 서비스는 기존 이메일/비밀번호 인증 흐름과 JWT 생성 방식을 재사용하되, `ADMIN`, `CONTENT_MANAGER` 외 역할은 `common.error.bad_credentials` 예외로 거부한다. +- 응답 DTO는 관리자 로그인 전용으로 분리해 `token`, `role`만 노출한다. + +## 검증 기록 +- 2026-05-07: RED 확인: `./gradlew test --tests 'kr.co.vividnext.sodalive.admin.member.AdminMemberLoginServiceTest' --tests 'kr.co.vividnext.sodalive.admin.member.AdminMemberLoginControllerTest'` 실행 시 `AdminMemberLoginService`, `AdminMemberLoginController`, `AdminMemberLoginResponse`, `CONTENT_MANAGER`, `findByEmail` 미구현으로 `compileTestKotlin`이 실패함을 확인했다. +- 2026-05-07: GREEN 확인: 동일 focused test가 `BUILD SUCCESSFUL`로 통과해 관리자/콘텐츠 관리자 로그인 허용 및 일반 사용자 거부를 확인했다. +- 2026-05-07: API 응답 확인: `./gradlew test --tests 'kr.co.vividnext.sodalive.admin.member.AdminMemberLoginControllerTest.shouldReturnTokenAndRoleJson'`가 `BUILD SUCCESSFUL`로 통과해 `POST /admin/member/login` JSON 응답의 `data.token`, `data.role`을 확인했다. +- 2026-05-07: 회귀 확인: `./gradlew test --tests 'kr.co.vividnext.sodalive.admin.member.*'`가 `BUILD SUCCESSFUL`로 통과했다. +- 2026-05-07: 스타일 확인: `./gradlew ktlintCheck`가 `BUILD SUCCESSFUL`로 통과했다. +- 2026-05-07: Kotlin LSP는 현재 환경에 `.kt` 서버가 설정되어 있지 않아 `lsp_diagnostics` 실행이 불가했다. 대신 Gradle 컴파일 포함 focused/관련 test와 ktlint로 검증했다. diff --git a/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginController.kt b/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginController.kt new file mode 100644 index 00000000..3a6e2dd1 --- /dev/null +++ b/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginController.kt @@ -0,0 +1,15 @@ +package kr.co.vividnext.sodalive.admin.member + +import kr.co.vividnext.sodalive.common.ApiResponse +import kr.co.vividnext.sodalive.member.login.LoginRequest +import org.springframework.web.bind.annotation.PostMapping +import org.springframework.web.bind.annotation.RequestBody +import org.springframework.web.bind.annotation.RequestMapping +import org.springframework.web.bind.annotation.RestController + +@RestController +@RequestMapping("/admin/member") +class AdminMemberLoginController(private val service: AdminMemberLoginService) { + @PostMapping("/login") + fun login(@RequestBody request: LoginRequest) = ApiResponse.ok(service.login(request)) +} diff --git a/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginResponse.kt b/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginResponse.kt new file mode 100644 index 00000000..f9602c0e --- /dev/null +++ b/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginResponse.kt @@ -0,0 +1,8 @@ +package kr.co.vividnext.sodalive.admin.member + +import kr.co.vividnext.sodalive.member.MemberRole + +data class AdminMemberLoginResponse( + val token: String, + val role: MemberRole +) diff --git a/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginService.kt b/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginService.kt new file mode 100644 index 00000000..a29bdaba --- /dev/null +++ b/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginService.kt @@ -0,0 +1,39 @@ +package kr.co.vividnext.sodalive.admin.member + +import kr.co.vividnext.sodalive.common.SodaException +import kr.co.vividnext.sodalive.jwt.TokenProvider +import kr.co.vividnext.sodalive.member.MemberAdapter +import kr.co.vividnext.sodalive.member.MemberRole +import kr.co.vividnext.sodalive.member.login.LoginRequest +import org.springframework.security.authentication.UsernamePasswordAuthenticationToken +import org.springframework.security.crypto.password.PasswordEncoder +import org.springframework.stereotype.Service + +@Service +class AdminMemberLoginService( + private val repository: AdminMemberRepository, + private val passwordEncoder: PasswordEncoder, + private val tokenProvider: TokenProvider +) { + fun login(request: LoginRequest): AdminMemberLoginResponse { + val member = repository.findByEmail(request.email) + ?: throw SodaException(messageKey = "common.error.bad_credentials") + + if (member.role != MemberRole.ADMIN && member.role != MemberRole.CONTENT_MANAGER) { + throw SodaException(messageKey = "common.error.bad_credentials") + } + + if (!member.isActive || !passwordEncoder.matches(request.password, member.password)) { + throw SodaException(messageKey = "common.error.bad_credentials") + } + + val authentication = UsernamePasswordAuthenticationToken( + MemberAdapter(member), + null, + MemberAdapter(member).authorities + ) + val token = tokenProvider.createToken(authentication = authentication, memberId = member.id!!) + + return AdminMemberLoginResponse(token = token, role = member.role) + } +} diff --git a/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberRepository.kt b/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberRepository.kt index 4249bd35..81e046e3 100644 --- a/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberRepository.kt +++ b/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberRepository.kt @@ -6,7 +6,9 @@ import kr.co.vividnext.sodalive.member.MemberRole import kr.co.vividnext.sodalive.member.QMember.member import org.springframework.data.jpa.repository.JpaRepository -interface AdminMemberRepository : JpaRepository, AdminMemberQueryRepository +interface AdminMemberRepository : JpaRepository, AdminMemberQueryRepository { + fun findByEmail(email: String?): Member? +} interface AdminMemberQueryRepository { fun getMemberTotalCount(role: MemberRole? = null): Int diff --git a/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberService.kt b/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberService.kt index 6b6334be..858a31a6 100644 --- a/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberService.kt +++ b/src/main/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberService.kt @@ -101,6 +101,10 @@ class AdminMemberService( MemberRole.CREATOR -> messageSource.getMessage("admin.member.role.creator", langContext.lang).orEmpty() MemberRole.AGENT -> messageSource.getMessage("admin.member.role.agent", langContext.lang).orEmpty() MemberRole.BOT -> messageSource.getMessage("admin.member.role.bot", langContext.lang).orEmpty() + MemberRole.CONTENT_MANAGER -> + messageSource + .getMessage("admin.member.role.content_manager", langContext.lang) + .orEmpty() } val loginType = when (it.provider) { diff --git a/src/main/kotlin/kr/co/vividnext/sodalive/configs/SecurityConfig.kt b/src/main/kotlin/kr/co/vividnext/sodalive/configs/SecurityConfig.kt index 3b847923..6c7d7ef6 100644 --- a/src/main/kotlin/kr/co/vividnext/sodalive/configs/SecurityConfig.kt +++ b/src/main/kotlin/kr/co/vividnext/sodalive/configs/SecurityConfig.kt @@ -74,6 +74,7 @@ class SecurityConfig( .antMatchers("/member/login/kakao").permitAll() .antMatchers("/member/login/apple").permitAll() .antMatchers("/member/login/line").permitAll() + .antMatchers("/admin/member/login").permitAll() .antMatchers("/creator-admin/member/login").permitAll() .antMatchers("/member/forgot-password").permitAll() .antMatchers("/stplat/terms_of_service").permitAll() diff --git a/src/main/kotlin/kr/co/vividnext/sodalive/i18n/SodaMessageSource.kt b/src/main/kotlin/kr/co/vividnext/sodalive/i18n/SodaMessageSource.kt index 817dc15d..3c77acd7 100644 --- a/src/main/kotlin/kr/co/vividnext/sodalive/i18n/SodaMessageSource.kt +++ b/src/main/kotlin/kr/co/vividnext/sodalive/i18n/SodaMessageSource.kt @@ -1044,6 +1044,11 @@ class SodaMessageSource { Lang.KO to "봇", Lang.EN to "Bot", Lang.JA to "ボット" + ), + "admin.member.role.content_manager" to mapOf( + Lang.KO to "콘텐츠 관리자", + Lang.EN to "Content Manager", + Lang.JA to "コンテンツ管理者" ) ) diff --git a/src/main/kotlin/kr/co/vividnext/sodalive/member/Member.kt b/src/main/kotlin/kr/co/vividnext/sodalive/member/Member.kt index c1f631b2..367110c2 100644 --- a/src/main/kotlin/kr/co/vividnext/sodalive/member/Member.kt +++ b/src/main/kotlin/kr/co/vividnext/sodalive/member/Member.kt @@ -177,7 +177,7 @@ enum class Gender { } enum class MemberRole { - ADMIN, BOT, USER, CREATOR, AGENT + ADMIN, BOT, USER, CREATOR, AGENT, CONTENT_MANAGER } enum class MemberProvider { diff --git a/src/test/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginControllerTest.kt b/src/test/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginControllerTest.kt new file mode 100644 index 00000000..249cced3 --- /dev/null +++ b/src/test/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginControllerTest.kt @@ -0,0 +1,66 @@ +package kr.co.vividnext.sodalive.admin.member + +import kr.co.vividnext.sodalive.member.MemberRole +import kr.co.vividnext.sodalive.member.login.LoginRequest +import org.junit.jupiter.api.Assertions.assertEquals +import org.junit.jupiter.api.Assertions.assertTrue +import org.junit.jupiter.api.BeforeEach +import org.junit.jupiter.api.DisplayName +import org.junit.jupiter.api.Test +import org.mockito.Mockito +import org.springframework.http.MediaType +import org.springframework.test.web.servlet.MockMvc +import org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post +import org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath +import org.springframework.test.web.servlet.result.MockMvcResultMatchers.status +import org.springframework.test.web.servlet.setup.MockMvcBuilders + +class AdminMemberLoginControllerTest { + private lateinit var service: AdminMemberLoginService + private lateinit var controller: AdminMemberLoginController + private lateinit var mockMvc: MockMvc + + @BeforeEach + fun setup() { + service = mock() + controller = AdminMemberLoginController(service = service) + mockMvc = MockMvcBuilders.standaloneSetup(controller).build() + } + + @Test + @DisplayName("POST /admin/member/login은 token과 role을 응답한다") + fun shouldReturnTokenAndRole() { + val request = LoginRequest(email = "admin@test.com", password = "password") + val loginResponse = AdminMemberLoginResponse(token = "admin-token", role = MemberRole.ADMIN) + Mockito.`when`(service.login(request)).thenReturn(loginResponse) + + val response = controller.login(request) + + assertTrue(response.success) + assertEquals("admin-token", response.data?.token) + assertEquals(MemberRole.ADMIN, response.data?.role) + } + + @Test + @DisplayName("POST /admin/member/login은 JSON으로 token과 role을 응답한다") + fun shouldReturnTokenAndRoleJson() { + val request = LoginRequest(email = "content@test.com", password = "password") + Mockito.`when`(service.login(request)).thenReturn( + AdminMemberLoginResponse(token = "content-token", role = MemberRole.CONTENT_MANAGER) + ) + + mockMvc.perform( + post("/admin/member/login") + .contentType(MediaType.APPLICATION_JSON) + .content("""{"email":"content@test.com","password":"password"}""") + ) + .andExpect(status().isOk) + .andExpect(jsonPath("$.success").value(true)) + .andExpect(jsonPath("$.data.token").value("content-token")) + .andExpect(jsonPath("$.data.role").value("CONTENT_MANAGER")) + } + + private inline fun mock(): T { + return Mockito.mock(T::class.java) + } +} diff --git a/src/test/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginServiceTest.kt b/src/test/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginServiceTest.kt new file mode 100644 index 00000000..0ebfbbb5 --- /dev/null +++ b/src/test/kotlin/kr/co/vividnext/sodalive/admin/member/AdminMemberLoginServiceTest.kt @@ -0,0 +1,98 @@ +package kr.co.vividnext.sodalive.admin.member + +import kr.co.vividnext.sodalive.common.SodaException +import kr.co.vividnext.sodalive.jwt.TokenProvider +import kr.co.vividnext.sodalive.member.Member +import kr.co.vividnext.sodalive.member.MemberRepository +import kr.co.vividnext.sodalive.member.MemberRole +import kr.co.vividnext.sodalive.member.login.LoginRequest +import kr.co.vividnext.sodalive.member.token.MemberTokenRepository +import org.junit.jupiter.api.Assertions.assertEquals +import org.junit.jupiter.api.Assertions.assertThrows +import org.junit.jupiter.api.Assertions.assertTrue +import org.junit.jupiter.api.BeforeEach +import org.junit.jupiter.api.DisplayName +import org.junit.jupiter.api.Test +import org.mockito.Mockito +import org.springframework.security.crypto.password.PasswordEncoder + +class AdminMemberLoginServiceTest { + private lateinit var repository: AdminMemberRepository + private lateinit var passwordEncoder: PasswordEncoder + private lateinit var tokenRepository: MemberTokenRepository + private lateinit var service: AdminMemberLoginService + + @BeforeEach + fun setup() { + repository = mock() + passwordEncoder = mock() + tokenRepository = mock() + val tokenProvider = TokenProvider( + secret = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==", + tokenValidityInSeconds = 3600, + repository = mock(), + tokenRepository = tokenRepository + ) + tokenProvider.afterPropertiesSet() + service = AdminMemberLoginService( + repository = repository, + passwordEncoder = passwordEncoder, + tokenProvider = tokenProvider + ) + } + + @Test + @DisplayName("관리자는 관리자 로그인 API로 token과 role을 받는다") + fun shouldLoginAdmin() { + val member = createMember(id = 1L, role = MemberRole.ADMIN) + Mockito.`when`(repository.findByEmail("admin@test.com")).thenReturn(member) + Mockito.`when`(passwordEncoder.matches("password", "encoded-password")).thenReturn(true) + + val response = service.login(LoginRequest(email = "admin@test.com", password = "password")) + + assertTrue(response.token.isNotBlank()) + assertEquals(MemberRole.ADMIN, response.role) + } + + @Test + @DisplayName("콘텐츠 관리자는 관리자 로그인 API로 token과 role을 받는다") + fun shouldLoginContentManager() { + val member = createMember(id = 2L, role = MemberRole.CONTENT_MANAGER) + Mockito.`when`(repository.findByEmail("content@test.com")).thenReturn(member) + Mockito.`when`(passwordEncoder.matches("password", "encoded-password")).thenReturn(true) + + val response = service.login(LoginRequest(email = "content@test.com", password = "password")) + + assertTrue(response.token.isNotBlank()) + assertEquals(MemberRole.CONTENT_MANAGER, response.role) + } + + @Test + @DisplayName("일반 사용자는 관리자 로그인 API를 사용할 수 없다") + fun shouldRejectUser() { + val member = createMember(id = 3L, role = MemberRole.USER) + Mockito.`when`(repository.findByEmail("user@test.com")).thenReturn(member) + + val exception = assertThrows(SodaException::class.java) { + service.login(LoginRequest(email = "user@test.com", password = "password")) + } + + assertEquals("common.error.bad_credentials", exception.messageKey) + Mockito.verifyNoInteractions(tokenRepository) + } + + private fun createMember(id: Long, role: MemberRole): Member { + val member = Member( + email = "member$id@test.com", + password = "encoded-password", + nickname = "member$id", + role = role + ) + member.id = id + return member + } + + private inline fun mock(): T { + return Mockito.mock(T::class.java) + } +} -- 2.49.1 From 85621cd107cc7527b39654311a3189f2428cdcf4 Mon Sep 17 00:00:00 2001 From: Klaus Date: Thu, 7 May 2026 14:34:23 +0900 Subject: [PATCH 2/2] =?UTF-8?q?feat(admin):=20=EC=BD=98=ED=85=90=EC=B8=A0?= =?UTF-8?q?=20=EA=B4=80=EB=A6=AC=EC=9E=90=20=EC=9D=BD=EA=B8=B0=20=EA=B6=8C?= =?UTF-8?q?=ED=95=9C=EC=9D=84=20=ED=99=95=EC=9E=A5=ED=95=9C=EB=8B=A4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...7_콘텐츠관리자권한및관리자로그인API추가.md | 24 +++ .../admin/content/AdminContentController.kt | 5 +- .../vividnext/sodalive/menu/MenuController.kt | 2 +- .../AdminContentControllerSecurityTest.kt | 184 ++++++++++++++++++ .../menu/MenuControllerSecurityTest.kt | 116 +++++++++++ 5 files changed, 329 insertions(+), 2 deletions(-) create mode 100644 src/test/kotlin/kr/co/vividnext/sodalive/admin/content/AdminContentControllerSecurityTest.kt create mode 100644 src/test/kotlin/kr/co/vividnext/sodalive/menu/MenuControllerSecurityTest.kt diff --git a/docs/20260507_콘텐츠관리자권한및관리자로그인API추가.md b/docs/20260507_콘텐츠관리자권한및관리자로그인API추가.md index 0d674f53..d5866a3b 100644 --- a/docs/20260507_콘텐츠관리자권한및관리자로그인API추가.md +++ b/docs/20260507_콘텐츠관리자권한및관리자로그인API추가.md @@ -6,6 +6,10 @@ - [x] 관리자와 콘텐츠 관리자만 로그인 가능한 관리자 전용 로그인 API를 구현한다. - [x] 응답을 `token`, `role`만 포함하도록 구현한다. - [x] focused test, 관련 테스트, 스타일 검사를 실행하고 결과를 기록한다. +- [x] 콘텐츠 관리자가 `GET /menu`를 호출할 수 있도록 메뉴 조회 권한을 확장한다. +- [x] 콘텐츠 관리자가 관리자 콘텐츠 목록/조회 보조 API를 호출할 수 있도록 읽기 권한만 확장한다. +- [x] 콘텐츠 관리자가 관리자 콘텐츠 수정 API를 호출할 수 없도록 수정 권한은 관리자 전용으로 유지한다. +- [x] focused security test, 관련 테스트, 스타일 검사를 실행하고 결과를 기록한다. ## 설계 - 새 권한은 기존 `MemberRole` enum에 `CONTENT_MANAGER`로 추가한다. @@ -13,6 +17,21 @@ - 서비스는 기존 이메일/비밀번호 인증 흐름과 JWT 생성 방식을 재사용하되, `ADMIN`, `CONTENT_MANAGER` 외 역할은 `common.error.bad_credentials` 예외로 거부한다. - 응답 DTO는 관리자 로그인 전용으로 분리해 `token`, `role`만 노출한다. +## 후속 설계: 콘텐츠 관리자 메뉴 및 콘텐츠 읽기 권한 +- `CONTENT_MANAGER`는 이미 관리자 로그인 API로 토큰을 받을 수 있으므로 새 역할이나 새 권한 타입을 추가하지 않는다. +- 메뉴 조회는 기존 `GET /menu`와 `MenuRepository.getMenu(member.role)` 구조를 그대로 사용한다. 컨트롤러의 `@PreAuthorize`에 `CONTENT_MANAGER`만 추가해 콘텐츠 관리자가 자신의 역할에 매핑된 메뉴를 받을 수 있게 한다. +- `/content/list`는 서버 코드 상수가 아니라 `Menu.route` DB 값으로 내려가는 구조이므로, 서버에서는 별도 라우트 상수를 추가하지 않는다. 실제 메뉴 노출은 `roles = CONTENT_MANAGER`, `route = /content/list`, `isActive = true` 데이터가 존재할 때 가능하다. +- 관리자 콘텐츠 API는 기존 `hasRole('ADMIN')` 클래스 권한을 메서드 단위로 분리한다. `GET /admin/audio-content/list`, `GET /admin/audio-content/search`, `GET /admin/audio-content/main/tab`은 `ADMIN`과 `CONTENT_MANAGER`를 허용하고, `PUT /admin/audio-content`는 `ADMIN`만 허용한다. +- 콘텐츠 재생은 기존 사용자 콘텐츠 API의 `GET /audio-content/{id}/generate-url` 흐름을 변경하지 않는다. 이 API는 로그인 사용자와 구매/접근 조건으로 재생 URL을 제어하므로 콘텐츠 관리자 전용 우회 권한은 추가하지 않는다. + +## 구현 계획 +- [x] `MenuController` 보안 테스트를 추가해 `CONTENT_MANAGER`가 `GET /menu`에 접근 가능하고 일반 사용자는 거부되는지 확인한다. +- [x] `AdminContentController` 보안 테스트를 추가해 `CONTENT_MANAGER`는 목록/검색/메인탭 조회가 가능하고 수정은 거부되는지 확인한다. +- [x] 테스트가 실패하는 것을 확인한다. +- [x] `MenuController`의 `@PreAuthorize`에 `CONTENT_MANAGER`를 추가한다. +- [x] `AdminContentController`의 클래스 단위 `@PreAuthorize`를 제거하고 각 메서드에 읽기/수정 권한을 분리한다. +- [x] focused test, 관련 test, ktlint를 실행해 검증한다. + ## 검증 기록 - 2026-05-07: RED 확인: `./gradlew test --tests 'kr.co.vividnext.sodalive.admin.member.AdminMemberLoginServiceTest' --tests 'kr.co.vividnext.sodalive.admin.member.AdminMemberLoginControllerTest'` 실행 시 `AdminMemberLoginService`, `AdminMemberLoginController`, `AdminMemberLoginResponse`, `CONTENT_MANAGER`, `findByEmail` 미구현으로 `compileTestKotlin`이 실패함을 확인했다. - 2026-05-07: GREEN 확인: 동일 focused test가 `BUILD SUCCESSFUL`로 통과해 관리자/콘텐츠 관리자 로그인 허용 및 일반 사용자 거부를 확인했다. @@ -20,3 +39,8 @@ - 2026-05-07: 회귀 확인: `./gradlew test --tests 'kr.co.vividnext.sodalive.admin.member.*'`가 `BUILD SUCCESSFUL`로 통과했다. - 2026-05-07: 스타일 확인: `./gradlew ktlintCheck`가 `BUILD SUCCESSFUL`로 통과했다. - 2026-05-07: Kotlin LSP는 현재 환경에 `.kt` 서버가 설정되어 있지 않아 `lsp_diagnostics` 실행이 불가했다. 대신 Gradle 컴파일 포함 focused/관련 test와 ktlint로 검증했다. +- 2026-05-07: RED 확인: `./gradlew test --tests 'kr.co.vividnext.sodalive.menu.MenuControllerSecurityTest' --tests 'kr.co.vividnext.sodalive.admin.content.AdminContentControllerSecurityTest'` 실행 시 `CONTENT_MANAGER`의 `GET /menu`, `GET /admin/audio-content/list`, `GET /admin/audio-content/search`, `GET /admin/audio-content/main/tab` 허용 기대 테스트 4건이 실패함을 확인했다. +- 2026-05-07: GREEN 확인: 동일 focused security test가 `BUILD SUCCESSFUL`로 통과해 콘텐츠 관리자 메뉴 조회, 관리자 콘텐츠 목록/검색/메인탭 조회 허용과 관리자 콘텐츠 수정 거부를 확인했다. +- 2026-05-07: 관련 테스트 확인: `./gradlew test --tests 'kr.co.vividnext.sodalive.admin.content.AdminContentServiceTest' --tests 'kr.co.vividnext.sodalive.admin.member.AdminMemberLoginServiceTest' --tests 'kr.co.vividnext.sodalive.admin.member.AdminMemberLoginControllerTest'`가 `BUILD SUCCESSFUL`로 통과했다. +- 2026-05-07: 스타일 확인: `./gradlew ktlintCheck`가 `BUILD SUCCESSFUL`로 통과했다. +- 2026-05-07: Kotlin LSP는 현재 환경에 `.kt` 서버가 설정되어 있지 않아 `lsp_diagnostics` 실행이 불가했다. 대신 Gradle 컴파일 포함 focused/관련 test와 ktlint로 검증했다. diff --git a/src/main/kotlin/kr/co/vividnext/sodalive/admin/content/AdminContentController.kt b/src/main/kotlin/kr/co/vividnext/sodalive/admin/content/AdminContentController.kt index 7e303c80..7e471b46 100644 --- a/src/main/kotlin/kr/co/vividnext/sodalive/admin/content/AdminContentController.kt +++ b/src/main/kotlin/kr/co/vividnext/sodalive/admin/content/AdminContentController.kt @@ -13,10 +13,10 @@ import org.springframework.web.bind.annotation.RestController import org.springframework.web.multipart.MultipartFile @RestController -@PreAuthorize("hasRole('ADMIN')") @RequestMapping("/admin/audio-content") class AdminContentController(private val service: AdminContentService) { @GetMapping("/list") + @PreAuthorize("hasAnyRole('ADMIN', 'CONTENT_MANAGER')") fun getAudioContentList( @RequestParam(value = "status", required = false) status: ContentReleaseStatus?, pageable: Pageable @@ -28,6 +28,7 @@ class AdminContentController(private val service: AdminContentService) { ) @GetMapping("/search") + @PreAuthorize("hasAnyRole('ADMIN', 'CONTENT_MANAGER')") fun searchAudioContent( @RequestParam(value = "status", required = false) status: ContentReleaseStatus?, @RequestParam(value = "search_word") searchWord: String, @@ -41,12 +42,14 @@ class AdminContentController(private val service: AdminContentService) { ) @PutMapping(consumes = [MediaType.MULTIPART_FORM_DATA_VALUE]) + @PreAuthorize("hasRole('ADMIN')") fun modifyAudioContent( @RequestPart("request") requestString: String, @RequestPart("coverImage", required = false) coverImage: MultipartFile? = null ) = ApiResponse.ok(service.updateAudioContent(coverImage, requestString)) @GetMapping("/main/tab") + @PreAuthorize("hasAnyRole('ADMIN', 'CONTENT_MANAGER')") fun getContentMainTabList() = ApiResponse.ok(service.getContentMainTabList()) } diff --git a/src/main/kotlin/kr/co/vividnext/sodalive/menu/MenuController.kt b/src/main/kotlin/kr/co/vividnext/sodalive/menu/MenuController.kt index 2e768433..d1ef3f42 100644 --- a/src/main/kotlin/kr/co/vividnext/sodalive/menu/MenuController.kt +++ b/src/main/kotlin/kr/co/vividnext/sodalive/menu/MenuController.kt @@ -13,7 +13,7 @@ import org.springframework.web.bind.annotation.RestController @RequestMapping("/menu") class MenuController(private val service: MenuService) { @GetMapping - @PreAuthorize("hasAnyRole('AGENT', 'ADMIN', 'CREATOR')") + @PreAuthorize("hasAnyRole('AGENT', 'ADMIN', 'CREATOR', 'CONTENT_MANAGER')") fun getMenus( @AuthenticationPrincipal(expression = "#this == 'anonymousUser' ? null : member") member: Member? ) = run { diff --git a/src/test/kotlin/kr/co/vividnext/sodalive/admin/content/AdminContentControllerSecurityTest.kt b/src/test/kotlin/kr/co/vividnext/sodalive/admin/content/AdminContentControllerSecurityTest.kt new file mode 100644 index 00000000..f45460aa --- /dev/null +++ b/src/test/kotlin/kr/co/vividnext/sodalive/admin/content/AdminContentControllerSecurityTest.kt @@ -0,0 +1,184 @@ +package kr.co.vividnext.sodalive.admin.content + +import kr.co.vividnext.sodalive.common.CountryContext +import kr.co.vividnext.sodalive.content.main.tab.GetContentMainTabItem +import kr.co.vividnext.sodalive.i18n.LangContext +import kr.co.vividnext.sodalive.i18n.SodaMessageSource +import org.junit.jupiter.api.DisplayName +import org.junit.jupiter.api.Test +import org.mockito.Mockito +import org.springframework.beans.factory.annotation.Autowired +import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest +import org.springframework.boot.test.context.TestConfiguration +import org.springframework.boot.test.mock.mockito.MockBean +import org.springframework.context.annotation.Bean +import org.springframework.context.annotation.Import +import org.springframework.data.domain.PageRequest +import org.springframework.http.HttpStatus +import org.springframework.http.MediaType +import org.springframework.mock.web.MockMultipartFile +import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity +import org.springframework.security.config.annotation.web.builders.HttpSecurity +import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.anonymous +import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user +import org.springframework.security.web.SecurityFilterChain +import org.springframework.security.web.authentication.HttpStatusEntryPoint +import org.springframework.test.web.servlet.MockMvc +import org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get +import org.springframework.test.web.servlet.request.MockMvcRequestBuilders.multipart +import org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath +import org.springframework.test.web.servlet.result.MockMvcResultMatchers.status +import javax.servlet.http.HttpServletResponse + +@WebMvcTest(AdminContentController::class) +@Import(AdminContentControllerSecurityTest.TestSecurityConfig::class) +class AdminContentControllerSecurityTest @Autowired constructor( + private val mockMvc: MockMvc +) { + @MockBean + private lateinit var service: AdminContentService + + @MockBean + private lateinit var countryContext: CountryContext + + @MockBean + private lateinit var langContext: LangContext + + @MockBean + private lateinit var sodaMessageSource: SodaMessageSource + + @TestConfiguration + @EnableGlobalMethodSecurity(prePostEnabled = true) + class TestSecurityConfig { + @Bean + fun securityFilterChain(http: HttpSecurity): SecurityFilterChain { + return http + .csrf().disable() + .authorizeRequests() + .anyRequest().authenticated() + .and() + .exceptionHandling() + .authenticationEntryPoint(HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)) + .accessDeniedHandler { _, response, _ -> response.sendError(HttpServletResponse.SC_FORBIDDEN) } + .and() + .build() + } + } + + @Test + @DisplayName("콘텐츠 관리자 권한이면 관리자 콘텐츠 목록 조회에 성공한다") + fun shouldAllowContentManagerRoleForContentList() { + Mockito.`when`( + service.getAudioContentList( + status = ContentReleaseStatus.OPEN, + pageable = PageRequest.of(0, 20) + ) + ).thenReturn(GetAdminContentListResponse(totalCount = 0, items = emptyList())) + + mockMvc.perform( + get("/admin/audio-content/list") + .param("page", "0") + .param("size", "20") + .with(user("content-manager").roles("CONTENT_MANAGER")) + ) + .andExpect(status().isOk) + .andExpect(jsonPath("$.success").value(true)) + .andExpect(jsonPath("$.data.totalCount").value(0)) + } + + @Test + @DisplayName("콘텐츠 관리자 권한이면 관리자 콘텐츠 검색에 성공한다") + fun shouldAllowContentManagerRoleForContentSearch() { + Mockito.`when`( + service.searchAudioContent( + status = ContentReleaseStatus.OPEN, + searchWord = "title", + pageable = PageRequest.of(0, 20) + ) + ).thenReturn(GetAdminContentListResponse(totalCount = 0, items = emptyList())) + + mockMvc.perform( + get("/admin/audio-content/search") + .param("search_word", "title") + .param("page", "0") + .param("size", "20") + .with(user("content-manager").roles("CONTENT_MANAGER")) + ) + .andExpect(status().isOk) + .andExpect(jsonPath("$.success").value(true)) + } + + @Test + @DisplayName("콘텐츠 관리자 권한이면 관리자 콘텐츠 메인 탭 조회에 성공한다") + fun shouldAllowContentManagerRoleForContentMainTab() { + Mockito.`when`(service.getContentMainTabList()).thenReturn( + listOf(GetContentMainTabItem(tabId = 1L, title = "홈")) + ) + + mockMvc.perform( + get("/admin/audio-content/main/tab") + .with(user("content-manager").roles("CONTENT_MANAGER")) + ) + .andExpect(status().isOk) + .andExpect(jsonPath("$.success").value(true)) + .andExpect(jsonPath("$.data[0].tabId").value(1L)) + } + + @Test + @DisplayName("콘텐츠 관리자 권한이면 관리자 콘텐츠 수정에 접근할 수 없다") + fun shouldRejectContentManagerRoleForContentUpdate() { + val requestPart = MockMultipartFile( + "request", + "request.json", + MediaType.APPLICATION_JSON_VALUE, + "{\"id\":1,\"isDefaultCoverImage\":false}".toByteArray() + ) + + mockMvc.perform( + multipart("/admin/audio-content") + .file(requestPart) + .with { request -> + request.method = "PUT" + request + } + .with(user("content-manager").roles("CONTENT_MANAGER")) + ) + .andExpect(status().isOk) + .andExpect(jsonPath("$.success").value(false)) + } + + @Test + @DisplayName("관리자 권한이면 관리자 콘텐츠 수정에 접근할 수 있다") + fun shouldAllowAdminRoleForContentUpdate() { + val requestPart = MockMultipartFile( + "request", + "request.json", + MediaType.APPLICATION_JSON_VALUE, + "{\"id\":1,\"isDefaultCoverImage\":false}".toByteArray() + ) + + mockMvc.perform( + multipart("/admin/audio-content") + .file(requestPart) + .with { request -> + request.method = "PUT" + request + } + .with(user("admin").roles("ADMIN")) + ) + .andExpect(status().isOk) + .andExpect(jsonPath("$.success").value(true)) + } + + @Test + @DisplayName("익명 사용자는 관리자 콘텐츠 목록 조회에 접근할 수 없다") + fun shouldRejectAnonymousUserForContentList() { + mockMvc.perform( + get("/admin/audio-content/list") + .param("page", "0") + .param("size", "20") + .with(anonymous()) + ) + .andExpect(status().isUnauthorized) + } +} diff --git a/src/test/kotlin/kr/co/vividnext/sodalive/menu/MenuControllerSecurityTest.kt b/src/test/kotlin/kr/co/vividnext/sodalive/menu/MenuControllerSecurityTest.kt new file mode 100644 index 00000000..3650bcd4 --- /dev/null +++ b/src/test/kotlin/kr/co/vividnext/sodalive/menu/MenuControllerSecurityTest.kt @@ -0,0 +1,116 @@ +package kr.co.vividnext.sodalive.menu + +import kr.co.vividnext.sodalive.common.CountryContext +import kr.co.vividnext.sodalive.i18n.LangContext +import kr.co.vividnext.sodalive.i18n.SodaMessageSource +import kr.co.vividnext.sodalive.member.Member +import kr.co.vividnext.sodalive.member.MemberAdapter +import kr.co.vividnext.sodalive.member.MemberRole +import org.junit.jupiter.api.DisplayName +import org.junit.jupiter.api.Test +import org.mockito.Mockito +import org.springframework.beans.factory.annotation.Autowired +import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest +import org.springframework.boot.test.context.TestConfiguration +import org.springframework.boot.test.mock.mockito.MockBean +import org.springframework.context.annotation.Bean +import org.springframework.context.annotation.Import +import org.springframework.http.HttpStatus +import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity +import org.springframework.security.config.annotation.web.builders.HttpSecurity +import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.anonymous +import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user +import org.springframework.security.web.SecurityFilterChain +import org.springframework.security.web.authentication.HttpStatusEntryPoint +import org.springframework.test.web.servlet.MockMvc +import org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get +import org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath +import org.springframework.test.web.servlet.result.MockMvcResultMatchers.status +import javax.servlet.http.HttpServletResponse + +@WebMvcTest(MenuController::class) +@Import(MenuControllerSecurityTest.TestSecurityConfig::class) +class MenuControllerSecurityTest @Autowired constructor( + private val mockMvc: MockMvc +) { + @MockBean + private lateinit var service: MenuService + + @MockBean + private lateinit var countryContext: CountryContext + + @MockBean + private lateinit var langContext: LangContext + + @MockBean + private lateinit var sodaMessageSource: SodaMessageSource + + @TestConfiguration + @EnableGlobalMethodSecurity(prePostEnabled = true) + class TestSecurityConfig { + @Bean + fun securityFilterChain(http: HttpSecurity): SecurityFilterChain { + return http + .csrf().disable() + .authorizeRequests() + .anyRequest().authenticated() + .and() + .exceptionHandling() + .authenticationEntryPoint(HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)) + .accessDeniedHandler { _, response, _ -> response.sendError(HttpServletResponse.SC_FORBIDDEN) } + .and() + .build() + } + } + + @Test + @DisplayName("콘텐츠 관리자 권한이면 메뉴 조회에 성공한다") + fun shouldAllowContentManagerRole() { + val member = createMember(role = MemberRole.CONTENT_MANAGER) + Mockito.`when`(service.getMenus(member)).thenReturn( + listOf(GetMenuResponse(title = "콘텐츠 리스트", route = "/content/list")) + ) + + mockMvc.perform( + get("/menu") + .with(user(MemberAdapter(member))) + ) + .andExpect(status().isOk) + .andExpect(jsonPath("$.success").value(true)) + .andExpect(jsonPath("$.data[0].route").value("/content/list")) + } + + @Test + @DisplayName("일반 사용자 권한이면 메뉴 조회에 접근할 수 없다") + fun shouldRejectUserRole() { + val member = createMember(role = MemberRole.USER) + + mockMvc.perform( + get("/menu") + .with(user(MemberAdapter(member))) + ) + .andExpect(status().isOk) + .andExpect(jsonPath("$.success").value(false)) + } + + @Test + @DisplayName("익명 사용자는 메뉴 조회에 접근할 수 없다") + fun shouldRejectAnonymousUser() { + mockMvc.perform( + get("/menu") + .with(anonymous()) + ) + .andExpect(status().isUnauthorized) + } + + private fun createMember(role: MemberRole): Member { + return Member( + email = "${role.name.lowercase()}@test.com", + password = "password", + nickname = role.name.lowercase(), + role = role + ).apply { + id = role.ordinal.toLong() + 1 + } + } +} -- 2.49.1