fix: Sheet API 요청자 접근 권한 검증 추가

JanooGwan · web-flow · commit 8e1e241f9d83 · 2026-04-02T20:04:41.000+09:00
* fix: integrated 시트 요청자 접근 권한 검증 추가

* fix: integrated 시트 권한 검증 보완

* fix: integrated 시트 서비스 계정 접근 재검증 추가

* fix: integrated 시트 Drive OAuth 미연결 우회 차단

* test: integrated 시트 OAuth 미연결 중단 검증 추가

* test: integrated 시트 검증 테스트 중복 정리
diff --git a/src/main/java/gg/agit/konect/domain/club/service/ClubSheetIntegratedService.java b/src/main/java/gg/agit/konect/domain/club/service/ClubSheetIntegratedService.java
@@ -23,8 +23,12 @@ public SheetImportResponse analyzeAndImportPreMembers(
         clubPermissionValidator.validateManagerAccess(clubId, requesterId);
 
         String spreadsheetId = SpreadsheetUrlParser.extractId(spreadsheetUrl);
-        // OAuth 미연결이면 건너뛰고 계속 진행한다. Drive 초기화/인증 오류는 예외로 전파한다.
-        googleSheetPermissionService.tryGrantServiceAccountWriterAccess(requesterId, spreadsheetId);
+        // integrated 등록은 요청자 Google Drive OAuth 연결을 전제로 한다.
+        // 연결된 계정이 실제 시트 접근 권한을 가지는지 검증한 뒤 서비스 계정 권한을 맞춘다.
+        googleSheetPermissionService.validateRequesterAccessAndTryGrantServiceAccountWriterAccess(
+            requesterId,
+            spreadsheetId
+        );
 
         SheetHeaderMapper.SheetAnalysisResult analysis =
             sheetHeaderMapper.analyzeAllSheets(spreadsheetId);
diff --git a/src/main/java/gg/agit/konect/domain/club/service/GoogleDrivePermissionHelper.java b/src/main/java/gg/agit/konect/domain/club/service/GoogleDrivePermissionHelper.java
@@ -94,7 +94,8 @@ static List<Permission> listAllPermissions(Drive driveService, String fileId) th
 
         do {
             Drive.Permissions.List request = driveService.permissions().list(fileId)
-                .setFields(PERMISSION_FIELDS);
+                .setFields(PERMISSION_FIELDS)
+                .setSupportsAllDrives(true);
             if (nextPageToken != null) {
                 request.setPageToken(nextPageToken);
             }
@@ -142,6 +143,7 @@ private static PermissionApplyStatus applyServiceAccountPermission(
 
             userDriveService.permissions().create(fileId, permission)
                 .setSendNotificationEmail(false)
+                .setSupportsAllDrives(true)
                 .execute();
             log.info(
                 "Service account {} access granted. fileId={}, email={}",
@@ -165,6 +167,7 @@ private static PermissionApplyStatus applyServiceAccountPermission(
 
         Permission updatedPermission = new Permission().setRole(targetRole);
         userDriveService.permissions().update(fileId, existingPermission.getId(), updatedPermission)
+            .setSupportsAllDrives(true)
             .execute();
         log.info(
             "Service account permission upgraded. fileId={}, fromRole={}, toRole={}, email={}",
diff --git a/src/main/java/gg/agit/konect/domain/club/service/GoogleSheetPermissionService.java b/src/main/java/gg/agit/konect/domain/club/service/GoogleSheetPermissionService.java
@@ -7,6 +7,7 @@
 import org.springframework.util.StringUtils;
 
 import com.google.api.services.drive.Drive;
+import com.google.api.services.drive.model.File;
 import com.google.auth.oauth2.ServiceAccountCredentials;
 
 import gg.agit.konect.domain.user.enums.Provider;
@@ -23,15 +24,25 @@
 public class GoogleSheetPermissionService {
 
     private final ServiceAccountCredentials serviceAccountCredentials;
+    private final Drive googleDriveService;
     private final GoogleSheetsConfig googleSheetsConfig;
     private final UserOAuthAccountRepository userOAuthAccountRepository;
 
+    public void validateRequesterAccessAndTryGrantServiceAccountWriterAccess(
+        Integer requesterId,
+        String spreadsheetId
+    ) {
+        String refreshToken = requireRefreshToken(requesterId);
+        Drive userDriveService = buildUserDriveService(refreshToken, requesterId);
+        validateRequesterSpreadsheetAccess(userDriveService, requesterId, spreadsheetId);
+        boolean granted = tryGrantServiceAccountWriterAccess(userDriveService, requesterId, spreadsheetId);
+        if (!granted) {
+            requireServiceAccountSpreadsheetAccess(spreadsheetId, requesterId);
+        }
+    }
+
     public boolean tryGrantServiceAccountWriterAccess(Integer requesterId, String spreadsheetId) {
-        String refreshToken = userOAuthAccountRepository
-            .findByUserIdAndProvider(requesterId, Provider.GOOGLE)
-            .map(account -> account.getGoogleDriveRefreshToken())
-            .filter(StringUtils::hasText)
-            .orElse(null);
+        String refreshToken = resolveRefreshToken(requesterId);
 
         if (refreshToken == null) {
             log.warn(
@@ -41,14 +52,35 @@ public boolean tryGrantServiceAccountWriterAccess(Integer requesterId, String sp
             return false;
         }
 
-        Drive userDriveService;
-        try {
-            userDriveService = googleSheetsConfig.buildUserDriveService(refreshToken);
-        } catch (IOException | GeneralSecurityException e) {
-            log.error("Failed to build user Drive service. requesterId={}", requesterId, e);
-            throw CustomException.of(ApiResponseCode.FAILED_INIT_GOOGLE_DRIVE);
-        }
+        Drive userDriveService = buildUserDriveService(refreshToken, requesterId);
+        return tryGrantServiceAccountWriterAccess(userDriveService, requesterId, spreadsheetId);
+    }
+
+    private String requireRefreshToken(Integer requesterId) {
+        return userOAuthAccountRepository.findByUserIdAndProvider(requesterId, Provider.GOOGLE)
+            .map(account -> account.getGoogleDriveRefreshToken())
+            .filter(StringUtils::hasText)
+            .orElseThrow(() -> {
+                log.warn(
+                    "Rejecting spreadsheet registration because Google Drive OAuth is not connected. requesterId={}",
+                    requesterId
+                );
+                return CustomException.of(ApiResponseCode.NOT_FOUND_GOOGLE_DRIVE_AUTH);
+            });
+    }
+
+    private String resolveRefreshToken(Integer requesterId) {
+        return userOAuthAccountRepository.findByUserIdAndProvider(requesterId, Provider.GOOGLE)
+            .map(account -> account.getGoogleDriveRefreshToken())
+            .filter(StringUtils::hasText)
+            .orElse(null);
+    }
 
+    private boolean tryGrantServiceAccountWriterAccess(
+        Drive userDriveService,
+        Integer requesterId,
+        String spreadsheetId
+    ) {
         try {
             GoogleDrivePermissionHelper.ensureServiceAccountPermission(
                 userDriveService,
@@ -91,6 +123,105 @@ public boolean tryGrantServiceAccountWriterAccess(Integer requesterId, String sp
         }
     }
 
+    private Drive buildUserDriveService(String refreshToken, Integer requesterId) {
+        try {
+            return googleSheetsConfig.buildUserDriveService(refreshToken);
+        } catch (IOException | GeneralSecurityException e) {
+            log.error("Failed to build user Drive service. requesterId={}", requesterId, e);
+            throw CustomException.of(ApiResponseCode.FAILED_INIT_GOOGLE_DRIVE);
+        }
+    }
+
+    private void validateRequesterSpreadsheetAccess(
+        Drive userDriveService,
+        Integer requesterId,
+        String spreadsheetId
+    ) {
+        try {
+            File file = userDriveService.files().get(spreadsheetId)
+                .setFields("id")
+                .setSupportsAllDrives(true)
+                .execute();
+            if (file == null || !StringUtils.hasText(file.getId())) {
+                throw GoogleSheetApiExceptionHelper.accessDenied();
+            }
+        } catch (IOException e) {
+            if (GoogleSheetApiExceptionHelper.isInvalidGrant(e)) {
+                log.warn(
+                    "Google Drive OAuth token is invalid while validating spreadsheet access. requesterId={}, "
+                        + "spreadsheetId={}, cause={}",
+                    requesterId,
+                    spreadsheetId,
+                    GoogleSheetApiExceptionHelper.extractDetail(e)
+                );
+                throw GoogleSheetApiExceptionHelper.invalidGoogleDriveAuth(e);
+            }
+
+            if (GoogleSheetApiExceptionHelper.isAuthFailure(e)) {
+                log.warn(
+                    "Google Drive OAuth auth failure while validating spreadsheet access. requesterId={}, "
+                        + "spreadsheetId={}, cause={}",
+                    requesterId,
+                    spreadsheetId,
+                    GoogleSheetApiExceptionHelper.extractDetail(e)
+                );
+                throw GoogleSheetApiExceptionHelper.invalidGoogleDriveAuth(e);
+            }
+
+            if (GoogleSheetApiExceptionHelper.isAccessDenied(e)
+                || GoogleSheetApiExceptionHelper.isNotFound(e)) {
+                log.warn(
+                    "Requester has no spreadsheet access. requesterId={}, spreadsheetId={}, cause={}",
+                    requesterId,
+                    spreadsheetId,
+                    e.getMessage()
+                );
+                throw GoogleSheetApiExceptionHelper.accessDenied();
+            }
+
+            log.error(
+                "Unexpected error while validating requester spreadsheet access. requesterId={}, spreadsheetId={}",
+                requesterId,
+                spreadsheetId,
+                e
+            );
+            throw CustomException.of(ApiResponseCode.FAILED_SYNC_GOOGLE_SHEET);
+        }
+    }
+
+    private void requireServiceAccountSpreadsheetAccess(String spreadsheetId, Integer requesterId) {
+        try {
+            File file = googleDriveService.files().get(spreadsheetId)
+                .setFields("id")
+                .setSupportsAllDrives(true)
+                .execute();
+            if (file == null || !StringUtils.hasText(file.getId())) {
+                throw GoogleSheetApiExceptionHelper.accessDenied();
+            }
+        } catch (IOException e) {
+            if (GoogleSheetApiExceptionHelper.isAccessDenied(e)
+                || GoogleSheetApiExceptionHelper.isNotFound(e)) {
+                log.warn(
+                    "Service account has no spreadsheet access after auto-share failed. requesterId={}, "
+                        + "spreadsheetId={}, cause={}",
+                    requesterId,
+                    spreadsheetId,
+                    e.getMessage()
+                );
+                throw GoogleSheetApiExceptionHelper.accessDenied();
+            }
+
+            log.error(
+                "Unexpected error while re-checking service account spreadsheet access. requesterId={}, "
+                    + "spreadsheetId={}",
+                requesterId,
+                spreadsheetId,
+                e
+            );
+            throw CustomException.of(ApiResponseCode.FAILED_SYNC_GOOGLE_SHEET);
+        }
+    }
+
     private String getServiceAccountEmail() {
         return serviceAccountCredentials.getClientEmail();
     }
diff --git a/src/test/java/gg/agit/konect/domain/club/service/ClubSheetIntegratedServiceTest.java b/src/test/java/gg/agit/konect/domain/club/service/ClubSheetIntegratedServiceTest.java
@@ -3,6 +3,7 @@
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.mockito.BDDMockito.given;
+import static org.mockito.BDDMockito.willThrow;
 import static org.mockito.Mockito.inOrder;
 import static org.mockito.Mockito.verifyNoInteractions;
 
@@ -53,8 +54,6 @@ void analyzeAndImportPreMembersSuccess() {
             new SheetHeaderMapper.SheetAnalysisResult(SheetColumnMapping.defaultMapping(), null, null);
         SheetImportResponse expected = SheetImportResponse.of(3, 1, List.of("warn"));
 
-        given(googleSheetPermissionService.tryGrantServiceAccountWriterAccess(requesterId, spreadsheetId))
-            .willReturn(true);
         given(sheetHeaderMapper.analyzeAllSheets(spreadsheetId)).willReturn(analysis);
         given(sheetImportService.importPreMembersFromSheet(
             clubId,
@@ -81,7 +80,7 @@ void analyzeAndImportPreMembersSuccess() {
         );
         inOrder.verify(clubPermissionValidator).validateManagerAccess(clubId, requesterId);
         inOrder.verify(googleSheetPermissionService)
-            .tryGrantServiceAccountWriterAccess(requesterId, spreadsheetId);
+            .validateRequesterAccessAndTryGrantServiceAccountWriterAccess(requesterId, spreadsheetId);
         inOrder.verify(sheetHeaderMapper).analyzeAllSheets(spreadsheetId);
         inOrder.verify(clubMemberSheetService).updateSheetId(
             clubId,
@@ -99,76 +98,66 @@ void analyzeAndImportPreMembersSuccess() {
     }
 
     @Test
-    @DisplayName("자동 권한 부여가 실패해도 기존 공유 권한으로 가져오기를 계속 시도한다")
-    void analyzeAndImportPreMembersContinuesWhenAutoGrantFails() {
+    @DisplayName("자동 권한 부여 중 예외가 발생하면 후속 시트 작업을 진행하지 않는다")
+    void analyzeAndImportPreMembersStopsWhenAutoGrantThrowsException() {
         // given
         Integer clubId = 1;
         Integer requesterId = 2;
         String spreadsheetUrl =
             "https://docs.google.com/spreadsheets/d/1BxiMVs0XRA5nFMdKvBdBZjgmUUqptlbs74OgVE2upms/edit";
         String spreadsheetId = "1BxiMVs0XRA5nFMdKvBdBZjgmUUqptlbs74OgVE2upms";
-        SheetHeaderMapper.SheetAnalysisResult analysis =
-            new SheetHeaderMapper.SheetAnalysisResult(SheetColumnMapping.defaultMapping(), null, null);
-        SheetImportResponse expected = SheetImportResponse.of(1, 0, List.of());
+        CustomException expected = CustomException.of(ApiResponseCode.FAILED_INIT_GOOGLE_DRIVE);
 
-        given(googleSheetPermissionService.tryGrantServiceAccountWriterAccess(requesterId, spreadsheetId))
-            .willReturn(false);
-        given(sheetHeaderMapper.analyzeAllSheets(spreadsheetId)).willReturn(analysis);
-        given(sheetImportService.importPreMembersFromSheet(
-            clubId,
-            requesterId,
-            spreadsheetId,
-            analysis.memberListMapping()
-        ))
-            .willReturn(expected);
+        willThrow(expected).given(googleSheetPermissionService)
+            .validateRequesterAccessAndTryGrantServiceAccountWriterAccess(requesterId, spreadsheetId);
 
-        // when
-        SheetImportResponse actual = clubSheetIntegratedService.analyzeAndImportPreMembers(
+        // when & then
+        assertThatThrownBy(() -> clubSheetIntegratedService.analyzeAndImportPreMembers(
             clubId,
             requesterId,
             spreadsheetUrl
-        );
+        ))
+            .isSameAs(expected);
+        verifyNoInteractions(sheetHeaderMapper, clubMemberSheetService, sheetImportService);
+    }
 
-        // then
-        InOrder inOrder = inOrder(
-            clubPermissionValidator,
-            googleSheetPermissionService,
-            sheetHeaderMapper,
-            clubMemberSheetService,
-            sheetImportService
-        );
-        inOrder.verify(clubPermissionValidator).validateManagerAccess(clubId, requesterId);
-        inOrder.verify(googleSheetPermissionService)
-            .tryGrantServiceAccountWriterAccess(requesterId, spreadsheetId);
-        inOrder.verify(sheetHeaderMapper).analyzeAllSheets(spreadsheetId);
-        inOrder.verify(clubMemberSheetService).updateSheetId(
-            clubId,
-            requesterId,
-            spreadsheetId,
-            analysis
-        );
-        inOrder.verify(sheetImportService).importPreMembersFromSheet(
+    @Test
+    @DisplayName("요청자 계정이 시트 접근 권한이 없으면 후속 시트 작업을 진행하지 않는다")
+    void analyzeAndImportPreMembersStopsWhenRequesterHasNoSpreadsheetAccess() {
+        // given
+        Integer clubId = 1;
+        Integer requesterId = 2;
+        String spreadsheetUrl =
+            "https://docs.google.com/spreadsheets/d/1BxiMVs0XRA5nFMdKvBdBZjgmUUqptlbs74OgVE2upms/edit";
+        String spreadsheetId = "1BxiMVs0XRA5nFMdKvBdBZjgmUUqptlbs74OgVE2upms";
+        CustomException expected = CustomException.of(ApiResponseCode.FORBIDDEN_GOOGLE_SHEET_ACCESS);
+
+        willThrow(expected).given(googleSheetPermissionService)
+            .validateRequesterAccessAndTryGrantServiceAccountWriterAccess(requesterId, spreadsheetId);
+
+        // when & then
+        assertThatThrownBy(() -> clubSheetIntegratedService.analyzeAndImportPreMembers(
             clubId,
             requesterId,
-            spreadsheetId,
-            analysis.memberListMapping()
-        );
-        assertThat(actual).isEqualTo(expected);
+            spreadsheetUrl
+        ))
+            .isSameAs(expected);
+        verifyNoInteractions(sheetHeaderMapper, clubMemberSheetService, sheetImportService);
     }
 
     @Test
-    @DisplayName("자동 권한 부여 중 예외가 발생하면 후속 시트 작업을 진행하지 않는다")
-    void analyzeAndImportPreMembersStopsWhenAutoGrantThrowsException() {
+    @DisplayName("Drive OAuth가 연결되지 않으면 후속 시트 작업을 진행하지 않는다")
+    void analyzeAndImportPreMembersStopsWhenGoogleDriveOAuthIsNotConnected() {
         // given
         Integer clubId = 1;
         Integer requesterId = 2;
         String spreadsheetUrl =
             "https://docs.google.com/spreadsheets/d/1BxiMVs0XRA5nFMdKvBdBZjgmUUqptlbs74OgVE2upms/edit";
         String spreadsheetId = "1BxiMVs0XRA5nFMdKvBdBZjgmUUqptlbs74OgVE2upms";
-        CustomException expected = CustomException.of(ApiResponseCode.FAILED_INIT_GOOGLE_DRIVE);
+        CustomException expected = CustomException.of(ApiResponseCode.NOT_FOUND_GOOGLE_DRIVE_AUTH);
 
-        given(googleSheetPermissionService.tryGrantServiceAccountWriterAccess(requesterId, spreadsheetId))
-            .willThrow(expected);
+        willThrow(expected).given(googleSheetPermissionService)
+            .validateRequesterAccessAndTryGrantServiceAccountWriterAccess(requesterId, spreadsheetId);
 
         // when & then
         assertThatThrownBy(() -> clubSheetIntegratedService.analyzeAndImportPreMembers(
diff --git a/src/test/java/gg/agit/konect/domain/club/service/GoogleSheetPermissionServiceTest.java b/src/test/java/gg/agit/konect/domain/club/service/GoogleSheetPermissionServiceTest.java
