frontegg-mock: add tenant management API endpoints

Adds mock implementations for Frontegg tenant API:
- GET /tenants - list all tenants
- GET /tenants/:id - get tenant by ID
- POST /tenants - create tenant
- PATCH /tenants/:id/metadata - update tenant metadata
- POST /identity/resources/auth/v1/api-token - vendor API token auth

These endpoints are being added to assist with local development
of internal services in the cloud repo.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: jubrad

Cargo.lock

@@ -11,10 +11,12 @@ pub mod auth;
 pub mod group;
 pub mod scim;
 pub mod sso;
+pub mod tenant;
 pub mod user;
 
 pub use auth::*;
 pub use group::*;
 pub use scim::*;
 pub use sso::*;
+pub use tenant::*;
 pub use user::*;

src/frontegg-mock/src/handlers.rs

@@ -12,6 +12,7 @@ use crate::server::Context;
 use crate::utils::{RefreshTokenTarget, generate_access_token, generate_refresh_token};
 use axum::{Json, extract::State, http::StatusCode};
 use mz_frontegg_auth::{ApiTokenResponse, ClaimTokenType};
+use serde::{Deserialize, Serialize};
 use std::sync::Arc;
 use std::sync::atomic::Ordering;
 
@@ -137,3 +138,47 @@ pub async fn handle_post_token_refresh(
         }
     }
 }
+
+/// Request body for vendor authentication.
+#[derive(Debug, Clone, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct VendorAuthRequest {
+    pub client_id: String,
+    pub secret: String,
+}
+
+/// Response body for vendor authentication.
+#[derive(Debug, Clone, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct VendorAuthResponse {
+    pub token: String,
+    pub expires_in: i64,
+}
+
+/// Handle POST /auth/vendor
+/// Authenticates a vendor SDK client and returns a JWT token.
+pub async fn handle_post_auth_vendor(
+    State(context): State<Arc<Context>>,
+    Json(_request): Json<VendorAuthRequest>,
+) -> Result<Json<VendorAuthResponse>, StatusCode> {
+    // For the mock, we accept any client_id/secret and return a valid token.
+    // In production, this would validate the credentials.
+    let now_secs = (context.now)() / 1000;
+    let exp_secs = now_secs as i64 + context.expires_in_secs;
+    let token = jsonwebtoken::encode(
+        &jsonwebtoken::Header::new(jsonwebtoken::Algorithm::RS256),
+        &serde_json::json!({
+            "sub": "vendor",
+            "iss": context.issuer,
+            "iat": now_secs,
+            "exp": exp_secs,
+        }),
+        &context.encoding_key,
+    )
+    .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
+
+    Ok(Json(VendorAuthResponse {
+        token,
+        expires_in: context.expires_in_secs,
+    }))
+}

src/frontegg-mock/src/handlers/auth.rs

@@ -0,0 +1,198 @@
+// Copyright Materialize, Inc. and contributors. All rights reserved.
+//
+// Use of this software is governed by the Business Source License
+// included in the LICENSE file.
+//
+// As of the Change Date specified in that file, in accordance with
+// the Business Source License, use of this software will be governed
+// by the Apache License, Version 2.0.
+
+use std::collections::BTreeSet;
+use std::sync::Arc;
+
+use axum::Json;
+use axum::extract::{Path, State};
+use chrono::Utc;
+use axum::http::StatusCode;
+use serde::Deserialize;
+use uuid::Uuid;
+
+use crate::models::{TenantConfig, TenantResponse};
+use crate::server::Context;
+
+/// Handle GET /tenants/resources/tenants/v1
+/// Lists all tenants.
+///
+/// If no explicit tenants are configured, derives tenants from the users' tenant_ids.
+pub async fn handle_list_tenants(
+    State(context): State<Arc<Context>>,
+) -> Result<Json<Vec<TenantResponse>>, StatusCode> {
+    let tenants = context.tenants.lock().unwrap();
+
+    // If explicit tenants are configured, return those
+    if !tenants.is_empty() {
+        let responses: Vec<TenantResponse> = tenants.values().map(TenantResponse::from).collect();
+        return Ok(Json(responses));
+    }
+    drop(tenants);
+
+    // Otherwise, derive tenants from users
+    let users = context.users.lock().unwrap();
+    let tenant_ids: BTreeSet<_> = users.values().map(|u| u.tenant_id).collect();
+
+    let now = Utc::now();
+    let responses: Vec<TenantResponse> = tenant_ids
+        .into_iter()
+        .map(|id| TenantResponse {
+            id,
+            name: format!("Tenant {}", &id.to_string()[..8]),
+            metadata: serde_json::json!({}),
+            creator_name: None,
+            creator_email: None,
+            created_at: now,
+            updated_at: now,
+            deleted_at: None,
+        })
+        .collect();
+
+    Ok(Json(responses))
+}
+
+/// Handle GET /tenants/resources/tenants/v1/:id
+/// Gets a single tenant by ID.
+///
+/// Note: The frontegg client expects a Vec<Tenant> response (and pops the first element).
+pub async fn handle_get_tenant(
+    State(context): State<Arc<Context>>,
+    Path(id): Path<Uuid>,
+) -> Result<Json<Vec<TenantResponse>>, StatusCode> {
+    let tenants = context.tenants.lock().unwrap();
+
+    // If the tenant exists in the explicit tenants map, return it
+    if let Some(tenant) = tenants.get(&id) {
+        return Ok(Json(vec![TenantResponse::from(tenant)]));
+    }
+    drop(tenants);
+
+    // Check if the tenant exists in users
+    let users = context.users.lock().unwrap();
+    let tenant_exists = users.values().any(|u| u.tenant_id == id);
+    drop(users);
+
+    if !tenant_exists {
+        return Ok(Json(vec![])); // Empty vec will cause client to return NOT_FOUND
+    }
+
+    // Return a derived tenant
+    let now = Utc::now();
+    let response = TenantResponse {
+        id,
+        name: format!("Tenant {}", &id.to_string()[..8]),
+        metadata: serde_json::json!({}),
+        creator_name: None,
+        creator_email: None,
+        created_at: now,
+        updated_at: now,
+        deleted_at: None,
+    };
+
+    Ok(Json(vec![response]))
+}
+
+/// Request body for creating a tenant.
+#[derive(Debug, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct CreateTenantRequest {
+    #[serde(default = "Uuid::new_v4")]
+    pub tenant_id: Uuid,
+    pub name: String,
+    #[serde(default)]
+    pub metadata: serde_json::Value,
+    pub creator_name: Option<String>,
+    pub creator_email: Option<String>,
+}
+
+/// Handle POST /tenants/resources/tenants/v1
+/// Creates a new tenant.
+pub async fn handle_create_tenant(
+    State(context): State<Arc<Context>>,
+    Json(body): Json<CreateTenantRequest>,
+) -> Result<Json<TenantResponse>, StatusCode> {
+    let now = Utc::now();
+    let tenant = TenantConfig {
+        id: body.tenant_id,
+        name: body.name,
+        metadata: body.metadata,
+        creator_name: body.creator_name,
+        creator_email: body.creator_email,
+        created_at: now,
+        updated_at: now,
+        deleted_at: None,
+    };
+
+    let response = TenantResponse::from(&tenant);
+    let mut tenants = context.tenants.lock().unwrap();
+    tenants.insert(tenant.id, tenant);
+
+    Ok(Json(response))
+}
+
+/// Request body for setting tenant metadata.
+#[derive(Debug, Deserialize)]
+pub struct SetTenantMetadataRequest {
+    pub metadata: serde_json::Value,
+}
+
+/// Handle POST /tenants/resources/tenants/v1/:id/metadata
+/// Sets/updates tenant metadata.
+pub async fn handle_set_tenant_metadata(
+    State(context): State<Arc<Context>>,
+    Path(id): Path<Uuid>,
+    Json(body): Json<SetTenantMetadataRequest>,
+) -> Result<Json<TenantResponse>, StatusCode> {
+    let mut tenants = context.tenants.lock().unwrap();
+
+    // If the tenant exists in the explicit tenants map, update it
+    if let Some(tenant) = tenants.get_mut(&id) {
+        // Merge the new metadata with existing metadata
+        if let Some(existing) = tenant.metadata.as_object_mut() {
+            if let Some(new_obj) = body.metadata.as_object() {
+                for (k, v) in new_obj {
+                    existing.insert(k.clone(), v.clone());
+                }
+            }
+        } else {
+            tenant.metadata = body.metadata;
+        }
+        tenant.updated_at = Utc::now();
+        return Ok(Json(TenantResponse::from(&*tenant)));
+    }
+    drop(tenants);
+
+    // Check if the tenant exists in users
+    let users = context.users.lock().unwrap();
+    let tenant_exists = users.values().any(|u| u.tenant_id == id);
+    drop(users);
+
+    if !tenant_exists {
+        return Err(StatusCode::NOT_FOUND);
+    }
+
+    // Create a new tenant entry with the metadata
+    let now = Utc::now();
+    let tenant = TenantConfig {
+        id,
+        name: format!("Tenant {}", &id.to_string()[..8]),
+        metadata: body.metadata,
+        creator_name: None,
+        creator_email: None,
+        created_at: now,
+        updated_at: now,
+        deleted_at: None,
+    };
+    let response = TenantResponse::from(&tenant);
+    let mut tenants = context.tenants.lock().unwrap();
+    tenants.insert(id, tenant);
+
+    Ok(Json(response))
+}

src/frontegg-mock/src/handlers/tenant.rs

@@ -10,13 +10,15 @@
 pub mod group;
 pub mod scim;
 pub mod sso;
+pub mod tenant;
 pub mod token;
 pub mod user;
 pub mod utils;
 
 pub use group::*;
 pub use scim::*;
 pub use sso::*;
+pub use tenant::*;
 pub use token::*;
 pub use user::*;
 pub use utils::*;