add email scope

traPtitech · May 8, 2024 · 4e5889d · 4e5889d
1 parent 13c15f4
commit 4e5889d
Show file tree

Hide file tree

Showing 6 changed files with 49 additions and 11 deletions.
diff --git a/migration/v35.go b/migration/v35.go
@@ -10,18 +10,37 @@ func v35() *gormigrate.Migration {
 	return &gormigrate.Migration{
 		ID: "35",
 		Migrate: func(db *gorm.DB) error {
-			v := v35UserRole{
-				Name:        "profile",
-				Oauth2Scope: true,
-				System:      true,
-				Permissions: []v35RolePermission{
-					{
-						Role:       "profile",
-						Permission: "get_me",
+			roles := []v35UserRole{
+				{
+					Name:        "profile",
+					Oauth2Scope: true,
+					System:      true,
+					Permissions: []v35RolePermission{
+						{
+							Role:       "profile",
+							Permission: "get_me",
+						},
 					},
 				},
+				{
+					Name:        "email",
+					Oauth2Scope: true,
+					System:      true,
+					Permissions: []v35RolePermission{
+						{
+							Role:       "profile",
+							Permission: "get_me",
+						},
+					},
+				},
+			}
+			for _, role := range roles {
+				err := db.Create(&role).Error
+				if err != nil {
+					return err
+				}
 			}
-			return db.Create(v).Error
+			return nil
 		},
 	}
 }

diff --git a/model/oauth2.go b/model/oauth2.go
@@ -31,7 +31,7 @@ type AccessScopes map[AccessScope]struct{}
 
 // SupportedAccessScopes 対応するスコープ一覧を返します
 func SupportedAccessScopes() []string {
-	return []string{"read", "write", "manage_bot", "openid", "profile"}
+	return []string{"read", "write", "manage_bot", "openid", "profile", "email"}
 }
 
 // Value database/sql/driver.Valuer 実装

diff --git a/service/oidc/userinfo.go b/service/oidc/userinfo.go
@@ -44,6 +44,8 @@ func (s *Service) GetUserInfo(userID uuid.UUID) (map[string]any, error) {
 	return map[string]any{
 		// OIDC standard claims
 		"name":               user.GetName(),
+		"email":              user.GetName() + "+dummy@example.com",
+		"email_verified":     false,
 		"preferred_username": user.GetName(),
 		"picture":            s.origin + "/api/v3/public/icon/" + user.GetName(),
 		"updated_at":         user.GetUpdatedAt(),

diff --git a/service/rbac/role/email.go b/service/rbac/role/email.go
@@ -0,0 +1,12 @@
+package role
+
+import (
+	"github.com/traPtitech/traQ/service/rbac/permission"
+)
+
+// Email ユーザー情報読み取り専用ロール (for OIDC)
+const Email = "email"
+
+var emailPerms = []permission.Permission{
+	permission.GetMe,
+}
diff --git a/service/rbac/role/profile.go b/service/rbac/role/profile.go
@@ -4,7 +4,7 @@ import (
 	"github.com/traPtitech/traQ/service/rbac/permission"
 )
 
-// Profile ユーザー情報読み取り専用ロール
+// Profile ユーザー情報読み取り専用ロール (for OIDC)
 const Profile = "profile"
 
 var profilePerms = []permission.Permission{

diff --git a/service/rbac/role/role.go b/service/rbac/role/role.go
@@ -43,6 +43,11 @@ func GetSystemRoles() Roles {
 			oauth2Scope: true,
 			permissions: permission.PermissionsFromArray(profilePerms),
 		},
+		Email: &systemRole{
+			name:        Email,
+			oauth2Scope: true,
+			permissions: permission.PermissionsFromArray(emailPerms),
+		},
 	}
 }