client credentials grantを利用できるように #2433
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,68 @@ | ||
| package migration | ||
|
|
||
| import ( | ||
| "github.com/go-gormigrate/gormigrate/v2" | ||
| "gorm.io/gorm" | ||
| ) | ||
|
|
||
| // v37 OAuth Client Credentials Grantの対応のため、clientロールを追加 | ||
| func v37() *gormigrate.Migration { | ||
| return &gormigrate.Migration{ | ||
| ID: "37", | ||
| Migrate: func(db *gorm.DB) error { | ||
| roles := []v37UserRole{ | ||
| { | ||
| Name: "client", | ||
| Oauth2Scope: false, | ||
| System: true, | ||
| Permissions: []v37RolePermission{ | ||
| { | ||
| Role: "client", | ||
| Permission: "get_user", | ||
| }, | ||
| { | ||
| Role: "client", | ||
| Permission: "get_user_tag", | ||
| }, | ||
| { | ||
| Role: "client", | ||
| Permission: "get_user_group", | ||
| }, | ||
| { | ||
| Role: "client", | ||
| Permission: "get_stamp", | ||
| }, | ||
| }, | ||
| }, | ||
| } | ||
| for _, role := range roles { | ||
| err := db.Create(&role).Error | ||
| if err != nil { | ||
| return err | ||
| } | ||
| } | ||
| return nil | ||
| }, | ||
| } | ||
| } | ||
|
|
||
| type v37UserRole struct { | ||
| Name string `gorm:"type:varchar(30);not null;primaryKey"` | ||
| Oauth2Scope bool `gorm:"type:boolean;not null;default:false"` | ||
| System bool `gorm:"type:boolean;not null;default:false"` | ||
|
|
||
| Permissions []v37RolePermission `gorm:"constraint:user_role_permissions_role_user_roles_name_foreign,OnUpdate:CASCADE,OnDelete:CASCADE;foreignKey:Role;references:Name"` | ||
| } | ||
|
|
||
| func (*v37UserRole) TableName() string { | ||
| return "user_roles" | ||
| } | ||
|
|
||
| type v37RolePermission struct { | ||
| Role string `gorm:"type:varchar(30);not null;primaryKey"` | ||
| Permission string `gorm:"type:varchar(30);not null;primaryKey"` | ||
| } | ||
|
|
||
| func (*v37RolePermission) TableName() string { | ||
| return "user_role_permissions" | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| package role | ||
|
|
||
| import ( | ||
| "github.com/traPtitech/traQ/service/rbac/permission" | ||
| ) | ||
|
|
||
| // Client Clientロール (for OAuth2 client credentials grant) | ||
| const Client = "client" | ||
|
|
||
| // 自分自身以外の参照系は許可するようにしたいが、https://github.com/traPtitech/traQ/pull/2433#discussion_r1649383346 | ||
| // の事情から許可できる権限が限られる | ||
| // https://github.com/traPtitech/traQ/issues/2463 で権限を増やせるよう対応予定 | ||
| var clientPerms = []permission.Permission{ | ||
| permission.GetUser, | ||
| permission.GetUserTag, | ||
| permission.GetUserGroup, | ||
| permission.GetStamp, | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
knoQで使いたいのでGetUsersやGetUserGroupsがあると助かります:pray:
Draftで仮置きしてるだけかもですが
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
GetUsersとGetUserGroupsのAPIはそれぞれpermission.GetUserとpermission.GetUserGroupを持っていれば叩けますね。(APIと一対一対応ではなく、一つのpermissionが複数のAPIを対象として許可しています。)
ref:
traQ/router/v3/router.go
Line 88 in 4ac1640
traQ/router/v3/router.go
Line 281 in 4ac1640
一応permissionのListは
traQ/service/rbac/permission/permission.go
Line 47 in 4ac1640
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
少なくない?そんなことない?
自身のユーザーに関連しないものは許可してよさそう
https://github.com/traPtitech/traQ/blob/master/service/rbac/role/read.go
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
見落としあるかもしれませんが、確認した限りはこれら以外のpermissionで許可されるエンドポイントの中には
getRequestUserIDが 含まれてそうな感じでした。e.g.
permission.GetMessageで許可されるエンドポイントの中にGetDirectMessagesが含まれるtraQ/router/v3/messages.go
Line 344 in 4ac1640
traQ/router/v3/router.go
Line 97 in 4ac1640
permissionで許可するエンドポイントの対応関係を上手く考え直せば与えられる許可は増やせそうですが、影響範囲大きくなるのでひとまずこれぐらいでも良いかなと思ってます。
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
うーん、なるほど あまりきめ細やかに制御されてなくて難しいんですね
そうしたらその権限の制御のやり方を考え直す(より細やかにする)か、client credentials grantにそもそもユーザーをどうにかして紐づけるか、とかを考えたいところですね
少なくとも今やらない(できなかった)のなら、その理由をコメントとかで書いておくべきだと思います
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Issue立てつつコメント残す形にしました