Merge pull request #1435 from SuperFlyTV/feat/reimplement-client-mongo-writes

feat(webui): reimplement client mongo writes

Author: nytamin

meteor/server/Connections.ts

@@ -4,8 +4,6 @@ import { logger } from './logging'
 import { sendTrace } from './api/integration/influx'
 import { PeripheralDevices } from './collections'
 import { MetricsGauge } from '@sofie-automation/corelib/dist/prometheus'
-import { parseUserPermissions, USER_PERMISSIONS_HEADER } from '@sofie-automation/meteor-lib/dist/userPermissions'
-import { Settings } from './Settings'
 
 const connections = new Set<string>()
 const connectionsGauge = new MetricsGauge({
@@ -16,24 +14,6 @@ const connectionsGauge = new MetricsGauge({
 Meteor.onConnection((conn: Meteor.Connection) => {
 	// This is called whenever a new ddp-connection is opened (ie a web-client or a peripheral-device)
 
-	if (Settings.enableHeaderAuth) {
-		const userLevel = parseUserPermissions(conn.httpHeaders[USER_PERMISSIONS_HEADER])
-
-		// HACK: force the userId of the connection before it can be used.
-		// This ensures we know the permissions of the connection before it can try to do anything
-		// This could probably be safely done inside a meteor method, as we only need it when directly modifying a collection in the client,
-		// but that will cause all the publications to restart when changing the userId.
-		const connSession = (Meteor as any).server.sessions.get(conn.id)
-		if (!connSession) {
-			logger.error(`Failed to find session for ddp connection! "${conn.id}"`)
-			// Close the connection, it won't be secure
-			conn.close()
-			return
-		} else {
-			connSession.userId = JSON.stringify(userLevel)
-		}
-	}
-
 	const connectionId: string = conn.id
 	// var clientAddress = conn.clientAddress; // ip-adress
 

meteor/server/api/mongo.ts

@@ -0,0 +1,102 @@
+import { registerClassToMeteorMethods } from '../methods'
+import { MethodContextAPI } from './methodContext'
+import { MongoAPI, MongoAPIMethods } from '@sofie-automation/meteor-lib/dist/api/mongo'
+import { CollectionName } from '@sofie-automation/corelib/dist/dataModel/Collections'
+import { ProtectedString } from '../lib/tempLib'
+import { logger } from '../logging'
+import { collectionsAllowDenyCache, collectionsCache } from '../collections/collection'
+import { Meteor } from 'meteor/meteor'
+import { checkHasOneOfPermissions, parseConnectionPermissions } from '../security/auth'
+import { triggerWriteAccess } from '../security/securityVerify'
+
+const hasOwn = Object.prototype.hasOwnProperty
+const ALLOWED_UPDATE_OPERATIONS = {
+	$inc: 1,
+	$set: 1,
+	$unset: 1,
+	$addToSet: 1,
+	$pop: 1,
+	$pullAll: 1,
+	$pull: 1,
+	$pushAll: 1,
+	$push: 1,
+	$bit: 1,
+}
+
+class MongoAPIClass extends MethodContextAPI implements MongoAPI {
+	async insertDocument(collectionName: CollectionName, _newDocument: any): Promise<ProtectedString<any>> {
+		triggerWriteAccess()
+
+		logger.error(`MongoAPI.insertDocument for "${collectionName}"`)
+		throw new Error('Not supported')
+	}
+
+	async updateDocument(collectionName: CollectionName, selector: any, modifier: any, _options: any): Promise<number> {
+		triggerWriteAccess()
+
+		if (!this.connection) throw new Meteor.Error(403, 'Only supported from the client')
+
+		const validator = collectionsAllowDenyCache.get(collectionName)
+		if (!validator) throw new Meteor.Error(403, `Not allowed to update collection: "${collectionName}`)
+
+		const collection = collectionsCache.get(collectionName)
+		if (!collection) throw new Meteor.Error(403, `Unknown collection: "${collectionName}`)
+
+		const permissions = parseConnectionPermissions(this.connection)
+		if (!checkHasOneOfPermissions(permissions, collectionName, ...validator.requiredPermissions))
+			throw new Meteor.Error(403, `Not allowed to update collection: "${collectionName}"`)
+
+		let documentId: string | null = null
+		if (typeof selector === 'string') {
+			documentId = selector
+		} else if (selector && typeof selector === 'object') {
+			documentId = selector._id
+		}
+		if (!documentId || typeof documentId !== 'string') {
+			throw new Meteor.Error(403, `Update operations can only do so by id: "${collectionName}"`)
+		}
+
+		const mutatorKeys = Object.keys(modifier)
+		if (mutatorKeys.length === 0) {
+			throw new Meteor.Error(403, 'Update modifier is not valid.')
+		}
+
+		// compute modified fields
+		const modifiedFields = new Set<string>()
+		mutatorKeys.forEach((op) => {
+			const params = modifier[op]
+			if (op.charAt(0) !== '$') {
+				throw new Meteor.Error(403, 'Update modifier is not valid.')
+			} else if (!hasOwn.call(ALLOWED_UPDATE_OPERATIONS, op)) {
+				throw new Meteor.Error(403, `Access denied. Operator ${op} not allowed in a restricted collection.`)
+			} else {
+				Object.keys(params).forEach((field) => {
+					// treat dotted fields as if they are replacing their
+					// top-level part
+					if (field.indexOf('.') !== -1) field = field.substring(0, field.indexOf('.'))
+
+					// record the field we are trying to change
+					modifiedFields.add(field)
+				})
+			}
+		})
+
+		const currentDocument = await collection.findOneAsync(selector)
+		if (!currentDocument) throw new Meteor.Error(404, `Document not found`)
+
+		// Perform check
+		const isAllowed = await validator.update(permissions, currentDocument, Array.from(modifiedFields), modifier)
+		if (!isAllowed) throw new Meteor.Error(403, `Not allowed to update collection: "${collectionName}"`)
+
+		// Perform update
+		return collection.updateAsync(currentDocument._id, modifier)
+	}
+
+	async removeDocument(collectionName: CollectionName, _selector: any): Promise<any> {
+		triggerWriteAccess()
+
+		logger.error(`MongoAPI.insertDocument for "${collectionName}"`)
+		throw new Meteor.Error(500, 'Not supported')
+	}
+}
+registerClassToMeteorMethods(MongoAPIMethods, MongoAPIClass, true)

meteor/server/collections/collection.ts

@@ -1,6 +1,5 @@
-import { UserId } from '@sofie-automation/corelib/dist/dataModel/Ids'
 import { FindOptions, MongoModifier, MongoQuery } from '@sofie-automation/corelib/dist/mongo'
-import { ProtectedString, protectString } from '@sofie-automation/corelib/dist/protectedString'
+import { ProtectedString } from '@sofie-automation/corelib/dist/protectedString'
 import { Meteor } from 'meteor/meteor'
 import { Mongo } from 'meteor/mongo'
 import { NpmModuleMongodb } from 'meteor/npm-mongo'
@@ -20,18 +19,22 @@ import {
 	UpsertOptions,
 } from '@sofie-automation/meteor-lib/dist/collections/lib'
 import { MinimalMongoCursor } from './implementations/asyncCollection'
+import { UserPermissions } from '@sofie-automation/meteor-lib/dist/userPermissions'
 
-export interface MongoAllowRules<DBInterface> {
+export interface CustomMongoAllowRules<DBInterface> {
 	// insert?: (userId: UserId | null, doc: DBInterface) => Promise<boolean> | boolean
-	update?: (
-		userId: UserId | null,
+	requiredPermissions: Array<keyof UserPermissions>
+	update: (
+		permissions: UserPermissions,
 		doc: DBInterface,
 		fieldNames: FieldNames<DBInterface>,
 		modifier: MongoModifier<DBInterface>
 	) => Promise<boolean> | boolean
 	// remove?: (userId: UserId | null, doc: DBInterface) => Promise<boolean> | boolean
 }
 
+export const collectionsAllowDenyCache = new Map<string, CustomMongoAllowRules<any>>()
+
 /**
  * Map of current collection objects.
  * Future: Could this weakly hold the collections?
@@ -55,11 +58,16 @@ export function getOrCreateMongoCollection(name: string): Mongo.Collection<any>
  */
 export function createAsyncOnlyMongoCollection<DBInterface extends { _id: ProtectedString<any> }>(
 	name: CollectionName,
-	allowRules: MongoAllowRules<DBInterface> | false
+	allowRules: CustomMongoAllowRules<DBInterface> | false
 ): AsyncOnlyMongoCollection<DBInterface> {
 	const collection = getOrCreateMongoCollection(name)
 
-	setupCollectionAllowRules(collection, allowRules)
+	if (allowRules) {
+		if (allowRules.requiredPermissions.length === 0)
+			throw new Meteor.Error(403, `No permissions specified for collection "${name}"`)
+
+		collectionsAllowDenyCache.set(name, allowRules as CustomMongoAllowRules<any>)
+	}
 
 	const wrappedCollection = wrapMeteorCollectionIntoAsyncCollection<DBInterface>(collection, name)
 
@@ -83,8 +91,6 @@ export function createAsyncOnlyReadOnlyMongoCollection<DBInterface extends { _id
 
 	registerCollection(name, readonlyCollection)
 
-	setupCollectionAllowRules(collection, false)
-
 	return readonlyCollection
 }
 
@@ -101,27 +107,6 @@ function wrapMeteorCollectionIntoAsyncCollection<DBInterface extends { _id: Prot
 	}
 }
 
-function setupCollectionAllowRules<DBInterface extends { _id: ProtectedString<any> }>(
-	collection: Mongo.Collection<DBInterface>,
-	args: MongoAllowRules<DBInterface> | false
-) {
-	if (!args) {
-		// Mutations are disabled by default
-		return
-	}
-
-	const { /* insert: origInsert,*/ update: origUpdate /*remove: origRemove*/ } = args
-
-	const options: Parameters<Mongo.Collection<DBInterface>['allow']>[0] = {
-		update: origUpdate
-			? async (userId: string | null, doc: DBInterface, fieldNames: string[], modifier: any) =>
-					origUpdate(protectString(userId), doc, fieldNames as any, modifier)
-			: () => false,
-	}
-
-	collection.allow(options)
-}
-
 /**
  * A minimal Async only wrapping around the base Mongo.Collection type
  */

meteor/server/collections/index.ts

@@ -32,17 +32,15 @@ import { createAsyncOnlyMongoCollection, createAsyncOnlyReadOnlyMongoCollection
 import { ObserveChangesForHash } from './lib'
 import { logger } from '../logging'
 import { allowOnlyFields, rejectFields } from '../security/allowDeny'
-import { checkUserIdHasOneOfPermissions } from '../security/auth'
 import { DBNotificationObj } from '@sofie-automation/corelib/dist/dataModel/Notifications'
 
 export * from './bucket'
 export * from './packages-media'
 export * from './rundown'
 
 export const Blueprints = createAsyncOnlyMongoCollection<Blueprint>(CollectionName.Blueprints, {
-	update(userId, doc, fields, _modifier) {
-		if (!checkUserIdHasOneOfPermissions(userId, CollectionName.Blueprints, 'configure')) return false
-
+	requiredPermissions: ['configure'],
+	update(_permissions, doc, fields, _modifier) {
 		return allowOnlyFields(doc, fields, ['name', 'disableVersionChecks'])
 	},
 })
@@ -51,9 +49,8 @@ registerIndex(Blueprints, {
 })
 
 export const CoreSystem = createAsyncOnlyMongoCollection<ICoreSystem>(CollectionName.CoreSystem, {
-	async update(userId, doc, fields, _modifier) {
-		if (!checkUserIdHasOneOfPermissions(userId, CollectionName.CoreSystem, 'configure')) return false
-
+	requiredPermissions: ['configure'],
+	async update(_permissions, doc, fields, _modifier) {
 		return allowOnlyFields(doc, fields, [
 			'systemInfo',
 			'name',
@@ -110,9 +107,8 @@ registerIndex(Notifications, {
 })
 
 export const Organizations = createAsyncOnlyMongoCollection<DBOrganization>(CollectionName.Organizations, {
-	async update(userId, doc, fields, _modifier) {
-		if (!checkUserIdHasOneOfPermissions(userId, CollectionName.Organizations, 'configure')) return false
-
+	requiredPermissions: ['configure'],
+	async update(_permissions, doc, fields, _modifier) {
 		return allowOnlyFields(doc, fields, ['userRoles'])
 	},
 })
@@ -126,9 +122,8 @@ registerIndex(PeripheralDeviceCommands, {
 })
 
 export const PeripheralDevices = createAsyncOnlyMongoCollection<PeripheralDevice>(CollectionName.PeripheralDevices, {
-	update(userId, doc, fields, _modifier) {
-		if (!checkUserIdHasOneOfPermissions(userId, CollectionName.PeripheralDevices, 'configure')) return false
-
+	requiredPermissions: ['configure'],
+	update(_permissions, doc, fields, _modifier) {
 		return allowOnlyFields(doc, fields, [
 			'name',
 			'deviceName',
@@ -151,9 +146,8 @@ registerIndex(PeripheralDevices, {
 })
 
 export const RundownLayouts = createAsyncOnlyMongoCollection<RundownLayoutBase>(CollectionName.RundownLayouts, {
-	async update(userId, doc, fields) {
-		if (!checkUserIdHasOneOfPermissions(userId, CollectionName.RundownLayouts, 'configure')) return false
-
+	requiredPermissions: ['configure'],
+	async update(_permissions, doc, fields) {
 		return rejectFields(doc, fields, ['_id', 'showStyleBaseId'])
 	},
 })
@@ -168,9 +162,8 @@ registerIndex(RundownLayouts, {
 })
 
 export const ShowStyleBases = createAsyncOnlyMongoCollection<DBShowStyleBase>(CollectionName.ShowStyleBases, {
-	async update(userId, doc, fields) {
-		if (!checkUserIdHasOneOfPermissions(userId, CollectionName.ShowStyleBases, 'configure')) return false
-
+	requiredPermissions: ['configure'],
+	async update(_permissions, doc, fields) {
 		return rejectFields(doc, fields, ['_id'])
 	},
 })
@@ -179,9 +172,8 @@ registerIndex(ShowStyleBases, {
 })
 
 export const ShowStyleVariants = createAsyncOnlyMongoCollection<DBShowStyleVariant>(CollectionName.ShowStyleVariants, {
-	async update(userId, doc, fields) {
-		if (!checkUserIdHasOneOfPermissions(userId, CollectionName.ShowStyleVariants, 'configure')) return false
-
+	requiredPermissions: ['configure'],
+	async update(_permissions, doc, fields) {
 		return rejectFields(doc, fields, ['showStyleBaseId'])
 	},
 })
@@ -191,9 +183,8 @@ registerIndex(ShowStyleVariants, {
 })
 
 export const Snapshots = createAsyncOnlyMongoCollection<SnapshotItem>(CollectionName.Snapshots, {
-	update(userId, doc, fields, _modifier) {
-		if (!checkUserIdHasOneOfPermissions(userId, CollectionName.Snapshots, 'configure')) return false
-
+	requiredPermissions: ['configure'],
+	update(_permissions, doc, fields, _modifier) {
 		return allowOnlyFields(doc, fields, ['comment'])
 	},
 })
@@ -205,9 +196,8 @@ registerIndex(Snapshots, {
 })
 
 export const Studios = createAsyncOnlyMongoCollection<DBStudio>(CollectionName.Studios, {
-	async update(userId, doc, fields, _modifier) {
-		if (!checkUserIdHasOneOfPermissions(userId, CollectionName.Studios, 'configure')) return false
-
+	requiredPermissions: ['configure'],
+	async update(_permissions, doc, fields, _modifier) {
 		return rejectFields(doc, fields, ['_id'])
 	},
 })
@@ -234,9 +224,8 @@ export const TranslationsBundles = createAsyncOnlyMongoCollection<TranslationsBu
 )
 
 export const TriggeredActions = createAsyncOnlyMongoCollection<DBTriggeredActions>(CollectionName.TriggeredActions, {
-	async update(userId, doc, fields) {
-		if (!checkUserIdHasOneOfPermissions(userId, CollectionName.TriggeredActions, 'configure')) return false
-
+	requiredPermissions: ['configure'],
+	async update(_permissions, doc, fields) {
 		return rejectFields(doc, fields, ['_id'])
 	},
 })

meteor/server/main.ts

@@ -19,6 +19,7 @@ import './api/ingest/debug'
 import './api/integration/expectedPackages'
 import './api/integration/media-scanner'
 import './api/integration/mediaWorkFlows'
+import './api/mongo'
 import './api/peripheralDevice'
 import './api/playout/api'
 import './api/rundown'

meteor/server/security/auth.ts

@@ -7,8 +7,6 @@ import { Settings } from '../Settings'
 import { Meteor } from 'meteor/meteor'
 import Koa from 'koa'
 import { triggerWriteAccess } from './securityVerify'
-import { UserId } from '@sofie-automation/corelib/dist/dataModel/Ids'
-import { unprotectString } from '../lib/tempLib'
 import { logger } from '../logging'
 import { CollectionName } from '@sofie-automation/corelib/dist/dataModel/Collections'
 
@@ -62,8 +60,8 @@ export function assertConnectionHasOneOfPermissions(
 	throw new Meteor.Error(403, 'Not authorized')
 }
 
-export function checkUserIdHasOneOfPermissions(
-	userId: UserId | null,
+export function checkHasOneOfPermissions(
+	permissions: UserPermissions,
 	collectionName: CollectionName,
 	...allowedPermissions: Array<keyof UserPermissions>
 ): boolean {
@@ -74,9 +72,8 @@ export function checkUserIdHasOneOfPermissions(
 	// Skip if auth is disabled
 	if (!Settings.enableHeaderAuth) return true
 
-	if (!userId) throw new Meteor.Error(403, 'UserId is null')
+	if (!permissions) throw new Meteor.Error(403, 'Permissions is null')
 
-	const permissions: UserPermissions = JSON.parse(unprotectString(userId))
 	for (const permission of allowedPermissions) {
 		if (permissions[permission]) return true
 	}