wip: more ddp

Julusian · Julusian · commit 082090a6fee3 · 2024-10-30T13:57:20.000Z
diff --git a/meteor/server/api/client.ts b/meteor/server/api/client.ts
@@ -7,35 +7,30 @@ import { ClientAPI, NewClientAPI, ClientAPIMethods } from '@sofie-automation/met
 import { UserActionsLogItem } from '@sofie-automation/meteor-lib/dist/collections/UserActionsLog'
 import { registerClassToMeteorMethods } from '../methods'
 import { MethodContext, MethodContextAPI } from './methodContext'
-import { Settings } from '../Settings'
-import { resolveCredentials } from '../security/lib/credentials'
 import { isInTestWrite, triggerWriteAccessBecauseNoCheckNecessary } from '../security/lib/securityVerify'
-import { PeripheralDeviceContentWriteAccess } from '../security/peripheralDevice'
 import { endTrace, sendTrace, startTrace } from './integration/influx'
 import { interpollateTranslation, translateMessage } from '@sofie-automation/corelib/dist/TranslatableMessage'
 import { UserError } from '@sofie-automation/corelib/dist/error'
 import { StudioJobFunc } from '@sofie-automation/corelib/dist/worker/studio'
 import { QueueStudioJob } from '../worker/worker'
 import { profiler } from './profiler'
 import {
-	OrganizationId,
 	PeripheralDeviceId,
 	RundownId,
 	RundownPlaylistId,
 	StudioId,
 	UserActionsLogItemId,
-	UserId,
 } from '@sofie-automation/corelib/dist/dataModel/Ids'
 import {
 	checkAccessToPlaylist,
 	checkAccessToRundown,
 	VerifiedRundownForUserAction,
 	VerifiedRundownPlaylistForUserAction,
 } from './lib'
-import { BasicAccessContext } from '../security/organization'
 import { UserActionsLog } from '../collections'
 import { executePeripheralDeviceFunctionWithCustomTimeout } from './peripheralDevice/executeFunction'
 import { LeveledLogMethodFixed } from '@sofie-automation/corelib/dist/logging'
+import { assertConnectionHasOneOfPermissions } from '../security/auth'
 
 function rewrapError(methodName: string, e: any): ClientAPI.ClientResponseError {
 	const userError = UserError.fromUnknown(e)
@@ -65,7 +60,7 @@ export namespace ServerClientAPI {
 			eventTime,
 			`worker.${jobName}`,
 			jobArguments as any,
-			async (_credentials, userActionMetadata) => {
+			async (userActionMetadata) => {
 				checkArgs()
 
 				const playlist = await checkAccessToPlaylist(context, playlistId)
@@ -92,7 +87,7 @@ export namespace ServerClientAPI {
 			eventTime,
 			`worker.${jobName}`,
 			jobArguments as any,
-			async (_credentials, userActionMetadata) => {
+			async (userActionMetadata) => {
 				checkArgs()
 
 				const rundown = await checkAccessToRundown(context, rundownId)
@@ -185,11 +180,11 @@ export namespace ServerClientAPI {
 		eventTime: Time,
 		methodName: string,
 		methodArgs: Record<string, unknown>,
-		fcn: (credentials: BasicAccessContext, userActionMetadata: UserActionMetadata) => Promise<TRes>
+		fcn: (userActionMetadata: UserActionMetadata) => Promise<TRes>
 	): Promise<ClientAPI.ClientResponse<TRes>> {
 		// If we are in the test write auth check mode, then bypass all special logic to ensure errors dont get mangled
 		if (isInTestWrite()) {
-			const result = await fcn({ organizationId: null, userId: null }, {})
+			const result = await fcn({})
 			return ClientAPI.responseSuccess(result)
 		}
 
@@ -203,23 +198,21 @@ export namespace ServerClientAPI {
 				// Called internally from server-side.
 				// Just run and return right away:
 				try {
-					const result = await fcn({ organizationId: null, userId: null }, {})
+					const result = await fcn({})
 
 					return ClientAPI.responseSuccess(result)
 				} catch (e) {
 					return rewrapError(methodName, e)
 				}
 			} else {
-				const credentials = await getLoggedInCredentials(context)
-
 				// Start the db entry, but don't wait for it
 				const actionId: UserActionsLogItemId = getRandomId()
 				const pInitialInsert = UserActionsLog.insertAsync(
 					literal<UserActionsLogItem>({
 						_id: actionId,
 						clientAddress: context.connection.clientAddress,
-						organizationId: credentials.organizationId,
-						userId: credentials.userId,
+						organizationId: null,
+						userId: null,
 						context: userEvent,
 						method: methodName,
 						args: JSON.stringify(methodArgs),
@@ -233,7 +226,7 @@ export namespace ServerClientAPI {
 
 				const userActionMetadata: UserActionMetadata = {}
 				try {
-					const result = await fcn(credentials, userActionMetadata)
+					const result = await fcn(userActionMetadata)
 
 					const completeTime = Date.now()
 					pInitialInsert
@@ -325,14 +318,15 @@ export namespace ServerClientAPI {
 			})
 		}
 
-		const access = await PeripheralDeviceContentWriteAccess.executeFunction(methodContext, deviceId)
+		// TODO - check this. This probably needs to be moved out of this method, with the client using more targetted methods
+		assertConnectionHasOneOfPermissions(methodContext.connection, 'studio', 'configure', 'service')
 
 		await UserActionsLog.insertAsync(
 			literal<UserActionsLogItem>({
 				_id: actionId,
 				clientAddress: methodContext.connection ? methodContext.connection.clientAddress : '',
-				organizationId: access.organizationId,
-				userId: access.userId,
+				organizationId: null,
+				userId: null,
 				context: context,
 				method: `${deviceId}: ${method}`,
 				args: JSON.stringify(args),
@@ -395,7 +389,8 @@ export namespace ServerClientAPI {
 			})
 		}
 
-		await PeripheralDeviceContentWriteAccess.executeFunction(methodContext, deviceId)
+		// TODO - check this. This probably needs to be moved out of this method, with the client using more targetted methods
+		assertConnectionHasOneOfPermissions(methodContext.connection, 'studio', 'configure', 'service')
 
 		return executePeripheralDeviceFunctionWithCustomTimeout(deviceId, timeoutTime, {
 			functionName,
@@ -407,17 +402,6 @@ export namespace ServerClientAPI {
 			return Promise.reject(err)
 		})
 	}
-
-	async function getLoggedInCredentials(methodContext: MethodContext): Promise<BasicAccessContext> {
-		let userId: UserId | null = null
-		let organizationId: OrganizationId | null = null
-		if (Settings.enableUserAccounts) {
-			const cred = await resolveCredentials({ userId: methodContext.userId })
-			if (cred.user) userId = cred.user._id
-			organizationId = cred.organizationId
-		}
-		return { userId, organizationId }
-	}
 }
 
 class ServerClientAPIClass extends MethodContextAPI implements NewClientAPI {
diff --git a/meteor/server/security/organization.ts b/meteor/server/security/organization.ts
@@ -5,15 +5,7 @@ import { allowAccessToOrganization } from './lib/security'
 import { Credentials, ResolvedCredentials } from './lib/credentials'
 import { Settings } from '../Settings'
 import { isProtectedString } from '../lib/tempLib'
-import { OrganizationId, UserId } from '@sofie-automation/corelib/dist/dataModel/Ids'
-
-export type BasicAccessContext = { organizationId: OrganizationId | null; userId: UserId | null }
-
-export interface OrganizationContentAccess {
-	userId: UserId | null
-	organizationId: OrganizationId | null
-	cred: ResolvedCredentials | Credentials
-}
+import { OrganizationId } from '@sofie-automation/corelib/dist/dataModel/Ids'
 
 export namespace OrganizationReadAccess {
 	export async function organization(
diff --git a/meteor/server/security/peripheralDevice.ts b/meteor/server/security/peripheralDevice.ts
@@ -1,18 +1,11 @@
 import { Meteor } from 'meteor/meteor'
-import { check } from '../lib/check'
-import { PeripheralDevice } from '@sofie-automation/corelib/dist/dataModel/PeripheralDevice'
 import { isProtectedString } from '../lib/tempLib'
 import { logNotAllowed } from './lib/lib'
-import { MediaWorkFlow } from '@sofie-automation/shared-lib/dist/core/model/MediaWorkFlows'
 import { MongoQueryKey } from '@sofie-automation/corelib/dist/mongo'
-import { Credentials, ResolvedCredentials, resolveCredentials } from './lib/credentials'
-import { allowAccessToPeripheralDevice, allowAccessToPeripheralDeviceContent } from './lib/security'
+import { Credentials, ResolvedCredentials } from './lib/credentials'
+import { allowAccessToPeripheralDevice } from './lib/security'
 import { Settings } from '../Settings'
-import { triggerWriteAccess } from './lib/securityVerify'
-import { profiler } from '../api/profiler'
-import { StudioContentWriteAccess } from './studio'
-import { OrganizationId, PeripheralDeviceId, StudioId, UserId } from '@sofie-automation/corelib/dist/dataModel/Ids'
-import { PeripheralDevices } from '../collections'
+import { PeripheralDeviceId } from '@sofie-automation/corelib/dist/dataModel/Ids'
 
 export namespace PeripheralDeviceReadAccess {
 	/** Check for read access for a peripheral device */
@@ -36,123 +29,3 @@ export namespace PeripheralDeviceReadAccess {
 		return true
 	}
 }
-export interface MediaWorkFlowContentAccess extends PeripheralDeviceContentWriteAccess.ContentAccess {
-	mediaWorkFlow: MediaWorkFlow
-}
-
-export namespace PeripheralDeviceContentWriteAccess {
-	export interface ContentAccess {
-		userId: UserId | null
-		organizationId: OrganizationId | null
-		deviceId: PeripheralDeviceId
-		device: PeripheralDevice
-		cred: ResolvedCredentials | Credentials
-	}
-
-	// These functions throws if access is not allowed.
-
-	/**
-	 * Check if a user is allowed to execute a PeripheralDevice function in a Studio
-	 */
-	export async function executeFunction(cred0: Credentials, deviceId: PeripheralDeviceId): Promise<ContentAccess> {
-		triggerWriteAccess()
-		const device = await PeripheralDevices.findOneAsync(deviceId)
-		if (!device) throw new Meteor.Error(404, `PeripheralDevice "${deviceId}" not found`)
-
-		let studioId: StudioId
-		if (device.studioId) {
-			studioId = device.studioId
-		} else if (device.parentDeviceId) {
-			// Child devices aren't assigned to the studio themselves, instead look up the parent device and use it's studioId:
-			const parentDevice = await PeripheralDevices.findOneAsync(device.parentDeviceId)
-			if (!parentDevice)
-				throw new Meteor.Error(
-					404,
-					`Parent PeripheralDevice "${device.parentDeviceId}" of "${deviceId}" not found!`
-				)
-			if (!parentDevice.studioId)
-				throw new Meteor.Error(
-					404,
-					`Parent PeripheralDevice "${device.parentDeviceId}" of "${deviceId}" doesn't have any studioId set`
-				)
-			studioId = parentDevice.studioId
-		} else {
-			throw new Meteor.Error(404, `PeripheralDevice "${deviceId}" doesn't have any studioId set`)
-		}
-
-		const access = await StudioContentWriteAccess.executeFunction(cred0, studioId)
-
-		const access2 = await allowAccessToPeripheralDeviceContent(access.cred, device)
-		if (!access2.playout) throw new Meteor.Error(403, `Not allowed: ${access2.reason}`)
-
-		return {
-			...access,
-			deviceId: device._id,
-			device,
-		}
-	}
-
-	/** Check for permission to modify a peripheralDevice */
-	export async function peripheralDevice(cred0: Credentials, deviceId: PeripheralDeviceId): Promise<ContentAccess> {
-		await backwardsCompatibilityfix(cred0, deviceId)
-		return anyContent(cred0, deviceId)
-	}
-
-	/** Return credentials if writing is allowed, throw otherwise */
-	async function anyContent(cred0: Credentials, deviceId: PeripheralDeviceId): Promise<ContentAccess> {
-		const span = profiler.startSpan('PeripheralDeviceContentWriteAccess.anyContent')
-		triggerWriteAccess()
-		check(deviceId, String)
-		const device = await PeripheralDevices.findOneAsync(deviceId)
-		if (!device) throw new Meteor.Error(404, `PeripheralDevice "${deviceId}" not found`)
-
-		// If the device has a parent, use that for access control:
-		const parentDevice = device.parentDeviceId
-			? await PeripheralDevices.findOneAsync(device.parentDeviceId)
-			: device
-		if (!parentDevice)
-			throw new Meteor.Error(404, `PeripheralDevice parentDevice "${device.parentDeviceId}" not found`)
-
-		if (!Settings.enableUserAccounts) {
-			// Note: this is kind of a hack to keep backwards compatibility..
-			if (!device.parentDeviceId && parentDevice.token !== cred0.token) {
-				throw new Meteor.Error(401, `Not allowed access to peripheralDevice`)
-			}
-
-			span?.end()
-			return {
-				userId: null,
-				organizationId: null,
-				deviceId: deviceId,
-				device: device,
-				cred: cred0,
-			}
-		} else {
-			if (!cred0.userId && parentDevice.token !== cred0.token) {
-				throw new Meteor.Error(401, `Not allowed access to peripheralDevice`)
-			}
-			const cred = await resolveCredentials(cred0)
-			const access = await allowAccessToPeripheralDeviceContent(cred, parentDevice)
-			if (!access.update) throw new Meteor.Error(403, `Not allowed: ${access.reason}`)
-			if (!access.document) throw new Meteor.Error(500, `Internal error: access.document not set`)
-
-			span?.end()
-			return {
-				userId: cred.user ? cred.user._id : null,
-				organizationId: cred.organizationId,
-				deviceId: deviceId,
-				device: device,
-				cred: cred,
-			}
-		}
-	}
-}
-async function backwardsCompatibilityfix(cred0: Credentials, deviceId: PeripheralDeviceId) {
-	if (!Settings.enableUserAccounts) {
-		// Note: This is a temporary hack to keep backwards compatibility:
-		const device = (await PeripheralDevices.findOneAsync(deviceId, { fields: { token: 1 } })) as
-			| Pick<PeripheralDevice, '_id' | 'token'>
-			| undefined
-		if (device) cred0.token = device.token
-	}
-}
