wip: more ddp

Author: Julusian

meteor/server/api/ExternalMessageQueue.ts

@@ -9,11 +9,14 @@ import {
 } from '@sofie-automation/meteor-lib/dist/api/ExternalMessageQueue'
 import { StatusObject, setSystemStatus } from '../systemStatus/systemStatus'
 import { MethodContextAPI, MethodContext } from './methodContext'
-import { StudioContentWriteAccess } from '../security/studio'
 import { ExternalMessageQueueObjId } from '@sofie-automation/corelib/dist/dataModel/Ids'
 import { ExternalMessageQueue } from '../collections'
 import { ExternalMessageQueueObj } from '@sofie-automation/corelib/dist/dataModel/ExternalMessageQueue'
 import { MongoQuery } from '@sofie-automation/corelib/dist/mongo'
+import { UserPermissions } from '@sofie-automation/meteor-lib/dist/userPermissions'
+import { assertConnectionHasOneOfPermissions } from '../security/auth'
+
+const USER_PERMISSIONS_FOR_EXTERNAL_MESSAGES: Array<keyof UserPermissions> = ['configure', 'studio', 'service']
 
 let updateExternalMessageQueueStatusTimeout = 0
 function updateExternalMessageQueueStatus(): void {
@@ -68,36 +71,44 @@ Meteor.startup(() => {
 
 async function removeExternalMessage(context: MethodContext, messageId: ExternalMessageQueueObjId): Promise<void> {
 	check(messageId, String)
-	await StudioContentWriteAccess.externalMessage(context, messageId)
+
+	assertConnectionHasOneOfPermissions(context.connection, ...USER_PERMISSIONS_FOR_EXTERNAL_MESSAGES)
 
 	// TODO - is this safe? what if it is in the middle of execution?
 	await ExternalMessageQueue.removeAsync(messageId)
 }
 async function toggleHold(context: MethodContext, messageId: ExternalMessageQueueObjId): Promise<void> {
 	check(messageId, String)
-	const access = await StudioContentWriteAccess.externalMessage(context, messageId)
-	const m = access.message
-	if (!m) throw new Meteor.Error(404, `ExternalMessage "${messageId}" not found!`)
+
+	assertConnectionHasOneOfPermissions(context.connection, ...USER_PERMISSIONS_FOR_EXTERNAL_MESSAGES)
+
+	const existingMessage = await ExternalMessageQueue.findOneAsync(messageId)
+	if (!existingMessage) throw new Meteor.Error(404, `ExternalMessage "${messageId}" not found!`)
 
 	await ExternalMessageQueue.updateAsync(messageId, {
 		$set: {
-			hold: !m.hold,
+			hold: !existingMessage.hold,
 		},
 	})
 }
 async function retry(context: MethodContext, messageId: ExternalMessageQueueObjId): Promise<void> {
 	check(messageId, String)
-	const access = await StudioContentWriteAccess.externalMessage(context, messageId)
-	const m = access.message
-	if (!m) throw new Meteor.Error(404, `ExternalMessage "${messageId}" not found!`)
+
+	assertConnectionHasOneOfPermissions(context.connection, ...USER_PERMISSIONS_FOR_EXTERNAL_MESSAGES)
+
+	const existingMessage = await ExternalMessageQueue.findOneAsync(messageId)
+	if (!existingMessage) throw new Meteor.Error(404, `ExternalMessage "${messageId}" not found!`)
 
 	const tryGap = getCurrentTime() - 1 * 60 * 1000
 	await ExternalMessageQueue.updateAsync(messageId, {
 		$set: {
 			manualRetry: true,
 			hold: false,
 			errorFatal: false,
-			lastTry: m.lastTry !== undefined && m.lastTry > tryGap ? tryGap : m.lastTry,
+			lastTry:
+				existingMessage.lastTry !== undefined && existingMessage.lastTry > tryGap
+					? tryGap
+					: existingMessage.lastTry,
 		},
 	})
 	// triggerdoMessageQueue(1000)

meteor/server/api/ingest/lib.ts

@@ -5,9 +5,7 @@ import { stringifyError } from '@sofie-automation/shared-lib/dist/lib/stringifyE
 import { PeripheralDevice, PeripheralDeviceCategory } from '@sofie-automation/corelib/dist/dataModel/PeripheralDevice'
 import { Rundown, RundownSourceNrcs } from '@sofie-automation/corelib/dist/dataModel/Rundown'
 import { logger } from '../../logging'
-import { PeripheralDeviceContentWriteAccess } from '../../security/peripheralDevice'
 import { MethodContext } from '../methodContext'
-import { Credentials } from '../../security/lib/credentials'
 import { profiler } from '../profiler'
 import { IngestJobFunc } from '@sofie-automation/corelib/dist/worker/ingest'
 import { QueueIngestJob } from '../../worker/worker'
@@ -21,6 +19,7 @@ import {
 } from '@sofie-automation/corelib/dist/dataModel/Ids'
 import { PeripheralDevices } from '../../collections'
 import { getStudioIdFromDevice } from '../studio/lib'
+import { assertConnectionHasOneOfPermissions } from '../../security/auth'
 
 /**
  * Run an ingest operation via the worker.
@@ -68,20 +67,37 @@ export async function runIngestOperation<T extends keyof IngestJobFunc>(
 export async function checkAccessAndGetPeripheralDevice(
 	deviceId: PeripheralDeviceId,
 	token: string | undefined,
-	context: Credentials | MethodContext
+	context: MethodContext
 ): Promise<PeripheralDevice> {
 	const span = profiler.startSpan('lib.checkAccessAndGetPeripheralDevice')
 
-	const { device: peripheralDevice } = await PeripheralDeviceContentWriteAccess.peripheralDevice(
-		{ userId: context.userId, token },
-		deviceId
-	)
-	if (!peripheralDevice) {
-		throw new Meteor.Error(404, `PeripheralDevice "${deviceId}" not found`)
+	assertConnectionHasOneOfPermissions(context.connection, 'gateway')
+
+	// If no token, we will never match
+	if (!token) throw new Meteor.Error(401, `Not allowed access to peripheralDevice`)
+
+	const device = await PeripheralDevices.findOneAsync({ _id: deviceId })
+	if (!device) throw new Meteor.Error(404, `PeripheralDevice "${deviceId}" not found`)
+
+	// Check if the device has a token, and if it matches:
+	if (device.token && device.token === token) {
+		span?.end()
+		return device
+	}
+
+	// If the device has a parent, try that for access control:
+	const parentDevice = device.parentDeviceId ? await PeripheralDevices.findOneAsync(device.parentDeviceId) : device
+	if (!parentDevice) throw new Meteor.Error(404, `PeripheralDevice parentDevice "${device.parentDeviceId}" not found`)
+
+	// Check if the parent device has a token, and if it matches:
+	if (parentDevice.token && parentDevice.token === token) {
+		span?.end()
+		return device
 	}
 
+	// No match for token found
 	span?.end()
-	return peripheralDevice
+	throw new Meteor.Error(401, `Not allowed access to peripheralDevice`)
 }
 
 export function getRundownId(studioId: StudioId, rundownExternalId: string): RundownId {

meteor/server/api/organizations.ts

@@ -4,13 +4,15 @@ import { MethodContextAPI, MethodContext } from './methodContext'
 import { NewOrganizationAPI, OrganizationAPIMethods } from '@sofie-automation/meteor-lib/dist/api/organization'
 import { registerClassToMeteorMethods } from '../methods'
 import { DBOrganization, DBOrganizationBase } from '@sofie-automation/meteor-lib/dist/collections/Organization'
-import { OrganizationContentWriteAccess } from '../security/organization'
-import { triggerWriteAccessBecauseNoCheckNecessary } from '../security/lib/securityVerify'
 import { insertStudioInner } from './studio/api'
 import { insertShowStyleBaseInner } from './showStyles'
 import { BlueprintId, OrganizationId } from '@sofie-automation/corelib/dist/dataModel/Ids'
 import { Blueprints, CoreSystem, Organizations, ShowStyleBases, Studios } from '../collections'
 import { getCoreSystemAsync } from '../coreSystem/collection'
+import { UserPermissions } from '@sofie-automation/meteor-lib/dist/userPermissions'
+import { assertConnectionHasOneOfPermissions } from '../security/auth'
+
+const PERMISSIONS_FOR_MANAGE_ORGANIZATIONS: Array<keyof UserPermissions> = ['configure']
 
 async function createDefaultEnvironmentForOrg(orgId: OrganizationId) {
 	let systemBlueprintId: BlueprintId | undefined
@@ -42,8 +44,11 @@ async function createDefaultEnvironmentForOrg(orgId: OrganizationId) {
 		await ShowStyleBases.updateAsync(showStyleId, { $set: { blueprintId: showStyleBlueprintId } })
 }
 
-export async function createOrganization(organization: DBOrganizationBase): Promise<OrganizationId> {
-	triggerWriteAccessBecauseNoCheckNecessary()
+export async function createOrganization(
+	context: MethodContext,
+	organization: DBOrganizationBase
+): Promise<OrganizationId> {
+	assertConnectionHasOneOfPermissions(context.connection, ...PERMISSIONS_FOR_MANAGE_ORGANIZATIONS)
 
 	const orgId = await Organizations.insertAsync(
 		literal<DBOrganization>({
@@ -60,7 +65,7 @@ export async function createOrganization(organization: DBOrganizationBase): Prom
 }
 
 async function removeOrganization(context: MethodContext, organizationId: OrganizationId) {
-	await OrganizationContentWriteAccess.organization(context, organizationId)
+	assertConnectionHasOneOfPermissions(context.connection, ...PERMISSIONS_FOR_MANAGE_ORGANIZATIONS)
 
 	await Organizations.removeAsync(organizationId)
 }

meteor/server/api/peripheralDevice.ts

@@ -26,7 +26,6 @@ import { MediaWorkFlowStep } from '@sofie-automation/shared-lib/dist/core/model/
 import { MOS } from '@sofie-automation/corelib'
 import { determineDiffTime } from './systemTime/systemTime'
 import { getTimeDiff } from './systemTime/api'
-import { PeripheralDeviceContentWriteAccess } from '../security/peripheralDevice'
 import { MethodContextAPI, MethodContext } from './methodContext'
 import { triggerWriteAccess, triggerWriteAccessBecauseNoCheckNecessary } from '../security/lib/securityVerify'
 import { checkAccessAndGetPeripheralDevice } from './ingest/lib'
@@ -81,7 +80,9 @@ export namespace ServerPeripheralDeviceAPI {
 		check(deviceId, String)
 		const existingDevice = await PeripheralDevices.findOneAsync(deviceId)
 		if (existingDevice) {
-			await PeripheralDeviceContentWriteAccess.peripheralDevice({ userId: context.userId, token }, deviceId)
+			await checkAccessAndGetPeripheralDevice(deviceId, token, context)
+		} else {
+			triggerWriteAccessBecauseNoCheckNecessary()
 		}
 
 		check(token, String)

meteor/server/api/rundown.ts

@@ -12,14 +12,14 @@ import {
 	TriggerReloadDataResponse,
 } from '@sofie-automation/meteor-lib/dist/api/userActions'
 import { MethodContextAPI, MethodContext } from './methodContext'
-import { StudioContentWriteAccess } from '../security/studio'
 import { runIngestOperation } from './ingest/lib'
 import { IngestJobs } from '@sofie-automation/corelib/dist/worker/ingest'
 import { VerifiedRundownForUserAction, VerifiedRundownPlaylistForUserAction } from './lib'
 import { Blueprint } from '@sofie-automation/corelib/dist/dataModel/Blueprint'
 import { DBStudio } from '@sofie-automation/corelib/dist/dataModel/Studio'
 import { RundownPlaylistId } from '@sofie-automation/corelib/dist/dataModel/Ids'
 import { Blueprints, Rundowns, ShowStyleBases, ShowStyleVariants, Studios } from '../collections'
+import { triggerWriteAccessBecauseNoCheckNecessary } from '../security/lib/securityVerify'
 
 export namespace ServerRundownAPI {
 	/** Remove an individual rundown */
@@ -63,16 +63,15 @@ export namespace ServerRundownAPI {
 
 export namespace ClientRundownAPI {
 	export async function rundownPlaylistNeedsResync(
-		context: MethodContext,
+		_context: MethodContext,
 		playlistId: RundownPlaylistId
 	): Promise<string[]> {
 		check(playlistId, String)
-		const access = await StudioContentWriteAccess.rundownPlaylist(context, playlistId)
-		const playlist = access.playlist
+		triggerWriteAccessBecauseNoCheckNecessary()
 
 		const rundowns = await Rundowns.findFetchAsync(
 			{
-				playlistId: playlist._id,
+				playlistId: playlistId,
 			},
 			{
 				sort: { _id: 1 },

meteor/server/security/auth.ts

@@ -19,6 +19,7 @@ export function parseConnectionPermissions(conn: RequestCredentials): UserPermis
 			developer: true,
 			testing: true,
 			service: true,
+			gateway: true,
 		}
 	}
 

meteor/server/security/organization.ts

@@ -2,10 +2,8 @@ import { Meteor } from 'meteor/meteor'
 import { logNotAllowed } from './lib/lib'
 import { MongoQueryKey } from '@sofie-automation/corelib/dist/mongo'
 import { allowAccessToOrganization } from './lib/security'
-import { Credentials, ResolvedCredentials, resolveCredentials } from './lib/credentials'
+import { Credentials, ResolvedCredentials } from './lib/credentials'
 import { Settings } from '../Settings'
-import { MethodContext } from '../api/methodContext'
-import { triggerWriteAccess } from './lib/securityVerify'
 import { isProtectedString } from '../lib/tempLib'
 import { OrganizationId, UserId } from '@sofie-automation/corelib/dist/dataModel/Ids'
 
@@ -46,39 +44,3 @@ export namespace OrganizationReadAccess {
 		return organizationContent(organizationId, cred)
 	}
 }
-export namespace OrganizationContentWriteAccess {
-	// These functions throws if access is not allowed.
-
-	export async function organization(
-		cred0: Credentials,
-		organizationId: OrganizationId
-	): Promise<OrganizationContentAccess> {
-		return anyContent(cred0, { organizationId })
-	}
-
-	/** Return credentials if writing is allowed, throw otherwise */
-	async function anyContent(
-		cred0: Credentials | MethodContext,
-		existingObj?: { organizationId: OrganizationId | null }
-	): Promise<OrganizationContentAccess> {
-		triggerWriteAccess()
-		if (!Settings.enableUserAccounts) {
-			return { userId: null, organizationId: null, cred: cred0 }
-		}
-		const cred = await resolveCredentials(cred0)
-		if (!cred.user) throw new Meteor.Error(403, `Not logged in`)
-		if (!cred.organizationId) throw new Meteor.Error(500, `User has no organization`)
-
-		const access = await allowAccessToOrganization(
-			cred,
-			existingObj ? existingObj.organizationId : cred.organizationId
-		)
-		if (!access.update) throw new Meteor.Error(403, `Not allowed: ${access.reason}`)
-
-		return {
-			userId: cred.user._id,
-			organizationId: cred.organizationId,
-			cred: cred,
-		}
-	}
-}

meteor/server/security/studio.ts

@@ -4,19 +4,11 @@ import { MongoQueryKey } from '@sofie-automation/corelib/dist/mongo'
 import { logNotAllowed } from './lib/lib'
 import { ExternalMessageQueueObj } from '@sofie-automation/corelib/dist/dataModel/ExternalMessageQueue'
 import { Credentials, ResolvedCredentials, resolveCredentials } from './lib/credentials'
-import { DBRundownPlaylist } from '@sofie-automation/corelib/dist/dataModel/RundownPlaylist'
 import { Settings } from '../Settings'
 import { triggerWriteAccess } from './lib/securityVerify'
 import { isProtectedString } from '../lib/tempLib'
 import { fetchStudioLight } from '../optimizations'
-import {
-	ExternalMessageQueueObjId,
-	OrganizationId,
-	RundownPlaylistId,
-	StudioId,
-	UserId,
-} from '@sofie-automation/corelib/dist/dataModel/Ids'
-import { ExternalMessageQueue, RundownPlaylists } from '../collections'
+import { OrganizationId, StudioId, UserId } from '@sofie-automation/corelib/dist/dataModel/Ids'
 import { StudioLight } from '@sofie-automation/corelib/dist/dataModel/Studio'
 
 export namespace StudioReadAccess {
@@ -61,25 +53,6 @@ export interface ExternalMessageContentAccess extends StudioContentAccess {
 export namespace StudioContentWriteAccess {
 	// These functions throws if access is not allowed.
 
-	export async function rundownPlaylist(
-		cred0: Credentials,
-		existingPlaylist: DBRundownPlaylist | RundownPlaylistId
-	): Promise<StudioContentAccess & { playlist: DBRundownPlaylist }> {
-		triggerWriteAccess()
-		if (existingPlaylist && isProtectedString(existingPlaylist)) {
-			const playlistId = existingPlaylist
-			const m = await RundownPlaylists.findOneAsync(playlistId)
-			if (!m) throw new Meteor.Error(404, `RundownPlaylist "${playlistId}" not found!`)
-			existingPlaylist = m
-		}
-		return { ...(await anyContent(cred0, existingPlaylist.studioId)), playlist: existingPlaylist }
-	}
-
-	/** Check for permission to select active routesets in the studio */
-	export async function routeSet(cred0: Credentials, studioId: StudioId): Promise<StudioContentAccess> {
-		return anyContent(cred0, studioId)
-	}
-
 	/** Check for permission to modify a bucket or its contents belonging to the studio */
 	export async function bucket(cred0: Credentials, studioId: StudioId): Promise<StudioContentAccess> {
 		return anyContent(cred0, studioId)
@@ -90,21 +63,6 @@ export namespace StudioContentWriteAccess {
 		return anyContent(cred0, studioId)
 	}
 
-	/** Check for permission to modify an ExternalMessageQueueObj */
-	export async function externalMessage(
-		cred0: Credentials,
-		existingMessage: ExternalMessageQueueObj | ExternalMessageQueueObjId
-	): Promise<ExternalMessageContentAccess> {
-		triggerWriteAccess()
-		if (existingMessage && isProtectedString(existingMessage)) {
-			const messageId = existingMessage
-			const m = await ExternalMessageQueue.findOneAsync(messageId)
-			if (!m) throw new Meteor.Error(404, `ExternalMessage "${messageId}" not found!`)
-			existingMessage = m
-		}
-		return { ...(await anyContent(cred0, existingMessage.studioId)), message: existingMessage }
-	}
-
 	/**
 	 * We don't have user levels, so we can use a simple check for all cases
 	 * Return credentials if writing is allowed, throw otherwise

packages/meteor-lib/src/userPermissions.ts

@@ -7,8 +7,9 @@ export interface UserPermissions {
 	developer: boolean
 	testing: boolean
 	service: boolean
+	gateway: boolean
 }
-const allowedPermissions = new Set<keyof UserPermissions>(['studio', 'configure', 'developer', 'testing', 'service'])
+const allowedPermissions = new Set<keyof UserPermissions>(['studio', 'configure', 'developer', 'testing', 'service','gateway'])
 
 export function parseUserPermissions(encodedPermissions: string | undefined): UserPermissions {
 	if (encodedPermissions === 'admin') {
@@ -18,6 +19,7 @@ export function parseUserPermissions(encodedPermissions: string | undefined): Us
 			developer: true,
 			testing: true,
 			service: true,
+			gateway:true
 		}
 	}
 
@@ -26,7 +28,7 @@ export function parseUserPermissions(encodedPermissions: string | undefined): Us
 		configure: false,
 		developer: false,
 		testing: false,
-		service: false,
+		service: false,gateway:false
 	}
 
 	if (encodedPermissions && typeof encodedPermissions === 'string') {