wip: rearrange

Author: Julusian

meteor/__mocks__/meteor.ts

@@ -2,6 +2,7 @@ import { stringifyError } from '@sofie-automation/shared-lib/dist/lib/stringifyE
 import * as _ from 'underscore'
 import { Fiber } from './Fibers'
 import { MongoMock } from './mongo'
+import { USER_PERMISSIONS_HEADER } from '@sofie-automation/meteor-lib/dist/userPermissions'
 
 let controllableDefer = false
 
@@ -122,6 +123,9 @@ export namespace MeteorMock {
 			userId: mockUser ? mockUser._id : undefined,
 			connection: {
 				clientAddress: '1.1.1.1',
+				httpHeaders: {
+					[USER_PERMISSIONS_HEADER]: 'admin',
+				},
 			},
 			unblock: () => {
 				// noop

meteor/server/api/client.ts

@@ -26,7 +26,7 @@ import {
 	checkAccessToRundown,
 	VerifiedRundownForUserAction,
 	VerifiedRundownPlaylistForUserAction,
-} from './lib'
+} from '../security/check'
 import { UserActionsLog } from '../collections'
 import { executePeripheralDeviceFunctionWithCustomTimeout } from './peripheralDevice/executeFunction'
 import { LeveledLogMethodFixed } from '@sofie-automation/corelib/dist/logging'
@@ -63,7 +63,7 @@ export namespace ServerClientAPI {
 			async (userActionMetadata) => {
 				checkArgs()
 
-				const playlist = await checkAccessToPlaylist(context, playlistId)
+				const playlist = await checkAccessToPlaylist(context.connection, playlistId)
 				return runStudioJob(playlist.studioId, jobName, jobArguments, userActionMetadata)
 			}
 		)
@@ -90,7 +90,7 @@ export namespace ServerClientAPI {
 			async (userActionMetadata) => {
 				checkArgs()
 
-				const rundown = await checkAccessToRundown(context, rundownId)
+				const rundown = await checkAccessToRundown(context.connection, rundownId)
 				return runStudioJob(rundown.studioId, jobName, jobArguments, userActionMetadata)
 			}
 		)
@@ -112,7 +112,7 @@ export namespace ServerClientAPI {
 		return runUserActionInLog(context, userEvent, eventTime, methodName, args, async () => {
 			checkArgs()
 
-			const playlist = await checkAccessToPlaylist(context, playlistId)
+			const playlist = await checkAccessToPlaylist(context.connection, playlistId)
 			return fcn(playlist)
 		})
 	}
@@ -133,7 +133,7 @@ export namespace ServerClientAPI {
 		return runUserActionInLog(context, userEvent, eventTime, methodName, args, async () => {
 			checkArgs()
 
-			const rundown = await checkAccessToRundown(context, rundownId)
+			const rundown = await checkAccessToRundown(context.connection, rundownId)
 			return fcn(rundown)
 		})
 	}

meteor/server/api/deviceTriggers/observer.ts

@@ -10,7 +10,7 @@ import {
 	PreviewWrappedAdLib,
 } from '@sofie-automation/meteor-lib/dist/api/MountedTriggers'
 import { logger } from '../../logging'
-import { checkAccessAndGetPeripheralDevice } from '../ingest/lib'
+import { checkAccessAndGetPeripheralDevice } from '../../security/check'
 import { StudioActionManagers } from './StudioActionManagers'
 import { JobQueueWithClasses } from '@sofie-automation/shared-lib/dist/lib/JobQueueWithClasses'
 import { StudioDeviceTriggerManager } from './StudioDeviceTriggerManager'

meteor/server/api/evaluations.ts

@@ -9,7 +9,7 @@ import { fetchStudioLight } from '../optimizations'
 import { sendSlackMessageToWebhook } from './integration/slack'
 import { DBRundownPlaylist } from '@sofie-automation/corelib/dist/dataModel/RundownPlaylist'
 import { Evaluations, RundownPlaylists } from '../collections'
-import { VerifiedRundownPlaylistForUserAction } from './lib'
+import { VerifiedRundownPlaylistForUserAction } from '../security/check'
 
 export async function saveEvaluation(
 	_playlist: VerifiedRundownPlaylistForUserAction,

meteor/server/api/ingest/actions.ts

@@ -6,7 +6,7 @@ import { GenericDeviceActions } from './genericDevice/actions'
 import { PeripheralDeviceType } from '@sofie-automation/corelib/dist/dataModel/PeripheralDevice'
 import { IngestJobs } from '@sofie-automation/corelib/dist/worker/ingest'
 import { assertNever } from '@sofie-automation/corelib/dist/lib'
-import { VerifiedRundownForUserAction } from '../lib'
+import { VerifiedRundownForUserAction } from '../../security/check'
 
 /*
 This file contains actions that can be performed on an ingest-device

meteor/server/api/ingest/lib.ts

@@ -5,7 +5,6 @@ import { stringifyError } from '@sofie-automation/shared-lib/dist/lib/stringifyE
 import { PeripheralDevice, PeripheralDeviceCategory } from '@sofie-automation/corelib/dist/dataModel/PeripheralDevice'
 import { Rundown, RundownSourceNrcs } from '@sofie-automation/corelib/dist/dataModel/Rundown'
 import { logger } from '../../logging'
-import { MethodContext } from '../methodContext'
 import { profiler } from '../profiler'
 import { IngestJobFunc } from '@sofie-automation/corelib/dist/worker/ingest'
 import { QueueIngestJob } from '../../worker/worker'
@@ -19,8 +18,6 @@ import {
 } from '@sofie-automation/corelib/dist/dataModel/Ids'
 import { PeripheralDevices } from '../../collections'
 import { getStudioIdFromDevice } from '../studio/lib'
-import { assertConnectionHasOneOfPermissions } from '../../security/auth'
-import { SubscriptionContext } from '../../publications/lib'
 
 /**
  * Run an ingest operation via the worker.
@@ -64,43 +61,6 @@ export async function runIngestOperation<T extends keyof IngestJobFunc>(
 	}
 }
 
-/** Check Access and return PeripheralDevice, throws otherwise */
-export async function checkAccessAndGetPeripheralDevice(
-	deviceId: PeripheralDeviceId,
-	token: string | undefined,
-	context: MethodContext | SubscriptionContext
-): Promise<PeripheralDevice> {
-	const span = profiler.startSpan('lib.checkAccessAndGetPeripheralDevice')
-
-	assertConnectionHasOneOfPermissions(context.connection, 'gateway')
-
-	// If no token, we will never match
-	if (!token) throw new Meteor.Error(401, `Not allowed access to peripheralDevice`)
-
-	const device = await PeripheralDevices.findOneAsync({ _id: deviceId })
-	if (!device) throw new Meteor.Error(404, `PeripheralDevice "${deviceId}" not found`)
-
-	// Check if the device has a token, and if it matches:
-	if (device.token && device.token === token) {
-		span?.end()
-		return device
-	}
-
-	// If the device has a parent, try that for access control:
-	const parentDevice = device.parentDeviceId ? await PeripheralDevices.findOneAsync(device.parentDeviceId) : device
-	if (!parentDevice) throw new Meteor.Error(404, `PeripheralDevice parentDevice "${device.parentDeviceId}" not found`)
-
-	// Check if the parent device has a token, and if it matches:
-	if (parentDevice.token && parentDevice.token === token) {
-		span?.end()
-		return device
-	}
-
-	// No match for token found
-	span?.end()
-	throw new Meteor.Error(401, `Not allowed access to peripheralDevice`)
-}
-
 export function getRundownId(studioId: StudioId, rundownExternalId: string): RundownId {
 	if (!studioId) throw new Meteor.Error(500, 'getRundownId: studio not set!')
 	if (!rundownExternalId) throw new Meteor.Error(401, 'getRundownId: rundownExternalId must be set!')

meteor/server/api/ingest/mosDevice/mosIntegration.ts

@@ -1,16 +1,12 @@
 import { MOS } from '@sofie-automation/corelib'
 import { logger } from '../../../logging'
-import {
-	checkAccessAndGetPeripheralDevice,
-	fetchStudioIdFromDevice,
-	generateRundownSource,
-	runIngestOperation,
-} from '../lib'
+import { fetchStudioIdFromDevice, generateRundownSource, runIngestOperation } from '../lib'
 import { parseMosString } from './lib'
 import { MethodContext } from '../../methodContext'
 import { profiler } from '../../profiler'
 import { IngestJobs } from '@sofie-automation/corelib/dist/worker/ingest'
 import { PeripheralDeviceId } from '@sofie-automation/corelib/dist/dataModel/Ids'
+import { checkAccessAndGetPeripheralDevice } from '../../../security/check'
 
 const apmNamespace = 'mosIntegration'
 

meteor/server/api/ingest/rundownInput.ts

@@ -7,18 +7,14 @@ import { lazyIgnore } from '../../lib/lib'
 import { IngestRundown, IngestSegment, IngestPart, IngestPlaylist } from '@sofie-automation/blueprints-integration'
 import { logger } from '../../logging'
 import { RundownIngestDataCache } from './ingestCache'
-import {
-	checkAccessAndGetPeripheralDevice,
-	fetchStudioIdFromDevice,
-	generateRundownSource,
-	runIngestOperation,
-} from './lib'
+import { fetchStudioIdFromDevice, generateRundownSource, runIngestOperation } from './lib'
 import { MethodContext } from '../methodContext'
 import { IngestJobs } from '@sofie-automation/corelib/dist/worker/ingest'
 import { MediaObject } from '@sofie-automation/shared-lib/dist/core/model/MediaObjects'
 import { PeripheralDeviceId, RundownId, SegmentId, StudioId } from '@sofie-automation/corelib/dist/dataModel/Ids'
 import { NrcsIngestCacheType } from '@sofie-automation/corelib/dist/dataModel/NrcsIngestDataCache'
 import { stringifyError } from '@sofie-automation/shared-lib/dist/lib/stringifyError'
+import { checkAccessAndGetPeripheralDevice } from '../../security/check'
 
 export namespace RundownInput {
 	export async function dataPlaylistGet(

meteor/server/api/integration/expectedPackages.ts

@@ -1,7 +1,7 @@
 import { check } from '../../lib/check'
 import { Meteor } from 'meteor/meteor'
 import { MethodContext } from '../methodContext'
-import { checkAccessAndGetPeripheralDevice } from '../ingest/lib'
+import { checkAccessAndGetPeripheralDevice } from '../../security/check'
 import { ExpectedPackageStatusAPI, PackageInfo } from '@sofie-automation/blueprints-integration'
 import { ExpectedPackageWorkStatus } from '@sofie-automation/corelib/dist/dataModel/ExpectedPackageWorkStatuses'
 import { assertNever, literal, protectString } from '../../lib/tempLib'

meteor/server/api/integration/media-scanner.ts

@@ -1,6 +1,6 @@
 import { Meteor } from 'meteor/meteor'
 import { protectString } from '../../lib/tempLib'
-import { checkAccessAndGetPeripheralDevice } from '../ingest/lib'
+import { checkAccessAndGetPeripheralDevice } from '../../security/check'
 import { MethodContext } from '../methodContext'
 import { MediaObject } from '@sofie-automation/shared-lib/dist/core/model/MediaObjects'
 import { MediaObjId, PeripheralDeviceId } from '@sofie-automation/corelib/dist/dataModel/Ids'