From 4388618e9a98d70fcaeceaa7c2a95274ed7d69e6 Mon Sep 17 00:00:00 2001
From: Denys Smirnov
Date: Sun, 23 Jun 2024 21:54:28 +0300
Subject: [PATCH] Update protocol. Use SIP grants. (#2808)

---
 go.mod | 2 +-
 go.sum | 4 ++--
 pkg/service/auth.go | 16 ++++++++++++++++
 pkg/service/sip.go | 33 +++++++++++++++++++++++++++++++++
 4 files changed, 52 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 707d5b698..e26f6c4d8 100644
--- a/go.mod
+++ b/go.mod
@@ -20,7 +20,7 @@ require (
 github.com/jxskiss/base62 v1.1.0
 github.com/livekit/mageutil v0.0.0-20230125210925-54e8a70427c1
 github.com/livekit/mediatransportutil v0.0.0-20240622055623-ce8d272f389e
- github.com/livekit/protocol v1.18.0
+ github.com/livekit/protocol v1.19.0
 github.com/livekit/psrpc v0.5.3-0.20240526192918-fbdaf10e6aa5
 github.com/mackerelio/go-osstat v0.2.5
 github.com/magefile/mage v1.15.0
diff --git a/go.sum b/go.sum
index 9a6dad577..3883f60c8 100644
--- a/go.sum
+++ b/go.sum
@@ -152,8 +152,8 @@ github.com/livekit/mageutil v0.0.0-20230125210925-54e8a70427c1 h1:jm09419p0lqTkD
 github.com/livekit/mageutil v0.0.0-20230125210925-54e8a70427c1/go.mod h1:Rs3MhFwutWhGwmY1VQsygw28z5bWcnEYmS1OG9OxjOQ=
 github.com/livekit/mediatransportutil v0.0.0-20240622055623-ce8d272f389e h1:ZKA07UcpsdMmLUAA/GHJiFbyZ/QHpggIk7npkjUx9H4=
 github.com/livekit/mediatransportutil v0.0.0-20240622055623-ce8d272f389e/go.mod h1:jwKUCmObuiEDH0iiuJHaGMXwRs3RjrB4G6qqgkr/5oE=
-github.com/livekit/protocol v1.18.0 h1:LLOjKBA8rtnGpVGjAmKUROy7bv/l9q1wyn9hNmj8Sdg=
-github.com/livekit/protocol v1.18.0/go.mod h1:cN8WmGQR+kWz1+UWcAQdFFUcbW76PnfZDdkLAbYIqd4=
+github.com/livekit/protocol v1.19.0 h1:EPcFQAa6ymVknKn21NbSeFuUsHTA8r3DH+RmP72yRrU=
+github.com/livekit/protocol v1.19.0/go.mod h1:cN8WmGQR+kWz1+UWcAQdFFUcbW76PnfZDdkLAbYIqd4=
 github.com/livekit/psrpc v0.5.3-0.20240526192918-fbdaf10e6aa5 h1:mTZyrjk5WEWMsvaYtJ42pG7DuxysKj21DKPINpGSIto=
 github.com/livekit/psrpc v0.5.3-0.20240526192918-fbdaf10e6aa5/go.mod h1:CQUBSPfYYAaevg1TNCc6/aYsa8DJH4jSRFdCeSZk5u0=
 github.com/mackerelio/go-osstat v0.2.5 h1:+MqTbZUhoIt4m8qzkVoXUJg1EuifwlAJSk4Yl2GXh+o=
diff --git a/pkg/service/auth.go b/pkg/service/auth.go
index c319eceff..8ea3a3617 100644
--- a/pkg/service/auth.go
+++ b/pkg/service/auth.go
@@ -196,6 +196,22 @@ func EnsureIngressAdminPermission(ctx context.Context) error {
 return nil
 }
 
+func EnsureSIPAdminPermission(ctx context.Context) error {
+ claims := GetGrants(ctx)
+ if claims == nil || claims.SIP == nil || !claims.SIP.Admin {
+ return ErrPermissionDenied
+ }
+ return nil
+}
+
+func EnsureSIPCallPermission(ctx context.Context) error {
+ claims := GetGrants(ctx)
+ if claims == nil || claims.SIP == nil || !claims.SIP.Call {
+ return ErrPermissionDenied
+ }
+ return nil
+}
+
 // wraps authentication errors around Twirp
 func twirpAuthError(err error) error {
 return twirp.NewError(twirp.Unauthenticated, err.Error())
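Review bot: EnsureSIPAdminPermission and EnsureSIPCallPermission are exported but carry no doc comment, so their contract (which grant flag is consulted and that absence of any SIP grant is denied) is only discoverable by reading the body; add `// EnsureSIPAdminPermission returns ErrPermissionDenied unless the grants attached to ctx carry a SIP grant with Admin set.` and the matching sentence for Call on the second function. The nil checks on both `claims` and `claims.SIP` make a token with no SIP grant fail closed, which is the right default and worth stating in that comment so nobody "simplifies" it later. The two bodies differ only in the flag read; if further SIP grant flags are added, a single unexported helper taking a predicate over the SIP grant would keep them from drifting apart. EnsureIngressAdminPermission, whose tail forms the hunk's leading context, starts outside the hunk.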
diff --git a/pkg/service/sip.go b/pkg/service/sip.go
index c70522560..c32dbc7e1 100644
--- a/pkg/service/sip.go
+++ b/pkg/service/sip.go
@@ -61,6 +61,9 @@ func NewSIPService(
 }
 
 func (s *SIPService) CreateSIPTrunk(ctx context.Context, req *livekit.CreateSIPTrunkRequest) (*livekit.SIPTrunkInfo, error) {
+ if err := EnsureSIPAdminPermission(ctx); err != nil {
+ return nil, twirpAuthError(err)
+ }
 if s.store == nil {
 return nil, ErrSIPNotConnected
 }
@@ -101,6 +104,9 @@ func (s *SIPService) CreateSIPTrunk(ctx context.Context, req *livekit.CreateSIPT
 }
 
 func (s *SIPService) CreateSIPInboundTrunk(ctx context.Context, req *livekit.CreateSIPInboundTrunkRequest) (*livekit.SIPInboundTrunkInfo, error) {
+ if err := EnsureSIPAdminPermission(ctx); err != nil {
+ return nil, twirpAuthError(err)
+ }
 if s.store == nil {
 return nil, ErrSIPNotConnected
 }
@@ -132,6 +138,9 @@ func (s *SIPService) CreateSIPInboundTrunk(ctx context.Context, req *livekit.Cre
 }
 
 func (s *SIPService) CreateSIPOutboundTrunk(ctx context.Context, req *livekit.CreateSIPOutboundTrunkRequest) (*livekit.SIPOutboundTrunkInfo, error) {
+ if err := EnsureSIPAdminPermission(ctx); err != nil {
+ return nil, twirpAuthError(err)
+ }
 if s.store == nil {
 return nil, ErrSIPNotConnected
 }
@@ -151,6 +160,9 @@ func (s *SIPService) CreateSIPOutboundTrunk(ctx context.Context, req *livekit.Cr
 }
 
 func (s *SIPService) ListSIPTrunk(ctx context.Context, req *livekit.ListSIPTrunkRequest) (*livekit.ListSIPTrunkResponse, error) {
+ if err := EnsureSIPAdminPermission(ctx); err != nil {
+ return nil, twirpAuthError(err)
+ }
 if s.store == nil {
 return nil, ErrSIPNotConnected
 }
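Review bot: The new SIP-admin gate in CreateSIPTrunk is inserted without any line being removed, and the same holds for the identical prologue added to CreateSIPInboundTrunk, CreateSIPOutboundTrunk, ListSIPTrunk, ListSIPInboundTrunk, ListSIPOutboundTrunk, DeleteSIPTrunk, CreateSIPDispatchRule, ListSIPDispatchRule and DeleteSIPDispatchRule; if any of these bodies still carries an older permission check further down (outside the hunk), it is now redundant, and if none did, this commit is the first authorization boundary on SIP management and that deserves a sentence in the commit message since existing API keys without the SIP admin grant will start receiving Unauthenticated. Placing the grant check ahead of `if s.store == nil` is the right order: an unauthorized caller learns nothing about whether SIP is configured. As a point of style, eleven verbatim copies of the three-line prologue invite drift; a small `func (s *SIPService) requireAdmin(ctx context.Context) error` returning the already-wrapped `twirpAuthError(err)` would make each method a one-liner and keep the error mapping in one place. Every method touched here continues past its hunk.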
@@ -164,6 +176,9 @@ func (s *SIPService) ListSIPTrunk(ctx context.Context, req *livekit.ListSIPTrunk
 }
 
 func (s *SIPService) ListSIPInboundTrunk(ctx context.Context, req *livekit.ListSIPInboundTrunkRequest) (*livekit.ListSIPInboundTrunkResponse, error) {
+ if err := EnsureSIPAdminPermission(ctx); err != nil {
+ return nil, twirpAuthError(err)
+ }
 if s.store == nil {
 return nil, ErrSIPNotConnected
 }
@@ -177,6 +192,9 @@ func (s *SIPService) ListSIPInboundTrunk(ctx context.Context, req *livekit.ListS
 }
 
 func (s *SIPService) ListSIPOutboundTrunk(ctx context.Context, req *livekit.ListSIPOutboundTrunkRequest) (*livekit.ListSIPOutboundTrunkResponse, error) {
+ if err := EnsureSIPAdminPermission(ctx); err != nil {
+ return nil, twirpAuthError(err)
+ }
 if s.store == nil {
 return nil, ErrSIPNotConnected
 }
@@ -190,6 +208,9 @@ func (s *SIPService) ListSIPOutboundTrunk(ctx context.Context, req *livekit.List
 }
 
 func (s *SIPService) DeleteSIPTrunk(ctx context.Context, req *livekit.DeleteSIPTrunkRequest) (*livekit.SIPTrunkInfo, error) {
+ if err := EnsureSIPAdminPermission(ctx); err != nil {
+ return nil, twirpAuthError(err)
+ }
 if s.store == nil {
 return nil, ErrSIPNotConnected
 }
@@ -207,6 +228,9 @@ func (s *SIPService) DeleteSIPTrunk(ctx context.Context, req *livekit.DeleteSIPT
 }
 
 func (s *SIPService) CreateSIPDispatchRule(ctx context.Context, req *livekit.CreateSIPDispatchRuleRequest) (*livekit.SIPDispatchRuleInfo, error) {
+ if err := EnsureSIPAdminPermission(ctx); err != nil {
+ return nil, twirpAuthError(err)
+ }
 if s.store == nil {
 return nil, ErrSIPNotConnected
 }
@@ -239,6 +263,9 @@ func (s *SIPService) CreateSIPDispatchRule(ctx context.Context, req *livekit.Cre
 }
 
 func (s *SIPService) ListSIPDispatchRule(ctx context.Context, req *livekit.ListSIPDispatchRuleRequest) (*livekit.ListSIPDispatchRuleResponse, error) {
+ if err := EnsureSIPAdminPermission(ctx); err != nil {
+ return nil, twirpAuthError(err)
+ }
 if s.store == nil {
 return nil, ErrSIPNotConnected
 }
@@ -252,6 +279,9 @@ func (s *SIPService) ListSIPDispatchRule(ctx context.Context, req *livekit.ListS
 }
 
 func (s *SIPService) DeleteSIPDispatchRule(ctx context.Context, req *livekit.DeleteSIPDispatchRuleRequest) (*livekit.SIPDispatchRuleInfo, error) {
+ if err := EnsureSIPAdminPermission(ctx); err != nil {
+ return nil, twirpAuthError(err)
+ }
 if s.store == nil {
 return nil, ErrSIPNotConnected
 }
@@ -269,6 +299,9 @@ func (s *SIPService) DeleteSIPDispatchRule(ctx context.Context, req *livekit.Del
 }
 
 func (s *SIPService) CreateSIPParticipantWithToken(ctx context.Context, req *livekit.CreateSIPParticipantRequest, wsUrl, token string) (*livekit.SIPParticipantInfo, error) {
+ if err := EnsureSIPCallPermission(ctx); err != nil {
+ return nil, twirpAuthError(err)
+ }
 if s.store == nil {
 return nil, ErrSIPNotConnected
 }
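Review bot: CreateSIPParticipantWithToken is gated on the Call flag only, so a caller holding just the SIP Admin grant is refused here while being allowed to create and delete the trunks and dispatch rules the call would use; whether Admin is meant to imply Call is not stated anywhere in the commit and should be decided and documented, either by having EnsureSIPCallPermission accept Admin as well or by a comment here explaining the deliberate separation. The check reads the API caller's grants from ctx and does not consult the `token` argument, which is easy to misread given the method name; a one-line comment, `// Authorization comes from the caller's ctx grants; token is passed through for the participant and is not checked here.`, would prevent that. If a thinner `CreateSIPParticipant` variant exists elsewhere in this file (not visible in the hunk), it should reach this method rather than the store directly so the gate cannot be bypassed. The method body continues beyond the hunk.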