Use ingress specific grants (#1125)

This commit is contained in:
Benjamin Pracht
2022-10-26 21:37:36 -07:00
committed by GitHub
parent b2493b49f7
commit 9a45b59414
2 changed files with 12 additions and 13 deletions


@@ -161,6 +161,14 @@ func EnsureRecordPermission(ctx context.Context) error {
return nil
}
func EnsureIngressAdminPermission(ctx context.Context) error {
claims := GetGrants(ctx)
if claims == nil || !claims.Video.IngressAdmin {
return ErrPermissionDenied
}
return nil
}
// wraps authentication errors around Twirp
func twirpAuthError(err error) error {
return twirp.NewError(twirp.Unauthenticated, err.Error())
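Review bot: EnsureIngressAdminPermission dereferences `claims.Video` with only a nil check on `claims` itself; if `Video` is a pointer that can be absent from a token's grants (its declaration is not in this hunk), a request whose claims carry no video grant would panic in the check instead of receiving ErrPermissionDenied, so the guard should read `if claims == nil || claims.Video == nil || !claims.Video.IngressAdmin {`. The function is also exported but undocumented; a comment such as `// EnsureIngressAdminPermission returns ErrPermissionDenied unless the request's grants carry the ingressAdmin video grant. The check is not scoped to a room.` would make the authorization contract visible to callers. The earlier Ensure* helpers in this file are outside the hunk, so whether they already guard `claims.Video` cannot be confirmed here.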


@@ -64,13 +64,10 @@ func (s *IngressService) CreateIngress(ctx context.Context, req *livekit.CreateI
}
func (s *IngressService) CreateIngressWithUrlPrefix(ctx context.Context, urlPrefix string, req *livekit.CreateIngressRequest) (*livekit.IngressInfo, error) {
roomName, err := EnsureJoinPermission(ctx)
err := EnsureIngressAdminPermission(ctx)
if err != nil {
return nil, twirpAuthError(err)
}
if req.RoomName != "" && req.RoomName != string(roomName) {
return nil, twirpAuthError(ErrPermissionDenied)
}
sk := utils.NewGuid("")
@@ -133,13 +130,10 @@ func (s *IngressService) sendRPCWithRetry(ctx context.Context, req *livekit.Ingr
}
func (s *IngressService) UpdateIngress(ctx context.Context, req *livekit.UpdateIngressRequest) (*livekit.IngressInfo, error) {
roomName, err := EnsureJoinPermission(ctx)
err := EnsureIngressAdminPermission(ctx)
if err != nil {
return nil, twirpAuthError(err)
}
if req.RoomName != "" && req.RoomName != string(roomName) {
return nil, twirpAuthError(ErrPermissionDenied)
}
if s.rpcClient == nil {
return nil, ErrIngressNotConnected
@@ -204,13 +198,10 @@ func (s *IngressService) UpdateIngress(ctx context.Context, req *livekit.UpdateI
}
func (s *IngressService) ListIngress(ctx context.Context, req *livekit.ListIngressRequest) (*livekit.ListIngressResponse, error) {
roomName, err := EnsureJoinPermission(ctx)
err := EnsureIngressAdminPermission(ctx)
if err != nil {
return nil, twirpAuthError(err)
}
if req.RoomName != "" && req.RoomName != string(roomName) {
return nil, twirpAuthError(ErrPermissionDenied)
}
infos, err := s.store.ListIngress(ctx, livekit.RoomName(req.RoomName))
if err != nil {
@@ -222,7 +213,7 @@ func (s *IngressService) ListIngress(ctx context.Context, req *livekit.ListIngre
}
func (s *IngressService) DeleteIngress(ctx context.Context, req *livekit.DeleteIngressRequest) (*livekit.IngressInfo, error) {
if _, err := EnsureJoinPermission(ctx); err != nil {
if err := EnsureIngressAdminPermission(ctx); err != nil {
return nil, twirpAuthError(err)
}
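Review bot: CreateIngressWithUrlPrefix, UpdateIngress and ListIngress each keep the two-statement form `err := EnsureIngressAdminPermission(ctx)` followed by `if err != nil {`, while DeleteIngress in the last hunk uses the if-initializer; the three could read `if err := EnsureIngressAdminPermission(ctx); err != nil {` so the new check looks the same in all four handlers and `err` is not left in scope for the rest of the body. With the `req.RoomName != string(roomName)` comparison gone, the room named in the request is no longer tied to the caller's token — the ingressAdmin grant effectively covers every room — which appears to be the intent of this commit but is worth stating on the service, e.g. `// An ingressAdmin grant authorizes ingress operations for any room; req.RoomName is not checked against the token.` Each handler body continues past its hunk, so any remaining use of the old roomName value further down is not visible here.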