From 9a45b594140625d92fbf2eb3d35f3d9b5dabec65 Mon Sep 17 00:00:00 2001
From: Benjamin Pracht <benjamin@livekit.io>
Date: Wed, 26 Oct 2022 21:37:36 -0700
Subject: [PATCH] Use ingress specific grants (#1125)

---
 pkg/service/auth.go    |  8 ++++++++
 pkg/service/ingress.go | 17 ++++-------------
 2 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/pkg/service/auth.go b/pkg/service/auth.go
index da3803f45..a5f97da9a 100644
--- a/pkg/service/auth.go
+++ b/pkg/service/auth.go
@@ -161,6 +161,14 @@ func EnsureRecordPermission(ctx context.Context) error {
 	return nil
 }
 
+func EnsureIngressAdminPermission(ctx context.Context) error {
+	claims := GetGrants(ctx)
+	if claims == nil || !claims.Video.IngressAdmin {
+		return ErrPermissionDenied
+	}
+	return nil
+}
+
 // wraps authentication errors around Twirp
 func twirpAuthError(err error) error {
 	return twirp.NewError(twirp.Unauthenticated, err.Error())
diff --git a/pkg/service/ingress.go b/pkg/service/ingress.go
index e23d91eb7..e35a81787 100644
--- a/pkg/service/ingress.go
+++ b/pkg/service/ingress.go
@@ -64,13 +64,10 @@ func (s *IngressService) CreateIngress(ctx context.Context, req *livekit.CreateI
 }
 
 func (s *IngressService) CreateIngressWithUrlPrefix(ctx context.Context, urlPrefix string, req *livekit.CreateIngressRequest) (*livekit.IngressInfo, error) {
-	roomName, err := EnsureJoinPermission(ctx)
+	err := EnsureIngressAdminPermission(ctx)
 	if err != nil {
 		return nil, twirpAuthError(err)
 	}
-	if req.RoomName != "" && req.RoomName != string(roomName) {
-		return nil, twirpAuthError(ErrPermissionDenied)
-	}
 
 	sk := utils.NewGuid("")
 
@@ -133,13 +130,10 @@ func (s *IngressService) sendRPCWithRetry(ctx context.Context, req *livekit.Ingr
 }
 
 func (s *IngressService) UpdateIngress(ctx context.Context, req *livekit.UpdateIngressRequest) (*livekit.IngressInfo, error) {
-	roomName, err := EnsureJoinPermission(ctx)
+	err := EnsureIngressAdminPermission(ctx)
 	if err != nil {
 		return nil, twirpAuthError(err)
 	}
-	if req.RoomName != "" && req.RoomName != string(roomName) {
-		return nil, twirpAuthError(ErrPermissionDenied)
-	}
 
 	if s.rpcClient == nil {
 		return nil, ErrIngressNotConnected
@@ -204,13 +198,10 @@ func (s *IngressService) UpdateIngress(ctx context.Context, req *livekit.UpdateI
 }
 
 func (s *IngressService) ListIngress(ctx context.Context, req *livekit.ListIngressRequest) (*livekit.ListIngressResponse, error) {
-	roomName, err := EnsureJoinPermission(ctx)
+	err := EnsureIngressAdminPermission(ctx)
 	if err != nil {
 		return nil, twirpAuthError(err)
 	}
-	if req.RoomName != "" && req.RoomName != string(roomName) {
-		return nil, twirpAuthError(ErrPermissionDenied)
-	}
 
 	infos, err := s.store.ListIngress(ctx, livekit.RoomName(req.RoomName))
 	if err != nil {
@@ -222,7 +213,7 @@ func (s *IngressService) ListIngress(ctx context.Context, req *livekit.ListIngre
 }
 
 func (s *IngressService) DeleteIngress(ctx context.Context, req *livekit.DeleteIngressRequest) (*livekit.IngressInfo, error) {
-	if _, err := EnsureJoinPermission(ctx); err != nil {
+	if err := EnsureIngressAdminPermission(ctx); err != nil {
 		return nil, twirpAuthError(err)
 	}