Mux Playback Restriction ( Secure Streams )

Change-Id: I0c244295686c28e44173982684c300bb59a990b6

Author: smarcet

app/Http/Controllers/Apis/Protected/Summit/Factories/SummitValidationRulesFactory.php

@@ -15,6 +15,8 @@
 use App\Http\ValidationRulesFactories\AbstractValidationRulesFactory;
 use App\Models\Foundation\Summit\ISummitExternalScheduleFeedType;
 use App\Models\Foundation\Summit\Registration\ISummitExternalRegistrationFeedType;
+use App\Rules\DomainArray;
+
 /**
  * Class SummitValidationRulesFactory
  * @package App\Http\Controllers
@@ -100,6 +102,7 @@ public static function buildForAdd(array $payload = []): array
             'registration_slug_prefix' => 'sometimes|string|max:50',
             'mux_token_id' => 'nullable|string',
             'mux_token_secret' => 'nullable|string',
+            'mux_allowed_domains' => ['sometimes', new DomainArray()],
         ];
     }
 
@@ -181,6 +184,7 @@ public static function buildForUpdate(array $payload = []): array
             'registration_slug_prefix' => 'sometimes|string|max:50',
             'mux_token_id' => 'nullable|string',
             'mux_token_secret' => 'nullable|string',
+            'mux_allowed_domains' => ['sometimes', new DomainArray()],
         ];
     }
 }

app/Jobs/CreateMUXPlaybackRestrictionForSummit.php

@@ -0,0 +1,69 @@
+<?php namespace App\Jobs;
+/*
+ * Copyright 2023 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldQueue;
+use Illuminate\Foundation\Bus\Dispatchable;
+use Illuminate\Queue\InteractsWithQueue;
+use Illuminate\Queue\SerializesModels;
+use Illuminate\Support\Facades\Log;
+use services\model\ISummitService;
+
+/**
+ * Class CreateMUXPlaybackRestrictionForSummit
+ * @package App\Jobs
+ */
+final class CreateMUXPlaybackRestrictionForSummit implements ShouldQueue
+{
+    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
+
+    public $tries = 2;
+    /**
+     * @var int
+     */
+    private $summit_id;
+
+    /**
+     * @param int $summit_id
+     */
+    public function __construct(int $summit_id)
+    {
+        $this->summit_id = $summit_id;
+    }
+
+    public function handle(ISummitService $service)
+    {
+        try {
+            Log::debug("CreateMUXPlaybackRestrictionForSummit::handle summit id {$this->summit_id}");
+            $service->generateMuxPlaybackRestriction($this->summit_id);
+        } catch (\Exception $ex) {
+            Log::error($ex);
+            throw $ex;
+        }
+    }
+
+    public function failed(\Throwable $exception)
+    {
+        Log::debug
+        (
+            sprintf
+            (
+                "CreateMUXPlaybackRestrictionForSummit::failed summit id %s error %s",
+                $this->summit_id,
+                $exception->getMessage()
+            )
+        );
+        Log::error($exception);
+    }
+}

app/ModelSerializers/Summit/AdminSummitSerializer.php

@@ -67,6 +67,7 @@ final class AdminSummitSerializer extends SummitSerializer
         // MUX
         'MuxTokenId' => 'mux_token_id:json_string',
         'MuxTokenSecret' => 'mux_token_secret:json_string',
+        'MuxAllowedDomains' => 'mux_allowed_domains:json_string_array',
     ];
 
     protected static $allowed_relations = [

app/ModelSerializers/Summit/SummitEventSecureStreamSerializer.php

@@ -24,7 +24,7 @@
  */
 final class SummitEventSecureStreamSerializer extends SilverStripeSerializer
 {
-    const JWT_TTL = 60 * 60 * 24; // secs
+    const JWT_TTL = 60 * 60 * 6; // secs
     const TTL_SKEW = 60; // secs
     /**
      * @param $expand
@@ -44,14 +44,16 @@ public function serialize($expand = null, array $fields = [], array $relations =
 
         Log::debug(sprintf("SummitEventSecureStreamSerializer::serialize cache key %s", $key));
 
-        if(Cache::has($key)){
-            $values = json_decode(Cache::get($key), true);
+        $summit = $event->getSummit();
+
+        if(Cache::tags(sprintf('secure_streams_%s',$summit->getId()))->has($key)){
+            $values = json_decode(Cache::tags(sprintf('secure_streams_%s',$summit->getId()))->get($key), true);
             Log::debug(sprintf("SummitEventSecureStreamSerializer::serialize cache hit for event %s", $event->getId()));
             return $values;
         }
 
         $values = parent::serialize($expand, $fields, $relations, $params);
-        $summit = $event->getSummit();
+
 
         if(!$event->IsSecureStream()){
             Log::debug
@@ -120,7 +122,7 @@ public function serialize($expand = null, array $fields = [], array $relations =
         $stream_duration = $event->getStreamDuration();
         if(!$stream_duration) $stream_duration = self::JWT_TTL;
         $exp = time() +  $stream_duration;
-
+        $playback_restriction_id = $summit->getMuxPlaybackRestrictionId();
         foreach($tokenTypes as $type => $audience ) {
 
             $payload = [
@@ -130,13 +132,17 @@ public function serialize($expand = null, array $fields = [], array $relations =
                 "kid" => $key_id,
             ];
 
+            if(!empty($playback_restriction_id))
+                $payload['playback_restriction_id'] = $playback_restriction_id;
+
+
            $tokens[$type] = JWT::encode($payload, base64_decode($key_secret), 'RS256');
         }
 
 
         $values['tokens'] = $tokens;
 
-        Cache::put($key, json_encode($values),  $stream_duration - self::TTL_SKEW);
+        Cache::tags(sprintf('secure_streams_%s',$summit->getId()))->put($key, json_encode($values),  $stream_duration - self::TTL_SKEW);
 
         return $values;
     }

app/Models/Foundation/Summit/Events/SummitEvent.php

@@ -1218,7 +1218,8 @@ public function setStreamingUrl(?string $streaming_url): void
     {
         $this->streaming_url = $streaming_url;
         $key = $this->getSecureStreamCacheKey();
-        if(Cache::has($key)) Cache::forget($key);
+        if(Cache::tags(sprintf('secure_streams_%s',$this->summit->getId()))->has($key))
+            Cache::tags(sprintf('secure_streams_%s',$this->summit->getId()))->forget($key);
     }
 
     /**
@@ -1462,7 +1463,8 @@ public function setStreamingType(string $streaming_type): void
             throw new ValidationException(sprintf("%s is not a valid streaming type", $streaming_type));
         $this->streaming_type = $streaming_type;
         $key = $this->getSecureStreamCacheKey();
-        if(Cache::has($key)) Cache::forget($key);
+        if(Cache::tags(sprintf('secure_streams_%s',$this->summit->getId()))->has($key))
+            Cache::tags(sprintf('secure_streams_%s',$this->summit->getId()))->forget($key);
     }
 
     /**
@@ -1588,7 +1590,8 @@ public function setStreamIsSecure(bool $stream_is_secure): void
         $this->stream_is_secure = $stream_is_secure;
 
         $key = $this->getSecureStreamCacheKey();
-        if(Cache::has($key)) Cache::forget($key);
+        if(Cache::tags(sprintf('secure_streams_%s',$this->summit->getId()))->has($key))
+            Cache::tags(sprintf('secure_streams_%s',$this->summit->getId()))->forget($key);
 
         if($this->hasSummit() && $this->stream_is_secure && !$this->summit->hasMuxPrivateKey())
             CreateMUXURLSigningKeyForSummit::dispatch($this->summit->getId());

app/Models/Foundation/Summit/Factories/SummitFactory.php

@@ -484,6 +484,10 @@ public static function populate(Summit $summit, array $data){
             $summit->setMuxTokenSecret(trim($data['mux_token_secret']));
         }
 
+        if(isset($data['mux_allowed_domains'])){
+            $summit->setMuxAllowedDomains($data['mux_allowed_domains']);
+        }
+
         return $summit;
     }
 }

app/Models/Foundation/Summit/Summit.php

@@ -12,6 +12,7 @@
  * limitations under the License.
  **/
 
+use App\Jobs\CreateMUXPlaybackRestrictionForSummit;
 use App\Models\Foundation\Main\IGroup;
 use App\Models\Foundation\Main\OrderableChilds;
 use App\Models\Foundation\Summit\EmailFlows\SummitEmailEventFlowType;
@@ -34,6 +35,7 @@
 use DateTime;
 use Doctrine\Common\Collections\ArrayCollection;
 use Doctrine\Common\Collections\Criteria;
+use Illuminate\Support\Facades\Cache;
 use Illuminate\Support\Facades\Config;
 use Illuminate\Support\Facades\Log;
 use models\exceptions\ValidationException;
@@ -663,6 +665,18 @@ public function setMarketingSiteOauth2ClientScopes(string $marketing_site_oauth2
      */
     private $mux_private_key;
 
+    /**
+     * @ORM\Column(name="MUXPlaybackRestrictionId", type="string")
+     * @var string
+     */
+    private $mux_playback_restriction_id;
+
+    /**
+     * @ORM\Column(name="MUXAllowedDomains", type="string")
+     * @var string
+     */
+    private $mux_allowed_domains;
+
     /**
      * @ORM\OneToMany(targetEntity="models\summit\SummitEventType", mappedBy="summit",  cascade={"persist","remove"}, orphanRemoval=true)
      */
@@ -6489,7 +6503,6 @@ public function hasRelatedActivities(PresentationCategory $track): bool{
     public function getQRCodesEncKey():?string {
         return $this->qr_codes_enc_key;
     }
-
     public function hasQRCodesEncKey():bool{
         return !empty($this->qr_codes_enc_key);
     }
@@ -6573,4 +6586,58 @@ public function hasMuxPrivateKey():bool{
         return !empty($this->mux_private_key);
     }
 
+    /**
+     * @return string
+     */
+    public function getMuxPlaybackRestrictionId(): ?string
+    {
+        return $this->mux_playback_restriction_id;
+    }
+
+    /**
+     * @param string $mux_playback_restriction_id
+     */
+    public function setMuxPlaybackRestrictionId(string $mux_playback_restriction_id): void
+    {
+        $this->mux_playback_restriction_id = $mux_playback_restriction_id;
+
+        Cache::tags(sprintf('secure_streams_%s', $this->id))->flush();
+    }
+
+    public function clearMuxPlaybackRestrictionId(): void
+    {
+        $this->mux_playback_restriction_id = null;
+
+        Cache::tags(sprintf('secure_streams_%s', $this->id))->flush();
+    }
+
+    /**
+     * @return string
+     */
+    public function getMuxAllowedDomains(): array
+    {
+        if(empty($this->mux_allowed_domains)) return [];
+        return explode('|', $this->mux_allowed_domains);
+    }
+
+    /**
+     * @param array $mux_allowed_domains
+     */
+    public function setMuxAllowedDomains(array $mux_allowed_domains): void
+    {
+        Log::debug
+        (
+            sprintf
+            (
+                "Summit::setMuxAllowedDomains summit %s mux_allowed_domains %s",
+                $this->getId(),
+                json_encode($mux_allowed_domains)
+            )
+        );
+
+        $this->mux_allowed_domains = implode('|', $mux_allowed_domains);
+        if(!empty($this->mux_token_id) && !empty($this->mux_token_secret))
+            CreateMUXPlaybackRestrictionForSummit::dispatch($this->id);
+    }
+
 }

app/Rules/Domain.php

@@ -0,0 +1,59 @@
+<?php namespace App\Rules;
+/*
+ * Copyright 2023 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+use Illuminate\Contracts\Validation\Rule;
+use Illuminate\Support\Facades\Log;
+
+/**
+ * Class Domain
+ * @package App\Rules
+ */
+final class Domain implements Rule
+{
+    public static function validate($attribute, $value): bool
+    {
+        Log::debug(sprintf("Domain::validate %s", $value));
+
+        if (stripos($value, 'localhost') !== false) {
+            return true;
+        }
+
+        if(!preg_match('/^(?:[a-z0-9](?:[a-z0-9-æøå]{0,61}[a-z0-9])?\.)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$/isu', $value))
+            return false;
+
+        return true;
+    }
+
+    /**
+     * Determine if the validation rule passes.
+     *
+     * @param  string  $attribute
+     * @param  mixed  $value
+     * @return bool
+     */
+    public function passes($attribute, $value): bool
+    {
+       return self::validate($attribute, $value);
+    }
+
+    /**
+     * Get the validation error message.
+     *
+     * @return string
+     */
+    public function message(): string
+    {
+        return trans('The :attribute is not a valid domain.');
+    }
+}