From fa5c2c37441768babdc78b7022bae63a3baf8317 Mon Sep 17 00:00:00 2001
From: gioelecerati <50955448+gioelecerati@users.noreply.github.com>
Date: Mon, 30 Oct 2023 15:11:45 +0100
Subject: [PATCH] access-control: cookie based access control (#934)
* access-control: cookie based access control
* fix isauthorized
---
 handlers/accesscontrol/access-control.go | 19 ++++++++++++++-----
 handlers/misttriggers/user_new.go | 11 +++++++++++
 middleware/gating.go | 7 ++++++-
 3 files changed, 31 insertions(+), 6 deletions(-)
diff --git a/handlers/accesscontrol/access-control.go b/handlers/accesscontrol/access-control.go
index ddbef8f0b..94136cbd7 100644
--- a/handlers/accesscontrol/access-control.go
+++ b/handlers/accesscontrol/access-control.go
@@ -8,7 +8,6 @@ import (
 "errors"
 "fmt"
 "net/http"
- "net/url"
 "strings"
 "sync"
 "time"
@@ -63,7 +62,7 @@ func NewAccessControlHandlersCollection(cli config.Cli) *AccessControlHandlersCo
 func (ac *AccessControlHandlersCollection) HandleUserNew(ctx context.Context, payload *misttriggers.UserNewPayload) (bool, error) {
 playbackID := payload.StreamName[strings.Index(payload.StreamName, "+")+1:]
- playbackAccessControlAllowed, err := ac.IsAuthorized(playbackID, payload.URL)
+ playbackAccessControlAllowed, err := ac.IsAuthorized(playbackID, payload)
 if err != nil {
 glog.Errorf("Unable to get playback access control info for playbackId=%v err=%s", playbackID, err.Error())
 return false, err
@@ -78,11 +77,21 @@ func (ac *AccessControlHandlersCollection) HandleUserNew(ctx context.Context, pa
 return false, nil
 }
-func (ac *AccessControlHandlersCollection) IsAuthorized(playbackID string, reqURL *url.URL) (bool, error) {
+func (ac *AccessControlHandlersCollection) IsAuthorized(playbackID string, payload *misttriggers.UserNewPayload) (bool, error) {
+ acReq := PlaybackAccessControlRequest{Stream: playbackID, Type: "accessKey"}
 cacheKey := ""
- accessKey := reqURL.Query().Get("accessKey")
- jwt := reqURL.Query().Get("jwt")
+ accessKey := payload.URL.Query().Get("accessKey")
+ jwt := payload.URL.Query().Get("jwt")
+
+ if accessKey == "" {
+ accessKey = payload.AccessKey
+ }
+
+ if jwt == "" {
+ jwt = payload.JWT
+ }
+
 if accessKey != "" {
 acReq.Type = "accessKey"
 acReq.AccessKey = accessKey
diff --git a/handlers/misttriggers/user_new.go b/handlers/misttriggers/user_new.go
index 4f126f6f1..8b300b53e 100644
--- a/handlers/misttriggers/user_new.go
+++ b/handlers/misttriggers/user_new.go
@@ -17,6 +17,9 @@ type UserNewPayload struct {
 URL *url.URL
 FullURL string
 SessionID string
+ Cookies []*http.Cookie
+ AccessKey string
+ JWT string
 }
 func ParseUserNewPayload(payload MistTriggerBody) (UserNewPayload, error) {
@@ -43,6 +46,14 @@ func ParseUserNewPayload(payload MistTriggerBody) (UserNewPayload, error) {
 func (d *MistCallbackHandlersCollection) TriggerUserNew(ctx context.Context, w http.ResponseWriter, req *http.Request, body MistTriggerBody) {
 payload, err := ParseUserNewPayload(body)
+ cookies := req.Cookies()
+ accessKey := req.Header.Get("X-Livepeer-Access-Key")
+ jwt := req.Header.Get("X-Livepeer-JWT")
+
+ payload.Cookies = cookies // would remove probably when everything's working
+ payload.AccessKey = accessKey
+ payload.JWT = jwt
+
 if err != nil {
 glog.Infof("Error parsing USER_NEW payload error=%q payload=%q", err, string(body))
 w.WriteHeader(http.StatusBadRequest)
diff --git a/middleware/gating.go b/middleware/gating.go
index 1d992a03b..4d6002af9 100644
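Review bot: The fallback at `if accessKey == "" { accessKey = payload.AccessKey }` (and the matching `jwt` block) means a credential in the query string silently wins over one the caller stored in `payload.AccessKey` / `payload.JWT`, so a request carrying two different credentials is authorized on the query one and the conflict is never surfaced. If that precedence is intended, say so above the two blocks: `// Query-string credentials take precedence; payload.AccessKey / payload.JWT (header- or cookie-supplied) are only consulted when the query string has none.`; if it is not, rejecting a request whose two sources disagree is the safer default. `payload.URL.Query()` also dereferences `payload.URL` without a guard — the `GatingCheck` caller always sets it, but `HandleUserNew` passes whatever `ParseUserNewPayload` produced, so a cheap `if payload == nil || payload.URL == nil { return false, errors.New("missing request URL") }` at the top would turn a possible panic into an error (`errors` is already imported in this file). The `acReq.Type = "accessKey"` assignment inside the `if` duplicates the value set in the new `acReq` literal and can go. IsAuthorized's body continues past the end of the hunk.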
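Review bot: `payload.Cookies` is filled from `req.Cookies()` but nothing in this patch reads it — `IsAuthorized` consumes only `payload.AccessKey` and `payload.JWT`, which here come from the `X-Livepeer-Access-Key` and `X-Livepeer-JWT` headers, so the cookie-based path the commit title describes is not actually wired up, and the `// would remove probably when everything's working` comment concedes the field is provisional. Either derive `accessKey`/`jwt` from a named cookie when the header is absent, or leave `Cookies` out until it has a consumer: copying the whole cookie jar into the payload widens what every later trigger handler (and any payload logging) can see for no current benefit. Minor ordering point: the assignments into `payload` run before the `if err != nil` check, so on a parse failure they populate a zero-value payload that is about to be discarded; moving the three assignments below the early return keeps the error path minimal. Whether `req` here is the viewer's request or MistServer's trigger callback decides how much these headers can be trusted, and that is not visible in the hunk — worth a comment either way. TriggerUserNew's body continues past the end of the hunk.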
--- a/middleware/gating.go
+++ b/middleware/gating.go
@@ -8,6 +8,7 @@ import (
 "github.com/livepeer/catalyst-api/config"
 catErrs "github.com/livepeer/catalyst-api/errors"
 "github.com/livepeer/catalyst-api/handlers/accesscontrol"
+ "github.com/livepeer/catalyst-api/handlers/misttriggers"
 "github.com/livepeer/catalyst-api/log"
 "github.com/livepeer/catalyst-api/playback"
 "github.com/livepeer/catalyst-api/requests"
@@ -31,7 +32,11 @@ func (h *GatingHandler) GatingCheck(next httprouter.Handle) httprouter.Handle {
 accessKey := req.URL.Query().Get("accessKey")
 jwt := req.URL.Query().Get("jwt")
- playbackAccessControlAllowed, err := h.AccessControl.IsAuthorized(playbackID, req.URL)
+ payload := misttriggers.UserNewPayload{
+ URL: req.URL,
+ }
+
+ playbackAccessControlAllowed, err := h.AccessControl.IsAuthorized(playbackID, &payload)
 if err != nil {
 log.LogError(requestID, "unable to get playback access control info", err, "playbackID", playbackID, "accessKey", accessKey, "jwt", jwt)
 catErrs.WriteHTTPInternalServerError(w, "error authorizing playback request", nil)
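Review bot: The struct literal `payload := misttriggers.UserNewPayload{ URL: req.URL, }` sets only the URL, so header-supplied credentials are ignored on this path while `TriggerUserNew` in the same commit fills `AccessKey`/`JWT` from `X-Livepeer-Access-Key` and `X-Livepeer-JWT` — the two entry points into `IsAuthorized` now accept different credential sources for the same playback ID. If the middleware is meant to behave the same, add `AccessKey: req.Header.Get("X-Livepeer-Access-Key"),` and `JWT: req.Header.Get("X-Livepeer-JWT"),` to the literal; if the divergence is deliberate, a one-line comment on the literal saying that only query-string credentials are honoured here would save the next reader the trip. Separately, the unchanged `log.LogError` line just below still writes the raw `accessKey` and `jwt` values into the error log; logging only whether each was present avoids persisting credentials in log storage. GatingCheck's closure continues past the end of the hunk.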