accessControl: Add /gate endpoint for Catalyst integration #1317

Merged
merged 17 commits into from
Oct 4, 2022

@gioelecerati gioelecerati commented Sep 29, 2022

What does this pull request do? Explain your changes. (required)

Creates a /access-control/gate endpoint for Catalyst integration

Specific updates (required)

  • Allows passing a stream or an asset playbackId to the endpoint
  • The response can be either 2XX or 4XX depending on the existence of the content, whether the publicKey is valid and owned by the same User that owns the content

| Condition | Status Code | Allowed |
|---|---|---|
| Content is not gated | 204 No Content | YES |
| Content is gated and JWT is valid | 204 No Content | YES |
| Content not found | 404 Not found | NO |
| Content is gated, Signing Key does not exist | 403 Forbidden | NO |
| Content is gated, signing key and content don’t share the same owner | 403 Forbidden | NO |
| Content is gated, signing key is disabled | 403 Forbidden | NO |
| Content does not have a playback Policy | 204 No Content | YES |

  • Tests for all the possible cases

How did you test each of these updates (required)

yarn test

Does this pull request close any open issues?

Fixes #1285
Partially Fixes #1288

Screenshots (optional):

Checklist:

  • I have read the CONTRIBUTING document.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.

@gioelecerati gioelecerati requested a review from a team as a code owner September 29, 2022 15:16

vercel bot commented Sep 29, 2022

The latest updates on your projects. Learn more about Vercel for Git ↗︎

| Name | Status | Preview | Updated |
|---|---|---|---|
| livepeer-studio | ✅ Ready (Inspect) | Visit Preview | Oct 3, 2022 at 11:42PM (UTC) |

@@ -8,4 +14,59 @@
accessControl.use("/signing-key", signingKeyApp);
app.use("/access-control", accessControl);

accessControl.post(
"/gate",
authorizer({ anyAdmin: true }),
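
Review bot: `accessControl.post("/gate", ...)` goes straight from `authorizer({ anyAdmin: true })` to the handler with no rate-limiting middleware in between, which is what the CodeQL check on this line flags. If the limit is enforced upstream of this router, a comment saying so would settle the finding; otherwise add a limiter after the authorizer. A short comment on why the route requires `anyAdmin`, and which caller is expected to hold that credential, would also help future readers.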

Check failure

Code scanning / CodeQL

Missing rate limiting

This route handler performs authorization, but is not rate-limited.

codecov bot commented Sep 29, 2022

Codecov Report

Merging #1317 (fc7df4a) into master (7814e9b) will increase coverage by 0.27925%.
The diff coverage is 88.23529%.


@@                 Coverage Diff                 @@
##              master       #1317         +/-   ##
===================================================
+ Coverage   51.60416%   51.88341%   +0.27924%     
===================================================
  Files             68          68                 
  Lines           4426        4460         +34     
  Branches         822         833         +11     
===================================================
+ Hits            2284        2314         +30     
- Misses          1849        1851          +2     
- Partials         293         295          +2     

| Impacted Files | Coverage Δ |
|---|---|
| packages/api/src/controllers/signing-key.ts | 60.67416% <ø> (ø) |
| packages/api/src/controllers/access-control.ts | 89.18919% <87.87879%> (-10.81082%) ⬇️ |
| packages/api/src/middleware/tracking.ts | 81.81818% <100.00000%> (+0.86579%) ⬆️ |

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@victorges victorges left a comment


LGTM, but I have some specific suggestions to make the code a little more maintainable specifically regarding security. Overall, we should default to (gate) "closed" instead of "open" in unexpected code paths or inputs.


@victorges victorges left a comment


re-LGTM!
(haven't checked the code again but the replies to comment make full sense)


const user = await db.user.get(content.userId);

if (user.suspended) {
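
Review bot: `user.suspended` is read without checking that `db.user.get(content.userId)` returned a record. If the owner can be missing, handle that case explicitly with a denying response before the `if (user.suspended)` test, so the outcome is a deliberate deny rather than an exception.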

@victorges victorges Oct 3, 2022


This should not be here. It is common logic for any kind of playback policy. If the user is suspended, playback should be invariably blocked.

So this should go to before any branch on the playback policy, right after fetching the content itself.

Also, you should also check || content.suspended which is available for stream objects. Given assets don't have that field, you might need to do || ("suspended" in content && content.suspended) for TypeScript happiness.
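
Added example, not part of the PR or the project's code: a sketch of the decision table from the PR description combined with the review advice above (suspension checked before any policy branch, unknown paths default to closed). All type, field and policy-type names (`gateStatus`, `"public"`, `"jwt"`, the `Store` maps) are hypothetical, and the 403 returned for suspension is an assumption since the table has no row for it.

```typescript
// Added example: all type, field and policy names below are hypothetical.
interface Content { userId: string; suspended?: boolean; playbackPolicy?: { type: string } }
interface User { suspended?: boolean }
interface SigningKey { userId: string; disabled?: boolean }
interface Store {
  content: Map<string, Content>;  // keyed by playbackId
  users: Map<string, User>;       // keyed by user id
  keys: Map<string, SigningKey>;  // keyed by public key
}

// Returns the HTTP status the gate would answer with.
function gateStatus(store: Store, playbackId: string, publicKey?: string): number {
  const content = store.content.get(playbackId);
  if (!content) return 404;                            // content not found

  // Suspension is common to every policy: check it before branching.
  // The 403 here is an assumption; the PR's table has no row for it.
  const owner = store.users.get(content.userId);
  if (!owner || owner.suspended || content.suspended) return 403;

  const policy = content.playbackPolicy;
  if (!policy || policy.type === "public") return 204; // no policy / not gated

  if (policy.type === "jwt") {
    const key = publicKey ? store.keys.get(publicKey) : undefined;
    if (!key) return 403;                              // signing key does not exist
    if (key.userId !== content.userId) return 403;     // key and content owners differ
    if (key.disabled) return 403;                      // signing key disabled
    return 204;                                        // gated, key accepted
  }
  return 403; // unrecognised policy type: the gate stays closed
}

// Constructed sample data, not taken from the project.
const store: Store = {
  content: new Map<string, Content>([
    ["open", { userId: "u1", playbackPolicy: { type: "public" } }],
    ["gated", { userId: "u1", playbackPolicy: { type: "jwt" } }],
    ["nopolicy", { userId: "u1" }],
    ["odd", { userId: "u1", playbackPolicy: { type: "future-type" } }],
    ["susp", { userId: "u2", playbackPolicy: { type: "public" } }],
  ]),
  users: new Map<string, User>([["u1", {}], ["u2", { suspended: true }]]),
  keys: new Map<string, SigningKey>([
    ["pk-ok", { userId: "u1" }],
    ["pk-other", { userId: "u2" }],
    ["pk-off", { userId: "u1", disabled: true }],
  ]),
};
```

The `"odd"` and `"susp"` entries exercise the two paths the review asks for: a policy type the handler does not recognise, and a suspended owner whose content is otherwise public.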


Successfully merging this pull request may close these issues.

  • Integrate with catalyst playback hook
  • Create API to validate access to a playback request