Change authz object for agent writer config (#243)

foxford · May 20, 2021 · f94be0c · f94be0c
1 parent b0fb07f
commit f94be0c
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 13 deletions.
diff --git a/docs/src/authz.md b/docs/src/authz.md
@@ -26,8 +26,6 @@ object / action                           | create | read | update | list | subs
 ----------------------------------------- | ------ | ---- | ------ | ---- | ---------
 ["rooms"]                                 |      + |      |        |    + |
 ["rooms", ROOM_ID]                        |        |    + |      + |      |
-["rooms", ROOM_ID, "agents"]              |        |      |      + |    + |
-["rooms", ROOM_ID, "agents", AGENT_ID]    |        |    + |        |      |
 ["rooms", ROOM_ID, "rtcs"]                |      + |      |        |    + |
 ["rooms", ROOM_ID, "rtcs", RTC_ID]        |        |    + |      + |      |
 ["rooms", ROOM_ID, "events"]              |        |      |        |      |         +
diff --git a/src/app/endpoint/agent_writer_config.rs b/src/app/endpoint/agent_writer_config.rs
@@ -128,13 +128,22 @@ impl RequestHandler for UpdateHandler {
         };
 
         // Authorize agent writer config updating on the tenant.
-        let room_id = room.id().to_string();
-        let object = vec!["rooms", &room_id, "agents"];
+        let is_only_owned_config =
+            payload.configs.len() == 1 && &payload.configs[0].agent_id == reqp.as_agent_id();
 
-        let authz_time = context
-            .authz()
-            .authorize(room.audience(), reqp, object, "update")
-            .await?;
+        let maybe_authz_time = if is_only_owned_config {
+            None
+        } else {
+            let room_id = room.id().to_string();
+            let object = vec!["rooms", &room_id];
+
+            let authz_time = context
+                .authz()
+                .authorize(room.audience(), reqp, object, "update")
+                .await?;
+
+            Some(authz_time)
+        };
 
         let conn = context.get_conn()?;
 
@@ -195,7 +204,7 @@ impl RequestHandler for UpdateHandler {
             state.clone(),
             reqp,
             context.start_timestamp(),
-            Some(authz_time),
+            maybe_authz_time,
         );
 
         let notification = helpers::build_notification(
@@ -224,7 +233,7 @@ impl RequestHandler for UpdateHandler {
                     &backend,
                     &rtc_writer_configs_with_rtcs,
                     context.start_timestamp(),
-                    authz_time,
+                    maybe_authz_time,
                 )
                 .or_else(|err| Err(err).error(AppErrorKind::MessageBuildingFailed))?;
 
@@ -352,7 +361,7 @@ mod tests {
 
             // Allow agent to update agent_writer_config.
             let room_id = room.id().to_string();
-            let object = vec!["rooms", &room_id, "agents"];
+            let object = vec!["rooms", &room_id];
             authz.allow(agent1.account_id(), object, "update");
 
             // Make agent_writer_config.update request.

diff --git a/src/backend/janus/transactions/update_agent_writer_config.rs b/src/backend/janus/transactions/update_agent_writer_config.rs
@@ -26,11 +26,14 @@ impl Client {
         backend: &JanusBackend,
         rtc_writer_configs_with_rtcs: &[(RtcWriterConfig, Rtc)],
         start_timestamp: DateTime<Utc>,
-        authz_time: Duration,
+        maybe_authz_time: Option<Duration>,
     ) -> Result<OutgoingMessage<MessageRequest>> {
         let to = backend.id();
         let mut short_term_timing = ShortTermTimingProperties::until_now(start_timestamp);
-        short_term_timing.set_authorization_time(authz_time);
+
+        if let Some(authz_time) = maybe_authz_time {
+            short_term_timing.set_authorization_time(authz_time);
+        }
 
         let props = reqp.to_request(
             METHOD,