Add app device access verification to ACL manager #3074

Merged
merged 15 commits into from
Nov 22, 2023

@Steve-Mcl Steve-Mcl commented Nov 14, 2023

part of #3018

Description

This pull request adds device access verification to the ACL manager, allowing for devices assigned to an application to use the nr-project-nodes.

The changes include new functions for checking device access to projects and applications, as well as updates to existing functions for verifying device access to topics.

ACL changes

Updated to use dev: topic prefix 22/11/2023


ACL / Changes?

project - subscribe: Receive broadcasts from other projects in the team
  topic: ff/v1/<team>/p/+/out/+/#
  verify: checkTeamId

project - subscribe: Receive messages sent to this project
  topic: ff/v1/<team>/p/<project>/in/+/#
  verify: checkTeamAndObjectIds

project - subscribe: Receive link-call response messages sent to this project
  topic: ff/v1/<team>/p/<project>/res[-id]/+/#
  verify: checkTeamAndObjectIds

project - publish: Send message to other project
  topic: ff/v1/<team>/p/+/in/+/#
  verify: checkTeamId

project - publish: Send link-call response messages to other project
  topic: ff/v1/<team>/p/+/res/+/#
  verify: checkTeamId

project - publish: Send broadcast messages
  topic: ff/v1/<team>/p/<project>/out/+/#
  verify: checkTeamAndObjectIds

device - subscribe: Receive broadcasts from other projects in the team
  topic: ff/v1/<team>/p/+/out/+/#
  verify: checkDeviceIsAssigned

device - subscribe: Receive messages sent to this device
  topic: ff/v1/<team>/p/<project>/in/+/#
  verify: checkDeviceCanAccessProject
  verify changed...
  - old: checkDeviceAssignedToProject
  - new: checkDeviceCanAccessProject

device - subscribe: Receive link-call response messages sent to this device (instance owned)
  topic: ff/v1/<team>/p/<project>/res/+/#
  verify: checkDeviceCanAccessProject
  topic changed...
  - old: /^ff\/v1\/([^\/]+)\/p\/([^\/]+)\/res\/[^\/]+($|\/.*$)$/
  - new: /^ff\/v1\/([^\/]+)\/p\/(?!dev:)([^\/]+)\/res\/[^\/]+($|\/.*$)$/
  verify changed...
  - old: checkDeviceAssignedToProject
  - new: checkDeviceCanAccessProject

device - publish: Send message to specific project
  topic: ff/v1/<team>/p/<project>/in/+/#
  verify: checkDeviceCanAccessProject
  topic changed...
  - old: /^ff\/v1\/([^\/]+)\/p\/([^\/]+)\/in\/[^\/]+($|\/.*$)/
  - new: /^ff\/v1\/([^\/]+)\/p\/(?!dev:)([^\/]+)\/in\/[^\/]+($|\/.*$)/

device - publish: Send broadcast messages (from instance owned devices in the team)
  topic: ff/v1/<team>/p/<project>/out/+/#
  verify: checkDeviceCanAccessProject
  topic changed...
  - old: /^ff\/v1\/([^\/]+)\/p\/([^\/]+)\/out\/[^\/]+($|\/.*$)/
  - new: /^ff\/v1\/([^\/]+)\/p\/(?!dev:)([^\/]+)\/out\/[^\/]+($|\/.*$)/
  verify changed...
  - old: checkDeviceAssignedToProject
  - new: checkDeviceCanAccessProject

device - publish: Send link-call response messages back to source instance
  topic: ff/v1/<team>/p/+/res/+/#
  verify: checkDeviceCanAccessProject
  topic changed...
  - old: /^ff\/v1\/([^\/]+)\/p\/([^\/]+)\/res\/[^\/]+($|\/.*$)/
  - new: /^ff\/v1\/([^\/]+)\/p\/(?!dev:)([^\/]+)\/res\/[^\/]+($|\/.*$)/

device - subscribe: Receive link-call response messages sent to this device (app owned)
  topic: ff/v1/<team>/p/dev:<deviceid>/res/+/#
  verify: checkDeviceIsAssigned
  ❌ New ACL...
    topic: /^ff\/v1\/([^\/]+)\/p\/dev:([^\/]+)\/res\/[^\/]+($|\/.*$)$/
    verify: checkDeviceIsAssigned
    shared: false

device - publish: Send broadcast messages (from app owned devices in the team)
  topic: ff/v1/<team>/p/dev:<deviceid>/out/+/#
  verify: checkDeviceIsAssigned
  ❌ New ACL...
    topic: /^ff\/v1\/([^\/]+)\/p\/dev:([^\/]+)\/out\/[^\/]+($|\/.*$)/
    verify: checkDeviceIsAssigned
    shared: false

Verification

Tester will need an instance project with an instance device AND an application assigned device.

Flow for instance/instance device:

[{"id":"44847c54a83c677e","type":"project link in","z":"4928842f215d6b11","name":"broadcast/from/app-device","project":"all","broadcast":true,"topic":"broadcast/from/app-device","x":170,"y":220,"wires":[["567126446dbb84d4"]]},{"id":"eb50ccb766bc049f","type":"project link in","z":"4928842f215d6b11","name":"direct/to/instance","project":"all","broadcast":false,"topic":"directly/to/instance","x":140,"y":280,"wires":[["cc68b2d760289f74"]]},{"id":"2faae5c3b5e829f5","type":"project link in","z":"4928842f215d6b11","name":"production/shifts","project":"all","broadcast":false,"topic":"production/shifts","x":140,"y":400,"wires":[["1dbd7eaf9e745c80"]]},{"id":"1dbd7eaf9e745c80","type":"function","z":"4928842f215d6b11","name":"Get Shifts from DB","func":"switch (msg.topic) {\n    case \"LINE1\":\n        msg.payload = {\n            SOS: '07:00',\n            EOS: '16:40',\n            BRK1: '09:30',\n            BRK2: '12:00',\n            BRK3: '14:40',\n        }\n        break\n    case \"LINE2\":\n        msg.payload = {\n            SOS: '08:00',\n            EOS: '17:30',\n            BRK1: '10:30',\n            BRK2: '13:00',\n            BRK3: '15:40',\n        }\n        break;\n    default:\n        msg.payload = {}\n        msg.error = `Unrecognised Production Line`\n        msg.topic = msg.error\n}\nreturn msg;","outputs":1,"timeout":0,"noerr":0,"initialize":"","finalize":"","libs":[],"x":350,"y":400,"wires":[["cbd8db14efec1154","6c38d0646e7a532e"]]},{"id":"cbd8db14efec1154","type":"project link out","z":"4928842f215d6b11","name":"return","mode":"return","broadcast":false,"project":"c140b5c1-f849-4bf1-afa2-56ff5258606e","topic":"","x":520,"y":400,"wires":[]},{"id":"2334ffed53342096","type":"project link out","z":"4928842f215d6b11","name":"broadcast/all-instances","mode":"link","broadcast":true,"project":"c140b5c1-f849-4bf1-afa2-56ff5258606e","topic":"broadcast/all-instances","x":450,"y":60,"wires":[]},{"id":"8dd1a3b528d49270","type":"project link 
out","z":"4928842f215d6b11","name":"broadcast/from/instance","mode":"link","broadcast":true,"project":"c140b5c1-f849-4bf1-afa2-56ff5258606e","topic":"broadcast/from/instance","x":460,"y":120,"wires":[]},{"id":"cc68b2d760289f74","type":"debug","z":"4928842f215d6b11","name":"debug 2","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"payload","targetType":"msg","statusVal":"","statusType":"auto","x":460,"y":280,"wires":[]},{"id":"567126446dbb84d4","type":"debug","z":"4928842f215d6b11","name":"debug 1","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"payload","targetType":"msg","statusVal":"","statusType":"auto","x":440,"y":220,"wires":[]},{"id":"6c38d0646e7a532e","type":"debug","z":"4928842f215d6b11","name":"debug 7","active":true,"tosidebar":true,"console":true,"tostatus":false,"complete":"true","targetType":"full","statusVal":"","statusType":"auto","x":460,"y":500,"wires":[]},{"id":"e9953748a2392f01","type":"inject","z":"4928842f215d6b11","name":"after 5 sec","props":[{"p":"payload"},{"p":"topic","vt":"str"}],"repeat":"","crontab":"","once":false,"onceDelay":"5","topic":"","payload":"true","payloadType":"bool","x":95,"y":120,"wires":[["60a3ace38b3dba31"]],"l":false},{"id":"50350dba702d7e8b","type":"change","z":"4928842f215d6b11","name":"Get Env Vars","rules":[{"t":"set","p":"payload","pt":"msg","to":"{\"greeting\": \"Hi from 
instance\"}","tot":"json"},{"t":"set","p":"payload.instance","pt":"msg","to":"FF_INSTANCE_NAME","tot":"env"},{"t":"set","p":"payload.id","pt":"msg","to":"FF_INSTANCE_ID","tot":"env"}],"action":"","reg":false,"x":210,"y":60,"wires":[["2334ffed53342096"]]},{"id":"86b2cd1ab19ce971","type":"inject","z":"4928842f215d6b11","name":"","props":[{"p":"payload"},{"p":"topic","vt":"str"}],"repeat":"","crontab":"","once":false,"onceDelay":"5","topic":"","payload":"true","payloadType":"bool","x":95,"y":60,"wires":[["50350dba702d7e8b"]],"l":false},{"id":"60a3ace38b3dba31","type":"change","z":"4928842f215d6b11","name":"Get Env Vars","rules":[{"t":"set","p":"payload","pt":"msg","to":"{\"greeting\": \"Hi from instance\"}","tot":"json"},{"t":"set","p":"payload.instance","pt":"msg","to":"FF_INSTANCE_NAME","tot":"env"},{"t":"set","p":"payload.id","pt":"msg","to":"FF_INSTANCE_ID","tot":"env"}],"action":"","reg":false,"x":210,"y":120,"wires":[["8dd1a3b528d49270"]]}]

Flow for App assigned device

[{"id":"5a4a159ca780ada2","type":"project link in","z":"FFF0000000000001","name":"broadcast/all-instances","project":"all","broadcast":true,"topic":"broadcast/all-instances","x":160,"y":80,"wires":[["817cceb24925bdf4"]]},{"id":"817cceb24925bdf4","type":"debug","z":"FFF0000000000001","name":"debug 1","active":true,"tosidebar":true,"console":true,"tostatus":false,"complete":"payload","targetType":"msg","statusVal":"","statusType":"auto","x":460,"y":80,"wires":[]},{"id":"c33d3ff66c39df74","type":"project link in","z":"FFF0000000000001","name":"broadcast/from/instance","project":"all","broadcast":true,"topic":"broadcast/from/instance","x":160,"y":140,"wires":[["b438e594b40bbafb"]]},{"id":"b438e594b40bbafb","type":"debug","z":"FFF0000000000001","name":"debug 2","active":true,"tosidebar":true,"console":true,"tostatus":false,"complete":"payload","targetType":"msg","statusVal":"","statusType":"auto","x":450,"y":140,"wires":[]},{"id":"e9953748a2392f01","type":"inject","z":"FFF0000000000001","name":"after 5 sec","props":[{"p":"payload"},{"p":"topic","vt":"str"}],"repeat":"","crontab":"","once":false,"onceDelay":"5","topic":"","payload":"true","payloadType":"bool","x":95,"y":320,"wires":[["1a98b3641a3e34bd"]],"l":false},{"id":"1a98b3641a3e34bd","type":"change","z":"FFF0000000000001","name":"Get Env Vars","rules":[{"t":"set","p":"payload","pt":"msg","to":"{\"greeting\": \"Hi from app-device\"}","tot":"json"},{"t":"set","p":"payload.device","pt":"msg","to":"FF_DEVICE_NAME","tot":"env"},{"t":"set","p":"payload.application","pt":"msg","to":"FF_APPLICATION_NAME","tot":"env"}],"action":"","reg":false,"x":210,"y":320,"wires":[["e42e805e204c0341"]]},{"id":"e42e805e204c0341","type":"project link out","z":"FFF0000000000001","name":"directly/to/instance","mode":"link","broadcast":false,"project":"c140b5c1-f849-4bf1-afa2-56ff5258606e","topic":"directly/to/instance","x":410,"y":320,"wires":[]},{"id":"734b45bb2f32695c","type":"project link 
out","z":"FFF0000000000001","name":"broadcast/from/app-device","mode":"link","broadcast":true,"project":"c140b5c1-f849-4bf1-afa2-56ff5258606e","topic":"broadcast/from/app-device","x":440,"y":260,"wires":[]},{"id":"50350dba702d7e8b","type":"change","z":"FFF0000000000001","name":"Get Env Vars","rules":[{"t":"set","p":"payload","pt":"msg","to":"{\"greeting\": \"Hi from app-device\"}","tot":"json"},{"t":"set","p":"payload.device","pt":"msg","to":"FF_DEVICE_NAME","tot":"env"},{"t":"set","p":"payload.application","pt":"msg","to":"FF_APPLICATION_NAME","tot":"env"}],"action":"","reg":false,"x":210,"y":260,"wires":[["734b45bb2f32695c"]]},{"id":"86b2cd1ab19ce971","type":"inject","z":"FFF0000000000001","name":"","props":[{"p":"payload"},{"p":"topic","vt":"str"}],"repeat":"","crontab":"","once":false,"onceDelay":"5","topic":"","payload":"true","payloadType":"bool","x":95,"y":260,"wires":[["50350dba702d7e8b"]],"l":false},{"id":"9811651554bddbf3","type":"project link call","z":"FFF0000000000001","name":"Get Production SHIFT timings","project":"c140b5c1-f849-4bf1-afa2-56ff5258606e","topic":"production/shifts","timeout":"10","x":370,"y":440,"wires":[["d2fb86fcce11e633"]]},{"id":"42791624ccfe2fe7","type":"inject","z":"FFF0000000000001","name":"","props":[{"p":"topic","vt":"str"}],"repeat":"","crontab":"","once":false,"onceDelay":0.1,"topic":"LINE1","x":130,"y":440,"wires":[["9811651554bddbf3"]]},{"id":"e1428cac57230fda","type":"inject","z":"FFF0000000000001","name":"","props":[{"p":"topic","vt":"str"}],"repeat":"","crontab":"","once":false,"onceDelay":0.1,"topic":"LINE2","x":130,"y":480,"wires":[["9811651554bddbf3"]]},{"id":"d2fb86fcce11e633","type":"debug","z":"FFF0000000000001","name":"debug 3","active":true,"tosidebar":true,"console":false,"tostatus":true,"complete":"payload","targetType":"msg","statusVal":"msg.payload ? 
msg.payload : (\"ERROR: \" & msg.error)","statusType":"jsonata","x":460,"y":500,"wires":[]},{"id":"98d8a52008be0746","type":"inject","z":"FFF0000000000001","name":"","props":[{"p":"topic","vt":"str"}],"repeat":"","crontab":"","once":false,"onceDelay":0.1,"topic":"LINE3","x":130,"y":520,"wires":[["9811651554bddbf3"]]}]

After importing the flows, you will need to select the right targets in the "project-in/out" nodes for your setup.

The test is to operate the injects so that messages from the instance device reach the app device and vice-versa.

This is a demo showing what you should get:

app-device-proj-link.mp4

TODO:

  • Explore possible tests
  • Update docs
  • (Next iteration) support device/instance --> to device direct messaging

Related Issue(s)

#3018

Checklist

  • I have read the contribution guidelines
  • Suitable unit/system level tests have been added and they pass
  • Documentation has been updated
    • Upgrade instructions
    • Configuration details
    • Concepts
  • Changes flowforge.yml?
    • Issue/PR raised on FlowFuse/helm to update ConfigMap Template
    • Issue/PR raised on FlowFuse/CloudProject to update values for Staging/Production

Labels

  • Backport needed? -> add the backport label
  • Includes a DB migration? -> add the area:migration label

@Steve-Mcl Steve-Mcl linked an issue Nov 14, 2023 that may be closed by this pull request

codecov bot commented Nov 14, 2023

Codecov Report

Attention: 16 lines in your changes are missing coverage. Please review.

Comparison is base (79cb728) 39.83% compared to head (01f6df1) 39.76%.
Report is 35 commits behind head on main.

Files Patch % Lines
forge/routes/api/deviceLive.js 27.77% 13 Missing ⚠️
forge/comms/aclManager.js 91.30% 2 Missing ⚠️
forge/db/models/Device.js 90.90% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3074      +/-   ##
==========================================
- Coverage   39.83%   39.76%   -0.07%     
==========================================
  Files         573      578       +5     
  Lines       20692    21020     +328     
  Branches     4929     5037     +108     
==========================================
+ Hits         8242     8359     +117     
- Misses      12450    12661     +211     
Flag Coverage Δ
backend 75.43% <70.37%> (-0.23%) ⬇️
frontend 1.99% <0.00%> (-0.01%) ⬇️


@Steve-Mcl Steve-Mcl marked this pull request as ready for review November 15, 2023 11:41
@Steve-Mcl Steve-Mcl requested a review from knolleary November 15, 2023 11:42
forge/comms/aclManager.js (outdated)
// Send message to other project
// - ff/v1/<team>/p/+/in/+/#
// Send message to specific project
// A device ID is exactly 10 chars long, so any topic with an ID longer than that
Member


It's a bit hard to figure out due to the way the git diff is showing the changes - but I'd expect any future support for a publish targeting a device to be on a /d/ topic, not a /p/ topic - so not sure this reliance on the length of this topic component is something we should rely on.

It would be helpful to have a summary of the topics/rules being introduced in the PR description for ease of reference. I haven't got to the other related PRs to know if you've documented them elsewhere, but as this is the PR dealing with changing the platform ACLs, it would be handy to have here.

Contributor Author


It was an absolute melon twister Nick 😄

I will attempt to answer your questions in a meaningful manner (I am also working on suitable documentation for future reference).

but I'd expect any future support for a publish targeting a device to be on a /d/ topic, not a /p/ topic

Agreed and considered and will likely be how it is handled for instance/device → device, but at this point in time, it is not supported and is in effect interlocked by insisting on the topic being 11 or more characters. I suspect I will remove these once I have a working schema for instance/device → device

However, it was necessary to differentiate a PUB originating from an instance device vs PUB originating from an app assigned device in some scenarios and therefore an alternate verification routine was needed

Consider these

"Send message to specific project"

instance assigned device publishes direct to a project

  1. The device has access to a projectId and can form the topic ff/v1/7N152GxG2p/p/23d79df8-183c-4104-aa97-8915e1897326/in/a/b
    • this is the topic it uses to PUB direct to project 23d79df8-183c-4104-aa97-8915e1897326
  2. The receiving project's Project-In node subscribes to a/b which equates to ff/v1/7N152GxG2p/p/23d79df8-183c-4104-aa97-8915e1897326/in/a/b

application assigned device publishes direct to a project

  1. As the Project In Node will subscribe to ff/v1/7N152GxG2p/p/23d79df8-183c-4104-aa97-8915e1897326/in/a/b the device must also publish on this topic

In summary - the /p/ remains even though it is a device publishing

"Broadcast a message"

instance assigned device

  1. The device has access to a projectId and can form the topic ff/v1/7N152GxG2p/p/23d79df8-183c-4104-aa97-8915e1897326/out/a/b
    • this is the topic it uses to PUB broadcasts 23d79df8-183c-4104-aa97-8915e1897326

Project In subscription

  1. A receiving project's Project-In node subscribes to a/b which equates to ff/v1/7N152GxG2p/p/+/out/a/b
  2. Therefore a device (both instance and app owned) Project-In node must also subscribe to ff/v1/7N152GxG2p/p/+/out/a/b

application assigned device

  1. The device does not have a projectId, only its own deviceId or the applicationId
  2. Since the code already knows which device is which, I supplant the projectId with the applicationId
  3. This means we get the topic ff/v1/7N152GxG2p/p/1234567890/out/a/b (where 1234567890 is the app id)
  4. This means we cannot use the same verification function since we are not verifying a project ID but an application ID

In summary - the /p/ remains even though it is an application device publishing

To get over this hump, I chose to leave the Project In node as-is and differentiate the verification logic path by the /ID/ provided.

The alternative solution I considered was to modify the Project-In node to either subscribe to both ff/v1/7N152GxG2p/p/... and ff/v1/7N152GxG2p/d/... OR subscribe to ff/v1/7N152GxG2p/+/...


Tomorrow, I hope to have a clearer picture of the direct instance/device → device and a full summary of current existing condition, this PR condition and our final stance.

I think it may be prudent to hang fire and evaluate this before any merges?


PS: I appreciate that ↑ wasn't entirely as clear as I had hoped! Imagine how my head was noodled doing the work ;)

@Steve-Mcl
Contributor Author

Steve-Mcl commented Nov 21, 2023

@knolleary

I have got all tests passing and managed to update the PR OP with a list of ACLs (existing/new/changes) in a format that doesn't mess up regex (harder than you might imagine 😆 )

Anyhow, I have one remaining reservation and that is, as noted before in the review comment, this PR is publishing app-owned-devices broadcasts out on xxx/p/xxx - and it works, and this is how it needs to be so that project-in nodes on an instance can subscribe to the broadcasts when the target is "all instances"

As discussed before, this was to minimise multiple subs or using a wildcard.

I am now thinking should we make separate entries in the project-in node dropdown. e.g:

[ All instances ]
[ All devices ]
[ instances 1 ]
[ instances 2 ]
[ instances n ]

This would permit us to change the topic ACL to xxx/d/xxx and remove the {11,} length check.

@Steve-Mcl
Contributor Author

Hi @knolleary

I have updated the topics and ACLs to use the app: prefix

I will update the OP with the new topic/ACLs for reference shortly.

@Steve-Mcl Steve-Mcl requested a review from knolleary November 21, 2023 22:17
@Steve-Mcl
Contributor Author

@knolleary - topic prefix adjusted as per discussion.

Had an odd Postgres-only test fail (re-running it)

@knolleary
Member

Approved pending the postgres test passing

@Steve-Mcl Steve-Mcl requested a review from knolleary November 22, 2023 13:56
@Steve-Mcl
Contributor Author

@knolleary I think I clicked Request Approval milliseconds after you clicked "Approved" - can you do it again please?

@knolleary
Member

@Steve-Mcl Postgres test failed again. Need to understand that.

@knolleary
Member

Postgres failure can be reproduced locally:

[2023-11-22T14:14:08.735Z] ERROR: invalid input syntax for type uuid: "rbXm6nmA62" {"reqId":"req-11","req":{"method":"POST","url":"/api/comms/auth/acl","hostname":"localhost:80","remoteAddress":"127.0.0.1"},"res":{"statusCode":500,"request":{"url":"/api/comms/auth/acl","method":"POST","remoteAddress":"127.0.0.1"}}}
    err: {
      "type": "DatabaseError",
      "message": "invalid input syntax for type uuid: \"rbXm6nmA62\"",
      "stack":
          Error
              at Query.run (/Users/nol/code/ff/dev-env/packages/flowfuse/node_modules/sequelize/lib/dialects/postgres/query.js:50:25)
              at /Users/nol/code/ff/dev-env/packages/flowfuse/node_modules/sequelize/lib/sequelize.js:315:28
              at runMicrotasks (<anonymous>)
              at processTicksAndRejections (node:internal/process/task_queues:96:5)
              at async PostgresQueryInterface.select (/Users/nol/code/ff/dev-env/packages/flowfuse/node_modules/sequelize/lib/dialects/abstract/query-interface.js:407:12)
              at async Function.findAll (/Users/nol/code/ff/dev-env/packages/flowfuse/node_modules/sequelize/lib/model.js:1140:21)
              at async Function.findOne (/Users/nol/code/ff/dev-env/packages/flowfuse/node_modules/sequelize/lib/model.js:1240:12)
              at async Function.getProjectTeamId (/Users/nol/code/ff/dev-env/packages/flowfuse/forge/db/models/Project.js:459:37)
              at async Object.checkDeviceCanAccessProject (/Users/nol/code/ff/dev-env/packages/flowfuse/forge/comms/aclManager.js:90:35)
              at async Object.verify (/Users/nol/code/ff/dev-env/packages/flowfuse/forge/comms/aclManager.js:209:39)
              at async Object.<anonymous> (/Users/nol/code/ff/dev-env/packages/flowfuse/forge/comms/authRoutes.js:54:25)

@knolleary
Member

knolleary commented Nov 22, 2023

The failing test is because it's checking a device cannot broadcast if it doesn't provide the dev: prefix. This leads the code to assume it's a project id - which postgres rejects because it doesn't look like a uuid - unlike sqlite that just returns no results.

@knolleary knolleary merged commit 7a76e42 into main Nov 22, 2023
5 of 6 checks passed
@knolleary knolleary deleted the 3018-permit-app-assigned-device-project-node-access branch November 22, 2023 17:18
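
The `(?!dev:)` split in the ACL list and the Postgres failure discussed above, shown together as an added example that is not part of this PR or of FlowFuse's code. The four device-publish regexes are copied from the PR description; the verifier bodies, the in-memory `store`, the UUID pre-check and the sample ids are assumptions made for illustration.

```javascript
// Added example. Regexes are from the PR description; everything else is a
// hypothetical stand-in, not the contents of forge/comms/aclManager.js.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i

// Device publish ACLs: the negative lookahead keeps "dev:" ids off the project path.
const devicePublishACLs = [
    { topic: /^ff\/v1\/([^\/]+)\/p\/(?!dev:)([^\/]+)\/in\/[^\/]+($|\/.*$)/, verify: 'checkDeviceCanAccessProject' },
    { topic: /^ff\/v1\/([^\/]+)\/p\/(?!dev:)([^\/]+)\/out\/[^\/]+($|\/.*$)/, verify: 'checkDeviceCanAccessProject' },
    { topic: /^ff\/v1\/([^\/]+)\/p\/(?!dev:)([^\/]+)\/res\/[^\/]+($|\/.*$)/, verify: 'checkDeviceCanAccessProject' },
    { topic: /^ff\/v1\/([^\/]+)\/p\/dev:([^\/]+)\/out\/[^\/]+($|\/.*$)/, verify: 'checkDeviceIsAssigned' }
]

// Constructed sample data: one team with one instance (project).
const store = {
    projects: { '23d79df8-183c-4104-aa97-8915e1897326': { teamId: '7N152GxG2p' } },
    // Mimics Postgres: a non-UUID key is a query error, not an empty result.
    getProjectTeamId (id) {
        if (!UUID_RE.test(id)) throw new Error(`invalid input syntax for type uuid: "${id}"`)
        return this.projects[id] ? this.projects[id].teamId : null
    }
}

const verifiers = {
    // Simplified stand-in: the project named in the topic must be in the device's team.
    checkDeviceCanAccessProject (device, teamId, projectId) {
        if (!UUID_RE.test(projectId)) return false // deny before the database sees it
        return device.teamId === teamId && store.getProjectTeamId(projectId) === teamId
    },
    // Simplified stand-in: an app-owned device may only use its own id after "dev:".
    checkDeviceIsAssigned (device, teamId, deviceId) {
        return device.teamId === teamId && device.id === deviceId && !!device.applicationId
    }
}

// First matching ACL decides; no match means deny.
function canDevicePublish (device, topic) {
    for (const acl of devicePublishACLs) {
        const m = acl.topic.exec(topic)
        if (m) {
            return { verify: acl.verify, allowed: verifiers[acl.verify](device, m[1], m[2]) }
        }
    }
    return { verify: null, allowed: false }
}

// Constructed devices: one instance-owned, one application-owned.
const instanceDevice = { id: 'iNst4nce01', teamId: '7N152GxG2p', projectId: '23d79df8-183c-4104-aa97-8915e1897326' }
const appDevice = { id: 'dEv1ce0001', teamId: '7N152GxG2p', applicationId: '1234567890' }

const results = {
    appPrefixed: canDevicePublish(appDevice, 'ff/v1/7N152GxG2p/p/dev:dEv1ce0001/out/a/b'),
    appUnprefixed: canDevicePublish(appDevice, 'ff/v1/7N152GxG2p/p/dEv1ce0001/out/a/b'),
    appSpoofed: canDevicePublish(appDevice, 'ff/v1/7N152GxG2p/p/dev:0therDev01/out/a/b'),
    instanceToProject: canDevicePublish(instanceDevice, 'ff/v1/7N152GxG2p/p/23d79df8-183c-4104-aa97-8915e1897326/in/a/b')
}
console.log(results)
```

The unprefixed case is the one the failing test exercised: the topic falls through to the project ACL, and the UUID pre-check turns what would be a database error (HTTP 500 in the log above) into a plain deny.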

Successfully merging this pull request may close these issues.

Project Nodes unavailable on a Device assigned to an Application
2 participants