querysub 0.437.0 → 0.438.0

package/src/4-querysub/permissions.ts

@@ -1,336 +1,336 @@
-import { cache, cacheArgsEqual, cacheLimited } from "socket-function/src/caching";
-import { measureFnc, measureWrap, nameFunction } from "socket-function/src/profiling/measure";
-import { getPathSuffix, getPathDepth, trimPathStrToDepth, getPathFromStr, rootPathStr, getPathIndex, getPathStr1, joinPathStres, appendToPathStr, getPathStr } from "../path";
-import { atomic, atomicObjectRead, isSynced, proxyWatcher } from "../2-proxy/PathValueProxyWatcher";
-import { SchemaObject, getSchemaObject, hasWildcardMatch, getWildcardMatches, PERMISSIONS_FUNCTION_ID, PermissionsCheckResult, getDevelopmentModule } from "../3-path-functions/syncSchema";
-import { getModuleFromConfig } from "../3-path-functions/pathFunctionLoader";
-import { getSchemaPartsFromPath, functionSchema, DEPTH_TO_DATA, overrideCurrentCall, CallSpec, FunctionSpec, DOMAIN_INDEX, MODULE_INDEX } from "../3-path-functions/PathFunctionRunner";
-import debugbreak from "debugbreak";
-import { blue, red, yellow } from "socket-function/src/formatting/logColors";
-import { ignoreErrors } from "../errors";
-import { epochTime } from "../0-path-value-core/pathValueCore";
-import { isClient } from "../config2";
-import { sort } from "socket-function/src/misc";
-import { Querysub } from "./QuerysubController";
-import { CALL_PERMISSIONS_KEY } from "./permissionsShared";
-import { getDomain, isLocal, isPublic } from "../config";
-
-function watchModule(config: FunctionSpec): NodeJS.Module | undefined {
-    let module = getModuleFromConfig(config);
-    if (module && typeof module === "object" && module instanceof Promise) {
-        // NOTE: The errors should throw correctly when proxyWatch is triggered (which will be immediately
-        //  after our ignore handler runs), because the underlying implementation should convert promises
-        //  to throws (or undefined, if errors are ignored).
-        ignoreErrors(module);
-        proxyWatcher.triggerOnPromiseFinish(module, { waitReason: "waitForModuleToLoad" });
-        return undefined;
-    }
-    return module;
-}
-
-const callPermissionsPath = getPathStr1(CALL_PERMISSIONS_KEY);
-
-/** NOTE: This can only be used synchronously, and must be recreated after the current
- *      synchronous code is finished.
- */
-export class PermissionsCheck {
-    private dead = false;
-    private static skippingChecks = false;
-
-    public static DEBUG = false;
-
-    constructor(private callerConfig: { callerMachineId: string; callerIP: string; }) {
-        setImmediate(() => this.dead = true);
-    }
-
-    private perSchema = cacheArgsEqual((schema: SchemaObject, fnc: FunctionSpec) => {
-        return new PermissionsCheckSchema(
-            { machineID: this.callerConfig.callerMachineId, IP: this.callerConfig.callerIP },
-            schema,
-            fnc
-        );
-    });
-
-    private getModulePermissions(domainName: string) {
-        if (!isPublic() && domainName === getDomain()) {
-            return function (moduleId: string): {
-                schema: SchemaObject;
-                fnc: FunctionSpec;
-            } | undefined {
-                let fnc: FunctionSpec = {
-                    DomainName: domainName,
-                    ModuleId: moduleId,
-                    FunctionId: PERMISSIONS_FUNCTION_ID,
-                    exportPathStr: callPermissionsPath,
-                    // NOTE: These SHOULDN'T be required, as we don't commit this function to the FunctionRunner,
-                    //  we just use this to run the function on the local machine.
-                    FilePath: "LOCAL_PERMISSIONS_HACK",
-                    gitURL: "LOCAL_PERMISSIONS_HACK",
-                    gitRef: "LOCAL_PERMISSIONS_HACK",
-                };
-                let modulePermissions = getDevelopmentModule(moduleId);
-                if (!modulePermissions) throw new Error(`No development module found for ${moduleId}. Was it imported? Try restarting the edge server.`);
-                let schema = getSchemaObject(modulePermissions);
-                if (!schema) throw new Error(`Module does not export a schema: ${moduleId}`);
-                return {
-                    schema,
-                    fnc,
-                };
-            };
-        }
-        return this.getModulePermissionsBase(domainName);
-    }
-
-    private getModulePermissionsBase = cache((domainName: string) => {
-        return cache((moduleId: string) => {
-            let functionConfigProxy = PermissionsCheck.skipPermissionsChecks(() =>
-                functionSchema()[domainName].PathFunctionRunner[moduleId].Sources[PERMISSIONS_FUNCTION_ID],
-            );
-            const functionConfig = PermissionsCheck.skipPermissionsChecks(() => atomic(functionConfigProxy));
-            if (!functionConfig) {
-                if (isSynced(functionConfigProxy)) {
-                    console.warn(red(`Missing path to permissions. You might need to rerun "yarn deploy", ensuring all schemas are imported in a file called "/deploy.ts". Path ${domainName}.${moduleId}.${PERMISSIONS_FUNCTION_ID}`));
-                }
-                return undefined;
-            }
-            let module: NodeJS.Module | undefined;
-            try {
-                module = watchModule(functionConfig);
-            } catch (e: any) {
-                console.warn(yellow(`Rejecting permissions due to error when loading module ${functionConfig.gitURL}#${functionConfig.gitRef}:${functionConfig.FilePath}\n${e.stack}`));
-                return undefined;
-            }
-
-            if (!module) return undefined;
-            let schema = getSchemaObject(module);
-            if (!schema) return undefined;
-            return {
-                schema,
-                fnc: functionConfig,
-            };
-        });
-    });
-
-    pathPartsCache = new Map<string, {
-        domainName: string;
-        moduleId: string;
-        pathPrefix: string;
-        rootKey: string;
-        callExamplePath: string;
-        emptyKeyPath: string;
-    }>();
-    // IMPORTANT! This function USED TO BE a major hotspot for function evaluation, and so is heavily optimized.
-    public checkPermissions(path: string): { permissionsPath: string; allowed: boolean; } {
-        if (this.dead) throw new Error("PermissionsCheck MUST be used synchronously, after which it cannot be reused");
-        if (PermissionsCheck.skippingChecks) return { permissionsPath: rootPathStr, allowed: true };
-
-        let pathPrefix = trimPathStrToDepth(path, DEPTH_TO_DATA);
-        let pathParts = this.pathPartsCache.get(pathPrefix);
-        if (!pathParts) {
-            const domainName = getPathIndex(path, DOMAIN_INDEX) || "";
-            const moduleId = getPathIndex(path, MODULE_INDEX) || "";
-            let rootKey = getPathIndex(path, DEPTH_TO_DATA - 1) || "";
-
-            pathParts = {
-                domainName,
-                moduleId,
-                pathPrefix,
-                rootKey,
-                callExamplePath: appendToPathStr(pathPrefix, "ExampleCallId"),
-                emptyKeyPath: appendToPathStr(pathPrefix, ""),
-            };
-            this.pathPartsCache.set(pathPrefix, pathParts);
-        }
-
-        if (!pathParts.domainName) return { permissionsPath: trimPathStrToDepth(path, DOMAIN_INDEX + 1), allowed: false };
-        if (!pathParts.moduleId) return { permissionsPath: trimPathStrToDepth(path, MODULE_INDEX + 1), allowed: false };
-        if (!pathParts.rootKey) return { permissionsPath: trimPathStrToDepth(path, DEPTH_TO_DATA), allowed: false };
-
-        const schemaObj = this.getModulePermissions(pathParts.domainName)(pathParts.moduleId);
-        if (!schemaObj) return { permissionsPath: trimPathStrToDepth(path, MODULE_INDEX + 1), allowed: false };
-
-        let instance = this.perSchema(schemaObj.schema, schemaObj.fnc);
-        instance.pathPrefix = pathPrefix;
-
-        const rootKey = pathParts.rootKey;
-
-        if (rootKey === "Module" || rootKey === "Sources") {
-            return instance.checkPermissionsBase(callPermissionsPath);
-        }
-        if (rootKey === "Calls" || rootKey === "Results") {
-            // Don't allow "" call to be read, as this would allow running Object.values() to read all calls.
-            if (path === pathParts.emptyKeyPath) return { permissionsPath: path, allowed: false };
-            // NOTE: A lot of the time, anyone will technically be able to read calls, as we don't inspect the call.
-            //  However... they would need to know the id, which will be very hard to guess.
-            //  - Also inspecting the call adds a lot of call overhead, so we would prefer not to do that.
-            let result = instance.checkPermissionsBase(callPermissionsPath);
-            return {
-                // Make sure the path is specific, so when we are called again callId is not undefined
-                permissionsPath: pathParts.callExamplePath,
-                allowed: result.allowed
-            };
-        }
-        if (rootKey === "Data") {
-            let dataPath = getPathSuffix(path, DEPTH_TO_DATA);
-            return instance.checkPermissionsBase(dataPath);
-        }
-        return { permissionsPath: path, allowed: false };
-    }
-
-    public static ignorePermissionsChecks = this.skipPermissionsChecks;
-    public static skipPermissionsChecks<T>(code: () => T) {
-        let prev = this.skippingChecks;
-        this.skippingChecks = true;
-        try {
-            return code();
-        } finally {
-            this.skippingChecks = prev;
-        }
-    }
-}
-class PermissionsCheckSchema {
-    public pathPrefix = rootPathStr;
-
-    constructor(
-        private callerConfig: { machineID: string; IP: string },
-        private schema: SchemaObject,
-        private fnc: FunctionSpec,
-    ) { }
-    private exampleCall: CallSpec = {
-        callerMachineId: this.callerConfig.machineID,
-        callerIP: this.callerConfig.IP,
-        CallId: "",
-        DomainName: "",
-        FunctionId: "",
-        ModuleId: "",
-        runAtTime: epochTime,
-        argsEncoded: "",
-    };
-
-    /** Converts a specific path to a more general path. All paths which map to this general path
-     *      will have identical permissions checks.
-     */
-    private getCachePermissionsPath(path: string): string {
-        if (this.schema.permissionsNonWildcards.has(path)) {
-            return path;
-        }
-        let depth = getPathDepth(path);
-        for (let i = depth - 1; i > 0; i--) {
-            let ancestorPath = trimPathStrToDepth(path, i);
-            if (this.schema.permissionsNonWildcards.has(ancestorPath)) {
-                return ancestorPath;
-            }
-        }
-        if (this.schema.permissionsWildcards.length > 0) {
-            let valuePath = getPathFromStr(path);
-            // Using a tree would be algorithmically faster, but... might not even be faster in practice?
-            //  (at least for a small number of checks, which there should almost always be)
-            for (let wildcardCheck of this.schema.permissionsWildcards) {
-                if (hasWildcardMatch(wildcardCheck.pathParts, valuePath)) {
-                    return trimPathStrToDepth(path, wildcardCheck.pathParts.length);
-                }
-            }
-        }
-
-        return rootPathStr;
-    }
-
-    // NOTE: For our trivial "127.0.0.1" check this cache isn't needed. But permissions checks might be A LOT slower,
-    //  so it is important to cache it based on the permissionsPath.
-    private checkCache = cacheLimited(1000 * 1000, measureWrap((permissionsPath: string) => {
-        let checks = this.getChecks(permissionsPath);
-        let allowed = overrideCurrentCall({
-            spec: this.exampleCall,
-            fnc: this.fnc,
-        }, () => {
-            // NOTE: If we read inside of a permissions check we don't want to ALSO check
-            //  permissions checks on those because:
-            //  1) It might infinitely loop
-            //  2) When checking permissions we need to be allowed to read all values!
-            return PermissionsCheck.skipPermissionsChecks(() => {
-                for (let check of checks) {
-                    try {
-                        let result = check();
-                        if (!result && PermissionsCheck.DEBUG) {
-                            let anyUnsynced = false;
-                            try {
-                                anyUnsynced = Querysub.anyUnsynced();
-                            } catch { }
-                            if (!anyUnsynced) {
-                                // NOTE: This gets loud, as it happens EVERY TIME we check permissions. We already have a check in QuerysubController,
-                                //  which should be enough.
-                                //console.log(blue(`Denied permissions for ${joinPathStres(this.pathPrefix, permissionsPath)} due to check at ${(check as any).debugName}`));
-                                check();
-                            }
-                        }
-                        if (typeof result === "object") {
-                            if (!result.allowed) {
-                                return false;
-                            }
-                            if (result.skipParentChecks) {
-                                return result.allowed;
-                            }
-                        } else if (!result) {
-                            return false;
-                        }
-                    } catch {
-                        return false;
-                    }
-                }
-                return true;
-            });
-        });
-        return { permissionsPath: joinPathStres(this.pathPrefix, permissionsPath), allowed };
-    }, "permissionsCheckInsideCache"));
-
-    public checkPermissionsBase(dataPath: string): { permissionsPath: string; allowed: boolean; } {
-        let permissionsPath = this.getCachePermissionsPath(dataPath);
-        return this.checkCache(permissionsPath);
-    }
-    // NOTE: We don't cache the result of a permissions check, because it might change while
-    //  a function is evaluating. If they need to be skipped for the purposes of speed (which is hard
-    //  to believe, considering all the other sources of overhead we have), skipPermissionsChecks
-    //  can be used to quickly skip them.
-    private getChecks = cacheLimited(1000 * 1000, ((path: string): (() => PermissionsCheckResult)[] => {
-        let checks: {
-            check: () => PermissionsCheckResult;
-            path: string;
-        }[] = [];
-        let depth = getPathDepth(path);
-        for (let i = depth; i >= 0; i--) {
-            let ancestorPath = trimPathStrToDepth(path, i);
-            const permissions = this.schema.permissionsNonWildcards.get(ancestorPath);
-            if (permissions) {
-                let check = () => permissions({
-                    callerMachineId: this.callerConfig.machineID,
-                    matchedPath: ancestorPath,
-                    pathWildcards: [],
-                });
-                if (PermissionsCheck.DEBUG) {
-                    Object.assign(check, { debugName: ancestorPath });
-                }
-                checks.push({ check, path: ancestorPath });
-            }
-        }
-        // Using a tree would be algorithmically faster, but... might not even be faster in practice?
-        //  (at least for a small number of checks, which there should almost always be)
-        for (let wildcardCheck of this.schema.permissionsWildcards) {
-            let matches = getWildcardMatches(wildcardCheck.pathParts, getPathFromStr(path));
-            if (!matches) continue;
-            let matchedPath = trimPathStrToDepth(path, wildcardCheck.pathParts.length);
-            let check = () => wildcardCheck.callback({
-                callerMachineId: this.callerConfig.machineID,
-                matchedPath,
-                pathWildcards: matches || [],
-            });
-            if (PermissionsCheck.DEBUG) {
-                Object.assign(check, { debugName: wildcardCheck.pathParts.join(".") });
-            }
-            checks.push({ check, path: matchedPath });
-        }
-
-        sort(checks, x => -x.path.length);
-
-        return checks.map(x => x.check);
-    }));
+import { cache, cacheArgsEqual, cacheLimited } from "socket-function/src/caching";
+import { measureFnc, measureWrap, nameFunction } from "socket-function/src/profiling/measure";
+import { getPathSuffix, getPathDepth, trimPathStrToDepth, getPathFromStr, rootPathStr, getPathIndex, getPathStr1, joinPathStres, appendToPathStr, getPathStr } from "../path";
+import { atomic, atomicObjectRead, isSynced, proxyWatcher } from "../2-proxy/PathValueProxyWatcher";
+import { SchemaObject, getSchemaObject, hasWildcardMatch, getWildcardMatches, PERMISSIONS_FUNCTION_ID, PermissionsCheckResult, getDevelopmentModule } from "../3-path-functions/syncSchema";
+import { getModuleFromConfig } from "../3-path-functions/pathFunctionLoader";
+import { getSchemaPartsFromPath, functionSchema, DEPTH_TO_DATA, overrideCurrentCall, CallSpec, FunctionSpec, DOMAIN_INDEX, MODULE_INDEX } from "../3-path-functions/PathFunctionRunner";
+import debugbreak from "debugbreak";
+import { blue, red, yellow } from "socket-function/src/formatting/logColors";
+import { ignoreErrors } from "../errors";
+import { epochTime } from "../0-path-value-core/pathValueCore";
+import { isClient } from "../config2";
+import { sort } from "socket-function/src/misc";
+import { Querysub } from "./QuerysubController";
+import { CALL_PERMISSIONS_KEY } from "./permissionsShared";
+import { getDomain, isLocal, isPublic } from "../config";
+
+function watchModule(config: FunctionSpec): NodeJS.Module | undefined {
+    let module = getModuleFromConfig(config);
+    if (module && typeof module === "object" && module instanceof Promise) {
+        // NOTE: The errors should throw correctly when proxyWatch is triggered (which will be immediately
+        //  after our ignore handler runs), because the underlying implementation should convert promises
+        //  to throws (or undefined, if errors are ignored).
+        ignoreErrors(module);
+        proxyWatcher.triggerOnPromiseFinish(module, { waitReason: "waitForModuleToLoad" });
+        return undefined;
+    }
+    return module;
+}
+
+const callPermissionsPath = getPathStr1(CALL_PERMISSIONS_KEY);
+
+/** NOTE: This can only be used synchronously, and must be recreated after the current
+ *      synchronous code is finished.
+ */
+export class PermissionsCheck {
+    private dead = false;
+    private static skippingChecks = false;
+
+    public static DEBUG = false;
+
+    constructor(private callerConfig: { callerMachineId: string; callerIP: string; }) {
+        setImmediate(() => this.dead = true);
+    }
+
+    private perSchema = cacheArgsEqual((schema: SchemaObject, fnc: FunctionSpec) => {
+        return new PermissionsCheckSchema(
+            { machineID: this.callerConfig.callerMachineId, IP: this.callerConfig.callerIP },
+            schema,
+            fnc
+        );
+    });
+
+    private getModulePermissions(domainName: string) {
+        if (!isPublic() && domainName === getDomain()) {
+            return function (moduleId: string): {
+                schema: SchemaObject;
+                fnc: FunctionSpec;
+            } | undefined {
+                let fnc: FunctionSpec = {
+                    DomainName: domainName,
+                    ModuleId: moduleId,
+                    FunctionId: PERMISSIONS_FUNCTION_ID,
+                    exportPathStr: callPermissionsPath,
+                    // NOTE: These SHOULDN'T be required, as we don't commit this function to the FunctionRunner,
+                    //  we just use this to run the function on the local machine.
+                    FilePath: "LOCAL_PERMISSIONS_HACK",
+                    gitURL: "LOCAL_PERMISSIONS_HACK",
+                    gitRef: "LOCAL_PERMISSIONS_HACK",
+                };
+                let modulePermissions = getDevelopmentModule(moduleId);
+                if (!modulePermissions) throw new Error(`No development module found for ${moduleId}. Was it imported? Try restarting the edge server.`);
+                let schema = getSchemaObject(modulePermissions);
+                if (!schema) throw new Error(`Module does not export a schema: ${moduleId}`);
+                return {
+                    schema,
+                    fnc,
+                };
+            };
+        }
+        return this.getModulePermissionsBase(domainName);
+    }
+
+    private getModulePermissionsBase = cache((domainName: string) => {
+        return cache((moduleId: string) => {
+            let functionConfigProxy = PermissionsCheck.skipPermissionsChecks(() =>
+                functionSchema()[domainName].PathFunctionRunner[moduleId].Sources[PERMISSIONS_FUNCTION_ID],
+            );
+            const functionConfig = PermissionsCheck.skipPermissionsChecks(() => atomic(functionConfigProxy));
+            if (!functionConfig) {
+                if (isSynced(functionConfigProxy)) {
+                    console.warn(red(`Missing path to permissions. You might need to rerun "yarn deploy", ensuring all schemas are imported in a file called "/deploy.ts". Path ${domainName}.${moduleId}.${PERMISSIONS_FUNCTION_ID}`));
+                }
+                return undefined;
+            }
+            let module: NodeJS.Module | undefined;
+            try {
+                module = watchModule(functionConfig);
+            } catch (e: any) {
+                console.warn(yellow(`Rejecting permissions due to error when loading module ${functionConfig.gitURL}#${functionConfig.gitRef}:${functionConfig.FilePath}\n${e.stack}`));
+                return undefined;
+            }
+
+            if (!module) return undefined;
+            let schema = getSchemaObject(module);
+            if (!schema) return undefined;
+            return {
+                schema,
+                fnc: functionConfig,
+            };
+        });
+    });
+
+    pathPartsCache = new Map<string, {
+        domainName: string;
+        moduleId: string;
+        pathPrefix: string;
+        rootKey: string;
+        callExamplePath: string;
+        emptyKeyPath: string;
+    }>();
+    // IMPORTANT! This function USED TO BE a major hotspot for function evaluation, and so is heavily optimized.
+    public checkPermissions(path: string): { permissionsPath: string; allowed: boolean; } {
+        if (this.dead) throw new Error("PermissionsCheck MUST be used synchronously, after which it cannot be reused");
+        if (PermissionsCheck.skippingChecks) return { permissionsPath: rootPathStr, allowed: true };
+
+        let pathPrefix = trimPathStrToDepth(path, DEPTH_TO_DATA);
+        let pathParts = this.pathPartsCache.get(pathPrefix);
+        if (!pathParts) {
+            const domainName = getPathIndex(path, DOMAIN_INDEX) || "";
+            const moduleId = getPathIndex(path, MODULE_INDEX) || "";
+            let rootKey = getPathIndex(path, DEPTH_TO_DATA - 1) || "";
+
+            pathParts = {
+                domainName,
+                moduleId,
+                pathPrefix,
+                rootKey,
+                callExamplePath: appendToPathStr(pathPrefix, "ExampleCallId"),
+                emptyKeyPath: appendToPathStr(pathPrefix, ""),
+            };
+            this.pathPartsCache.set(pathPrefix, pathParts);
+        }
+
+        if (!pathParts.domainName) return { permissionsPath: trimPathStrToDepth(path, DOMAIN_INDEX + 1), allowed: false };
+        if (!pathParts.moduleId) return { permissionsPath: trimPathStrToDepth(path, MODULE_INDEX + 1), allowed: false };
+        if (!pathParts.rootKey) return { permissionsPath: trimPathStrToDepth(path, DEPTH_TO_DATA), allowed: false };
+
+        const schemaObj = this.getModulePermissions(pathParts.domainName)(pathParts.moduleId);
+        if (!schemaObj) return { permissionsPath: trimPathStrToDepth(path, MODULE_INDEX + 1), allowed: false };
+
+        let instance = this.perSchema(schemaObj.schema, schemaObj.fnc);
+        instance.pathPrefix = pathPrefix;
+
+        const rootKey = pathParts.rootKey;
+
+        if (rootKey === "Module" || rootKey === "Sources") {
+            return instance.checkPermissionsBase(callPermissionsPath);
+        }
+        if (rootKey === "Calls" || rootKey === "Results") {
+            // Don't allow "" call to be read, as this would allow running Object.values() to read all calls.
+            if (path === pathParts.emptyKeyPath) return { permissionsPath: path, allowed: false };
+            // NOTE: A lot of the time, anyone will technically be able to read calls, as we don't inspect the call.
+            //  However... they would need to know the id, which will be very hard to guess.
+            //  - Also inspecting the call adds a lot of call overhead, so we would prefer not to do that.
+            let result = instance.checkPermissionsBase(callPermissionsPath);
+            return {
+                // Make sure the path is specific, so when we are called again callId is not undefined
+                permissionsPath: pathParts.callExamplePath,
+                allowed: result.allowed
+            };
+        }
+        if (rootKey === "Data") {
+            let dataPath = getPathSuffix(path, DEPTH_TO_DATA);
+            return instance.checkPermissionsBase(dataPath);
+        }
+        return { permissionsPath: path, allowed: false };
+    }
+
+    public static ignorePermissionsChecks = this.skipPermissionsChecks;
+    public static skipPermissionsChecks<T>(code: () => T) {
+        let prev = this.skippingChecks;
+        this.skippingChecks = true;
+        try {
+            return code();
+        } finally {
+            this.skippingChecks = prev;
+        }
+    }
+}
+class PermissionsCheckSchema {
+    public pathPrefix = rootPathStr;
+
+    constructor(
+        private callerConfig: { machineID: string; IP: string },
+        private schema: SchemaObject,
+        private fnc: FunctionSpec,
+    ) { }
+    private exampleCall: CallSpec = {
+        callerMachineId: this.callerConfig.machineID,
+        callerIP: this.callerConfig.IP,
+        CallId: "",
+        DomainName: "",
+        FunctionId: "",
+        ModuleId: "",
+        runAtTime: epochTime,
+        argsEncoded: "",
+    };
+
+    /** Converts a specific path to a more general path. All paths which map to this general path
+     *      will have identical permissions checks.
+     */
+    private getCachePermissionsPath(path: string): string {
+        if (this.schema.permissionsNonWildcards.has(path)) {
+            return path;
+        }
+        let depth = getPathDepth(path);
+        for (let i = depth - 1; i > 0; i--) {
+            let ancestorPath = trimPathStrToDepth(path, i);
+            if (this.schema.permissionsNonWildcards.has(ancestorPath)) {
+                return ancestorPath;
+            }
+        }
+        if (this.schema.permissionsWildcards.length > 0) {
+            let valuePath = getPathFromStr(path);
+            // Using a tree would be algorithmically faster, but... might not even be faster in practice?
+            //  (at least for a small number of checks, which there should almost always be)
+            for (let wildcardCheck of this.schema.permissionsWildcards) {
+                if (hasWildcardMatch(wildcardCheck.pathParts, valuePath)) {
+                    return trimPathStrToDepth(path, wildcardCheck.pathParts.length);
+                }
+            }
+        }
+
+        return rootPathStr;
+    }
+
+    // NOTE: For our trivial "127.0.0.1" check this cache isn't needed. But permissions checks might be A LOT slower,
+    //  so it is important to cache it based on the permissionsPath.
+    private checkCache = cacheLimited(1000 * 1000, measureWrap((permissionsPath: string) => {
+        let checks = this.getChecks(permissionsPath);
+        let allowed = overrideCurrentCall({
+            spec: this.exampleCall,
+            fnc: this.fnc,
+        }, () => {
+            // NOTE: If we read inside of a permissions check we don't want to ALSO check
+            //  permissions checks on those because:
+            //  1) It might infinitely loop
+            //  2) When checking permissions we need to be allowed to read all values!
+            return PermissionsCheck.skipPermissionsChecks(() => {
+                for (let check of checks) {
+                    try {
+                        let result = check();
+                        if (!result && PermissionsCheck.DEBUG) {
+                            let anyUnsynced = false;
+                            try {
+                                anyUnsynced = Querysub.anyUnsynced();
+                            } catch { }
+                            if (!anyUnsynced) {
+                                // NOTE: This gets loud, as it happens EVERY TIME we check permissions. We already have a check in QuerysubController,
+                                //  which should be enough.
+                                //console.log(blue(`Denied permissions for ${joinPathStres(this.pathPrefix, permissionsPath)} due to check at ${(check as any).debugName}`));
+                                check();
+                            }
+                        }
+                        if (typeof result === "object") {
+                            if (!result.allowed) {
+                                return false;
+                            }
+                            if (result.skipParentChecks) {
+                                return result.allowed;
+                            }
+                        } else if (!result) {
+                            return false;
+                        }
+                    } catch {
+                        return false;
+                    }
+                }
+                return true;
+            });
+        });
+        return { permissionsPath: joinPathStres(this.pathPrefix, permissionsPath), allowed };
+    }, "permissionsCheckInsideCache"));
+
+    public checkPermissionsBase(dataPath: string): { permissionsPath: string; allowed: boolean; } {
+        let permissionsPath = this.getCachePermissionsPath(dataPath);
+        return this.checkCache(permissionsPath);
+    }
+    // NOTE: We don't cache the result of a permissions check, because it might change while
+    //  a function is evaluating. If they need to be skipped for the purposes of speed (which is hard
+    //  to believe, considering all the other sources of overhead we have), skipPermissionsChecks
+    //  can be used to quickly skip them.
+    private getChecks = cacheLimited(1000 * 1000, ((path: string): (() => PermissionsCheckResult)[] => {
+        let checks: {
+            check: () => PermissionsCheckResult;
+            path: string;
+        }[] = [];
+        let depth = getPathDepth(path);
+        for (let i = depth; i >= 0; i--) {
+            let ancestorPath = trimPathStrToDepth(path, i);
+            const permissions = this.schema.permissionsNonWildcards.get(ancestorPath);
+            if (permissions) {
+                let check = () => permissions({
+                    callerMachineId: this.callerConfig.machineID,
+                    matchedPath: ancestorPath,
+                    pathWildcards: [],
+                });
+                if (PermissionsCheck.DEBUG) {
+                    Object.assign(check, { debugName: ancestorPath });
+                }
+                checks.push({ check, path: ancestorPath });
+            }
+        }
+        // Using a tree would be algorithmically faster, but... might not even be faster in practice?
+        //  (at least for a small number of checks, which there should almost always be)
+        for (let wildcardCheck of this.schema.permissionsWildcards) {
+            let matches = getWildcardMatches(wildcardCheck.pathParts, getPathFromStr(path));
+            if (!matches) continue;
+            let matchedPath = trimPathStrToDepth(path, wildcardCheck.pathParts.length);
+            let check = () => wildcardCheck.callback({
+                callerMachineId: this.callerConfig.machineID,
+                matchedPath,
+                pathWildcards: matches || [],
+            });
+            if (PermissionsCheck.DEBUG) {
+                Object.assign(check, { debugName: wildcardCheck.pathParts.join(".") });
+            }
+            checks.push({ check, path: matchedPath });
+        }
+
+        sort(checks, x => -x.path.length);
+
+        return checks.map(x => x.check);
+    }));
 }