mirror of
				https://github.com/meilisearch/meilisearch.git
				synced 2025-10-26 05:26:27 +00:00 
			
		
		
		
	Making it work with index uid patterns
This commit is contained in:
		
							
								
								
									
										1
									
								
								Cargo.lock
									
									
									
										generated
									
									
									
								
							
							
						
						
									
										1
									
								
								Cargo.lock
									
									
									
										generated
									
									
									
								
							| @@ -2535,6 +2535,7 @@ dependencies = [ | ||||
|  "base64 0.13.1", | ||||
|  "enum-iterator", | ||||
|  "hmac", | ||||
|  "maplit", | ||||
|  "meilisearch-types", | ||||
|  "rand", | ||||
|  "roaring", | ||||
|   | ||||
| @@ -7,6 +7,7 @@ edition = "2021" | ||||
| base64 = "0.13.1" | ||||
| enum-iterator = "1.1.3" | ||||
| hmac = "0.12.1" | ||||
| maplit = "1.0.2" | ||||
| meilisearch-types = { path = "../meilisearch-types" } | ||||
| rand = "0.8.5" | ||||
| roaring = { version = "0.10.0", features = ["serde"] } | ||||
|   | ||||
| @@ -8,6 +8,7 @@ use std::path::Path; | ||||
| use std::sync::Arc; | ||||
|  | ||||
| use error::{AuthControllerError, Result}; | ||||
| use maplit::hashset; | ||||
| use meilisearch_types::index_uid_pattern::IndexUidPattern; | ||||
| use meilisearch_types::keys::{Action, CreateApiKey, Key, PatchApiKey}; | ||||
| use meilisearch_types::star_or::StarOr; | ||||
| @@ -75,31 +76,12 @@ impl AuthController { | ||||
|         search_rules: Option<SearchRules>, | ||||
|     ) -> Result<AuthFilter> { | ||||
|         let mut filters = AuthFilter::default(); | ||||
|         let key = self | ||||
|             .store | ||||
|             .get_api_key(uid)? | ||||
|             .ok_or_else(|| AuthControllerError::ApiKeyNotFound(uid.to_string()))?; | ||||
|         let key = self.get_key(uid)?; | ||||
|  | ||||
|         if !key.indexes.iter().any(|i| i == &StarOr::Star) { | ||||
|             filters.search_rules = match search_rules { | ||||
|                 // Intersect search_rules with parent key authorized indexes. | ||||
|                 Some(search_rules) => SearchRules::Map( | ||||
|                     key.indexes | ||||
|                         .into_iter() | ||||
|                         .filter_map(|index| { | ||||
|                             search_rules.get_index_search_rules(index.deref()).map( | ||||
|                                 |index_search_rules| { | ||||
|                                     (String::from(index), Some(index_search_rules)) | ||||
|                                 }, | ||||
|                             ) | ||||
|                         }) | ||||
|                         .collect(), | ||||
|                 ), | ||||
|                 None => SearchRules::Set(key.indexes.into_iter().map(String::from).collect()), | ||||
|             }; | ||||
|         } else if let Some(search_rules) = search_rules { | ||||
|             filters.search_rules = search_rules; | ||||
|         } | ||||
|         filters.search_rules = match search_rules { | ||||
|             Some(search_rules) => search_rules, | ||||
|             None => SearchRules::Set(key.indexes.into_iter().collect()), | ||||
|         }; | ||||
|  | ||||
|         filters.allow_index_creation = self.is_key_authorized(uid, Action::IndexesAdd, None)?; | ||||
|  | ||||
| @@ -182,13 +164,13 @@ impl Default for AuthFilter { | ||||
| #[derive(Debug, Serialize, Deserialize, Clone)] | ||||
| #[serde(untagged)] | ||||
| pub enum SearchRules { | ||||
|     Set(HashSet<String>), | ||||
|     Map(HashMap<String, Option<IndexSearchRules>>), | ||||
|     Set(HashSet<IndexUidPattern>), | ||||
|     Map(HashMap<IndexUidPattern, Option<IndexSearchRules>>), | ||||
| } | ||||
|  | ||||
| impl Default for SearchRules { | ||||
|     fn default() -> Self { | ||||
|         Self::Set(Some("*".to_string()).into_iter().collect()) | ||||
|         Self::Set(hashset! { IndexUidPattern::all() }) | ||||
|     } | ||||
| } | ||||
|  | ||||
| @@ -198,16 +180,12 @@ impl SearchRules { | ||||
|             Self::Set(set) => { | ||||
|                 set.contains("*") | ||||
|                     || set.contains(index) | ||||
|                     || set | ||||
|                         .iter() // We must store the IndexUidPattern in the Set | ||||
|                         .any(|pattern| IndexUidPattern::new_unchecked(pattern).matches_str(index)) | ||||
|                     || set.iter().any(|pattern| pattern.matches_str(index)) | ||||
|             } | ||||
|             Self::Map(map) => { | ||||
|                 map.contains_key("*") | ||||
|                     || map.contains_key(index) | ||||
|                     || map | ||||
|                         .keys() // We must store the IndexUidPattern in the Map | ||||
|                         .any(|pattern| IndexUidPattern::new_unchecked(pattern).matches_str(index)) | ||||
|                     || map.keys().any(|pattern| pattern.matches_str(index)) | ||||
|             } | ||||
|         } | ||||
|     } | ||||
| @@ -215,21 +193,26 @@ impl SearchRules { | ||||
|     pub fn get_index_search_rules(&self, index: &str) -> Option<IndexSearchRules> { | ||||
|         match self { | ||||
|             Self::Set(set) => { | ||||
|                 if set.contains("*") || set.contains(index) { | ||||
|                 if self.is_index_authorized(index) { | ||||
|                     Some(IndexSearchRules::default()) | ||||
|                 } else { | ||||
|                     None | ||||
|                 } | ||||
|             } | ||||
|             Self::Map(map) => { | ||||
|                 map.get(index).or_else(|| map.get("*")).map(|isr| isr.clone().unwrap_or_default()) | ||||
|                 // We must take the most retrictive rule of this index uid patterns set of rules. | ||||
|                 map.iter() | ||||
|                     .filter(|(pattern, _)| pattern.matches_str(index)) | ||||
|                     .max_by_key(|(pattern, _)| (pattern.is_exact(), pattern.len())) | ||||
|                     .map(|(_, rule)| rule.clone()) | ||||
|                     .flatten() | ||||
|             } | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     /// Return the list of indexes such that `self.is_index_authorized(index) == true`, | ||||
|     /// or `None` if all indexes satisfy this condition. | ||||
|     pub fn authorized_indexes(&self) -> Option<Vec<String>> { | ||||
|     pub fn authorized_indexes(&self) -> Option<Vec<IndexUidPattern>> { | ||||
|         match self { | ||||
|             SearchRules::Set(set) => { | ||||
|                 if set.contains("*") { | ||||
| @@ -250,7 +233,7 @@ impl SearchRules { | ||||
| } | ||||
|  | ||||
| impl IntoIterator for SearchRules { | ||||
|     type Item = (String, IndexSearchRules); | ||||
|     type Item = (IndexUidPattern, IndexSearchRules); | ||||
|     type IntoIter = Box<dyn Iterator<Item = Self::Item>>; | ||||
|  | ||||
|     fn into_iter(self) -> Self::IntoIter { | ||||
|   | ||||
| @@ -1,7 +1,10 @@ | ||||
| use std::borrow::Borrow; | ||||
| use std::error::Error; | ||||
| use std::fmt; | ||||
| use std::ops::Deref; | ||||
| use std::str::FromStr; | ||||
|  | ||||
| use deserr::DeserializeFromValue; | ||||
| use serde::{Deserialize, Serialize}; | ||||
|  | ||||
| use crate::error::{Code, ErrorCode}; | ||||
| @@ -9,17 +12,25 @@ use crate::index_uid::{IndexUid, IndexUidFormatError}; | ||||
|  | ||||
| /// An index uid pattern is composed of only ascii alphanumeric characters, - and _, between 1 and 400 | ||||
| /// bytes long and optionally ending with a *. | ||||
| #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq)] | ||||
| #[cfg_attr(feature = "test-traits", derive(proptest_derive::Arbitrary))] | ||||
| pub struct IndexUidPattern( | ||||
|     #[cfg_attr(feature = "test-traits", proptest(regex("[a-zA-Z0-9_-]{1,400}\\*?")))] String, | ||||
| ); | ||||
| #[derive(Serialize, Deserialize, DeserializeFromValue, Debug, Clone, PartialEq, Eq, Hash)] | ||||
| #[deserr(from(&String) = FromStr::from_str -> IndexUidPatternFormatError)] | ||||
| pub struct IndexUidPattern(String); | ||||
|  | ||||
| impl IndexUidPattern { | ||||
|     pub fn new_unchecked(s: impl AsRef<str>) -> Self { | ||||
|         Self(s.as_ref().to_string()) | ||||
|     } | ||||
|  | ||||
|     /// Matches any index name. | ||||
|     pub fn all() -> Self { | ||||
|         IndexUidPattern::from_str("*").unwrap() | ||||
|     } | ||||
|  | ||||
|     /// Returns `true` if the pattern matches a specific index name. | ||||
|     pub fn is_exact(&self) -> bool { | ||||
|         !self.0.ends_with('*') | ||||
|     } | ||||
|  | ||||
|     /// Returns wether this index uid matches this index uid pattern. | ||||
|     pub fn matches(&self, uid: &IndexUid) -> bool { | ||||
|         self.matches_str(uid.as_str()) | ||||
| @@ -34,7 +45,7 @@ impl IndexUidPattern { | ||||
|     } | ||||
| } | ||||
|  | ||||
| impl std::ops::Deref for IndexUidPattern { | ||||
| impl Deref for IndexUidPattern { | ||||
|     type Target = str; | ||||
|  | ||||
|     fn deref(&self) -> &Self::Target { | ||||
| @@ -42,6 +53,12 @@ impl std::ops::Deref for IndexUidPattern { | ||||
|     } | ||||
| } | ||||
|  | ||||
| impl Borrow<str> for IndexUidPattern { | ||||
|     fn borrow(&self) -> &str { | ||||
|         &self.0 | ||||
|     } | ||||
| } | ||||
|  | ||||
| impl TryFrom<String> for IndexUidPattern { | ||||
|     type Error = IndexUidPatternFormatError; | ||||
|  | ||||
|   | ||||
| @@ -47,7 +47,7 @@ pub struct CreateApiKey { | ||||
|     #[deserr(error = DeserrError<InvalidApiKeyActions>)] | ||||
|     pub actions: Vec<Action>, | ||||
|     #[deserr(error = DeserrError<InvalidApiKeyIndexes>)] | ||||
|     pub indexes: Vec<StarOr<IndexUidPattern>>, | ||||
|     pub indexes: Vec<IndexUidPattern>, | ||||
|     #[deserr(error = DeserrError<InvalidApiKeyExpiresAt>, default = None, from(&String) = parse_expiration_date -> TakeErrorMessage<ParseOffsetDateTimeError>)] | ||||
|     pub expires_at: Option<OffsetDateTime>, | ||||
| } | ||||
| @@ -109,7 +109,7 @@ pub struct Key { | ||||
|     pub name: Option<String>, | ||||
|     pub uid: KeyId, | ||||
|     pub actions: Vec<Action>, | ||||
|     pub indexes: Vec<StarOr<IndexUidPattern>>, | ||||
|     pub indexes: Vec<IndexUidPattern>, | ||||
|     #[serde(with = "time::serde::rfc3339::option")] | ||||
|     pub expires_at: Option<OffsetDateTime>, | ||||
|     #[serde(with = "time::serde::rfc3339")] | ||||
| @@ -127,7 +127,7 @@ impl Key { | ||||
|             description: Some("Use it for anything that is not a search operation. Caution! Do not expose it on a public frontend".to_string()), | ||||
|             uid, | ||||
|             actions: vec![Action::All], | ||||
|             indexes: vec![StarOr::Star], | ||||
|             indexes: vec![IndexUidPattern::all()], | ||||
|             expires_at: None, | ||||
|             created_at: now, | ||||
|             updated_at: now, | ||||
| @@ -142,7 +142,7 @@ impl Key { | ||||
|             description: Some("Use it to search from the frontend".to_string()), | ||||
|             uid, | ||||
|             actions: vec![Action::Search], | ||||
|             indexes: vec![StarOr::Star], | ||||
|             indexes: vec![IndexUidPattern::all()], | ||||
|             expires_at: None, | ||||
|             created_at: now, | ||||
|             updated_at: now, | ||||
|   | ||||
| @@ -230,7 +230,10 @@ pub mod policies { | ||||
|                     } | ||||
|                 } | ||||
|  | ||||
|                 return auth.get_key_filters(uid, Some(data.claims.search_rules)).ok(); | ||||
|                 match auth.get_key_filters(uid, Some(data.claims.search_rules)) { | ||||
|                     Ok(auth) if auth.search_rules.is_index_authorized() => Some(auth), | ||||
|                     _ => None, | ||||
|                 } | ||||
|             } | ||||
|  | ||||
|             None | ||||
|   | ||||
		Reference in New Issue
	
	Block a user