mirror of
				https://github.com/meilisearch/meilisearch.git
				synced 2025-10-25 21:16:28 +00:00 
			
		
		
		
	feat(auth): API keys
implements: https://github.com/meilisearch/specifications/blob/develop/text/0085-api-keys.md - Add tests on API keys management route (meilisearch-http/tests/auth/api_keys.rs) - Add tests checking authorizations on each meilisearch routes (meilisearch-http/tests/auth/authorization.rs) - Implement API keys management routes (meilisearch-http/src/routes/api_key.rs) - Create module to manage API keys and authorizations (meilisearch-auth) - Reimplement GuardedData to extend authorizations (meilisearch-http/src/extractors/authentication/mod.rs) - Change X-MEILI-API-KEY by Authorization Bearer (meilisearch-http/src/extractors/authentication/mod.rs) - Change meilisearch routes to fit to the new authorization feature (meilisearch-http/src/routes/) - close #1867
This commit is contained in:
		| @@ -2,15 +2,13 @@ use meilisearch_error::{Code, ErrorCode}; | ||||
|  | ||||
| #[derive(Debug, thiserror::Error)] | ||||
| pub enum AuthenticationError { | ||||
|     #[error("The X-MEILI-API-KEY header is missing.")] | ||||
|     #[error("The Authorization header is missing. It must use the bearer authorization method.")] | ||||
|     MissingAuthorizationHeader, | ||||
|     #[error("The provided API key is invalid.")] | ||||
|     InvalidToken(String), | ||||
|     // Triggered on configuration error. | ||||
|     #[error("An internal error has occurred. `Irretrievable state`.")] | ||||
|     IrretrievableState, | ||||
|     #[error("An internal error has occurred. `Unknown authentication policy`.")] | ||||
|     UnknownPolicy, | ||||
| } | ||||
|  | ||||
| impl ErrorCode for AuthenticationError { | ||||
| @@ -19,7 +17,6 @@ impl ErrorCode for AuthenticationError { | ||||
|             AuthenticationError::MissingAuthorizationHeader => Code::MissingAuthorizationHeader, | ||||
|             AuthenticationError::InvalidToken(_) => Code::InvalidToken, | ||||
|             AuthenticationError::IrretrievableState => Code::Internal, | ||||
|             AuthenticationError::UnknownPolicy => Code::Internal, | ||||
|         } | ||||
|     } | ||||
| } | ||||
|   | ||||
| @@ -1,7 +1,5 @@ | ||||
| mod error; | ||||
|  | ||||
| use std::any::{Any, TypeId}; | ||||
| use std::collections::HashMap; | ||||
| use std::marker::PhantomData; | ||||
| use std::ops::Deref; | ||||
|  | ||||
| @@ -11,73 +9,20 @@ use futures::future::{ok, Ready}; | ||||
| use meilisearch_error::ResponseError; | ||||
|  | ||||
| use error::AuthenticationError; | ||||
|  | ||||
| macro_rules! create_policies { | ||||
|     ($($name:ident), *) => { | ||||
|         pub mod policies { | ||||
|             use std::collections::HashSet; | ||||
|             use crate::extractors::authentication::Policy; | ||||
|  | ||||
|             $( | ||||
|                 #[derive(Debug, Default)] | ||||
|                 pub struct $name { | ||||
|                     inner: HashSet<Vec<u8>> | ||||
|                 } | ||||
|  | ||||
|                 impl $name { | ||||
|                     pub fn new() -> Self { | ||||
|                         Self { inner: HashSet::new() } | ||||
|                     } | ||||
|  | ||||
|                     pub fn add(&mut self, token: Vec<u8>) { | ||||
|                         self.inner.insert(token); | ||||
|                     } | ||||
|                 } | ||||
|  | ||||
|                 impl Policy for $name { | ||||
|                     fn authenticate(&self, token: &[u8]) -> bool { | ||||
|                         self.inner.contains(token) | ||||
|                     } | ||||
|                 } | ||||
|             )* | ||||
|         } | ||||
|     }; | ||||
| } | ||||
|  | ||||
| create_policies!(Public, Private, Admin); | ||||
|  | ||||
| /// Instanciate a `Policies`, filled with the given policies. | ||||
| macro_rules! init_policies { | ||||
|     ($($name:ident), *) => { | ||||
|         { | ||||
|             let mut policies = crate::extractors::authentication::Policies::new(); | ||||
|             $( | ||||
|                 let policy = $name::new(); | ||||
|                 policies.insert(policy); | ||||
|             )* | ||||
|             policies | ||||
|         } | ||||
|     }; | ||||
| } | ||||
|  | ||||
| /// Adds user to all specified policies. | ||||
| macro_rules! create_users { | ||||
|     ($policies:ident, $($user:expr => { $($policy:ty), * }), *) => { | ||||
|         { | ||||
|             $( | ||||
|                 $( | ||||
|                     $policies.get_mut::<$policy>().map(|p| p.add($user.to_owned())); | ||||
|                 )* | ||||
|             )* | ||||
|         } | ||||
|     }; | ||||
| } | ||||
| use meilisearch_auth::{AuthController, AuthFilter}; | ||||
|  | ||||
| pub struct GuardedData<T, D> { | ||||
|     data: D, | ||||
|     filters: AuthFilter, | ||||
|     _marker: PhantomData<T>, | ||||
| } | ||||
|  | ||||
| impl<T, D> GuardedData<T, D> { | ||||
|     pub fn filters(&self) -> &AuthFilter { | ||||
|         &self.filters | ||||
|     } | ||||
| } | ||||
|  | ||||
| impl<T, D> Deref for GuardedData<T, D> { | ||||
|     type Target = D; | ||||
|  | ||||
| @@ -86,56 +31,6 @@ impl<T, D> Deref for GuardedData<T, D> { | ||||
|     } | ||||
| } | ||||
|  | ||||
| pub trait Policy { | ||||
|     fn authenticate(&self, token: &[u8]) -> bool; | ||||
| } | ||||
|  | ||||
| #[derive(Debug)] | ||||
| pub struct Policies { | ||||
|     inner: HashMap<TypeId, Box<dyn Any>>, | ||||
| } | ||||
|  | ||||
| impl Policies { | ||||
|     pub fn new() -> Self { | ||||
|         Self { | ||||
|             inner: HashMap::new(), | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     pub fn insert<S: Policy + 'static>(&mut self, policy: S) { | ||||
|         self.inner.insert(TypeId::of::<S>(), Box::new(policy)); | ||||
|     } | ||||
|  | ||||
|     pub fn get<S: Policy + 'static>(&self) -> Option<&S> { | ||||
|         self.inner | ||||
|             .get(&TypeId::of::<S>()) | ||||
|             .and_then(|p| p.downcast_ref::<S>()) | ||||
|     } | ||||
|  | ||||
|     pub fn get_mut<S: Policy + 'static>(&mut self) -> Option<&mut S> { | ||||
|         self.inner | ||||
|             .get_mut(&TypeId::of::<S>()) | ||||
|             .and_then(|p| p.downcast_mut::<S>()) | ||||
|     } | ||||
| } | ||||
|  | ||||
| impl Default for Policies { | ||||
|     fn default() -> Self { | ||||
|         Self::new() | ||||
|     } | ||||
| } | ||||
|  | ||||
| pub enum AuthConfig { | ||||
|     NoAuth, | ||||
|     Auth(Policies), | ||||
| } | ||||
|  | ||||
| impl Default for AuthConfig { | ||||
|     fn default() -> Self { | ||||
|         Self::NoAuth | ||||
|     } | ||||
| } | ||||
|  | ||||
| impl<P: Policy + 'static, D: 'static + Clone> FromRequest for GuardedData<P, D> { | ||||
|     type Config = AuthConfig; | ||||
|  | ||||
| @@ -152,32 +47,113 @@ impl<P: Policy + 'static, D: 'static + Clone> FromRequest for GuardedData<P, D> | ||||
|                 AuthConfig::NoAuth => match req.app_data::<D>().cloned() { | ||||
|                     Some(data) => ok(Self { | ||||
|                         data, | ||||
|                         filters: AuthFilter::default(), | ||||
|                         _marker: PhantomData, | ||||
|                     }), | ||||
|                     None => err(AuthenticationError::IrretrievableState.into()), | ||||
|                 }, | ||||
|                 AuthConfig::Auth(policies) => match policies.get::<P>() { | ||||
|                     Some(policy) => match req.headers().get("x-meili-api-key") { | ||||
|                         Some(token) => { | ||||
|                             if policy.authenticate(token.as_bytes()) { | ||||
|                                 match req.app_data::<D>().cloned() { | ||||
|                                     Some(data) => ok(Self { | ||||
|                                         data, | ||||
|                                         _marker: PhantomData, | ||||
|                                     }), | ||||
|                                     None => err(AuthenticationError::IrretrievableState.into()), | ||||
|                 AuthConfig::Auth => match req.app_data::<AuthController>().cloned() { | ||||
|                     Some(auth) => match req | ||||
|                         .headers() | ||||
|                         .get("Authorization") | ||||
|                         .map(|type_token| type_token.to_str().unwrap_or_default().splitn(2, ' ')) | ||||
|                     { | ||||
|                         Some(mut type_token) => match type_token.next() { | ||||
|                             Some("Bearer") => { | ||||
|                                 // TODO: find a less hardcoded way? | ||||
|                                 let index = req.match_info().get("index_uid"); | ||||
|                                 let token = type_token.next().unwrap_or("unknown"); | ||||
|                                 match P::authenticate(auth, token, index) { | ||||
|                                     Some(filters) => match req.app_data::<D>().cloned() { | ||||
|                                         Some(data) => ok(Self { | ||||
|                                             data, | ||||
|                                             filters, | ||||
|                                             _marker: PhantomData, | ||||
|                                         }), | ||||
|                                         None => err(AuthenticationError::IrretrievableState.into()), | ||||
|                                     }, | ||||
|                                     None => { | ||||
|                                         let token = token.to_string(); | ||||
|                                         err(AuthenticationError::InvalidToken(token).into()) | ||||
|                                     } | ||||
|                                 } | ||||
|                             } else { | ||||
|                                 let token = token.to_str().unwrap_or("unknown").to_string(); | ||||
|                                 err(AuthenticationError::InvalidToken(token).into()) | ||||
|                             } | ||||
|                         } | ||||
|                             _otherwise => { | ||||
|                                 err(AuthenticationError::MissingAuthorizationHeader.into()) | ||||
|                             } | ||||
|                         }, | ||||
|                         None => err(AuthenticationError::MissingAuthorizationHeader.into()), | ||||
|                     }, | ||||
|                     None => err(AuthenticationError::UnknownPolicy.into()), | ||||
|                     None => err(AuthenticationError::IrretrievableState.into()), | ||||
|                 }, | ||||
|             }, | ||||
|             None => err(AuthenticationError::IrretrievableState.into()), | ||||
|         } | ||||
|     } | ||||
| } | ||||
|  | ||||
| pub trait Policy { | ||||
|     fn authenticate(auth: AuthController, token: &str, index: Option<&str>) -> Option<AuthFilter>; | ||||
| } | ||||
|  | ||||
| pub mod policies { | ||||
|     use crate::extractors::authentication::Policy; | ||||
|     use meilisearch_auth::{Action, AuthController, AuthFilter}; | ||||
|     // reexport actions in policies in order to be used in routes configuration. | ||||
|     pub use meilisearch_auth::actions; | ||||
|  | ||||
|     pub struct MasterPolicy; | ||||
|  | ||||
|     impl Policy for MasterPolicy { | ||||
|         fn authenticate( | ||||
|             auth: AuthController, | ||||
|             token: &str, | ||||
|             _index: Option<&str>, | ||||
|         ) -> Option<AuthFilter> { | ||||
|             if let Some(master_key) = auth.get_master_key() { | ||||
|                 if master_key == token { | ||||
|                     return Some(AuthFilter::default()); | ||||
|                 } | ||||
|             } | ||||
|  | ||||
|             None | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     pub struct ActionPolicy<const A: u8>; | ||||
|  | ||||
|     impl<const A: u8> Policy for ActionPolicy<A> { | ||||
|         fn authenticate( | ||||
|             auth: AuthController, | ||||
|             token: &str, | ||||
|             index: Option<&str>, | ||||
|         ) -> Option<AuthFilter> { | ||||
|             // authenticate if token is the master key. | ||||
|             if let Some(master_key) = auth.get_master_key() { | ||||
|                 if master_key == token { | ||||
|                     return Some(AuthFilter::default()); | ||||
|                 } | ||||
|             } | ||||
|  | ||||
|             // authenticate if token is allowed. | ||||
|             if let Some(action) = Action::from_repr(A) { | ||||
|                 let index = index.map(|i| i.as_bytes()); | ||||
|                 if let Ok(true) = auth.authenticate(token.as_bytes(), action, index) { | ||||
|                     return auth.get_key_filters(token).ok(); | ||||
|                 } | ||||
|             } | ||||
|  | ||||
|             None | ||||
|         } | ||||
|     } | ||||
| } | ||||
| pub enum AuthConfig { | ||||
|     NoAuth, | ||||
|     Auth, | ||||
| } | ||||
|  | ||||
| impl Default for AuthConfig { | ||||
|     fn default() -> Self { | ||||
|         Self::NoAuth | ||||
|     } | ||||
| } | ||||
|   | ||||
		Reference in New Issue
	
	Block a user