searchengines-web/MeiliSearch
searchengines-web/MeiliSearch
1
0
Fork 0
mirror of https://github.com/meilisearch/MeiliSearch synced 2025-07-03 11:57:07 +02:00
Code Issues Releases Wiki Activity

Merge #1989

Browse source 
1989: Extend API keys r=curquiza a=ManyTheFish

# Pull Request

## What does this PR do?

- Add API keys in snapshots
- Add API keys in dumps
- fix QA #1979

fix #1979
fix #1995
fix #2001
fix #2003

related to #1890

Co-authored-by: many <maxime@meilisearch.com>
This commit is contained in:
bors[bot] 2021-12-14 17:22:58 +00:00 committed by GitHub
commit 5af51c852c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
19 changed files with 418 additions and 204 deletions
Download patch file Download diff file Expand all files Collapse all files

213
meilisearch-http/tests/auth/api_keys.rs
View file

@ -1,6 +1,7 @@
use crate::common::Server;
use assert_json_diff::assert_json_include;
use serde_json::json;
use std::{thread, time};
#[actix_rt::test]
async fn add_valid_api_key() {
@ -15,7 +16,7 @@ async fn add_valid_api_key() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -43,7 +44,7 @@ async fn add_valid_api_key() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -71,7 +72,7 @@ async fn add_valid_api_key_no_description() {
"actions": [
"documents.add"
],
"expiresAt": "2050-11-13T00:00:00Z"
"expiresAt": "2050-11-13T00:00:00"
});
let (response, code) = server.add_api_key(content).await;
@ -153,9 +154,7 @@ async fn error_add_api_key_missing_parameter() {
// missing indexes
let content = json!({
"description": "Indexing API key",
"actions": [
"documents.add"
],
"actions": ["documents.add"],
"expiresAt": "2050-11-13T00:00:00Z"
});
let (response, code) = server.add_api_key(content).await;
@ -187,6 +186,24 @@ async fn error_add_api_key_missing_parameter() {
assert_eq!(response, expected_response);
assert_eq!(code, 400);
// missing expiration date
let content = json!({
"description": "Indexing API key",
"indexes": ["products"],
"actions": ["documents.add"],
});
let (response, code) = server.add_api_key(content).await;
let expected_response = json!({
"message": "`expiresAt` field is mandatory.",
"code": "missing_parameter",
"type": "invalid_request",
"link":"https://docs.meilisearch.com/errors#missing_parameter"
});
assert_eq!(response, expected_response);
assert_eq!(code, 400);
}
#[actix_rt::test]
@ -311,6 +328,32 @@ async fn error_add_api_key_invalid_parameters_expires_at() {
assert_eq!(code, 400);
}
#[actix_rt::test]
async fn error_add_api_key_invalid_parameters_expires_at_in_the_past() {
let mut server = Server::new_auth().await;
server.use_api_key("MASTER_KEY");
let content = json!({
"description": "Indexing API key",
"indexes": ["products"],
"actions": [
"documents.add"
],
"expiresAt": "2010-11-13T00:00:00Z"
});
let (response, code) = server.add_api_key(content).await;
let expected_response = json!({
"message": r#"expiresAt field value `"2010-11-13T00:00:00Z"` is invalid. It should be in ISO-8601 format to represents a date or datetime in the future or specified as a null value. e.g. 'YYYY-MM-DD' or 'YYYY-MM-DDTHH:MM:SS'."#,
"code": "invalid_api_key_expires_at",
"type": "invalid_request",
"link": "https://docs.meilisearch.com/errors#invalid_api_key_expires_at"
});
assert_eq!(response, expected_response);
assert_eq!(code, 400);
}
#[actix_rt::test]
async fn get_api_key() {
let mut server = Server::new_auth().await;
@ -324,7 +367,7 @@ async fn get_api_key() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -359,7 +402,7 @@ async fn get_api_key() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -449,7 +492,7 @@ async fn list_api_keys() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -468,19 +511,9 @@ async fn list_api_keys() {
assert_eq!(code, 201);
let (response, code) = server.list_api_keys().await;
assert!(response.is_array());
let response = &response.as_array().unwrap();
let created_key = response
.iter()
.find(|x| x["description"] == "Indexing API key")
.unwrap();
assert!(created_key["key"].is_string());
assert!(created_key["expiresAt"].is_string());
assert!(created_key["createdAt"].is_string());
assert!(created_key["updatedAt"].is_string());
let expected_response = json!({
let expected_response = json!([
{
"description": "Indexing API key",
"indexes": ["products"],
"actions": [
@ -488,7 +521,7 @@ async fn list_api_keys() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -500,49 +533,21 @@ async fn list_api_keys() {
"dumps.get"
],
"expiresAt": "2050-11-13T00:00:00Z"
});
assert_json_include!(actual: created_key, expected: expected_response);
assert_eq!(code, 200);
// check if default admin key is present.
let admin_key = response
.iter()
.find(|x| x["description"] == "Default Admin API Key (Use it for all other operations. Caution! Do not use it on a public frontend)")
.unwrap();
assert!(created_key["key"].is_string());
assert!(created_key["expiresAt"].is_string());
assert!(created_key["createdAt"].is_string());
assert!(created_key["updatedAt"].is_string());
let expected_response = json!({
"description": "Default Admin API Key (Use it for all other operations. Caution! Do not use it on a public frontend)",
"indexes": ["*"],
"actions": ["*"],
"expiresAt": serde_json::Value::Null,
});
assert_json_include!(actual: admin_key, expected: expected_response);
assert_eq!(code, 200);
// check if default search key is present.
let admin_key = response
.iter()
.find(|x| x["description"] == "Default Search API Key (Use it to search from the frontend)")
.unwrap();
assert!(created_key["key"].is_string());
assert!(created_key["expiresAt"].is_string());
assert!(created_key["createdAt"].is_string());
assert!(created_key["updatedAt"].is_string());
let expected_response = json!({
},
{
"description": "Default Search API Key (Use it to search from the frontend)",
"indexes": ["*"],
"actions": ["search"],
"expiresAt": serde_json::Value::Null,
});
},
{
"description": "Default Admin API Key (Use it for all other operations. Caution! Do not use it on a public frontend)",
"indexes": ["*"],
"actions": ["*"],
"expiresAt": serde_json::Value::Null,
}]);
assert_json_include!(actual: admin_key, expected: expected_response);
assert_json_include!(actual: response, expected: expected_response);
assert_eq!(code, 200);
}
@ -594,7 +599,7 @@ async fn delete_api_key() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -694,7 +699,7 @@ async fn patch_api_key_description() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -719,6 +724,7 @@ async fn patch_api_key_description() {
// Add a description
let content = json!({ "description": "Indexing API key" });
thread::sleep(time::Duration::new(1, 0));
let (response, code) = server.patch_api_key(&key, content).await;
assert!(response["key"].is_string());
assert!(response["expiresAt"].is_string());
@ -734,7 +740,7 @@ async fn patch_api_key_description() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -764,7 +770,7 @@ async fn patch_api_key_description() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -793,7 +799,7 @@ async fn patch_api_key_description() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -821,7 +827,7 @@ async fn patch_api_key_indexes() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -845,6 +851,7 @@ async fn patch_api_key_indexes() {
let content = json!({ "indexes": ["products", "prices"] });
thread::sleep(time::Duration::new(1, 0));
let (response, code) = server.patch_api_key(&key, content).await;
assert!(response["key"].is_string());
assert!(response["expiresAt"].is_string());
@ -860,7 +867,7 @@ async fn patch_api_key_indexes() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -888,7 +895,7 @@ async fn patch_api_key_actions() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -920,6 +927,7 @@ async fn patch_api_key_actions() {
],
});
thread::sleep(time::Duration::new(1, 0));
let (response, code) = server.patch_api_key(&key, content).await;
assert!(response["key"].is_string());
assert!(response["expiresAt"].is_string());
@ -957,7 +965,7 @@ async fn patch_api_key_expiration_date() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -965,7 +973,7 @@ async fn patch_api_key_expiration_date() {
"dumps.create",
"dumps.get"
],
"expiresAt": "205-11-13T00:00:00Z"
"expiresAt": "2050-11-13T00:00:00Z"
});
let (response, code) = server.add_api_key(content).await;
@ -981,6 +989,7 @@ async fn patch_api_key_expiration_date() {
let content = json!({ "expiresAt": "2055-11-13T00:00:00Z" });
thread::sleep(time::Duration::new(1, 0));
let (response, code) = server.patch_api_key(&key, content).await;
assert!(response["key"].is_string());
assert!(response["expiresAt"].is_string());
@ -996,7 +1005,7 @@ async fn patch_api_key_expiration_date() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -1166,3 +1175,65 @@ async fn error_patch_api_key_indexes_invalid_parameters() {
assert_eq!(response, expected_response);
assert_eq!(code, 400);
}
#[actix_rt::test]
async fn error_access_api_key_routes_no_master_key_set() {
let mut server = Server::new().await;
let expected_response = json!({
"message": "The Authorization header is missing. It must use the bearer authorization method.",
"code": "missing_authorization_header",
"type": "auth",
"link": "https://docs.meilisearch.com/errors#missing_authorization_header"
});
let expected_code = 401;
let (response, code) = server.add_api_key(json!({})).await;
assert_eq!(response, expected_response);
assert_eq!(code, expected_code);
let (response, code) = server.patch_api_key("content", json!({})).await;
assert_eq!(response, expected_response);
assert_eq!(code, expected_code);
let (response, code) = server.get_api_key("content").await;
assert_eq!(response, expected_response);
assert_eq!(code, expected_code);
let (response, code) = server.list_api_keys().await;
assert_eq!(response, expected_response);
assert_eq!(code, expected_code);
server.use_api_key("MASTER_KEY");
let expected_response = json!({"message": "The provided API key is invalid.",
"code": "invalid_api_key",
"type": "auth",
"link": "https://docs.meilisearch.com/errors#invalid_api_key"
});
let expected_code = 403;
let (response, code) = server.add_api_key(json!({})).await;
assert_eq!(response, expected_response);
assert_eq!(code, expected_code);
let (response, code) = server.patch_api_key("content", json!({})).await;
assert_eq!(response, expected_response);
assert_eq!(code, expected_code);
let (response, code) = server.get_api_key("content").await;
assert_eq!(response, expected_response);
assert_eq!(code, expected_code);
let (response, code) = server.list_api_keys().await;
assert_eq!(response, expected_response);
assert_eq!(code, expected_code);
}

106
meilisearch-http/tests/auth/authorization.rs
View file

@ -1,4 +1,5 @@
use crate::common::Server;
use chrono::{Duration, Utc};
use maplit::hashmap;
use once_cell::sync::Lazy;
use serde_json::{json, Value};
@ -19,7 +20,7 @@ static AUTHORIZATIONS: Lazy<HashMap<(&'static str, &'static str), &'static str>>
("PUT", "/indexes/products/") => "indexes.update",
("GET", "/indexes/products/") => "indexes.get",
("DELETE", "/indexes/products/") => "indexes.delete",
("POST", "/indexes") => "indexes.add",
("POST", "/indexes") => "indexes.create",
("GET", "/indexes") => "indexes.get",
("GET", "/indexes/products/settings") => "settings.get",
("GET", "/indexes/products/settings/displayed-attributes") => "settings.get",
@ -61,13 +62,15 @@ static INVALID_RESPONSE: Lazy<Value> = Lazy::new(|| {
#[actix_rt::test]
async fn error_access_expired_key() {
use std::{thread, time};
let mut server = Server::new_auth().await;
server.use_api_key("MASTER_KEY");
let content = json!({
"indexes": ["products"],
"actions": ALL_ACTIONS.clone(),
"expiresAt": "2020-11-13T00:00:00Z"
"expiresAt": (Utc::now() + Duration::seconds(1)),
});
let (response, code) = server.add_api_key(content).await;
@ -77,6 +80,9 @@ async fn error_access_expired_key() {
let key = response["key"].as_str().unwrap();
server.use_api_key(&key);
// wait until the key is expired.
thread::sleep(time::Duration::new(1, 0));
for (method, route) in AUTHORIZATIONS.keys() {
let (response, code) = server.dummy_request(method, route).await;
@ -93,7 +99,7 @@ async fn error_access_unauthorized_index() {
let content = json!({
"indexes": ["sales"],
"actions": ALL_ACTIONS.clone(),
"expiresAt": "2050-11-13T00:00:00Z"
"expiresAt": Utc::now() + Duration::hours(1),
});
let (response, code) = server.add_api_key(content).await;
@ -123,7 +129,7 @@ async fn error_access_unauthorized_action() {
let content = json!({
"indexes": ["products"],
"actions": [],
"expiresAt": "2050-11-13T00:00:00Z"
"expiresAt": Utc::now() + Duration::hours(1),
});
let (response, code) = server.add_api_key(content).await;
@ -159,7 +165,7 @@ async fn access_authorized_restricted_index() {
let content = json!({
"indexes": ["products"],
"actions": [],
"expiresAt": "2050-11-13T00:00:00Z"
"expiresAt": Utc::now() + Duration::hours(1),
});
let (response, code) = server.add_api_key(content).await;
@ -210,7 +216,7 @@ async fn access_authorized_no_index_restriction() {
let content = json!({
"indexes": ["*"],
"actions": [],
"expiresAt": "2050-11-13T00:00:00Z"
"expiresAt": Utc::now() + Duration::hours(1),
});
let (response, code) = server.add_api_key(content).await;
@ -272,7 +278,7 @@ async fn access_authorized_stats_restricted_index() {
let content = json!({
"indexes": ["products"],
"actions": ["stats.get"],
"expiresAt": "2050-11-13T00:00:00Z"
"expiresAt": Utc::now() + Duration::hours(1),
});
let (response, code) = server.add_api_key(content).await;
assert_eq!(code, 201);
@ -311,7 +317,7 @@ async fn access_authorized_stats_no_index_restriction() {
let content = json!({
"indexes": ["*"],
"actions": ["stats.get"],
"expiresAt": "2050-11-13T00:00:00Z"
"expiresAt": Utc::now() + Duration::hours(1),
});
let (response, code) = server.add_api_key(content).await;
assert_eq!(code, 201);
@ -350,7 +356,7 @@ async fn list_authorized_indexes_restricted_index() {
let content = json!({
"indexes": ["products"],
"actions": ["indexes.get"],
"expiresAt": "2050-11-13T00:00:00Z"
"expiresAt": Utc::now() + Duration::hours(1),
});
let (response, code) = server.add_api_key(content).await;
assert_eq!(code, 201);
@ -390,7 +396,7 @@ async fn list_authorized_indexes_no_index_restriction() {
let content = json!({
"indexes": ["*"],
"actions": ["indexes.get"],
"expiresAt": "2050-11-13T00:00:00Z"
"expiresAt": Utc::now() + Duration::hours(1),
});
let (response, code) = server.add_api_key(content).await;
assert_eq!(code, 201);
@ -410,3 +416,83 @@ async fn list_authorized_indexes_no_index_restriction() {
// key should have access on `test` index.
assert!(response.iter().any(|index| index["uid"] == "test"));
}
#[actix_rt::test]
async fn list_authorized_tasks_restricted_index() {
let mut server = Server::new_auth().await;
server.use_api_key("MASTER_KEY");
// create index `test`
let index = server.index("test");
let (_, code) = index.create(Some("id")).await;
assert_eq!(code, 202);
// create index `products`
let index = server.index("products");
let (_, code) = index.create(Some("product_id")).await;
assert_eq!(code, 202);
index.wait_task(0).await;
// create key with access on `products` index only.
let content = json!({
"indexes": ["products"],
"actions": ["tasks.get"],
"expiresAt": Utc::now() + Duration::hours(1),
});
let (response, code) = server.add_api_key(content).await;
assert_eq!(code, 201);
assert!(response["key"].is_string());
// use created key.
let key = response["key"].as_str().unwrap();
server.use_api_key(&key);
let (response, code) = server.service.get("/tasks").await;
assert_eq!(code, 200);
println!("{}", response);
let response = response["results"].as_array().unwrap();
// key should have access on `products` index.
assert!(response.iter().any(|task| task["indexUid"] == "products"));
// key should not have access on `test` index.
assert!(!response.iter().any(|task| task["indexUid"] == "test"));
}
#[actix_rt::test]
async fn list_authorized_tasks_no_index_restriction() {
let mut server = Server::new_auth().await;
server.use_api_key("MASTER_KEY");
// create index `test`
let index = server.index("test");
let (_, code) = index.create(Some("id")).await;
assert_eq!(code, 202);
// create index `products`
let index = server.index("products");
let (_, code) = index.create(Some("product_id")).await;
assert_eq!(code, 202);
index.wait_task(0).await;
// create key with access on all indexes.
let content = json!({
"indexes": ["*"],
"actions": ["tasks.get"],
"expiresAt": Utc::now() + Duration::hours(1),
});
let (response, code) = server.add_api_key(content).await;
assert_eq!(code, 201);
assert!(response["key"].is_string());
// use created key.
let key = response["key"].as_str().unwrap();
server.use_api_key(&key);
let (response, code) = server.service.get("/tasks").await;
assert_eq!(code, 200);
let response = response["results"].as_array().unwrap();
// key should have access on `products` index.
assert!(response.iter().any(|task| task["indexUid"] == "products"));
// key should have access on `test` index.
assert!(response.iter().any(|task| task["indexUid"] == "test"));
}