feat(auth): Implement Tenant token

Make meilisearch support JWT authentication signed with meilisearch API keys
using HS256, HS384 or HS512 algorithms.

Related spec: https://github.com/meilisearch/specifications/pull/89
Fix #1991

meilisearch-http/src/extractors/authentication/mod.rs

@@ -50,19 +50,23 @@ impl<P: Policy + 'static, D: 'static + Clone> FromRequest for GuardedData<P, D>
                     Some("Bearer") => {
                         // TODO: find a less hardcoded way?
                         let index = req.match_info().get("index_uid");
-                        let token = type_token.next().unwrap_or("unknown");
-                        match P::authenticate(auth, token, index) {
-                            Some(filters) => match req.app_data::<D>().cloned() {
-                                Some(data) => ok(Self {
-                                    data,
-                                    filters,
-                                    _marker: PhantomData,
-                                }),
-                                None => err(AuthenticationError::IrretrievableState.into()),
+                        match type_token.next() {
+                            Some(token) => match P::authenticate(auth, token, index) {
+                                Some(filters) => match req.app_data::<D>().cloned() {
+                                    Some(data) => ok(Self {
+                                        data,
+                                        filters,
+                                        _marker: PhantomData,
+                                    }),
+                                    None => err(AuthenticationError::IrretrievableState.into()),
+                                },
+                                None => {
+                                    let token = token.to_string();
+                                    err(AuthenticationError::InvalidToken(token).into())
+                                }
                             },
                             None => {
-                                let token = token.to_string();
-                                err(AuthenticationError::InvalidToken(token).into())
+                                err(AuthenticationError::InvalidToken("unknown".to_string()).into())
                             }
                         }
                     }
@@ -90,11 +94,22 @@ pub trait Policy {
 }
 
 pub mod policies {
+    use chrono::Utc;
+    use jsonwebtoken::{dangerous_insecure_decode, decode, Algorithm, DecodingKey, Validation};
+    use once_cell::sync::Lazy;
+    use serde::{Deserialize, Serialize};
+
     use crate::extractors::authentication::Policy;
-    use meilisearch_auth::{Action, AuthController, AuthFilter};
+    use meilisearch_auth::{Action, AuthController, AuthFilter, SearchRules};
     // reexport actions in policies in order to be used in routes configuration.
     pub use meilisearch_auth::actions;
 
+    pub static TENANT_TOKEN_VALIDATION: Lazy<Validation> = Lazy::new(|| Validation {
+        validate_exp: false,
+        algorithms: vec![Algorithm::HS256, Algorithm::HS384, Algorithm::HS512],
+        ..Default::default()
+    });
+
     pub struct MasterPolicy;
 
     impl Policy for MasterPolicy {
@@ -126,15 +141,81 @@ pub mod policies {
                 return Some(AuthFilter::default());
             }
 
-            // authenticate if token is allowed.
-            if let Some(action) = Action::from_repr(A) {
-                let index = index.map(|i| i.as_bytes());
+            // Tenant token
+            if let Some(filters) = ActionPolicy::<A>::authenticate_tenant_token(&auth, token, index)
+            {
+                return Some(filters);
+            } else if let Some(action) = Action::from_repr(A) {
+                // API key
                 if let Ok(true) = auth.authenticate(token.as_bytes(), action, index) {
-                    return auth.get_key_filters(token).ok();
+                    return auth.get_key_filters(token, None).ok();
                 }
             }
 
             None
         }
     }
+
+    impl<const A: u8> ActionPolicy<A> {
+        fn authenticate_tenant_token(
+            auth: &AuthController,
+            token: &str,
+            index: Option<&str>,
+        ) -> Option<AuthFilter> {
+            // Only search action can be accessed by a tenant token.
+            if A != actions::SEARCH {
+                return None;
+            }
+
+            // get token fields without validating it.
+            let Claims {
+                search_rules,
+                exp,
+                api_key_prefix,
+            } = dangerous_insecure_decode::<Claims>(token).ok()?.claims;
+
+            // Check index access if an index restriction is provided.
+            if let Some(index) = index {
+                if !search_rules.is_index_authorized(index) {
+                    return None;
+                }
+            }
+
+            // Check if token is expired.
+            if let Some(exp) = exp {
+                if Utc::now().timestamp() > exp {
+                    return None;
+                }
+            }
+
+            // check if parent key is authorized to do the action.
+            if auth
+                .is_key_authorized(api_key_prefix.as_bytes(), Action::Search, index)
+                .ok()?
+            {
+                // Check if tenant token is valid.
+                let key = auth.generate_key(&api_key_prefix)?;
+                decode::<Claims>(
+                    token,
+                    &DecodingKey::from_secret(key.as_bytes()),
+                    &TENANT_TOKEN_VALIDATION,
+                )
+                .ok()?;
+
+                return auth
+                    .get_key_filters(api_key_prefix, Some(search_rules))
+                    .ok();
+            }
+
+            None
+        }
+    }
+
+    #[derive(Debug, Serialize, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    struct Claims {
+        search_rules: SearchRules,
+        exp: Option<i64>,
+        api_key_prefix: String,
+    }
 }