Fix(auth): Forbid index creation on alternates routes

Forbid index creation on alternates routes when the action `index.create` is not given fix #2024
2025-07-03 11:57:07 +02:00 · 2021-12-15 14:52:33 +01:00 · 2021-12-15 14:52:33 +01:00 · a845cd8880
commit a845cd8880
parent 845d3114ea
11 changed files with 213 additions and 23 deletions
--- a/meilisearch-http/src/routes/indexes/documents.rs
+++ b/meilisearch-http/src/routes/indexes/documents.rs
@ -173,6 +173,7 @@ pub async fn add_documents(
        &req,
    );

+    let allow_index_creation = meilisearch.filters().allow_index_creation;
    let task = document_addition(
        extract_mime_type(&req)?,
        meilisearch,
@ -180,6 +181,7 @@ pub async fn add_documents(
        params.primary_key,
        body,
        IndexDocumentsMethod::ReplaceDocuments,
+        allow_index_creation,
    )
    .await?;

@ -203,6 +205,7 @@ pub async fn update_documents(
        &req,
    );

+    let allow_index_creation = meilisearch.filters().allow_index_creation;
    let task = document_addition(
        extract_mime_type(&req)?,
        meilisearch,
@ -210,6 +213,7 @@ pub async fn update_documents(
        params.into_inner().primary_key,
        body,
        IndexDocumentsMethod::UpdateDocuments,
+        allow_index_creation,
    )
    .await?;

@ -223,6 +227,7 @@ async fn document_addition(
    primary_key: Option<String>,
    body: Payload,
    method: IndexDocumentsMethod,
+    allow_index_creation: bool,
 ) -> Result<SummarizedTaskView, ResponseError> {
    let format = match mime_type
        .as_ref()
@ -250,6 +255,7 @@ async fn document_addition(
        primary_key,
        method,
        format,
+        allow_index_creation,
    };

    let task = meilisearch.register_update(index_uid, update).await?.into();
--- a/meilisearch-http/src/routes/indexes/settings.rs
+++ b/meilisearch-http/src/routes/indexes/settings.rs
@ -34,9 +34,12 @@ macro_rules! make_setting_route {
                    $attr: Setting::Reset,
                    ..Default::default()
                };
+
+                let allow_index_creation = meilisearch.filters().allow_index_creation;
                let update = Update::Settings {
                    settings,
                    is_deletion: true,
+                    allow_index_creation,
                };
                let task: SummarizedTaskView = meilisearch
                    .register_update(index_uid.into_inner(), update)
@ -66,9 +69,11 @@ macro_rules! make_setting_route {
                    ..Default::default()
                };

+                let allow_index_creation = meilisearch.filters().allow_index_creation;
                let update = Update::Settings {
                    settings,
                    is_deletion: false,
+                    allow_index_creation,
                };
                let task: SummarizedTaskView = meilisearch
                    .register_update(index_uid.into_inner(), update)
@ -272,9 +277,11 @@ pub async fn update_all(
        Some(&req),
    );

+    let allow_index_creation = meilisearch.filters().allow_index_creation;
    let update = Update::Settings {
        settings,
        is_deletion: false,
+        allow_index_creation,
    };
    let task: SummarizedTaskView = meilisearch
        .register_update(index_uid.into_inner(), update)
@ -300,9 +307,11 @@ pub async fn delete_all(
 ) -> Result<HttpResponse, ResponseError> {
    let settings = Settings::cleared().into_unchecked();

+    let allow_index_creation = data.filters().allow_index_creation;
    let update = Update::Settings {
        settings,
        is_deletion: true,
+        allow_index_creation,
    };
    let task: SummarizedTaskView = data
        .register_update(index_uid.into_inner(), update)
--- a/meilisearch-http/tests/auth/authorization.rs
+++ b/meilisearch-http/tests/auth/authorization.rs
@ -496,3 +496,135 @@ async fn list_authorized_tasks_no_index_restriction() {
    // key should have access on `test` index.
    assert!(response.iter().any(|task| task["indexUid"] == "test"));
 }
+
+#[actix_rt::test]
+async fn error_creating_index_without_action() {
+    let mut server = Server::new_auth().await;
+    server.use_api_key("MASTER_KEY");
+
+    // create key with access on all indexes.
+    let content = json!({
+        "indexes": ["*"],
+        "actions": ALL_ACTIONS.iter().cloned().filter(|a| *a != "indexes.create").collect::<Vec<_>>(),
+        "expiresAt": "2050-11-13T00:00:00Z"
+    });
+    let (response, code) = server.add_api_key(content).await;
+    assert_eq!(code, 201);
+    assert!(response["key"].is_string());
+
+    // use created key.
+    let key = response["key"].as_str().unwrap();
+    server.use_api_key(&key);
+
+    let expected_error = json!({
+        "message": "Index `test` not found.",
+        "code": "index_not_found",
+        "type": "invalid_request",
+        "link": "https://docs.meilisearch.com/errors#index_not_found"
+    });
+
+    // try to create a index via add documents route
+    let index = server.index("test");
+    let documents = json!([
+        {
+            "id": 1,
+            "content": "foo",
+        }
+    ]);
+
+    let (response, code) = index.add_documents(documents, None).await;
+    assert_eq!(code, 202, "{:?}", response);
+    let task_id = response["uid"].as_u64().unwrap();
+
+    let response = index.wait_task(task_id).await;
+    assert_eq!(response["status"], "failed");
+    assert_eq!(response["error"], expected_error.clone());
+
+    // try to create a index via add settings route
+    let settings = json!({ "distinctAttribute": "test"});
+
+    let (response, code) = index.update_settings(settings).await;
+    assert_eq!(code, 202);
+    let task_id = response["uid"].as_u64().unwrap();
+
+    let response = index.wait_task(task_id).await;
+
+    assert_eq!(response["status"], "failed");
+    assert_eq!(response["error"], expected_error.clone());
+
+    // try to create a index via add specialized settings route
+    let (response, code) = index.update_distinct_attribute(json!("test")).await;
+    assert_eq!(code, 202);
+    let task_id = response["uid"].as_u64().unwrap();
+
+    let response = index.wait_task(task_id).await;
+
+    assert_eq!(response["status"], "failed");
+    assert_eq!(response["error"], expected_error.clone());
+}
+
+#[actix_rt::test]
+async fn lazy_create_index() {
+    let mut server = Server::new_auth().await;
+    server.use_api_key("MASTER_KEY");
+
+    // create key with access on all indexes.
+    let content = json!({
+        "indexes": ["*"],
+        "actions": ["*"],
+        "expiresAt": "2050-11-13T00:00:00Z"
+    });
+
+    let (response, code) = server.add_api_key(content).await;
+    assert_eq!(code, 201);
+    assert!(response["key"].is_string());
+
+    // use created key.
+    let key = response["key"].as_str().unwrap();
+    server.use_api_key(&key);
+
+    // try to create a index via add documents route
+    let index = server.index("test");
+    let documents = json!([
+        {
+            "id": 1,
+            "content": "foo",
+        }
+    ]);
+
+    let (response, code) = index.add_documents(documents, None).await;
+    assert_eq!(code, 202, "{:?}", response);
+    let task_id = response["uid"].as_u64().unwrap();
+
+    index.wait_task(task_id).await;
+
+    let (response, code) = index.get_task(task_id).await;
+    assert_eq!(code, 200);
+    assert_eq!(response["status"], "succeeded");
+
+    // try to create a index via add settings route
+    let index = server.index("test1");
+    let settings = json!({ "distinctAttribute": "test"});
+
+    let (response, code) = index.update_settings(settings).await;
+    assert_eq!(code, 202);
+    let task_id = response["uid"].as_u64().unwrap();
+
+    index.wait_task(task_id).await;
+
+    let (response, code) = index.get_task(task_id).await;
+    assert_eq!(code, 200);
+    assert_eq!(response["status"], "succeeded");
+
+    // try to create a index via add specialized settings route
+    let index = server.index("test2");
+    let (response, code) = index.update_distinct_attribute(json!("test")).await;
+    assert_eq!(code, 202);
+    let task_id = response["uid"].as_u64().unwrap();
+
+    index.wait_task(task_id).await;
+
+    let (response, code) = index.get_task(task_id).await;
+    assert_eq!(code, 200);
+    assert_eq!(response["status"], "succeeded");
+}
--- a/meilisearch-http/tests/auth/mod.rs
+++ b/meilisearch-http/tests/auth/mod.rs
@ -2,29 +2,12 @@ mod api_keys;
 mod authorization;
 mod payload;

-use crate::common::server::default_settings;
-use crate::common::server::TEST_TEMP_DIR;
 use crate::common::Server;
 use actix_web::http::StatusCode;
+
 use serde_json::{json, Value};
-use tempfile::TempDir;

 impl Server {
-    pub async fn new_auth() -> Self {
-        let dir = TempDir::new().unwrap();
-
-        if cfg!(windows) {
-            std::env::set_var("TMP", TEST_TEMP_DIR.path());
-        } else {
-            std::env::set_var("TMPDIR", TEST_TEMP_DIR.path());
-        }
-
-        let mut options = default_settings(dir.path());
-        options.master_key = Some("MASTER_KEY".to_string());
-
-        Self::new_with_options(options).await
-    }
-
    pub fn use_api_key(&mut self, api_key: impl AsRef<str>) {
        self.service.api_key = Some(api_key.as_ref().to_string());
    }
--- a/meilisearch-http/tests/common/server.rs
+++ b/meilisearch-http/tests/common/server.rs
@ -50,6 +50,33 @@ impl Server {
        }
    }

+    pub async fn new_auth() -> Self {
+        let dir = TempDir::new().unwrap();
+
+        if cfg!(windows) {
+            std::env::set_var("TMP", TEST_TEMP_DIR.path());
+        } else {
+            std::env::set_var("TMPDIR", TEST_TEMP_DIR.path());
+        }
+
+        let mut options = default_settings(dir.path());
+        options.master_key = Some("MASTER_KEY".to_string());
+
+        let meilisearch = setup_meilisearch(&options).unwrap();
+        let auth = AuthController::new(&options.db_path, &options.master_key).unwrap();
+        let service = Service {
+            meilisearch,
+            auth,
+            options,
+            api_key: None,
+        };
+
+        Server {
+            service,
+            _dir: Some(dir),
+        }
+    }
+
    pub async fn new_with_options(options: Opt) -> Self {
        let meilisearch = setup_meilisearch(&options).unwrap();
        let auth = AuthController::new(&options.db_path, &options.master_key).unwrap();