From 987a7f892639281bd8d3fe6f98474ec74af0a11c Mon Sep 17 00:00:00 2001 From: ManyTheFish Date: Wed, 8 Jun 2022 14:04:45 +0200 Subject: [PATCH 1/3] Wrap sha256 in HMAC instead of directly use sha256 --- Cargo.lock | 17 +++++++++++++++++ meilisearch-auth/Cargo.toml | 1 + meilisearch-auth/src/store.rs | 11 +++++++---- 3 files changed, 25 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index a1be24517..d4d977ab3 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -927,6 +927,7 @@ checksum = "f2fb860ca6fafa5552fb6d0e816a69c8e49f0908bf524e30a90d97c85892d506" dependencies = [ "block-buffer", "crypto-common", + "subtle", ] [[package]] @@ -1460,6 +1461,15 @@ version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70" +[[package]] +name = "hmac" +version = "0.12.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e" +dependencies = [ + "digest", +] + [[package]] name = "http" version = "0.2.7" @@ -1974,6 +1984,7 @@ version = "0.27.1" dependencies = [ "base64", "enum-iterator", + "hmac", "meilisearch-error", "milli", "rand", @@ -3272,6 +3283,12 @@ version = "0.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623" +[[package]] +name = "subtle" +version = "2.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601" + [[package]] name = "syn" version = "0.15.44" diff --git a/meilisearch-auth/Cargo.toml b/meilisearch-auth/Cargo.toml index 29fa78a14..bb4a9382c 100644 --- a/meilisearch-auth/Cargo.toml +++ b/meilisearch-auth/Cargo.toml @@ -6,6 +6,7 @@ edition = "2021" [dependencies] base64 = "0.13.0" enum-iterator = "0.7.0" +hmac = "0.12.1" meilisearch-error = { path = "../meilisearch-error" } milli = { git = "https://github.com/meilisearch/milli.git", tag = "v0.28.0" } rand = "0.8.4" diff --git a/meilisearch-auth/src/store.rs b/meilisearch-auth/src/store.rs index 48ff6e259..dd976fd29 100644 --- a/meilisearch-auth/src/store.rs +++ b/meilisearch-auth/src/store.rs @@ -8,9 +8,10 @@ use std::str; use std::sync::Arc; use enum_iterator::IntoEnumIterator; +use hmac::{Hmac, Mac}; use milli::heed::types::{ByteSlice, DecodeIgnore, SerdeJson}; use milli::heed::{Database, Env, EnvOpenOptions, RwTxn}; -use sha2::{Digest, Sha256}; +use sha2::Sha256; use time::OffsetDateTime; use uuid::Uuid; @@ -242,9 +243,11 @@ impl<'a> milli::heed::BytesEncode<'a> for KeyIdActionCodec { } pub fn generate_key_as_base64(uid: &[u8], master_key: &[u8]) -> String { - let key = [uid, master_key].concat(); - let sha = Sha256::digest(&key); - base64::encode_config(sha, base64::URL_SAFE_NO_PAD) + let mut mac = Hmac::::new_from_slice(master_key).unwrap(); + mac.update(uid); + + let result = mac.finalize(); + base64::encode_config(result.into_bytes(), base64::URL_SAFE_NO_PAD) } /// Divides one slice into two at an index, returns `None` if mid is out of bounds. From 17f30c2b2dfeb55a47e9b997d6a580de562169ec Mon Sep 17 00:00:00 2001 From: ManyTheFish Date: Wed, 8 Jun 2022 14:52:32 +0200 Subject: [PATCH 2/3] Fix(auth): Authorization test were not testing keys unrestricted on index --- meilisearch-http/tests/auth/authorization.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meilisearch-http/tests/auth/authorization.rs b/meilisearch-http/tests/auth/authorization.rs index 7846188fb..e5826a675 100644 --- a/meilisearch-http/tests/auth/authorization.rs +++ b/meilisearch-http/tests/auth/authorization.rs @@ -249,7 +249,7 @@ async fn access_authorized_no_index_restriction() { server.use_api_key("MASTER_KEY"); let content = json!({ - "indexes": ["products"], + "indexes": ["*"], "actions": [action], "expiresAt": (OffsetDateTime::now_utc() + Duration::hours(1)).format(&Rfc3339).unwrap(), }); From 1a7631c8073cbc8fe27f8aff69b44d849a0a7848 Mon Sep 17 00:00:00 2001 From: ManyTheFish Date: Wed, 8 Jun 2022 14:14:30 +0200 Subject: [PATCH 3/3] Hash master_key before passing it to HMAC --- meilisearch-auth/src/store.rs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/meilisearch-auth/src/store.rs b/meilisearch-auth/src/store.rs index dd976fd29..d1af1b4ab 100644 --- a/meilisearch-auth/src/store.rs +++ b/meilisearch-auth/src/store.rs @@ -11,7 +11,7 @@ use enum_iterator::IntoEnumIterator; use hmac::{Hmac, Mac}; use milli::heed::types::{ByteSlice, DecodeIgnore, SerdeJson}; use milli::heed::{Database, Env, EnvOpenOptions, RwTxn}; -use sha2::Sha256; +use sha2::{Digest, Sha256}; use time::OffsetDateTime; use uuid::Uuid; @@ -243,7 +243,8 @@ impl<'a> milli::heed::BytesEncode<'a> for KeyIdActionCodec { } pub fn generate_key_as_base64(uid: &[u8], master_key: &[u8]) -> String { - let mut mac = Hmac::::new_from_slice(master_key).unwrap(); + let master_key_sha = Sha256::digest(master_key); + let mut mac = Hmac::::new_from_slice(master_key_sha.as_slice()).unwrap(); mac.update(uid); let result = mac.finalize();