searchengines-web/MeiliSearch
searchengines-web/MeiliSearch
1
0
Fork 0
mirror of https://github.com/meilisearch/MeiliSearch synced 2025-07-04 04:17:10 +02:00
Code Issues Releases Wiki Activity

feat(auth): Extend API keys

Browse source 
- Add API keys in snapshots
- Add API keys in dumps
- Rename action indexes.add to indexes.create
- fix QA #1979

fix #1979
fix #1995
fix #2001
fix #2003
related to #1890
This commit is contained in:
many 2021-12-06 15:45:41 +01:00 committed by Maxime Legendre
parent 8096b568f0
commit ee7970f603
19 changed files with 418 additions and 204 deletions
Download patch file Download diff file Expand all files Collapse all files

213
meilisearch-http/tests/auth/api_keys.rs
View file

@ -1,6 +1,7 @@
use crate::common::Server;
use assert_json_diff::assert_json_include;
use serde_json::json;
use std::{thread, time};
#[actix_rt::test]
async fn add_valid_api_key() {
@ -15,7 +16,7 @@ async fn add_valid_api_key() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -43,7 +44,7 @@ async fn add_valid_api_key() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -71,7 +72,7 @@ async fn add_valid_api_key_no_description() {
"actions": [
"documents.add"
],
"expiresAt": "2050-11-13T00:00:00Z"
"expiresAt": "2050-11-13T00:00:00"
});
let (response, code) = server.add_api_key(content).await;
@ -153,9 +154,7 @@ async fn error_add_api_key_missing_parameter() {
// missing indexes
let content = json!({
"description": "Indexing API key",
"actions": [
"documents.add"
],
"actions": ["documents.add"],
"expiresAt": "2050-11-13T00:00:00Z"
});
let (response, code) = server.add_api_key(content).await;
@ -187,6 +186,24 @@ async fn error_add_api_key_missing_parameter() {
assert_eq!(response, expected_response);
assert_eq!(code, 400);
// missing expiration date
let content = json!({
"description": "Indexing API key",
"indexes": ["products"],
"actions": ["documents.add"],
});
let (response, code) = server.add_api_key(content).await;
let expected_response = json!({
"message": "`expiresAt` field is mandatory.",
"code": "missing_parameter",
"type": "invalid_request",
"link":"https://docs.meilisearch.com/errors#missing_parameter"
});
assert_eq!(response, expected_response);
assert_eq!(code, 400);
}
#[actix_rt::test]
@ -311,6 +328,32 @@ async fn error_add_api_key_invalid_parameters_expires_at() {
assert_eq!(code, 400);
}
#[actix_rt::test]
async fn error_add_api_key_invalid_parameters_expires_at_in_the_past() {
let mut server = Server::new_auth().await;
server.use_api_key("MASTER_KEY");
let content = json!({
"description": "Indexing API key",
"indexes": ["products"],
"actions": [
"documents.add"
],
"expiresAt": "2010-11-13T00:00:00Z"
});
let (response, code) = server.add_api_key(content).await;
let expected_response = json!({
"message": r#"expiresAt field value `"2010-11-13T00:00:00Z"` is invalid. It should be in ISO-8601 format to represents a date or datetime in the future or specified as a null value. e.g. 'YYYY-MM-DD' or 'YYYY-MM-DDTHH:MM:SS'."#,
"code": "invalid_api_key_expires_at",
"type": "invalid_request",
"link": "https://docs.meilisearch.com/errors#invalid_api_key_expires_at"
});
assert_eq!(response, expected_response);
assert_eq!(code, 400);
}
#[actix_rt::test]
async fn get_api_key() {
let mut server = Server::new_auth().await;
@ -324,7 +367,7 @@ async fn get_api_key() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -359,7 +402,7 @@ async fn get_api_key() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -449,7 +492,7 @@ async fn list_api_keys() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -468,19 +511,9 @@ async fn list_api_keys() {
assert_eq!(code, 201);
let (response, code) = server.list_api_keys().await;
assert!(response.is_array());
let response = &response.as_array().unwrap();
let created_key = response
.iter()
.find(|x| x["description"] == "Indexing API key")
.unwrap();
assert!(created_key["key"].is_string());
assert!(created_key["expiresAt"].is_string());
assert!(created_key["createdAt"].is_string());
assert!(created_key["updatedAt"].is_string());
let expected_response = json!({
let expected_response = json!([
{
"description": "Indexing API key",
"indexes": ["products"],
"actions": [
@ -488,7 +521,7 @@ async fn list_api_keys() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -500,49 +533,21 @@ async fn list_api_keys() {
"dumps.get"
],
"expiresAt": "2050-11-13T00:00:00Z"
});
assert_json_include!(actual: created_key, expected: expected_response);
assert_eq!(code, 200);
// check if default admin key is present.
let admin_key = response
.iter()
.find(|x| x["description"] == "Default Admin API Key (Use it for all other operations. Caution! Do not use it on a public frontend)")
.unwrap();
assert!(created_key["key"].is_string());
assert!(created_key["expiresAt"].is_string());
assert!(created_key["createdAt"].is_string());
assert!(created_key["updatedAt"].is_string());
let expected_response = json!({
"description": "Default Admin API Key (Use it for all other operations. Caution! Do not use it on a public frontend)",
"indexes": ["*"],
"actions": ["*"],
"expiresAt": serde_json::Value::Null,
});
assert_json_include!(actual: admin_key, expected: expected_response);
assert_eq!(code, 200);
// check if default search key is present.
let admin_key = response
.iter()
.find(|x| x["description"] == "Default Search API Key (Use it to search from the frontend)")
.unwrap();
assert!(created_key["key"].is_string());
assert!(created_key["expiresAt"].is_string());
assert!(created_key["createdAt"].is_string());
assert!(created_key["updatedAt"].is_string());
let expected_response = json!({
},
{
"description": "Default Search API Key (Use it to search from the frontend)",
"indexes": ["*"],
"actions": ["search"],
"expiresAt": serde_json::Value::Null,
});
},
{
"description": "Default Admin API Key (Use it for all other operations. Caution! Do not use it on a public frontend)",
"indexes": ["*"],
"actions": ["*"],
"expiresAt": serde_json::Value::Null,
}]);
assert_json_include!(actual: admin_key, expected: expected_response);
assert_json_include!(actual: response, expected: expected_response);
assert_eq!(code, 200);
}
@ -594,7 +599,7 @@ async fn delete_api_key() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -694,7 +699,7 @@ async fn patch_api_key_description() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -719,6 +724,7 @@ async fn patch_api_key_description() {
// Add a description
let content = json!({ "description": "Indexing API key" });
thread::sleep(time::Duration::new(1, 0));
let (response, code) = server.patch_api_key(&key, content).await;
assert!(response["key"].is_string());
assert!(response["expiresAt"].is_string());
@ -734,7 +740,7 @@ async fn patch_api_key_description() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -764,7 +770,7 @@ async fn patch_api_key_description() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -793,7 +799,7 @@ async fn patch_api_key_description() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -821,7 +827,7 @@ async fn patch_api_key_indexes() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -845,6 +851,7 @@ async fn patch_api_key_indexes() {
let content = json!({ "indexes": ["products", "prices"] });
thread::sleep(time::Duration::new(1, 0));
let (response, code) = server.patch_api_key(&key, content).await;
assert!(response["key"].is_string());
assert!(response["expiresAt"].is_string());
@ -860,7 +867,7 @@ async fn patch_api_key_indexes() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -888,7 +895,7 @@ async fn patch_api_key_actions() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -920,6 +927,7 @@ async fn patch_api_key_actions() {
],
});
thread::sleep(time::Duration::new(1, 0));
let (response, code) = server.patch_api_key(&key, content).await;
assert!(response["key"].is_string());
assert!(response["expiresAt"].is_string());
@ -957,7 +965,7 @@ async fn patch_api_key_expiration_date() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -965,7 +973,7 @@ async fn patch_api_key_expiration_date() {
"dumps.create",
"dumps.get"
],
"expiresAt": "205-11-13T00:00:00Z"
"expiresAt": "2050-11-13T00:00:00Z"
});
let (response, code) = server.add_api_key(content).await;
@ -981,6 +989,7 @@ async fn patch_api_key_expiration_date() {
let content = json!({ "expiresAt": "2055-11-13T00:00:00Z" });
thread::sleep(time::Duration::new(1, 0));
let (response, code) = server.patch_api_key(&key, content).await;
assert!(response["key"].is_string());
assert!(response["expiresAt"].is_string());
@ -996,7 +1005,7 @@ async fn patch_api_key_expiration_date() {
"documents.add",
"documents.get",
"documents.delete",
"indexes.add",
"indexes.create",
"indexes.get",
"indexes.update",
"indexes.delete",
@ -1166,3 +1175,65 @@ async fn error_patch_api_key_indexes_invalid_parameters() {
assert_eq!(response, expected_response);
assert_eq!(code, 400);
}
#[actix_rt::test]
async fn error_access_api_key_routes_no_master_key_set() {
let mut server = Server::new().await;
let expected_response = json!({
"message": "The Authorization header is missing. It must use the bearer authorization method.",
"code": "missing_authorization_header",
"type": "auth",
"link": "https://docs.meilisearch.com/errors#missing_authorization_header"
});
let expected_code = 401;
let (response, code) = server.add_api_key(json!({})).await;
assert_eq!(response, expected_response);
assert_eq!(code, expected_code);
let (response, code) = server.patch_api_key("content", json!({})).await;
assert_eq!(response, expected_response);
assert_eq!(code, expected_code);
let (response, code) = server.get_api_key("content").await;
assert_eq!(response, expected_response);
assert_eq!(code, expected_code);
let (response, code) = server.list_api_keys().await;
assert_eq!(response, expected_response);
assert_eq!(code, expected_code);
server.use_api_key("MASTER_KEY");
let expected_response = json!({"message": "The provided API key is invalid.",
"code": "invalid_api_key",
"type": "auth",
"link": "https://docs.meilisearch.com/errors#invalid_api_key"
});
let expected_code = 403;
let (response, code) = server.add_api_key(json!({})).await;
assert_eq!(response, expected_response);
assert_eq!(code, expected_code);
let (response, code) = server.patch_api_key("content", json!({})).await;
assert_eq!(response, expected_response);
assert_eq!(code, expected_code);
let (response, code) = server.get_api_key("content").await;
assert_eq!(response, expected_response);
assert_eq!(code, expected_code);
let (response, code) = server.list_api_keys().await;
assert_eq!(response, expected_response);
assert_eq!(code, expected_code);
}

106
meilisearch-http/tests/auth/authorization.rs
View file

@ -1,4 +1,5 @@
use crate::common::Server;
use chrono::{Duration, Utc};
use maplit::hashmap;
use once_cell::sync::Lazy;
use serde_json::{json, Value};
@ -19,7 +20,7 @@ static AUTHORIZATIONS: Lazy<HashMap<(&'static str, &'static str), &'static str>>
("PUT", "/indexes/products/") => "indexes.update",
("GET", "/indexes/products/") => "indexes.get",
("DELETE", "/indexes/products/") => "indexes.delete",
("POST", "/indexes") => "indexes.add",
("POST", "/indexes") => "indexes.create",
("GET", "/indexes") => "indexes.get",
("GET", "/indexes/products/settings") => "settings.get",
("GET", "/indexes/products/settings/displayed-attributes") => "settings.get",
@ -61,13 +62,15 @@ static INVALID_RESPONSE: Lazy<Value> = Lazy::new(|| {
#[actix_rt::test]
async fn error_access_expired_key() {
use std::{thread, time};
let mut server = Server::new_auth().await;
server.use_api_key("MASTER_KEY");
let content = json!({
"indexes": ["products"],
"actions": ALL_ACTIONS.clone(),
"expiresAt": "2020-11-13T00:00:00Z"
"expiresAt": (Utc::now() + Duration::seconds(1)),
});
let (response, code) = server.add_api_key(content).await;
@ -77,6 +80,9 @@ async fn error_access_expired_key() {
let key = response["key"].as_str().unwrap();
server.use_api_key(&key);
// wait until the key is expired.
thread::sleep(time::Duration::new(1, 0));
for (method, route) in AUTHORIZATIONS.keys() {
let (response, code) = server.dummy_request(method, route).await;
@ -93,7 +99,7 @@ async fn error_access_unauthorized_index() {
let content = json!({
"indexes": ["sales"],
"actions": ALL_ACTIONS.clone(),
"expiresAt": "2050-11-13T00:00:00Z"
"expiresAt": Utc::now() + Duration::hours(1),
});
let (response, code) = server.add_api_key(content).await;
@ -123,7 +129,7 @@ async fn error_access_unauthorized_action() {
let content = json!({
"indexes": ["products"],
"actions": [],
"expiresAt": "2050-11-13T00:00:00Z"
"expiresAt": Utc::now() + Duration::hours(1),
});
let (response, code) = server.add_api_key(content).await;
@ -159,7 +165,7 @@ async fn access_authorized_restricted_index() {
let content = json!({
"indexes": ["products"],
"actions": [],
"expiresAt": "2050-11-13T00:00:00Z"
"expiresAt": Utc::now() + Duration::hours(1),
});
let (response, code) = server.add_api_key(content).await;
@ -210,7 +216,7 @@ async fn access_authorized_no_index_restriction() {
let content = json!({
"indexes": ["*"],
"actions": [],
"expiresAt": "2050-11-13T00:00:00Z"
"expiresAt": Utc::now() + Duration::hours(1),
});
let (response, code) = server.add_api_key(content).await;
@ -272,7 +278,7 @@ async fn access_authorized_stats_restricted_index() {
let content = json!({
"indexes": ["products"],
"actions": ["stats.get"],
"expiresAt": "2050-11-13T00:00:00Z"
"expiresAt": Utc::now() + Duration::hours(1),
});
let (response, code) = server.add_api_key(content).await;
assert_eq!(code, 201);
@ -311,7 +317,7 @@ async fn access_authorized_stats_no_index_restriction() {
let content = json!({
"indexes": ["*"],
"actions": ["stats.get"],
"expiresAt": "2050-11-13T00:00:00Z"
"expiresAt": Utc::now() + Duration::hours(1),
});
let (response, code) = server.add_api_key(content).await;
assert_eq!(code, 201);
@ -350,7 +356,7 @@ async fn list_authorized_indexes_restricted_index() {
let content = json!({
"indexes": ["products"],
"actions": ["indexes.get"],
"expiresAt": "2050-11-13T00:00:00Z"
"expiresAt": Utc::now() + Duration::hours(1),
});
let (response, code) = server.add_api_key(content).await;
assert_eq!(code, 201);
@ -390,7 +396,7 @@ async fn list_authorized_indexes_no_index_restriction() {
let content = json!({
"indexes": ["*"],
"actions": ["indexes.get"],
"expiresAt": "2050-11-13T00:00:00Z"
"expiresAt": Utc::now() + Duration::hours(1),
});
let (response, code) = server.add_api_key(content).await;
assert_eq!(code, 201);
@ -410,3 +416,83 @@ async fn list_authorized_indexes_no_index_restriction() {
// key should have access on `test` index.
assert!(response.iter().any(|index| index["uid"] == "test"));
}
#[actix_rt::test]
async fn list_authorized_tasks_restricted_index() {
let mut server = Server::new_auth().await;
server.use_api_key("MASTER_KEY");
// create index `test`
let index = server.index("test");
let (_, code) = index.create(Some("id")).await;
assert_eq!(code, 202);
// create index `products`
let index = server.index("products");
let (_, code) = index.create(Some("product_id")).await;
assert_eq!(code, 202);
index.wait_task(0).await;
// create key with access on `products` index only.
let content = json!({
"indexes": ["products"],
"actions": ["tasks.get"],
"expiresAt": Utc::now() + Duration::hours(1),
});
let (response, code) = server.add_api_key(content).await;
assert_eq!(code, 201);
assert!(response["key"].is_string());
// use created key.
let key = response["key"].as_str().unwrap();
server.use_api_key(&key);
let (response, code) = server.service.get("/tasks").await;
assert_eq!(code, 200);
println!("{}", response);
let response = response["results"].as_array().unwrap();
// key should have access on `products` index.
assert!(response.iter().any(|task| task["indexUid"] == "products"));
// key should not have access on `test` index.
assert!(!response.iter().any(|task| task["indexUid"] == "test"));
}
#[actix_rt::test]
async fn list_authorized_tasks_no_index_restriction() {
let mut server = Server::new_auth().await;
server.use_api_key("MASTER_KEY");
// create index `test`
let index = server.index("test");
let (_, code) = index.create(Some("id")).await;
assert_eq!(code, 202);
// create index `products`
let index = server.index("products");
let (_, code) = index.create(Some("product_id")).await;
assert_eq!(code, 202);
index.wait_task(0).await;
// create key with access on all indexes.
let content = json!({
"indexes": ["*"],
"actions": ["tasks.get"],
"expiresAt": Utc::now() + Duration::hours(1),
});
let (response, code) = server.add_api_key(content).await;
assert_eq!(code, 201);
assert!(response["key"].is_string());
// use created key.
let key = response["key"].as_str().unwrap();
server.use_api_key(&key);
let (response, code) = server.service.get("/tasks").await;
assert_eq!(code, 200);
let response = response["results"].as_array().unwrap();
// key should have access on `products` index.
assert!(response.iter().any(|task| task["indexUid"] == "products"));
// key should have access on `test` index.
assert!(response.iter().any(|task| task["indexUid"] == "test"));
}