From f82d05607258cff6ed716585d09024ef294c5fb7 Mon Sep 17 00:00:00 2001 From: Louis Dureuil Date: Tue, 26 Mar 2024 10:36:24 +0100 Subject: [PATCH] Hide secrets in settings and task queue --- index-scheduler/src/batch.rs | 6 ++- meilisearch-types/src/settings.rs | 53 +++++++++++++++++++++- meilisearch-types/src/task_view.rs | 3 +- meilisearch/src/routes/indexes/settings.rs | 6 +-- meilitool/src/main.rs | 6 ++- 5 files changed, 66 insertions(+), 8 deletions(-) diff --git a/index-scheduler/src/batch.rs b/index-scheduler/src/batch.rs index b7e31c136..3161dc499 100644 --- a/index-scheduler/src/batch.rs +++ b/index-scheduler/src/batch.rs @@ -920,7 +920,11 @@ impl IndexScheduler { } // 3.2. Dump the settings - let settings = meilisearch_types::settings::settings(index, &rtxn)?; + let settings = meilisearch_types::settings::settings( + index, + &rtxn, + meilisearch_types::settings::SecretPolicy::RevealSecrets, + )?; index_dumper.settings(&settings)?; Ok(()) })?; diff --git a/meilisearch-types/src/settings.rs b/meilisearch-types/src/settings.rs index 5480e72c6..ce3a74d69 100644 --- a/meilisearch-types/src/settings.rs +++ b/meilisearch-types/src/settings.rs @@ -211,6 +211,43 @@ pub struct Settings { pub _kind: PhantomData, } +impl Settings { + pub fn hide_secrets(&mut self) { + let Setting::Set(embedders) = &mut self.embedders else { + return; + }; + + for mut embedder in embedders.values_mut() { + let Setting::Set(embedder) = &mut embedder else { + continue; + }; + + let Setting::Set(api_key) = &mut embedder.api_key else { + continue; + }; + + Self::hide_secret(api_key); + } + } + + fn hide_secret(secret: &mut String) { + match secret.len() { + x if x < 10 => { + secret.replace_range(.., "XXX..."); + } + x if x < 20 => { + secret.replace_range(2.., "XXXX..."); + } + x if x < 30 => { + secret.replace_range(3.., "XXXXX..."); + } + _x => { + secret.replace_range(5.., "XXXXXX..."); + } + } + } +} + impl Settings { pub fn cleared() -> Settings { Settings { 
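Review bot: The `settings(...)` call in the dump step of `index-scheduler/src/batch.rs` passes `SecretPolicy::RevealSecrets` with no comment, so the one path that deliberately writes embedder API keys in clear reads like any other call. I would add above it `// Secrets are kept on purpose: the dump presumably has to carry the real embedder API keys, so the dump file must be protected like the keys themselves.` The same comment belongs on the identical call in the `meilitool/src/main.rs` hunk (`export_a_dump`). The enclosing closure starts and ends outside this hunk.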
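Review bot: `hide_secret` cuts the key at fixed byte offsets (`2..`, `3..`, `5..`), and `String::replace_range` panics when an offset falls inside a multi-byte character. An `api_key` containing non-ASCII text could therefore panic the settings route and the task view instead of being masked. Choosing the cut point with `char_indices()` keeps the output identical for ASCII keys and removes the panic path. `hide_secrets` would also benefit from a doc comment stating that the masking is irreversible and leaves the first characters of longer keys visible.

```rust
fn hide_secret(secret: &mut String) {
    // Number of leading characters kept, and the mask appended after them.
    let (keep, mask) = match secret.len() {
        x if x < 10 => (0, "XXX..."),
        x if x < 20 => (2, "XXXX..."),
        x if x < 30 => (3, "XXXXX..."),
        _ => (5, "XXXXXX..."),
    };
    // Cut on a character boundary: `replace_range` panics on a byte index
    // that lands inside a multi-byte character.
    let cut = secret.char_indices().nth(keep).map_or(secret.len(), |(idx, _)| idx);
    secret.replace_range(cut.., mask);
}
```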
@@ -555,9 +592,15 @@ pub fn apply_settings_to_builder( } } +pub enum SecretPolicy { + RevealSecrets, + HideSecrets, +} + pub fn settings( index: &Index, rtxn: &crate::heed::RoTxn, + secret_policy: SecretPolicy, ) -> Result, milli::Error> { let displayed_attributes = index.displayed_fields(rtxn)?.map(|fields| fields.into_iter().map(String::from).collect()); @@ -643,7 +686,7 @@ pub fn settings( let search_cutoff_ms = index.search_cutoff(rtxn)?; - Ok(Settings { + let mut settings = Settings { displayed_attributes: match displayed_attributes { Some(attrs) => Setting::Set(attrs), None => Setting::Reset, @@ -674,7 +717,13 @@ pub fn settings( None => Setting::Reset, }, _kind: PhantomData, - }) + }; + + if let SecretPolicy::HideSecrets = secret_policy { + settings.hide_secrets() + } + + Ok(settings) } #[derive(Debug, Clone, PartialEq, Eq, Deserr)] diff --git a/meilisearch-types/src/task_view.rs b/meilisearch-types/src/task_view.rs index 02be91a88..659427c9d 100644 --- a/meilisearch-types/src/task_view.rs +++ b/meilisearch-types/src/task_view.rs @@ -86,7 +86,8 @@ impl From
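Review bot: `SecretPolicy` is added as a public enum with no doc comment and no derives, so nothing at the definition says which variant is safe for output that reaches a client. I would put `/// Whether settings() returns embedder API keys as stored (RevealSecrets, used by the dump paths) or masked (HideSecrets, for anything returned to a client).` and `#[derive(Debug, Clone, Copy, PartialEq, Eq)]` above it. Making `secret_policy` a required argument is a good choice, since every caller has to decide explicitly. The body of `settings` continues outside this hunk.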
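Review bot: The `if let SecretPolicy::HideSecrets = secret_policy` check at the end of `settings` returns the secrets unmasked for every variant other than `HideSecrets`, so a variant added later would silently default to revealing the key. An exhaustive match makes the compiler force that decision: `match secret_policy { SecretPolicy::HideSecrets => settings.hide_secrets(), SecretPolicy::RevealSecrets => {} }`. The function starts outside this hunk.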
for DetailsView { ..DetailsView::default() } } - Details::SettingsUpdate { settings } => { + Details::SettingsUpdate { mut settings } => { + settings.hide_secrets(); DetailsView { settings: Some(settings), ..DetailsView::default() } } Details::IndexInfo { primary_key } => { diff --git a/meilisearch/src/routes/indexes/settings.rs b/meilisearch/src/routes/indexes/settings.rs index 99c3d0fbb..0918444ef 100644 --- a/meilisearch/src/routes/indexes/settings.rs +++ b/meilisearch/src/routes/indexes/settings.rs @@ -7,7 +7,7 @@ use meilisearch_types::error::ResponseError; use meilisearch_types::facet_values_sort::FacetValuesSort; use meilisearch_types::index_uid::IndexUid; use meilisearch_types::milli::update::Setting; -use meilisearch_types::settings::{settings, RankingRuleView, Settings, Unchecked}; +use meilisearch_types::settings::{settings, RankingRuleView, SecretPolicy, Settings, Unchecked}; use meilisearch_types::tasks::KindWithContent; use serde_json::json; use tracing::debug; @@ -134,7 +134,7 @@ macro_rules! make_setting_route { let index = index_scheduler.index(&index_uid)?; let rtxn = index.read_txn()?; - let settings = settings(&index, &rtxn)?; + let settings = settings(&index, &rtxn, meilisearch_types::settings::SecretPolicy::HideSecrets)?; debug!(returns = ?settings, "Update settings"); let mut json = serde_json::json!(&settings); @@ -819,7 +819,7 @@ pub async fn get_all( let index = index_scheduler.index(&index_uid)?; let rtxn = index.read_txn()?; - let new_settings = settings(&index, &rtxn)?; + let new_settings = settings(&index, &rtxn, SecretPolicy::HideSecrets)?; debug!(returns = ?new_settings, "Get all settings"); Ok(HttpResponse::Ok().json(new_settings)) } diff --git a/meilitool/src/main.rs b/meilitool/src/main.rs index f199df216..bace7d16b 100644 --- a/meilitool/src/main.rs +++ b/meilitool/src/main.rs 
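Review bot: The masking in the `Details::SettingsUpdate` arm happens only while a `Details` is converted into a `DetailsView`, and nothing in the code says so. The `Details` value itself appears to keep the original key, so any other consumer of `Details` would still see it; that is inferred from this hunk and worth confirming against the other users of the type. I would add `// Mask embedder API keys before the task details are exposed; the Details value held by the task presumably still contains the real key.` above `settings.hide_secrets();`. The `impl` block starts and ends outside this hunk.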
@@ -291,7 +291,11 @@ fn export_a_dump( } // 4.2. Dump the settings - let settings = meilisearch_types::settings::settings(&index, &rtxn)?; + let settings = meilisearch_types::settings::settings( + &index, + &rtxn, + meilisearch_types::settings::SecretPolicy::RevealSecrets, + )?; index_dumper.settings(&settings)?; count += 1; }