feat(auth): API keys

implements: https://github.com/meilisearch/specifications/blob/develop/text/0085-api-keys.md - Add tests on API keys management route (meilisearch-http/tests/auth/api_keys.rs) - Add tests checking authorizations on each meilisearch routes (meilisearch-http/tests/auth/authorization.rs) - Implement API keys management routes (meilisearch-http/src/routes/api_key.rs) - Create module to manage API keys and authorizations (meilisearch-auth) - Reimplement GuardedData to extend authorizations (meilisearch-http/src/extractors/authentication/mod.rs) - Change X-MEILI-API-KEY by Authorization Bearer (meilisearch-http/src/extractors/authentication/mod.rs) - Change meilisearch routes to fit to the new authorization feature (meilisearch-http/src/routes/) - close #1867
2025-07-04 04:17:10 +02:00 · 2021-11-08 18:31:27 +01:00 · 2021-11-08 18:31:27 +01:00 · ffefd0caf2
commit ffefd0caf2
parent fa196986c2
44 changed files with 3155 additions and 361 deletions
--- a/meilisearch-auth/src/lib.rs
+++ b/meilisearch-auth/src/lib.rs
@ -0,0 +1,136 @@
+mod action;
+pub mod error;
+mod key;
+mod store;
+
+use std::path::Path;
+use std::str::from_utf8;
+use std::sync::Arc;
+
+use chrono::Utc;
+use serde_json::Value;
+use sha2::{Digest, Sha256};
+
+pub use action::{actions, Action};
+use error::{AuthControllerError, Result};
+pub use key::Key;
+use store::HeedAuthStore;
+
+#[derive(Clone)]
+pub struct AuthController {
+    store: Arc<HeedAuthStore>,
+    master_key: Option<String>,
+}
+
+impl AuthController {
+    pub fn new(db_path: impl AsRef<Path>, master_key: &Option<String>) -> Result<Self> {
+        let store = HeedAuthStore::new(db_path)?;
+
+        if store.is_empty()? {
+            generate_default_keys(&store)?;
+        }
+
+        Ok(Self {
+            store: Arc::new(store),
+            master_key: master_key.clone(),
+        })
+    }
+
+    pub async fn create_key(&self, value: Value) -> Result<Key> {
+        let key = Key::create_from_value(value)?;
+        self.store.put_api_key(key)
+    }
+
+    pub async fn update_key(&self, key: impl AsRef<str>, value: Value) -> Result<Key> {
+        let mut key = self.get_key(key).await?;
+        key.update_from_value(value)?;
+        self.store.put_api_key(key)
+    }
+
+    pub async fn get_key(&self, key: impl AsRef<str>) -> Result<Key> {
+        self.store
+            .get_api_key(&key)?
+            .ok_or_else(|| AuthControllerError::ApiKeyNotFound(key.as_ref().to_string()))
+    }
+
+    pub fn get_key_filters(&self, key: impl AsRef<str>) -> Result<AuthFilter> {
+        let mut filters = AuthFilter::default();
+        if self
+            .master_key
+            .as_ref()
+            .map_or(false, |master_key| master_key != key.as_ref())
+        {
+            let key = self
+                .store
+                .get_api_key(&key)?
+                .ok_or_else(|| AuthControllerError::ApiKeyNotFound(key.as_ref().to_string()))?;
+
+            if !key.indexes.iter().any(|i| i.as_str() == "*") {
+                filters.indexes = Some(key.indexes);
+            }
+        }
+
+        Ok(filters)
+    }
+
+    pub async fn list_keys(&self) -> Result<Vec<Key>> {
+        self.store.list_api_keys()
+    }
+
+    pub async fn delete_key(&self, key: impl AsRef<str>) -> Result<()> {
+        if self.store.delete_api_key(&key)? {
+            Ok(())
+        } else {
+            Err(AuthControllerError::ApiKeyNotFound(
+                key.as_ref().to_string(),
+            ))
+        }
+    }
+
+    pub fn get_master_key(&self) -> Option<&String> {
+        self.master_key.as_ref()
+    }
+
+    pub fn authenticate(&self, token: &[u8], action: Action, index: Option<&[u8]>) -> Result<bool> {
+        if let Some(master_key) = &self.master_key {
+            if let Some((id, exp)) = self
+                .store
+                // check if the key has access to all indexes.
+                .get_expiration_date(token, action, None)?
+                .or(match index {
+                    // else check if the key has access to the requested index.
+                    Some(index) => self.store.get_expiration_date(token, action, Some(index))?,
+                    // or to any index if no index has been requested.
+                    None => self.store.prefix_first_expiration_date(token, action)?,
+                })
+            {
+                let id = from_utf8(&id).map_err(|e| AuthControllerError::Internal(Box::new(e)))?;
+                if exp.map_or(true, |exp| Utc::now() < exp)
+                    && generate_key(master_key.as_bytes(), id).as_bytes() == token
+                {
+                    return Ok(true);
+                }
+            }
+        }
+
+        Ok(false)
+    }
+}
+
+#[derive(Default)]
+pub struct AuthFilter {
+    pub indexes: Option<Vec<String>>,
+}
+
+pub fn generate_key(master_key: &[u8], uid: &str) -> String {
+    let key = [uid.as_bytes(), master_key].concat();
+    let sha = Sha256::digest(&key);
+    format!("{}{:x}", uid, sha)
+}
+
+fn generate_default_keys(store: &HeedAuthStore) -> Result<()> {
+    store.put_api_key(Key::default_admin())?;
+    store.put_api_key(Key::default_search())?;
+
+    Ok(())
+}