Restrict master key access to /keys routes

2024-11-23 02:27:40 +08:00 · 2022-05-25 16:35:00 +02:00 · 2022-05-25 16:35:00 +02:00 · a57b2d9538
commit a57b2d9538
parent 34c8888f56
1 changed files with 9 additions and 17 deletions
--- a/meilisearch-http/src/extractors/authentication/mod.rs
+++ b/meilisearch-http/src/extractors/authentication/mod.rs
@ -159,22 +159,9 @@ pub mod policies {
        Some(uid)
    }

-    pub struct MasterPolicy;
-
-    impl Policy for MasterPolicy {
-        fn authenticate(
-            auth: AuthController,
-            token: &str,
-            _index: Option<&str>,
-        ) -> Option<AuthFilter> {
-            if let Some(master_key) = auth.get_master_key() {
-                if master_key == token {
-                    return Some(AuthFilter::default());
-                }
-            }
-
-            None
-        }
+    fn is_keys_action(action: u8) -> bool {
+        use actions::*;
+        matches!(action, KEYS_GET | KEYS_CREATE | KEYS_UPDATE | KEYS_DELETE)
    }

    pub struct ActionPolicy<const A: u8>;
@ -186,7 +173,12 @@ pub mod policies {
            index: Option<&str>,
        ) -> Option<AuthFilter> {
            // authenticate if token is the master key.
-            if auth.get_master_key().map_or(true, |mk| mk == token) {
+            // master key can only have access to keys routes.
+            // if master key is None only keys routes are inaccessible.
+            if auth
+                .get_master_key()
+                .map_or_else(|| !is_keys_action(A), |mk| mk == token && is_keys_action(A))
+            {
                return Some(AuthFilter::default());
            }