Merge #231

231: Changes related to the next Meilisearch release (v0.26.0) r=brunoocasali a=meili-bot

Related to this issue: meilisearch/integration-guides#181

This PR:
- gathers the changes related to the next Meilisearch release (v0.26.0) so that this package is ready when the official release is out.
- should pass the tests against the [latest pre-release of Meilisearch](https://github.com/meilisearch/meilisearch/releases).
- might eventually contain test failures until the Meilisearch v0.26.0 is out.

⚠️ This PR should NOT be merged until the next release of Meilisearch (v0.26.0) is out.

_This PR is auto-generated for the [pre-release week](https://github.com/meilisearch/integration-guides/blob/master/guides/pre-release-week.md) purpose._


Co-authored-by: meili-bot <[email protected]>
Co-authored-by: Bruno Casali <[email protected]>

Author: 3 people

.code-samples.meilisearch.yaml

@@ -792,3 +792,17 @@ landing_getting_started_1: |-
     Movie { "id": "5".to_string(), "title": "Moana".to_string() },
     Movie { "id": "6".to_string(), "title": "Philadelphia".to_string() }
   ], Some("reference_number")).await.unwrap();
+tenant_token_guide_generate_sdk_1: |-
+  let api_key = "B5KdX2MY2jV6EXfUs6scSfmC...";
+  let expires_at = time::macros::datetime!(2025 - 12 - 20 00:00:00 UTC);
+  let search_rules = json!({ "patient_medical_records": { "filter": "user_id = 1" } });
+
+  let token = client.generate_tenant_token(search_rules, api_key, expires_at).unwrap();
+tenant_token_guide_search_sdk_1: |-
+  let front_end_client = Client::new("http://127.0.0.1:7700", token);
+  let results: SearchResults<Patient> = front_end_client.index("patient_medical_records")
+    .search()
+    .with_query("blood test")
+    .execute()
+    .await
+    .unwrap();

.github/workflows/pre-release-tests.yml

@@ -22,6 +22,6 @@ jobs:
     - name: Get the latest Meilisearch RC
       run: echo "MEILISEARCH_VERSION=$(curl https://raw.githubusercontent.com/meilisearch/integration-guides/main/scripts/get-latest-meilisearch-rc.sh | bash)" >> $GITHUB_ENV
     - name: Meilisearch (${{ env.MEILISEARCH_VERSION }}) setup with Docker
-      run: docker run -d -p 7700:7700 getmeili/meilisearch:${{ env.MEILISEARCH_VERSION }} ./meilisearch --master-key=masterKey --no-analytics=true
+      run: docker run -d -p 7700:7700 getmeili/meilisearch:${{ env.MEILISEARCH_VERSION }} ./meilisearch --master-key=masterKey --no-analytics
     - name: Run tests
       run: cargo test --verbose -- --test-threads=1

Cargo.toml

@@ -15,6 +15,7 @@ log = "0.4"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 time = { version = "0.3.7", features = ["serde-well-known", "formatting", "parsing"] }
+jsonwebtoken = { version = "8", default-features = false }
 
 [target.'cfg(not(target_arch = "wasm32"))'.dependencies]
 futures = "0.3"

README.md

@@ -242,7 +242,7 @@ WARNING: `meilisearch-sdk` will panic if no Window is available (ex: Web extensi
 
 ## 🤖 Compatibility with Meilisearch
 
-This package only guarantees the compatibility with the [version v0.25.0 of MeiliSearch](https://github.com/meilisearch/meilisearch/releases/tag/v0.25.0).
+This package only guarantees the compatibility with the [version v0.26.0 of Meilisearch](https://github.com/meilisearch/meilisearch/releases/tag/v0.26.0).
 
 ## ⚙️ Development Workflow and Contributing
 

README.tpl

@@ -97,7 +97,7 @@ WARNING: `meilisearch-sdk` will panic if no Window is available (ex: Web extensi
 
 ## 🤖 Compatibility with Meilisearch
 
-This package only guarantees the compatibility with the [version v0.25.0 of MeiliSearch](https://github.com/meilisearch/meilisearch/releases/tag/v0.25.0).
+This package only guarantees the compatibility with the [version v0.26.0 of Meilisearch](https://github.com/meilisearch/meilisearch/releases/tag/v0.26.0).
 
 ## ⚙️ Development Workflow and Contributing
 

src/client.rs

@@ -576,6 +576,24 @@ impl Client {
 
         Ok(tasks.results)
     }
+
+    /// Generates a new tenant token.
+    ///
+    /// # Example
+    ///
+    /// ```
+    /// # use meilisearch_sdk::*;
+    /// # futures::executor::block_on(async move {
+    /// # let client = client::Client::new("http://localhost:7700", "masterKey");
+    /// let token = client.generate_tenant_token(serde_json::json!(["*"]), None, None).unwrap();
+    /// let client = client::Client::new("http://localhost:7700", token);
+    /// # });
+    /// ```
+    pub fn generate_tenant_token(&self, search_rules: serde_json::Value, api_key: Option<&str>, expires_at: Option<OffsetDateTime>) -> Result<String, Error> {
+        let api_key = api_key.unwrap_or(&self.api_key);
+
+        crate::tenant_tokens::generate_tenant_token(search_rules, api_key, expires_at)
+    }
 }
 
 #[derive(Deserialize)]

src/errors.rs

@@ -19,6 +19,15 @@ pub enum Error {
     /// It probably comes from an invalid API key resulting in an invalid HTTP header.
     InvalidRequest,
 
+    /// It is not possible to generate a tenant token with a invalid api key.
+    /// Empty strings or with less than 8 characters are considered invalid.
+    TenantTokensInvalidApiKey,
+    /// It is not possible to generate an already expired tenant token.
+    TenantTokensExpiredSignature,
+    
+    /// When jsonwebtoken cannot generate the token successfully.
+    InvalidTenantToken(jsonwebtoken::errors::Error),
+
     /// The http client encountered an error.
     #[cfg(not(target_arch = "wasm32"))]
     HttpError(isahc::Error),
@@ -52,6 +61,12 @@ impl From<MeilisearchError> for Error {
     }
 }
 
+impl From<jsonwebtoken::errors::Error> for Error {
+    fn from(error: jsonwebtoken::errors::Error) -> Error {
+        Error::InvalidTenantToken(error)
+    }
+}
+
 /// The type of error that was encountered.
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
 #[serde(rename_all = "snake_case")]
@@ -168,6 +183,9 @@ impl std::fmt::Display for Error {
             Error::ParseError(e) => write!(fmt, "Error parsing response JSON: {}", e),
             Error::HttpError(e) => write!(fmt, "HTTP request failed: {}", e),
             Error::Timeout => write!(fmt, "A task did not succeed in time."),
+            Error::TenantTokensInvalidApiKey => write!(fmt, "The provided api_key is invalid."),
+            Error::TenantTokensExpiredSignature => write!(fmt, "The provided expires_at is already expired."),
+            Error::InvalidTenantToken(e) => write!(fmt, "Impossible to generate the token, jsonwebtoken encountered an error: {}", e)
         }
     }
 }

src/lib.rs

@@ -230,6 +230,8 @@ pub mod search;
 pub mod settings;
 /// Module representing the [tasks::Task]s.
 pub mod tasks;
+/// Module that generates tenant tokens.
+mod tenant_tokens;
 
 #[cfg(feature = "sync")]
 pub(crate) type Rc<T> = std::sync::Arc<T>;

src/search.rs

@@ -283,7 +283,7 @@ mod tests {
     use crate::{client::*, search::*};
     use meilisearch_test_macro::meilisearch_test;
     use serde::{Deserialize, Serialize};
-    use serde_json::{Map, Value};
+    use serde_json::{Map, Value, json};
 
     #[derive(Debug, Serialize, Deserialize, PartialEq)]
     struct Document {
@@ -571,4 +571,39 @@ mod tests {
         assert_eq!(results.hits.len(), 1);
         Ok(())
     }
+
+    #[meilisearch_test]
+    async fn test_generate_tenant_token_from_client(client: Client, index: Index) -> Result<(), Error> {
+        use crate::key::{KeyBuilder, Action};
+
+        setup_test_index(&client, &index).await?;
+
+        let key = KeyBuilder::new("key for generate_tenant_token test")
+            .with_action(Action::All)
+            .with_index("*")
+            .create(&client).await.unwrap();
+        let allowed_client = Client::new("http://localhost:7700", key.key);
+
+        let search_rules = vec![
+            json!({ "*": {}}),
+            json!({ "*": Value::Null }),
+            json!(["*"]),
+            json!({ "*": { "filter": "kind = text" } }),
+            json!([index.uid.to_string()]),
+        ];
+
+        for rules in search_rules {
+            let token = allowed_client.generate_tenant_token(rules, None, None).expect("Cannot generate tenant token.");
+            let new_client = Client::new("http://localhost:7700", token);
+
+            let result: SearchResults<Document> = new_client.index(index.uid.to_string())
+                .search()
+                .execute()
+                .await?;
+
+            assert!(!result.hits.is_empty());
+        }
+
+        Ok(())
+    }
 }

src/tenant_tokens.rs

@@ -0,0 +1,127 @@
+use crate::{
+    errors::* 
+};
+use serde::{Serialize, Deserialize};
+use jsonwebtoken::{encode, Header, EncodingKey};
+use time::{OffsetDateTime};
+use serde_json::Value;
+
+#[derive(Debug, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")] 
+struct TenantTokenClaim {
+    api_key_prefix: String,
+    search_rules: Value,
+    #[serde(with = "time::serde::timestamp::option")]
+    exp: Option<OffsetDateTime>,
+}
+
+pub fn generate_tenant_token(search_rules: Value, api_key: impl AsRef<str>, expires_at: Option<OffsetDateTime>) -> Result<String, Error> {
+    if api_key.as_ref().chars().count() < 8 {
+        return Err(Error::TenantTokensInvalidApiKey)
+    }
+
+    if expires_at.map_or(false, |expires_at| OffsetDateTime::now_utc() > expires_at) {
+        return Err(Error::TenantTokensExpiredSignature)
+    }
+
+    let key_prefix = api_key.as_ref().chars().take(8).collect();
+    let claims = TenantTokenClaim {
+        api_key_prefix: key_prefix,
+        exp: expires_at,
+        search_rules
+    };
+
+    let token = encode(
+        &Header::default(),
+        &claims,
+        &EncodingKey::from_secret(api_key.as_ref().as_bytes()),
+    );
+
+    Ok(token?)
+}
+
+#[cfg(test)]
+mod tests {
+    use serde_json::json;
+    use crate::tenant_tokens::*;
+    use jsonwebtoken::{decode, DecodingKey, Validation, Algorithm};
+    use std::collections::HashSet;
+
+    const SEARCH_RULES: [&str; 1] = ["*"];
+    const VALID_KEY: &str = "a19b6ec84ee31324efa560cd1f7e6939";
+
+    fn build_validation() -> Validation {
+        let mut validation = Validation::new(Algorithm::HS256);
+        validation.validate_exp = false;
+        validation.required_spec_claims = HashSet::new();
+
+        validation
+    }
+
+    #[test]
+    fn test_generate_token_with_given_key() {
+        let token = generate_tenant_token(json!(SEARCH_RULES), VALID_KEY, None).unwrap();
+
+        let valid_key = decode::<TenantTokenClaim>(
+            &token, &DecodingKey::from_secret(VALID_KEY.as_ref()), &build_validation()
+        );
+        let invalid_key = decode::<TenantTokenClaim>(
+            &token, &DecodingKey::from_secret("not-the-same-key".as_ref()), &build_validation()
+        );
+
+        assert!(valid_key.is_ok());
+        assert!(invalid_key.is_err());
+    }
+
+    #[test]
+    fn test_generate_token_without_key() {
+        let key = String::from("");
+        let token = generate_tenant_token(json!(SEARCH_RULES), &key, None);
+
+        assert!(token.is_err());
+    }
+
+    #[test]
+    fn test_generate_token_with_expiration() {
+        let exp = OffsetDateTime::now_utc() + time::Duration::HOUR;
+        let token = generate_tenant_token(json!(SEARCH_RULES), VALID_KEY, Some(exp)).unwrap();
+
+        let decoded = decode::<TenantTokenClaim>(
+            &token, &DecodingKey::from_secret(VALID_KEY.as_ref()), &Validation::new(Algorithm::HS256)
+        );
+
+        assert!(decoded.is_ok());
+    }
+
+    #[test]
+    fn test_generate_token_with_expires_at_in_the_past() {
+        let exp = OffsetDateTime::now_utc() - time::Duration::HOUR;
+        let token = generate_tenant_token(json!(SEARCH_RULES), VALID_KEY, Some(exp));
+
+        assert!(token.is_err());
+    }
+
+    #[test]
+    fn test_generate_token_contains_claims() {
+        let token = generate_tenant_token(json!(SEARCH_RULES), VALID_KEY, None).unwrap();
+
+        let decoded = decode::<TenantTokenClaim>(
+            &token, &DecodingKey::from_secret(VALID_KEY.as_ref()), &build_validation()
+        ).expect("Cannot decode the token");
+
+        assert_eq!(decoded.claims.api_key_prefix, &VALID_KEY[..8]);
+        assert_eq!(decoded.claims.search_rules, json!(SEARCH_RULES));
+    }
+
+    #[test]
+    fn test_generate_token_with_multi_byte_chars() {
+        let key = "Ëa1ทt9bVcL-vãUทtP3OpXW5qPc%bWH5ทvw09";
+        let token = generate_tenant_token(json!(SEARCH_RULES), key, None).unwrap();
+
+        let decoded = decode::<TenantTokenClaim>(
+            &token, &DecodingKey::from_secret(key.as_ref()), &build_validation()
+        ).expect("Cannot decode the token");
+
+        assert_eq!(decoded.claims.api_key_prefix, "Ëa1ทt9bV");
+    }
+}