mudhorn/n8n
1
0
Fork 0
mirror of https://github.com/n8n-io/n8n.git synced 2024-11-15 00:54:06 -08:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
n8n/packages/cli/test/unit/PermissionChecker.test.ts

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

132 lines
5.1 KiB
TypeScript
Raw Normal View History

feat(core): Move execution permission checks earlier in the lifecycle (#8677)
2024-02-21 05:47:02 -08:00
import type { INode } from 'n8n-workflow';
fix(core): Fix PermissionChecker.check, and add additional unit tests (#8528)
2024-02-02 03:21:53 -08:00
import { mock } from 'jest-mock-extended';
import type { User } from '@db/entities/User';
import type { UserRepository } from '@db/repositories/user.repository';
import type { SharedCredentialsRepository } from '@db/repositories/sharedCredentials.repository';
import type { SharedWorkflowRepository } from '@db/repositories/sharedWorkflow.repository';
import type { License } from '@/License';
refactor(core): Use DI in PermissionChecker (no-changelog) (#8344)
2024-01-16 05:15:29 -08:00
import { PermissionChecker } from '@/UserManagement/PermissionChecker';
ci: Refactor cli tests to speed up CI (no-changelog) (#5718) * ci: Refactor cli tests to speed up CI (no-changelog) * upgrade jest to address memory leaks
2023-03-17 09:24:05 -07:00
fix(core): Fix PermissionChecker.check, and add additional unit tests (#8528)
2024-02-02 03:21:53 -08:00
describe('PermissionChecker', () => {
const user = mock<User>();
const userRepo = mock<UserRepository>();
const sharedCredentialsRepo = mock<SharedCredentialsRepository>();
const sharedWorkflowRepo = mock<SharedWorkflowRepository>();
const license = mock<License>();
const permissionChecker = new PermissionChecker(
userRepo,
sharedCredentialsRepo,
sharedWorkflowRepo,
mock(),
license,
);
feat(core): Move execution permission checks earlier in the lifecycle (#8677)
2024-02-21 05:47:02 -08:00
const workflowId = '1';
const nodes: INode[] = [
{
id: 'node-id',
name: 'HTTP Request',
type: 'n8n-nodes-base.httpRequest',
parameters: {},
typeVersion: 1,
position: [0, 0],
credentials: {
oAuth2Api: {
id: 'cred-id',
name: 'Custom oAuth2',
feat(core): Add credential runtime checks and prevent tampering in manual run (#4481) * :sparkles: Create `PermissionChecker` * :zap: Adjust helper * :fire: Remove superseded helpers * :zap: Use `PermissionChecker` * :test_tube: Add test for dynamic router switching * :zap: Simplify checks * :zap: Export utils * :zap: Add missing `init` method * :test_tube: Write tests for `PermissionChecker` * :blue_book: Update types * :test_tube: Fix tests * :sparkles: Set up `runManually()` * :zap: Refactor to reuse methods * :test_tube: Clear shared tables first * :twisted_rightwards_arrows: Adjust merge * :zap: Adjust imports
2022-11-11 02:14:45 -08:00
},
fix(core): Fix PermissionChecker.check, and add additional unit tests (#8528)
2024-02-02 03:21:53 -08:00
},
feat(core): Move execution permission checks earlier in the lifecycle (#8677)
2024-02-21 05:47:02 -08:00
},
];
fix(core): Fix user comparison in same-user subworkflow caller policy (#7913) https://linear.app/n8n/issue/PAY-992 https://community.n8n.io/t/executing-workflow-using-owner-role-created-by-another-user-fails/33443 --------- Co-authored-by: Omar Ajoue <krynble@gmail.com>
2023-12-06 04:27:11 -08:00
fix(core): Fix PermissionChecker.check, and add additional unit tests (#8528)
2024-02-02 03:21:53 -08:00
beforeEach(() => jest.clearAllMocks());
test: Ensure all subworkflow execution policies are tested (#5010)
2022-12-22 09:28:23 -08:00
fix(core): Fix PermissionChecker.check, and add additional unit tests (#8528)
2024-02-02 03:21:53 -08:00
describe('check', () => {
it('should throw if no user is found', async () => {
userRepo.findOneOrFail.mockRejectedValue(new Error('Fail'));
feat(core): Move execution permission checks earlier in the lifecycle (#8677)
2024-02-21 05:47:02 -08:00
await expect(permissionChecker.check(workflowId, '123', nodes)).rejects.toThrow();
fix(core): Fix PermissionChecker.check, and add additional unit tests (#8528)
2024-02-02 03:21:53 -08:00
expect(license.isSharingEnabled).not.toHaveBeenCalled();
expect(sharedWorkflowRepo.getSharedUserIds).not.toBeCalled();
expect(sharedCredentialsRepo.getOwnedCredentialIds).not.toHaveBeenCalled();
expect(sharedCredentialsRepo.getAccessibleCredentialIds).not.toHaveBeenCalled();
test: Ensure all subworkflow execution policies are tested (#5010)
2022-12-22 09:28:23 -08:00
});
fix(core): Fix PermissionChecker.check, and add additional unit tests (#8528)
2024-02-02 03:21:53 -08:00
it('should allow a user if they have a global `workflow:execute` scope', async () => {
userRepo.findOneOrFail.mockResolvedValue(user);
user.hasGlobalScope.calledWith('workflow:execute').mockReturnValue(true);
feat(core): Move execution permission checks earlier in the lifecycle (#8677)
2024-02-21 05:47:02 -08:00
await expect(permissionChecker.check(workflowId, user.id, nodes)).resolves.not.toThrow();
fix(core): Fix PermissionChecker.check, and add additional unit tests (#8528)
2024-02-02 03:21:53 -08:00
expect(license.isSharingEnabled).not.toHaveBeenCalled();
expect(sharedWorkflowRepo.getSharedUserIds).not.toBeCalled();
expect(sharedCredentialsRepo.getOwnedCredentialIds).not.toHaveBeenCalled();
expect(sharedCredentialsRepo.getAccessibleCredentialIds).not.toHaveBeenCalled();
test: Ensure all subworkflow execution policies are tested (#5010)
2022-12-22 09:28:23 -08:00
});
fix(core): Fix PermissionChecker.check, and add additional unit tests (#8528)
2024-02-02 03:21:53 -08:00
describe('When sharing is disabled', () => {
beforeEach(() => {
userRepo.findOneOrFail.mockResolvedValue(user);
user.hasGlobalScope.calledWith('workflow:execute').mockReturnValue(false);
license.isSharingEnabled.mockReturnValue(false);
test(core): Improve tests for subworkflow caller policy checks (no-changelog) (#7954) ## Summary Deduplicate, separate, organize and speed up tests for subworkflow caller policy checks. Follow-up to: https://github.com/n8n-io/n8n/pull/7913 ``` PASS test/unit/PermissionChecker.test.ts check() ✓ should allow if workflow has no creds (3 ms) ✓ should allow if requesting user is instance owner (83 ms) ✓ should allow if workflow creds are valid subset (151 ms) ✓ should deny if workflow creds are not valid subset (85 ms) checkSubworkflowExecutePolicy() no caller policy ✓ should fall back to N8N_WORKFLOW_CALLER_POLICY_DEFAULT_OPTION (1 ms) overridden caller policy ✓ if no sharing, policy becomes workflows-from-same-owner (1 ms) workflows-from-list caller policy ✓ should allow if caller list contains parent workflow ID ✓ should deny if caller list does not contain parent workflow ID (1 ms) any caller policy ✓ should not throw workflows-from-same-owner caller policy ✓ should deny if the two workflows are owned by different users (1 ms) ✓ should allow if both workflows are owned by the same user ``` ... #### How to test the change: 1. ... ## Issues fixed Include links to Github issue or Community forum post or **Linear ticket**: > Important in order to close automatically and provide context to reviewers ... ## Review / Merge checklist - [ ] PR title and summary are descriptive. **Remember, the title automatically goes into the changelog. Use `(no-changelog)` otherwise.** ([conventions](https://github.com/n8n-io/n8n/blob/master/.github/pull_request_title_conventions.md)) - [ ] [Docs updated](https://github.com/n8n-io/n8n-docs) or follow-up ticket created. - [ ] Tests included. > A bug is not considered fixed, unless a test is added to prevent it from happening again. A feature is not complete without tests. > > *(internal)* You can use Slack commands to trigger [e2e tests](https://www.notion.so/n8n/How-to-use-Test-Instances-d65f49dfc51f441ea44367fb6f67eb0a?pvs=4#a39f9e5ba64a48b58a71d81c837e8227) or [deploy test instance](https://www.notion.so/n8n/How-to-use-Test-Instances-d65f49dfc51f441ea44367fb6f67eb0a?pvs=4#f6a177d32bde4b57ae2da0b8e454bfce) or [deploy early access version on Cloud](https://www.notion.so/n8n/Cloudbot-3dbe779836004972b7057bc989526998?pvs=4#fef2d36ab02247e1a0f65a74f6fb534e).
2023-12-08 02:21:43 -08:00
});
fix(core): Fix PermissionChecker.check, and add additional unit tests (#8528)
2024-02-02 03:21:53 -08:00
it('should validate credential access using only owned credentials', async () => {
sharedCredentialsRepo.getOwnedCredentialIds.mockResolvedValue(['cred-id']);
test: Add test case for when policy is set to any and fix a few others (#5019) * :rotating_light: - testing subworkflow policies * test: Add test case for workflow policy 'any' * refactor: Remove unnecessary information in tests * test: Improve types and lint * fix: Add not throw to tests * fix: Adding missing await statements Co-authored-by: freyamade <freya@n8n.io>
2022-12-23 06:23:36 -08:00
feat(core): Move execution permission checks earlier in the lifecycle (#8677)
2024-02-21 05:47:02 -08:00
await expect(permissionChecker.check(workflowId, user.id, nodes)).resolves.not.toThrow();
fix(core): Fix user comparison in same-user subworkflow caller policy (#7913) https://linear.app/n8n/issue/PAY-992 https://community.n8n.io/t/executing-workflow-using-owner-role-created-by-another-user-fails/33443 --------- Co-authored-by: Omar Ajoue <krynble@gmail.com>
2023-12-06 04:27:11 -08:00
fix(core): Fix PermissionChecker.check, and add additional unit tests (#8528)
2024-02-02 03:21:53 -08:00
expect(sharedWorkflowRepo.getSharedUserIds).not.toBeCalled();
expect(sharedCredentialsRepo.getOwnedCredentialIds).toBeCalledWith([user.id]);
expect(sharedCredentialsRepo.getAccessibleCredentialIds).not.toHaveBeenCalled();
test(core): Improve tests for subworkflow caller policy checks (no-changelog) (#7954) ## Summary Deduplicate, separate, organize and speed up tests for subworkflow caller policy checks. Follow-up to: https://github.com/n8n-io/n8n/pull/7913 ``` PASS test/unit/PermissionChecker.test.ts check() ✓ should allow if workflow has no creds (3 ms) ✓ should allow if requesting user is instance owner (83 ms) ✓ should allow if workflow creds are valid subset (151 ms) ✓ should deny if workflow creds are not valid subset (85 ms) checkSubworkflowExecutePolicy() no caller policy ✓ should fall back to N8N_WORKFLOW_CALLER_POLICY_DEFAULT_OPTION (1 ms) overridden caller policy ✓ if no sharing, policy becomes workflows-from-same-owner (1 ms) workflows-from-list caller policy ✓ should allow if caller list contains parent workflow ID ✓ should deny if caller list does not contain parent workflow ID (1 ms) any caller policy ✓ should not throw workflows-from-same-owner caller policy ✓ should deny if the two workflows are owned by different users (1 ms) ✓ should allow if both workflows are owned by the same user ``` ... #### How to test the change: 1. ... ## Issues fixed Include links to Github issue or Community forum post or **Linear ticket**: > Important in order to close automatically and provide context to reviewers ... ## Review / Merge checklist - [ ] PR title and summary are descriptive. **Remember, the title automatically goes into the changelog. Use `(no-changelog)` otherwise.** ([conventions](https://github.com/n8n-io/n8n/blob/master/.github/pull_request_title_conventions.md)) - [ ] [Docs updated](https://github.com/n8n-io/n8n-docs) or follow-up ticket created. - [ ] Tests included. > A bug is not considered fixed, unless a test is added to prevent it from happening again. A feature is not complete without tests. > > *(internal)* You can use Slack commands to trigger [e2e tests](https://www.notion.so/n8n/How-to-use-Test-Instances-d65f49dfc51f441ea44367fb6f67eb0a?pvs=4#a39f9e5ba64a48b58a71d81c837e8227) or [deploy test instance](https://www.notion.so/n8n/How-to-use-Test-Instances-d65f49dfc51f441ea44367fb6f67eb0a?pvs=4#f6a177d32bde4b57ae2da0b8e454bfce) or [deploy early access version on Cloud](https://www.notion.so/n8n/Cloudbot-3dbe779836004972b7057bc989526998?pvs=4#fef2d36ab02247e1a0f65a74f6fb534e).
2023-12-08 02:21:43 -08:00
});
test: Add test case for when policy is set to any and fix a few others (#5019) * :rotating_light: - testing subworkflow policies * test: Add test case for workflow policy 'any' * refactor: Remove unnecessary information in tests * test: Improve types and lint * fix: Add not throw to tests * fix: Adding missing await statements Co-authored-by: freyamade <freya@n8n.io>
2022-12-23 06:23:36 -08:00
fix(core): Fix PermissionChecker.check, and add additional unit tests (#8528)
2024-02-02 03:21:53 -08:00
it('should throw when the user does not have access to the credential', async () => {
sharedCredentialsRepo.getOwnedCredentialIds.mockResolvedValue(['cred-id2']);
fix(core): Fix user comparison in same-user subworkflow caller policy (#7913) https://linear.app/n8n/issue/PAY-992 https://community.n8n.io/t/executing-workflow-using-owner-role-created-by-another-user-fails/33443 --------- Co-authored-by: Omar Ajoue <krynble@gmail.com>
2023-12-06 04:27:11 -08:00
feat(core): Move execution permission checks earlier in the lifecycle (#8677)
2024-02-21 05:47:02 -08:00
await expect(permissionChecker.check(workflowId, user.id, nodes)).rejects.toThrow(
fix(core): Fix PermissionChecker.check, and add additional unit tests (#8528)
2024-02-02 03:21:53 -08:00
'Node has no access to credential',
);
test(core): Improve tests for subworkflow caller policy checks (no-changelog) (#7954) ## Summary Deduplicate, separate, organize and speed up tests for subworkflow caller policy checks. Follow-up to: https://github.com/n8n-io/n8n/pull/7913 ``` PASS test/unit/PermissionChecker.test.ts check() ✓ should allow if workflow has no creds (3 ms) ✓ should allow if requesting user is instance owner (83 ms) ✓ should allow if workflow creds are valid subset (151 ms) ✓ should deny if workflow creds are not valid subset (85 ms) checkSubworkflowExecutePolicy() no caller policy ✓ should fall back to N8N_WORKFLOW_CALLER_POLICY_DEFAULT_OPTION (1 ms) overridden caller policy ✓ if no sharing, policy becomes workflows-from-same-owner (1 ms) workflows-from-list caller policy ✓ should allow if caller list contains parent workflow ID ✓ should deny if caller list does not contain parent workflow ID (1 ms) any caller policy ✓ should not throw workflows-from-same-owner caller policy ✓ should deny if the two workflows are owned by different users (1 ms) ✓ should allow if both workflows are owned by the same user ``` ... #### How to test the change: 1. ... ## Issues fixed Include links to Github issue or Community forum post or **Linear ticket**: > Important in order to close automatically and provide context to reviewers ... ## Review / Merge checklist - [ ] PR title and summary are descriptive. **Remember, the title automatically goes into the changelog. Use `(no-changelog)` otherwise.** ([conventions](https://github.com/n8n-io/n8n/blob/master/.github/pull_request_title_conventions.md)) - [ ] [Docs updated](https://github.com/n8n-io/n8n-docs) or follow-up ticket created. - [ ] Tests included. > A bug is not considered fixed, unless a test is added to prevent it from happening again. A feature is not complete without tests. > > *(internal)* You can use Slack commands to trigger [e2e tests](https://www.notion.so/n8n/How-to-use-Test-Instances-d65f49dfc51f441ea44367fb6f67eb0a?pvs=4#a39f9e5ba64a48b58a71d81c837e8227) or [deploy test instance](https://www.notion.so/n8n/How-to-use-Test-Instances-d65f49dfc51f441ea44367fb6f67eb0a?pvs=4#f6a177d32bde4b57ae2da0b8e454bfce) or [deploy early access version on Cloud](https://www.notion.so/n8n/Cloudbot-3dbe779836004972b7057bc989526998?pvs=4#fef2d36ab02247e1a0f65a74f6fb534e).
2023-12-08 02:21:43 -08:00
fix(core): Fix PermissionChecker.check, and add additional unit tests (#8528)
2024-02-02 03:21:53 -08:00
expect(sharedWorkflowRepo.getSharedUserIds).not.toBeCalled();
expect(sharedCredentialsRepo.getOwnedCredentialIds).toBeCalledWith([user.id]);
expect(sharedCredentialsRepo.getAccessibleCredentialIds).not.toHaveBeenCalled();
});
fix(core): Fix user comparison in same-user subworkflow caller policy (#7913) https://linear.app/n8n/issue/PAY-992 https://community.n8n.io/t/executing-workflow-using-owner-role-created-by-another-user-fails/33443 --------- Co-authored-by: Omar Ajoue <krynble@gmail.com>
2023-12-06 04:27:11 -08:00
});
fix(core): Fix PermissionChecker.check, and add additional unit tests (#8528)
2024-02-02 03:21:53 -08:00
describe('When sharing is enabled', () => {
beforeEach(() => {
userRepo.findOneOrFail.mockResolvedValue(user);
user.hasGlobalScope.calledWith('workflow:execute').mockReturnValue(false);
license.isSharingEnabled.mockReturnValue(true);
sharedWorkflowRepo.getSharedUserIds.mockResolvedValue([user.id, 'another-user']);
});
fix(core): Fix user comparison in same-user subworkflow caller policy (#7913) https://linear.app/n8n/issue/PAY-992 https://community.n8n.io/t/executing-workflow-using-owner-role-created-by-another-user-fails/33443 --------- Co-authored-by: Omar Ajoue <krynble@gmail.com>
2023-12-06 04:27:11 -08:00
fix(core): Fix PermissionChecker.check, and add additional unit tests (#8528)
2024-02-02 03:21:53 -08:00
it('should validate credential access using only owned credentials', async () => {
sharedCredentialsRepo.getAccessibleCredentialIds.mockResolvedValue(['cred-id']);
fix(core): Fix user comparison in same-user subworkflow caller policy (#7913) https://linear.app/n8n/issue/PAY-992 https://community.n8n.io/t/executing-workflow-using-owner-role-created-by-another-user-fails/33443 --------- Co-authored-by: Omar Ajoue <krynble@gmail.com>
2023-12-06 04:27:11 -08:00
feat(core): Move execution permission checks earlier in the lifecycle (#8677)
2024-02-21 05:47:02 -08:00
await expect(permissionChecker.check(workflowId, user.id, nodes)).resolves.not.toThrow();
fix(core): Fix user comparison in same-user subworkflow caller policy (#7913) https://linear.app/n8n/issue/PAY-992 https://community.n8n.io/t/executing-workflow-using-owner-role-created-by-another-user-fails/33443 --------- Co-authored-by: Omar Ajoue <krynble@gmail.com>
2023-12-06 04:27:11 -08:00
feat(core): Move execution permission checks earlier in the lifecycle (#8677)
2024-02-21 05:47:02 -08:00
expect(sharedWorkflowRepo.getSharedUserIds).toBeCalledWith(workflowId);
fix(core): Fix PermissionChecker.check, and add additional unit tests (#8528)
2024-02-02 03:21:53 -08:00
expect(sharedCredentialsRepo.getAccessibleCredentialIds).toBeCalledWith([
user.id,
'another-user',
]);
expect(sharedCredentialsRepo.getOwnedCredentialIds).not.toHaveBeenCalled();
});
fix(core): Fix user comparison in same-user subworkflow caller policy (#7913) https://linear.app/n8n/issue/PAY-992 https://community.n8n.io/t/executing-workflow-using-owner-role-created-by-another-user-fails/33443 --------- Co-authored-by: Omar Ajoue <krynble@gmail.com>
2023-12-06 04:27:11 -08:00
fix(core): Fix PermissionChecker.check, and add additional unit tests (#8528)
2024-02-02 03:21:53 -08:00
it('should throw when the user does not have access to the credential', async () => {
sharedCredentialsRepo.getAccessibleCredentialIds.mockResolvedValue(['cred-id2']);
fix(core): Fix user comparison in same-user subworkflow caller policy (#7913) https://linear.app/n8n/issue/PAY-992 https://community.n8n.io/t/executing-workflow-using-owner-role-created-by-another-user-fails/33443 --------- Co-authored-by: Omar Ajoue <krynble@gmail.com>
2023-12-06 04:27:11 -08:00
feat(core): Move execution permission checks earlier in the lifecycle (#8677)
2024-02-21 05:47:02 -08:00
await expect(permissionChecker.check(workflowId, user.id, nodes)).rejects.toThrow(
fix(core): Fix PermissionChecker.check, and add additional unit tests (#8528)
2024-02-02 03:21:53 -08:00
'Node has no access to credential',
);
fix(core): Fix user comparison in same-user subworkflow caller policy (#7913) https://linear.app/n8n/issue/PAY-992 https://community.n8n.io/t/executing-workflow-using-owner-role-created-by-another-user-fails/33443 --------- Co-authored-by: Omar Ajoue <krynble@gmail.com>
2023-12-06 04:27:11 -08:00
fix(core): Fix PermissionChecker.check, and add additional unit tests (#8528)
2024-02-02 03:21:53 -08:00
expect(sharedWorkflowRepo.find).not.toBeCalled();
expect(sharedCredentialsRepo.getAccessibleCredentialIds).toBeCalledWith([
user.id,
'another-user',
]);
expect(sharedCredentialsRepo.getOwnedCredentialIds).not.toHaveBeenCalled();
});
fix(core): Fix user comparison in same-user subworkflow caller policy (#7913) https://linear.app/n8n/issue/PAY-992 https://community.n8n.io/t/executing-workflow-using-owner-role-created-by-another-user-fails/33443 --------- Co-authored-by: Omar Ajoue <krynble@gmail.com>
2023-12-06 04:27:11 -08:00
});
});
test: Ensure all subworkflow execution policies are tested (#5010)
2022-12-22 09:28:23 -08:00
});
Reference in a new issue Copy permalink