n8n/packages/cli/test/integration/ldap/ldap.api.test.ts

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

577 lines
18 KiB
TypeScript
Raw Normal View History

import type { SuperAgentTest } from 'supertest';
2023-01-24 17:18:39 -08:00
import type { Entry as LdapUser } from 'ldapts';
import { Not } from 'typeorm';
2023-01-24 17:18:39 -08:00
import { jsonParse } from 'n8n-workflow';
import config from '@/config';
import * as Db from '@/Db';
import type { Role } from '@db/entities/Role';
import type { User } from '@db/entities/User';
import { LDAP_DEFAULT_CONFIGURATION, LDAP_FEATURE_NAME } from '@/Ldap/constants';
2023-01-24 17:18:39 -08:00
import { LdapManager } from '@/Ldap/LdapManager.ee';
import { LdapService } from '@/Ldap/LdapService.ee';
import { encryptPassword, saveLdapSynchronization } from '@/Ldap/helpers';
import type { LdapConfig } from '@/Ldap/types';
import { getCurrentAuthenticationMethod, setCurrentAuthenticationMethod } from '@/sso/ssoHelpers';
2023-01-24 17:18:39 -08:00
import { randomEmail, randomName, uniqueId } from './../shared/random';
import * as testDb from './../shared/testDb';
import * as utils from '../shared/utils/';
2023-01-24 17:18:39 -08:00
refactor(core): Implement soft-deletions for executions (#7092) Based on #7065 | Story: https://linear.app/n8n/issue/PAY-771 n8n on filesystem mode marks binary data to delete on manual execution deletion, on unsaved execution completion, and on every execution pruning cycle. We later prune binary data in a separate cycle via these marker files, based on the configured TTL. In the context of introducing an S3 client to manage binary data, the filesystem mode's mark-and-prune setup is too tightly coupled to the general binary data management client interface. This PR... - Ensures the deletion of an execution causes the deletion of any binary data associated to it. This does away with the need for binary data TTL and simplifies the filesystem mode's mark-and-prune setup. - Refactors all execution deletions (including pruning) to cause soft deletions, hard-deletes soft-deleted executions based on the existing pruning config, and adjusts execution endpoints to filter out soft-deleted executions. This reduces DB load, and keeps binary data around long enough for users to access it when building workflows with unsaved executions. - Moves all execution pruning work from an execution lifecycle hook to `execution.repository.ts`. This keeps related logic in a single place. - Removes all marking logic from the binary data manager. This simplifies the interface that the S3 client will meet. - Adds basic sanity-check tests to pruning logic and execution deletion. Out of scope: - Improving existing pruning logic. - Improving existing execution repository logic. - Adjusting dir structure for filesystem mode. --------- Co-authored-by: कारतोफ्फेलस्क्रिप्ट™ <aditya@netroy.in>
2023-09-20 06:21:42 -07:00
import { LoggerProxy } from 'n8n-workflow';
import { getLogger } from '@/Logger';
2023-01-24 17:18:39 -08:00
jest.mock('@/telemetry');
jest.mock('@/UserManagement/email/NodeMailer');
let globalMemberRole: Role;
let owner: User;
let authOwnerAgent: SuperAgentTest;
2023-01-24 17:18:39 -08:00
refactor(core): Implement soft-deletions for executions (#7092) Based on #7065 | Story: https://linear.app/n8n/issue/PAY-771 n8n on filesystem mode marks binary data to delete on manual execution deletion, on unsaved execution completion, and on every execution pruning cycle. We later prune binary data in a separate cycle via these marker files, based on the configured TTL. In the context of introducing an S3 client to manage binary data, the filesystem mode's mark-and-prune setup is too tightly coupled to the general binary data management client interface. This PR... - Ensures the deletion of an execution causes the deletion of any binary data associated to it. This does away with the need for binary data TTL and simplifies the filesystem mode's mark-and-prune setup. - Refactors all execution deletions (including pruning) to cause soft deletions, hard-deletes soft-deleted executions based on the existing pruning config, and adjusts execution endpoints to filter out soft-deleted executions. This reduces DB load, and keeps binary data around long enough for users to access it when building workflows with unsaved executions. - Moves all execution pruning work from an execution lifecycle hook to `execution.repository.ts`. This keeps related logic in a single place. - Removes all marking logic from the binary data manager. This simplifies the interface that the S3 client will meet. - Adds basic sanity-check tests to pruning logic and execution deletion. Out of scope: - Improving existing pruning logic. - Improving existing execution repository logic. - Adjusting dir structure for filesystem mode. --------- Co-authored-by: कारतोफ्फेलस्क्रिप्ट™ <aditya@netroy.in>
2023-09-20 06:21:42 -07:00
LoggerProxy.init(getLogger());
2023-01-24 17:18:39 -08:00
const defaultLdapConfig = {
...LDAP_DEFAULT_CONFIGURATION,
loginEnabled: true,
loginLabel: '',
ldapIdAttribute: 'uid',
firstNameAttribute: 'givenName',
lastNameAttribute: 'sn',
emailAttribute: 'mail',
loginIdAttribute: 'mail',
baseDn: 'baseDn',
bindingAdminDn: 'adminDn',
bindingAdminPassword: 'adminPassword',
};
const testServer = utils.setupTestServer({
endpointGroups: ['auth', 'ldap'],
enabledFeatures: ['feat:ldap'],
});
2023-01-24 17:18:39 -08:00
beforeAll(async () => {
const [globalOwnerRole, fetchedGlobalMemberRole] = await testDb.getAllRoles();
2023-01-24 17:18:39 -08:00
globalMemberRole = fetchedGlobalMemberRole;
owner = await testDb.createUser({ globalRole: globalOwnerRole });
authOwnerAgent = testServer.authAgentFor(owner);
2023-01-24 17:18:39 -08:00
defaultLdapConfig.bindingAdminPassword = await encryptPassword(
defaultLdapConfig.bindingAdminPassword,
);
await utils.initEncryptionKey();
await setCurrentAuthenticationMethod('email');
2023-01-24 17:18:39 -08:00
});
beforeEach(async () => {
await testDb.truncate([
'AuthIdentity',
'AuthProviderSyncHistory',
'SharedCredentials',
'Credentials',
'SharedWorkflow',
'Workflow',
]);
await Db.collections.User.delete({ id: Not(owner.id) });
2023-01-24 17:18:39 -08:00
jest.mock('@/telemetry');
config.set('userManagement.isInstanceOwnerSetUp', true);
config.set('userManagement.emails.mode', '');
});
const createLdapConfig = async (attributes: Partial<LdapConfig> = {}): Promise<LdapConfig> => {
const { value: ldapConfig } = await Db.collections.Settings.save({
key: LDAP_FEATURE_NAME,
value: JSON.stringify({
...defaultLdapConfig,
...attributes,
}),
loadOnStartup: true,
});
return jsonParse(ldapConfig);
};
test('Member role should not be able to access ldap routes', async () => {
const member = await testDb.createUser({ globalRole: globalMemberRole });
const authAgent = testServer.authAgentFor(member);
await authAgent.get('/ldap/config').expect(403);
await authAgent.put('/ldap/config').expect(403);
await authAgent.post('/ldap/test-connection').expect(403);
await authAgent.post('/ldap/sync').expect(403);
await authAgent.get('/ldap/sync').expect(403);
2023-01-24 17:18:39 -08:00
});
describe('PUT /ldap/config', () => {
test('route should validate payload', async () => {
const invalidValuePayload = {
...LDAP_DEFAULT_CONFIGURATION,
loginEnabled: '', // enabled property only allows boolean
loginLabel: '',
};
const invalidExtraPropertyPayload = {
...LDAP_DEFAULT_CONFIGURATION,
example: true, // property not defined in the validation schema
};
const missingPropertyPayload = {
loginEnabled: true,
loginLabel: '',
// missing all other properties defined in the schema
};
const invalidPayloads = [
invalidValuePayload,
invalidExtraPropertyPayload,
missingPropertyPayload,
];
for (const invalidPayload of invalidPayloads) {
const response = await authOwnerAgent.put('/ldap/config').send(invalidPayload);
2023-01-24 17:18:39 -08:00
expect(response.statusCode).toBe(400);
expect(response.body).toHaveProperty('message');
}
});
test('route should update model', async () => {
const validPayload = {
...LDAP_DEFAULT_CONFIGURATION,
loginEnabled: true,
loginLabel: '',
};
const response = await authOwnerAgent.put('/ldap/config').send(validPayload);
2023-01-24 17:18:39 -08:00
expect(response.statusCode).toBe(200);
expect(response.body.data.loginEnabled).toBe(true);
expect(response.body.data.loginLabel).toBe('');
});
test('should apply "Convert all LDAP users to email users" strategy when LDAP login disabled', async () => {
const ldapConfig = await createLdapConfig();
LdapManager.updateConfig(ldapConfig);
const member = await testDb.createLdapUser({ globalRole: globalMemberRole }, uniqueId());
const configuration = ldapConfig;
// disable the login, so the strategy is applied
await authOwnerAgent.put('/ldap/config').send({ ...configuration, loginEnabled: false });
2023-01-24 17:18:39 -08:00
const emailUser = await Db.collections.User.findOneByOrFail({ id: member.id });
const localLdapIdentities = await testDb.getLdapIdentities();
expect(getCurrentAuthenticationMethod()).toBe('email');
2023-01-24 17:18:39 -08:00
expect(emailUser.email).toBe(member.email);
expect(emailUser.lastName).toBe(member.lastName);
expect(emailUser.firstName).toBe(member.firstName);
expect(localLdapIdentities.length).toEqual(0);
});
});
test('GET /ldap/config route should retrieve current configuration', async () => {
const validPayload = {
...LDAP_DEFAULT_CONFIGURATION,
loginEnabled: true,
loginLabel: '',
};
let response = await authOwnerAgent.put('/ldap/config').send(validPayload);
2023-01-24 17:18:39 -08:00
expect(response.statusCode).toBe(200);
expect(getCurrentAuthenticationMethod()).toBe('ldap');
2023-01-24 17:18:39 -08:00
response = await authOwnerAgent.get('/ldap/config');
2023-01-24 17:18:39 -08:00
expect(response.body.data).toMatchObject(validPayload);
});
describe('POST /ldap/test-connection', () => {
test('route should success', async () => {
jest.spyOn(LdapService.prototype, 'testConnection').mockResolvedValue();
2023-01-24 17:18:39 -08:00
await authOwnerAgent.post('/ldap/test-connection').expect(200);
2023-01-24 17:18:39 -08:00
});
test('route should fail', async () => {
const errorMessage = 'Invalid connection';
jest.spyOn(LdapService.prototype, 'testConnection').mockRejectedValue(new Error(errorMessage));
2023-01-24 17:18:39 -08:00
const response = await authOwnerAgent.post('/ldap/test-connection');
2023-01-24 17:18:39 -08:00
expect(response.statusCode).toBe(400);
expect(response.body).toHaveProperty('message');
expect(response.body.message).toStrictEqual(errorMessage);
});
});
describe('POST /ldap/sync', () => {
beforeEach(async () => {
const ldapConfig = await createLdapConfig({
ldapIdAttribute: 'uid',
firstNameAttribute: 'givenName',
lastNameAttribute: 'sn',
emailAttribute: 'mail',
});
LdapManager.updateConfig(ldapConfig);
});
describe('dry mode', () => {
const runTest = async (ldapUsers: LdapUser[]) => {
jest.spyOn(LdapService.prototype, 'searchWithAdminBinding').mockResolvedValue(ldapUsers);
2023-01-24 17:18:39 -08:00
await authOwnerAgent.post('/ldap/sync').send({ type: 'dry' }).expect(200);
2023-01-24 17:18:39 -08:00
const synchronization = await Db.collections.AuthProviderSyncHistory.findOneByOrFail({});
expect(synchronization.id).toBeDefined();
expect(synchronization.startedAt).toBeDefined();
expect(synchronization.endedAt).toBeDefined();
expect(synchronization.created).toBeDefined();
expect(synchronization.updated).toBeDefined();
expect(synchronization.disabled).toBeDefined();
expect(synchronization.status).toBeDefined();
expect(synchronization.scanned).toBeDefined();
expect(synchronization.error).toBeDefined();
expect(synchronization.runMode).toBeDefined();
expect(synchronization.runMode).toBe('dry');
expect(synchronization.scanned).toBe(ldapUsers.length);
return synchronization;
};
test('should detect new user but not persist change in model', async () => {
const synchronization = await runTest([
{
dn: '',
mail: randomEmail(),
sn: randomName(),
givenName: randomName(),
uid: uniqueId(),
},
]);
expect(synchronization.created).toBe(1);
// Make sure only the instance owner is on the DB
const localDbUsers = await Db.collections.User.find();
expect(localDbUsers.length).toBe(1);
expect(localDbUsers[0].id).toBe(owner.id);
});
test('should detect updated user but not persist change in model', async () => {
const ldapUserEmail = randomEmail();
const ldapUserId = uniqueId();
const member = await testDb.createLdapUser(
{ globalRole: globalMemberRole, email: ldapUserEmail },
ldapUserId,
);
const synchronization = await runTest([
{
dn: '',
mail: ldapUserEmail,
sn: randomName(),
givenName: 'updated',
uid: ldapUserId,
},
]);
expect(synchronization.updated).toBe(1);
// Make sure the changes in the "LDAP server" were not persisted in the database
const localLdapIdentities = await testDb.getLdapIdentities();
const localLdapUsers = localLdapIdentities.map(({ user }) => user);
expect(localLdapUsers.length).toBe(1);
expect(localLdapUsers[0].id).toBe(member.id);
expect(localLdapUsers[0].lastName).toBe(member.lastName);
});
test('should detect disabled user but not persist change in model', async () => {
const ldapUserEmail = randomEmail();
const ldapUserId = uniqueId();
const member = await testDb.createLdapUser(
{ globalRole: globalMemberRole, email: ldapUserEmail },
ldapUserId,
);
const synchronization = await runTest([]);
expect(synchronization.disabled).toBe(1);
// Make sure the changes in the "LDAP server" were not persisted in the database
const localLdapIdentities = await testDb.getLdapIdentities();
const localLdapUsers = localLdapIdentities.map(({ user }) => user);
expect(localLdapUsers.length).toBe(1);
expect(localLdapUsers[0].id).toBe(member.id);
expect(localLdapUsers[0].disabled).toBe(false);
});
});
describe('live mode', () => {
const runTest = async (ldapUsers: LdapUser[]) => {
jest.spyOn(LdapService.prototype, 'searchWithAdminBinding').mockResolvedValue(ldapUsers);
2023-01-24 17:18:39 -08:00
await authOwnerAgent.post('/ldap/sync').send({ type: 'live' }).expect(200);
2023-01-24 17:18:39 -08:00
const synchronization = await Db.collections.AuthProviderSyncHistory.findOneByOrFail({});
expect(synchronization.id).toBeDefined();
expect(synchronization.startedAt).toBeDefined();
expect(synchronization.endedAt).toBeDefined();
expect(synchronization.created).toBeDefined();
expect(synchronization.updated).toBeDefined();
expect(synchronization.disabled).toBeDefined();
expect(synchronization.status).toBeDefined();
expect(synchronization.scanned).toBeDefined();
expect(synchronization.error).toBeDefined();
expect(synchronization.runMode).toBeDefined();
expect(synchronization.runMode).toBe('live');
expect(synchronization.scanned).toBe(ldapUsers.length);
return synchronization;
};
test('should detect new user and persist change in model', async () => {
const ldapUser = {
mail: randomEmail(),
dn: '',
sn: randomName(),
givenName: randomName(),
uid: uniqueId(),
};
const synchronization = await runTest([ldapUser]);
expect(synchronization.created).toBe(1);
// Make sure the changes in the "LDAP server" were persisted in the database
const allUsers = await testDb.getAllUsers();
expect(allUsers.length).toBe(2);
const ownerUser = allUsers.find((u) => u.email === owner.email)!;
expect(ownerUser.email).toBe(owner.email);
const memberUser = allUsers.find((u) => u.email !== owner.email)!;
expect(memberUser.email).toBe(ldapUser.mail);
expect(memberUser.lastName).toBe(ldapUser.sn);
expect(memberUser.firstName).toBe(ldapUser.givenName);
const authIdentities = await testDb.getLdapIdentities();
expect(authIdentities.length).toBe(1);
expect(authIdentities[0].providerId).toBe(ldapUser.uid);
expect(authIdentities[0].providerType).toBe('ldap');
});
test('should detect updated user and persist change in model', async () => {
const ldapUser = {
mail: randomEmail(),
dn: '',
sn: 'updated',
givenName: randomName(),
uid: uniqueId(),
};
await testDb.createLdapUser(
{
globalRole: globalMemberRole,
email: ldapUser.mail,
firstName: ldapUser.givenName,
lastName: randomName(),
},
ldapUser.uid,
);
const synchronization = await runTest([ldapUser]);
expect(synchronization.updated).toBe(1);
// Make sure the changes in the "LDAP server" were persisted in the database
const localLdapIdentities = await testDb.getLdapIdentities();
const localLdapUsers = localLdapIdentities.map(({ user }) => user);
expect(localLdapUsers.length).toBe(1);
expect(localLdapUsers[0].email).toBe(ldapUser.mail);
expect(localLdapUsers[0].lastName).toBe(ldapUser.sn);
expect(localLdapUsers[0].firstName).toBe(ldapUser.givenName);
expect(localLdapIdentities[0].providerId).toBe(ldapUser.uid);
});
test('should detect disabled user and persist change in model', async () => {
const ldapUser = {
mail: randomEmail(),
dn: '',
sn: 'updated',
givenName: randomName(),
uid: uniqueId(),
};
await testDb.createLdapUser(
{
globalRole: globalMemberRole,
email: ldapUser.mail,
firstName: ldapUser.givenName,
lastName: ldapUser.sn,
},
ldapUser.uid,
);
const synchronization = await runTest([]);
expect(synchronization.disabled).toBe(1);
// Make sure the changes in the "LDAP server" were persisted in the database
const allUsers = await testDb.getAllUsers();
expect(allUsers.length).toBe(2);
const ownerUser = allUsers.find((u) => u.email === owner.email)!;
expect(ownerUser.email).toBe(owner.email);
const memberUser = allUsers.find((u) => u.email !== owner.email)!;
expect(memberUser.email).toBe(ldapUser.mail);
expect(memberUser.lastName).toBe(ldapUser.sn);
expect(memberUser.firstName).toBe(ldapUser.givenName);
expect(memberUser.disabled).toBe(true);
const authIdentities = await testDb.getLdapIdentities();
expect(authIdentities.length).toBe(0);
});
test('should remove user instance access once the user is disabled during synchronization', async () => {
const member = await testDb.createLdapUser({ globalRole: globalMemberRole }, uniqueId());
jest.spyOn(LdapService.prototype, 'searchWithAdminBinding').mockResolvedValue([]);
2023-01-24 17:18:39 -08:00
await authOwnerAgent.post('/ldap/sync').send({ type: 'live' });
2023-01-24 17:18:39 -08:00
const response = await testServer.authAgentFor(member).get('/login');
2023-01-24 17:18:39 -08:00
expect(response.body.code).toBe(401);
});
});
});
test('GET /ldap/sync should return paginated synchronizations', async () => {
for (let i = 0; i < 2; i++) {
await saveLdapSynchronization({
created: 0,
scanned: 0,
updated: 0,
disabled: 0,
startedAt: new Date(),
endedAt: new Date(),
status: 'success',
error: '',
runMode: 'dry',
});
}
let response = await authOwnerAgent.get('/ldap/sync?perPage=1&page=0');
2023-01-24 17:18:39 -08:00
expect(response.body.data.length).toBe(1);
response = await authOwnerAgent.get('/ldap/sync?perPage=1&page=1');
2023-01-24 17:18:39 -08:00
expect(response.body.data.length).toBe(1);
});
describe('POST /login', () => {
const runTest = async (ldapUser: LdapUser) => {
const ldapConfig = await createLdapConfig();
LdapManager.updateConfig(ldapConfig);
jest.spyOn(LdapService.prototype, 'searchWithAdminBinding').mockResolvedValue([ldapUser]);
2023-01-24 17:18:39 -08:00
jest.spyOn(LdapService.prototype, 'validUser').mockResolvedValue();
2023-01-24 17:18:39 -08:00
const response = await testServer.authlessAgent
2023-01-24 17:18:39 -08:00
.post('/login')
.send({ email: ldapUser.mail, password: 'password' });
expect(response.statusCode).toBe(200);
expect(response.headers['set-cookie']).toBeDefined();
expect(response.headers['set-cookie'][0] as string).toContain('n8n-auth=');
// Make sure the changes in the "LDAP server" were persisted in the database
const localLdapIdentities = await testDb.getLdapIdentities();
const localLdapUsers = localLdapIdentities.map(({ user }) => user);
expect(localLdapUsers.length).toBe(1);
expect(localLdapUsers[0].email).toBe(ldapUser.mail);
expect(localLdapUsers[0].lastName).toBe(ldapUser.sn);
expect(localLdapUsers[0].firstName).toBe(ldapUser.givenName);
expect(localLdapIdentities[0].providerId).toBe(ldapUser.uid);
expect(localLdapUsers[0].disabled).toBe(false);
};
test('should allow new LDAP user to login and synchronize data', async () => {
const ldapUser = {
mail: randomEmail(),
dn: '',
sn: '',
givenName: randomName(),
uid: uniqueId(),
};
await runTest(ldapUser);
});
test('should allow existing LDAP user to login and synchronize data', async () => {
const ldapUser = {
mail: randomEmail(),
dn: '',
sn: 'updated',
givenName: 'updated',
uid: uniqueId(),
};
await testDb.createLdapUser(
{
globalRole: globalMemberRole,
email: ldapUser.mail,
firstName: 'firstname',
lastName: 'lastname',
},
ldapUser.uid,
);
await runTest(ldapUser);
});
test('should transform email user into LDAP user when match found', async () => {
const ldapUser = {
mail: randomEmail(),
dn: '',
sn: randomName(),
givenName: randomName(),
uid: uniqueId(),
};
await testDb.createUser({
globalRole: globalMemberRole,
email: ldapUser.mail,
firstName: ldapUser.givenName,
lastName: 'lastname',
});
await runTest(ldapUser);
});
});
describe('Instance owner should able to delete LDAP users', () => {
test("don't transfer workflows", async () => {
const ldapConfig = await createLdapConfig();
LdapManager.updateConfig(ldapConfig);
const member = await testDb.createLdapUser({ globalRole: globalMemberRole }, uniqueId());
await authOwnerAgent.post(`/users/${member.id}`);
2023-01-24 17:18:39 -08:00
});
test('transfer workflows and credentials', async () => {
const ldapConfig = await createLdapConfig();
LdapManager.updateConfig(ldapConfig);
const member = await testDb.createLdapUser({ globalRole: globalMemberRole }, uniqueId());
// delete the LDAP member and transfer its workflows/credentials to instance owner
await authOwnerAgent.post(`/users/${member.id}?transferId=${owner.id}`);
2023-01-24 17:18:39 -08:00
});
});