n8n/packages/cli/test/integration/security-audit/utils.ts



import nock from 'nock';
import config from '@/config';
import { v4 as uuid } from 'uuid';
import { toReportTitle } from '@/security-audit/utils';
import * as constants from '@/constants';
import type { Risk } from '@/security-audit/types';
import type { InstalledNodes } from '@db/entities/InstalledNodes';
import type { InstalledPackages } from '@db/entities/InstalledPackages';
import { WorkflowRepository } from '@db/repositories/workflow.repository';
import Container from 'typedi';
/** Section shape for a risk category: the `instance` report has its own section type. */
type GetSectionKind<C extends Risk.Category> = C extends 'instance'
	? Risk.InstanceSection
	: Risk.StandardSection;

/**
 * Pull one titled section out of a risk report inside a test audit result.
 *
 * The audit is keyed by report title (`toReportTitle(riskCategory)`); the
 * section is matched on its exact `title`. An audit given as an array is the
 * "nothing to report" shape and is rejected up front so the caller gets a
 * clear assertion failure instead of an undefined lookup.
 *
 * @param testAudit - audit result under test; an array means no report was produced
 * @param riskCategory - category whose report should hold the section
 * @param sectionTitle - exact title of the section to return
 * @returns the matching section, typed according to the category
 * @throws Error when the audit is an array, the report is missing, or no section matches
 */
export function getRiskSection<C extends Risk.Category>(
	testAudit: Risk.Audit | never[],
	riskCategory: C,
	sectionTitle: string,
): GetSectionKind<C> {
	if (Array.isArray(testAudit)) {
		throw new Error('Expected test audit not to be an array');
	}

	const reportTitle = toReportTitle(riskCategory);
	const report = testAudit[reportTitle];

	if (!report) throw new Error(`Expected risk "${riskCategory}"`);

	// First section whose title matches wins; order of `sections` is preserved.
	let match: GetSectionKind<C> | undefined;
	for (const candidate of report.sections) {
		if (candidate.title !== sectionTitle) continue;
		match = candidate as GetSectionKind<C>;
		break;
	}

	if (match === undefined) {
		throw new Error(`Expected section "${sectionTitle}" for risk "${riskCategory}"`);
	}

	return match;
}
/**
 * Persist a minimal, inactive workflow holding a single Manual Trigger node
 * and return the saved entity.
 *
 * The workflow id is fixed to `'1'`, so calling this twice without resetting
 * the database presumably writes the same row again rather than creating a
 * second workflow — keep that in mind when a test needs several workflows.
 */
export async function saveManualTriggerWorkflow() {
	const manualTrigger = {
		id: uuid(),
		name: 'My Node',
		type: 'n8n-nodes-base.manualTrigger',
		typeVersion: 1,
		position: [0, 0] as [number, number],
	};

	const workflow = {
		id: '1',
		name: 'My Test Workflow',
		active: false,
		connections: {},
		nodeTypes: {},
		nodes: [manualTrigger],
	};

	return await Container.get(WorkflowRepository).save(workflow);
}
/**
 * Mock release entry for n8n 0.999.0, in the shape the version-notifications
 * endpoint is mocked to return (see `simulateOutdatedInstanceOnce`).
 * It is newer than `MOCK_01110_N8N_VERSION`, so an instance reporting the
 * older version sees this release as the pending update.
 *
 * Every security flag is cleared (`hasSecurityFix`, `hasSecurityIssue`,
 * `securityIssueFixVersion`), so this fixture only exercises the plain
 * "outdated version" path — NOTE(review): confirm against the instance-risk
 * reporter before reusing it for a "known security issue" assertion.
 */
export const MOCK_09990_N8N_VERSION = {
	name: '0.999.0',
	nodes: [
		{
			name: 'n8n-nodes-base.testNode',
			displayName: 'Test Node',
			icon: 'file:testNode.svg',
			defaults: {
				name: 'Test Node',
			},
		},
	],
	createdAt: '2022-11-11T11:11:11.111Z',
	// HTML is intentional: the real endpoint returns marked-up release notes.
	description:
		'Includes <strong>new nodes</strong>, <strong>node enhancements</strong>, <strong>core functionality</strong> and <strong>bug fixes</strong>',
	documentationUrl: 'https://docs.n8n.io/reference/release-notes/#n8n09990',
	hasBreakingChange: false,
	hasSecurityFix: false,
	hasSecurityIssue: false,
	securityIssueFixVersion: null,
};
/**
 * Mock release entry for n8n 0.111.0 — the "current" version of an outdated
 * instance in `simulateOutdatedInstanceOnce`. It ships no new nodes and has
 * all security flags cleared, so it contributes no security-issue signal of
 * its own; it exists to be older than `MOCK_09990_N8N_VERSION`.
 */
export const MOCK_01110_N8N_VERSION = {
	name: '0.111.0',
	nodes: [],
	createdAt: '2022-01-01T00:00:00.000Z',
	// HTML is intentional: the real endpoint returns marked-up release notes.
	description:
		'Includes <strong>new nodes</strong>, <strong>node enhancements</strong>, <strong>core functionality</strong> and <strong>bug fixes</strong>',
	documentationUrl: 'https://docs.n8n.io/reference/release-notes/#n8n01110',
	hasBreakingChange: false,
	hasSecurityFix: false,
	hasSecurityIssue: false,
	securityIssueFixVersion: null,
};
/**
 * One community package (`n8n-nodes-test`) with a single installed node,
 * typed as the `InstalledPackages` entity for audit checks on third-party nodes.
 *
 * `setUpdateDate` is a no-op stub, and the node literal is cast to
 * `InstalledNodes` because only a subset of the entity's fields is filled in —
 * presumably the ones the audit reads. If a check starts reading more of the
 * entity, extend the literal rather than relying on the cast to hide it.
 */
export const MOCK_PACKAGE: InstalledPackages[] = [
	{
		createdAt: new Date(),
		updatedAt: new Date(),
		packageName: 'n8n-nodes-test',
		installedVersion: '1.1.2',
		authorName: 'test',
		authorEmail: 'test@test.com',
		setUpdateDate: () => {},
		installedNodes: [
			{
				name: 'My Test Node',
				type: 'myTestNode',
				latestVersion: '1',
			} as InstalledNodes,
		],
	},
];
/**
 * Make the next version lookup see this instance as running `versionName`
 * (default: the older mock release) and intercept the version-notifications
 * endpoint so it answers with both mock releases — the newer one then shows
 * up as an available update. No real HTTP request leaves the test.
 *
 * Both halves are single-shot: the package.json spy queues one return value
 * (`mockReturnValueOnce`) and the nock interceptor is not persisted, so a
 * second lookup in the same test is no longer mocked. The spy is not restored
 * here; rely on the suite's mock reset between tests.
 *
 * @param versionName - version the instance should report as its own
 */
export function simulateOutdatedInstanceOnce(versionName = MOCK_01110_N8N_VERSION.name) {
	const endpoint = `${config.getEnv('versionNotifications.endpoint')}/`;

	const packageJsonSpy = jest.spyOn(constants, 'getN8nPackageJson');
	packageJsonSpy.mockReturnValueOnce({ name: 'n8n', version: versionName });

	const releases = [MOCK_01110_N8N_VERSION, MOCK_09990_N8N_VERSION];
	nock(endpoint).get(versionName).reply(200, releases);
}
/**
 * Make the next version lookup see this instance as running `versionName`
 * (default: the newest mock release) and intercept the version-notifications
 * endpoint so it answers with only that release — nothing newer exists, so
 * no update is pending. No real HTTP request leaves the test.
 *
 * Only the HTTP side persists (`persist()`); the package.json spy still
 * answers once (`mockReturnValueOnce`), so a second lookup reports the real
 * package version. The spy is not restored here; rely on the suite's mock
 * reset between tests.
 *
 * @param versionName - version the instance should report as its own
 */
export function simulateUpToDateInstance(versionName = MOCK_09990_N8N_VERSION.name) {
	const endpoint = `${config.getEnv('versionNotifications.endpoint')}/`;

	const packageJsonSpy = jest.spyOn(constants, 'getN8nPackageJson');
	packageJsonSpy.mockReturnValueOnce({ name: 'n8n', version: versionName });

	const releases = [MOCK_09990_N8N_VERSION];
	nock(endpoint).persist().get(versionName).reply(200, releases);
}