n8n/packages/cli/test/integration/permission-checker.test.ts

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

275 lines
7.4 KiB
TypeScript
Raw Normal View History

import { v4 as uuid } from 'uuid';
import { Container } from 'typedi';
import type { INode, INodeTypeData } from 'n8n-workflow';
import { randomInt } from 'n8n-workflow';
import type { User } from '@db/entities/User';
import { WorkflowRepository } from '@db/repositories/workflow.repository';
import { SharedWorkflowRepository } from '@db/repositories/sharedWorkflow.repository';
import { LoadNodesAndCredentials } from '@/load-nodes-and-credentials';
import { NodeTypes } from '@/node-types';
import { OwnershipService } from '@/services/ownership.service';
import { PermissionChecker } from '@/user-management/permission-checker';
import { mockInstance } from '../shared/mocking';
import { randomCredentialPayload as randomCred } from './shared/random';
import * as testDb from './shared/testDb';
import type { SaveCredentialFunction } from './shared/types';
import { affixRoleToSaveCredential } from './shared/db/credentials';
import { createOwner, createUser } from './shared/db/users';
import { SharedCredentialsRepository } from '@/databases/repositories/sharedCredentials.repository';
import { getPersonalProject } from './shared/db/projects';
import type { WorkflowEntity } from '@/databases/entities/WorkflowEntity';
import type { Project } from '@/databases/entities/Project';
import { ProjectRepository } from '@/databases/repositories/project.repository';
const ownershipService = mockInstance(OwnershipService);
function mockNodeTypesData(
nodeNames: string[],
options?: {
addTrigger?: boolean;
},
) {
return nodeNames.reduce<INodeTypeData>((acc, nodeName) => {
return (
(acc[`n8n-nodes-base.${nodeName}`] = {
sourcePath: '',
type: {
description: {
displayName: nodeName,
name: nodeName,
group: [],
description: '',
version: 1,
defaults: {},
inputs: [],
outputs: [],
properties: [],
},
trigger: options?.addTrigger ? async () => undefined : undefined,
},
}),
acc
);
}, {});
}
const createWorkflow = async (nodes: INode[], workflowOwner?: User): Promise<WorkflowEntity> => {
const workflowDetails = {
id: randomInt(1, 10).toString(),
name: 'test',
active: false,
connections: {},
nodeTypes: mockNodeTypes,
nodes,
};
const workflowEntity = await Container.get(WorkflowRepository).save(workflowDetails);
if (workflowOwner) {
const project = await getPersonalProject(workflowOwner);
await Container.get(SharedWorkflowRepository).save({
workflow: workflowEntity,
user: workflowOwner,
project,
role: 'workflow:owner',
});
}
return workflowEntity;
};
let saveCredential: SaveCredentialFunction;
let owner: User;
let member: User;
let ownerPersonalProject: Project;
let memberPersonalProject: Project;
const mockNodeTypes = mockInstance(NodeTypes);
mockInstance(LoadNodesAndCredentials, {
loadedNodes: mockNodeTypesData(['start', 'actionNetwork']),
});
let permissionChecker: PermissionChecker;
beforeAll(async () => {
await testDb.init();
saveCredential = affixRoleToSaveCredential('credential:owner');
permissionChecker = Container.get(PermissionChecker);
[owner, member] = await Promise.all([createOwner(), createUser()]);
ownerPersonalProject = await Container.get(ProjectRepository).getPersonalProjectForUserOrFail(
owner.id,
);
memberPersonalProject = await Container.get(ProjectRepository).getPersonalProjectForUserOrFail(
member.id,
);
});
describe('check()', () => {
beforeEach(async () => {
await testDb.truncate(['Workflow', 'Credentials']);
});
afterAll(async () => {
await testDb.terminate();
});
test('should allow if workflow has no creds', async () => {
const nodes: INode[] = [
{
id: uuid(),
name: 'Start',
type: 'n8n-nodes-base.start',
typeVersion: 1,
parameters: {},
position: [0, 0],
},
];
const workflow = await createWorkflow(nodes, member);
ownershipService.getWorkflowProjectCached.mockResolvedValueOnce(memberPersonalProject);
await expect(permissionChecker.check(workflow.id, nodes)).resolves.not.toThrow();
});
test('should allow if workflow creds are valid subset', async () => {
const ownerCred = await saveCredential(randomCred(), { user: owner });
const memberCred = await saveCredential(randomCred(), { user: member });
await Container.get(SharedCredentialsRepository).save(
Container.get(SharedCredentialsRepository).create({
projectId: (await getPersonalProject(member)).id,
credentialsId: ownerCred.id,
role: 'credential:user',
}),
);
const nodes: INode[] = [
{
id: uuid(),
name: 'Action Network',
type: 'n8n-nodes-base.actionNetwork',
parameters: {},
typeVersion: 1,
position: [0, 0],
credentials: {
actionNetworkApi: {
id: ownerCred.id,
name: ownerCred.name,
},
},
},
{
id: uuid(),
name: 'Action Network 2',
type: 'n8n-nodes-base.actionNetwork',
parameters: {},
typeVersion: 1,
position: [0, 0],
credentials: {
actionNetworkApi: {
id: memberCred.id,
name: memberCred.name,
},
},
},
];
const workflowEntity = await createWorkflow(nodes, member);
ownershipService.getWorkflowProjectCached.mockResolvedValueOnce(memberPersonalProject);
await expect(permissionChecker.check(workflowEntity.id, nodes)).resolves.not.toThrow();
});
test('should deny if workflow creds are not valid subset', async () => {
const memberCred = await saveCredential(randomCred(), { user: member });
const ownerCred = await saveCredential(randomCred(), { user: owner });
const nodes = [
{
id: uuid(),
name: 'Action Network',
type: 'n8n-nodes-base.actionNetwork',
parameters: {},
typeVersion: 1,
position: [0, 0] as [number, number],
credentials: {
actionNetworkApi: {
id: memberCred.id,
name: memberCred.name,
},
},
},
{
id: uuid(),
name: 'Action Network 2',
type: 'n8n-nodes-base.actionNetwork',
parameters: {},
typeVersion: 1,
position: [0, 0] as [number, number],
credentials: {
actionNetworkApi: {
id: ownerCred.id,
name: ownerCred.name,
},
},
},
];
const workflowEntity = await createWorkflow(nodes, member);
await expect(
permissionChecker.check(workflowEntity.id, workflowEntity.nodes),
).rejects.toThrow();
});
test('should allow all credentials if current user is instance owner', async () => {
const memberCred = await saveCredential(randomCred(), { user: member });
const ownerCred = await saveCredential(randomCred(), { user: owner });
const nodes = [
{
id: uuid(),
name: 'Action Network',
type: 'n8n-nodes-base.actionNetwork',
parameters: {},
typeVersion: 1,
position: [0, 0] as [number, number],
credentials: {
actionNetworkApi: {
id: memberCred.id,
name: memberCred.name,
},
},
},
{
id: uuid(),
name: 'Action Network 2',
type: 'n8n-nodes-base.actionNetwork',
parameters: {},
typeVersion: 1,
position: [0, 0] as [number, number],
credentials: {
actionNetworkApi: {
id: ownerCred.id,
name: ownerCred.name,
},
},
},
];
const workflowEntity = await createWorkflow(nodes, owner);
ownershipService.getWorkflowProjectCached.mockResolvedValueOnce(ownerPersonalProject);
ownershipService.getProjectOwnerCached.mockResolvedValueOnce(owner);
await expect(
permissionChecker.check(workflowEntity.id, workflowEntity.nodes),
).resolves.not.toThrow();
});
});