n8n/packages/cli/test/integration/audit/credentials.risk.test.ts

import { v4 as uuid } from 'uuid';
import * as Db from '@/Db';
import config from '@/config';
import { audit } from '@/audit';
import { CREDENTIALS_REPORT } from '@/audit/constants';
import { getRiskSection } from './utils';
import * as testDb from '../shared/testDb';

let testDbName = '';

beforeAll(async () => {
	const initResult = await testDb.init();
	testDbName = initResult.testDbName;
});

beforeEach(async () => {
	await testDb.truncate(['Workflow', 'Credentials', 'Execution'], testDbName);
});

afterAll(async () => {
	await testDb.terminate(testDbName);
});

test('should report credentials not in any use', async () => {
	const credentialDetails = {
		name: 'My Slack Credential',
		data: 'U2FsdGVkX18WjITBG4IDqrGB1xE/uzVNjtwDAG3lP7E=',
		type: 'slackApi',
		nodesAccess: [{ nodeType: 'n8n-nodes-base.slack', date: '2022-12-21T11:23:00.561Z' }],
	};

	const workflowDetails = {
		name: 'My Test Workflow',
		active: false,
		connections: {},
		nodeTypes: {},
		nodes: [
			{
				id: uuid(),
				name: 'My Node',
				type: 'n8n-nodes-base.slack',
				typeVersion: 1,
				position: [0, 0] as [number, number],
			},
		],
	};

	await Promise.all([
		Db.collections.Credentials.save(credentialDetails),
		Db.collections.Workflow.save(workflowDetails),
	]);

	const testAudit = await audit(['credentials']);

	const section = getRiskSection(
		testAudit,
		CREDENTIALS_REPORT.RISK,
		CREDENTIALS_REPORT.SECTIONS.CREDS_NOT_IN_ANY_USE,
	);

	expect(section.location).toHaveLength(1);
	expect(section.location[0]).toMatchObject({
		id: '1',
		name: 'My Slack Credential',
	});
});

test('should report credentials not in active use', async () => {
	const credentialDetails = {
		name: 'My Slack Credential',
		data: 'U2FsdGVkX18WjITBG4IDqrGB1xE/uzVNjtwDAG3lP7E=',
		type: 'slackApi',
		nodesAccess: [{ nodeType: 'n8n-nodes-base.slack', date: '2022-12-21T11:23:00.561Z' }],
	};

	const credential = await Db.collections.Credentials.save(credentialDetails);

	const workflowDetails = {
		name: 'My Test Workflow',
		active: false,
		connections: {},
		nodeTypes: {},
		nodes: [
			{
				id: uuid(),
				name: 'My Node',
				type: 'n8n-nodes-base.slack',
				typeVersion: 1,
				position: [0, 0] as [number, number],
			},
		],
	};

	await Db.collections.Workflow.save(workflowDetails);

	const testAudit = await audit(['credentials']);

	const section = getRiskSection(
		testAudit,
		CREDENTIALS_REPORT.RISK,
		CREDENTIALS_REPORT.SECTIONS.CREDS_NOT_IN_ACTIVE_USE,
	);

	expect(section.location).toHaveLength(1);
	expect(section.location[0]).toMatchObject({
		id: credential.id,
		name: 'My Slack Credential',
	});
});

test('should report credential in not recently executed workflow', async () => {
	const credentialDetails = {
		name: 'My Slack Credential',
		data: 'U2FsdGVkX18WjITBG4IDqrGB1xE/uzVNjtwDAG3lP7E=',
		type: 'slackApi',
		nodesAccess: [{ nodeType: 'n8n-nodes-base.slack', date: '2022-12-21T11:23:00.561Z' }],
	};

	const credential = await Db.collections.Credentials.save(credentialDetails);

	const workflowDetails = {
		name: 'My Test Workflow',
		active: false,
		connections: {},
		nodeTypes: {},
		nodes: [
			{
				id: uuid(),
				name: 'My Node',
				type: 'n8n-nodes-base.slack',
				typeVersion: 1,
				position: [0, 0] as [number, number],
				credentials: {
					slackApi: {
						id: credential.id,
						name: credential.name,
					},
				},
			},
		],
	};

	const workflow = await Db.collections.Workflow.save(workflowDetails);

	const date = new Date();
	date.setDate(date.getDate() - config.getEnv('security.audit.daysAbandonedWorkflow') - 1);

	await Db.collections.Execution.save({
		data: '[]',
		finished: true,
		mode: 'manual',
		startedAt: date,
		stoppedAt: date,
		workflowData: workflow,
		workflowId: workflow.id,
		waitTill: null,
	});

	const testAudit = await audit(['credentials']);

	const section = getRiskSection(
		testAudit,
		CREDENTIALS_REPORT.RISK,
		CREDENTIALS_REPORT.SECTIONS.CREDS_NOT_RECENTLY_EXECUTED,
	);

	expect(section.location).toHaveLength(1);
	expect(section.location[0]).toMatchObject({
		id: credential.id,
		name: credential.name,
	});
});

test('should not report credentials in recently executed workflow', async () => {
	const credentialDetails = {
		name: 'My Slack Credential',
		data: 'U2FsdGVkX18WjITBG4IDqrGB1xE/uzVNjtwDAG3lP7E=',
		type: 'slackApi',
		nodesAccess: [{ nodeType: 'n8n-nodes-base.slack', date: '2022-12-21T11:23:00.561Z' }],
	};

	const credential = await Db.collections.Credentials.save(credentialDetails);

	const workflowDetails = {
		name: 'My Test Workflow',
		active: true,
		connections: {},
		nodeTypes: {},
		nodes: [
			{
				id: uuid(),
				name: 'My Node',
				type: 'n8n-nodes-base.slack',
				typeVersion: 1,
				position: [0, 0] as [number, number],
				credentials: {
					slackApi: {
						id: credential.id,
						name: credential.name,
					},
				},
			},
		],
	};

	const workflow = await Db.collections.Workflow.save(workflowDetails);

	const date = new Date();
	date.setDate(date.getDate() - config.getEnv('security.audit.daysAbandonedWorkflow') + 1);

	await Db.collections.Execution.save({
		data: '[]',
		finished: true,
		mode: 'manual',
		startedAt: date,
		stoppedAt: date,
		workflowData: workflow,
		workflowId: workflow.id,
		waitTill: null,
	});

	const testAudit = await audit(['credentials']);

	expect(testAudit).toBeEmptyArray();
});
feat(core): Security audit (#5034) * :sparkles: Implement security audit * :zap: Use logger * :test_tube: Fix test * :zap: Switch logger with stdout * :art: Set new logo * :zap: Fill out Public API schema * :pencil2: Fix typo * :zap: Break dependency cycle * :zap: Add security settings values * :test_tube: Test security settings * :zap: Add publicly accessible instance warning * :zap: Add metric to CLI command * :pencil2: Fix typo * :fire: Remove unneeded path alias * :blue_book: Add type import * :fire: Remove inferrable output type * :zap: Set description at correct level * :zap: Rename constant for consistency * :zap: Sort URLs * :zap: Rename local var * :zap: Shorten name * :pencil2: Improve phrasing * :zap: Improve naming * :zap: Fix casing * :pencil2: Add docline * :pencil2: Relocate comment * :zap: Add singular/plurals * :fire: Remove unneeded await * :pencil2: Improve test description * :zap: Optimize with sets * :zap: Adjust post master merge * :pencil2: Improve naming * :zap: Adjust in spy * :test_tube: Fix outdated instance test * :test_tube: Make diagnostics check consistent * :zap: Refactor `getAllExistingCreds` * :zap: Create helper `getNodeTypes` * :bug: Fix `InternalHooksManager` call * :truck: Rename `execution` to `nodes` risk * :zap: Add options to CLI command * :zap: Make days configurable * :revert: Undo changes to `BaseCommand` * :zap: Improve CLI command UX * :zap: Change no-report return value Empty array to trigger empty state on FE. * :zap: Add empty check to `reportInstanceRisk` * :test_tube: Extend Jest `expect` * :blue_book: Augment `jest.Matchers` * :test_tube: Set extend as setup file * :wrench: Override lint rule for `.d.ts` * :zap: Use new matcher * :zap: Update check * :blue_book: Improve typings * :zap: Adjust instance risk check * :pencil2: Rename `execution` → `nodes` in Public API schema * :pencil2: Add clarifying comment * :pencil2: Fix typo * :zap: Validate categories in CLI command * :pencil2: Improve naming * :pencil2: Make audit reference consistent * :blue_book: Fix typing * :zap: Use `finally` in CLI command 2023-01-05 04:28:40 -08:00			`import { v4 as uuid } from 'uuid';`
			`import * as Db from '@/Db';`
			`import config from '@/config';`
			`import { audit } from '@/audit';`
			`import { CREDENTIALS_REPORT } from '@/audit/constants';`
			`import { getRiskSection } from './utils';`
			`import * as testDb from '../shared/testDb';`

			`let testDbName = '';`

			`beforeAll(async () => {`
			`const initResult = await testDb.init();`
			`testDbName = initResult.testDbName;`
			`});`

			`beforeEach(async () => {`
			`await testDb.truncate(['Workflow', 'Credentials', 'Execution'], testDbName);`
			`});`

			`afterAll(async () => {`
			`await testDb.terminate(testDbName);`
			`});`

			`test('should report credentials not in any use', async () => {`
			`const credentialDetails = {`
			`name: 'My Slack Credential',`
			`data: 'U2FsdGVkX18WjITBG4IDqrGB1xE/uzVNjtwDAG3lP7E=',`
			`type: 'slackApi',`
			`nodesAccess: [{ nodeType: 'n8n-nodes-base.slack', date: '2022-12-21T11:23:00.561Z' }],`
			`};`

			`const workflowDetails = {`
			`name: 'My Test Workflow',`
			`active: false,`
			`connections: {},`
			`nodeTypes: {},`
			`nodes: [`
			`{`
			`id: uuid(),`
			`name: 'My Node',`
			`type: 'n8n-nodes-base.slack',`
			`typeVersion: 1,`
			`position: [0, 0] as [number, number],`
			`},`
			`],`
			`};`

			`await Promise.all([`
			`Db.collections.Credentials.save(credentialDetails),`
			`Db.collections.Workflow.save(workflowDetails),`
			`]);`

			`const testAudit = await audit(['credentials']);`

			`const section = getRiskSection(`
			`testAudit,`
			`CREDENTIALS_REPORT.RISK,`
			`CREDENTIALS_REPORT.SECTIONS.CREDS_NOT_IN_ANY_USE,`
			`);`

			`expect(section.location).toHaveLength(1);`
			`expect(section.location[0]).toMatchObject({`
			`id: '1',`
			`name: 'My Slack Credential',`
			`});`
			`});`

			`test('should report credentials not in active use', async () => {`
			`const credentialDetails = {`
			`name: 'My Slack Credential',`
			`data: 'U2FsdGVkX18WjITBG4IDqrGB1xE/uzVNjtwDAG3lP7E=',`
			`type: 'slackApi',`
			`nodesAccess: [{ nodeType: 'n8n-nodes-base.slack', date: '2022-12-21T11:23:00.561Z' }],`
			`};`

			`const credential = await Db.collections.Credentials.save(credentialDetails);`

			`const workflowDetails = {`
			`name: 'My Test Workflow',`
			`active: false,`
			`connections: {},`
			`nodeTypes: {},`
			`nodes: [`
			`{`
			`id: uuid(),`
			`name: 'My Node',`
			`type: 'n8n-nodes-base.slack',`
			`typeVersion: 1,`
			`position: [0, 0] as [number, number],`
			`},`
			`],`
			`};`

			`await Db.collections.Workflow.save(workflowDetails);`

			`const testAudit = await audit(['credentials']);`

			`const section = getRiskSection(`
			`testAudit,`
			`CREDENTIALS_REPORT.RISK,`
			`CREDENTIALS_REPORT.SECTIONS.CREDS_NOT_IN_ACTIVE_USE,`
			`);`

			`expect(section.location).toHaveLength(1);`
			`expect(section.location[0]).toMatchObject({`
			`id: credential.id,`
			`name: 'My Slack Credential',`
			`});`
			`});`

			`test('should report credential in not recently executed workflow', async () => {`
			`const credentialDetails = {`
			`name: 'My Slack Credential',`
			`data: 'U2FsdGVkX18WjITBG4IDqrGB1xE/uzVNjtwDAG3lP7E=',`
			`type: 'slackApi',`
			`nodesAccess: [{ nodeType: 'n8n-nodes-base.slack', date: '2022-12-21T11:23:00.561Z' }],`
			`};`

			`const credential = await Db.collections.Credentials.save(credentialDetails);`

			`const workflowDetails = {`
			`name: 'My Test Workflow',`
			`active: false,`
			`connections: {},`
			`nodeTypes: {},`
			`nodes: [`
			`{`
			`id: uuid(),`
			`name: 'My Node',`
			`type: 'n8n-nodes-base.slack',`
			`typeVersion: 1,`
			`position: [0, 0] as [number, number],`
			`credentials: {`
			`slackApi: {`
			`id: credential.id,`
			`name: credential.name,`
			`},`
			`},`
			`},`
			`],`
			`};`

			`const workflow = await Db.collections.Workflow.save(workflowDetails);`

			`const date = new Date();`
			`date.setDate(date.getDate() - config.getEnv('security.audit.daysAbandonedWorkflow') - 1);`

			`await Db.collections.Execution.save({`
			`data: '[]',`
			`finished: true,`
			`mode: 'manual',`
			`startedAt: date,`
			`stoppedAt: date,`
			`workflowData: workflow,`
			`workflowId: workflow.id,`
			`waitTill: null,`
			`});`

			`const testAudit = await audit(['credentials']);`

			`const section = getRiskSection(`
			`testAudit,`
			`CREDENTIALS_REPORT.RISK,`
			`CREDENTIALS_REPORT.SECTIONS.CREDS_NOT_RECENTLY_EXECUTED,`
			`);`

			`expect(section.location).toHaveLength(1);`
			`expect(section.location[0]).toMatchObject({`
			`id: credential.id,`
			`name: credential.name,`
			`});`
			`});`

			`test('should not report credentials in recently executed workflow', async () => {`
			`const credentialDetails = {`
			`name: 'My Slack Credential',`
			`data: 'U2FsdGVkX18WjITBG4IDqrGB1xE/uzVNjtwDAG3lP7E=',`
			`type: 'slackApi',`
			`nodesAccess: [{ nodeType: 'n8n-nodes-base.slack', date: '2022-12-21T11:23:00.561Z' }],`
			`};`

			`const credential = await Db.collections.Credentials.save(credentialDetails);`

			`const workflowDetails = {`
			`name: 'My Test Workflow',`
			`active: true,`
			`connections: {},`
			`nodeTypes: {},`
			`nodes: [`
			`{`
			`id: uuid(),`
			`name: 'My Node',`
			`type: 'n8n-nodes-base.slack',`
			`typeVersion: 1,`
			`position: [0, 0] as [number, number],`
			`credentials: {`
			`slackApi: {`
			`id: credential.id,`
			`name: credential.name,`
			`},`
			`},`
			`},`
			`],`
			`};`

			`const workflow = await Db.collections.Workflow.save(workflowDetails);`

			`const date = new Date();`
			`date.setDate(date.getDate() - config.getEnv('security.audit.daysAbandonedWorkflow') + 1);`

			`await Db.collections.Execution.save({`
			`data: '[]',`
			`finished: true,`
			`mode: 'manual',`
			`startedAt: date,`
			`stoppedAt: date,`
			`workflowData: workflow,`
			`workflowId: workflow.id,`
			`waitTill: null,`
			`});`

			`const testAudit = await audit(['credentials']);`

			`expect(testAudit).toBeEmptyArray();`
			`});`