mirror of
https://github.com/n8n-io/n8n.git
synced 2025-01-20 09:01:39 -08:00
138 lines
5.1 KiB
TypeScript
138 lines
5.1 KiB
TypeScript
import { type INodeTypes, Workflow } from 'n8n-workflow';
|
|
import { mock } from 'jest-mock-extended';
|
|
import type { User } from '@db/entities/User';
|
|
import type { UserRepository } from '@db/repositories/user.repository';
|
|
import type { SharedCredentialsRepository } from '@db/repositories/sharedCredentials.repository';
|
|
import type { SharedWorkflowRepository } from '@db/repositories/sharedWorkflow.repository';
|
|
import type { License } from '@/License';
|
|
import { PermissionChecker } from '@/UserManagement/PermissionChecker';
|
|
|
|
describe('PermissionChecker', () => {
|
|
const user = mock<User>();
|
|
const userRepo = mock<UserRepository>();
|
|
const sharedCredentialsRepo = mock<SharedCredentialsRepository>();
|
|
const sharedWorkflowRepo = mock<SharedWorkflowRepository>();
|
|
const license = mock<License>();
|
|
const permissionChecker = new PermissionChecker(
|
|
userRepo,
|
|
sharedCredentialsRepo,
|
|
sharedWorkflowRepo,
|
|
mock(),
|
|
license,
|
|
);
|
|
|
|
const workflow = new Workflow({
|
|
id: '1',
|
|
name: 'test',
|
|
active: false,
|
|
connections: {},
|
|
nodeTypes: mock<INodeTypes>(),
|
|
nodes: [
|
|
{
|
|
id: 'node-id',
|
|
name: 'HTTP Request',
|
|
type: 'n8n-nodes-base.httpRequest',
|
|
parameters: {},
|
|
typeVersion: 1,
|
|
position: [0, 0],
|
|
credentials: {
|
|
oAuth2Api: {
|
|
id: 'cred-id',
|
|
name: 'Custom oAuth2',
|
|
},
|
|
},
|
|
},
|
|
],
|
|
});
|
|
|
|
beforeEach(() => jest.clearAllMocks());
|
|
|
|
describe('check', () => {
|
|
it('should throw if no user is found', async () => {
|
|
userRepo.findOneOrFail.mockRejectedValue(new Error('Fail'));
|
|
await expect(permissionChecker.check(workflow, '123')).rejects.toThrow();
|
|
expect(license.isSharingEnabled).not.toHaveBeenCalled();
|
|
expect(sharedWorkflowRepo.getSharedUserIds).not.toBeCalled();
|
|
expect(sharedCredentialsRepo.getOwnedCredentialIds).not.toHaveBeenCalled();
|
|
expect(sharedCredentialsRepo.getAccessibleCredentialIds).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it('should allow a user if they have a global `workflow:execute` scope', async () => {
|
|
userRepo.findOneOrFail.mockResolvedValue(user);
|
|
user.hasGlobalScope.calledWith('workflow:execute').mockReturnValue(true);
|
|
await expect(permissionChecker.check(workflow, user.id)).resolves.not.toThrow();
|
|
expect(license.isSharingEnabled).not.toHaveBeenCalled();
|
|
expect(sharedWorkflowRepo.getSharedUserIds).not.toBeCalled();
|
|
expect(sharedCredentialsRepo.getOwnedCredentialIds).not.toHaveBeenCalled();
|
|
expect(sharedCredentialsRepo.getAccessibleCredentialIds).not.toHaveBeenCalled();
|
|
});
|
|
|
|
describe('When sharing is disabled', () => {
|
|
beforeEach(() => {
|
|
userRepo.findOneOrFail.mockResolvedValue(user);
|
|
user.hasGlobalScope.calledWith('workflow:execute').mockReturnValue(false);
|
|
license.isSharingEnabled.mockReturnValue(false);
|
|
});
|
|
|
|
it('should validate credential access using only owned credentials', async () => {
|
|
sharedCredentialsRepo.getOwnedCredentialIds.mockResolvedValue(['cred-id']);
|
|
|
|
await expect(permissionChecker.check(workflow, user.id)).resolves.not.toThrow();
|
|
|
|
expect(sharedWorkflowRepo.getSharedUserIds).not.toBeCalled();
|
|
expect(sharedCredentialsRepo.getOwnedCredentialIds).toBeCalledWith([user.id]);
|
|
expect(sharedCredentialsRepo.getAccessibleCredentialIds).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it('should throw when the user does not have access to the credential', async () => {
|
|
sharedCredentialsRepo.getOwnedCredentialIds.mockResolvedValue(['cred-id2']);
|
|
|
|
await expect(permissionChecker.check(workflow, user.id)).rejects.toThrow(
|
|
'Node has no access to credential',
|
|
);
|
|
|
|
expect(sharedWorkflowRepo.getSharedUserIds).not.toBeCalled();
|
|
expect(sharedCredentialsRepo.getOwnedCredentialIds).toBeCalledWith([user.id]);
|
|
expect(sharedCredentialsRepo.getAccessibleCredentialIds).not.toHaveBeenCalled();
|
|
});
|
|
});
|
|
|
|
describe('When sharing is enabled', () => {
|
|
beforeEach(() => {
|
|
userRepo.findOneOrFail.mockResolvedValue(user);
|
|
user.hasGlobalScope.calledWith('workflow:execute').mockReturnValue(false);
|
|
license.isSharingEnabled.mockReturnValue(true);
|
|
sharedWorkflowRepo.getSharedUserIds.mockResolvedValue([user.id, 'another-user']);
|
|
});
|
|
|
|
it('should validate credential access using only owned credentials', async () => {
|
|
sharedCredentialsRepo.getAccessibleCredentialIds.mockResolvedValue(['cred-id']);
|
|
|
|
await expect(permissionChecker.check(workflow, user.id)).resolves.not.toThrow();
|
|
|
|
expect(sharedWorkflowRepo.getSharedUserIds).toBeCalledWith(workflow.id);
|
|
expect(sharedCredentialsRepo.getAccessibleCredentialIds).toBeCalledWith([
|
|
user.id,
|
|
'another-user',
|
|
]);
|
|
expect(sharedCredentialsRepo.getOwnedCredentialIds).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it('should throw when the user does not have access to the credential', async () => {
|
|
sharedCredentialsRepo.getAccessibleCredentialIds.mockResolvedValue(['cred-id2']);
|
|
|
|
await expect(permissionChecker.check(workflow, user.id)).rejects.toThrow(
|
|
'Node has no access to credential',
|
|
);
|
|
|
|
expect(sharedWorkflowRepo.find).not.toBeCalled();
|
|
expect(sharedCredentialsRepo.getAccessibleCredentialIds).toBeCalledWith([
|
|
user.id,
|
|
'another-user',
|
|
]);
|
|
expect(sharedCredentialsRepo.getOwnedCredentialIds).not.toHaveBeenCalled();
|
|
});
|
|
});
|
|
});
|
|
});
|