chore(core): Introduce license feature flag for custom roles (#19038)

packages/cli/test/integration/controllers/role.controller.test.ts

@@ -25,6 +25,8 @@ describe('RoleController', () => {
 
 	beforeEach(() => {
 		jest.clearAllMocks();
+		// Enable CUSTOM_ROLES license for all tests by default
+		testServer.license.enable('feat:customRoles');
 	});
 
 	afterEach(async () => {
@@ -626,4 +628,105 @@ describe('RoleController', () => {
 			expect(response.body).toEqual({ data: mockRole });
 		});
 	});
+
+	describe('License enforcement for @Licensed(LICENSE_FEATURES.CUSTOM_ROLES)', () => {
+		describe('POST /roles', () => {
+			it('should return 403 when CUSTOM_ROLES license is disabled', async () => {
+				//
+				// ARRANGE
+				//
+				testServer.license.disable('feat:customRoles');
+
+				const createRoleDto = {
+					displayName: 'Test Role',
+					roleType: 'project' as const,
+					scopes: ['workflow:read'],
+				};
+
+				//
+				// ACT & ASSERT
+				//
+				await ownerAgent.post('/roles').send(createRoleDto).expect(403);
+
+				// Verify service method was not called due to license check
+				expect(roleService.createCustomRole).not.toHaveBeenCalled();
+			});
+		});
+
+		describe('PATCH /roles/:slug', () => {
+			it('should return 403 when CUSTOM_ROLES license is disabled', async () => {
+				//
+				// ARRANGE
+				//
+				testServer.license.disable('feat:customRoles');
+
+				const roleSlug = 'project:test-role';
+				const updateRoleDto = {
+					displayName: 'Updated Role',
+					scopes: ['workflow:read', 'workflow:edit'],
+				};
+
+				//
+				// ACT & ASSERT
+				//
+				await ownerAgent.patch(`/roles/${roleSlug}`).send(updateRoleDto).expect(403);
+
+				// Verify service method was not called due to license check
+				expect(roleService.updateCustomRole).not.toHaveBeenCalled();
+			});
+		});
+
+		describe('DELETE /roles/:slug', () => {
+			it('should return 403 when CUSTOM_ROLES license is disabled', async () => {
+				//
+				// ARRANGE
+				//
+				testServer.license.disable('feat:customRoles');
+
+				const roleSlug = 'project:test-role';
+
+				//
+				// ACT & ASSERT
+				//
+				await ownerAgent.delete(`/roles/${roleSlug}`).expect(403);
+
+				// Verify service method was not called due to license check
+				expect(roleService.removeCustomRole).not.toHaveBeenCalled();
+			});
+		});
+
+		it('should allow non-licensed methods to work when CUSTOM_ROLES is disabled', async () => {
+			//
+			// ARRANGE
+			//
+			testServer.license.disable('feat:customRoles');
+
+			const mockRoles = [
+				{
+					slug: 'project:admin',
+					displayName: 'Project Admin',
+					description: 'Project administrator',
+					systemRole: true,
+					roleType: 'project' as const,
+					scopes: ['project:manage'],
+					licensed: true,
+				},
+			];
+
+			roleService.getAllRoles.mockResolvedValue(mockRoles);
+
+			//
+			// ACT & ASSERT
+			//
+			// GET /roles should work (no @Licensed decorator)
+			await ownerAgent.get('/roles').expect(200);
+			expect(roleService.getAllRoles).toHaveBeenCalledTimes(1);
+
+			// GET /roles/:slug should work (no @Licensed decorator)
+			const mockRole = mockRoles[0];
+			roleService.getRole.mockResolvedValue(mockRole);
+			await ownerAgent.get('/roles/project:admin').expect(200);
+			expect(roleService.getRole).toHaveBeenCalledTimes(1);
+		});
+	});
 });

packages/cli/test/integration/project.service.integration.test.ts

@@ -13,6 +13,7 @@ import { ProjectService } from '@/services/project.service.ee';
 import { LicenseMocker } from '@test-integration/license';
 
 import { createUser } from './shared/db/users';
+import { LicenseState } from '@n8n/backend-common';
 
 describe('ProjectService', () => {
 	let projectService: ProjectService;
@@ -26,6 +27,7 @@ describe('ProjectService', () => {
 
 		const license: LicenseMocker = new LicenseMocker();
 		license.mock(Container.get(License));
+		license.mockLicenseState(Container.get(LicenseState));
 		license.enable('feat:projectRole:editor');
 	});
 

packages/cli/test/integration/services/project.service.test.ts

@@ -1,3 +1,4 @@
+import { LicenseState } from '@n8n/backend-common';
 import { testDb } from '@n8n/backend-test-utils';
 import { ProjectRelationRepository, ProjectRepository } from '@n8n/db';
 import { Container } from '@n8n/di';
@@ -8,11 +9,11 @@ import { ProjectService } from '@/services/project.service.ee';
 import { createRole } from '@test-integration/db/roles';
 
 import { createMember } from '../shared/db/users';
+import { LicenseMocker } from '@test-integration/license';
 
 let projectRepository: ProjectRepository;
 let projectService: ProjectService;
 let projectRelationRepository: ProjectRelationRepository;
-let license: License;
 
 beforeAll(async () => {
 	await testDb.init();
@@ -20,7 +21,12 @@ beforeAll(async () => {
 	projectRepository = Container.get(ProjectRepository);
 	projectService = Container.get(ProjectService);
 	projectRelationRepository = Container.get(ProjectRelationRepository);
-	license = Container.get(License);
+	const license: LicenseMocker = new LicenseMocker();
+	license.mock(Container.get(License));
+	license.mockLicenseState(Container.get(LicenseState));
+	license.enable('feat:projectRole:editor');
+	license.enable('feat:projectRole:viewer');
+	license.enable('feat:customRoles');
 });
 
 afterAll(async () => {
@@ -287,7 +293,6 @@ describe('ProjectService', () => {
 					type: 'team',
 				}),
 			);
-			jest.spyOn(license, 'isProjectRoleEditorLicensed').mockReturnValue(true);
 
 			//
 			// ACT
@@ -342,7 +347,6 @@ describe('ProjectService', () => {
 					type: 'team',
 				}),
 			);
-			jest.spyOn(license, 'isProjectRoleEditorLicensed').mockReturnValue(true);
 
 			//
 			// ACT
@@ -371,7 +375,6 @@ describe('ProjectService', () => {
 					type: 'team',
 				}),
 			);
-			jest.spyOn(license, 'isProjectRoleEditorLicensed').mockReturnValue(true);
 
 			//
 			// ACT

packages/cli/test/integration/services/role.service.test.ts

@@ -1,4 +1,5 @@
 import type { CreateRoleDto, UpdateRoleDto } from '@n8n/api-types';
+import { LicenseState } from '@n8n/backend-common';
 import { testDb } from '@n8n/backend-test-utils';
 import { RoleRepository } from '@n8n/db';
 import { Container } from '@n8n/di';
@@ -21,6 +22,7 @@ import { createMember } from '../shared/db/users';
 let roleService: RoleService;
 let roleRepository: RoleRepository;
 let license: License;
+let licenseState: LicenseState;
 
 const ALL_ROLES_SET = ALL_ROLES.global.concat(
 	ALL_ROLES.project,
@@ -34,6 +36,8 @@ beforeAll(async () => {
 	roleService = Container.get(RoleService);
 	roleRepository = Container.get(RoleRepository);
 	license = Container.get(License);
+	licenseState = Container.get(LicenseState);
+	licenseState.setLicenseProvider(license);
 });
 
 afterAll(async () => {
@@ -504,30 +508,62 @@ describe('RoleService', () => {
 			{ role: 'project:editor', licenseMethod: 'isProjectRoleEditorLicensed' },
 			{ role: 'project:viewer', licenseMethod: 'isProjectRoleViewerLicensed' },
 			{ role: 'global:admin', licenseMethod: 'isAdvancedPermissionsLicensed' },
-		] as const)('should check license for built-in role $role', async ({ role, licenseMethod }) => {
-			//
-			// ARRANGE
-			//
-			const mockLicenseResult = Math.random() > 0.5; // Random boolean
-			jest.spyOn(license, licenseMethod).mockReturnValue(mockLicenseResult);
+		] as const)(
+			'should pass license check for built-in role $role',
+			async ({ role, licenseMethod }) => {
+				//
+				// ARRANGE
+				//
+				const mockLicenseResult = true;
+				jest.spyOn(licenseState, licenseMethod).mockReturnValue(mockLicenseResult);
 
-			//
-			// ACT
-			//
-			const result = roleService.isRoleLicensed(role);
+				//
+				// ACT
+				//
+				const result = roleService.isRoleLicensed(role);
 
-			//
-			// ASSERT
-			//
-			expect(result).toBe(mockLicenseResult);
-			expect(license[licenseMethod]).toHaveBeenCalledTimes(1);
-		});
+				//
+				// ASSERT
+				//
+				expect(result).toBe(mockLicenseResult);
+				expect(licenseState[licenseMethod]).toHaveBeenCalledTimes(1);
+			},
+		);
 
-		it('should return true for custom roles', async () => {
+		it.each([
+			{ role: 'project:admin', licenseMethod: 'isProjectRoleAdminLicensed' },
+			{ role: 'project:editor', licenseMethod: 'isProjectRoleEditorLicensed' },
+			{ role: 'project:viewer', licenseMethod: 'isProjectRoleViewerLicensed' },
+			{ role: 'global:admin', licenseMethod: 'isAdvancedPermissionsLicensed' },
+		] as const)(
+			'should fail license state check for built-in role $role',
+			async ({ role, licenseMethod }) => {
+				//
+				// ARRANGE
+				//
+				const mockLicenseResult = false;
+				jest.spyOn(licenseState, licenseMethod).mockReturnValue(mockLicenseResult);
+
+				//
+				// ACT
+				//
+				const result = roleService.isRoleLicensed(role);
+
+				//
+				// ASSERT
+				//
+				expect(result).toBe(mockLicenseResult);
+				expect(licenseState[licenseMethod]).toHaveBeenCalledTimes(1);
+			},
+		);
+
+		it('should return true for custom roles if licensed', async () => {
 			//
 			// ARRANGE
 			//
 			const customRoleSlug = 'custom:test-role';
+			const mockLicenseResult = true; // Random boolean
+			jest.spyOn(licenseState, 'isCustomRolesLicensed').mockReturnValue(mockLicenseResult);
 
 			//
 			// ACT
@@ -537,24 +573,28 @@ describe('RoleService', () => {
 			//
 			// ASSERT
 			//
-			expect(result).toBe(true);
+			expect(result).toBe(mockLicenseResult);
+			expect(licenseState.isCustomRolesLicensed).toHaveBeenCalledTimes(1);
 		});
 
-		it('should return true for unknown role types', async () => {
+		it('should return false for custom roles if not licensed', async () => {
 			//
 			// ARRANGE
 			//
-			const unknownRole = 'unknown:role' as any;
+			const customRoleSlug = 'custom:test-role';
+			const mockLicenseResult = false; // Random boolean
+			jest.spyOn(licenseState, 'isCustomRolesLicensed').mockReturnValue(mockLicenseResult);
 
 			//
 			// ACT
 			//
-			const result = roleService.isRoleLicensed(unknownRole);
+			const result = roleService.isRoleLicensed(customRoleSlug as any);
 
 			//
 			// ASSERT
 			//
-			expect(result).toBe(true);
+			expect(result).toBe(mockLicenseResult);
+			expect(licenseState.isCustomRolesLicensed).toHaveBeenCalledTimes(1);
 		});
 	});