chore(core): Expose owner information for environment changes (#16466)

Co-authored-by: Guillaume Jacquart <jacquart.guillaume@gmail.com>

packages/@n8n/api-types/src/schemas/source-controlled-file.schema.ts

@@ -19,6 +19,12 @@ export const SOURCE_CONTROL_FILE_STATUS = FileStatusSchema.Values;
 const FileLocationSchema = z.enum(['local', 'remote']);
 export const SOURCE_CONTROL_FILE_LOCATION = FileLocationSchema.Values;
 
+const ResourceOwnerSchema = z.object({
+	type: z.enum(['personal', 'team']),
+	projectId: z.string(),
+	projectName: z.string(),
+});
+
 export const SourceControlledFileSchema = z.object({
 	file: z.string(),
 	id: z.string(),
@@ -29,6 +35,7 @@ export const SourceControlledFileSchema = z.object({
 	conflict: z.boolean(),
 	updatedAt: z.string(),
 	pushed: z.boolean().optional(),
+	owner: ResourceOwnerSchema.optional(), // Resource owner can be a personal email or team information
 });
 
 export type SourceControlledFile = z.infer<typeof SourceControlledFileSchema>;

packages/cli/src/environments.ee/source-control/__tests__/source-control-import.service.ee.test.ts

@@ -66,9 +66,14 @@ describe('SourceControlImportService', () => {
 				id: 'workflow1',
 				versionId: 'v1',
 				name: 'Test Workflow',
+				owner: {
+					type: 'personal',
+					personalEmail: 'email@email.com',
+				},
 			};
 
 			fsReadFile.mockResolvedValue(JSON.stringify(mockWorkflowData));
+			sourceControlScopedService.getAdminProjectsFromContext.mockResolvedValueOnce([]);
 
 			const result = await service.getRemoteVersionIdsFromFiles(globalAdminContext);
 			expect(fsReadFile).toHaveBeenCalledWith(mockWorkflowFile, { encoding: 'utf8' });

packages/cli/src/environments.ee/source-control/__tests__/source-control.service.test.ts

@@ -14,7 +14,7 @@ import { SourceControlService } from '@/environments.ee/source-control/source-co
 import { ForbiddenError } from '@/errors/response-errors/forbidden.error';
 
 import type { SourceControlImportService } from '../source-control-import.service.ee';
-import type { ExportableCredential } from '../types/exportable-credential';
+import type { StatusExportableCredential } from '../types/exportable-credential';
 import type { SourceControlWorkflowVersionId } from '../types/source-control-workflow-version-id';
 
 describe('SourceControlService', () => {
@@ -157,7 +157,7 @@ describe('SourceControlService', () => {
 			// Pushing this is conflict free.
 			sourceControlImportService.getRemoteCredentialsFromFiles.mockResolvedValue([]);
 			sourceControlImportService.getLocalCredentialsFromDb.mockResolvedValue([
-				mock<ExportableCredential & { filename: string }>(),
+				mock<StatusExportableCredential>(),
 			]);
 
 			// Define a variable that does only exist locally.

packages/cli/src/environments.ee/source-control/source-control-export.service.ee.ts

@@ -40,7 +40,7 @@ import { SourceControlScopedService } from './source-control-scoped.service';
 import type { ExportResult } from './types/export-result';
 import type { ExportableCredential } from './types/exportable-credential';
 import type { ExportableWorkflow } from './types/exportable-workflow';
-import type { ResourceOwner } from './types/resource-owner';
+import type { RemoteResourceOwner } from './types/resource-owner';
 import type { SourceControlContext } from './types/source-control-context';
 import { VariablesService } from '../variables/variables.service.ee';
 
@@ -99,7 +99,7 @@ export class SourceControlExportService {
 
 	private async writeExportableWorkflowsToExportFolder(
 		workflowsToBeExported: IWorkflowDb[],
-		owners: Record<string, ResourceOwner>,
+		owners: Record<string, RemoteResourceOwner>,
 	) {
 		await Promise.all(
 			workflowsToBeExported.map(async (e) => {
@@ -133,7 +133,7 @@ export class SourceControlExportService {
 			});
 
 			// determine owner of each workflow to be exported
-			const owners: Record<string, ResourceOwner> = {};
+			const owners: Record<string, RemoteResourceOwner> = {};
 			sharedWorkflows.forEach((sharedWorkflow) => {
 				const project = sharedWorkflow.project;
 
@@ -154,6 +154,8 @@ export class SourceControlExportService {
 					}
 					owners[sharedWorkflow.workflowId] = {
 						type: 'personal',
+						projectId: project.id,
+						projectName: project.name,
 						personalEmail: ownerRelation.user.email,
 					};
 				} else if (project.type === 'team') {
@@ -256,12 +258,11 @@ export class SourceControlExportService {
 
 			// keep all folders that are not accessible by the current user
 			// if allowedProjects is undefined, all folders are accessible by the current user
-			const foldersToKeepUnchanged =
+			const foldersToKeepUnchanged = context.hasAccessToAllProjects()
-				allowedProjects === undefined
+				? existingFolders.folders
-					? []
+				: existingFolders.folders.filter((folder) => {
-					: existingFolders.folders.filter((folder) => {
+						return !allowedProjects.some((project) => project.id === folder.homeProjectId);
-							return !allowedProjects.some((project) => project.id === folder.homeProjectId);
+					});
-						});
 
 			const newFolders = foldersToKeepUnchanged.concat(
 				...folders.map((f) => ({
@@ -402,7 +403,7 @@ export class SourceControlExportService {
 					const { name, type, data, id } = sharing.credentials;
 					const credentials = new Credentials({ id, name }, type, data);
 
-					let owner: ResourceOwner | null = null;
+					let owner: RemoteResourceOwner | null = null;
 					if (sharing.project.type === 'personal') {
 						const ownerRelation = sharing.project.projectRelations.find(
 							(pr) => pr.role === 'project:personalOwner',
@@ -410,6 +411,8 @@ export class SourceControlExportService {
 						if (ownerRelation) {
 							owner = {
 								type: 'personal',
+								projectId: sharing.project.id,
+								projectName: sharing.project.name,
 								personalEmail: ownerRelation.user.email,
 							};
 						}

packages/cli/src/environments.ee/source-control/source-control-import.service.ee.ts

@@ -41,14 +41,67 @@ import {
 } from './constants';
 import { getCredentialExportPath, getWorkflowExportPath } from './source-control-helper.ee';
 import { SourceControlScopedService } from './source-control-scoped.service';
-import type { ExportableCredential } from './types/exportable-credential';
+import type {
+	ExportableCredential,
+	StatusExportableCredential,
+} from './types/exportable-credential';
 import type { ExportableFolder } from './types/exportable-folders';
 import type { ExportableTags } from './types/exportable-tags';
-import type { ResourceOwner } from './types/resource-owner';
+import type { StatusResourceOwner, RemoteResourceOwner } from './types/resource-owner';
 import type { SourceControlContext } from './types/source-control-context';
 import type { SourceControlWorkflowVersionId } from './types/source-control-workflow-version-id';
 import { VariablesService } from '../variables/variables.service.ee';
 
+const findOwnerProject = (
+	owner: RemoteResourceOwner,
+	accessibleProjects: Project[],
+): Project | undefined => {
+	if (typeof owner === 'string') {
+		return accessibleProjects.find((project) =>
+			project.projectRelations.some(
+				(r) => r.role === 'project:personalOwner' && r.user.email === owner,
+			),
+		);
+	}
+	if (owner.type === 'personal') {
+		return accessibleProjects.find(
+			(project) =>
+				project.type === 'personal' &&
+				project.projectRelations.some(
+					(r) => r.role === 'project:personalOwner' && r.user.email === owner.personalEmail,
+				),
+		);
+	}
+	return accessibleProjects.find(
+		(project) => project.type === 'team' && project.id === owner.teamId,
+	);
+};
+
+const getOwnerFromProject = (remoteOwnerProject: Project): StatusResourceOwner | undefined => {
+	let owner: StatusResourceOwner | undefined = undefined;
+
+	if (remoteOwnerProject?.type === 'personal') {
+		const personalEmail = remoteOwnerProject.projectRelations?.find(
+			(r) => r.role === 'project:personalOwner',
+		)?.user?.email;
+
+		if (personalEmail) {
+			owner = {
+				type: 'personal',
+				projectId: remoteOwnerProject.id,
+				projectName: remoteOwnerProject.name,
+			};
+		}
+	} else if (remoteOwnerProject?.type === 'team') {
+		owner = {
+			type: 'team',
+			projectId: remoteOwnerProject.id,
+			projectName: remoteOwnerProject.name,
+		};
+	}
+	return owner;
+};
+
 @Service()
 export class SourceControlImportService {
 	private gitFolder: string;
@@ -109,26 +162,21 @@ export class SourceControlImportService {
 				if (!remote?.id) {
 					return false;
 				}
-				if (Array.isArray(accessibleProjects)) {
+				return (
-					const owner = remote.owner;
+					context.hasAccessToAllProjects() || findOwnerProject(remote.owner, accessibleProjects)
-					// The workflow `remote` belongs not to a project, that the context has access to
+				);
-					return (
-						typeof owner === 'object' &&
-						owner?.type === 'team' &&
-						accessibleProjects.some((project) => project.id === owner.teamId)
-					);
-				}
-				return true;
 			})
 			.map((remote) => {
+				const project = findOwnerProject(remote.owner, accessibleProjects);
 				return {
 					id: remote.id,
-					versionId: remote.versionId,
+					versionId: remote.versionId ?? '',
 					name: remote.name,
 					parentFolderId: remote.parentFolderId,
 					remoteId: remote.id,
 					filename: getWorkflowExportPath(remote.id, this.workflowExportFolder),
-				} as SourceControlWorkflowVersionId;
+					owner: project ? getOwnerFromProject(project) : undefined,
+				};
 			});
 
 		return remoteWorkflowFilesParsed;
@@ -178,6 +226,13 @@ export class SourceControlImportService {
 		const localWorkflows = await this.workflowRepository.find({
 			relations: {
 				parentFolder: true,
+				shared: {
+					project: {
+						projectRelations: {
+							user: true,
+						},
+					},
+				},
 			},
 			select: {
 				id: true,
@@ -187,9 +242,24 @@ export class SourceControlImportService {
 				parentFolder: {
 					id: true,
 				},
+				shared: {
+					project: {
+						id: true,
+						name: true,
+						type: true,
+						projectRelations: {
+							role: true,
+							user: {
+								email: true,
+							},
+						},
+					},
+					role: true,
+				},
 			},
 			where: this.sourceControlScopedService.getWorkflowsInAdminProjectsFromContextFilter(context),
 		});
+
 		return localWorkflows.map((local) => {
 			let updatedAt: Date;
 			if (local.updatedAt instanceof Date) {
@@ -203,6 +273,8 @@ export class SourceControlImportService {
 				});
 				updatedAt = isNaN(Date.parse(local.updatedAt)) ? new Date() : new Date(local.updatedAt);
 			}
+			const remoteOwnerProject = local.shared?.find((s) => s.role === 'workflow:owner')?.project;
+
 			return {
 				id: local.id,
 				versionId: local.versionId,
@@ -211,13 +283,14 @@ export class SourceControlImportService {
 				parentFolderId: local.parentFolder?.id ?? null,
 				filename: getWorkflowExportPath(local.id, this.workflowExportFolder),
 				updatedAt: updatedAt.toISOString(),
+				owner: remoteOwnerProject ? getOwnerFromProject(remoteOwnerProject) : undefined,
 			};
-		}) as SourceControlWorkflowVersionId[];
+		});
 	}
 
 	async getRemoteCredentialsFromFiles(
 		context: SourceControlContext,
-	): Promise<Array<ExportableCredential & { filename: string }>> {
+	): Promise<StatusExportableCredential[]> {
 		const remoteCredentialFiles = await glob('*.json', {
 			cwd: this.credentialExportFolder,
 			absolute: true,
@@ -241,43 +314,79 @@ export class SourceControlImportService {
 				if (!remote?.id) {
 					return false;
 				}
-				if (Array.isArray(accessibleProjects)) {
+				const owner = remote.ownedBy;
-					const owner = remote.ownedBy;
+				// The credential `remote` belongs not to a project, that the context has access to
-					// The credential `remote` belongs not to a project, that the context has access to
+				return (
-					return (
+					!owner || context.hasAccessToAllProjects() || findOwnerProject(owner, accessibleProjects)
-						typeof owner === 'object' &&
+				);
-						owner?.type === 'team' &&
-						accessibleProjects.some((project) => project.id === owner.teamId)
-					);
-				}
-				return true;
 			})
 			.map((remote) => {
+				const project = remote.ownedBy
+					? findOwnerProject(remote.ownedBy, accessibleProjects)
+					: null;
 				return {
 					...remote,
+					ownedBy: project
+						? {
+								type: project.type,
+								projectId: project.id,
+								projectName: project.name,
+							}
+						: undefined,
 					filename: getCredentialExportPath(remote.id, this.credentialExportFolder),
 				};
 			});
 
-		return remoteCredentialFilesParsed.filter((e) => e !== undefined) as Array<
+		return remoteCredentialFilesParsed.filter(
-			ExportableCredential & { filename: string }
+			(e) => e !== undefined,
-		>;
+		) as StatusExportableCredential[];
 	}
 
 	async getLocalCredentialsFromDb(
 		context: SourceControlContext,
-	): Promise<Array<ExportableCredential & { filename: string }>> {
+	): Promise<StatusExportableCredential[]> {
 		const localCredentials = await this.credentialsRepository.find({
-			select: ['id', 'name', 'type'],
+			relations: {
+				shared: {
+					project: {
+						projectRelations: {
+							user: true,
+						},
+					},
+				},
+			},
+			select: {
+				id: true,
+				name: true,
+				type: true,
+				shared: {
+					project: {
+						id: true,
+						name: true,
+						type: true,
+						projectRelations: {
+							role: true,
+							user: {
+								email: true,
+							},
+						},
+					},
+					role: true,
+				},
+			},
 			where:
 				this.sourceControlScopedService.getCredentialsInAdminProjectsFromContextFilter(context),
 		});
-		return localCredentials.map((local) => ({
+		return localCredentials.map((local) => {
-			id: local.id,
+			const remoteOwnerProject = local.shared?.find((s) => s.role === 'credential:owner')?.project;
-			name: local.name,
+			return {
-			type: local.type,
+				id: local.id,
-			filename: getCredentialExportPath(local.id, this.credentialExportFolder),
+				name: local.name,
-		})) as Array<ExportableCredential & { filename: string }>;
+				type: local.type,
+				filename: getCredentialExportPath(local.id, this.credentialExportFolder),
+				ownedBy: remoteOwnerProject ? getOwnerFromProject(remoteOwnerProject) : undefined,
+			};
+		}) as StatusExportableCredential[];
 	}
 
 	async getRemoteVariablesFromFile(): Promise<Variables[]> {
@@ -316,11 +425,11 @@ export class SourceControlImportService {
 			const accessibleProjects =
 				await this.sourceControlScopedService.getAdminProjectsFromContext(context);
 
-			if (Array.isArray(accessibleProjects)) {
+			mappedFolders.folders = mappedFolders.folders.filter(
-				mappedFolders.folders = mappedFolders.folders.filter((folder) =>
+				(folder) =>
+					context.hasAccessToAllProjects() ||
 					accessibleProjects.some((project) => project.id === folder.homeProjectId),
-				);
+			);
-			}
 
 			return mappedFolders;
 		}
@@ -796,7 +905,7 @@ export class SourceControlImportService {
 		}
 	}
 
-	private async findOrCreateOwnerProject(owner: ResourceOwner): Promise<Project | null> {
+	private async findOrCreateOwnerProject(owner: RemoteResourceOwner): Promise<Project | null> {
 		if (typeof owner === 'string' || owner.type === 'personal') {
 			const email = typeof owner === 'string' ? owner : owner.personalEmail;
 			const user = await this.userRepository.findOne({
@@ -834,7 +943,7 @@ export class SourceControlImportService {
 
 		assertNever(owner);
 
-		const errorOwner = owner as ResourceOwner;
+		const errorOwner = owner as RemoteResourceOwner;
 		throw new UnexpectedError(
 			`Unknown resource owner type "${
 				typeof errorOwner !== 'string' ? errorOwner.type : 'UNKNOWN'

packages/cli/src/environments.ee/source-control/source-control-scoped.service.ts

@@ -37,19 +37,28 @@ export class SourceControlScopedService {
 		}
 	}
 
-	async getAdminProjectsFromContext(context: SourceControlContext): Promise<Project[] | undefined> {
+	async getAdminProjectsFromContext(context: SourceControlContext): Promise<Project[]> {
 		if (context.hasAccessToAllProjects()) {
 			// In case the user is a global admin or owner, we don't need a filter
-			return;
+			return await this.projectRepository.find({
+				relations: {
+					projectRelations: {
+						user: true,
+					},
+				},
+			});
 		}
 
 		return await this.projectRepository.find({
 			relations: {
-				projectRelations: true,
+				projectRelations: {
+					user: true,
+				},
 			},
 			select: {
 				id: true,
 				name: true,
+				type: true,
 			},
 			where: this.getAdminProjectsByContextFilter(context),
 		});

packages/cli/src/environments.ee/source-control/source-control.service.ee.ts

@@ -42,7 +42,7 @@ import {
 } from './source-control-helper.ee';
 import { SourceControlImportService } from './source-control-import.service.ee';
 import { SourceControlPreferencesService } from './source-control-preferences.service.ee';
-import type { ExportableCredential } from './types/exportable-credential';
+import type { StatusExportableCredential } from './types/exportable-credential';
 import type { ExportableFolder } from './types/exportable-folders';
 import type { ImportResult } from './types/import-result';
 import { SourceControlContext } from './types/source-control-context';
@@ -663,6 +663,7 @@ export class SourceControlService {
 				conflict: false,
 				file: item.filename,
 				updatedAt: item.updatedAt ?? new Date().toISOString(),
+				owner: item.owner,
 			});
 		});
 
@@ -676,6 +677,7 @@ export class SourceControlService {
 				conflict: options.direction === 'push' ? false : true,
 				file: item.filename,
 				updatedAt: item.updatedAt ?? new Date().toISOString(),
+				owner: item.owner,
 			});
 		});
 
@@ -689,6 +691,7 @@ export class SourceControlService {
 				conflict: true,
 				file: item.filename,
 				updatedAt: item.updatedAt ?? new Date().toISOString(),
+				owner: item.owner,
 			});
 		});
 
@@ -719,11 +722,7 @@ export class SourceControlService {
 		);
 
 		// only compares the name, since that is the only change synced for credentials
-		const credModifiedInEither: Array<
+		const credModifiedInEither: StatusExportableCredential[] = [];
-			ExportableCredential & {
-				filename: string;
-			}
-		> = [];
 		credLocalIds.forEach((local) => {
 			const mismatchingCreds = credRemoteIds.find((remote) => {
 				return remote.id === local.id && (remote.name !== local.name || remote.type !== local.type);
@@ -746,6 +745,7 @@ export class SourceControlService {
 				conflict: false,
 				file: item.filename,
 				updatedAt: new Date().toISOString(),
+				owner: item.ownedBy,
 			});
 		});
 
@@ -759,6 +759,7 @@ export class SourceControlService {
 				conflict: options.direction === 'push' ? false : true,
 				file: item.filename,
 				updatedAt: new Date().toISOString(),
+				owner: item.ownedBy,
 			});
 		});
 
@@ -772,6 +773,7 @@ export class SourceControlService {
 				conflict: true,
 				file: item.filename,
 				updatedAt: new Date().toISOString(),
+				owner: item.ownedBy,
 			});
 		});
 		return {

packages/cli/src/environments.ee/source-control/types/exportable-credential.ts

@@ -1,6 +1,6 @@
 import type { ICredentialDataDecryptedObject } from 'n8n-workflow';
 
-import type { ResourceOwner } from './resource-owner';
+import type { RemoteResourceOwner, StatusResourceOwner } from './resource-owner';
 
 export interface ExportableCredential {
 	id: string;
@@ -12,5 +12,10 @@ export interface ExportableCredential {
 	 * Email of the user who owns this credential at the source instance.
 	 * Ownership is mirrored at target instance if user is also present there.
 	 */
-	ownedBy: ResourceOwner | null;
+	ownedBy: RemoteResourceOwner | null;
 }
+
+export type StatusExportableCredential = ExportableCredential & {
+	filename: string;
+	ownedBy?: StatusResourceOwner;
+};

packages/cli/src/environments.ee/source-control/types/exportable-workflow.ts

@@ -1,6 +1,6 @@
 import type { INode, IConnections, IWorkflowSettings } from 'n8n-workflow';
 
-import type { ResourceOwner } from './resource-owner';
+import type { RemoteResourceOwner } from './resource-owner';
 
 export interface ExportableWorkflow {
 	id: string;
@@ -10,7 +10,7 @@ export interface ExportableWorkflow {
 	settings?: IWorkflowSettings;
 	triggerCount: number;
 	versionId?: string;
-	owner: ResourceOwner;
+	owner: RemoteResourceOwner;
 	parentFolderId: string | null;
 	isArchived: boolean;
 }

packages/cli/src/environments.ee/source-control/types/resource-owner.ts

@@ -1,7 +1,9 @@
-export type ResourceOwner =
+export type RemoteResourceOwner =
 	| string
 	| {
 			type: 'personal';
+			projectId?: string; // Optional for retrocompatibility
+			projectName?: string; // Optional for retrocompatibility
 			personalEmail: string;
 	  }
 	| {
@@ -9,3 +11,9 @@ export type ResourceOwner =
 			teamId: string;
 			teamName: string;
 	  };
+
+export type StatusResourceOwner = {
+	type: 'personal' | 'team';
+	projectId: string;
+	projectName: string;
+};

packages/cli/src/environments.ee/source-control/types/source-control-workflow-version-id.ts

@@ -1,3 +1,5 @@
+import type { StatusResourceOwner } from './resource-owner';
+
 export interface SourceControlWorkflowVersionId {
 	id: string;
 	versionId: string;
@@ -7,4 +9,5 @@ export interface SourceControlWorkflowVersionId {
 	remoteId?: string;
 	parentFolderId: string | null;
 	updatedAt?: string;
+	owner?: StatusResourceOwner;
 }

packages/cli/test/integration/environments/source-control.service.test.ts

@@ -30,7 +30,7 @@ import { SourceControlService } from '@/environments.ee/source-control/source-co
 import type { ExportableCredential } from '@/environments.ee/source-control/types/exportable-credential';
 import type { ExportableFolder } from '@/environments.ee/source-control/types/exportable-folders';
 import type { ExportableWorkflow } from '@/environments.ee/source-control/types/exportable-workflow';
-import type { ResourceOwner } from '@/environments.ee/source-control/types/resource-owner';
+import type { RemoteResourceOwner } from '@/environments.ee/source-control/types/resource-owner';
 import { BadRequestError } from '@/errors/response-errors/bad-request.error';
 import { ForbiddenError } from '@/errors/response-errors/forbidden.error';
 import { EventService } from '@/events/event.service';
@@ -68,7 +68,7 @@ function toExportableCredential(
 	cred: CredentialsEntity,
 	owner: Project | User,
 ): ExportableCredential {
-	let resourceOwner: ResourceOwner;
+	let resourceOwner: RemoteResourceOwner;
 
 	if (owner instanceof Project) {
 		resourceOwner = {
@@ -97,7 +97,7 @@ function toExportableWorkflow(
 	owner: Project | User,
 	versionId?: string,
 ): ExportableWorkflow {
-	let resourceOwner: ResourceOwner;
+	let resourceOwner: RemoteResourceOwner;
 
 	if (owner instanceof Project) {
 		resourceOwner = {