feat: RBAC (#8922)

Signed-off-by: Oleg Ivaniv <me@olegivaniv.com> Co-authored-by: Val <68596159+valya@users.noreply.github.com> Co-authored-by: कारतोफ्फेलस्क्रिप्ट™ <aditya@netroy.in> Co-authored-by: Valya Bullions <valya@n8n.io> Co-authored-by: Danny Martini <danny@n8n.io> Co-authored-by: Danny Martini <despair.blue@gmail.com> Co-authored-by: Iván Ovejero <ivov.src@gmail.com> Co-authored-by: Omar Ajoue <krynble@gmail.com> Co-authored-by: oleg <me@olegivaniv.com> Co-authored-by: Michael Kret <michael.k@radency.com> Co-authored-by: Michael Kret <88898367+michael-radency@users.noreply.github.com> Co-authored-by: Elias Meire <elias@meire.dev> Co-authored-by: Giulio Andreini <andreini@netseven.it> Co-authored-by: Giulio Andreini <g.andreini@gmail.com> Co-authored-by: Ayato Hayashi <go12limchangyong@gmail.com>
2025-12-17 10:02:05 +00:00 · 2024-05-17 10:53:15 +02:00
parent b1f977ebd0
commit 596c472ecc
292 changed files with 14129 additions and 3989 deletions
--- a/packages/cli/test/integration/commands/credentials.cmd.test.ts
+++ b/packages/cli/test/integration/commands/credentials.cmd.test.ts
@@ -8,6 +8,8 @@ import { mockInstance } from '../../shared/mocking';
 import * as testDb from '../shared/testDb';
 import { getAllCredentials, getAllSharedCredentials } from '../shared/db/credentials';
 import { createMember, createOwner } from '../shared/db/users';
+import { getPersonalProject } from '../shared/db/projects';
+import { nanoid } from 'nanoid';

 const oclifConfig = new Config({ root: __dirname });

@@ -36,6 +38,7 @@ test('import:credentials should import a credential', async () => {
 	// ARRANGE
 	//
 	const owner = await createOwner();
+	const ownerProject = await getPersonalProject(owner);

 	//
 	// ACT
@@ -54,7 +57,11 @@ test('import:credentials should import a credential', async () => {
 	expect(after).toMatchObject({
 		credentials: [expect.objectContaining({ id: '123', name: 'cred-aws-test' })],
 		sharings: [
-			expect.objectContaining({ credentialsId: '123', userId: owner.id, role: 'credential:owner' }),
+			expect.objectContaining({
+				credentialsId: '123',
+				projectId: ownerProject.id,
+				role: 'credential:owner',
+			}),
 		],
 	});
 });
@@ -64,6 +71,7 @@ test('import:credentials should import a credential from separated files', async
 	// ARRANGE
 	//
 	const owner = await createOwner();
+	const ownerProject = await getPersonalProject(owner);

 	//
 	// ACT
@@ -92,7 +100,7 @@ test('import:credentials should import a credential from separated files', async
 		sharings: [
 			expect.objectContaining({
 				credentialsId: '123',
-				userId: owner.id,
+				projectId: ownerProject.id,
 				role: 'credential:owner',
 			}),
 		],
@@ -104,6 +112,7 @@ test('`import:credentials --userId ...` should fail if the credential exists alr
 	// ARRANGE
 	//
 	const owner = await createOwner();
+	const ownerProject = await getPersonalProject(owner);
 	const member = await createMember();

 	// import credential the first time, assigning it to the owner
@@ -122,7 +131,7 @@ test('`import:credentials --userId ...` should fail if the credential exists alr
 		sharings: [
 			expect.objectContaining({
 				credentialsId: '123',
-				userId: owner.id,
+				projectId: ownerProject.id,
 				role: 'credential:owner',
 			}),
 		],
@@ -140,7 +149,7 @@ test('`import:credentials --userId ...` should fail if the credential exists alr
 			`--userId=${member.id}`,
 		]),
 	).rejects.toThrowError(
-		`The credential with id "123" is already owned by the user with the id "${owner.id}". It can't be re-owned by the user with the id "${member.id}"`,
+		`The credential with ID "123" is already owned by the user with the ID "${owner.id}". It can't be re-owned by the user with the ID "${member.id}"`,
 	);

 	//
@@ -162,19 +171,20 @@ test('`import:credentials --userId ...` should fail if the credential exists alr
 		sharings: [
 			expect.objectContaining({
 				credentialsId: '123',
-				userId: owner.id,
+				projectId: ownerProject.id,
 				role: 'credential:owner',
 			}),
 		],
 	});
 });

-test("only update credential, don't create or update owner if `--userId` is not passed", async () => {
+test("only update credential, don't create or update owner if neither `--userId` nor `--projectId` is passed", async () => {
 	//
 	// ARRANGE
 	//
 	await createOwner();
 	const member = await createMember();
+	const memberProject = await getPersonalProject(member);

 	// import credential the first time, assigning it to a member
 	await importCredential([
@@ -192,7 +202,7 @@ test("only update credential, don't create or update owner if `--userId` is not
 		sharings: [
 			expect.objectContaining({
 				credentialsId: '123',
-				userId: member.id,
+				projectId: memberProject.id,
 				role: 'credential:owner',
 			}),
 		],
@@ -225,9 +235,93 @@ test("only update credential, don't create or update owner if `--userId` is not
 		sharings: [
 			expect.objectContaining({
 				credentialsId: '123',
-				userId: member.id,
+				projectId: memberProject.id,
 				role: 'credential:owner',
 			}),
 		],
 	});
 });
+
+test('`import:credential --projectId ...` should fail if the credential already exists and is owned by another project', async () => {
+	//
+	// ARRANGE
+	//
+	const owner = await createOwner();
+	const ownerProject = await getPersonalProject(owner);
+	const member = await createMember();
+	const memberProject = await getPersonalProject(member);
+
+	// import credential the first time, assigning it to the owner
+	await importCredential([
+		'--input=./test/integration/commands/importCredentials/credentials.json',
+		`--userId=${owner.id}`,
+	]);
+
+	// making sure the import worked
+	const before = {
+		credentials: await getAllCredentials(),
+		sharings: await getAllSharedCredentials(),
+	};
+	expect(before).toMatchObject({
+		credentials: [expect.objectContaining({ id: '123', name: 'cred-aws-test' })],
+		sharings: [
+			expect.objectContaining({
+				credentialsId: '123',
+				projectId: ownerProject.id,
+				role: 'credential:owner',
+			}),
+		],
+	});
+
+	//
+	// ACT
+	//
+
+	// Import again while updating the name we try to assign the
+	// credential to another user.
+	await expect(
+		importCredential([
+			'--input=./test/integration/commands/importCredentials/credentials-updated.json',
+			`--projectId=${memberProject.id}`,
+		]),
+	).rejects.toThrowError(
+		`The credential with ID "123" is already owned by the user with the ID "${owner.id}". It can't be re-owned by the project with the ID "${memberProject.id}".`,
+	);
+
+	//
+	// ASSERT
+	//
+	const after = {
+		credentials: await getAllCredentials(),
+		sharings: await getAllSharedCredentials(),
+	};
+
+	expect(after).toMatchObject({
+		credentials: [
+			expect.objectContaining({
+				id: '123',
+				// only the name was updated
+				name: 'cred-aws-test',
+			}),
+		],
+		sharings: [
+			expect.objectContaining({
+				credentialsId: '123',
+				projectId: ownerProject.id,
+				role: 'credential:owner',
+			}),
+		],
+	});
+});
+
+test('`import:credential --projectId ... --userId ...` fails explaining that only one of the options can be used at a time', async () => {
+	await expect(
+		importCredential([
+			'--input=./test/integration/commands/importCredentials/credentials-updated.json',
+			`--projectId=${nanoid()}`,
+			`--userId=${nanoid()}`,
+		]),
+	).rejects.toThrowError(
+		'You cannot use `--userId` and `--projectId` together. Use one or the other.',
+	);
+});