feat: RBAC (#8922)

Signed-off-by: Oleg Ivaniv <me@olegivaniv.com> Co-authored-by: Val <68596159+valya@users.noreply.github.com> Co-authored-by: कारतोफ्फेलस्क्रिप्ट™ <aditya@netroy.in> Co-authored-by: Valya Bullions <valya@n8n.io> Co-authored-by: Danny Martini <danny@n8n.io> Co-authored-by: Danny Martini <despair.blue@gmail.com> Co-authored-by: Iván Ovejero <ivov.src@gmail.com> Co-authored-by: Omar Ajoue <krynble@gmail.com> Co-authored-by: oleg <me@olegivaniv.com> Co-authored-by: Michael Kret <michael.k@radency.com> Co-authored-by: Michael Kret <88898367+michael-radency@users.noreply.github.com> Co-authored-by: Elias Meire <elias@meire.dev> Co-authored-by: Giulio Andreini <andreini@netseven.it> Co-authored-by: Giulio Andreini <g.andreini@gmail.com> Co-authored-by: Ayato Hayashi <go12limchangyong@gmail.com>
2025-12-17 10:02:05 +00:00 · 2024-05-17 10:53:15 +02:00
parent b1f977ebd0
commit 596c472ecc
292 changed files with 14129 additions and 3989 deletions
--- a/packages/cli/test/integration/commands/import.cmd.test.ts
+++ b/packages/cli/test/integration/commands/import.cmd.test.ts
@@ -8,6 +8,8 @@ import { mockInstance } from '../../shared/mocking';
 import * as testDb from '../shared/testDb';
 import { getAllSharedWorkflows, getAllWorkflows } from '../shared/db/workflows';
 import { createMember, createOwner } from '../shared/db/users';
+import { getPersonalProject } from '../shared/db/projects';
+import { nanoid } from 'nanoid';

 const oclifConfig = new Config({ root: __dirname });

@@ -36,6 +38,7 @@ test('import:workflow should import active workflow and deactivate it', async ()
 	// ARRANGE
 	//
 	const owner = await createOwner();
+	const ownerProject = await getPersonalProject(owner);

 	//
 	// ACT
@@ -58,8 +61,16 @@ test('import:workflow should import active workflow and deactivate it', async ()
 			expect.objectContaining({ name: 'inactive-workflow', active: false }),
 		],
 		sharings: [
-			expect.objectContaining({ workflowId: '998', userId: owner.id, role: 'workflow:owner' }),
-			expect.objectContaining({ workflowId: '999', userId: owner.id, role: 'workflow:owner' }),
+			expect.objectContaining({
+				workflowId: '998',
+				projectId: ownerProject.id,
+				role: 'workflow:owner',
+			}),
+			expect.objectContaining({
+				workflowId: '999',
+				projectId: ownerProject.id,
+				role: 'workflow:owner',
+			}),
 		],
 	});
 });
@@ -69,6 +80,7 @@ test('import:workflow should import active workflow from combined file and deact
 	// ARRANGE
 	//
 	const owner = await createOwner();
+	const ownerProject = await getPersonalProject(owner);

 	//
 	// ACT
@@ -90,8 +102,16 @@ test('import:workflow should import active workflow from combined file and deact
 			expect.objectContaining({ name: 'inactive-workflow', active: false }),
 		],
 		sharings: [
-			expect.objectContaining({ workflowId: '998', userId: owner.id, role: 'workflow:owner' }),
-			expect.objectContaining({ workflowId: '999', userId: owner.id, role: 'workflow:owner' }),
+			expect.objectContaining({
+				workflowId: '998',
+				projectId: ownerProject.id,
+				role: 'workflow:owner',
+			}),
+			expect.objectContaining({
+				workflowId: '999',
+				projectId: ownerProject.id,
+				role: 'workflow:owner',
+			}),
 		],
 	});
 });
@@ -101,6 +121,7 @@ test('`import:workflow --userId ...` should fail if the workflow exists already
 	// ARRANGE
 	//
 	const owner = await createOwner();
+	const ownerProject = await getPersonalProject(owner);
 	const member = await createMember();

 	// Import workflow the first time, assigning it to a member.
@@ -119,7 +140,7 @@ test('`import:workflow --userId ...` should fail if the workflow exists already
 		sharings: [
 			expect.objectContaining({
 				workflowId: '998',
-				userId: owner.id,
+				projectId: ownerProject.id,
 				role: 'workflow:owner',
 			}),
 		],
@@ -136,7 +157,7 @@ test('`import:workflow --userId ...` should fail if the workflow exists already
 			`--userId=${member.id}`,
 		]),
 	).rejects.toThrowError(
-		`The credential with id "998" is already owned by the user with the id "${owner.id}". It can't be re-owned by the user with the id "${member.id}"`,
+		`The credential with ID "998" is already owned by the user with the ID "${owner.id}". It can't be re-owned by the user with the ID "${member.id}"`,
 	);

 	//
@@ -152,7 +173,7 @@ test('`import:workflow --userId ...` should fail if the workflow exists already
 		sharings: [
 			expect.objectContaining({
 				workflowId: '998',
-				userId: owner.id,
+				projectId: ownerProject.id,
 				role: 'workflow:owner',
 			}),
 		],
@@ -165,6 +186,7 @@ test("only update the workflow, don't create or update the owner if `--userId` i
 	//
 	await createOwner();
 	const member = await createMember();
+	const memberProject = await getPersonalProject(member);

 	// Import workflow the first time, assigning it to a member.
 	await importWorkflow([
@@ -182,7 +204,7 @@ test("only update the workflow, don't create or update the owner if `--userId` i
 		sharings: [
 			expect.objectContaining({
 				workflowId: '998',
-				userId: member.id,
+				projectId: memberProject.id,
 				role: 'workflow:owner',
 			}),
 		],
@@ -209,9 +231,86 @@ test("only update the workflow, don't create or update the owner if `--userId` i
 		sharings: [
 			expect.objectContaining({
 				workflowId: '998',
-				userId: member.id,
+				projectId: memberProject.id,
 				role: 'workflow:owner',
 			}),
 		],
 	});
 });
+
+test('`import:workflow --projectId ...` should fail if the credential already exists and is owned by another project', async () => {
+	//
+	// ARRANGE
+	//
+	const owner = await createOwner();
+	const ownerProject = await getPersonalProject(owner);
+	const member = await createMember();
+	const memberProject = await getPersonalProject(member);
+
+	// Import workflow the first time, assigning it to a member.
+	await importWorkflow([
+		'--input=./test/integration/commands/importWorkflows/combined-with-update/original.json',
+		`--userId=${owner.id}`,
+	]);
+
+	const before = {
+		workflows: await getAllWorkflows(),
+		sharings: await getAllSharedWorkflows(),
+	};
+	// Make sure the workflow and sharing have been created.
+	expect(before).toMatchObject({
+		workflows: [expect.objectContaining({ id: '998', name: 'active-workflow' })],
+		sharings: [
+			expect.objectContaining({
+				workflowId: '998',
+				projectId: ownerProject.id,
+				role: 'workflow:owner',
+			}),
+		],
+	});
+
+	//
+	// ACT
+	//
+	// Import the same workflow again, with another name but the same ID, and try
+	// to assign it to the member.
+	await expect(
+		importWorkflow([
+			'--input=./test/integration/commands/importWorkflows/combined-with-update/updated.json',
+			`--projectId=${memberProject.id}`,
+		]),
+	).rejects.toThrowError(
+		`The credential with ID "998" is already owned by the user with the ID "${owner.id}". It can't be re-owned by the project with the ID "${memberProject.id}"`,
+	);
+
+	//
+	// ASSERT
+	//
+	const after = {
+		workflows: await getAllWorkflows(),
+		sharings: await getAllSharedWorkflows(),
+	};
+	// Make sure there is no new sharing and that the name DID NOT change.
+	expect(after).toMatchObject({
+		workflows: [expect.objectContaining({ id: '998', name: 'active-workflow' })],
+		sharings: [
+			expect.objectContaining({
+				workflowId: '998',
+				projectId: ownerProject.id,
+				role: 'workflow:owner',
+			}),
+		],
+	});
+});
+
+test('`import:workflow --projectId ... --userId ...` fails explaining that only one of the options can be used at a time', async () => {
+	await expect(
+		importWorkflow([
+			'--input=./test/integration/commands/importWorkflows/combined-with-update/updated.json',
+			`--userId=${nanoid()}`,
+			`--projectId=${nanoid()}`,
+		]),
+	).rejects.toThrowError(
+		'You cannot use `--userId` and `--projectId` together. Use one or the other.',
+	);
+});