admin/n8n-enterprise-unlocked
1
0
Fork 0
mirror of https://github.com/Abdulazizzn/n8n-enterprise-unlocked.git synced 2025-12-17 10:02:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: RBAC (#8922)

Browse Source 
Signed-off-by: Oleg Ivaniv <me@olegivaniv.com>
Co-authored-by: Val <68596159+valya@users.noreply.github.com>
Co-authored-by: कारतोफ्फेलस्क्रिप्ट™ <aditya@netroy.in>
Co-authored-by: Valya Bullions <valya@n8n.io>
Co-authored-by: Danny Martini <danny@n8n.io>
Co-authored-by: Danny Martini <despair.blue@gmail.com>
Co-authored-by: Iván Ovejero <ivov.src@gmail.com>
Co-authored-by: Omar Ajoue <krynble@gmail.com>
Co-authored-by: oleg <me@olegivaniv.com>
Co-authored-by: Michael Kret <michael.k@radency.com>
Co-authored-by: Michael Kret <88898367+michael-radency@users.noreply.github.com>
Co-authored-by: Elias Meire <elias@meire.dev>
Co-authored-by: Giulio Andreini <andreini@netseven.it>
Co-authored-by: Giulio Andreini <g.andreini@gmail.com>
Co-authored-by: Ayato Hayashi <go12limchangyong@gmail.com>
This commit is contained in:
Csaba Tuncsik
2024-05-17 10:53:15 +02:00
committed by GitHub
parent b1f977ebd0
commit 596c472ecc
292 changed files with 14129 additions and 3989 deletions
Download Patch File Download Diff File Expand all files Collapse all files

489
packages/cli/test/integration/workflows/workflows.controller.test.ts
View File

@@ -17,13 +17,22 @@ import * as testDb from '../shared/testDb';
import { makeWorkflow, MOCK_PINDATA } from '../shared/utils/';
import { randomCredentialPayload } from '../shared/random';
import { saveCredential } from '../shared/db/credentials';
import { createOwner } from '../shared/db/users';
import { createWorkflow } from '../shared/db/workflows';
import { createManyUsers, createMember, createOwner } from '../shared/db/users';
import { createWorkflow, shareWorkflowWithProjects } from '../shared/db/workflows';
import { createTag } from '../shared/db/tags';
import { License } from '@/License';
import { SharedWorkflowRepository } from '@/databases/repositories/sharedWorkflow.repository';
import { ProjectRepository } from '@/databases/repositories/project.repository';
import { ProjectService } from '@/services/project.service';
import { createTeamProject, linkUserToProject } from '../shared/db/projects';
import type { Scope } from '@n8n/permissions';
let owner: User;
let member: User;
let anotherMember: User;
let authOwnerAgent: SuperAgentTest;
let authMemberAgent: SuperAgentTest;
jest.spyOn(License.prototype, 'isSharingEnabled').mockReturnValue(false);
@@ -34,9 +43,15 @@ const { objectContaining, arrayContaining, any } = expect;
const activeWorkflowManagerLike = mockInstance(ActiveWorkflowManager);
let projectRepository: ProjectRepository;
beforeAll(async () => {
projectRepository = Container.get(ProjectRepository);
owner = await createOwner();
authOwnerAgent = testServer.authAgentFor(owner);
member = await createMember();
authMemberAgent = testServer.authAgentFor(member);
anotherMember = await createMember();
});
beforeEach(async () => {
@@ -62,6 +77,52 @@ describe('POST /workflows', () => {
expect(pinData).toBeNull();
});
test('should return scopes on created workflow', async () => {
const payload = {
name: 'testing',
nodes: [
{
id: 'uuid-1234',
parameters: {},
name: 'Start',
type: 'n8n-nodes-base.start',
typeVersion: 1,
position: [240, 300],
},
],
connections: {},
staticData: null,
settings: {
saveExecutionProgress: true,
saveManualExecutions: true,
saveDataErrorExecution: 'all',
saveDataSuccessExecution: 'all',
executionTimeout: 3600,
timezone: 'America/New_York',
},
active: false,
};
const response = await authMemberAgent.post('/workflows').send(payload);
expect(response.statusCode).toBe(200);
const {
data: { id, scopes },
} = response.body;
expect(id).toBeDefined();
expect(scopes).toEqual(
[
'workflow:delete',
'workflow:execute',
'workflow:read',
'workflow:share',
'workflow:update',
].sort(),
);
});
test('should create workflow history version when licensed', async () => {
license.enable('feat:workflowHistory');
const payload = {
@@ -151,6 +212,151 @@ describe('POST /workflows', () => {
await Container.get(WorkflowHistoryRepository).count({ where: { workflowId: id } }),
).toBe(0);
});
test('create workflow in personal project by default', async () => {
//
// ARRANGE
//
const tag = await createTag({ name: 'A' });
const workflow = makeWorkflow();
const personalProject = await projectRepository.getPersonalProjectForUserOrFail(owner.id);
//
// ACT
//
const response = await authOwnerAgent
.post('/workflows')
.send({ ...workflow, tags: [tag.id] })
.expect(200);
//
// ASSERT
//
await Container.get(SharedWorkflowRepository).findOneOrFail({
where: {
projectId: personalProject.id,
workflowId: response.body.data.id,
},
});
expect(response.body.data).toMatchObject({
active: false,
id: expect.any(String),
name: workflow.name,
sharedWithProjects: [],
usedCredentials: [],
homeProject: {
id: personalProject.id,
name: personalProject.name,
type: personalProject.type,
},
tags: [{ id: tag.id, name: tag.name }],
});
expect(response.body.data.shared).toBeUndefined();
});
test('creates workflow in a specific project if the projectId is passed', async () => {
//
// ARRANGE
//
const tag = await createTag({ name: 'A' });
const workflow = makeWorkflow();
const project = await projectRepository.save(
projectRepository.create({
name: 'Team Project',
type: 'team',
}),
);
await Container.get(ProjectService).addUser(project.id, owner.id, 'project:admin');
//
// ACT
//
const response = await authOwnerAgent
.post('/workflows')
.send({ ...workflow, projectId: project.id, tags: [tag.id] })
.expect(200);
//
// ASSERT
//
await Container.get(SharedWorkflowRepository).findOneOrFail({
where: {
projectId: project.id,
workflowId: response.body.data.id,
},
});
expect(response.body.data).toMatchObject({
active: false,
id: expect.any(String),
name: workflow.name,
sharedWithProjects: [],
usedCredentials: [],
homeProject: {
id: project.id,
name: project.name,
type: project.type,
},
tags: [{ id: tag.id, name: tag.name }],
});
expect(response.body.data.shared).toBeUndefined();
});
test('does not create the workflow in a specific project if the user is not part of the project', async () => {
//
// ARRANGE
//
const workflow = makeWorkflow();
const project = await projectRepository.save(
projectRepository.create({
name: 'Team Project',
type: 'team',
}),
);
//
// ACT
//
await testServer
.authAgentFor(member)
.post('/workflows')
.send({ ...workflow, projectId: project.id })
//
// ASSERT
//
.expect(400, {
code: 400,
message: "You don't have the permissions to save the workflow in this project.",
});
});
test('does not create the workflow in a specific project if the user does not have the right role to do so', async () => {
//
// ARRANGE
//
const workflow = makeWorkflow();
const project = await projectRepository.save(
projectRepository.create({
name: 'Team Project',
type: 'team',
}),
);
await Container.get(ProjectService).addUser(project.id, member.id, 'project:viewer');
//
// ACT
//
await testServer
.authAgentFor(member)
.post('/workflows')
.send({ ...workflow, projectId: project.id })
//
// ASSERT
//
.expect(400, {
code: 400,
message: "You don't have the permissions to save the workflow in this project.",
});
});
});
describe('GET /workflows/:id', () => {
@@ -165,6 +371,17 @@ describe('GET /workflows/:id', () => {
const { pinData } = workflowRetrievalResponse.body.data as { pinData: IPinData };
expect(pinData).toMatchObject(MOCK_PINDATA);
});
test('should return tags', async () => {
const tag = await createTag({ name: 'A' });
const workflow = await createWorkflow({ tags: [tag] }, owner);
const response = await authOwnerAgent.get(`/workflows/${workflow.id}`).expect(200);
expect(response.body.data).toMatchObject({
tags: [expect.objectContaining({ id: tag.id, name: tag.name })],
});
});
});
describe('GET /workflows', () => {
@@ -179,6 +396,7 @@ describe('GET /workflows', () => {
user: owner,
role: 'credential:owner',
});
const ownerPersonalProject = await projectRepository.getPersonalProjectForUserOrFail(owner.id);
const nodes: INode[] = [
{
@@ -215,13 +433,12 @@ describe('GET /workflows', () => {
updatedAt: any(String),
tags: [{ id: any(String), name: 'A' }],
versionId: any(String),
ownedBy: {
id: owner.id,
email: any(String),
firstName: any(String),
lastName: any(String),
homeProject: {
id: ownerPersonalProject.id,
name: owner.createPersonalProjectName(),
type: ownerPersonalProject.type,
},
sharedWith: [],
sharedWithProjects: [],
}),
objectContaining({
id: any(String),
@@ -231,13 +448,12 @@ describe('GET /workflows', () => {
updatedAt: any(String),
tags: [],
versionId: any(String),
ownedBy: {
id: owner.id,
email: any(String),
firstName: any(String),
lastName: any(String),
homeProject: {
id: ownerPersonalProject.id,
name: owner.createPersonalProjectName(),
type: ownerPersonalProject.type,
},
sharedWith: [],
sharedWithProjects: [],
}),
]),
});
@@ -247,10 +463,142 @@ describe('GET /workflows', () => {
);
expect(found.nodes).toBeUndefined();
expect(found.sharedWith).toHaveLength(0);
expect(found.sharedWithProjects).toHaveLength(0);
expect(found.usedCredentials).toBeUndefined();
});
test('should return workflows with scopes when ?includeScopes=true', async () => {
const [member1, member2] = await createManyUsers(2, {
role: 'global:member',
});
const teamProject = await createTeamProject(undefined, member1);
await linkUserToProject(member2, teamProject, 'project:editor');
const credential = await saveCredential(randomCredentialPayload(), {
user: owner,
role: 'credential:owner',
});
const nodes: INode[] = [
{
id: uuid(),
name: 'Action Network',
type: 'n8n-nodes-base.actionNetwork',
parameters: {},
typeVersion: 1,
position: [0, 0],
credentials: {
actionNetworkApi: {
id: credential.id,
name: credential.name,
},
},
},
];
const tag = await createTag({ name: 'A' });
const [savedWorkflow1, savedWorkflow2] = await Promise.all([
createWorkflow({ name: 'First', nodes, tags: [tag] }, teamProject),
createWorkflow({ name: 'Second' }, member2),
]);
await shareWorkflowWithProjects(savedWorkflow2, [{ project: teamProject }]);
{
const response = await testServer.authAgentFor(member1).get('/workflows?includeScopes=true');
expect(response.statusCode).toBe(200);
expect(response.body.data.length).toBe(2);
const workflows = response.body.data as Array<WorkflowEntity & { scopes: Scope[] }>;
const wf1 = workflows.find((w) => w.id === savedWorkflow1.id)!;
const wf2 = workflows.find((w) => w.id === savedWorkflow2.id)!;
// Team workflow
expect(wf1.id).toBe(savedWorkflow1.id);
expect(wf1.scopes).toEqual(
['workflow:read', 'workflow:update', 'workflow:delete', 'workflow:execute'].sort(),
);
// Shared workflow
expect(wf2.id).toBe(savedWorkflow2.id);
expect(wf2.scopes).toEqual(['workflow:read', 'workflow:update', 'workflow:execute'].sort());
}
{
const response = await testServer.authAgentFor(member2).get('/workflows?includeScopes=true');
expect(response.statusCode).toBe(200);
expect(response.body.data.length).toBe(2);
const workflows = response.body.data as Array<WorkflowEntity & { scopes: Scope[] }>;
const wf1 = workflows.find((w) => w.id === savedWorkflow1.id)!;
const wf2 = workflows.find((w) => w.id === savedWorkflow2.id)!;
// Team workflow
expect(wf1.id).toBe(savedWorkflow1.id);
expect(wf1.scopes).toEqual([
'workflow:delete',
'workflow:execute',
'workflow:read',
'workflow:update',
]);
// Shared workflow
expect(wf2.id).toBe(savedWorkflow2.id);
expect(wf2.scopes).toEqual(
[
'workflow:read',
'workflow:update',
'workflow:delete',
'workflow:execute',
'workflow:share',
].sort(),
);
}
{
const response = await testServer.authAgentFor(owner).get('/workflows?includeScopes=true');
expect(response.statusCode).toBe(200);
expect(response.body.data.length).toBe(2);
const workflows = response.body.data as Array<WorkflowEntity & { scopes: Scope[] }>;
const wf1 = workflows.find((w) => w.id === savedWorkflow1.id)!;
const wf2 = workflows.find((w) => w.id === savedWorkflow2.id)!;
// Team workflow
expect(wf1.id).toBe(savedWorkflow1.id);
expect(wf1.scopes).toEqual(
[
'workflow:create',
'workflow:read',
'workflow:update',
'workflow:delete',
'workflow:list',
'workflow:share',
'workflow:execute',
].sort(),
);
// Shared workflow
expect(wf2.id).toBe(savedWorkflow2.id);
expect(wf2.scopes).toEqual(
[
'workflow:create',
'workflow:read',
'workflow:update',
'workflow:delete',
'workflow:list',
'workflow:share',
'workflow:execute',
].sort(),
);
}
});
describe('filter', () => {
test('should filter workflows by field: name', async () => {
await createWorkflow({ name: 'First' }, owner);
@@ -298,6 +646,26 @@ describe('GET /workflows', () => {
data: [objectContaining({ name: 'First', tags: [{ id: any(String), name: 'A' }] })],
});
});
test('should filter workflows by projectId', async () => {
const workflow = await createWorkflow({ name: 'First' }, owner);
const pp = await Container.get(ProjectRepository).getPersonalProjectForUserOrFail(owner.id);
const response1 = await authOwnerAgent
.get('/workflows')
.query(`filter={ "projectId": "${pp.id}" }`)
.expect(200);
expect(response1.body.data).toHaveLength(1);
expect(response1.body.data[0].id).toBe(workflow.id);
const response2 = await authOwnerAgent
.get('/workflows')
.query('filter={ "projectId": "Non-Existing Project ID" }')
.expect(200);
expect(response2.body.data).toHaveLength(0);
});
});
describe('select', () => {
@@ -419,6 +787,9 @@ describe('GET /workflows', () => {
test('should select workflow field: ownedBy', async () => {
await createWorkflow({}, owner);
await createWorkflow({}, owner);
const ownerPersonalProject = await projectRepository.getPersonalProjectForUserOrFail(
owner.id,
);
const response = await authOwnerAgent
.get('/workflows')
@@ -430,23 +801,21 @@ describe('GET /workflows', () => {
data: arrayContaining([
{
id: any(String),
ownedBy: {
id: owner.id,
email: any(String),
firstName: any(String),
lastName: any(String),
homeProject: {
id: ownerPersonalProject.id,
name: owner.createPersonalProjectName(),
type: ownerPersonalProject.type,
},
sharedWith: [],
sharedWithProjects: [],
},
{
id: any(String),
ownedBy: {
id: owner.id,
email: any(String),
firstName: any(String),
lastName: any(String),
homeProject: {
id: ownerPersonalProject.id,
name: owner.createPersonalProjectName(),
type: ownerPersonalProject.type,
},
sharedWith: [],
sharedWithProjects: [],
},
]),
});
@@ -645,7 +1014,7 @@ describe('POST /workflows/run', () => {
test('should prevent tampering if sharing is enabled', async () => {
sharingSpy.mockReturnValue(true);
await authOwnerAgent.post('/workflows/run').send({ workflowData: workflow });
await authOwnerAgent.post(`/workflows/${workflow.id}/run`).send({ workflowData: workflow });
expect(tamperingSpy).toHaveBeenCalledTimes(1);
});
@@ -653,8 +1022,70 @@ describe('POST /workflows/run', () => {
test('should skip tampering prevention if sharing is disabled', async () => {
sharingSpy.mockReturnValue(false);
await authOwnerAgent.post('/workflows/run').send({ workflowData: workflow });
await authOwnerAgent.post(`/workflows/${workflow.id}/run`).send({ workflowData: workflow });
expect(tamperingSpy).not.toHaveBeenCalled();
});
});
describe('DELETE /workflows/:id', () => {
test('deletes a workflow owned by the user', async () => {
const workflow = await createWorkflow({}, owner);
await authOwnerAgent.delete(`/workflows/${workflow.id}`).send().expect(200);
const workflowInDb = await Container.get(WorkflowRepository).findById(workflow.id);
const sharedWorkflowsInDb = await Container.get(SharedWorkflowRepository).findBy({
workflowId: workflow.id,
});
expect(workflowInDb).toBeNull();
expect(sharedWorkflowsInDb).toHaveLength(0);
});
test('deletes a workflow owned by the user, even if the user is just a member', async () => {
const workflow = await createWorkflow({}, member);
await testServer.authAgentFor(member).delete(`/workflows/${workflow.id}`).send().expect(200);
const workflowInDb = await Container.get(WorkflowRepository).findById(workflow.id);
const sharedWorkflowsInDb = await Container.get(SharedWorkflowRepository).findBy({
workflowId: workflow.id,
});
expect(workflowInDb).toBeNull();
expect(sharedWorkflowsInDb).toHaveLength(0);
});
test('does not delete a workflow that is not owned by the user', async () => {
const workflow = await createWorkflow({}, member);
await testServer
.authAgentFor(anotherMember)
.delete(`/workflows/${workflow.id}`)
.send()
.expect(403);
const workflowsInDb = await Container.get(WorkflowRepository).findById(workflow.id);
const sharedWorkflowsInDb = await Container.get(SharedWorkflowRepository).findBy({
workflowId: workflow.id,
});
expect(workflowsInDb).not.toBeNull();
expect(sharedWorkflowsInDb).toHaveLength(1);
});
test("allows the owner to delete workflows they don't own", async () => {
const workflow = await createWorkflow({}, member);
await authOwnerAgent.delete(`/workflows/${workflow.id}`).send().expect(200);
const workflowsInDb = await Container.get(WorkflowRepository).findById(workflow.id);
const sharedWorkflowsInDb = await Container.get(SharedWorkflowRepository).findBy({
workflowId: workflow.id,
});
expect(workflowsInDb).toBeNull();
expect(sharedWorkflowsInDb).toHaveLength(0);
});
});