feat(core): Add credential runtime checks and prevent tampering in manual run (#4481)

* ✨ Create `PermissionChecker` * ⚡ Adjust helper * 🔥 Remove superseded helpers * ⚡ Use `PermissionChecker` * 🧪 Add test for dynamic router switching * ⚡ Simplify checks * ⚡ Export utils * ⚡ Add missing `init` method * 🧪 Write tests for `PermissionChecker` * 📘 Update types * 🧪 Fix tests * ✨ Set up `runManually()` * ⚡ Refactor to reuse methods * 🧪 Clear shared tables first * 🔀 Adjust merge * ⚡ Adjust imports
2025-12-22 20:29:08 +00:00 · 2022-11-11 11:14:45 +01:00
parent 50f7538779
commit d35d63a855
16 changed files with 497 additions and 233 deletions
--- a/packages/cli/test/integration/shared/random.ts
+++ b/packages/cli/test/integration/shared/random.ts
@@ -17,7 +17,13 @@ export function randomApiKey() {

 const chooseRandomly = <T>(array: T[]) => array[Math.floor(Math.random() * array.length)];

-const randomDigit = () => Math.floor(Math.random() * 10);
+export const randomDigit = () => Math.floor(Math.random() * 10);
+
+export const randomPositiveDigit = (): number => {
+	const digit = randomDigit();
+
+	return digit === 0 ? randomPositiveDigit() : digit;
+};

 const randomUppercaseLetter = () => chooseRandomly('ABCDEFGHIJKLMNOPQRSTUVWXYZ'.split(''));

--- a/packages/cli/test/integration/shared/testDb.ts
+++ b/packages/cli/test/integration/shared/testDb.ts
@@ -322,6 +322,10 @@ export async function createUser(attributes: Partial<User> = {}): Promise<User>
 	return Db.collections.User.save(user);
 }

+export async function createOwner() {
+	return createUser({ globalRole: await getGlobalOwnerRole() });
+}
+
 export function createUserShell(globalRole: Role): Promise<User> {
 	if (globalRole.scope !== 'global') {
 		throw new Error(`Invalid role received: ${JSON.stringify(globalRole)}`);
--- a/packages/cli/test/integration/workflows.controller.ee.test.ts
+++ b/packages/cli/test/integration/workflows.controller.ee.test.ts
@@ -17,12 +17,12 @@ jest.mock('@/telemetry');

 let app: express.Application;
 let testDbName = '';
-
 let globalOwnerRole: Role;
 let globalMemberRole: Role;
 let credentialOwnerRole: Role;
 let authAgent: AuthAgent;
 let saveCredential: SaveCredentialFunction;
+let isSharingEnabled: jest.SpyInstance<boolean>;
 let workflowRunner: ActiveWorkflowRunner;
 let sharingSpy: jest.SpyInstance<boolean>;

@@ -45,7 +45,9 @@ beforeAll(async () => {
 	utils.initTestLogger();
 	utils.initTestTelemetry();

-	config.set('enterprise.workflowSharingEnabled', true);
+	isSharingEnabled = jest.spyOn(UserManagementHelpers, 'isSharingEnabled').mockReturnValue(true);
+
+	config.set('enterprise.workflowSharingEnabled', true); // @TODO: Remove once temp flag is removed

 	await utils.initNodeTypes();
 	workflowRunner = await utils.initActiveWorkflowRunner();
@@ -62,6 +64,32 @@ afterAll(async () => {
 	await testDb.terminate(testDbName);
 });

+test('Router should switch dynamically', async () => {
+	const owner = await testDb.createUser({ globalRole: globalOwnerRole });
+	const member = await testDb.createUser({ globalRole: globalMemberRole });
+
+	const createWorkflowResponse = await authAgent(owner).post('/workflows').send(makeWorkflow());
+	const { id } = createWorkflowResponse.body.data;
+
+	// free router
+
+	isSharingEnabled.mockReturnValueOnce(false);
+
+	const freeShareResponse = await authAgent(owner)
+		.put(`/workflows/${id}/share`)
+		.send({ shareWithIds: [member.id] });
+
+	expect(freeShareResponse.status).toBe(404);
+
+	// EE router
+
+	const paidShareResponse = await authAgent(owner)
+		.put(`/workflows/${id}/share`)
+		.send({ shareWithIds: [member.id] });
+
+	expect(paidShareResponse.status).toBe(200);
+});
+
 describe('PUT /workflows/:id', () => {
 	test('PUT /workflows/:id/share should save sharing with new users', async () => {
 		const owner = await testDb.createUser({ globalRole: globalOwnerRole });