feat(core): Add credential runtime checks and prevent tampering in manual run (#4481)

* ✨ Create `PermissionChecker` * ⚡ Adjust helper * 🔥 Remove superseded helpers * ⚡ Use `PermissionChecker` * 🧪 Add test for dynamic router switching * ⚡ Simplify checks * ⚡ Export utils * ⚡ Add missing `init` method * 🧪 Write tests for `PermissionChecker` * 📘 Update types * 🧪 Fix tests * ✨ Set up `runManually()` * ⚡ Refactor to reuse methods * 🧪 Clear shared tables first * 🔀 Adjust merge * ⚡ Adjust imports
2025-12-17 10:02:05 +00:00 · 2022-11-11 11:14:45 +01:00
parent 50f7538779
commit d35d63a855
16 changed files with 497 additions and 233 deletions
--- a/packages/cli/test/integration/workflows.controller.ee.test.ts
+++ b/packages/cli/test/integration/workflows.controller.ee.test.ts
@@ -17,12 +17,12 @@ jest.mock('@/telemetry');

 let app: express.Application;
 let testDbName = '';
-
 let globalOwnerRole: Role;
 let globalMemberRole: Role;
 let credentialOwnerRole: Role;
 let authAgent: AuthAgent;
 let saveCredential: SaveCredentialFunction;
+let isSharingEnabled: jest.SpyInstance<boolean>;
 let workflowRunner: ActiveWorkflowRunner;
 let sharingSpy: jest.SpyInstance<boolean>;

@@ -45,7 +45,9 @@ beforeAll(async () => {
 	utils.initTestLogger();
 	utils.initTestTelemetry();

-	config.set('enterprise.workflowSharingEnabled', true);
+	isSharingEnabled = jest.spyOn(UserManagementHelpers, 'isSharingEnabled').mockReturnValue(true);
+
+	config.set('enterprise.workflowSharingEnabled', true); // @TODO: Remove once temp flag is removed

 	await utils.initNodeTypes();
 	workflowRunner = await utils.initActiveWorkflowRunner();
@@ -62,6 +64,32 @@ afterAll(async () => {
 	await testDb.terminate(testDbName);
 });

+test('Router should switch dynamically', async () => {
+	const owner = await testDb.createUser({ globalRole: globalOwnerRole });
+	const member = await testDb.createUser({ globalRole: globalMemberRole });
+
+	const createWorkflowResponse = await authAgent(owner).post('/workflows').send(makeWorkflow());
+	const { id } = createWorkflowResponse.body.data;
+
+	// free router
+
+	isSharingEnabled.mockReturnValueOnce(false);
+
+	const freeShareResponse = await authAgent(owner)
+		.put(`/workflows/${id}/share`)
+		.send({ shareWithIds: [member.id] });
+
+	expect(freeShareResponse.status).toBe(404);
+
+	// EE router
+
+	const paidShareResponse = await authAgent(owner)
+		.put(`/workflows/${id}/share`)
+		.send({ shareWithIds: [member.id] });
+
+	expect(paidShareResponse.status).toBe(200);
+});
+
 describe('PUT /workflows/:id', () => {
 	test('PUT /workflows/:id/share should save sharing with new users', async () => {
 		const owner = await testDb.createUser({ globalRole: globalOwnerRole });