feat(core): Security audit (#5034)

* ✨ Implement security audit * ⚡ Use logger * 🧪 Fix test * ⚡ Switch logger with stdout * 🎨 Set new logo * ⚡ Fill out Public API schema * ✏️ Fix typo * ⚡ Break dependency cycle * ⚡ Add security settings values * 🧪 Test security settings * ⚡ Add publicly accessible instance warning * ⚡ Add metric to CLI command * ✏️ Fix typo * 🔥 Remove unneeded path alias * 📘 Add type import * 🔥 Remove inferrable output type * ⚡ Set description at correct level * ⚡ Rename constant for consistency * ⚡ Sort URLs * ⚡ Rename local var * ⚡ Shorten name * ✏️ Improve phrasing * ⚡ Improve naming * ⚡ Fix casing * ✏️ Add docline * ✏️ Relocate comment * ⚡ Add singular/plurals * 🔥 Remove unneeded await * ✏️ Improve test description * ⚡ Optimize with sets * ⚡ Adjust post master merge * ✏️ Improve naming * ⚡ Adjust in spy * 🧪 Fix outdated instance test * 🧪 Make diagnostics check consistent * ⚡ Refactor `getAllExistingCreds` * ⚡ Create helper `getNodeTypes` * 🐛 Fix `InternalHooksManager` call * 🚚 Rename `execution` to `nodes` risk * ⚡ Add options to CLI command * ⚡ Make days configurable * :revert: Undo changes to `BaseCommand` * ⚡ Improve CLI command UX * ⚡ Change no-report return value Empty array to trigger empty state on FE. * ⚡ Add empty check to `reportInstanceRisk` * 🧪 Extend Jest `expect` * 📘 Augment `jest.Matchers` * 🧪 Set extend as setup file * 🔧 Override lint rule for `.d.ts` * ⚡ Use new matcher * ⚡ Update check * 📘 Improve typings * ⚡ Adjust instance risk check * ✏️ Rename `execution` → `nodes` in Public API schema * ✏️ Add clarifying comment * ✏️ Fix typo * ⚡ Validate categories in CLI command * ✏️ Improve naming * ✏️ Make audit reference consistent * 📘 Fix typing * ⚡ Use `finally` in CLI command
2025-12-17 01:56:46 +00:00 · 2023-01-05 13:28:40 +01:00
parent 59004fe7bb
commit d548161632
34 changed files with 2335 additions and 18 deletions
--- a/packages/cli/test/integration/audit/credentials.risk.test.ts
+++ b/packages/cli/test/integration/audit/credentials.risk.test.ts
@@ -0,0 +1,225 @@
+import { v4 as uuid } from 'uuid';
+import * as Db from '@/Db';
+import config from '@/config';
+import { audit } from '@/audit';
+import { CREDENTIALS_REPORT } from '@/audit/constants';
+import { getRiskSection } from './utils';
+import * as testDb from '../shared/testDb';
+
+let testDbName = '';
+
+beforeAll(async () => {
+	const initResult = await testDb.init();
+	testDbName = initResult.testDbName;
+});
+
+beforeEach(async () => {
+	await testDb.truncate(['Workflow', 'Credentials', 'Execution'], testDbName);
+});
+
+afterAll(async () => {
+	await testDb.terminate(testDbName);
+});
+
+test('should report credentials not in any use', async () => {
+	const credentialDetails = {
+		name: 'My Slack Credential',
+		data: 'U2FsdGVkX18WjITBG4IDqrGB1xE/uzVNjtwDAG3lP7E=',
+		type: 'slackApi',
+		nodesAccess: [{ nodeType: 'n8n-nodes-base.slack', date: '2022-12-21T11:23:00.561Z' }],
+	};
+
+	const workflowDetails = {
+		name: 'My Test Workflow',
+		active: false,
+		connections: {},
+		nodeTypes: {},
+		nodes: [
+			{
+				id: uuid(),
+				name: 'My Node',
+				type: 'n8n-nodes-base.slack',
+				typeVersion: 1,
+				position: [0, 0] as [number, number],
+			},
+		],
+	};
+
+	await Promise.all([
+		Db.collections.Credentials.save(credentialDetails),
+		Db.collections.Workflow.save(workflowDetails),
+	]);
+
+	const testAudit = await audit(['credentials']);
+
+	const section = getRiskSection(
+		testAudit,
+		CREDENTIALS_REPORT.RISK,
+		CREDENTIALS_REPORT.SECTIONS.CREDS_NOT_IN_ANY_USE,
+	);
+
+	expect(section.location).toHaveLength(1);
+	expect(section.location[0]).toMatchObject({
+		id: '1',
+		name: 'My Slack Credential',
+	});
+});
+
+test('should report credentials not in active use', async () => {
+	const credentialDetails = {
+		name: 'My Slack Credential',
+		data: 'U2FsdGVkX18WjITBG4IDqrGB1xE/uzVNjtwDAG3lP7E=',
+		type: 'slackApi',
+		nodesAccess: [{ nodeType: 'n8n-nodes-base.slack', date: '2022-12-21T11:23:00.561Z' }],
+	};
+
+	const credential = await Db.collections.Credentials.save(credentialDetails);
+
+	const workflowDetails = {
+		name: 'My Test Workflow',
+		active: false,
+		connections: {},
+		nodeTypes: {},
+		nodes: [
+			{
+				id: uuid(),
+				name: 'My Node',
+				type: 'n8n-nodes-base.slack',
+				typeVersion: 1,
+				position: [0, 0] as [number, number],
+			},
+		],
+	};
+
+	await Db.collections.Workflow.save(workflowDetails);
+
+	const testAudit = await audit(['credentials']);
+
+	const section = getRiskSection(
+		testAudit,
+		CREDENTIALS_REPORT.RISK,
+		CREDENTIALS_REPORT.SECTIONS.CREDS_NOT_IN_ACTIVE_USE,
+	);
+
+	expect(section.location).toHaveLength(1);
+	expect(section.location[0]).toMatchObject({
+		id: credential.id,
+		name: 'My Slack Credential',
+	});
+});
+
+test('should report credential in not recently executed workflow', async () => {
+	const credentialDetails = {
+		name: 'My Slack Credential',
+		data: 'U2FsdGVkX18WjITBG4IDqrGB1xE/uzVNjtwDAG3lP7E=',
+		type: 'slackApi',
+		nodesAccess: [{ nodeType: 'n8n-nodes-base.slack', date: '2022-12-21T11:23:00.561Z' }],
+	};
+
+	const credential = await Db.collections.Credentials.save(credentialDetails);
+
+	const workflowDetails = {
+		name: 'My Test Workflow',
+		active: false,
+		connections: {},
+		nodeTypes: {},
+		nodes: [
+			{
+				id: uuid(),
+				name: 'My Node',
+				type: 'n8n-nodes-base.slack',
+				typeVersion: 1,
+				position: [0, 0] as [number, number],
+				credentials: {
+					slackApi: {
+						id: credential.id,
+						name: credential.name,
+					},
+				},
+			},
+		],
+	};
+
+	const workflow = await Db.collections.Workflow.save(workflowDetails);
+
+	const date = new Date();
+	date.setDate(date.getDate() - config.getEnv('security.audit.daysAbandonedWorkflow') - 1);
+
+	await Db.collections.Execution.save({
+		data: '[]',
+		finished: true,
+		mode: 'manual',
+		startedAt: date,
+		stoppedAt: date,
+		workflowData: workflow,
+		workflowId: workflow.id,
+		waitTill: null,
+	});
+
+	const testAudit = await audit(['credentials']);
+
+	const section = getRiskSection(
+		testAudit,
+		CREDENTIALS_REPORT.RISK,
+		CREDENTIALS_REPORT.SECTIONS.CREDS_NOT_RECENTLY_EXECUTED,
+	);
+
+	expect(section.location).toHaveLength(1);
+	expect(section.location[0]).toMatchObject({
+		id: credential.id,
+		name: credential.name,
+	});
+});
+
+test('should not report credentials in recently executed workflow', async () => {
+	const credentialDetails = {
+		name: 'My Slack Credential',
+		data: 'U2FsdGVkX18WjITBG4IDqrGB1xE/uzVNjtwDAG3lP7E=',
+		type: 'slackApi',
+		nodesAccess: [{ nodeType: 'n8n-nodes-base.slack', date: '2022-12-21T11:23:00.561Z' }],
+	};
+
+	const credential = await Db.collections.Credentials.save(credentialDetails);
+
+	const workflowDetails = {
+		name: 'My Test Workflow',
+		active: true,
+		connections: {},
+		nodeTypes: {},
+		nodes: [
+			{
+				id: uuid(),
+				name: 'My Node',
+				type: 'n8n-nodes-base.slack',
+				typeVersion: 1,
+				position: [0, 0] as [number, number],
+				credentials: {
+					slackApi: {
+						id: credential.id,
+						name: credential.name,
+					},
+				},
+			},
+		],
+	};
+
+	const workflow = await Db.collections.Workflow.save(workflowDetails);
+
+	const date = new Date();
+	date.setDate(date.getDate() - config.getEnv('security.audit.daysAbandonedWorkflow') + 1);
+
+	await Db.collections.Execution.save({
+		data: '[]',
+		finished: true,
+		mode: 'manual',
+		startedAt: date,
+		stoppedAt: date,
+		workflowData: workflow,
+		workflowId: workflow.id,
+		waitTill: null,
+	});
+
+	const testAudit = await audit(['credentials']);
+
+	expect(testAudit).toBeEmptyArray();
+});