feat: RBAC (#8922)

Signed-off-by: Oleg Ivaniv <me@olegivaniv.com> Co-authored-by: Val <68596159+valya@users.noreply.github.com> Co-authored-by: कारतोफ्फेलस्क्रिप्ट™ <aditya@netroy.in> Co-authored-by: Valya Bullions <valya@n8n.io> Co-authored-by: Danny Martini <danny@n8n.io> Co-authored-by: Danny Martini <despair.blue@gmail.com> Co-authored-by: Iván Ovejero <ivov.src@gmail.com> Co-authored-by: Omar Ajoue <krynble@gmail.com> Co-authored-by: oleg <me@olegivaniv.com> Co-authored-by: Michael Kret <michael.k@radency.com> Co-authored-by: Michael Kret <88898367+michael-radency@users.noreply.github.com> Co-authored-by: Elias Meire <elias@meire.dev> Co-authored-by: Giulio Andreini <andreini@netseven.it> Co-authored-by: Giulio Andreini <g.andreini@gmail.com> Co-authored-by: Ayato Hayashi <go12limchangyong@gmail.com>
2024-05-17 10:53:15 +02:00
parent b1f977ebd0
commit 596c472ecc
292 changed files with 14129 additions and 3989 deletions
--- a/packages/cli/test/unit/repositories/sharedCredentials.repository.test.ts
+++ b/packages/cli/test/unit/repositories/sharedCredentials.repository.test.ts
@@ -1,4 +1,5 @@
 import { Container } from 'typedi';
+import { In } from '@n8n/typeorm';
 import { mock } from 'jest-mock-extended';
 import { hasScope } from '@n8n/permissions';

@@ -6,7 +7,7 @@ import type { User } from '@db/entities/User';
 import type { CredentialsEntity } from '@db/entities/CredentialsEntity';
 import { SharedCredentials } from '@db/entities/SharedCredentials';
 import { SharedCredentialsRepository } from '@db/repositories/sharedCredentials.repository';
-import { memberPermissions, ownerPermissions } from '@/permissions/roles';
+import { GLOBAL_MEMBER_SCOPES, GLOBAL_OWNER_SCOPES } from '@/permissions/global-roles';
 import { mockEntityManager } from '../../shared/mocking';

 describe('SharedCredentialsRepository', () => {
@@ -21,7 +22,7 @@ describe('SharedCredentialsRepository', () => {
 			isOwner: true,
 			hasGlobalScope: (scope) =>
 				hasScope(scope, {
-					global: ownerPermissions,
+					global: GLOBAL_OWNER_SCOPES,
 				}),
 		});
 		const member = mock<User>({
@@ -29,7 +30,7 @@ describe('SharedCredentialsRepository', () => {
 			id: 'test',
 			hasGlobalScope: (scope) =>
 				hasScope(scope, {
-					global: memberPermissions,
+					global: GLOBAL_MEMBER_SCOPES,
 				}),
 		});

@@ -39,9 +40,11 @@ describe('SharedCredentialsRepository', () => {

 		test('should allow instance owner access to all credentials', async () => {
 			entityManager.findOne.mockResolvedValueOnce(sharedCredential);
-			const credential = await repository.findCredentialForUser(credentialsId, owner);
+			const credential = await repository.findCredentialForUser(credentialsId, owner, [
+				'credential:read',
+			]);
 			expect(entityManager.findOne).toHaveBeenCalledWith(SharedCredentials, {
-				relations: ['credentials'],
+				relations: { credentials: { shared: { project: { projectRelations: { user: true } } } } },
 				where: { credentialsId },
 			});
 			expect(credential).toEqual(sharedCredential.credentials);
@@ -49,20 +52,42 @@ describe('SharedCredentialsRepository', () => {

 		test('should allow members', async () => {
 			entityManager.findOne.mockResolvedValueOnce(sharedCredential);
-			const credential = await repository.findCredentialForUser(credentialsId, member);
+			const credential = await repository.findCredentialForUser(credentialsId, member, [
+				'credential:read',
+			]);
 			expect(entityManager.findOne).toHaveBeenCalledWith(SharedCredentials, {
-				relations: ['credentials'],
-				where: { credentialsId, userId: member.id },
+				relations: { credentials: { shared: { project: { projectRelations: { user: true } } } } },
+				where: {
+					credentialsId,
+					role: In(['credential:owner', 'credential:user']),
+					project: {
+						projectRelations: {
+							role: In(['project:admin', 'project:personalOwner', 'project:editor']),
+							userId: member.id,
+						},
+					},
+				},
 			});
 			expect(credential).toEqual(sharedCredential.credentials);
 		});

 		test('should return null when no shared credential is found', async () => {
 			entityManager.findOne.mockResolvedValueOnce(null);
-			const credential = await repository.findCredentialForUser(credentialsId, member);
+			const credential = await repository.findCredentialForUser(credentialsId, member, [
+				'credential:read',
+			]);
 			expect(entityManager.findOne).toHaveBeenCalledWith(SharedCredentials, {
-				relations: ['credentials'],
-				where: { credentialsId, userId: member.id },
+				relations: { credentials: { shared: { project: { projectRelations: { user: true } } } } },
+				where: {
+					credentialsId,
+					role: In(['credential:owner', 'credential:user']),
+					project: {
+						projectRelations: {
+							role: In(['project:admin', 'project:personalOwner', 'project:editor']),
+							userId: member.id,
+						},
+					},
+				},
 			});
 			expect(credential).toEqual(null);
 		});