// TypeScript-emitted helper that applies an array of decorators to a class
// (two arguments) or to a class member (three or four arguments).
// An already-defined `this.__decorate` is reused when one is present.
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
// c: how many arguments were passed. r: the value being decorated, which is `target`
// for fewer than three arguments, otherwise the property descriptor (read from
// `target` via getOwnPropertyDescriptor when `desc` is null).
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
// Delegate to Reflect.decorate when the runtime provides one.
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
// Otherwise apply the decorators from last to first; a decorator that returns a
// falsy value leaves the current `r` in place.
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
// With four arguments and a truthy result, install `r` as the property descriptor; `r` is returned either way.
return c > 3 && r && Object.defineProperty(target, key, r), r;
};
// TypeScript-emitted helper: builds a metadata decorator through Reflect.metadata
// when the runtime provides it, and yields undefined otherwise.
// An already-defined `this.__metadata` is reused when one is present.
var __metadata = (this && this.__metadata) || function (k, v) {
    var canAttachMetadata = typeof Reflect === "object" && typeof Reflect.metadata === "function";
    if (!canAttachMetadata) {
        return undefined;
    }
    return Reflect.metadata(k, v);
};
// TypeScript-emitted interop helper: a module flagged with `__esModule` is returned
// unchanged; anything else is wrapped so it can be read through `.default`.
// An already-defined `this.__importDefault` is reused when one is present.
var __importDefault = (this && this.__importDefault) || function (mod) {
    if (mod && mod.__esModule) {
        return mod;
    }
    return { "default": mod };
};
// Flag this CommonJS module with `__esModule`, the marker that interop helpers such as
// __importDefault test before wrapping a module in `{ default: ... }`.
Object.defineProperty(exports, "__esModule", { value: true });
// Placeholder export; the class is assigned to it after the class definition below.
exports.PermissionChecker = void 0;
const typedi_1 = require("typedi");
const n8n_workflow_1 = require("n8n-workflow");
const config_1 = __importDefault(require("../config"));
const License_1 = require("../License");
const ownership_service_1 = require("../services/ownership.service");
const sharedCredentials_repository_1 = require("../databases/repositories/sharedCredentials.repository");
const project_service_1 = require("../services/project.service");
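/**
 * Authorisation checks around workflow execution: whether the credentials a
 * workflow's nodes reference are accessible to the projects the workflow is in,
 * and whether a sub-workflow's caller policy permits a given parent workflow.
 *
 * Both checks signal denial by throwing; returning normally means "allowed".
 */
let PermissionChecker = class PermissionChecker {
    constructor(sharedCredentialsRepository, ownershipService, license, projectService) {
        this.sharedCredentialsRepository = sharedCredentialsRepository;
        this.ownershipService = ownershipService;
        this.license = license;
        this.projectService = projectService;
    }

    /**
     * Ensure every credential referenced by the enabled nodes is accessible to
     * the workflow's projects.
     *
     * @param workflowId ID of the workflow being checked.
     * @param nodes Nodes of that workflow; disabled nodes are ignored.
     * @returns {Promise<void>} Resolves when access is permitted.
     * @throws CredentialAccessError for the first credential ID missing from the
     *   accessible set, flagging the first node that uses it.
     * @throws NodeOperationError when an enabled node has a credential without an ID.
     */
    async check(workflowId, nodes) {
        const homeProject = await this.ownershipService.getWorkflowProjectCached(workflowId);
        const homeProjectOwner = await this.ownershipService.getProjectOwnerCached(homeProject.id);
        // Deliberate bypass: a personal project whose owner holds the global
        // `credential:list` scope skips the per-credential check entirely.
        // The owner lookup is only consulted for personal projects (short-circuit).
        if (homeProject.type === 'personal' &&
            homeProjectOwner !== null &&
            homeProjectOwner !== undefined &&
            homeProjectOwner.hasGlobalScope('credential:list')) {
            return;
        }
        const projectIds = await this.projectService.findProjectsWorkflowIsIn(workflowId);
        const credIdsToNodes = this.mapCredIdsToNodes(nodes);
        const workflowCredIds = Object.keys(credIdsToNodes);
        if (workflowCredIds.length === 0) {
            return;
        }
        // Presumably returns the subset of `workflowCredIds` usable from `projectIds`;
        // confirm against the repository implementation.
        const accessible = await this.sharedCredentialsRepository.getFilteredAccessibleCredentials(projectIds, workflowCredIds);
        const accessibleIds = new Set(accessible);
        const deniedId = workflowCredIds.find((credentialsId) => !accessibleIds.has(credentialsId));
        if (deniedId !== undefined) {
            const nodeToFlag = credIdsToNodes[deniedId][0];
            throw new n8n_workflow_1.CredentialAccessError(nodeToFlag, deniedId, workflowId);
        }
    }

    /**
     * Enforce the sub-workflow's caller policy against the parent workflow.
     *
     * The policy is read from `subworkflow.settings.callerPolicy`, falling back
     * to the `workflows.callerPolicyDefaultOption` config value, and is forced
     * to `workflowsFromSameOwner` when sharing is not licensed.
     *
     * @param subworkflow Workflow about to be called; one without an `id` is not checked.
     * @param parentWorkflowId ID of the calling workflow.
     * @param node Node passed to the error for reporting.
     * @returns {Promise<void>} Resolves when the call is permitted.
     * @throws WorkflowOperationError when the policy denies the call.
     */
    async checkSubworkflowExecutePolicy(subworkflow, parentWorkflowId, node) {
        if (!subworkflow.id) {
            return;
        }
        const settings = subworkflow.settings;
        const hasSettings = settings !== null && settings !== undefined;
        const configuredPolicy = hasSettings ? settings.callerPolicy : undefined;
        let policy = configuredPolicy !== null && configuredPolicy !== undefined
            ? configuredPolicy
            : config_1.default.getEnv('workflows.callerPolicyDefaultOption');
        if (!this.license.isSharingEnabled()) {
            policy = 'workflowsFromSameOwner';
        }
        // NOTE(review): parentWorkflowId is only tested for undefined inside the
        // allow-list branch, yet it is passed to the lookup here first; confirm
        // getWorkflowProjectCached tolerates an undefined ID.
        const parentProject = await this.ownershipService.getWorkflowProjectCached(parentWorkflowId);
        const subworkflowProject = await this.ownershipService.getWorkflowProjectCached(subworkflow.id);
        const sameProject = subworkflowProject.id === parentProject.id;
        const description = sameProject
            ? 'Change the settings of the sub-workflow so it can be called by this one.'
            : `An admin for the ${subworkflowProject.name} project can make this change. You may need to tell them the ID of the sub-workflow, which is ${subworkflow.id}`;
        const errorToThrow = new n8n_workflow_1.WorkflowOperationError(`Target workflow ID ${subworkflow.id} may not be called`, node, description);
        if (policy === 'none') {
            throw errorToThrow;
        }
        if (policy === 'workflowsFromAList') {
            if (parentWorkflowId === undefined) {
                throw errorToThrow;
            }
            // Missing settings or a missing callerIds string means an empty allow-list,
            // so the call is denied with the policy error rather than a TypeError
            // (reachable when this policy comes from the config default).
            const callerIds = hasSettings ? settings.callerIds : undefined;
            const allowedCallerIds = callerIds !== null && callerIds !== undefined
                ? callerIds.split(',').map((id) => id.trim()).filter((id) => id !== '')
                : [];
            if (!allowedCallerIds.includes(parentWorkflowId)) {
                throw errorToThrow;
            }
        }
        if (policy === 'workflowsFromSameOwner' && !sameProject) {
            throw errorToThrow;
        }
        // NOTE(review): any policy value not matched above falls through and the
        // call is allowed. Confirm that policy values are validated where they are
        // stored or configured, so an unrecognised string cannot reach this point.
    }

    /**
     * Group the enabled nodes by the credential IDs they reference.
     *
     * IDs are collected in a Map and converted to a plain object at the end, so
     * an ID that matches an inherited Object.prototype property name (for
     * example `constructor`) is stored as ordinary data instead of colliding
     * with the inherited property and raising a TypeError.
     *
     * @param nodes Workflow nodes; disabled nodes and nodes without credentials are skipped.
     * @returns {Object} Credential ID mapped to the array of nodes using it, in node order.
     * @throws NodeOperationError when a credential entry has no `id`.
     */
    mapCredIdsToNodes(nodes) {
        const nodesByCredId = new Map();
        for (const node of nodes) {
            if (node.disabled || !node.credentials) {
                continue;
            }
            for (const cred of Object.values(node.credentials)) {
                if (!cred.id) {
                    throw new n8n_workflow_1.NodeOperationError(node, 'Node uses invalid credential', {
                        description: 'Please recreate the credential.',
                        level: 'warning',
                    });
                }
                // Object keys are strings, so normalise before grouping.
                const credId = String(cred.id);
                const users = nodesByCredId.get(credId);
                if (users === undefined) {
                    nodesByCredId.set(credId, [node]);
                }
                else {
                    users.push(node);
                }
            }
        }
        return Object.fromEntries(nodesByCredId);
    }
};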
// Export the class as defined, then replace both the local binding and the export
// with whatever __decorate returns for the decorator list below.
exports.PermissionChecker = PermissionChecker;
exports.PermissionChecker = PermissionChecker = __decorate([
// typedi's Service() decorator, called with no arguments.
(0, typedi_1.Service)(),
// "design:paramtypes" metadata: the constructor parameter types, listed in the same
// order as the constructor's parameters.
__metadata("design:paramtypes", [sharedCredentials_repository_1.SharedCredentialsRepository,
ownership_service_1.OwnershipService,
License_1.License,
project_service_1.ProjectService])
], PermissionChecker);
//# sourceMappingURL=PermissionChecker.js.map
;