UNPKG

n8n

Version:

n8n Workflow Automation Tool

n8n.io

n8n-io/n8n

132 lines 6.56 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
"use strict"; var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) { var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d; if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc); else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r; return c > 3 && r && Object.defineProperty(target, key, r), r; }; var __metadata = (this && this.__metadata) || function (k, v) { if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v); }; Object.defineProperty(exports, "__esModule", { value: true }); exports.CredentialsRiskReporter = void 0; const config_1 = require("@n8n/config"); const di_1 = require("@n8n/di"); const credentials_repository_1 = require("../../databases/repositories/credentials.repository"); const execution_data_repository_1 = require("../../databases/repositories/execution-data.repository"); const execution_repository_1 = require("../../databases/repositories/execution.repository"); const constants_1 = require("../../security-audit/constants"); let CredentialsRiskReporter = class CredentialsRiskReporter { constructor(credentialsRepository, executionRepository, executionDataRepository, securityConfig) { this.credentialsRepository = credentialsRepository; this.executionRepository = executionRepository; this.executionDataRepository = executionDataRepository; this.securityConfig = securityConfig; } async report(workflows) { const days = this.securityConfig.daysAbandonedWorkflow; const allExistingCreds = await this.getAllExistingCreds(); const { credsInAnyUse, credsInActiveUse } = await this.getAllCredsInUse(workflows); const recentlyExecutedCreds = await this.getCredsInRecentlyExecutedWorkflows(days); const credsNotInAnyUse = allExistingCreds.filter((c) => !credsInAnyUse.has(c.id)); const credsNotInActiveUse = allExistingCreds.filter((c) => !credsInActiveUse.has(c.id)); const credsNotRecentlyExecuted = allExistingCreds.filter((c) => !recentlyExecutedCreds.has(c.id)); const issues = [credsNotInAnyUse, credsNotInActiveUse, credsNotRecentlyExecuted]; if (issues.every((i) => i.length === 0)) return null; const report = { risk: constants_1.CREDENTIALS_REPORT.RISK, sections: [], }; const hint = 'Keeping unused credentials in your instance is an unneeded security risk.'; const recommendation = 'Consider deleting these credentials if you no longer need them.'; const sentenceStart = ({ length }) => length > 1 ? 'These credentials are' : 'This credential is'; if (credsNotInAnyUse.length > 0) { report.sections.push({ title: constants_1.CREDENTIALS_REPORT.SECTIONS.CREDS_NOT_IN_ANY_USE, description: [sentenceStart(credsNotInAnyUse), 'not used in any workflow.', hint].join(' '), recommendation, location: credsNotInAnyUse, }); } if (credsNotInActiveUse.length > 0) { report.sections.push({ title: constants_1.CREDENTIALS_REPORT.SECTIONS.CREDS_NOT_IN_ACTIVE_USE, description: [ sentenceStart(credsNotInActiveUse), 'not used in active workflows.', hint, ].join(' '), recommendation, location: credsNotInActiveUse, }); } if (credsNotRecentlyExecuted.length > 0) { report.sections.push({ title: constants_1.CREDENTIALS_REPORT.SECTIONS.CREDS_NOT_RECENTLY_EXECUTED, description: [ sentenceStart(credsNotRecentlyExecuted), `not used in recently executed workflows, i.e. workflows executed in the past ${days} days.`, hint, ].join(' '), recommendation, location: credsNotRecentlyExecuted, }); } return report; } async getAllCredsInUse(workflows) { const credsInAnyUse = new Set(); const credsInActiveUse = new Set(); workflows.forEach((workflow) => { workflow.nodes.forEach((node) => { if (!node.credentials) return; Object.values(node.credentials).forEach((cred) => { if (!cred?.id) return; credsInAnyUse.add(cred.id); if (workflow.active) credsInActiveUse.add(cred.id); }); }); }); return { credsInAnyUse, credsInActiveUse, }; } async getAllExistingCreds() { const credentials = await this.credentialsRepository.find({ select: ['id', 'name'] }); return credentials.map(({ id, name }) => ({ kind: 'credential', id, name })); } async getExecutedWorkflowsInPastDays(days) { const date = new Date(); date.setDate(date.getDate() - days); const executionIds = await this.executionRepository.getIdsSince(date); return await this.executionDataRepository.findByExecutionIds(executionIds); } async getCredsInRecentlyExecutedWorkflows(days) { const executedWorkflows = await this.getExecutedWorkflowsInPastDays(days); return executedWorkflows.reduce((acc, { nodes }) => { nodes.forEach((node) => { if (node.credentials) { Object.values(node.credentials).forEach((c) => { if (c.id) acc.add(c.id); }); } }); return acc; }, new Set()); } }; exports.CredentialsRiskReporter = CredentialsRiskReporter; exports.CredentialsRiskReporter = CredentialsRiskReporter = __decorate([ (0, di_1.Service)(), __metadata("design:paramtypes", [credentials_repository_1.CredentialsRepository, execution_repository_1.ExecutionRepository, execution_data_repository_1.ExecutionDataRepository, config_1.SecurityConfig]) ], CredentialsRiskReporter); //# sourceMappingURL=credentials-risk-reporter.js.map