feat: Add initial scope checks via decorators (#7737)

packages/@n8n/permissions/src/types.ts

@@ -6,7 +6,14 @@ export type Resource =
 	| 'credential'
 	| 'variable'
 	| 'sourceControl'
-	| 'externalSecretsStore';
+	| 'externalSecretsProvider'
+	| 'externalSecret'
+	| 'eventBusEvent'
+	| 'eventBusDestination'
+	| 'orchestration'
+	| 'communityPackage'
+	| 'ldap'
+	| 'saml';
 
 export type ResourceScope<
 	R extends Resource,
@@ -17,14 +24,27 @@ export type WildcardScope = `${Resource}:*` | '*';
 
 export type WorkflowScope = ResourceScope<'workflow', DefaultOperations | 'share'>;
 export type TagScope = ResourceScope<'tag'>;
-export type UserScope = ResourceScope<'user'>;
+export type UserScope = ResourceScope<'user', DefaultOperations | 'resetPassword'>;
 export type CredentialScope = ResourceScope<'credential', DefaultOperations | 'share'>;
 export type VariableScope = ResourceScope<'variable'>;
 export type SourceControlScope = ResourceScope<'sourceControl', 'pull' | 'push' | 'manage'>;
-export type ExternalSecretStoreScope = ResourceScope<
-	'externalSecretsStore',
-	DefaultOperations | 'refresh'
+export type ExternalSecretProviderScope = ResourceScope<
+	'externalSecretsProvider',
+	DefaultOperations | 'sync'
 >;
+export type ExternalSecretScope = ResourceScope<'externalSecret', 'list'>;
+export type EventBusEventScope = ResourceScope<'eventBusEvent', DefaultOperations | 'query'>;
+export type EventBusDestinationScope = ResourceScope<
+	'eventBusDestination',
+	DefaultOperations | 'test'
+>;
+export type OrchestrationScope = ResourceScope<'orchestration', 'read' | 'list'>;
+export type CommunityPackageScope = ResourceScope<
+	'communityPackage',
+	'install' | 'uninstall' | 'update' | 'list'
+>;
+export type LdapScope = ResourceScope<'ldap', 'manage' | 'sync'>;
+export type SamlScope = ResourceScope<'saml', 'manage'>;
 
 export type Scope =
 	| WorkflowScope
@@ -33,7 +53,14 @@ export type Scope =
 	| CredentialScope
 	| VariableScope
 	| SourceControlScope
-	| ExternalSecretStoreScope;
+	| ExternalSecretProviderScope
+	| ExternalSecretScope
+	| EventBusEventScope
+	| EventBusDestinationScope
+	| OrchestrationScope
+	| CommunityPackageScope
+	| LdapScope
+	| SamlScope;
 
 export type ScopeLevel = 'global' | 'project' | 'resource';
 export type GetScopeLevel<T extends ScopeLevel> = Record<T, Scope[]>;

packages/cli/src/ExternalSecrets/ExternalSecrets.controller.ee.ts

@@ -1,4 +1,4 @@
-import { Authorized, Get, Post, RestController } from '@/decorators';
+import { Authorized, Get, Post, RestController, RequireGlobalScope } from '@/decorators';
 import { ExternalSecretsRequest } from '@/requests';
 import { Response } from 'express';
 import { Service } from 'typedi';
@@ -7,17 +7,19 @@ import { ExternalSecretsProviderNotFoundError } from '@/errors/external-secrets-
 import { NotFoundError } from '@/errors/response-errors/not-found.error';
 
 @Service()
-@Authorized(['global', 'owner'])
+@Authorized()
 @RestController('/external-secrets')
 export class ExternalSecretsController {
 	constructor(private readonly secretsService: ExternalSecretsService) {}
 
 	@Get('/providers')
+	@RequireGlobalScope('externalSecretsProvider:list')
 	async getProviders() {
 		return this.secretsService.getProviders();
 	}
 
 	@Get('/providers/:provider')
+	@RequireGlobalScope('externalSecretsProvider:read')
 	async getProvider(req: ExternalSecretsRequest.GetProvider) {
 		const providerName = req.params.provider;
 		try {
@@ -31,6 +33,7 @@ export class ExternalSecretsController {
 	}
 
 	@Post('/providers/:provider/test')
+	@RequireGlobalScope('externalSecretsProvider:read')
 	async testProviderSettings(req: ExternalSecretsRequest.TestProviderSettings, res: Response) {
 		const providerName = req.params.provider;
 		try {
@@ -50,6 +53,7 @@ export class ExternalSecretsController {
 	}
 
 	@Post('/providers/:provider')
+	@RequireGlobalScope('externalSecretsProvider:create')
 	async setProviderSettings(req: ExternalSecretsRequest.SetProviderSettings) {
 		const providerName = req.params.provider;
 		try {
@@ -64,6 +68,7 @@ export class ExternalSecretsController {
 	}
 
 	@Post('/providers/:provider/connect')
+	@RequireGlobalScope('externalSecretsProvider:update')
 	async setProviderConnected(req: ExternalSecretsRequest.SetProviderConnected) {
 		const providerName = req.params.provider;
 		try {
@@ -78,6 +83,7 @@ export class ExternalSecretsController {
 	}
 
 	@Post('/providers/:provider/update')
+	@RequireGlobalScope('externalSecretsProvider:sync')
 	async updateProvider(req: ExternalSecretsRequest.UpdateProvider, res: Response) {
 		const providerName = req.params.provider;
 		try {
@@ -97,6 +103,7 @@ export class ExternalSecretsController {
 	}
 
 	@Get('/secrets')
+	@RequireGlobalScope('externalSecret:list')
 	getSecretNames() {
 		return this.secretsService.getAllSecrets();
 	}

packages/cli/src/Server.ts

@@ -288,6 +288,7 @@ export class Server extends AbstractServer {
 			Container.get(OrchestrationController),
 			Container.get(WorkflowHistoryController),
 			Container.get(BinaryDataController),
+			Container.get(VariablesController),
 			new InvitationController(
 				config,
 				logger,

packages/cli/src/controllers/communityPackages.controller.ts

@@ -6,7 +6,16 @@ import {
 	STARTER_TEMPLATE_NAME,
 	UNKNOWN_FAILURE_REASON,
 } from '@/constants';
-import { Authorized, Delete, Get, Middleware, Patch, Post, RestController } from '@/decorators';
+import {
+	Authorized,
+	Delete,
+	Get,
+	Middleware,
+	Patch,
+	Post,
+	RestController,
+	RequireGlobalScope,
+} from '@/decorators';
 import { NodeRequest } from '@/requests';
 import type { InstalledPackages } from '@db/entities/InstalledPackages';
 import type { CommunityPackages } from '@/Interfaces';
@@ -34,7 +43,7 @@ export function isNpmError(error: unknown): error is { code: number; stdout: str
 }
 
 @Service()
-@Authorized(['global', 'owner'])
+@Authorized()
 @RestController('/community-packages')
 export class CommunityPackagesController {
 	constructor(
@@ -55,6 +64,7 @@ export class CommunityPackagesController {
 	}
 
 	@Post('/')
+	@RequireGlobalScope('communityPackage:install')
 	async installPackage(req: NodeRequest.Post) {
 		const { name } = req.body;
 
@@ -151,6 +161,7 @@ export class CommunityPackagesController {
 	}
 
 	@Get('/')
+	@RequireGlobalScope('communityPackage:list')
 	async getInstalledPackages() {
 		const installedPackages = await this.communityPackagesService.getAllInstalledPackages();
 
@@ -185,6 +196,7 @@ export class CommunityPackagesController {
 	}
 
 	@Delete('/')
+	@RequireGlobalScope('communityPackage:uninstall')
 	async uninstallPackage(req: NodeRequest.Delete) {
 		const { name } = req.query;
 
@@ -236,6 +248,7 @@ export class CommunityPackagesController {
 	}
 
 	@Patch('/')
+	@RequireGlobalScope('communityPackage:update')
 	async updatePackage(req: NodeRequest.Update) {
 		const { name } = req.body;
 

packages/cli/src/controllers/invitation.controller.ts

@@ -1,6 +1,6 @@
 import { In } from 'typeorm';
 import Container, { Service } from 'typedi';
-import { Authorized, NoAuthRequired, Post, RestController } from '@/decorators';
+import { Authorized, NoAuthRequired, Post, RequireGlobalScope, RestController } from '@/decorators';
 import { issueCookie } from '@/auth/jwt';
 import { RESPONSE_ERROR_MESSAGES } from '@/constants';
 import { Response } from 'express';
@@ -19,6 +19,7 @@ import { BadRequestError } from '@/errors/response-errors/bad-request.error';
 import { UnauthorizedError } from '@/errors/response-errors/unauthorized.error';
 
 @Service()
+@Authorized()
 @RestController('/invitations')
 export class InvitationController {
 	constructor(
@@ -34,8 +35,8 @@ export class InvitationController {
 	 * Send email invite(s) to one or multiple users and create user shell(s).
 	 */
 
-	@Authorized(['global', 'owner'])
 	@Post('/')
+	@RequireGlobalScope('user:create')
 	async inviteUser(req: UserRequest.Invite) {
 		const isWithinUsersLimit = Container.get(License).isWithinUsersLimit();
 

packages/cli/src/controllers/ldap.controller.ts

@@ -1,5 +1,5 @@
 import pick from 'lodash/pick';
-import { Authorized, Get, Post, Put, RestController } from '@/decorators';
+import { Authorized, Get, Post, Put, RestController, RequireGlobalScope } from '@/decorators';
 import { getLdapConfig, getLdapSynchronizations, updateLdapConfig } from '@/Ldap/helpers';
 import { LdapService } from '@/Ldap/LdapService.ee';
 import { LdapSync } from '@/Ldap/LdapSync.ee';
@@ -8,7 +8,7 @@ import { NON_SENSIBLE_LDAP_CONFIG_PROPERTIES } from '@/Ldap/constants';
 import { InternalHooks } from '@/InternalHooks';
 import { BadRequestError } from '@/errors/response-errors/bad-request.error';
 
-@Authorized(['global', 'owner'])
+@Authorized()
 @RestController('/ldap')
 export class LdapController {
 	constructor(
@@ -18,11 +18,13 @@ export class LdapController {
 	) {}
 
 	@Get('/config')
+	@RequireGlobalScope('ldap:manage')
 	async getConfig() {
 		return getLdapConfig();
 	}
 
 	@Post('/test-connection')
+	@RequireGlobalScope('ldap:manage')
 	async testConnection() {
 		try {
 			await this.ldapService.testConnection();
@@ -32,6 +34,7 @@ export class LdapController {
 	}
 
 	@Put('/config')
+	@RequireGlobalScope('ldap:manage')
 	async updateConfig(req: LdapConfiguration.Update) {
 		try {
 			await updateLdapConfig(req.body);
@@ -50,12 +53,14 @@ export class LdapController {
 	}
 
 	@Get('/sync')
+	@RequireGlobalScope('ldap:sync')
 	async getLdapSync(req: LdapConfiguration.GetSync) {
 		const { page = '0', perPage = '20' } = req.query;
 		return getLdapSynchronizations(parseInt(page, 10), parseInt(perPage, 10));
 	}
 
 	@Post('/sync')
+	@RequireGlobalScope('ldap:sync')
 	async syncLdap(req: LdapConfiguration.Sync) {
 		try {
 			await this.ldapSync.run(req.body.type);

packages/cli/src/controllers/orchestration.controller.ts

@@ -1,10 +1,10 @@
-import { Authorized, Post, RestController } from '@/decorators';
+import { Authorized, Post, RestController, RequireGlobalScope } from '@/decorators';
 import { OrchestrationRequest } from '@/requests';
 import { Service } from 'typedi';
 import { SingleMainSetup } from '@/services/orchestration/main/SingleMainSetup';
 import { License } from '../License';
 
-@Authorized('any')
+@Authorized()
 @RestController('/orchestration')
 @Service()
 export class OrchestrationController {
@@ -17,19 +17,22 @@ export class OrchestrationController {
 	 * These endpoints do not return anything, they just trigger the messsage to
 	 * the workers to respond on Redis with their status.
 	 */
+	@RequireGlobalScope('orchestration:read')
 	@Post('/worker/status/:id')
 	async getWorkersStatus(req: OrchestrationRequest.Get) {
 		if (!this.licenseService.isWorkerViewLicensed()) return;
 		const id = req.params.id;
 		return this.singleMainSetup.getWorkerStatus(id);
 	}
 
+	@RequireGlobalScope('orchestration:read')
 	@Post('/worker/status')
 	async getWorkersStatusAll() {
 		if (!this.licenseService.isWorkerViewLicensed()) return;
 		return this.singleMainSetup.getWorkerStatus();
 	}
 
+	@RequireGlobalScope('orchestration:list')
 	@Post('/worker/ids')
 	async getWorkerIdsAll() {
 		if (!this.licenseService.isWorkerViewLicensed()) return;

packages/cli/src/controllers/tags.controller.ts

@@ -1,6 +1,15 @@
 import { Request, Response, NextFunction } from 'express';
 import config from '@/config';
-import { Authorized, Delete, Get, Middleware, Patch, Post, RestController } from '@/decorators';
+import {
+	Authorized,
+	Delete,
+	Get,
+	Middleware,
+	Patch,
+	Post,
+	RestController,
+	RequireGlobalScope,
+} from '@/decorators';
 import { TagService } from '@/services/tag.service';
 import { TagsRequest } from '@/requests';
 import { Service } from 'typedi';
@@ -23,26 +32,29 @@ export class TagsController {
 	}
 
 	@Get('/')
+	@RequireGlobalScope('tag:list')
 	async getAll(req: TagsRequest.GetAll) {
 		return this.tagService.getAll({ withUsageCount: req.query.withUsageCount === 'true' });
 	}
 
 	@Post('/')
+	@RequireGlobalScope('tag:create')
 	async createTag(req: TagsRequest.Create) {
 		const tag = this.tagService.toEntity({ name: req.body.name });
 
 		return this.tagService.save(tag, 'create');
 	}
 
 	@Patch('/:id(\\w+)')
+	@RequireGlobalScope('tag:update')
 	async updateTag(req: TagsRequest.Update) {
 		const newTag = this.tagService.toEntity({ id: req.params.id, name: req.body.name.trim() });
 
 		return this.tagService.save(newTag, 'update');
 	}
 
-	@Authorized(['global', 'owner'])
 	@Delete('/:id(\\w+)')
+	@RequireGlobalScope('tag:delete')
 	async deleteTag(req: TagsRequest.Delete) {
 		const { id } = req.params;