feat: External Secrets storage for credentials (#6477)

Github issue / Community forum post (link here to close automatically): --------- Co-authored-by: Romain Minaud <romain.minaud@gmail.com> Co-authored-by: Valya Bullions <valya@n8n.io> Co-authored-by: Csaba Tuncsik <csaba@n8n.io> Co-authored-by: Giulio Andreini <g.andreini@gmail.com> Co-authored-by: Omar Ajoue <krynble@gmail.com>
n8n-io · Aug 25, 2023 · ed927d3 · ed927d3
1 parent c833078
commit ed927d3
Show file tree

Hide file tree

Showing 89 changed files with 4,164 additions and 57 deletions.
diff --git a/packages/cli/package.json b/packages/cli/package.json
@@ -139,6 +139,7 @@
     "formidable": "^3.5.0",
     "google-timezones-json": "^1.1.0",
     "handlebars": "4.7.7",
+    "infisical-node": "^1.3.0",
     "inquirer": "^7.0.1",
     "ioredis": "^5.2.4",
     "json-diff": "^1.0.6",

diff --git a/packages/cli/src/CredentialsHelper.ts b/packages/cli/src/CredentialsHelper.ts
@@ -31,6 +31,7 @@ import type {
 	IHttpRequestHelper,
 	INodeTypeData,
 	INodeTypes,
+	IWorkflowExecuteAdditionalData,
 	ICredentialTestFunctions,
 } from 'n8n-workflow';
 import {
@@ -342,6 +343,7 @@ export class CredentialsHelper extends ICredentialsHelper {
 	 * @param {boolean} [raw] Return the data as supplied without defaults or overwrites
 	 */
 	async getDecrypted(
+		additionalData: IWorkflowExecuteAdditionalData,
 		nodeCredentials: INodeCredentialsDetails,
 		type: string,
 		mode: WorkflowExecuteMode,
@@ -356,24 +358,32 @@ export class CredentialsHelper extends ICredentialsHelper {
 			return decryptedDataOriginal;
 		}
 
+		await additionalData?.secretsHelpers?.waitForInit();
+
+		const canUseSecrets = await this.credentialOwnedByOwner(nodeCredentials);
+
 		return this.applyDefaultsAndOverwrites(
+			additionalData,
 			decryptedDataOriginal,
 			type,
 			mode,
 			defaultTimezone,
 			expressionResolveValues,
+			canUseSecrets,
 		);
 	}
 
 	/**
 	 * Applies credential default data and overwrites
 	 */
 	applyDefaultsAndOverwrites(
+		additionalData: IWorkflowExecuteAdditionalData,
 		decryptedDataOriginal: ICredentialDataDecryptedObject,
 		type: string,
 		mode: WorkflowExecuteMode,
 		defaultTimezone: string,
 		expressionResolveValues?: ICredentialsExpressionResolveValues,
+		canUseSecrets?: boolean,
 	): ICredentialDataDecryptedObject {
 		const credentialsProperties = this.getCredentialsProperties(type);
 
@@ -395,6 +405,10 @@ export class CredentialsHelper extends ICredentialsHelper {
 			decryptedData.oauthTokenData = decryptedDataOriginal.oauthTokenData;
 		}
 
+		const additionalKeys = NodeExecuteFunctions.getAdditionalKeys(additionalData, mode, null, {
+			secretsEnabled: canUseSecrets,
+		});
+
 		if (expressionResolveValues) {
 			const timezone = expressionResolveValues.workflow.settings.timezone ?? defaultTimezone;
 
@@ -408,7 +422,7 @@ export class CredentialsHelper extends ICredentialsHelper {
 					expressionResolveValues.connectionInputData,
 					mode,
 					timezone,
-					{},
+					additionalKeys,
 					undefined,
 					false,
 					decryptedData,
@@ -431,7 +445,7 @@ export class CredentialsHelper extends ICredentialsHelper {
 				decryptedData as INodeParameters,
 				mode,
 				defaultTimezone,
-				{},
+				additionalKeys,
 				undefined,
 				undefined,
 				decryptedData,
@@ -573,10 +587,24 @@ export class CredentialsHelper extends ICredentialsHelper {
 		}
 
 		if (credentialsDecrypted.data) {
-			credentialsDecrypted.data = CredentialsOverwrites().applyOverwrite(
-				credentialType,
-				credentialsDecrypted.data,
-			);
+			try {
+				const additionalData = await WorkflowExecuteAdditionalData.getBase(user.id);
+				credentialsDecrypted.data = this.applyDefaultsAndOverwrites(
+					additionalData,
+					credentialsDecrypted.data,
+					credentialType,
+					'internal' as WorkflowExecuteMode,
+					additionalData.timezone,
+					undefined,
+					user.isOwner,
+				);
+			} catch (error) {
+				Logger.debug('Credential test failed', error);
+				return {
+					status: 'Error',
+					message: error.message.toString(),
+				};
+			}
 		}
 
 		if (typeof credentialTestFunction === 'function') {
@@ -759,6 +787,36 @@ export class CredentialsHelper extends ICredentialsHelper {
 			message: 'Connection successful!',
 		};
 	}
+
+	async credentialOwnedByOwner(nodeCredential: INodeCredentialsDetails): Promise<boolean> {
+		if (!nodeCredential.id) {
+			return false;
+		}
+
+		const credential = await Db.collections.SharedCredentials.findOne({
+			where: {
+				role: {
+					scope: 'credential',
+					name: 'owner',
+				},
+				user: {
+					globalRole: {
+						scope: 'global',
+						name: 'owner',
+					},
+				},
+				credentials: {
+					id: nodeCredential.id,
+				},
+			},
+		});
+
+		if (!credential) {
+			return false;
+		}
+
+		return true;
+	}
 }
 
 /**

diff --git a/packages/cli/src/ExternalSecrets/ExternalSecrets.controller.ee.ts b/packages/cli/src/ExternalSecrets/ExternalSecrets.controller.ee.ts
@@ -0,0 +1,102 @@
+import { Authorized, Get, Post, RestController } from '@/decorators';
+import { ExternalSecretsRequest } from '@/requests';
+import { NotFoundError } from '@/ResponseHelper';
+import { Response } from 'express';
+import { Service } from 'typedi';
+import { ProviderNotFoundError, ExternalSecretsService } from './ExternalSecrets.service.ee';
+
+@Service()
+@Authorized(['global', 'owner'])
+@RestController('/external-secrets')
+export class ExternalSecretsController {
+	constructor(private readonly secretsService: ExternalSecretsService) {}
+
+	@Get('/providers')
+	async getProviders() {
+		return this.secretsService.getProviders();
+	}
+
+	@Get('/providers/:provider')
+	async getProvider(req: ExternalSecretsRequest.GetProvider) {
+		const providerName = req.params.provider;
+		try {
+			return this.secretsService.getProvider(providerName);
+		} catch (e) {
+			if (e instanceof ProviderNotFoundError) {
+				throw new NotFoundError(`Could not find provider "${e.providerName}"`);
+			}
+			throw e;
+		}
+	}
+
+	@Post('/providers/:provider/test')
+	async testProviderSettings(req: ExternalSecretsRequest.TestProviderSettings, res: Response) {
+		const providerName = req.params.provider;
+		try {
+			const result = await this.secretsService.testProviderSettings(providerName, req.body);
+			if (result.success) {
+				res.statusCode = 200;
+			} else {
+				res.statusCode = 400;
+			}
+			return result;
+		} catch (e) {
+			if (e instanceof ProviderNotFoundError) {
+				throw new NotFoundError(`Could not find provider "${e.providerName}"`);
+			}
+			throw e;
+		}
+	}
+
+	@Post('/providers/:provider')
+	async setProviderSettings(req: ExternalSecretsRequest.SetProviderSettings) {
+		const providerName = req.params.provider;
+		try {
+			await this.secretsService.saveProviderSettings(providerName, req.body, req.user.id);
+		} catch (e) {
+			if (e instanceof ProviderNotFoundError) {
+				throw new NotFoundError(`Could not find provider "${e.providerName}"`);
+			}
+			throw e;
+		}
+		return {};
+	}
+
+	@Post('/providers/:provider/connect')
+	async setProviderConnected(req: ExternalSecretsRequest.SetProviderConnected) {
+		const providerName = req.params.provider;
+		try {
+			await this.secretsService.saveProviderConnected(providerName, req.body.connected);
+		} catch (e) {
+			if (e instanceof ProviderNotFoundError) {
+				throw new NotFoundError(`Could not find provider "${e.providerName}"`);
+			}
+			throw e;
+		}
+		return {};
+	}
+
+	@Post('/providers/:provider/update')
+	async updateProvider(req: ExternalSecretsRequest.UpdateProvider, res: Response) {
+		const providerName = req.params.provider;
+		try {
+			const resp = await this.secretsService.updateProvider(providerName);
+			if (resp) {
+				res.statusCode = 200;
+			} else {
+				res.statusCode = 400;
+			}
+			return { updated: resp };
+		} catch (e) {
+			if (e instanceof ProviderNotFoundError) {
+				throw new NotFoundError(`Could not find provider "${e.providerName}"`);
+			}
+			throw e;
+		}
+	}
+
+	@Get('/secrets')
+	getSecretNames() {
+		return this.secretsService.getAllSecrets();
+	}
+}