ToolJet/server/test/controllers/data_sources.e2e-spec.ts

import * as request from 'supertest';
import { INestApplication } from '@nestjs/common';
import {
  clearDB,
  createApplication,
  createUser,
  createNestAppInstance,
  createDataSource,
  createDataQuery,
  createAppGroupPermission,
  createApplicationVersion,
  generateAppDefaults,
  authenticateUser,
  createDatasourceGroupPermission,
} from '../test.helper';
import { Credential } from 'src/entities/credential.entity';
import { getManager, getRepository } from 'typeorm';
import { GroupPermission } from 'src/entities/group_permission.entity';
import { DataSource } from 'src/entities/data_source.entity';

describe('data sources controller', () => {
  let app: INestApplication;

  beforeEach(async () => {
    await clearDB();
  });

  beforeAll(async () => {
    app = await createNestAppInstance();
  });

  it('should be able to create data sources only if user has admin group or app update permission in same organization or has instance user type', async () => {
    const adminUserData = await createUser(app, {
      email: 'admin@tooljet.io',
      groups: ['all_users', 'admin'],
    });
    const superAdminUserData = await createUser(app, {
      email: 'superadmin@tooljet.io',
      groups: ['all_users', 'admin'],
      userType: 'instance',
    });
    const developerUserData = await createUser(app, {
      email: 'developer@tooljet.io',
      groups: ['all_users', 'developer'],
      organization: adminUserData.organization,
    });
    const viewerUserData = await createUser(app, {
      email: 'viewer@tooljet.io',
      groups: ['all_users'],
      organization: adminUserData.organization,
    });
    const anotherOrgAdminUserData = await createUser(app, {
      email: 'another@tooljet.io',
      groups: ['all_users', 'admin'],
    });

    let loggedUser = await authenticateUser(app, adminUserData.user.email);
    adminUserData['tokenCookie'] = loggedUser.tokenCookie;
    loggedUser = await authenticateUser(app, developerUserData.user.email);
    developerUserData['tokenCookie'] = loggedUser.tokenCookie;
    loggedUser = await authenticateUser(app, viewerUserData.user.email);
    viewerUserData['tokenCookie'] = loggedUser.tokenCookie;
    loggedUser = await authenticateUser(app, anotherOrgAdminUserData.user.email);
    anotherOrgAdminUserData['tokenCookie'] = loggedUser.tokenCookie;
    loggedUser = await authenticateUser(
      app,
      superAdminUserData.user.email,
      'password',
      adminUserData.user.defaultOrganizationId
    );
    superAdminUserData['tokenCookie'] = loggedUser.tokenCookie;

    const { application, appVersion: applicationVersion } = await generateAppDefaults(app, adminUserData.user, {
      isDataSourceNeeded: false,
      isQueryNeeded: false,
    });

    const developerUserGroup = await getRepository(GroupPermission).findOneOrFail({
      where: {
        group: 'developer',
      },
    });
    await createAppGroupPermission(app, application, developerUserGroup.id, {
      read: false,
      update: true,
      delete: false,
    });

    const dataSourceParams = {
      name: 'name',
      options: [{ key: 'foo', value: 'bar', encrypted: 'true' }],
      kind: 'postgres',
      app_version_id: applicationVersion.id,
    };

    for (const userData of [adminUserData, developerUserData, superAdminUserData]) {
      const response = await request(app.getHttpServer())
        .post(`/api/data_sources`)
        .set('tj-workspace-id', adminUserData.user.defaultOrganizationId)
        .set('Cookie', userData['tokenCookie'])
        .send(dataSourceParams);

      expect(response.statusCode).toBe(201);
      expect(response.body.id).toBeDefined();
      expect(response.body.app_version_id).toBe(applicationVersion.id);
      expect(response.body.kind).toBe('postgres');
      expect(response.body.name).toBe('name');
      expect(response.body.created_at).toBeDefined();
      expect(response.body.updated_at).toBeDefined();
    }

    // encrypted data source options will create credentials
    expect(await Credential.count()).toBe(9);

    // Should not update if viewer or if user of another org
    for (const userData of [anotherOrgAdminUserData, viewerUserData]) {
      const response = await request(app.getHttpServer())
        .post(`/api/data_sources`)
        .set('tj-workspace-id', userData.user.defaultOrganizationId)
        .set('Cookie', userData['tokenCookie'])
        .send(dataSourceParams);

      expect(response.statusCode).toBe(403);
    }
  });

  it('should be able to update data sources only if user has group admin or app update permission in same organization or has instance user type', async () => {
    const adminUserData = await createUser(app, {
      email: 'admin@tooljet.io',
      groups: ['all_users', 'admin'],
    });
    const superAdminUserData = await createUser(app, {
      email: 'superadmin@tooljet.io',
      groups: ['all_users', 'admin'],
      userType: 'instance',
    });
    const developerUserData = await createUser(app, {
      email: 'developer@tooljet.io',
      groups: ['all_users', 'developer'],
      organization: adminUserData.organization,
    });
    const viewerUserData = await createUser(app, {
      email: 'viewer@tooljet.io',
      groups: ['all_users', 'viewer'],
      organization: adminUserData.organization,
    });
    const anotherOrgAdminUserData = await createUser(app, {
      email: 'another@tooljet.io',
      groups: ['all_users', 'admin'],
    });

    let loggedUser = await authenticateUser(app, adminUserData.user.email);
    adminUserData['tokenCookie'] = loggedUser.tokenCookie;
    loggedUser = await authenticateUser(app, developerUserData.user.email);
    developerUserData['tokenCookie'] = loggedUser.tokenCookie;
    loggedUser = await authenticateUser(app, viewerUserData.user.email);
    viewerUserData['tokenCookie'] = loggedUser.tokenCookie;
    loggedUser = await authenticateUser(app, anotherOrgAdminUserData.user.email);
    anotherOrgAdminUserData['tokenCookie'] = loggedUser.tokenCookie;
    loggedUser = await authenticateUser(
      app,
      superAdminUserData.user.email,
      'password',
      adminUserData.user.defaultOrganizationId
    );
    superAdminUserData['tokenCookie'] = loggedUser.tokenCookie;

    const { application, dataSource, appEnvironments } = await generateAppDefaults(app, adminUserData.user, {
      isQueryNeeded: false,
      dsOptions: [{ key: 'foo', value: 'bar', encrypted: 'true' }],
      dsKind: 'postgres',
    });
    const developerUserGroup = await getRepository(GroupPermission).findOneOrFail({
      where: {
        group: 'developer',
      },
    });
    await createAppGroupPermission(app, application, developerUserGroup.id, {
      read: false,
      update: true,
      delete: false,
    });

    // encrypted data source options will create credentials
    expect(await Credential.count()).toBe(3);

    for (const userData of [adminUserData, developerUserData, superAdminUserData]) {
      const newOptions = [
        { key: 'email', value: userData.user.email },
        { key: 'foo', value: 'baz', encrypted: 'true' },
      ];
      const response = await request(app.getHttpServer())
        .put(`/api/data_sources/${dataSource.id}`)
        .set('tj-workspace-id', adminUserData.user.defaultOrganizationId)
        .set('Cookie', userData['tokenCookie'])
        .send({
          options: newOptions,
        });

      const updatedDs = await getManager()
        .createQueryBuilder(DataSource, 'data_source')
        .innerJoinAndSelect('data_source.dataSourceOptions', 'dataSourceOptions')
        .where('data_source.id = :dataSourceId', { dataSourceId: dataSource.id })
        .getOneOrFail();

      const updatedOptions = updatedDs.dataSourceOptions.find(
        (option) => option.environmentId === appEnvironments.find((env) => env.isDefault).id
      );

      expect(response.statusCode).toBe(200);
      expect(updatedOptions.options['email']['value']).toBe(userData.user.email);
    }

    // new credentials will not be created upon data source update
    expect(await Credential.count()).toBe(3);

    // Should not update if viewer or if user of another org
    for (const userData of [anotherOrgAdminUserData, viewerUserData]) {
      const newOptions = [
        { key: 'email', value: userData.user.email },
        { key: 'foo', value: 'baz', encrypted: 'true' },
      ];
      const response = await request(app.getHttpServer())
        .put(`/api/data_sources/${dataSource.id}`)
        .set('tj-workspace-id', userData.user.defaultOrganizationId)
        .set('Cookie', userData['tokenCookie'])
        .send({
          options: newOptions,
        });

      expect(response.statusCode).toBe(403);
    }
  });

  it('should be able to list (get) datasources for an app by all users of same organization or has instance user type', async () => {
    const adminUserData = await createUser(app, {
      email: 'admin@tooljet.io',
      groups: ['all_users', 'admin'],
    });
    const superAdminUserData = await createUser(app, {
      email: 'superadmin@tooljet.io',
      groups: ['all_users', 'admin'],
      userType: 'instance',
      organization: adminUserData.organization,
    });
    const developerUserData = await createUser(app, {
      email: 'developer@tooljet.io',
      groups: ['all_users'],
      organization: adminUserData.organization,
    });
    const viewerUserData = await createUser(app, {
      email: 'viewer@tooljet.io',
      groups: ['all_users'],
      organization: adminUserData.organization,
    });
    const anotherOrgAdminUserData = await createUser(app, {
      email: 'another@tooljet.io',
      groups: ['all_users', 'admin'],
    });

    let loggedUser = await authenticateUser(app, adminUserData.user.email);
    adminUserData['tokenCookie'] = loggedUser.tokenCookie;
    loggedUser = await authenticateUser(app, developerUserData.user.email);
    developerUserData['tokenCookie'] = loggedUser.tokenCookie;
    loggedUser = await authenticateUser(app, viewerUserData.user.email);
    viewerUserData['tokenCookie'] = loggedUser.tokenCookie;
    loggedUser = await authenticateUser(app, anotherOrgAdminUserData.user.email);
    anotherOrgAdminUserData['tokenCookie'] = loggedUser.tokenCookie;
    loggedUser = await authenticateUser(app, superAdminUserData.user.email, 'password', adminUserData.organization.id);
    superAdminUserData['tokenCookie'] = loggedUser.tokenCookie;

    const { application, appVersion, dataSource } = await generateAppDefaults(app, adminUserData.user, {
      isQueryNeeded: false,
    });

    const allUserGroup = await getRepository(GroupPermission).findOneOrFail({
      where: {
        group: 'all_users',
        organizationId: adminUserData.organization.id,
      },
    });
    await createAppGroupPermission(app, application, allUserGroup.id, {
      read: true,
      update: true,
      delete: false,
    });

    await createDatasourceGroupPermission(app, dataSource.id, allUserGroup.id, {
      read: true,
      update: false,
      delete: false,
    });

    for (const userData of [adminUserData, developerUserData, viewerUserData]) {
      const response = await request(app.getHttpServer())
        .get(`/api/data_sources?app_version_id=${appVersion.id}`)
        .set('tj-workspace-id', userData.user.defaultOrganizationId)
        .set('Cookie', userData['tokenCookie']);

      expect(response.statusCode).toBe(200);
      expect(response.body.data_sources.length).toBe(1);
    }

    // Forbidden if user of another organization
    const response = await request(app.getHttpServer())
      .get(`/api/data_sources?app_version_id=${appVersion.id}`)
      .set('tj-workspace-id', anotherOrgAdminUserData.user.defaultOrganizationId)
      .set('Cookie', anotherOrgAdminUserData['tokenCookie']);

    expect(response.statusCode).toBe(403);
  });

  it('should be able to delete data sources of an app only if admin/developer of same organization or the user is a super admin', async () => {
    const adminUserData = await createUser(app, {
      email: 'admin@tooljet.io',
      groups: ['all_users', 'admin'],
    });
    const superAdminUserData = await createUser(app, {
      email: 'superadmin@tooljet.io',
      groups: ['all_users', 'admin'],
      userType: 'instance',
      organization: adminUserData.organization,
    });
    const developerUserData = await createUser(app, {
      email: 'developer@tooljet.io',
      groups: ['all_users', 'developer'],
      organization: adminUserData.organization,
    });
    const viewerUserData = await createUser(app, {
      email: 'viewer@tooljet.io',
      groups: ['all_users', 'viewer'],
      organization: adminUserData.organization,
    });
    const anotherOrgAdminUserData = await createUser(app, {
      email: 'another@tooljet.io',
      groups: ['all_users', 'admin'],
    });

    let loggedUser = await authenticateUser(app, adminUserData.user.email);
    adminUserData['tokenCookie'] = loggedUser.tokenCookie;
    loggedUser = await authenticateUser(app, developerUserData.user.email);
    developerUserData['tokenCookie'] = loggedUser.tokenCookie;
    loggedUser = await authenticateUser(app, viewerUserData.user.email);
    viewerUserData['tokenCookie'] = loggedUser.tokenCookie;
    loggedUser = await authenticateUser(app, anotherOrgAdminUserData.user.email);
    anotherOrgAdminUserData['tokenCookie'] = loggedUser.tokenCookie;
    loggedUser = await authenticateUser(
      app,
      superAdminUserData.user.email,
      'password',
      adminUserData.user.defaultOrganizationId
    );
    superAdminUserData['tokenCookie'] = loggedUser.tokenCookie;

    const { application, appVersion } = await generateAppDefaults(app, adminUserData.user, {
      isQueryNeeded: false,
      isDataSourceNeeded: false,
    });

    // setup app permissions for developer
    const developerUserGroup = await getRepository(GroupPermission).findOne({
      where: {
        group: 'developer',
      },
    });
    await createAppGroupPermission(app, application, developerUserGroup.id, {
      read: true,
      update: true,
      delete: false,
    });

    for (const userData of [adminUserData, developerUserData, superAdminUserData]) {
      const dataSource = await createDataSource(app, {
        name: 'name',
        options: [{ key: 'foo', value: 'bar', encrypted: 'true' }],
        kind: 'postgres',
        appVersion,
      });

      const response = await request(app.getHttpServer())
        .delete(`/api/data_sources/${dataSource.id}`)
        .set('tj-workspace-id', userData.user.defaultOrganizationId)
        .set('Cookie', userData['tokenCookie'])
        .send();

      expect(response.statusCode).toBe(200);
    }

    // Should not delete if viewer or if user of another org
    for (const userData of [anotherOrgAdminUserData, viewerUserData]) {
      const dataSource = await createDataSource(app, {
        name: 'name',
        options: [{ key: 'foo', value: 'bar', encrypted: 'true' }],
        kind: 'postgres',
        appVersion,
      });

      const response = await request(app.getHttpServer())
        .delete(`/api/data_sources/${dataSource.id}`)
        .set('tj-workspace-id', userData.user.defaultOrganizationId)
        .set('Cookie', userData['tokenCookie'])
        .send();

      expect(response.statusCode).toBe(403);
    }
  });

  it('should be able to a delete data sources from a specific version of an app', async () => {
    const adminUserData = await createUser(app, {
      email: 'admin@tooljet.io',
      groups: ['all_users', 'admin'],
    });
    const application = await createApplication(app, {
      name: 'name',
      user: adminUserData.user,
    });

    const appVersion1 = await createApplicationVersion(app, application);
    const dataSource1 = await createDataSource(app, {
      name: 'api',
      kind: 'restapi',
      appVersion: appVersion1,
    });

    await createDataQuery(app, {
      dataSource: dataSource1,
      options: {
        method: 'get',
        url: 'https://api.github.com/repos/tooljet/tooljet/stargazers',
        url_params: [],
        headers: [],
        body: [],
      },
    });

    const appVersion2 = await createApplicationVersion(app, application, { name: 'v2', definition: null });
    const dataSource2 = await createDataSource(app, {
      name: 'api2',
      kind: 'restapi',
      appVersion: appVersion2,
    });

    const dataSource2Temp = dataSource2;

    const query2 = await createDataQuery(app, {
      name: 'restapi2',
      dataSource: dataSource2,
      options: {
        method: 'get',
        url: 'https://api.github.com/repos/tooljet/tooljet/stargazers',
        url_params: [],
        headers: [],
        body: [],
      },
    });

    const dataQuery2Temp = query2;

    const loggedUser = await authenticateUser(app, adminUserData.user.email);

    const response = await request(app.getHttpServer())
      .delete(`/api/data_sources/${dataSource1.id}`)
      .set('tj-workspace-id', adminUserData.user.defaultOrganizationId)
      .set('Cookie', loggedUser.tokenCookie)
      .send();

    expect(response.statusCode).toBe(200);

    await dataSource2.reload();
    await query2.reload();

    expect(dataSource2.id).toBe(dataSource2Temp.id);
    expect(query2.id).toBe(dataQuery2Temp.id);
  });

  it('should be able to search data sources with application version id', async () => {
    const adminUserData = await createUser(app, {
      email: 'admin@tooljet.io',
      groups: ['all_users', 'admin'],
    });

    const loggedUser = await authenticateUser(app, adminUserData.user.email);

    const { dataSource } = await generateAppDefaults(app, adminUserData.user, {
      isQueryNeeded: false,
    });

    let response = await request(app.getHttpServer())
      .get(`/api/data_sources?app_version_id=${dataSource.appVersionId}`)
      .set('tj-workspace-id', adminUserData.user.defaultOrganizationId)
      .set('Cookie', loggedUser.tokenCookie);

    expect(response.statusCode).toBe(200);
    expect(response.body.data_sources.length).toBe(1);

    response = await request(app.getHttpServer())
      .get(`/api/data_sources?app_version_id=62929ad6-11ae-4655-bb3e-2d2465b58950`)
      .set('tj-workspace-id', adminUserData.user.defaultOrganizationId)
      .set('Cookie', loggedUser.tokenCookie);

    expect(response.statusCode).toBe(500);
  });

  it('should not be able to authorize OAuth code for a REST API source if user of another organization', async () => {
    const adminUserData = await createUser(app, {
      email: 'admin@tooljet.io',
      groups: ['all_users', 'admin'],
    });
    const anotherOrgAdminUserData = await createUser(app, {
      email: 'another@tooljet.io',
      groups: ['all_users', 'admin'],
    });
    const { dataSource } = await generateAppDefaults(app, adminUserData.user, {
      isQueryNeeded: false,
    });

    const loggedUser = await authenticateUser(app, anotherOrgAdminUserData.user.email);

    // Should not update if user of another org
    const response = await request(app.getHttpServer())
      .post(`/api/data_sources/${dataSource.id}/authorize_oauth2`)
      .set('tj-workspace-id', anotherOrgAdminUserData.user.defaultOrganizationId)
      .set('Cookie', loggedUser.tokenCookie)
      .send({
        code: 'oauth-auth-code',
      });

    expect(response.statusCode).toBe(400);
  });

  afterAll(async () => {
    await app.close();
  });
});