ToolJet/server/test/controllers/org_environment_variables.e2e-spec.ts

/* eslint-disable @typescript-eslint/no-unused-vars */
import * as request from 'supertest';
import { INestApplication } from '@nestjs/common';
import { authHeaderForUser, clearDB, createUser, createNestAppInstance, createGroupPermission } from '../test.helper';
import { getManager } from 'typeorm';
import { GroupPermission } from 'src/entities/group_permission.entity';
import { OrgEnvironmentVariable } from 'src/entities/org_envirnoment_variable.entity';

const createVariable = async (app: INestApplication, adminUserData: any, body: any) => {
  return await request(app.getHttpServer())
    .post(`/api/organization-variables/`)
    .set('Authorization', authHeaderForUser(adminUserData.user))
    .send(body);
};

describe('organization environment variables controller', () => {
  let app: INestApplication;

  beforeEach(async () => {
    await clearDB();
  });

  beforeAll(async () => {
    app = await createNestAppInstance();
  });

  describe('GET /api/organization-variables', () => {
    it('should allow only authenticated users to list org users', async () => {
      await request(app.getHttpServer()).get('/api/organization-variables/').expect(401);
    });

    it('should list decrypted organization environment variables', async () => {
      const adminUserData = await createUser(app, {
        email: 'admin@tooljet.io',
        groups: ['admin', 'all_users'],
      });

      const organization = adminUserData.organization;

      const developerUserData = await createUser(app, {
        email: 'developer@tooljet.io',
        groups: ['developer', 'all_users'],
        organization,
      });

      const viewerUserData = await createUser(app, {
        email: 'viewer@tooljet.io',
        groups: ['viewer', 'all_users'],
        organization,
      });

      const bodyArray = [
        {
          variable_name: 'email',
          variable_type: 'server',
          value: 'test@tooljet.io',
          encrypted: true,
        },
        {
          variable_name: 'name',
          variable_type: 'client',
          value: 'demo_user',
          encrypted: false,
        },
      ];

      const variableArray = [];
      for (const body in bodyArray) {
        const result = await createVariable(app, adminUserData, body);
        variableArray.push(result.body.variable);
      }

      await request(app.getHttpServer())
        .get(`/api/organization-variables/`)
        .set('Authorization', authHeaderForUser(developerUserData.user))
        .send()
        .expect(200);

      await request(app.getHttpServer())
        .get(`/api/organization-variables/`)
        .set('Authorization', authHeaderForUser(viewerUserData.user))
        .send()
        .expect(200);

      const listResponse = await request(app.getHttpServer())
        .get(`/api/organization-variables/`)
        .set('Authorization', authHeaderForUser(adminUserData.user))
        .send()
        .expect(200);

      listResponse.body.variables.map((variable: any, index: any) => {
        expect(variable).toStrictEqual({
          variableName: bodyArray[index].variable_name,
          value: variable.variableType === 'server' ? undefined : bodyArray[index].value,
          variableType: bodyArray[index].variable_type,
          encrypted: bodyArray[index].encrypted,
        });
      });
    });
  });

  describe('POST /api/organization-variables/', () => {
    it('should be able to create a new variable if group is admin or has create permission in the same organization', async () => {
      const adminUserData = await createUser(app, {
        email: 'admin@tooljet.io',
        groups: ['all_users', 'admin'],
      });
      const developerUserData = await createUser(app, {
        email: 'dev@tooljet.io',
        groups: ['all_users', 'developer'],
        organization: adminUserData.organization,
      });

      const viewerUserData = await createUser(app, {
        email: 'viewer@tooljet.io',
        groups: ['viewer', 'all_users'],
        organization: adminUserData.organization,
      });

      const developerGroup = await getManager().findOneOrFail(GroupPermission, {
        where: { group: 'developer' },
      });

      await getManager().update(GroupPermission, developerGroup.id, {
        orgEnvironmentVariableCreate: true,
      });

      await request(app.getHttpServer())
        .post(`/api/organization-variables/`)
        .set('Authorization', authHeaderForUser(adminUserData.user))
        .send({ variable_name: 'email', variable_type: 'server', value: 'test@tooljet.io', encrypted: true })
        .expect(201);

      await request(app.getHttpServer())
        .post(`/api/organization-variables/`)
        .set('Authorization', authHeaderForUser(developerUserData.user))
        .send({ variable_name: 'name', variable_type: 'client', value: 'demo user', encrypted: false })
        .expect(201);

      await request(app.getHttpServer())
        .post(`/api/organization-variables/`)
        .set('Authorization', authHeaderForUser(viewerUserData.user))
        .send({ variable_name: 'pi', variable_type: 'server', value: '3.14', encrypted: true })
        .expect(403);
    });
  });

  describe('PATCH /api/organization-variables/:id', () => {
    it('should be able to update an existing variable if group is admin or has update permission in the same organization', async () => {
      const adminUserData = await createUser(app, {
        email: 'admin@tooljet.io',
        groups: ['all_users', 'admin'],
      });
      const developerUserData = await createUser(app, {
        email: 'dev@tooljet.io',
        groups: ['all_users', 'developer'],
        organization: adminUserData.organization,
      });

      const viewerUserData = await createUser(app, {
        email: 'viewer@tooljet.io',
        groups: ['viewer', 'all_users'],
        organization: adminUserData.organization,
      });

      const developerGroup = await getManager().findOneOrFail(GroupPermission, {
        where: { group: 'developer' },
      });

      await getManager().update(GroupPermission, developerGroup.id, {
        orgEnvironmentVariableUpdate: true,
      });

      const response = await createVariable(app, adminUserData, {
        variable_name: 'email',
        value: 'test@tooljet.io',
        variable_type: 'server',
        encrypted: true,
      });

      for (const userData of [adminUserData, developerUserData]) {
        await request(app.getHttpServer())
          .patch(`/api/organization-variables/${response.body.variable.id}`)
          .set('Authorization', authHeaderForUser(userData.user))
          .send({ variable_name: 'secret_email' })
          .expect(200);

        const updatedVariable = await getManager().findOne(OrgEnvironmentVariable, response.body.variable.id);

        expect(updatedVariable.variableName).toEqual('secret_email');
      }

      await request(app.getHttpServer())
        .patch(`/api/organization-variables/${response.body.variable.id}`)
        .set('Authorization', authHeaderForUser(viewerUserData.user))
        .send({ variable_name: 'email', value: 'test3@tooljet.io' })
        .expect(403);
    });
  });

  describe('DELETE /api/organization-variables/:id', () => {
    it('should be able to delete an existing variable if group is admin or has delete permission in the same organization', async () => {
      const adminUserData = await createUser(app, {
        email: 'admin@tooljet.io',
        groups: ['all_users', 'admin'],
      });
      const developerUserData = await createUser(app, {
        email: 'dev@tooljet.io',
        groups: ['all_users', 'developer'],
        organization: adminUserData.organization,
      });

      const viewerUserData = await createUser(app, {
        email: 'viewer@tooljet.io',
        groups: ['viewer', 'all_users'],
        organization: adminUserData.organization,
      });

      const developerGroup = await getManager().findOneOrFail(GroupPermission, {
        where: { group: 'developer' },
      });

      await getManager().update(GroupPermission, developerGroup.id, {
        orgEnvironmentVariableDelete: true,
      });

      for (const userData of [adminUserData, developerUserData]) {
        const response = await createVariable(app, adminUserData, {
          variable_name: 'email',
          value: 'test@tooljet.io',
          variable_type: 'server',
          encrypted: true,
        });

        const preCount = await getManager().count(OrgEnvironmentVariable);

        await request(app.getHttpServer())
          .delete(`/api/organization-variables/${response.body.variable.id}`)
          .set('Authorization', authHeaderForUser(userData.user))
          .send()
          .expect(200);

        const postCount = await getManager().count(OrgEnvironmentVariable);
        expect(postCount).toEqual(preCount - 1);
      }

      const response = await createVariable(app, adminUserData, {
        variable_name: 'email',
        value: 'test@tooljet.io',
        variable_type: 'server',
        encrypted: true,
      });

      await request(app.getHttpServer())
        .delete(`/api/organization-variables/${response.body.variable.id}`)
        .set('Authorization', authHeaderForUser(viewerUserData.user))
        .send()
        .expect(403);
    });
  });

  afterAll(async () => {
    await app.close();
  });
});
[Feature] Organisation level environment variables 🚀 (#3068) * Added new page for env vars * Changed a field name * Added some backend files - Entity, Dto, services * Started working with api endpoints - implmented create - added ability * Added fields validation - Added env variables into module * Added update, delete, get apis - Also implemented delete feature in frontend * Implemented update operation on frontend - Solved an api problem * Added encryption * Added encryption to update operation - Exposed env vars to editor - working on viewer * Exposed env vars in viewer also - Resolved a bug * Updated edit & delete icon sizes * Added specs - Resolved issues that occurred while testing * removed logout code * Changed api endpoint * splitted page into 3 different parts, Form & table * Now, non-admin users can see all org env vars * Resolved divider missing issue * Added variable_type field * Now secret server values will be shown as 'SecureValue' * Now you can't update variable_type * Now server will resolve the secret env values * Resolved variable name issue * Added unique constraints * Resolved some frontend bugs * Changed error text * Fixed failing specs * Added group permissions for org env vars * Added permission checking in the backend * Implemented permission checking in the frontend * Edited spec for new changes * Changed some specs and fixed failing specs * Resolved failing case that showed up after merging with the latest develop * Added default admin seed permissions * Refactored some code * Changed value to organization_id * Fixed a bug * Resolved a failing case * Resolved PR changes - Changed permission name - Changed column type to enum - Fixed some errors - Refactored the code * minor code change * added scope * Fixed: hide table when 0 no of vars available * Fixed table dark theme issues * Fixed encryption switch style * Fixed failing cases and updated a spec * Added %% for environment variables * Added code to resolve single variable * Fixed multi-variable usage * resolved an issue * removed extra divider * Suggestions will also show up for %% too * now, suggestions dropdown will only show env variables results * env vars suggestions will not be included in js search results * You can't resolve env variables from js code - Also, we can't resolve js code from env variable enclosures * added an info text * Resolved variables issue * fixed Viewer issue * Resolved a bug - client variable was not working on query preview and run actions * Update error message while using server variable on canvas * Revert "Update error message while using server variable on canvas" This reverts commit 081e1c9e295509a2db1010ddce0841c60e57387a. * Resolved all PR changes - removed prefix 'environmentVariable' - redefined variable evaluation - removed environmentVariable object from inspector - fixed a small bug * Fixed a server side issue Co-authored-by: Sherfin Shamsudeen <sherfin94@gmail.com> 2022-07-01 10:50:37 +00:00			`/* eslint-disable @typescript-eslint/no-unused-vars */`
			`import * as request from 'supertest';`
			`import { INestApplication } from '@nestjs/common';`
			`import { authHeaderForUser, clearDB, createUser, createNestAppInstance, createGroupPermission } from '../test.helper';`
			`import { getManager } from 'typeorm';`
			`import { GroupPermission } from 'src/entities/group_permission.entity';`
			`import { OrgEnvironmentVariable } from 'src/entities/org_envirnoment_variable.entity';`

			`const createVariable = async (app: INestApplication, adminUserData: any, body: any) => {`
			`return await request(app.getHttpServer())`
			.post(`/api/organization-variables/`)
			`.set('Authorization', authHeaderForUser(adminUserData.user))`
			`.send(body);`
			`};`

			`describe('organization environment variables controller', () => {`
			`let app: INestApplication;`

			`beforeEach(async () => {`
			`await clearDB();`
			`});`

			`beforeAll(async () => {`
			`app = await createNestAppInstance();`
			`});`

			`describe('GET /api/organization-variables', () => {`
			`it('should allow only authenticated users to list org users', async () => {`
			`await request(app.getHttpServer()).get('/api/organization-variables/').expect(401);`
			`});`

			`it('should list decrypted organization environment variables', async () => {`
			`const adminUserData = await createUser(app, {`
			`email: 'admin@tooljet.io',`
			`groups: ['admin', 'all_users'],`
			`});`

			`const organization = adminUserData.organization;`

			`const developerUserData = await createUser(app, {`
			`email: 'developer@tooljet.io',`
			`groups: ['developer', 'all_users'],`
			`organization,`
			`});`

			`const viewerUserData = await createUser(app, {`
			`email: 'viewer@tooljet.io',`
			`groups: ['viewer', 'all_users'],`
			`organization,`
			`});`

			`const bodyArray = [`
			`{`
			`variable_name: 'email',`
			`variable_type: 'server',`
			`value: 'test@tooljet.io',`
			`encrypted: true,`
			`},`
			`{`
			`variable_name: 'name',`
			`variable_type: 'client',`
			`value: 'demo_user',`
			`encrypted: false,`
			`},`
			`];`

			`const variableArray = [];`
			`for (const body in bodyArray) {`
			`const result = await createVariable(app, adminUserData, body);`
			`variableArray.push(result.body.variable);`
			`}`

			`await request(app.getHttpServer())`
			.get(`/api/organization-variables/`)
			`.set('Authorization', authHeaderForUser(developerUserData.user))`
			`.send()`
			`.expect(200);`

			`await request(app.getHttpServer())`
			.get(`/api/organization-variables/`)
			`.set('Authorization', authHeaderForUser(viewerUserData.user))`
			`.send()`
			`.expect(200);`

			`const listResponse = await request(app.getHttpServer())`
			.get(`/api/organization-variables/`)
			`.set('Authorization', authHeaderForUser(adminUserData.user))`
			`.send()`
			`.expect(200);`

			`listResponse.body.variables.map((variable: any, index: any) => {`
			`expect(variable).toStrictEqual({`
			`variableName: bodyArray[index].variable_name,`
			`value: variable.variableType === 'server' ? undefined : bodyArray[index].value,`
			`variableType: bodyArray[index].variable_type,`
			`encrypted: bodyArray[index].encrypted,`
			`});`
			`});`
			`});`
			`});`

			`describe('POST /api/organization-variables/', () => {`
			`it('should be able to create a new variable if group is admin or has create permission in the same organization', async () => {`
			`const adminUserData = await createUser(app, {`
			`email: 'admin@tooljet.io',`
			`groups: ['all_users', 'admin'],`
			`});`
			`const developerUserData = await createUser(app, {`
			`email: 'dev@tooljet.io',`
			`groups: ['all_users', 'developer'],`
			`organization: adminUserData.organization,`
			`});`

			`const viewerUserData = await createUser(app, {`
			`email: 'viewer@tooljet.io',`
			`groups: ['viewer', 'all_users'],`
			`organization: adminUserData.organization,`
			`});`

			`const developerGroup = await getManager().findOneOrFail(GroupPermission, {`
			`where: { group: 'developer' },`
			`});`

			`await getManager().update(GroupPermission, developerGroup.id, {`
			`orgEnvironmentVariableCreate: true,`
			`});`

			`await request(app.getHttpServer())`
			.post(`/api/organization-variables/`)
			`.set('Authorization', authHeaderForUser(adminUserData.user))`
			`.send({ variable_name: 'email', variable_type: 'server', value: 'test@tooljet.io', encrypted: true })`
			`.expect(201);`

			`await request(app.getHttpServer())`
			.post(`/api/organization-variables/`)
			`.set('Authorization', authHeaderForUser(developerUserData.user))`
			`.send({ variable_name: 'name', variable_type: 'client', value: 'demo user', encrypted: false })`
			`.expect(201);`

			`await request(app.getHttpServer())`
			.post(`/api/organization-variables/`)
			`.set('Authorization', authHeaderForUser(viewerUserData.user))`
			`.send({ variable_name: 'pi', variable_type: 'server', value: '3.14', encrypted: true })`
			`.expect(403);`
			`});`
			`});`

			`describe('PATCH /api/organization-variables/:id', () => {`
			`it('should be able to update an existing variable if group is admin or has update permission in the same organization', async () => {`
			`const adminUserData = await createUser(app, {`
			`email: 'admin@tooljet.io',`
			`groups: ['all_users', 'admin'],`
			`});`
			`const developerUserData = await createUser(app, {`
			`email: 'dev@tooljet.io',`
			`groups: ['all_users', 'developer'],`
			`organization: adminUserData.organization,`
			`});`

			`const viewerUserData = await createUser(app, {`
			`email: 'viewer@tooljet.io',`
			`groups: ['viewer', 'all_users'],`
			`organization: adminUserData.organization,`
			`});`

			`const developerGroup = await getManager().findOneOrFail(GroupPermission, {`
			`where: { group: 'developer' },`
			`});`

			`await getManager().update(GroupPermission, developerGroup.id, {`
			`orgEnvironmentVariableUpdate: true,`
			`});`

			`const response = await createVariable(app, adminUserData, {`
			`variable_name: 'email',`
			`value: 'test@tooljet.io',`
			`variable_type: 'server',`
			`encrypted: true,`
			`});`

			`for (const userData of [adminUserData, developerUserData]) {`
			`await request(app.getHttpServer())`
			.patch(`/api/organization-variables/${response.body.variable.id}`)
			`.set('Authorization', authHeaderForUser(userData.user))`
			`.send({ variable_name: 'secret_email' })`
			`.expect(200);`

			`const updatedVariable = await getManager().findOne(OrgEnvironmentVariable, response.body.variable.id);`

			`expect(updatedVariable.variableName).toEqual('secret_email');`
			`}`

			`await request(app.getHttpServer())`
			.patch(`/api/organization-variables/${response.body.variable.id}`)
			`.set('Authorization', authHeaderForUser(viewerUserData.user))`
			`.send({ variable_name: 'email', value: 'test3@tooljet.io' })`
			`.expect(403);`
			`});`
			`});`

			`describe('DELETE /api/organization-variables/:id', () => {`
			`it('should be able to delete an existing variable if group is admin or has delete permission in the same organization', async () => {`
			`const adminUserData = await createUser(app, {`
			`email: 'admin@tooljet.io',`
			`groups: ['all_users', 'admin'],`
			`});`
			`const developerUserData = await createUser(app, {`
			`email: 'dev@tooljet.io',`
			`groups: ['all_users', 'developer'],`
			`organization: adminUserData.organization,`
			`});`

			`const viewerUserData = await createUser(app, {`
			`email: 'viewer@tooljet.io',`
			`groups: ['viewer', 'all_users'],`
			`organization: adminUserData.organization,`
			`});`

			`const developerGroup = await getManager().findOneOrFail(GroupPermission, {`
			`where: { group: 'developer' },`
			`});`

			`await getManager().update(GroupPermission, developerGroup.id, {`
			`orgEnvironmentVariableDelete: true,`
			`});`

			`for (const userData of [adminUserData, developerUserData]) {`
			`const response = await createVariable(app, adminUserData, {`
			`variable_name: 'email',`
			`value: 'test@tooljet.io',`
			`variable_type: 'server',`
			`encrypted: true,`
			`});`

			`const preCount = await getManager().count(OrgEnvironmentVariable);`

			`await request(app.getHttpServer())`
			.delete(`/api/organization-variables/${response.body.variable.id}`)
			`.set('Authorization', authHeaderForUser(userData.user))`
			`.send()`
			`.expect(200);`

			`const postCount = await getManager().count(OrgEnvironmentVariable);`
			`expect(postCount).toEqual(preCount - 1);`
			`}`

			`const response = await createVariable(app, adminUserData, {`
			`variable_name: 'email',`
			`value: 'test@tooljet.io',`
			`variable_type: 'server',`
			`encrypted: true,`
			`});`

			`await request(app.getHttpServer())`
			.delete(`/api/organization-variables/${response.body.variable.id}`)
			`.set('Authorization', authHeaderForUser(viewerUserData.user))`
			`.send()`
			`.expect(403);`
			`});`
			`});`

			`afterAll(async () => {`
			`await app.close();`
			`});`
			`});`