d25d482dc2
Publish CLI Package / publish-npm (push) Waiting to run
Publish Python SDK / publish-pypi (push) Waiting to run
Publish TypeScript SDK / publish-npm (push) Waiting to run
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
144 lines
4.6 KiB
TypeScript
144 lines
4.6 KiB
TypeScript
/**
|
|
* @vitest-environment node
|
|
*/
|
|
import { createMockRequest } from '@sim/testing'
|
|
import { beforeEach, describe, expect, it, vi } from 'vitest'
|
|
|
|
const {
|
|
mockGetSession,
|
|
mockGetWorkspaceById,
|
|
mockGetUserEntityPermissions,
|
|
mockGetPersonalAndWorkspaceEnv,
|
|
mockGetWorkspaceEnvKeyAdminAccess,
|
|
} = vi.hoisted(() => ({
|
|
mockGetSession: vi.fn(),
|
|
mockGetWorkspaceById: vi.fn(),
|
|
mockGetUserEntityPermissions: vi.fn(),
|
|
mockGetPersonalAndWorkspaceEnv: vi.fn(),
|
|
mockGetWorkspaceEnvKeyAdminAccess: vi.fn(),
|
|
}))
|
|
|
|
vi.mock('@/lib/auth', () => ({
|
|
auth: { api: { getSession: vi.fn() } },
|
|
getSession: mockGetSession,
|
|
}))
|
|
|
|
vi.mock('@/lib/workspaces/permissions/utils', () => ({
|
|
getWorkspaceById: mockGetWorkspaceById,
|
|
getUserEntityPermissions: mockGetUserEntityPermissions,
|
|
}))
|
|
|
|
vi.mock('@/lib/environment/utils', () => ({
|
|
getPersonalAndWorkspaceEnv: mockGetPersonalAndWorkspaceEnv,
|
|
invalidateEffectiveDecryptedEnvCache: vi.fn(),
|
|
}))
|
|
|
|
vi.mock('@/lib/credentials/environment', () => ({
|
|
getWorkspaceEnvKeyAdminAccess: mockGetWorkspaceEnvKeyAdminAccess,
|
|
createWorkspaceEnvCredentials: vi.fn(),
|
|
deleteWorkspaceEnvCredentials: vi.fn(),
|
|
}))
|
|
|
|
import { GET } from '@/app/api/workspaces/[id]/environment/route'
|
|
|
|
const WORKSPACE_ID = 'ws-1'
|
|
|
|
function buildParams() {
|
|
return { params: Promise.resolve({ id: WORKSPACE_ID }) }
|
|
}
|
|
|
|
async function callGet() {
|
|
const request = createMockRequest('GET')
|
|
const response = await GET(request, buildParams())
|
|
return { status: response.status, body: await response.json() }
|
|
}
|
|
|
|
describe('GET /api/workspaces/[id]/environment', () => {
|
|
beforeEach(() => {
|
|
vi.clearAllMocks()
|
|
mockGetSession.mockResolvedValue({ user: { id: 'u-1' } })
|
|
mockGetWorkspaceById.mockResolvedValue({ id: WORKSPACE_ID })
|
|
mockGetPersonalAndWorkspaceEnv.mockResolvedValue({
|
|
workspaceDecrypted: { OPENAI_API_KEY: 'sk-secret', DATABASE_URL: 'postgres://secret' },
|
|
personalDecrypted: { PERSONAL: { value: 'p' } },
|
|
conflicts: [],
|
|
})
|
|
})
|
|
|
|
it('returns 401 when the caller has no workspace permission', async () => {
|
|
mockGetUserEntityPermissions.mockResolvedValue(null)
|
|
|
|
const { status, body } = await callGet()
|
|
|
|
expect(status).toBe(401)
|
|
expect(body.error).toBe('Unauthorized')
|
|
expect(mockGetPersonalAndWorkspaceEnv).not.toHaveBeenCalled()
|
|
})
|
|
|
|
it('masks workspace secret values for a read-only member', async () => {
|
|
mockGetUserEntityPermissions.mockResolvedValue('read')
|
|
mockGetWorkspaceEnvKeyAdminAccess.mockResolvedValue({
|
|
adminKeys: new Set<string>(),
|
|
knownKeys: new Set(['OPENAI_API_KEY', 'DATABASE_URL']),
|
|
})
|
|
|
|
const { status, body } = await callGet()
|
|
|
|
expect(status).toBe(200)
|
|
expect(Object.keys(body.data.workspace).sort()).toEqual(['DATABASE_URL', 'OPENAI_API_KEY'])
|
|
expect(body.data.workspace.OPENAI_API_KEY).toBe('')
|
|
expect(body.data.workspace.DATABASE_URL).toBe('')
|
|
})
|
|
|
|
it('reveals only the workspace values the caller is a credential admin of', async () => {
|
|
mockGetUserEntityPermissions.mockResolvedValue('write')
|
|
mockGetWorkspaceEnvKeyAdminAccess.mockResolvedValue({
|
|
adminKeys: new Set(['OPENAI_API_KEY']),
|
|
knownKeys: new Set(['OPENAI_API_KEY', 'DATABASE_URL']),
|
|
})
|
|
|
|
const { body } = await callGet()
|
|
|
|
expect(body.data.workspace.OPENAI_API_KEY).toBe('sk-secret')
|
|
expect(body.data.workspace.DATABASE_URL).toBe('')
|
|
})
|
|
|
|
it('reveals legacy keys (no per-secret ACL) only to workspace admins', async () => {
|
|
mockGetUserEntityPermissions.mockResolvedValue('admin')
|
|
mockGetWorkspaceEnvKeyAdminAccess.mockResolvedValue({
|
|
adminKeys: new Set<string>(),
|
|
knownKeys: new Set<string>(),
|
|
})
|
|
|
|
const { body } = await callGet()
|
|
|
|
expect(body.data.workspace.OPENAI_API_KEY).toBe('sk-secret')
|
|
expect(body.data.workspace.DATABASE_URL).toBe('postgres://secret')
|
|
})
|
|
|
|
it('does not reveal legacy keys to a non-admin member', async () => {
|
|
mockGetUserEntityPermissions.mockResolvedValue('write')
|
|
mockGetWorkspaceEnvKeyAdminAccess.mockResolvedValue({
|
|
adminKeys: new Set<string>(),
|
|
knownKeys: new Set<string>(),
|
|
})
|
|
|
|
const { body } = await callGet()
|
|
|
|
expect(body.data.workspace.OPENAI_API_KEY).toBe('')
|
|
expect(body.data.workspace.DATABASE_URL).toBe('')
|
|
})
|
|
|
|
it('always returns personal values untouched', async () => {
|
|
mockGetUserEntityPermissions.mockResolvedValue('read')
|
|
mockGetWorkspaceEnvKeyAdminAccess.mockResolvedValue({
|
|
adminKeys: new Set<string>(),
|
|
knownKeys: new Set(['OPENAI_API_KEY', 'DATABASE_URL']),
|
|
})
|
|
|
|
const { body } = await callGet()
|
|
|
|
expect(body.data.personal).toEqual({ PERSONAL: { value: 'p' } })
|
|
})
|
|
})
|