mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-01-03 17:18:51 +01:00
4b9c6ab1cb
- Added permission checks for agent file uploads to ensure only authorized users can upload files. - Admin users bypass permission checks, while other users must be the agent author or have EDIT permissions. - Enhanced error handling for non-existent agents and insufficient permissions. - Updated tests to cover various scenarios for file uploads, including permission validation and message attachments.
612 lines
18 KiB
JavaScript
612 lines
18 KiB
JavaScript
const express = require('express');
|
|
const request = require('supertest');
|
|
const mongoose = require('mongoose');
|
|
const { v4: uuidv4 } = require('uuid');
|
|
const { createMethods } = require('@librechat/data-schemas');
|
|
const { MongoMemoryServer } = require('mongodb-memory-server');
|
|
const {
|
|
SystemRoles,
|
|
AccessRoleIds,
|
|
ResourceType,
|
|
PrincipalType,
|
|
} = require('librechat-data-provider');
|
|
const { createAgent } = require('~/models/Agent');
|
|
const { createFile } = require('~/models');
|
|
|
|
// Only mock the external dependencies that we don't want to test
|
|
jest.mock('~/server/services/Files/process', () => ({
|
|
processDeleteRequest: jest.fn().mockResolvedValue({}),
|
|
filterFile: jest.fn(),
|
|
processFileUpload: jest.fn(),
|
|
processAgentFileUpload: jest.fn().mockImplementation(async ({ res }) => {
|
|
// processAgentFileUpload sends response directly via res.json()
|
|
return res.status(200).json({
|
|
message: 'Agent file uploaded and processed successfully',
|
|
file_id: 'test-file-id',
|
|
});
|
|
}),
|
|
}));
|
|
|
|
jest.mock('~/server/services/Files/strategies', () => ({
|
|
getStrategyFunctions: jest.fn(() => ({})),
|
|
}));
|
|
|
|
jest.mock('~/server/controllers/assistants/helpers', () => ({
|
|
getOpenAIClient: jest.fn(),
|
|
}));
|
|
|
|
jest.mock('~/server/services/Tools/credentials', () => ({
|
|
loadAuthValues: jest.fn(),
|
|
}));
|
|
|
|
jest.mock('~/server/services/Files/S3/crud', () => ({
|
|
refreshS3FileUrls: jest.fn(),
|
|
}));
|
|
|
|
jest.mock('~/cache', () => ({
|
|
getLogStores: jest.fn(() => ({
|
|
get: jest.fn(),
|
|
set: jest.fn(),
|
|
})),
|
|
}));
|
|
|
|
// Mock fs.promises.unlink to prevent file cleanup errors in tests
|
|
jest.mock('fs', () => {
|
|
const actualFs = jest.requireActual('fs');
|
|
return {
|
|
...actualFs,
|
|
promises: {
|
|
...actualFs.promises,
|
|
unlink: jest.fn().mockResolvedValue(undefined),
|
|
},
|
|
};
|
|
});
|
|
|
|
const { processAgentFileUpload } = require('~/server/services/Files/process');
|
|
|
|
// Import the router
|
|
const router = require('~/server/routes/files/files');
|
|
|
|
describe('File Routes - Agent Files Endpoint', () => {
|
|
let app;
|
|
let mongoServer;
|
|
let authorId;
|
|
let otherUserId;
|
|
let agentId;
|
|
let fileId1;
|
|
let fileId2;
|
|
let fileId3;
|
|
let File;
|
|
let User;
|
|
let Agent;
|
|
let methods;
|
|
let AclEntry;
|
|
// eslint-disable-next-line no-unused-vars
|
|
let AccessRole;
|
|
let modelsToCleanup = [];
|
|
|
|
beforeAll(async () => {
|
|
mongoServer = await MongoMemoryServer.create();
|
|
const mongoUri = mongoServer.getUri();
|
|
await mongoose.connect(mongoUri);
|
|
|
|
// Initialize all models using createModels
|
|
const { createModels } = require('@librechat/data-schemas');
|
|
const models = createModels(mongoose);
|
|
|
|
// Track which models we're adding
|
|
modelsToCleanup = Object.keys(models);
|
|
|
|
// Register models on mongoose.models so methods can access them
|
|
Object.assign(mongoose.models, models);
|
|
|
|
// Create methods with our test mongoose instance
|
|
methods = createMethods(mongoose);
|
|
|
|
// Now we can access models from the db/models
|
|
File = models.File;
|
|
Agent = models.Agent;
|
|
AclEntry = models.AclEntry;
|
|
User = models.User;
|
|
AccessRole = models.AccessRole;
|
|
|
|
// Seed default roles using our methods
|
|
await methods.seedDefaultRoles();
|
|
|
|
app = express();
|
|
app.use(express.json());
|
|
|
|
// Mock authentication middleware
|
|
app.use((req, res, next) => {
|
|
req.user = { id: otherUserId || 'default-user' };
|
|
req.app = { locals: {} };
|
|
next();
|
|
});
|
|
|
|
app.use('/files', router);
|
|
});
|
|
|
|
afterAll(async () => {
|
|
// Clean up all collections before disconnecting
|
|
const collections = mongoose.connection.collections;
|
|
for (const key in collections) {
|
|
await collections[key].deleteMany({});
|
|
}
|
|
|
|
// Clear only the models we added
|
|
for (const modelName of modelsToCleanup) {
|
|
if (mongoose.models[modelName]) {
|
|
delete mongoose.models[modelName];
|
|
}
|
|
}
|
|
|
|
await mongoose.disconnect();
|
|
await mongoServer.stop();
|
|
});
|
|
|
|
beforeEach(async () => {
|
|
// Clean up all test data
|
|
await File.deleteMany({});
|
|
await Agent.deleteMany({});
|
|
await User.deleteMany({});
|
|
await AclEntry.deleteMany({});
|
|
// Don't delete AccessRole as they are seeded defaults needed for tests
|
|
|
|
// Create test users
|
|
authorId = new mongoose.Types.ObjectId();
|
|
otherUserId = new mongoose.Types.ObjectId();
|
|
agentId = uuidv4();
|
|
fileId1 = uuidv4();
|
|
fileId2 = uuidv4();
|
|
fileId3 = uuidv4();
|
|
|
|
// Create users in database
|
|
await User.create({
|
|
_id: authorId,
|
|
username: 'author',
|
|
email: 'author@test.com',
|
|
});
|
|
|
|
await User.create({
|
|
_id: otherUserId,
|
|
username: 'other',
|
|
email: 'other@test.com',
|
|
});
|
|
|
|
// Create files
|
|
await createFile({
|
|
user: authorId,
|
|
file_id: fileId1,
|
|
filename: 'file1.txt',
|
|
filepath: '/uploads/file1.txt',
|
|
bytes: 100,
|
|
type: 'text/plain',
|
|
});
|
|
|
|
await createFile({
|
|
user: authorId,
|
|
file_id: fileId2,
|
|
filename: 'file2.txt',
|
|
filepath: '/uploads/file2.txt',
|
|
bytes: 200,
|
|
type: 'text/plain',
|
|
});
|
|
|
|
await createFile({
|
|
user: otherUserId,
|
|
file_id: fileId3,
|
|
filename: 'file3.txt',
|
|
filepath: '/uploads/file3.txt',
|
|
bytes: 300,
|
|
type: 'text/plain',
|
|
});
|
|
});
|
|
|
|
describe('GET /files/agent/:agent_id', () => {
|
|
it('should return files accessible through the agent for non-author with EDIT permission', async () => {
|
|
// Create an agent with files attached
|
|
const agent = await createAgent({
|
|
id: agentId,
|
|
name: 'Test Agent',
|
|
provider: 'openai',
|
|
model: 'gpt-4',
|
|
author: authorId,
|
|
tool_resources: {
|
|
file_search: {
|
|
file_ids: [fileId1, fileId2],
|
|
},
|
|
},
|
|
});
|
|
|
|
// Grant EDIT permission to user on the agent using PermissionService
|
|
const { grantPermission } = require('~/server/services/PermissionService');
|
|
await grantPermission({
|
|
principalType: PrincipalType.USER,
|
|
principalId: otherUserId,
|
|
resourceType: ResourceType.AGENT,
|
|
resourceId: agent._id,
|
|
accessRoleId: AccessRoleIds.AGENT_EDITOR,
|
|
grantedBy: authorId,
|
|
});
|
|
|
|
// Mock req.user for this request
|
|
app.use((req, res, next) => {
|
|
req.user = { id: otherUserId.toString() };
|
|
next();
|
|
});
|
|
|
|
const response = await request(app).get(`/files/agent/${agentId}`);
|
|
|
|
expect(response.status).toBe(200);
|
|
expect(Array.isArray(response.body)).toBe(true);
|
|
expect(response.body).toHaveLength(2);
|
|
expect(response.body.map((f) => f.file_id)).toContain(fileId1);
|
|
expect(response.body.map((f) => f.file_id)).toContain(fileId2);
|
|
});
|
|
|
|
it('should return 400 when agent_id is not provided', async () => {
|
|
const response = await request(app).get('/files/agent/');
|
|
|
|
expect(response.status).toBe(404); // Express returns 404 for missing route parameter
|
|
});
|
|
|
|
it('should return empty array for non-existent agent', async () => {
|
|
const response = await request(app).get('/files/agent/non-existent-agent');
|
|
|
|
expect(response.status).toBe(200);
|
|
expect(Array.isArray(response.body)).toBe(true);
|
|
expect(response.body).toEqual([]);
|
|
});
|
|
|
|
it('should return empty array when user only has VIEW permission', async () => {
|
|
// Create an agent with files attached
|
|
const agent = await createAgent({
|
|
id: agentId,
|
|
name: 'Test Agent',
|
|
provider: 'openai',
|
|
model: 'gpt-4',
|
|
author: authorId,
|
|
tool_resources: {
|
|
file_search: {
|
|
file_ids: [fileId1, fileId2],
|
|
},
|
|
},
|
|
});
|
|
|
|
// Grant only VIEW permission to user on the agent
|
|
const { grantPermission } = require('~/server/services/PermissionService');
|
|
await grantPermission({
|
|
principalType: PrincipalType.USER,
|
|
principalId: otherUserId,
|
|
resourceType: ResourceType.AGENT,
|
|
resourceId: agent._id,
|
|
accessRoleId: AccessRoleIds.AGENT_VIEWER,
|
|
grantedBy: authorId,
|
|
});
|
|
|
|
const response = await request(app).get(`/files/agent/${agentId}`);
|
|
|
|
expect(response.status).toBe(200);
|
|
expect(Array.isArray(response.body)).toBe(true);
|
|
expect(response.body).toEqual([]);
|
|
});
|
|
|
|
it('should return agent files for agent author', async () => {
|
|
// Create an agent with files attached
|
|
await createAgent({
|
|
id: agentId,
|
|
name: 'Test Agent',
|
|
provider: 'openai',
|
|
model: 'gpt-4',
|
|
author: authorId,
|
|
tool_resources: {
|
|
file_search: {
|
|
file_ids: [fileId1, fileId2],
|
|
},
|
|
},
|
|
});
|
|
|
|
// Create a new app instance with author authentication
|
|
const authorApp = express();
|
|
authorApp.use(express.json());
|
|
authorApp.use((req, res, next) => {
|
|
req.user = { id: authorId.toString() };
|
|
req.app = { locals: {} };
|
|
next();
|
|
});
|
|
authorApp.use('/files', router);
|
|
|
|
const response = await request(authorApp).get(`/files/agent/${agentId}`);
|
|
|
|
expect(response.status).toBe(200);
|
|
expect(Array.isArray(response.body)).toBe(true);
|
|
expect(response.body).toHaveLength(2);
|
|
});
|
|
|
|
it('should return files uploaded by other users to shared agent for author', async () => {
|
|
const anotherUserId = new mongoose.Types.ObjectId();
|
|
const otherUserFileId = uuidv4();
|
|
|
|
await User.create({
|
|
_id: anotherUserId,
|
|
username: 'another',
|
|
email: 'another@test.com',
|
|
});
|
|
|
|
await createFile({
|
|
user: anotherUserId,
|
|
file_id: otherUserFileId,
|
|
filename: 'other-user-file.txt',
|
|
filepath: '/uploads/other-user-file.txt',
|
|
bytes: 400,
|
|
type: 'text/plain',
|
|
});
|
|
|
|
// Create agent to include the file uploaded by another user
|
|
await createAgent({
|
|
id: agentId,
|
|
name: 'Test Agent',
|
|
provider: 'openai',
|
|
model: 'gpt-4',
|
|
author: authorId,
|
|
tool_resources: {
|
|
file_search: {
|
|
file_ids: [fileId1, otherUserFileId],
|
|
},
|
|
},
|
|
});
|
|
|
|
// Create a new app instance with author authentication
|
|
const authorApp = express();
|
|
authorApp.use(express.json());
|
|
authorApp.use((req, res, next) => {
|
|
req.user = { id: authorId.toString() };
|
|
req.app = { locals: {} };
|
|
next();
|
|
});
|
|
authorApp.use('/files', router);
|
|
|
|
const response = await request(authorApp).get(`/files/agent/${agentId}`);
|
|
|
|
expect(response.status).toBe(200);
|
|
expect(Array.isArray(response.body)).toBe(true);
|
|
expect(response.body).toHaveLength(2);
|
|
expect(response.body.map((f) => f.file_id)).toContain(fileId1);
|
|
expect(response.body.map((f) => f.file_id)).toContain(otherUserFileId);
|
|
});
|
|
});
|
|
|
|
describe('POST /files - Agent File Upload Permission Check', () => {
|
|
let agentCustomId;
|
|
|
|
beforeEach(async () => {
|
|
agentCustomId = `agent_${uuidv4().replace(/-/g, '').substring(0, 21)}`;
|
|
jest.clearAllMocks();
|
|
});
|
|
|
|
/**
|
|
* Helper to create an Express app with specific user context
|
|
*/
|
|
const createAppWithUser = (userId, userRole = SystemRoles.USER) => {
|
|
const testApp = express();
|
|
testApp.use(express.json());
|
|
|
|
// Mock multer - populate req.file
|
|
testApp.use((req, res, next) => {
|
|
if (req.method === 'POST') {
|
|
req.file = {
|
|
originalname: 'test.txt',
|
|
mimetype: 'text/plain',
|
|
size: 100,
|
|
path: '/tmp/test.txt',
|
|
};
|
|
req.file_id = uuidv4();
|
|
}
|
|
next();
|
|
});
|
|
|
|
testApp.use((req, res, next) => {
|
|
req.user = { id: userId.toString(), role: userRole };
|
|
req.app = { locals: {} };
|
|
req.config = { fileStrategy: 'local' };
|
|
next();
|
|
});
|
|
|
|
testApp.use('/files', router);
|
|
return testApp;
|
|
};
|
|
|
|
it('should deny file upload to agent when user has no permission', async () => {
|
|
// Create an agent owned by authorId
|
|
await createAgent({
|
|
id: agentCustomId,
|
|
name: 'Test Agent',
|
|
provider: 'openai',
|
|
model: 'gpt-4',
|
|
author: authorId,
|
|
});
|
|
|
|
const testApp = createAppWithUser(otherUserId);
|
|
|
|
const response = await request(testApp).post('/files').send({
|
|
endpoint: 'agents',
|
|
agent_id: agentCustomId,
|
|
tool_resource: 'context',
|
|
file_id: uuidv4(),
|
|
});
|
|
|
|
expect(response.status).toBe(403);
|
|
expect(response.body.error).toBe('Forbidden');
|
|
expect(response.body.message).toBe('Insufficient permissions to upload files to this agent');
|
|
expect(processAgentFileUpload).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it('should allow file upload to agent for agent author', async () => {
|
|
// Create an agent owned by authorId
|
|
await createAgent({
|
|
id: agentCustomId,
|
|
name: 'Test Agent',
|
|
provider: 'openai',
|
|
model: 'gpt-4',
|
|
author: authorId,
|
|
});
|
|
|
|
const testApp = createAppWithUser(authorId);
|
|
|
|
const response = await request(testApp).post('/files').send({
|
|
endpoint: 'agents',
|
|
agent_id: agentCustomId,
|
|
tool_resource: 'context',
|
|
file_id: uuidv4(),
|
|
});
|
|
|
|
expect(response.status).toBe(200);
|
|
expect(processAgentFileUpload).toHaveBeenCalled();
|
|
});
|
|
|
|
it('should allow file upload to agent for user with EDIT permission', async () => {
|
|
// Create an agent owned by authorId
|
|
const agent = await createAgent({
|
|
id: agentCustomId,
|
|
name: 'Test Agent',
|
|
provider: 'openai',
|
|
model: 'gpt-4',
|
|
author: authorId,
|
|
});
|
|
|
|
// Grant EDIT permission to otherUserId
|
|
const { grantPermission } = require('~/server/services/PermissionService');
|
|
await grantPermission({
|
|
principalType: PrincipalType.USER,
|
|
principalId: otherUserId,
|
|
resourceType: ResourceType.AGENT,
|
|
resourceId: agent._id,
|
|
accessRoleId: AccessRoleIds.AGENT_EDITOR,
|
|
grantedBy: authorId,
|
|
});
|
|
|
|
const testApp = createAppWithUser(otherUserId);
|
|
|
|
const response = await request(testApp).post('/files').send({
|
|
endpoint: 'agents',
|
|
agent_id: agentCustomId,
|
|
tool_resource: 'context',
|
|
file_id: uuidv4(),
|
|
});
|
|
|
|
expect(response.status).toBe(200);
|
|
expect(processAgentFileUpload).toHaveBeenCalled();
|
|
});
|
|
|
|
it('should deny file upload to agent for user with only VIEW permission', async () => {
|
|
// Create an agent owned by authorId
|
|
const agent = await createAgent({
|
|
id: agentCustomId,
|
|
name: 'Test Agent',
|
|
provider: 'openai',
|
|
model: 'gpt-4',
|
|
author: authorId,
|
|
});
|
|
|
|
// Grant only VIEW permission to otherUserId
|
|
const { grantPermission } = require('~/server/services/PermissionService');
|
|
await grantPermission({
|
|
principalType: PrincipalType.USER,
|
|
principalId: otherUserId,
|
|
resourceType: ResourceType.AGENT,
|
|
resourceId: agent._id,
|
|
accessRoleId: AccessRoleIds.AGENT_VIEWER,
|
|
grantedBy: authorId,
|
|
});
|
|
|
|
const testApp = createAppWithUser(otherUserId);
|
|
|
|
const response = await request(testApp).post('/files').send({
|
|
endpoint: 'agents',
|
|
agent_id: agentCustomId,
|
|
tool_resource: 'file_search',
|
|
file_id: uuidv4(),
|
|
});
|
|
|
|
expect(response.status).toBe(403);
|
|
expect(response.body.error).toBe('Forbidden');
|
|
expect(processAgentFileUpload).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it('should allow file upload for admin user regardless of agent ownership', async () => {
|
|
// Create an agent owned by authorId
|
|
await createAgent({
|
|
id: agentCustomId,
|
|
name: 'Test Agent',
|
|
provider: 'openai',
|
|
model: 'gpt-4',
|
|
author: authorId,
|
|
});
|
|
|
|
// Create app with admin user (otherUserId as admin)
|
|
const testApp = createAppWithUser(otherUserId, SystemRoles.ADMIN);
|
|
|
|
const response = await request(testApp).post('/files').send({
|
|
endpoint: 'agents',
|
|
agent_id: agentCustomId,
|
|
tool_resource: 'context',
|
|
file_id: uuidv4(),
|
|
});
|
|
|
|
expect(response.status).toBe(200);
|
|
expect(processAgentFileUpload).toHaveBeenCalled();
|
|
});
|
|
|
|
it('should return 404 when uploading to non-existent agent', async () => {
|
|
const testApp = createAppWithUser(otherUserId);
|
|
|
|
const response = await request(testApp).post('/files').send({
|
|
endpoint: 'agents',
|
|
agent_id: 'agent_nonexistent123456789',
|
|
tool_resource: 'context',
|
|
file_id: uuidv4(),
|
|
});
|
|
|
|
expect(response.status).toBe(404);
|
|
expect(response.body.error).toBe('Not Found');
|
|
expect(response.body.message).toBe('Agent not found');
|
|
expect(processAgentFileUpload).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it('should allow file upload without agent_id (message attachment)', async () => {
|
|
const testApp = createAppWithUser(otherUserId);
|
|
|
|
const response = await request(testApp).post('/files').send({
|
|
endpoint: 'agents',
|
|
file_id: uuidv4(),
|
|
// No agent_id or tool_resource - this is a message attachment
|
|
});
|
|
|
|
expect(response.status).toBe(200);
|
|
expect(processAgentFileUpload).toHaveBeenCalled();
|
|
});
|
|
|
|
it('should allow file upload with agent_id but no tool_resource (message attachment)', async () => {
|
|
// Create an agent owned by authorId
|
|
await createAgent({
|
|
id: agentCustomId,
|
|
name: 'Test Agent',
|
|
provider: 'openai',
|
|
model: 'gpt-4',
|
|
author: authorId,
|
|
});
|
|
|
|
const testApp = createAppWithUser(otherUserId);
|
|
|
|
const response = await request(testApp).post('/files').send({
|
|
endpoint: 'agents',
|
|
agent_id: agentCustomId,
|
|
file_id: uuidv4(),
|
|
// No tool_resource - permission check should not apply
|
|
});
|
|
|
|
expect(response.status).toBe(200);
|
|
expect(processAgentFileUpload).toHaveBeenCalled();
|
|
});
|
|
});
|
|
});
|