Merge pull request #1711 from CVEProject/dev

Updating Test from Dev

Author: jdaigneau5

api-docs/openapi.json

@@ -1,7 +1,7 @@
 {
   "openapi": "3.0.2",
-  "info": { 
-    "version": "2.7.0",
+  "info": {
+    "version": "2.7.1",
     "title": "CVE Services API",
     "description": "The CVE Services API supports automation tooling for the CVE Program. Credentials are     required for most service endpoints. Representatives of     <a href='https://www.cve.org/ProgramOrganization/CNAs'>CVE Numbering Authorities (CNAs)</a> should     use one of the methods below to obtain credentials:    <ul><li>If your organization already has an Organizational Administrator (OA) account for the CVE     Services, ask your admin for credentials</li>     <li>Contact your Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/Google'>Google</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/INCIBE'>INCIBE</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/jpcert'>JPCERT/CC</a>, or     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/redhat'>Red Hat</a>) or     Top-Level Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/icscert'>CISA ICS</a>     or <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/mitre'>MITRE</a>) to request credentials     </ul>     <p>CVE data is to be in the JSON 5.2 CVE Record format. Details of the JSON 5.2 schema are     located <a href='https://github.com/CVEProject/cve-schema/releases/tag/v5.2.0' target='_blank'>here</a>.</p>    <a href='https://cveform.mitre.org/' class='link' target='_blank'>Contact the CVE Services team</a>",
     "contact": {
@@ -2605,7 +2605,7 @@
           "Registry Organization"
         ],
         "summary": "Updates information about the organization specified by short name (accessible Temporarily to Secretariat only)",
-        "description": "  <h2>Access Control</h2>  <p>User must belong to an organization with the <b>Secretariat</b> role temporarily.</p>  <p>In the future, only the organization's admin will be able to request changes to its information.</p>  <p>With Joint Approval required for the following fields:</p>  <h2>Expected Behavior</h2>  <b>This endpoint expects a full organization object in the request body.</b>  <p><b>Secretariat:</b> Updates any organization's information</p>  <p><b>Organization Admin:</b> Requests changes to its organization's information</p>  <ul>  <li>short_name</li>  <li>long_name</li>  <li>authority</li>  <li>aliases</li>  <li>oversees</li>  <li>root_or_tlr</li>  <li>charter_or</li>  <li>product_list</li>  <li>disclosure_policy</li>  <li>contact_info.poc</li>  <li>contact_info.poc_email</li>  <li>contact_info.poc_phone</li>  <li>contact_info.org_email</li>  <li>cna_role_type</li>  <li>cna_country</li>  <li>vulnerability_advisory_locations</li>  <li>advisory_location_require_credentials</li>  <li>industry</li>  <li>tl_root_start_date</li>  <li>is_cna_discussion_list</li>  </ul>",
+        "description": "  <h2>Access Control</h2>  <p>User must belong to an organization with the <b>Secretariat</b> role temporarily.</p>  <p>In the future, only the organization's admin will be able to request changes to its information.</p>  <p>With Joint Approval required for the following fields:</p>  <h2>Expected Behavior</h2>  <b>This endpoint expects a full organization object in the request body.</b>  <p><b>Secretariat:</b> Updates any organization's information</p>  <p><b>Organization Admin:</b> Requests changes to its organization's information</p>  <ul>  <li>short_name</li>  <li>long_name</li>  <li>authority</li>  <li>aliases</li>  <li>oversees</li>  <li>root_or_tlr</li>  <li>charter_or_scope</li>  <li>product_list</li>  <li>disclosure_policy</li>  <li>contact_info.poc</li>  <li>contact_info.poc_email</li>  <li>contact_info.poc_phone</li>  <li>contact_info.org_email</li>  <li>cna_role_type</li>  <li>cna_country</li>  <li>vulnerability_advisory_locations</li>  <li>advisory_location_require_credentials</li>  <li>industry</li>  <li>tl_root_start_date</li>  <li>is_cna_discussion_list</li>  </ul>",
         "operationId": "orgUpdateSingle",
         "parameters": [
           {

package-lock.json

@@ -1,11 +1,10 @@
 {
     "name": "cve-services",
     "author": "Automation Working Group",
-    "version": "2.7.0",
+    "version": "2.7.1",
     "license": "(CC0)",
     "devDependencies": {
         "@faker-js/faker": "^7.6.0",
-        "apidoc": "^0.53.1",
         "chai": "^4.2.0",
         "chai-arrays": "^2.0.0",
         "chai-http": "^4.3.0",
@@ -21,7 +20,7 @@
         "eslint-plugin-node": "^11.0.0",
         "eslint-plugin-promise": "^4.2.1",
         "eslint-plugin-standard": "^4.0.1",
-        "mocha": "^10.1.0",
+        "mocha": "^10.8.2",
         "nyc": "^15.1.0",
         "sinon": "^15.0.4",
         "standard": "^16.0.3"
@@ -64,13 +63,8 @@
     "overrides": {
         "mongo-cursor-pagination": {
             "bson": "^6.10.1"
-        }
-    },
-    "apidoc": {
-        "name": "CVE-Services",
-        "version": "0.0.0",
-        "description": "Some Future Description",
-        "title": "CVE API Services"
+        },
+        "serialize-javascript": "^7.0.3"
     },
     "nyc": {
         "exclude": "test-utils/"

package.json

@@ -46,6 +46,15 @@
       "format": "date-time",
       "description": "Timestamp when the message was posted"
     },
+    "edited_at": {
+      "type": "string",
+      "format": "date-time",
+      "description": "Timestamp when the message was last edited"
+    },
+    "editor_id": {
+      "type": "string",
+      "description": "UUID of the user who last edited the message"
+    },
     "last_updated": {
       "type": "string",
       "format": "date-time",

schemas/conversation/conversation.json

@@ -0,0 +1,17 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://cve.mitre.org/schema/conversation/update-conversation-response.json",
+  "type": "object",
+  "title": "Update Conversation Response",
+  "description": "JSON Schema for the response when updating a conversation",
+  "properties": {
+    "message": {
+      "type": "string",
+      "description": "Response message"
+    },
+    "conversation": {
+      "$ref": "conversation.json",
+      "description": "The updated conversation message"
+    }
+  }
+}

schemas/conversation/update-conversation-response.json

@@ -44,8 +44,8 @@ function getConstants () {
     USER_ROLES: [
       'ADMIN'
     ],
-    JOINT_APPROVAL_FIELDS: ['short_name', 'long_name', 'authority', 'aliases', 'oversees', 'root_or_tlr', 'charter_or', 'product_list', 'disclosure_policy', 'contact_info.poc', 'contact_info.poc_email', 'contact_info.poc_phone', 'contact_info.org_email', 'cna_role_type', 'cna_country', 'vulnerability_advisory_locations', 'advisory_location_require_credentials', 'industry', 'tl_root_start_date', 'is_cna_discussion_list'],
-    JOINT_APPROVAL_FIELDS_LEGACY: ['short_name', 'name', 'authority.active_roles'],
+    JOINT_APPROVAL_FIELDS: ['short_name', 'long_name', 'authority', 'aliases', 'oversees', 'root_or_tlr', 'charter_or_scope', 'product_list', 'disclosure_policy', 'contact_info.poc', 'contact_info.poc_email', 'contact_info.poc_phone', 'contact_info.org_email', 'cna_role_type', 'cna_country', 'vulnerability_advisory_locations', 'advisory_location_require_credentials', 'industry', 'tl_root_start_date', 'is_cna_discussion_list', 'hard_quota'],
+    JOINT_APPROVAL_FIELDS_LEGACY: ['short_name', 'name', 'authority.active_roles', 'policies.id_quota'],
     USER_ROLE_ENUM: {
       ADMIN: 'ADMIN'
     },

src/constants/index.js

@@ -549,7 +549,7 @@ router.put('/registry/org/:shortname',
           <li>aliases</li>
           <li>oversees</li>
           <li>root_or_tlr</li>
-          <li>charter_or</li>
+          <li>charter_or_scope</li>
           <li>product_list</li>
           <li>disclosure_policy</li>
           <li>contact_info.poc</li>
@@ -1079,6 +1079,81 @@ router.post('/registry/org/:shortname/user/:username/revoke-role',
   registryUserController.REVOKE_ROLE
 )
 
+router.put('/registry/org/:shortname/conversation/:index',
+  /*
+  #swagger.tags = ['Registry Organization']
+  #swagger.operationId = 'registryUserUpdateConversation'
+  #swagger.summary = "Update the conversation at the given index for the given organization (accessible to Secretariat or Org Admin)"
+  #swagger.description = "
+        <h2>Access Control</h2>
+        <p>User must belong to an organization with the <b>Secretariat</b> role or be an <b>Admin</b> of the organization</p>
+        <h2>Expected Behavior</h2>
+        <p><b>Admin User:</b> Allowed to update only the message body of any conversation posted by them</p>
+        <p><b>Secretariat:</b> Allowed to update the message body and/or visibility of any conversation</p>"
+  #swagger.parameters['shortname'] = { description: 'The shortname of the organization' }
+  #swagger.parameters['index'] = { description: 'The index of the conversation to update' }
+  #swagger.parameters['$ref'] = [
+    '#/components/parameters/apiEntityHeader',
+    '#/components/parameters/apiUserHeader',
+    '#/components/parameters/apiSecretHeader'
+  ]
+  #swagger.responses[200] = {
+    description: 'Returns the updated conversation',
+    content: {
+      "application/json": {
+        schema: { $ref: '../schemas/conversation/update-conversation-response.json' }
+      }
+    }
+  }
+  #swagger.responses[400] = {
+    description: 'Bad Request',
+    content: {
+      "application/json": {
+        schema: { $ref: '../schemas/errors/bad-request.json' }
+      }
+    }
+  }
+  #swagger.responses[401] = {
+    description: 'Not Authenticated',
+    content: {
+      "application/json": {
+        schema: { $ref: '../schemas/errors/generic.json' }
+      }
+    }
+  }
+  #swagger.responses[403] = {
+    description: 'Forbidden',
+    content: {
+      "application/json": {
+        schema: { $ref: '../schemas/errors/generic.json' }
+      }
+    }
+  }
+  #swagger.responses[404] = {
+    description: 'Not Found',
+    content: {
+      "application/json": {
+        schema: { $ref: '../schemas/errors/generic.json' }
+      }
+    }
+  }
+  #swagger.responses[500] = {
+    description: 'Internal Server Error',
+    content: {
+      "application/json": {
+        schema: { $ref: '../schemas/errors/generic.json' }
+      }
+    }
+  }
+  */
+  mw.useRegistry(),
+  mw.validateUser,
+  mw.onlyOrgWithPartnerRole,
+  parseError,
+  parsePostParams,
+  registryOrgController.EDIT_CONVERSATION
+)
+
 router.get('/org',
   /*
   #swagger.tags = ['Organization']

src/controller/org.controller/index.js

@@ -199,36 +199,27 @@ async function getUser (req, res, next) {
  */
 async function getOrgIdQuota (req, res, next) {
   try {
-    const session = await mongoose.startSession()
     const orgRepo = req.ctx.repositories.getBaseOrgRepository()
     const requesterOrgShortName = req.ctx.org
     const shortName = req.ctx.params.shortname
 
-    try {
-      session.startTransaction()
-      const requesterOrg = await orgRepo.findOneByShortName(requesterOrgShortName, { session })
-      const isSecretariat = await orgRepo.isSecretariat(requesterOrg, !req.useRegistry)
-
-      if (requesterOrgShortName !== shortName && !isSecretariat) {
-        logger.info({ uuid: req.ctx.uuid, message: shortName + ' organization id quota can only be viewed by the users of the same organization or the Secretariat.' })
-        return res.status(403).json(error.notSameOrgOrSecretariat())
-      }
+    const requesterOrg = await orgRepo.findOneByShortName(requesterOrgShortName)
+    const isSecretariat = await orgRepo.isSecretariat(requesterOrg, !req.useRegistry)
 
-      const org = await orgRepo.getOrg(shortName, false, { session }, !req.useRegistry)
-      if (!org) { // a null org can only happen if the requestor is the Secretariat
-        logger.info({ uuid: req.ctx.uuid, message: shortName + ' organization does not exist.' })
-        return res.status(404).json(error.orgDnePathParam(shortName))
-      }
+    if (requesterOrgShortName !== shortName && !isSecretariat) {
+      logger.info({ uuid: req.ctx.uuid, message: shortName + ' organization id quota can only be viewed by the users of the same organization or the Secretariat.' })
+      return res.status(403).json(error.notSameOrgOrSecretariat())
+    }
 
-      const returnPayload = await orgRepo.getOrgIdQuota(org, !req.useRegistry)
-      logger.info({ uuid: req.ctx.uuid, message: 'The organization\'s id quota was returned to the user.', details: returnPayload })
-      return res.status(200).json(returnPayload)
-    } catch (error) {
-      await session.abortTransaction()
-      throw error
-    } finally {
-      await session.endSession()
+    const org = await orgRepo.getOrg(shortName, false, {}, !req.useRegistry)
+    if (!org) { // a null org can only happen if the requestor is the Secretariat
+      logger.info({ uuid: req.ctx.uuid, message: shortName + ' organization does not exist.' })
+      return res.status(404).json(error.orgDnePathParam(shortName))
     }
+
+    const returnPayload = await orgRepo.getOrgIdQuota(org, !req.useRegistry)
+    logger.info({ uuid: req.ctx.uuid, message: 'The organization\'s id quota was returned to the user.', details: returnPayload })
+    return res.status(200).json(returnPayload)
   } catch (err) {
     next(err)
   }
@@ -301,8 +292,6 @@ async function createOrg (req, res, next) {
       org: returnValue
     }
 
-    // const userRepo = req.ctx.repositories.getUserRepository()
-    // payload.user_UUID = await userRepo.getUserUUID(req.ctx.user, payload.org_UUID)
     logger.info(JSON.stringify(payload))
     return res.status(200).json(responseMessage)
   } catch (err) {
@@ -664,7 +653,7 @@ async function updateUser (req, res, next) {
  */
 async function resetSecret (req, res, next) {
   try {
-    const session = await mongoose.startSession()
+    const session = await mongoose.startSession({ causalConsistency: false })
     const requesterOrgShortName = req.ctx.org
     const requesterUsername = req.ctx.user
     const targetOrgShortName = req.ctx.params.shortname

src/controller/org.controller/org.controller.js

@@ -333,7 +333,6 @@ const QUERY_PARAMETERS = {
 }
 
 function parsePutParams (req, res, next) {
-  console.log('DEBUG: parsePutParams req.body:', JSON.stringify(req.body))
   req.body = utils.deepRemoveEmpty(req.body)
   utils.reqCtxMapping(req, 'body', [])
   // Extract all possible query parameters

src/controller/org.controller/org.middleware.js

@@ -91,6 +91,34 @@ class RegistryOrgControllerError extends idrErr.IDRError {
     err.message = 'The requested user can not be created and added to the organization because the organization has hit its limit of 100 users. Contact the Secretariat.'
     return err
   }
+
+  conversationDne (shortname, index) {
+    const err = {}
+    err.error = 'CONVERSATION_DNE'
+    err.message = `The conversation at index ${index} does not exist for the ${shortname} organization.`
+    return err
+  }
+
+  notAllowedToEditConversation () {
+    const err = {}
+    err.error = 'NOT_ALLOWED_TO_EDIT_CONVERSATION'
+    err.message = 'You must be the original author or Secretariat to edit this conversation.'
+    return err
+  }
+
+  notAllowedToChangeConversationVisibility () {
+    const err = {}
+    err.error = 'NOT_ALLOWED_TO_CHANGE_CONVERSATION_VISIBILITY'
+    err.message = 'Only the Secretariat is allowed to change the visibility of a conversation.'
+    return err
+  }
+
+  invalidConversationObject () {
+    const err = {}
+    err.error = 'BAD_INPUT'
+    err.message = 'Parameters were invalid: conversation must be an object with a body.'
+    return err
+  }
 }
 
 module.exports = {