Merge branch 'dev' into emathew/testing

Author: emathew5

api-docs/openapi.json

@@ -1,7 +1,7 @@
 {
   "openapi": "3.0.2",
   "info": {
-    "version": "ur-v0.2.0-beta.3",
+    "version": "ur-v0.3.0",
     "title": "CVE Services API",
     "description": "The CVE Services API supports automation tooling for the CVE Program. Credentials are     required for most service endpoints. Representatives of     <a href='https://www.cve.org/ProgramOrganization/CNAs'>CVE Numbering Authorities (CNAs)</a> should     use one of the methods below to obtain credentials:    <ul><li>If your organization already has an Organizational Administrator (OA) account for the CVE     Services, ask your admin for credentials</li>     <li>Contact your Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/Google'>Google</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/INCIBE'>INCIBE</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/jpcert'>JPCERT/CC</a>, or     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/redhat'>Red Hat</a>) or     Top-Level Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/icscert'>CISA ICS</a>     or <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/mitre'>MITRE</a>) to request credentials     </ul>     <p>CVE data is to be in the JSON 5.2 CVE Record format. Details of the JSON 5.2 schema are     located <a href='https://github.com/CVEProject/cve-schema/releases/tag/v5.2.0' target='_blank'>here</a>.</p>    <a href='https://cveform.mitre.org/' class='link' target='_blank'>Contact the CVE Services team</a>",
     "contact": {

package-lock.json

@@ -1,7 +1,7 @@
 {
     "name": "cve-services",
     "author": "Automation Working Group",
-    "version": "ur-v0.2.0-beta.3",
+    "version": "ur-v0.3.0",
     "license": "(CC0)",
     "devDependencies": {
         "@faker-js/faker": "^7.6.0",

package.json

@@ -178,16 +178,13 @@ async function updateUser (req, res, next) {
 
 async function deleteUser (req, res, next) {
   try {
-    const userRepo = req.ctx.repositories.getUserRepository()
-    const orgRepo = req.ctx.repositories.getOrgRepository()
-    const registryUserRepo = req.ctx.repositories.getRegistryUserRepository()
+    const userRepo = req.ctx.repositories.getBaseUserRepository()
+    const orgRepo = req.ctx.repositories.getBaseOrgRepository()
     const userUUID = req.ctx.params.identifier
 
-    const user = await registryUserRepo.findOneByUUID(userUUID)
-
-    // TODO: check permissions
+    const user = await userRepo.findOneByUUID(userUUID)
 
-    await registryUserRepo.deleteByUUID(userUUID)
+    await userRepo.deleteByUUID(userUUID)
 
     const payload = {
       action: 'delete_registry_user',

src/controller/registry-user.controller/registry-user.controller.js

@@ -43,14 +43,15 @@ async function approveReviewObject (req, res, next) {
   const repo = req.ctx.repositories.getReviewObjectRepository()
   const userRepo = req.ctx.repositories.getBaseUserRepository()
   const UUID = req.params.uuid
+  const body = req.body
   const session = await mongoose.startSession()
   let value
 
   try {
     session.startTransaction()
     const requestingUserUUID = await userRepo.getUserUUID(req.ctx.user, req.ctx.org, { session })
 
-    value = await repo.approveReviewOrgObject(UUID, requestingUserUUID, { session })
+    value = await repo.approveReviewOrgObject(UUID, requestingUserUUID, { session }, body)
     await session.commitTransaction()
   } catch (updateErr) {
     await session.abortTransaction()

src/controller/review-object.controller/review-object.controller.js

@@ -44,8 +44,8 @@ async function optionallyValidateUser (req, res, next) {
   const org = req.ctx.org
   const user = req.ctx.user
   const key = req.ctx.key
-  const userRepo = req.ctx.repositories.getUserRepository()
-  const orgRepo = req.ctx.repositories.getOrgRepository()
+  const userRepo = req.ctx.repositories.getBaseUserRepository()
+  const orgRepo = req.ctx.repositories.getBaseOrgRepository()
   let authenticated = true
 
   try {
@@ -127,7 +127,7 @@ async function validateUser (req, res, next) {
       return res.status(401).json(error.unauthorized())
     }
 
-    const result = await userRepo.findOneByUsernameAndOrgUUID(user, orgUUID)
+    const result = await userRepo.findOneByUserNameAndOrgUUID(user, orgUUID)
     if (!result) {
       logger.warn(JSON.stringify({ uuid: req.ctx.uuid, message: 'User not found. User authentication FAILED for ' + user }))
       return res.status(401).json(error.unauthorized())
@@ -176,24 +176,6 @@ async function onlySecretariatOrBulkDownload (req, res, next) {
   }
 }
 
-async function onlySecretariatUserRegistry (req, res, next) {
-  const org = req.ctx.org
-  const registryOrgRepo = req.ctx.repositories.getRegistryOrgRepository()
-  const CONSTANTS = getConstants()
-
-  try {
-    const isSec = await registryOrgRepo.isSecretariat(org)
-    if (!isSec) {
-      logger.info({ uuid: req.ctx.uuid, message: org + ' is NOT a ' + CONSTANTS.AUTH_ROLE_ENUM.SECRETARIAT })
-      return res.status(403).json(error.secretariatOnly())
-    }
-    logger.info({ uuid: req.ctx.uuid, message: 'Confirmed ' + org + 'as a Secretariat' })
-    next()
-  } catch (err) {
-    next(err)
-  }
-}
-
 // Checks that the requester belongs to an org that has the 'SECRETARIAT' role
 
 async function onlySecretariat (req, res, next) {
@@ -577,7 +559,6 @@ module.exports = {
   onlySecretariat,
   onlySecretariatOrBulkDownload,
   onlySecretariatOrAdmin,
-  onlySecretariatUserRegistry,
   onlyCnas,
   onlyAdps,
   onlyOrgWithPartnerRole,

src/middleware/middleware.js

@@ -98,7 +98,7 @@ class BaseUserRepository extends BaseRepository {
     return user || null
   }
 
-  async findOneByUsernameAndOrgUUID (username, orgUUID, options = {}, isLegacyObject = false) {
+  async findOneByUserNameAndOrgUUID (username, orgUUID, options = {}, isLegacyObject = false) {
     const legacyUserRepo = new UserRepository()
     const users = await BaseUser.find({ username: username }, null, options)
     if (!users || users.length === 0) {
@@ -125,6 +125,34 @@ class BaseUserRepository extends BaseRepository {
     return user || null
   }
 
+  /**
+   * Delete a user by UUID from both BaseUser and RegistryUser collections,
+   * and remove the user reference from any organizations.
+   *
+   * @param {string} uuid - The UUID of the user to delete.
+   * @param {object} options - Mongoose options for the delete operations.
+   * @returns {Promise<number>} Number of deleted documents (should be 1 if successful).
+   */
+  async deleteUserByUUID (uuid, options = {}) {
+    // Delete from BaseUser collection
+    const deleteResult = await BaseUser.deleteOne({ UUID: uuid }, options)
+
+    // Delete from RegistryUser collection
+    await RegistryUser.deleteOne({ UUID: uuid }, options)
+
+    // Remove user from any organization’s users and admins arrays
+    const orgs = await BaseOrgModel.find({ $or: [{ users: uuid }, { admins: uuid }] })
+    for (const org of orgs) {
+      org.users = org.users.filter(u => u !== uuid)
+      if (Array.isArray(org.admins)) {
+        org.admins = org.admins.filter(a => a !== uuid)
+      }
+      await org.save({ options })
+    }
+
+    return deleteResult.deletedCount
+  }
+
   async getUserUUID (username, orgShortname, options = {}, isLegacyObject = false) {
     const user = await this.findOneByUsernameAndOrgShortname(username, orgShortname, options, isLegacyObject)
     if (user) {

src/repositories/baseUserRepository.js

@@ -2,6 +2,7 @@ const ReviewObjectModel = require('../model/reviewobject')
 const BaseRepository = require('./baseRepository')
 const BaseOrgRepository = require('./baseOrgRepository')
 const uuid = require('uuid')
+const _ = require('lodash')
 
 class ReviewObjectRepository extends BaseRepository {
   async findOneByOrgShortName (orgShortName, options = {}) {
@@ -115,7 +116,7 @@ class ReviewObjectRepository extends BaseRepository {
     return result.toObject()
   }
 
-  async approveReviewOrgObject (UUID, requestingUserUUID, options = {}) {
+  async approveReviewOrgObject (UUID, requestingUserUUID, options = {}, newReviewData) {
     console.log('Approving review object with UUID:', UUID)
     const reviewObject = await this.findOneByUUID(UUID, options)
     if (!reviewObject) {
@@ -129,13 +130,20 @@ class ReviewObjectRepository extends BaseRepository {
     }
 
     // We need to trigger the org to update
-    await baseOrgRepository.updateOrgFull(org.short_name, reviewObject.new_review_data, options, false, requestingUserUUID, false, true)
+    let dataToUpdate
+    if (newReviewData && Object.keys(newReviewData).length) {
+      dataToUpdate = _.merge(org.toObject(), newReviewData)
+    } else {
+      dataToUpdate = reviewObject.new_review_data
+    }
+    await baseOrgRepository.updateOrgFull(org.short_name, dataToUpdate, options, false, requestingUserUUID, false, true)
 
-    reviewObject.status = 'approved'
+    // Delete the review object after approval
+    await this.deleteReviewObjectByUUID(UUID, options)
 
-    await reviewObject.save({ options })
-    const result = reviewObject.toObject()
-    return result
+    // Return the updated organization
+    const updatedOrg = await baseOrgRepository.findOneByUUID(reviewObject.target_object_uuid, options)
+    return updatedOrg ? updatedOrg.toObject() : null
   }
 }
 

src/repositories/reviewObjectRepository.js

@@ -20,7 +20,7 @@ const fullCnaContainerRequest = require('../schemas/cve/create-cve-record-cna-re
 /* eslint-disable no-multi-str */
 const doc = {
   info: {
-    version: 'ur-v0.2.0-beta.3',
+    version: 'ur-v0.3.0',
     title: 'CVE Services API',
     description: "The CVE Services API supports automation tooling for the CVE Program. Credentials are \
     required for most service endpoints. Representatives of \

src/swagger.js

@@ -43,7 +43,7 @@ async function getUserUUID (userIdentifier, orgUUID, useRegistry = false, option
     return userDocument ? userDocument.UUID : null
   } else {
     const baseUserRepository = new BaseUserRepository()
-    const userDocument = await baseUserRepository.findOneByUsernameAndOrgUUID(userIdentifier, orgUUID, options)
+    const userDocument = await baseUserRepository.findOneByUserNameAndOrgUUID(userIdentifier, orgUUID, options)
     return userDocument ? userDocument.UUID : null
   }
 }
@@ -113,7 +113,7 @@ async function isAdmin (requesterUsername, requesterShortName, isRegistry = fals
 
   const baseUserRepository = new BaseUserRepository()
   if (requesterOrgUUID) {
-    const user = isRegistry ? await baseUserRepository.findOneByUsernameAndOrgUUID(requesterUsername, requesterOrgUUID) : await User.findOne().byUserNameAndOrgUUID(requesterUsername, requesterOrgUUID)
+    const user = isRegistry ? await baseUserRepository.findOneByUserNameAndOrgUUID(requesterUsername, requesterOrgUUID) : await User.findOne().byUserNameAndOrgUUID(requesterUsername, requesterOrgUUID)
 
     if (user) {
       if (isRegistry) {
@@ -135,7 +135,7 @@ async function isAdminUUID (requesterUsername, requesterOrgUUID, isRegistry = fa
   const baseOrgRepository = new BaseOrgRepository()
   if (requesterOrgUUID) {
     const orgObject = await baseOrgRepository.findOneByUUID(requesterOrgUUID, options)
-    const user = isRegistry ? await baseUserRepository.findOneByUsernameAndOrgUUID(requesterUsername, requesterOrgUUID) : await User.findOne().byUserNameAndOrgUUID(requesterUsername, requesterOrgUUID)
+    const user = isRegistry ? await baseUserRepository.findOneByUserNameAndOrgUUID(requesterUsername, requesterOrgUUID) : await User.findOne().byUserNameAndOrgUUID(requesterUsername, requesterOrgUUID)
 
     if (user && orgObject) {
       if (isRegistry) {