feat: impl MVP of new authz API

This adds a new API for authorization, defined in `src/middleware/authz.js`,
which is centered around two key functions: `authz` and `authzLevel`. Each
returns a middleware function which applies the requested authorization
checks. For `authz`, if the authorization checks fail, then the request
fails. For `authzLevel`, if the authorization checks fail, then the request
continues but without an authorization level being set on the request
context.

In addition to these top-level APIs, this introduces a set of pre-defined
checks, plus two check combinators, which collectively will enable
CVE Services endpoints to define the authorization checks they require,
all in one place.

This is intended to replace the combination of existing authorization
middleware functions and ad-hoc authorization checks performed throughout
a number of endpoints. This commit *does not* include any replacement of
existing authorization checks, only the introduction of the new API.

We also shim the method Set.prototype.intersection.

The Set.prototype.intersection method was added to the Set
type in Node.js version 22. Currently, CVE Services uses an
older version of Node and so we need this shim to ensure
the API runs.

We are planning to upgrade to Node 24 soon, in which case
this shim will become unecessary.

This also includes initial, bare-bones tests for the new authz
API. As we continue to work to integrate the new API into more
endpoints, we'll expand the testing here to be more thorough.

Mocha doesn't isolate tests in their own process, which means when
the tests are running they're actually all sharing a singleton
instance of the Express app. This is a problem for the authz
testing specifically, because it modifies a piece of global
state (`useNewAuthzApi`) to select at runtime whether to use
the old or new versions of the authorization API.

To deal with this, this commit also ensures that authz tests
are isolated in their own, separate run of Mocha.

Signed-off-by: Andrew Lilley Brinker <abrinker@mitre.org>

Author: alilleybrinker

package-lock.json

@@ -54,6 +54,7 @@
         "prompt-sync": "^4.2.0",
         "replace-in-file": "6.3.5",
         "replace-json-property": "^1.8.0",
+        "set.prototype.intersection": "^1.1.8",
         "swagger-autogen": "^2.19.0",
         "swagger-ui-express": "^4.3.0",
         "uuid": "^8.3.2",
@@ -99,8 +100,8 @@
         "start:prd": "node src/swagger.js && NODE_ENV=production node src/scripts/updateOpenapiHost.js && NODE_ENV=production node src/index.js",
         "swagger-autogen": "node src/swagger.js",
         "test": "NODE_ENV=test mocha --recursive --exit || true",
-        "test:integration": "NODE_ENV=test node-dev src/scripts/populate.mjs y; NODE_ENV=test MONGO_CONN_STRING=mongodb://docdb:27017 MONGO_DB_NAME=cve_test node-dev src/scripts/migrate.js; NODE_ENV=test mocha test/integration-tests --recursive --exit",
-        "test:integration-local": "NODE_ENV=test node-dev src/scripts/populate.mjs y; NODE_ENV=test MONGO_CONN_STRING=mongodb://localhost:27017 MONGO_DB_NAME=cve_test node-dev src/scripts/migrate.js; NODE_ENV=test mocha test/integration-tests --recursive --exit",
+        "test:integration": "NODE_ENV=test node-dev src/scripts/populate.mjs y; NODE_ENV=test MONGO_CONN_STRING=mongodb://docdb:27017 MONGO_DB_NAME=cve_test node-dev src/scripts/migrate.js; NODE_ENV=test mocha test/integration-tests --exclude test/integration-tests/cve/authzValidation.js --recursive --exit && NODE_ENV=test mocha test/integration-tests/cve/authzValidation.js --recursive --exit",
+        "test:integration-local": "NODE_ENV=test node-dev src/scripts/populate.mjs y; NODE_ENV=test MONGO_CONN_STRING=mongodb://localhost:27017 MONGO_DB_NAME=cve_test node-dev src/scripts/migrate.js; NODE_ENV=test mocha test/integration-tests --exclude test/integration-tests/cve/authzValidation.js --recursive --exit && NODE_ENV=test mocha test/integration-tests/cve/authzValidation.js --recursive --exit",
         "test:unit-tests": "NODE_ENV=test mocha test/unit-tests --recursive --exit || true",
         "test:coverage": "NODE_ENV=test nyc --reporter=text mocha src/* --recursive --exit || true",
         "test:coverage-html": "NODE_ENV=test nyc --reporter=html mocha src/* --recursive --exit || true",

package.json

@@ -8,7 +8,20 @@ const mw = require('../../middleware/middleware')
 const errorMsgs = require('../../middleware/errorMessages')
 const controller = require('./cve.controller')
 const { body, param, query } = require('express-validator')
-const { parseGetParams, parsePostParams, parseError, validateCveCnaContainerJsonSchema, validateCveAdpContainerJsonSchema, validateRejectBody, validateUniqueEnglishEntry, validateDescription, validateDatePublic, validateTimelineDates, validatePURL } = require('./cve.middleware')
+const {
+  parseGetParams,
+  parsePostParams,
+  parseError,
+  validateCveCnaContainerJsonSchema,
+  validateCveAdpContainerJsonSchema,
+  validateRejectBody,
+  validateUniqueEnglishEntry,
+  validateDescription,
+  validateDatePublic,
+  validateTimelineDates,
+  validatePURL
+} = require('./cve.middleware')
+const { authz, orgHasRole, OrgRoles } = require('../../middleware/authz')
 const getConstants = require('../../constants').getConstants
 const CONSTANTS = getConstants()
 const CHOICES = [CONSTANTS.CVE_STATES.REJECTED, CONSTANTS.CVE_STATES.PUBLISHED]
@@ -584,6 +597,10 @@ router.put('/cve/:id',
   }
   */
   mw.validateUser,
+  mw.authzApiSelector({
+    oldAuthz: mw.onlySecretariat,
+    newAuthz: authz(orgHasRole(OrgRoles.SECRETARIAT))
+  }),
   mw.onlySecretariat,
   mw.trimJSONWhitespace,
   mw.validateCveJsonSchema,

src/controller/cve.controller/index.js

@@ -46,6 +46,9 @@ app.use((req, res, next) => {
   res.status(404).json(error.notFound())
 })
 
+// TODO(alilleybrinker): Remove this when done testing the new Authz API.
+app.set('useNewAuthzApi', false)
+
 // Connect to MongoDB database
 const dbConnectionStr = dbUtils.getMongoConnectionString()
 const dbConnectionOptions = dbUtils.getMongoConnectionOptions()