Merge branch 'dev' into emathew/fix-org-get-single-test

Author: david-rocca

src/controller/org.controller/index.js

@@ -79,6 +79,18 @@ router.post('/registry/org/:shortname/user',
   mw.validateUser,
   mw.onlySecretariatOrAdmin,
   mw.onlyOrgWithPartnerRole,
+  param(['shortname']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
+  body(['org_uuid']).optional().isString().trim(),
+  body(['uuid']).optional().isString().trim(),
+  body(['name.first']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_FIRSTNAME_LENGTH }).withMessage(errorMsgs.FIRSTNAME_LENGTH),
+  body(['name.last']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_LASTNAME_LENGTH }).withMessage(errorMsgs.LASTNAME_LENGTH),
+  body(['name.middle']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_MIDDLENAME_LENGTH }).withMessage(errorMsgs.MIDDLENAME_LENGTH),
+  body(['name.suffix']).optional().isString().trim().isLength({ max: CONSTANTS.MAX_SUFFIX_LENGTH }).withMessage(errorMsgs.SUFFIX_LENGTH),
+  body(['authority.active_roles']).optional()
+    .custom(mw.isFlatStringArray)
+    .bail()
+    .customSanitizer(toUpperCaseArray)
+    .custom(isUserRole),
   parseError,
   parsePostParams,
   controller.USER_CREATE_SINGLE

src/controller/org.controller/org.controller.js

@@ -281,7 +281,7 @@ async function createOrg (req, res, next) {
     const body = req.ctx.body
     let returnValue
     // Do not allow the user to pass in a UUID
-    if (body?.UUID ?? null) return res.status(400).json(error.uuidProvided('org'))
+    if ((body?.UUID ?? null) || (body?.uuid ?? null)) return res.status(400).json(error.uuidProvided('org'))
 
     try {
       session.startTransaction()
@@ -441,14 +441,26 @@ async function createUser (req, res, next) {
   try {
     const body = req.ctx.body
     const userRepo = req.ctx.repositories.getBaseUserRepository()
+    const orgRepo = req.ctx.repositories.getBaseOrgRepository()
     const orgShortName = req.ctx.params.shortname
     let returnValue
 
+    // Check to make sure Org Exists first
+    const orgUUID = await orgRepo.getOrgUUID(orgShortName)
+    if (!orgUUID) {
+      logger.info({ uuid: req.ctx.uuid, message: 'The user could not be created because ' + orgShortName + ' organization does not exist.' })
+      return res.status(404).json(error.orgDnePathParam(orgShortName))
+    }
+
     // Do not allow the user to pass in a UUID
-    if (body?.UUID ?? null) {
+    if ((body?.UUID ?? null) || (body?.uuid ?? null)) {
       return res.status(400).json(error.uuidProvided('user'))
     }
 
+    if ((body?.org_UUID ?? null) || (body?.org_uuid ?? null)) {
+      return res.status(400).json(error.uuidProvided('org'))
+    }
+
     try {
       session.startTransaction()
       if (req.useRegistry) {
@@ -461,6 +473,10 @@ async function createUser (req, res, next) {
           await session.abortTransaction()
           return res.status(400).json({ message: 'Parameters were invalid', errors: result.errors })
         }
+      } else {
+        if (!body?.username || typeof body?.username !== 'string' || !body?.username.length > 0) {
+          return res.status(400).json({ message: 'Parameters were invalid', details: [{ param: 'username', msg: 'Parameter must be a non empty string' }] })
+        }
       }
 
       // Ask repo if user already exists
@@ -476,7 +492,7 @@ async function createUser (req, res, next) {
       }
 
       const users = await userRepo.findUsersByOrgShortname(orgShortName, { session })
-      if (users.toObject().length >= 100) {
+      if (users.length >= 100) {
         await session.abortTransaction()
         return res.status(400).json(error.userLimitReached())
       }
@@ -552,6 +568,19 @@ async function updateUser (req, res, next) {
       return res.status(404).json(error.orgDnePathParam(shortNameParams))
     }
 
+    if (shortNameParams !== requesterShortName && !isRequesterSecretariat) {
+      logger.info({ uuid: req.ctx.uuid, message: `${shortNameParams} organization data can only be modified by users of the same organization or the Secretariat.` })
+      await session.abortTransaction()
+      return res.status(403).json(error.notSameOrgOrSecretariat())
+    }
+
+    // Specific check for org_short_name (Secretariat only)
+    if (queryParametersJson.org_short_name && !isRequesterSecretariat) {
+      logger.info({ uuid: req.ctx.uuid, message: 'Only Secretariat can reassign user organization.' })
+      await session.abortTransaction()
+      return res.status(403).json(error.notAllowedToChangeOrganization())
+    }
+
     if (!isRequesterSecretariat && !isAdmin) {
       if (targetUserUUID !== requesterUUID) {
         if (!targetUserUUID) {
@@ -565,29 +594,41 @@ async function updateUser (req, res, next) {
       }
     }
 
-    if (!targetUserUUID) {
-      logger.info({ uuid: req.ctx.uuid, message: 'User DNE' })
-      await session.abortTransaction()
-      return res.status(404).json(error.userDne(usernameParams))
+    const newOrgShortNameToMoveTo = queryParametersJson.org_short_name
+
+    if (newOrgShortNameToMoveTo) {
+      if (newOrgShortNameToMoveTo === shortNameParams) {
+        logger.info({ uuid: req.ctx.uuid, message: `User ${usernameParams} is already in organization ${newOrgShortNameToMoveTo}.` })
+        await session.abortTransaction()
+        return res.status(403).json(error.alreadyInOrg(newOrgShortNameToMoveTo, usernameParams))
+      }
+
+      const newTargetRegistryOrgUUID = await orgRepo.getOrgUUID(newOrgShortNameToMoveTo, { session })
+
+      if (!newTargetRegistryOrgUUID) {
+        logger.info({ uuid: req.ctx.uuid, message: `New target organization ${newOrgShortNameToMoveTo} does not exist.` })
+        await session.abortTransaction()
+        return res.status(404).json(error.orgDne(newOrgShortNameToMoveTo, 'org_short_name', 'query'))
+      }
     }
 
-    if (shortNameParams !== requesterShortName && !isRequesterSecretariat) {
-      logger.info({ uuid: req.ctx.uuid, message: `${shortNameParams} organization data can only be modified by users of the same organization or the Secretariat.` })
-      await session.abortTransaction()
-      return res.status(403).json(error.notSameOrgOrSecretariat())
+    if (queryParametersJson.active) {
+      if (requesterUUID === targetUserUUID) {
+        await session.abortTransaction()
+        return res.status(403).json(error.notOrgAdminOrSecretariatUpdate())
+      }
     }
 
-    if (await userRepo.orgHasUser(shortNameParams, targetUserUUID, { session })) {
-      logger.info({ uuid: req.ctx.uuid, message: `User ${usernameParams} does not exist for ${shortNameParams} organization.` })
+    if (!targetUserUUID) {
+      logger.info({ uuid: req.ctx.uuid, message: 'User DNE' })
       await session.abortTransaction()
       return res.status(404).json(error.userDne(usernameParams))
     }
 
-    // Specific check for org_short_name (Secretariat only)
-    if (queryParametersJson.org_short_name && !isRequesterSecretariat) {
-      logger.info({ uuid: req.ctx.uuid, message: 'Only Secretariat can reassign user organization.' })
+    if (!await userRepo.orgHasUserByUUID(shortNameParams, targetUserUUID, { session })) {
+      logger.info({ uuid: req.ctx.uuid, message: `User ${usernameParams} does not exist for ${shortNameParams} organization.` })
       await session.abortTransaction()
-      return res.status(403).json(error.notAllowedToChangeOrganization())
+      return res.status(404).json(error.userDne(usernameParams))
     }
 
     // General permission check for fields requiring admin/secretariat
@@ -609,13 +650,6 @@ async function updateUser (req, res, next) {
       }
     }
 
-    if (queryParametersJson.active) {
-      if (requesterUUID === targetUserUUID) {
-        await session.abortTransaction()
-        return res.status(403).json(error.notOrgAdminOrSecretariatUpdate())
-      }
-    }
-
     // This is a special case, and needs to be handled in the controller, and not in the repository
     const rolesFromQuery = queryParametersJson['active_roles.remove'] ?? []
     const removeRolesCollector = []
@@ -633,25 +667,7 @@ async function updateUser (req, res, next) {
       }
     }
 
-    const newOrgShortNameToMoveTo = queryParametersJson.org_short_name
-
-    if (newOrgShortNameToMoveTo) {
-      if (newOrgShortNameToMoveTo === shortNameParams) {
-        logger.info({ uuid: req.ctx.uuid, message: `User ${usernameParams} is already in organization ${newOrgShortNameToMoveTo}.` })
-        await session.abortTransaction()
-        return res.status(403).json(error.alreadyInOrg(newOrgShortNameToMoveTo, usernameParams))
-      }
-
-      const newTargetRegistryOrgUUID = await orgRepo.getOrgUUID(newOrgShortNameToMoveTo, { session })
-
-      if (!newTargetRegistryOrgUUID) {
-        logger.info({ uuid: req.ctx.uuid, message: `New target organization ${newOrgShortNameToMoveTo} does not exist.` })
-        await session.abortTransaction()
-        return res.status(404).json(error.orgDne(newOrgShortNameToMoveTo, 'org_short_name', 'query'))
-      }
-    }
-
-    const payload = await userRepo.updateUser(usernameParams, shortNameParams, queryParametersJson, { session })
+    const payload = await userRepo.updateUser(usernameParams, shortNameParams, queryParametersJson, { session }, !req.useRegistry)
     await session.commitTransaction()
     return res.status(200).json({ message: `${usernameParams} was successfully updated.`, updated: payload })
   } catch (err) {
@@ -707,24 +723,29 @@ async function resetSecret (req, res, next) {
       const requesterUserUUID = await userRepo.getUserUUID(requesterUsername, requesterOrgShortName, { session }, !req.useRegistry)
 
       const isRequesterSecretariat = await orgRepo.isSecretariatByShortName(requesterOrgShortName, { session })
-      // const isAdmin = await userRepo.isAdmin(requesterUsername, targetOrgShortName, { session })
-      if (!isRequesterSecretariat && (requesterOrgShortName !== targetOrgShortName)) {
+
+      if (!isRequesterSecretariat) {
+        // If they are in the same organization, they must be the target user themselves OR an admin of the target org.
+
+        // 1. WE are not the same user
         if (requesterUserUUID !== targetUserUUID) {
-          logger.info({ uuid: req.ctx.uuid, message: 'The api secret can only be reset by the Secretariat, an Org admin or if the requester is the user.' })
-          await session.abortTransaction()
-          return res.status(403).json(error.notSameUserOrSecretariat())
+          // Check to see if we are the admin of the target organization
+          const isAdminOfTargetOrg = await userRepo.isAdmin(requesterUsername, targetOrgShortName, { session })
+          // The tests say we have to check the org next:
+          if (requesterOrgShortName !== targetOrgShortName && !isAdminOfTargetOrg) {
+            logger.info({ uuid: req.ctx.uuid, message: 'The api secret can only be reset by the Secretariat, an Org admin or if the requester is the user.' })
+            await session.abortTransaction()
+            return res.status(403).json(error.notSameOrgOrSecretariat())
+          }
+
+          if (!isAdminOfTargetOrg) {
+            logger.info({ uuid: req.ctx.uuid, message: 'The api secret can only be reset by the Secretariat, an Org admin or if the requester is the user.' })
+            await session.abortTransaction()
+            return res.status(403).json(error.notSameUserOrSecretariat())
+          }
         }
-        logger.info({ uuid: req.ctx.uuid, message: 'The api secret can only be reset by the Secretariat, an Org admin or if the requester is the user.' })
-        await session.abortTransaction()
-        return res.status(403).json(error.notSameOrgOrSecretariat())
-      }
-      // Check if requester is either admin of target org or secretariat, or is same as target user
-      const isAdminOrSecretariat = await userRepo.isAdminOrSecretariat(targetOrgShortName, requesterUsername, requesterOrgShortName, { session }, !req.useRegistry)
-      if (!isAdminOrSecretariat && (requesterUserUUID !== targetUserUUID)) {
-        logger.info({ uuid: req.ctx.uuid, message: 'The api secret can only be reset by the Secretariat, an Org admin or if the requester is the user.' })
-        await session.abortTransaction()
-        return res.status(403).json(error.notSameUserOrSecretariat())
       }
+
       const updatedSecret = await userRepo.resetSecret(targetUsername, targetOrgShortName, { session }, !req.useRegistry)
 
       logger.info({ uuid: req.ctx.uuid, message: `The API secret was successfully reset and sent to ${targetUsername}` })

src/middleware/schemas/BulkDownloadOrg.json

@@ -1,11 +1,11 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
-  "$id": "https://cve.org/schemas/org/bulkdownload",
+  "$id": "BaseOrg",
   "type": "object",
   "title": "CVE Bulk Download Organization",
   "description": "Schema for a CVE Bulk Download Organization",
   "allOf": [
-    { "$ref": "/schemas/org/base" },
+    { "$ref": "BaseOrg" },
     {
       "properties": {
         "authority": {

src/model/adporg.js

@@ -24,6 +24,6 @@ ADPSchema.statics.validateOrg = function (record) {
   }
   return validateObject
 }
-const CNAOrg = BaseOrg.discriminator('ADPOrg', ADPSchema, options)
+const ADPOrg = BaseOrg.discriminator('ADPOrg', ADPSchema, options)
 
-module.exports = CNAOrg
+module.exports = ADPOrg

src/model/bulkdownloadorg.js

@@ -0,0 +1,29 @@
+const mongoose = require('mongoose')
+const BaseOrg = require('./baseorg')
+const fs = require('fs')
+const Ajv = require('ajv')
+const addFormats = require('ajv-formats')
+const BaseOrgSchema = JSON.parse(fs.readFileSync('src/middleware/schemas/BaseOrg.json'))
+const BulkDownloadOrgSchema = JSON.parse(fs.readFileSync('src/middleware/schemas/BulkDownloadOrg.json'))
+const ajv = new Ajv({ allErrors: false })
+addFormats(ajv)
+ajv.addSchema(BaseOrgSchema)
+
+const validate = ajv.compile(BulkDownloadOrgSchema)
+
+const schema = {}
+
+const options = { discriminatorKey: 'kind' }
+const BulkDownloadSchema = new mongoose.Schema(schema, options)
+BulkDownloadSchema.statics.validateOrg = function (record) {
+  const validateObject = {}
+  validateObject.isValid = validate(record)
+
+  if (!validateObject.isValid) {
+    validateObject.errors = validate.errors
+  }
+  return validateObject
+}
+const BulkDownloadOrg = BaseOrg.discriminator('BulkDownloadOrg', BulkDownloadSchema, options)
+
+module.exports = BulkDownloadOrg

src/repositories/baseOrgRepository.js

@@ -2,6 +2,7 @@ const BaseRepository = require('./baseRepository')
 const BaseOrgModel = require('../model/baseorg')
 const CNAOrgModel = require('../model/cnaorg')
 const ADPOrgModel = require('../model/adporg')
+const BulkDownloadModel = require('../model/bulkdownloadorg')
 const SecretariatOrgModel = require('../model/secretariatorg')
 const CveIdRepository = require('./cveIdRepository')
 const uuid = require('uuid')
@@ -32,30 +33,6 @@ function setAggregateRegistryOrgObj (query) {
   return [
     {
       $match: query
-    },
-    {
-      $project: {
-        _id: false,
-        UUID: true,
-        long_name: true,
-        short_name: true,
-        aliases: true,
-        authority: true,
-        reports_to: true,
-        oversees: true,
-        root_or_tlr: true,
-        users: true,
-        admins: true,
-        charter_or_scope: true,
-        disclosure_policy: true,
-        product_list: true,
-        soft_quota: true,
-        hard_quota: true,
-        contact_info: true,
-        in_use: true,
-        created: true,
-        last_updated: true
-      }
     }
   ]
 }
@@ -113,10 +90,11 @@ class BaseOrgRepository extends BaseRepository {
 
   async getAllOrgs (options = {}, returnLegacyFormat = false) {
     const OrgRepository = require('./orgRepository')
+    const orgRepo = new OrgRepository()
     let pg
     if (returnLegacyFormat) {
       const agt = setAggregateOrgObj({})
-      pg = await OrgRepository.aggregatePaginate(agt, options)
+      pg = await orgRepo.aggregatePaginate(agt, options)
     } else {
       const agt = setAggregateRegistryOrgObj({})
       pg = await this.aggregatePaginate(agt, options)
@@ -234,7 +212,7 @@ class BaseOrgRepository extends BaseRepository {
       registryObject = await SecretariatObjectToSave.save(options)
     } else if (registryObjectRaw.authority.includes('CNA')) {
       // A special case, we should make sure we have the default quota if it is not set
-      if (registryObjectRaw.hard_quota === undefined) {
+      if (!registryObjectRaw.hard_quota) {
       // set to default quota if none is specified
         registryObjectRaw.hard_quota = CONSTANTS.DEFAULT_ID_QUOTA
       }
@@ -245,6 +223,10 @@ class BaseOrgRepository extends BaseRepository {
       registryObjectRaw.hard_quota = 0
       const adpObjectToSave = new ADPOrgModel(registryObjectRaw)
       registryObject = await adpObjectToSave.save(options)
+    } else if (registryObjectRaw.authority.includes('BULK_DOWNLOAD')) {
+      registryObjectRaw.hard_quota = 0
+      const bulkDownloadObjectToSave = new BulkDownloadModel(registryObjectRaw)
+      registryObject = await bulkDownloadObjectToSave.save(options)
     } else {
       // eslint-disable-next-line no-throw-literal
       throw 'dave you screwed up'
@@ -255,16 +237,17 @@ class BaseOrgRepository extends BaseRepository {
 
     //* ******* Legacy has some special cases that we have to deal with here.**************
     legacyObjectRaw.inUse = false
-    if (legacyObjectRaw.policies.id_quota === undefined) {
+    if (!legacyObjectRaw?.policies?.id_quota) {
       // set to default quota if none is specified
-      legacyObjectRaw.policies.id_quota = CONSTANTS.DEFAULT_ID_QUOTA
+      _.set(legacyObjectRaw, 'policies.id_quota', CONSTANTS.DEFAULT_ID_QUOTA)
     }
     if (
-      legacyObjectRaw.authority.active_roles.length === 1 &&
-      legacyObjectRaw.authority.active_roles[0] === 'ADP'
+      legacyObjectRaw.authority.active_roles.length === 1 && (
+        legacyObjectRaw.authority.active_roles[0] === 'ADP' ||
+      legacyObjectRaw.authority.active_roles[0] === 'BULK_DOWNLOAD')
     ) {
       // ADPs have quota of 0
-      legacyObjectRaw.policies.id_quota = 0
+      _.set(legacyObjectRaw, 'policies.id_quota', 0)
     }
 
     // The legacy way of doing this, the way this is written under the hood there is no other way