updating createUser controller/baseUser repository

Author: emathew5

src/controller/org.controller/org.controller.js

@@ -557,181 +557,246 @@ async function updateOrg (req, res, next) {
   }
 }
 
+// /**
+//  * Creates a user only if the org exists and
+//  * the user does not exist for the specified shortname and username
+//  * Called by POST /api/org/{shortname}/user
+//  **/
+// async function createUser (req, res, next) {
+//   const session = await mongoose.startSession() // Start a Mongoose session for transaction
+//   const isRegistry = req.query.registry === 'true'
+
+//   try {
+//     session.startTransaction()
+//     const orgShortName = req.ctx.params.shortname
+//     const requesterUsername = req.ctx.user
+//     const requesterShortName = req.ctx.org
+
+//     const orgRepo = req.ctx.repositories.getOrgRepository()
+//     const userRepo = req.ctx.repositories.getUserRepository()
+
+//     const orgRegistryRepo = req.ctx.repositories.getRegistryOrgRepository()
+//     const userRegistryRepo = req.ctx.repositories.getRegistryUserRepository()
+
+//     const newUser = new User()
+//     const newRegistryUser = new RegistryUser()
+
+//     const orgUUID = await orgRepo.getOrgUUID(orgShortName, { session })
+//     const orgRegUUID = await orgRegistryRepo.getOrgUUID(orgShortName, { session })
+
+//     if (!orgUUID && !orgRegUUID) { // the org can only be non-existent if the requestor is the Secretariat
+//       logger.info({ uuid: req.ctx.uuid, message: 'The user could not be created because ' + orgShortName + ' organization does not exist.' })
+//       return res.status(404).json(error.orgDnePathParam(orgShortName))
+//     }
+
+//     const users = await userRepo.findUsersByOrgUUID(orgUUID, { session })
+//     const regUsers = await userRegistryRepo.findUsersByOrgUUID(orgUUID, { session })
+
+//     if (users && regUsers && users !== regUsers) {
+//       await session.abortTransaction()
+//       return res.status(500).json({ message: 'Data inconsistency' })
+//     }
+
+//     if (users >= 100) {
+//       await session.abortTransaction()
+//       return res.status(400).json(error.userLimitReached())
+//     }
+
+//     const body = req.ctx.body
+//     const keys = Object.keys(body)
+
+//     newRegistryUser.cve_program_org_membership = [{
+//       program_org: orgUUID,
+//       roles: [],
+//       status: 'active'
+//     }]
+
+//     for (const keyRaw of keys) {
+//       const key = keyRaw.toLowerCase()
+
+//       if (key === 'uuid') {
+//         await session.abortTransaction()
+//         return res.status(400).json(error.uuidProvided('user'))
+//       }
+
+//       if (key === 'org_uuid') {
+//         await session.abortTransaction()
+//         return res.status(400).json(error.uuidProvided('org'))
+//       }
+
+//       const handlers = {
+//         username: () => {
+//           newUser.username = body.username
+//           newRegistryUser.user_id = body.username
+//         },
+//         user_id: () => {
+//           newUser.username = body.user_id
+//           newRegistryUser.user_id = body.user_id
+//         },
+//         authority: () => {
+//           if (body.authority?.active_roles) {
+//             newUser.authority.active_roles = [...new Set(body.authority.active_roles)]
+//             newRegistryUser.cve_program_org_membership = [{ program_org: orgUUID, status: 'active', roles: [...new Set(body.authority.active_roles)] }]
+//           }
+//         },
+//         name: () => {
+//           const name = body.name || {}
+//           if (name.first) {
+//             newUser.name.first = name.first
+//             newRegistryUser.name.first = name.first
+//           }
+//           if (name.last) {
+//             newUser.name.last = name.last
+//             newRegistryUser.name.last = name.last
+//           }
+//           if (name.middle) {
+//             newUser.name.middle = name.middle
+//             newRegistryUser.name.middle = name.middle
+//           }
+//           if (name.suffix) {
+//             newUser.name.suffix = name.suffix
+//             newRegistryUser.name.suffix = name.suffix
+//           }
+//         }
+//       }
+
+//       if (handlers[key]) {
+//         handlers[key]() // execute the appropriate handler
+//       }
+//     }
+
+//     // This UUID will match across collections
+//     const requesterOrgUUID = await orgRepo.getOrgUUID(requesterShortName, { session })
+
+//     // Double check sec / admin
+//     const isSecretariat = await orgRepo.isSecretariatUUID(requesterOrgUUID, { session }) && await orgRegistryRepo.isSecretariat(requesterShortName, { session })
+//     const isAdmin = await userRepo.isAdminUUID(requesterUsername, requesterOrgUUID, { session }) && await userRegistryRepo.isAdminUUID(requesterUsername, requesterOrgUUID, { session })
+//     // check if user is only an Admin (not Secretatiat) and the user does not belong to the same organization as the new user
+//     if (!isSecretariat && isAdmin) {
+//       if (requesterOrgUUID !== orgUUID) {
+//         await session.abortTransaction()
+//         return res.status(403).json(error.notOrgAdminOrSecretariat()) // The Admin user must belong to the new user's organization
+//       }
+//     }
+
+//     const sharedKey = uuid.v4()
+//     newUser.org_UUID = orgUUID
+//     newUser.UUID = sharedKey
+//     newRegistryUser.UUID = sharedKey
+//     newUser.active = true
+//     const randomKey = cryptoRandomString({ length: getConstants().CRYPTO_RANDOM_STRING_LENGTH })
+//     const secret = await argon2.hash(randomKey)
+//     newUser.secret = secret
+//     newRegistryUser.secret = secret
+
+//     const resultLeg = await userRepo.findOneByUserNameAndOrgUUID(newUser.username, newUser.org_UUID, null, { session }) // Find user in MongoDB
+//     const resultReg = await userRegistryRepo.findOneByUserNameAndOrgUUID(newRegistryUser.user_id, orgUUID, null, { session })
+//     if (resultLeg || resultReg) {
+//       logger.info({ uuid: req.ctx.uuid, message: newUser.username + ' was not created because it already exists.' })
+//       await session.abortTransaction()
+//       return res.status(400).json(error.userExists(newUser.username))
+//     }
+
+//     // Parsing all user name fields
+//     newUser.name = parseUserName(newUser)
+//     newRegistryUser.name = parseUserName(newRegistryUser)
+
+//     await userRepo.updateByUserNameAndOrgUUID(newUser.username, newUser.org_UUID, newUser, { upsert: true, session }) // Create user in MongoDB if it doesn't exist
+//     await userRegistryRepo.updateByUserNameAndOrgUUID(newRegistryUser.user_id, orgUUID, newRegistryUser, { upsert: true, session })
+//     await userRegistryRepo.addOrgToUserAffiliation(newUser.UUID, orgUUID, { session })
+//     await orgRegistryRepo.addUserToOrgList(orgUUID, newRegistryUser.UUID, body.authority?.active_roles ? [...new Set(body.authority.active_roles)].includes('ADMIN') : false, { upsert: true, session })
+//     const agt = isRegistry ? setAggregateRegistryUserObj({ 'cve_program_org_membership.program_org': orgUUID, user_id: newRegistryUser.user_id }) : setAggregateUserObj({ org_UUID: orgUUID, username: newUser.username })
+//     let result = isRegistry ? await userRegistryRepo.aggregate(agt, { session }) : await userRepo.aggregate(agt, { session })
+//     result = result.length > 0 ? result[0] : null
+
+//     const payloadUsername = isRegistry ? result.user_id : result.username
+
+//     const payload = {
+//       action: 'create_user',
+//       change: payloadUsername + ' was successfully created.',
+//       req_UUID: req.ctx.uuid,
+//       org_UUID: await orgRepo.getOrgUUID(req.ctx.org),
+//       user: result
+//     }
+//     payload.user_UUID = isRegistry ? await userRegistryRepo.getUserUUID(req.ctx.user, payload.org_UUID, { session }) : await userRepo.getUserUUID(req.ctx.user, payload.org_UUID, { session })
+//     logger.info(JSON.stringify(payload))
+
+//     result.secret = randomKey
+//     const responseMessage = {
+//       message: payloadUsername + ' was successfully created.',
+//       created: result
+//     }
+//     await session.commitTransaction()
+//     return res.status(200).json(responseMessage)
+//   } catch (err) {
+//     next(err)
+//   } finally {
+//     await session.endSession()
+//   }
+// }
+
 /**
- * Creates a user only if the org exists and
+ *  Creates a user only if the org exists and
  * the user does not exist for the specified shortname and username
  * Called by POST /api/org/{shortname}/user
  **/
 async function createUser (req, res, next) {
-  const session = await mongoose.startSession() // Start a Mongoose session for transaction
-  const isRegistry = req.query.registry === 'true'
-
   try {
-    session.startTransaction()
+    const session = await mongoose.startSession()
+    const body = req.ctx.body
+    const repo = req.ctx.repositories.getBaseUserRepository()
     const orgShortName = req.ctx.params.shortname
-    const requesterUsername = req.ctx.user
-    const requesterShortName = req.ctx.org
+    // const isRegistry = req.query.registry === 'true'
+    let returnValue
 
-    const orgRepo = req.ctx.repositories.getOrgRepository()
-    const userRepo = req.ctx.repositories.getUserRepository()
-
-    const orgRegistryRepo = req.ctx.repositories.getRegistryOrgRepository()
-    const userRegistryRepo = req.ctx.repositories.getRegistryUserRepository()
-
-    const newUser = new User()
-    const newRegistryUser = new RegistryUser()
-
-    const orgUUID = await orgRepo.getOrgUUID(orgShortName, { session })
-    const orgRegUUID = await orgRegistryRepo.getOrgUUID(orgShortName, { session })
-
-    if (!orgUUID && !orgRegUUID) { // the org can only be non-existent if the requestor is the Secretariat
-      logger.info({ uuid: req.ctx.uuid, message: 'The user could not be created because ' + orgShortName + ' organization does not exist.' })
-      return res.status(404).json(error.orgDnePathParam(orgShortName))
-    }
-
-    const users = await userRepo.findUsersByOrgUUID(orgUUID, { session })
-    const regUsers = await userRegistryRepo.findUsersByOrgUUID(orgUUID, { session })
-
-    if (users && regUsers && users !== regUsers) {
-      await session.abortTransaction()
-      return res.status(500).json({ message: 'Data inconsistency' })
-    }
-
-    if (users >= 100) {
-      await session.abortTransaction()
-      return res.status(400).json(error.userLimitReached())
+    // Do not allow the user to pass in a UUID
+    if (body?.UUID ?? null) {
+      return res.status(400).json(error.uuidProvided('user'))
     }
 
-    const body = req.ctx.body
-    const keys = Object.keys(body)
-
-    newRegistryUser.cve_program_org_membership = [{
-      program_org: orgUUID,
-      roles: [],
-      status: 'active'
-    }]
-
-    for (const keyRaw of keys) {
-      const key = keyRaw.toLowerCase()
+    // Do not allow the user to pass in an org_UUID
+    // if (body?.org_UUID ?? null) {
+    //   return res.status(400).json(error.uuidProvided('org'))
+    // }
 
-      if (key === 'uuid') {
-        await session.abortTransaction()
-        return res.status(400).json(error.uuidProvided('user'))
-      }
+    try {
+      session.startTransaction()
 
-      if (key === 'org_uuid') {
+      // Ask repo if user already exists
+      if (await repo.orgHasUser(orgShortName, body?.username, { session })) {
+        logger.info({ uuid: req.ctx.uuid, message: `${body?.username} user was not created because it already exists.` })
         await session.abortTransaction()
-        return res.status(400).json(error.uuidProvided('org'))
+        return res.status(400).json(error.userExists(body?.username))
       }
 
-      const handlers = {
-        username: () => {
-          newUser.username = body.username
-          newRegistryUser.user_id = body.username
-        },
-        user_id: () => {
-          newUser.username = body.user_id
-          newRegistryUser.user_id = body.user_id
-        },
-        authority: () => {
-          if (body.authority?.active_roles) {
-            newUser.authority.active_roles = [...new Set(body.authority.active_roles)]
-            newRegistryUser.cve_program_org_membership = [{ program_org: orgUUID, status: 'active', roles: [...new Set(body.authority.active_roles)] }]
-          }
-        },
-        name: () => {
-          const name = body.name || {}
-          if (name.first) {
-            newUser.name.first = name.first
-            newRegistryUser.name.first = name.first
-          }
-          if (name.last) {
-            newUser.name.last = name.last
-            newRegistryUser.name.last = name.last
-          }
-          if (name.middle) {
-            newUser.name.middle = name.middle
-            newRegistryUser.name.middle = name.middle
-          }
-          if (name.suffix) {
-            newUser.name.suffix = name.suffix
-            newRegistryUser.name.suffix = name.suffix
-          }
-        }
-      }
+      returnValue = await repo.createUser(orgShortName, body, { session, upsert: true }, true)
 
-      if (handlers[key]) {
-        handlers[key]() // execute the appropriate handler
-      }
-    }
-
-    // This UUID will match across collections
-    const requesterOrgUUID = await orgRepo.getOrgUUID(requesterShortName, { session })
-
-    // Double check sec / admin
-    const isSecretariat = await orgRepo.isSecretariatUUID(requesterOrgUUID, { session }) && await orgRegistryRepo.isSecretariat(requesterShortName, { session })
-    const isAdmin = await userRepo.isAdminUUID(requesterUsername, requesterOrgUUID, { session }) && await userRegistryRepo.isAdminUUID(requesterUsername, requesterOrgUUID, { session })
-    // check if user is only an Admin (not Secretatiat) and the user does not belong to the same organization as the new user
-    if (!isSecretariat && isAdmin) {
-      if (requesterOrgUUID !== orgUUID) {
-        await session.abortTransaction()
-        return res.status(403).json(error.notOrgAdminOrSecretariat()) // The Admin user must belong to the new user's organization
-      }
-    }
-
-    const sharedKey = uuid.v4()
-    newUser.org_UUID = orgUUID
-    newUser.UUID = sharedKey
-    newRegistryUser.UUID = sharedKey
-    newUser.active = true
-    const randomKey = cryptoRandomString({ length: getConstants().CRYPTO_RANDOM_STRING_LENGTH })
-    const secret = await argon2.hash(randomKey)
-    newUser.secret = secret
-    newRegistryUser.secret = secret
-
-    const resultLeg = await userRepo.findOneByUserNameAndOrgUUID(newUser.username, newUser.org_UUID, null, { session }) // Find user in MongoDB
-    const resultReg = await userRegistryRepo.findOneByUserNameAndOrgUUID(newRegistryUser.user_id, orgUUID, null, { session })
-    if (resultLeg || resultReg) {
-      logger.info({ uuid: req.ctx.uuid, message: newUser.username + ' was not created because it already exists.' })
+      await session.commitTransaction()
+    } catch (error) {
       await session.abortTransaction()
-      return res.status(400).json(error.userExists(newUser.username))
+      throw error
+    } finally {
+      await session.endSession()
     }
 
-    // Parsing all user name fields
-    newUser.name = parseUserName(newUser)
-    newRegistryUser.name = parseUserName(newRegistryUser)
-
-    await userRepo.updateByUserNameAndOrgUUID(newUser.username, newUser.org_UUID, newUser, { upsert: true, session }) // Create user in MongoDB if it doesn't exist
-    await userRegistryRepo.updateByUserNameAndOrgUUID(newRegistryUser.user_id, orgUUID, newRegistryUser, { upsert: true, session })
-    await userRegistryRepo.addOrgToUserAffiliation(newUser.UUID, orgUUID, { session })
-    await orgRegistryRepo.addUserToOrgList(orgUUID, newRegistryUser.UUID, body.authority?.active_roles ? [...new Set(body.authority.active_roles)].includes('ADMIN') : false, { upsert: true, session })
-    const agt = isRegistry ? setAggregateRegistryUserObj({ 'cve_program_org_membership.program_org': orgUUID, user_id: newRegistryUser.user_id }) : setAggregateUserObj({ org_UUID: orgUUID, username: newUser.username })
-    let result = isRegistry ? await userRegistryRepo.aggregate(agt, { session }) : await userRepo.aggregate(agt, { session })
-    result = result.length > 0 ? result[0] : null
-
-    const payloadUsername = isRegistry ? result.user_id : result.username
+    const responseMessage = {
+      message: `${body?.username} was successfully created.`,
+      created: returnValue
+    }
 
     const payload = {
       action: 'create_user',
-      change: payloadUsername + ' was successfully created.',
+      change: `${body?.username} was successfully created.`,
       req_UUID: req.ctx.uuid,
-      org_UUID: await orgRepo.getOrgUUID(req.ctx.org),
-      user: result
+      org_UUID: returnValue.org_UUID,
+      user_UUID: returnValue.UUID,
+      user: returnValue
     }
-    payload.user_UUID = isRegistry ? await userRegistryRepo.getUserUUID(req.ctx.user, payload.org_UUID, { session }) : await userRepo.getUserUUID(req.ctx.user, payload.org_UUID, { session })
-    logger.info(JSON.stringify(payload))
 
-    result.secret = randomKey
-    const responseMessage = {
-      message: payloadUsername + ' was successfully created.',
-      created: result
-    }
-    await session.commitTransaction()
+    logger.info(JSON.stringify(payload))
     return res.status(200).json(responseMessage)
   } catch (err) {
     next(err)
-  } finally {
-    await session.endSession()
   }
 }