schema violation after active_roles.add

[ElectricNroff]

If an organization has the ADP role and then PUT /org/:shortname?active_roles.add=CNA is used, the outcome of that PUT API call includes:

"authority": {"active_roles": ["ADP", "CNA"]}

and then calling GET /registry/org/:shortname produces output that includes:

"authority":["ADP","CNA"]

However, src/middleware/schemas/ADPOrg.json says authority is "const": ["ADP"] and src/middleware/schemas/CNAOrg.json says authority is "const": ["CNA"]

In other words, a PUT /org/:shortname?active_roles.add= call apparently allows the caller to assign roles with no assurance that the schema-based data requirements and constraints for that role have been satisfied (i.e., validateOrg is never called).

[david-rocca]

Developer Notes

Thoughts

There is no validateOrg available for the legacy endpoints. This is an allowed action by the current CVE endpoints today:

cve-services/src/controller/org.controller/org.controller.js

Line 366 in 995d90e

if (org) {

While in practice, and by policy, orgs should not have multiple options. There is nothing stopping it from happening. In the registry based endpoints we do prevent this using the rule that Secretariat > CNA > ADP > Bulk download.

This is more of an issue with cve-services proper than user registry stuff.

Action

Discuss if this is something we should fix.