CVEProject · athu-tran · Aug 26, 2024 · Jul 24, 2024 · Jul 26, 2024 · Jul 29, 2024
diff --git a/.github/workflows/test-http.yml b/.github/workflows/test-http.yml
@@ -14,30 +14,30 @@ jobs:
     - name: Build and Run Services and Mongo Containers
       run: |
         cp docker/.docker-env.example docker/.docker-env
-        docker-compose --file docker/docker-compose.yml build
-        docker-compose --file docker/docker-compose.yml up -d
+        docker compose --file docker/docker-compose.yml build
+        docker compose --file docker/docker-compose.yml up -d
     - name: Build Test Container
       run: |
         cp test-http/docker/.docker-env.example test-http/docker/.docker-env
-        docker-compose --file test-http/docker/docker-compose.yml build
+        docker compose --file test-http/docker/docker-compose.yml build
     - name: Run Test Container
       run: |
-        docker-compose --file test-http/docker/docker-compose.yml up -d
+        docker compose --file test-http/docker/docker-compose.yml up -d
     - name: Sleep
-      run: bash -c "while ! docker-compose --file docker/docker-compose.yml logs --tail=10 cveawg | grep -q 'Serving on port'; do sleep 1; done"
+      run: bash -c "while ! docker compose --file docker/docker-compose.yml logs --tail=10 cveawg | grep -q 'Serving on port'; do sleep 1; done"
     - name: Load Data into MongoDb
-      run: docker-compose -f docker/docker-compose.yml exec -T cveawg npm run populate:dev y
+      run: docker compose -f docker/docker-compose.yml exec -T cveawg npm run populate:dev y
     - name: Run Black Box Tests
       run: |
-        docker-compose --file test-http/docker/docker-compose.yml exec -T demon pytest src/ | tee test-http/src/testOutput.txt
+        docker compose --file test-http/docker/docker-compose.yml exec -T demon pytest src/ | tee test-http/src/testOutput.txt
     - name: Archive Test Results
       uses: actions/upload-artifact@v2
       with:
         name: test-results
         path: test-http/src/testOutput.txt
         retention-days: 1
     - name: Extract Tests Results
-      run: docker-compose --file test-http/docker/docker-compose.yml exec -T demon /bin/bash src/parse_tests_output.sh | (read foo; echo "##[set-output name=result;]$(echo $foo)")
+      run: docker compose --file test-http/docker/docker-compose.yml exec -T demon /bin/bash src/parse_tests_output.sh | (read foo; echo "##[set-output name=result;]$(echo $foo)")
       id: tests_result
     - name: Evaluate Tests Results
       if: ${{ steps.tests_result.outputs.result == 'Tests failed' }}

diff --git a/.github/workflows/test-integration.yml b/.github/workflows/test-integration.yml
@@ -14,10 +14,10 @@ jobs:
     - name: Build and Run Services and Mongo Containers
       run: |
         cp docker/.docker-env.test-example docker/.docker-env
-        docker-compose --file docker/docker-compose.yml build
-        docker-compose --file docker/docker-compose.yml up -d
+        docker compose --file docker/docker-compose.yml build
+        docker compose --file docker/docker-compose.yml up -d
     - name: Sleep
-      run: bash -c "while ! docker-compose --file docker/docker-compose.yml logs --tail=10 cveawg | grep -q 'Serving on port'; do sleep 1; done"
+      run: bash -c "while ! docker compose --file docker/docker-compose.yml logs --tail=10 cveawg | grep -q 'Serving on port'; do sleep 1; done"
     - name: Run Tests
-      run: docker-compose -f docker/docker-compose.yml exec -T cveawg npm run test:integration
+      run: docker compose -f docker/docker-compose.yml exec -T cveawg npm run test:integration
       continue-on-error: false
diff --git a/api-docs/openapi.json b/api-docs/openapi.json
@@ -1,9 +1,9 @@
 {
   "openapi": "3.0.2",
   "info": {
-    "version": "2.3.3",
+    "version": "2.4.0",
     "title": "CVE Services API",
-    "description": "The CVE Services API supports automation tooling for the CVE Program. Credentials are     required for most service endpoints. Representatives of     <a href='https://www.cve.org/ProgramOrganization/CNAs'>CVE Numbering Authorities (CNAs)</a> should     use one of the methods below to obtain credentials:    <ul><li>If your organization already has an Organizational Administrator (OA) account for the CVE     Services, ask your admin for credentials</li>     <li>Contact your Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/Google'>Google</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/INCIBE'>INCIBE</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/jpcert'>JPCERT/CC</a>, or     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/redhat'>Red Hat</a>) or     Top-Level Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/icscert'>CISA ICS</a>     or <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/mitre'>MITRE</a>) to request credentials     </ul>     <p>CVE data is to be in the JSON 5.1 CVE Record format. Details of the JSON 5.1 schema are     located <a href='https://github.com/CVEProject/cve-schema/tree/5.1.0/schema/v5.0' target='_blank'>here</a>.</p>    <a href='https://cveform.mitre.org/' class='link' target='_blank'>Contact the CVE Services team</a>",
+    "description": "The CVE Services API supports automation tooling for the CVE Program. Credentials are     required for most service endpoints. Representatives of     <a href='https://www.cve.org/ProgramOrganization/CNAs'>CVE Numbering Authorities (CNAs)</a> should     use one of the methods below to obtain credentials:    <ul><li>If your organization already has an Organizational Administrator (OA) account for the CVE     Services, ask your admin for credentials</li>     <li>Contact your Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/Google'>Google</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/INCIBE'>INCIBE</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/jpcert'>JPCERT/CC</a>, or     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/redhat'>Red Hat</a>) or     Top-Level Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/icscert'>CISA ICS</a>     or <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/mitre'>MITRE</a>) to request credentials     </ul>     <p>CVE data is to be in the JSON 5.1 CVE Record format. Details of the JSON 5.1 schema are     located <a href='https://github.com/CVEProject/cve-schema/tree/5.1.0/schema' target='_blank'>here</a>.</p>    <a href='https://cveform.mitre.org/' class='link' target='_blank'>Contact the CVE Services team</a>",
     "contact": {
       "name": "CVE Services Overview",
       "url": "https://cveproject.github.io/automation-cve-services#services-overview"
@@ -2099,7 +2099,7 @@
           "Organization"
         ],
         "summary": "Updates information about the organization specified by short name (accessible to Secretariat)",
-        "description": "  <h2>Access Control</h2>  <p>User must belong to an organization with the <b>Secretariat</b> role</p>  <h2>Expected Behavior</h2>  <p><b>Secretariat:</b> Updates any organization's information</p>",
+        "description": "  <h2>Access Control</h2>  <p>User must belong to an organization with the <b>Secretariat</b> role, or user must belong to the organization specified by short name</p>  <h2>Expected Behavior</h2>  <p><b>Secretariat:</b> Updates any organization's information</p>  <p><b>Non-secretariat:</b> Updates 'last_active' timestamp to show that an org is still active</p>",
         "operationId": "orgUpdateSingle",
         "parameters": [
           {
@@ -2142,7 +2142,14 @@
             "content": {
               "application/json": {
                 "schema": {
-                  "$ref": "../schemas/org/update-org-response.json"
+                  "oneOf": [
+                    {
+                      "$ref": "../schemas/org/update-org-response.json"
+                    },
+                    {
+                      "$ref": "../schemas/org/am-i-alive-response.json"
+                    }
+                  ]
                 }
               }
             }

diff --git a/package-lock.json b/package-lock.json
diff --git a/schemas/org/am-i-alive-response.json b/schemas/org/am-i-alive-response.json
@@ -0,0 +1,20 @@
+{
+    "$schema": "http://json-schema.org/draft-04/schema",
+    "type": "object",
+    "properties": {
+      "message": {
+        "type": "string",
+        "description": "Success description"
+      },
+      "updated": {
+        "type": "object",
+        "properties": {
+          "last_active": {
+            "type": "string",
+            "format": "date-time",
+            "description": "The time the organization was last active."
+          }
+        }
+      }
+    }
+  }
diff --git a/src/controller/org.controller/index.js b/src/controller/org.controller/index.js
@@ -245,9 +245,10 @@ router.put('/org/:shortname',
   #swagger.summary = "Updates information about the organization specified by short name (accessible to Secretariat)"
   #swagger.description = "
         <h2>Access Control</h2>
-        <p>User must belong to an organization with the <b>Secretariat</b> role</p>
+        <p>User must belong to an organization with the <b>Secretariat</b> role, or user must belong to the organization specified by short name</p>
         <h2>Expected Behavior</h2>
-        <p><b>Secretariat:</b> Updates any organization's information</p>"
+        <p><b>Secretariat:</b> Updates any organization's information</p>
+        <p><b>Non-secretariat:</b> Updates 'last_active' timestamp to show that an org is still active</p>"
   #swagger.parameters['shortname'] = { description: 'The shortname of the organization' }
   #swagger.parameters['$ref'] = [
     '#/components/parameters/id_quota',
@@ -263,7 +264,12 @@ router.put('/org/:shortname',
     description: 'Returns information about the organization updated',
     content: {
       "application/json": {
-        schema: { $ref: '../schemas/org/update-org-response.json' }
+        schema: {
+          oneOf: [
+            { $ref: '../schemas/org/update-org-response.json' },
+            { $ref: '../schemas/org/am-i-alive-response.json' }
+          ]
+        }
       }
     }
   }
@@ -309,10 +315,10 @@ router.put('/org/:shortname',
   }
   */
   mw.validateUser,
-  mw.onlySecretariat,
+  param(['shortname']).isString().trim().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
+  mw.validateOrg,
   query().custom((query) => { return mw.validateQueryParameterNames(query, ['new_short_name', 'id_quota', 'name', 'active_roles.add', 'active_roles.remove']) }),
   query(['new_short_name', 'id_quota', 'name', 'active_roles.add', 'active_roles.remove']).custom((val) => { return mw.containsNoInvalidCharacters(val) }),
-  param(['shortname']).isString().trim().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
   query(['new_short_name']).optional().isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
   query(['id_quota']).optional().not().isArray().isInt({ min: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_min, max: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_max }).withMessage(errorMsgs.ID_QUOTA),
   query(['name']).optional().isString().trim().notEmpty(),

diff --git a/src/controller/org.controller/org.controller.js b/src/controller/org.controller/org.controller.js
@@ -329,6 +329,7 @@ async function updateOrg (req, res, next) {
     const addRoles = []
     const orgRepo = req.ctx.repositories.getOrgRepository()
     const org = await orgRepo.findOneByShortName(shortName)
+    const orgMakingChanges = req.ctx.org
     let agt = setAggregateOrgObj({ short_name: shortName })
 
     // org doesn't exist
@@ -337,30 +338,38 @@ async function updateOrg (req, res, next) {
       return res.status(404).json(error.orgDnePathParam(shortName))
     }
 
-    Object.keys(req.ctx.query).forEach(k => {
-      const key = k.toLowerCase()
-
-      if (key === 'new_short_name') {
-        newOrg.short_name = req.ctx.query.new_short_name
-        agt = setAggregateOrgObj({ short_name: newOrg.short_name })
-      } else if (key === 'name') {
-        newOrg.name = req.ctx.query.name
-      } else if (key === 'id_quota') {
-        newOrg.policies.id_quota = req.ctx.query.id_quota
-      } else if (key === 'active_roles.add') {
-        if (Array.isArray(req.ctx.query['active_roles.add'])) {
-          req.ctx.query['active_roles.add'].forEach(r => {
-            addRoles.push(r)
-          })
-        }
-      } else if (key === 'active_roles.remove') {
-        if (Array.isArray(req.ctx.query['active_roles.remove'])) {
-          req.ctx.query['active_roles.remove'].forEach(r => {
-            removeRoles.push(r)
-          })
+    const isSec = await orgRepo.isSecretariat(orgMakingChanges)
+
+    if (isSec) {
+      Object.keys(req.ctx.query).forEach(k => {
+        const key = k.toLowerCase()
+
+        if (key === 'new_short_name') {
+          newOrg.short_name = req.ctx.query.new_short_name
+          agt = setAggregateOrgObj({ short_name: newOrg.short_name })
+        } else if (key === 'name') {
+          newOrg.name = req.ctx.query.name
+        } else if (key === 'id_quota') {
+          newOrg.policies.id_quota = req.ctx.query.id_quota
+        } else if (key === 'active_roles.add') {
+          if (Array.isArray(req.ctx.query['active_roles.add'])) {
+            req.ctx.query['active_roles.add'].forEach(r => {
+              addRoles.push(r)
+            })
+          }
+        } else if (key === 'active_roles.remove') {
+          if (Array.isArray(req.ctx.query['active_roles.remove'])) {
+            req.ctx.query['active_roles.remove'].forEach(r => {
+              removeRoles.push(r)
+            })
+          }
         }
-      }
-    })
+      })
+    }
+
+    if (shortName === orgMakingChanges) {
+      newOrg.last_active = Date.now()
+    }
 
     // updating the org's roles
     if (org) {
@@ -403,6 +412,13 @@ async function updateOrg (req, res, next) {
     result = await orgRepo.aggregate(agt)
     result = result.length > 0 ? result[0] : null
 
+    if (!isSec) {
+      if (!result || !result.last_active) {
+        return res.status(500).json(error.serverError())
+      }
+      result = { last_active: result.last_active }
+    }
+
     const responseMessage = {
       message: shortName + ' organization was successfully updated.',
       updated: result
@@ -819,7 +835,8 @@ function setAggregateOrgObj (query) {
         name: true,
         'authority.active_roles': true,
         'policies.id_quota': true,
-        time: true
+        time: true,
+        last_active: true
       }
     }
   ]

diff --git a/src/middleware/middleware.js b/src/middleware/middleware.js
@@ -135,6 +135,32 @@ async function validateUser (req, res, next) {
   }
 }
 
+async function validateOrg (req, res, next) {
+  const org = req.ctx.org
+  const reqOrg = req.params.shortname
+  const orgRepo = req.ctx.repositories.getOrgRepository()
+  const CONSTANTS = getConstants()
+
+  try {
+    logger.info({ uuid: req.ctx.uuid, message: 'Authenticating org: ' + org })
+
+    const isSec = await orgRepo.isSecretariat(org)
+    if (!isSec) {
+      if (org !== reqOrg) {
+        logger.info({ uuid: req.ctx.uuid, message: org + ' is not a ' + CONSTANTS.AUTH_ROLE_ENUM.SECRETARIAT + ' or the same as ' + reqOrg + ' and is not allowed to make these changes.' })
+        return res.status(403).json(error.secretariatOnly())
+      } else if (Object.keys(req.query).length > 0) {
+        return res.status(403).json(error.secretariatOnly())
+      }
+    }
+
+    logger.info({ uuid: req.ctx.uuid, message: 'Confirmed ' + org + ' has the authority to make changes to ' + reqOrg })
+    next()
+  } catch (err) {
+    next(err)
+  }
+}
+
 // Checks that the requester belongs to an org that has the 'BULK_DOWNLOAD' role
 async function onlySecretariatOrBulkDownload (req, res, next) {
   const org = req.ctx.org
@@ -483,6 +509,7 @@ module.exports = {
   setCacheControl,
   optionallyValidateUser,
   validateUser,
+  validateOrg,
   onlySecretariat,
   onlySecretariatOrBulkDownload,
   onlySecretariatOrAdmin,

diff --git a/src/model/org.js b/src/model/org.js
@@ -24,7 +24,8 @@ const schema = {
     created: Date,
     modified: Date
   },
-  inUse: Boolean
+  inUse: Boolean,
+  last_active: Date
 }
 
 const OrgSchema = new mongoose.Schema(schema, { collection: 'Org', timestamps: { createdAt: 'time.created', updatedAt: 'time.modified' } })

diff --git a/src/swagger.js b/src/swagger.js
@@ -18,7 +18,7 @@ const fullCnaContainerRequest = require('../schemas/cve/create-cve-record-cna-re
 /* eslint-disable no-multi-str */
 const doc = {
   info: {
-    version: '2.3.3',
+    version: '2.4.0',
     title: 'CVE Services API',
     description: "The CVE Services API supports automation tooling for the CVE Program. Credentials are \
     required for most service endpoints. Representatives of \
@@ -34,7 +34,7 @@ const doc = {
     or <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/mitre'>MITRE</a>) to request credentials \
     </ul> \
     <p>CVE data is to be in the JSON 5.1 CVE Record format. Details of the JSON 5.1 schema are \
-    located <a href='https://github.com/CVEProject/cve-schema/tree/5.1.0/schema/v5.0' target='_blank'>here</a>.</p>\
+    located <a href='https://github.com/CVEProject/cve-schema/tree/5.1.0/schema' target='_blank'>here</a>.</p>\
     <a href='https://cveform.mitre.org/' class='link' target='_blank'>Contact the CVE Services team</a>",
     contact: {
       name: 'CVE Services Overview',