CVEProject · jdaigneau5 · Oct 30, 2024 · Oct 24, 2024 · Oct 30, 2024
diff --git a/api-docs/openapi.json b/api-docs/openapi.json
@@ -2099,7 +2099,7 @@
           "Organization"
         ],
         "summary": "Updates information about the organization specified by short name (accessible to Secretariat)",
-        "description": "  <h2>Access Control</h2>  <p>User must belong to an organization with the <b>Secretariat</b> role, or user must belong to the organization specified by short name</p>  <h2>Expected Behavior</h2>  <p><b>Secretariat:</b> Updates any organization's information</p>  <p><b>Non-secretariat:</b> Updates 'last_active' timestamp to show that an org is still active</p>",
+        "description": "  <h2>Access Control</h2>  <p>User must belong to an organization with the <b>Secretariat</b> role</p>  <h2>Expected Behavior</h2>  <p><b>Secretariat:</b> Updates any organization's information</p>",
         "operationId": "orgUpdateSingle",
         "parameters": [
           {
@@ -2142,14 +2142,7 @@
             "content": {
               "application/json": {
                 "schema": {
-                  "oneOf": [
-                    {
-                      "$ref": "../schemas/org/update-org-response.json"
-                    },
-                    {
-                      "$ref": "../schemas/org/am-i-alive-response.json"
-                    }
-                  ]
+                  "$ref": "../schemas/org/update-org-response.json"
                 }
               }
             }

diff --git a/schemas/org/am-i-alive-response.json b/schemas/org/am-i-alive-response.json
diff --git a/src/constants/index.js b/src/constants/index.js
@@ -1,5 +1,5 @@
 const fs = require('fs')
-const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/schemas/CVE_JSON_5.1_bundled.json'))
+const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/schemas/CVE_JSON_5.1.1_bundled.json'))
 
 /**
  * Return default values.
@@ -16,7 +16,7 @@ function getConstants () {
   * @lends defaults
   */
   const defaults = {
-    SCHEMA_VERSION: '5.1',
+    SCHEMA_VERSION: '5.1.1',
     MONGOOSE_VALIDATION: {
       Org_policies_id_quota_min: 0,
       Org_policies_id_quota_min_message: 'Org.policies.id_quota cannot be a negative number.',

diff --git a/src/controller/cve.controller/cve.middleware.js b/src/controller/cve.controller/cve.middleware.js
@@ -3,8 +3,8 @@ const errors = require('./error')
 const error = new errors.CveControllerError()
 const utils = require('../../utils/utils')
 const fs = require('fs')
-const RejectedSchema = JSON.parse(fs.readFileSync('src/middleware/schemas/5.1_rejected_cna_container.json'))
-const cnaContainerSchema = JSON.parse(fs.readFileSync('src/middleware/schemas/5.1_published_cna_container.json'))
+const RejectedSchema = JSON.parse(fs.readFileSync('src/middleware/schemas/5.1.1_rejected_cna_container.json'))
+const cnaContainerSchema = JSON.parse(fs.readFileSync('src/middleware/schemas/5.1.1_published_cna_container.json'))
 const logger = require('../../middleware/logger')
 const Ajv = require('ajv')
 const addFormats = require('ajv-formats')

diff --git a/src/controller/org.controller/index.js b/src/controller/org.controller/index.js
@@ -245,10 +245,9 @@ router.put('/org/:shortname',
   #swagger.summary = "Updates information about the organization specified by short name (accessible to Secretariat)"
   #swagger.description = "
         <h2>Access Control</h2>
-        <p>User must belong to an organization with the <b>Secretariat</b> role, or user must belong to the organization specified by short name</p>
+        <p>User must belong to an organization with the <b>Secretariat</b> role</p>
         <h2>Expected Behavior</h2>
-        <p><b>Secretariat:</b> Updates any organization's information</p>
-        <p><b>Non-secretariat:</b> Updates 'last_active' timestamp to show that an org is still active</p>"
+        <p><b>Secretariat:</b> Updates any organization's information</p>"
   #swagger.parameters['shortname'] = { description: 'The shortname of the organization' }
   #swagger.parameters['$ref'] = [
     '#/components/parameters/id_quota',
@@ -264,12 +263,7 @@ router.put('/org/:shortname',
     description: 'Returns information about the organization updated',
     content: {
       "application/json": {
-        schema: {
-          oneOf: [
-            { $ref: '../schemas/org/update-org-response.json' },
-            { $ref: '../schemas/org/am-i-alive-response.json' }
-          ]
-        }
+        schema: { $ref: '../schemas/org/update-org-response.json' }
       }
     }
   }
@@ -315,10 +309,10 @@ router.put('/org/:shortname',
   }
   */
   mw.validateUser,
-  param(['shortname']).isString().trim().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
-  mw.validateOrg,
+  mw.onlySecretariat,
   query().custom((query) => { return mw.validateQueryParameterNames(query, ['new_short_name', 'id_quota', 'name', 'active_roles.add', 'active_roles.remove']) }),
   query(['new_short_name', 'id_quota', 'name', 'active_roles.add', 'active_roles.remove']).custom((val) => { return mw.containsNoInvalidCharacters(val) }),
+  param(['shortname']).isString().trim().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
   query(['new_short_name']).optional().isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
   query(['id_quota']).optional().not().isArray().isInt({ min: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_min, max: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_max }).withMessage(errorMsgs.ID_QUOTA),
   query(['name']).optional().isString().trim().notEmpty(),

diff --git a/src/controller/org.controller/org.controller.js b/src/controller/org.controller/org.controller.js
@@ -329,7 +329,6 @@ async function updateOrg (req, res, next) {
     const addRoles = []
     const orgRepo = req.ctx.repositories.getOrgRepository()
     const org = await orgRepo.findOneByShortName(shortName)
-    const orgMakingChanges = req.ctx.org
     let agt = setAggregateOrgObj({ short_name: shortName })
 
     // org doesn't exist
@@ -338,38 +337,30 @@ async function updateOrg (req, res, next) {
       return res.status(404).json(error.orgDnePathParam(shortName))
     }
 
-    const isSec = await orgRepo.isSecretariat(orgMakingChanges)
-
-    if (isSec) {
-      Object.keys(req.ctx.query).forEach(k => {
-        const key = k.toLowerCase()
-
-        if (key === 'new_short_name') {
-          newOrg.short_name = req.ctx.query.new_short_name
-          agt = setAggregateOrgObj({ short_name: newOrg.short_name })
-        } else if (key === 'name') {
-          newOrg.name = req.ctx.query.name
-        } else if (key === 'id_quota') {
-          newOrg.policies.id_quota = req.ctx.query.id_quota
-        } else if (key === 'active_roles.add') {
-          if (Array.isArray(req.ctx.query['active_roles.add'])) {
-            req.ctx.query['active_roles.add'].forEach(r => {
-              addRoles.push(r)
-            })
-          }
-        } else if (key === 'active_roles.remove') {
-          if (Array.isArray(req.ctx.query['active_roles.remove'])) {
-            req.ctx.query['active_roles.remove'].forEach(r => {
-              removeRoles.push(r)
-            })
-          }
-        }
-      })
-    }
+    Object.keys(req.ctx.query).forEach(k => {
+      const key = k.toLowerCase()
 
-    if (shortName === orgMakingChanges) {
-      newOrg.last_active = Date.now()
-    }
+      if (key === 'new_short_name') {
+        newOrg.short_name = req.ctx.query.new_short_name
+        agt = setAggregateOrgObj({ short_name: newOrg.short_name })
+      } else if (key === 'name') {
+        newOrg.name = req.ctx.query.name
+      } else if (key === 'id_quota') {
+        newOrg.policies.id_quota = req.ctx.query.id_quota
+      } else if (key === 'active_roles.add') {
+        if (Array.isArray(req.ctx.query['active_roles.add'])) {
+          req.ctx.query['active_roles.add'].forEach(r => {
+            addRoles.push(r)
+          })
+        }
+      } else if (key === 'active_roles.remove') {
+        if (Array.isArray(req.ctx.query['active_roles.remove'])) {
+          req.ctx.query['active_roles.remove'].forEach(r => {
+            removeRoles.push(r)
+          })
+        }
+      }
+    })
 
     // updating the org's roles
     if (org) {
@@ -412,13 +403,6 @@ async function updateOrg (req, res, next) {
     result = await orgRepo.aggregate(agt)
     result = result.length > 0 ? result[0] : null
 
-    if (!isSec) {
-      if (!result || !result.last_active) {
-        return res.status(500).json(error.serverError())
-      }
-      result = { last_active: result.last_active }
-    }
-
     const responseMessage = {
       message: shortName + ' organization was successfully updated.',
       updated: result
@@ -835,8 +819,7 @@ function setAggregateOrgObj (query) {
         name: true,
         'authority.active_roles': true,
         'policies.id_quota': true,
-        time: true,
-        last_active: true
+        time: true
       }
     }
   ]

diff --git a/src/middleware/middleware.js b/src/middleware/middleware.js
@@ -1,6 +1,6 @@
 const getConstants = require('../constants').getConstants
 const fs = require('fs')
-const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/schemas/CVE_JSON_5.1_bundled.json'))
+const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/schemas/CVE_JSON_5.1.1_bundled.json'))
 const argon2 = require('argon2')
 const logger = require('./logger')
 const Ajv = require('ajv')
@@ -135,32 +135,6 @@ async function validateUser (req, res, next) {
   }
 }
 
-async function validateOrg (req, res, next) {
-  const org = req.ctx.org
-  const reqOrg = req.params.shortname
-  const orgRepo = req.ctx.repositories.getOrgRepository()
-  const CONSTANTS = getConstants()
-
-  try {
-    logger.info({ uuid: req.ctx.uuid, message: 'Authenticating org: ' + org })
-
-    const isSec = await orgRepo.isSecretariat(org)
-    if (!isSec) {
-      if (org !== reqOrg) {
-        logger.info({ uuid: req.ctx.uuid, message: org + ' is not a ' + CONSTANTS.AUTH_ROLE_ENUM.SECRETARIAT + ' or the same as ' + reqOrg + ' and is not allowed to make these changes.' })
-        return res.status(403).json(error.secretariatOnly())
-      } else if (Object.keys(req.query).length > 0) {
-        return res.status(403).json(error.secretariatOnly())
-      }
-    }
-
-    logger.info({ uuid: req.ctx.uuid, message: 'Confirmed ' + org + ' has the authority to make changes to ' + reqOrg })
-    next()
-  } catch (err) {
-    next(err)
-  }
-}
-
 // Checks that the requester belongs to an org that has the 'BULK_DOWNLOAD' role
 async function onlySecretariatOrBulkDownload (req, res, next) {
   const org = req.ctx.org
@@ -509,7 +483,6 @@ module.exports = {
   setCacheControl,
   optionallyValidateUser,
   validateUser,
-  validateOrg,
   onlySecretariat,
   onlySecretariatOrBulkDownload,
   onlySecretariatOrAdmin,