diff --git a/api-docs/openapi.json b/api-docs/openapi.json index edf51039c..f9fbbb5bd 100644 --- a/api-docs/openapi.json +++ b/api-docs/openapi.json @@ -1,7 +1,7 @@ { "openapi": "3.0.2", "info": { - "version": "2.8.2", + "version": "2.8.3", "title": "CVE Services API", "description": "The CVE Services API supports automation tooling for the CVE Program. Credentials are required for most service endpoints. Representatives of CVE Numbering Authorities (CNAs) should use one of the methods below to obtain credentials:
CVE data is to be in the JSON 5.2 CVE Record format. Details of the JSON 5.2 schema are located here.
Contact the CVE Services team", "contact": { @@ -2859,6 +2859,7 @@ }, "example": { "username": "jdoe", + "status": "active", "name": { "first": "John", "last": "Doe" diff --git a/package-lock.json b/package-lock.json index 450d456e6..ecec25aef 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "cve-services", - "version": "2.8.2", + "version": "2.8.3", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "cve-services", - "version": "2.8.2", + "version": "2.8.3", "license": "(CC0)", "dependencies": { "ajv": "^8.6.2", diff --git a/package.json b/package.json index aec6fff5a..22f262218 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "cve-services", "author": "Automation Working Group", - "version": "2.8.2", + "version": "2.8.3", "license": "(CC0)", "devDependencies": { "@faker-js/faker": "^7.6.0", diff --git a/schemas/registry-user/BaseUser.json b/schemas/registry-user/BaseUser.json index 65db8c71e..c71bb658f 100644 --- a/schemas/registry-user/BaseUser.json +++ b/schemas/registry-user/BaseUser.json @@ -99,6 +99,7 @@ } }, "required": [ - "username" + "username", + "status" ] } diff --git a/schemas/registry-user/create-registry-user-request.json b/schemas/registry-user/create-registry-user-request.json index 15277cb8b..0cb2dfce4 100644 --- a/schemas/registry-user/create-registry-user-request.json +++ b/schemas/registry-user/create-registry-user-request.json @@ -9,6 +9,11 @@ "type": "string", "description": "User's identifier or username" }, + "status": { + "type": "string", + "enum": ["active", "inactive"], + "description": "User status" + }, "name": { "type": "object", "properties": { @@ -62,6 +67,7 @@ }, "required": [ "username", + "status", "name" ] } diff --git a/schemas/registry-user/update-registry-user-request.json b/schemas/registry-user/update-registry-user-request.json index 0e305f407..b0dbcaf69 100644 --- a/schemas/registry-user/update-registry-user-request.json +++ b/schemas/registry-user/update-registry-user-request.json @@ -9,6 +9,11 @@ "type": "string", "description": "User's identifier or username" }, + "status": { + "type": "string", + "enum": ["active", "inactive"], + "description": "User status" + }, "name": { "type": "object", "properties": { @@ -57,5 +62,9 @@ } } } - } + }, + "required": [ + "username", + "status" + ] } diff --git a/src/controller/org.controller/index.js b/src/controller/org.controller/index.js index f79047ba6..8e362cf2f 100644 --- a/src/controller/org.controller/index.js +++ b/src/controller/org.controller/index.js @@ -678,6 +678,7 @@ router.post('/registry/org/:shortname/user', }, example: { "username": "jdoe", + "status": "active", "name": { "first": "John", "last": "Doe" diff --git a/src/controller/org.controller/org.controller.js b/src/controller/org.controller/org.controller.js index ac49001d7..28b7a9d37 100644 --- a/src/controller/org.controller/org.controller.js +++ b/src/controller/org.controller/org.controller.js @@ -742,6 +742,19 @@ async function resetSecret (req, res, next) { return res.status(404).json(error.orgDnePathParam(targetOrgShortName)) } + const targetOrg = { UUID: targetOrgUUID, short_name: targetOrgShortName } + const requesterUserUUID = await authContext.getRequesterUserUUID(req, userRepo, orgRepo, { session }, !!req.useRegistry) + const isRequesterSecretariat = await authContext.isRequesterSecretariat(req, orgRepo, { session }, !req.useRegistry) + + if (!isRequesterSecretariat) { + const requesterSameOrg = await authContext.isRequesterSameOrg(req, orgRepo, targetOrg, { session }, !req.useRegistry) + if (!requesterSameOrg) { + logger.info({ uuid: req.ctx.uuid, message: 'The api secret can only be reset by the Secretariat, an Org admin or if the requester is the user.' }) + await session.abortTransaction() + return res.status(403).json(error.notSameOrgOrSecretariat()) + } + } + // Check if target user exists in target org const targetUserUUID = await userRepo.getUserUUID(targetUsername, targetOrgShortName, { session }, !!req.useRegistry) if (!targetUserUUID) { @@ -750,25 +763,12 @@ async function resetSecret (req, res, next) { return res.status(404).json(error.userDne(targetUsername)) } - const requesterUserUUID = await authContext.getRequesterUserUUID(req, userRepo, orgRepo, { session }, !!req.useRegistry) - - const isRequesterSecretariat = await authContext.isRequesterSecretariat(req, orgRepo, { session }, !req.useRegistry) - if (!isRequesterSecretariat) { // If they are in the same organization, they must be the target user themselves OR an admin of the target org. - const targetOrg = { UUID: targetOrgUUID, short_name: targetOrgShortName } - // 1. WE are not the same user if (requesterUserUUID !== targetUserUUID) { // Check to see if we are the admin of the target organization const isAdminOfTargetOrg = await authContext.isRequesterAdminOfOrg(req, userRepo, orgRepo, targetOrg, { session }, !!req.useRegistry) - // The tests say we have to check the org next: - const requesterSameOrg = await authContext.isRequesterSameOrg(req, orgRepo, targetOrg, { session }, !req.useRegistry) - if (!requesterSameOrg && !isAdminOfTargetOrg) { - logger.info({ uuid: req.ctx.uuid, message: 'The api secret can only be reset by the Secretariat, an Org admin or if the requester is the user.' }) - await session.abortTransaction() - return res.status(403).json(error.notSameOrgOrSecretariat()) - } if (!isAdminOfTargetOrg) { logger.info({ uuid: req.ctx.uuid, message: 'The api secret can only be reset by the Secretariat, an Org admin or if the requester is the user.' }) diff --git a/src/controller/registry-user.controller/registry-user.controller.js b/src/controller/registry-user.controller/registry-user.controller.js index 46fcaaeee..20decb551 100644 --- a/src/controller/registry-user.controller/registry-user.controller.js +++ b/src/controller/registry-user.controller/registry-user.controller.js @@ -135,23 +135,32 @@ async function getUser (req, res, next) { username: result.username } } else { + org = await repo.findOneByShortName(req.ctx.params.shortname) + + const isSameOrg = await authContext.isRequesterSameOrg(req, repo, org) + if (!isSecretariat && !isSameOrg) { + logger.info({ uuid: req.ctx.uuid, message: userToGetParameters.org + ' organization can only be viewed by the users of the same organization or the Secretariat.' }) + return res.status(403).json(error.notSameOrgOrSecretariat()) + } + result = await userRepo.findOneByUsernameAndOrgShortname(userToGetParameters.username, userToGetParameters.org) if (!result) { logger.info({ uuid: req.ctx.uuid, message: userToGetParameters.username + ' user could not be found.' }) return res.status(404).json(error.userDne(userToGetParameters.username)) } - org = await repo.findOneByShortName(req.ctx.params.shortname) userToGetParameters = { org: org.short_name, username: result.username } } - const isSameOrg = await authContext.isRequesterSameOrg(req, repo, org) - if (!isSecretariat && !isSameOrg) { - logger.info({ uuid: req.ctx.uuid, message: identifier + ' organization can only be viewed by the users of the same organization or the Secretariat.' }) - return res.status(403).json(error.notSameOrgOrSecretariat()) + if (identifier) { + const isSameOrg = await authContext.isRequesterSameOrg(req, repo, org) + if (!isSecretariat && !isSameOrg) { + logger.info({ uuid: req.ctx.uuid, message: identifier + ' organization can only be viewed by the users of the same organization or the Secretariat.' }) + return res.status(403).json(error.notSameOrgOrSecretariat()) + } } const user = result.toObject() @@ -505,24 +514,25 @@ async function grantRole (req, res, next) { return res.status(404).json(error.orgDnePathParam(orgShortName)) } - // Check if target user exists in target org - const targetUser = await userRepo.findOneByUsernameAndOrgShortname(username, orgShortName) - if (!targetUser) { - return res.status(404).json(error.userDne(username)) - } - const isSecretariat = await authContext.isRequesterSecretariat(req, orgRepo) - const isAdmin = await authContext.isRequesterAdminOfOrg(req, userRepo, orgRepo, orgShortName) + const targetOrg = { UUID: targetOrgUUID, short_name: orgShortName } - const requesterSameOrg = await authContext.isRequesterSameOrg(req, orgRepo, { UUID: targetOrgUUID, short_name: orgShortName }) + const requesterSameOrg = await authContext.isRequesterSameOrg(req, orgRepo, targetOrg) if (!requesterSameOrg && !isSecretariat) { return res.status(403).json(error.notSameOrgOrSecretariat()) } + const isAdmin = await authContext.isRequesterAdminOfOrg(req, userRepo, orgRepo, targetOrg) if (!isSecretariat && !isAdmin) { return res.status(403).json(error.notOrgAdminOrSecretariatUpdate()) } + // Check if target user exists in target org + const targetUser = await userRepo.findOneByUsernameAndOrgShortname(username, orgShortName) + if (!targetUser) { + return res.status(404).json(error.userDne(username)) + } + const session = await mongoose.startSession({ causalConsistency: false }) try { @@ -569,24 +579,25 @@ async function revokeRole (req, res, next) { return res.status(404).json(error.orgDnePathParam(orgShortName)) } - // Check if target user exists in target org - const targetUser = await userRepo.findOneByUsernameAndOrgShortname(username, orgShortName) - if (!targetUser) { - return res.status(404).json(error.userDne(username)) - } - const isSecretariat = await authContext.isRequesterSecretariat(req, orgRepo) - const isAdmin = await authContext.isRequesterAdminOfOrg(req, userRepo, orgRepo, orgShortName) + const targetOrg = { UUID: targetOrgUUID, short_name: orgShortName } - const requesterSameOrg = await authContext.isRequesterSameOrg(req, orgRepo, { UUID: targetOrgUUID, short_name: orgShortName }) + const requesterSameOrg = await authContext.isRequesterSameOrg(req, orgRepo, targetOrg) if (!requesterSameOrg && !isSecretariat) { return res.status(403).json(error.notSameOrgOrSecretariat()) } + const isAdmin = await authContext.isRequesterAdminOfOrg(req, userRepo, orgRepo, targetOrg) if (!isSecretariat && !isAdmin) { return res.status(403).json(error.notOrgAdminOrSecretariatUpdate()) } + // Check if target user exists in target org + const targetUser = await userRepo.findOneByUsernameAndOrgShortname(username, orgShortName) + if (!targetUser) { + return res.status(404).json(error.userDne(username)) + } + // Prevent Self-Demotion const callingUserUUID = await authContext.getRequesterUserUUID(req, userRepo, orgRepo) if (callingUserUUID === targetUser.UUID) { diff --git a/src/scripts/migrate.js b/src/scripts/migrate.js index 297ff2edf..1bc3d8eb9 100644 --- a/src/scripts/migrate.js +++ b/src/scripts/migrate.js @@ -191,7 +191,7 @@ async function orgHelper (db) { // Doc to update existing org record, or to be created let type = 'CNAOrg' - if (doc.short_name.toLowerCase().includes('mitre')) { type = 'SECRETARIAT' } + if (doc.short_name.toLowerCase().includes('mitre')) { type = 'SecretariatOrg' } updateDoc = { $set: { UUID: doc.UUID, diff --git a/src/swagger.js b/src/swagger.js index 43d326604..6f491125f 100644 --- a/src/swagger.js +++ b/src/swagger.js @@ -22,7 +22,7 @@ const fullCnaContainerRequest = require('../schemas/cve/create-cve-record-cna-re /* eslint-disable no-multi-str */ const doc = { info: { - version: '2.8.2', + version: '2.8.3', title: 'CVE Services API', description: "The CVE Services API supports automation tooling for the CVE Program. Credentials are \ required for most service endpoints. Representatives of \ diff --git a/test/integration-tests/audit/registryOrgCreatesAuditTest.js b/test/integration-tests/audit/registryOrgCreatesAuditTest.js index aaf8406a7..f7611d2ac 100644 --- a/test/integration-tests/audit/registryOrgCreatesAuditTest.js +++ b/test/integration-tests/audit/registryOrgCreatesAuditTest.js @@ -280,7 +280,8 @@ describe('Create and Update Audit Collection with Org Endpoints', () => { name: { first: 'Test', last: 'User' - } + }, + status: 'active' }) expect(createUserRes).to.have.status(200) diff --git a/test/integration-tests/org/legacyAdminRoleRevokeTest.js b/test/integration-tests/org/legacyAdminRoleRevokeTest.js index 770f88adc..c80875376 100644 --- a/test/integration-tests/org/legacyAdminRoleRevokeTest.js +++ b/test/integration-tests/org/legacyAdminRoleRevokeTest.js @@ -15,7 +15,8 @@ const postNewUser = async (orgShortName, username) => { .post(`/api/registry/org/${orgShortName}/user`) .set(secretariatHeaders) .send({ - username + username, + status: 'active' }) } diff --git a/test/integration-tests/org/postOrgUsersTest.js b/test/integration-tests/org/postOrgUsersTest.js index 53dc843a5..bc2f1fda7 100644 --- a/test/integration-tests/org/postOrgUsersTest.js +++ b/test/integration-tests/org/postOrgUsersTest.js @@ -53,6 +53,7 @@ describe('Testing user post endpoint', () => { middle: 'Cool', suffix: 'Mr.' }, + status: 'active', role: 'ADMIN' }) .then((res, err) => { @@ -74,6 +75,7 @@ describe('Testing user post endpoint', () => { first: 'Authority', last: 'Admin' }, + status: 'active', authority: { active_roles: [ 'Admin' @@ -392,6 +394,7 @@ describe('Testing user post endpoint', () => { middle: 'Cool', suffix: 'Mr.' }, + status: 'active', role: 'ADMIN' }) .then((res, err) => { @@ -415,6 +418,7 @@ describe('Testing user post endpoint', () => { middle: 'MiddleName', suffix: 'Suffix' }, + status: 'active', role: 'ADMIN', test: 'additional key not in schema' }) diff --git a/test/integration-tests/org/registryOrg.js b/test/integration-tests/org/registryOrg.js index 25022acdd..49c5925f4 100644 --- a/test/integration-tests/org/registryOrg.js +++ b/test/integration-tests/org/registryOrg.js @@ -30,7 +30,8 @@ const postNewUser = async (orgShortName, username) => { .post(`/api/registry/org/${orgShortName}/user`) .set(secretariatHeaders) .send({ - username + username, + status: 'active' }) } @@ -317,6 +318,7 @@ describe('Testing Secretariat functionality for Orgs', () => { .set(secretariatHeaders) .send({ username, + status: 'active', ubiquitous: 'mendacious' }) .then((res) => { @@ -437,7 +439,7 @@ describe('Testing Secretariat functionality for Orgs', () => { await chai.request(app) .post('/api/registry/org/mitre/user') .set(secretariatHeaders) - .send({ username: '' }) + .send({ username: '', status: 'active' }) .then((res) => { expect(res).to.have.status(400) expect(res.body.message).to.equal('Parameters were invalid') @@ -452,6 +454,7 @@ describe('Testing Secretariat functionality for Orgs', () => { .set(secretariatHeaders) .send({ username: username, + status: 'active', role: roles }) .then((res) => { @@ -467,7 +470,7 @@ describe('Testing Secretariat functionality for Orgs', () => { await chai.request(app) .post('/api/registry/org/mitre/user') .set(secretariatHeaders) - .send({ username: 'test_secretariat_0@mitre.org' }) + .send({ username: 'test_secretariat_0@mitre.org', status: 'active' }) .then((res) => { expect(res).to.have.status(400) expect(res.body.message).to.equal('The user \'test_secretariat_0@mitre.org\' already exists.') diff --git a/test/integration-tests/org/registryOrgAsOrgAdmin.js b/test/integration-tests/org/registryOrgAsOrgAdmin.js index 715898822..3ed5f0c25 100644 --- a/test/integration-tests/org/registryOrgAsOrgAdmin.js +++ b/test/integration-tests/org/registryOrgAsOrgAdmin.js @@ -27,6 +27,7 @@ describe('Testing Registry Org as org admin', () => { .send( { username: userId, + status: 'active', role: 'ADMIN' } ).then((res, err) => { @@ -41,7 +42,8 @@ describe('Testing Registry Org as org admin', () => { .set(constants.headers) .send( { - username: 'second_user@beat_10.mitre.org' + username: 'second_user@beat_10.mitre.org', + status: 'active' } ).then((res, err) => { expect(err).to.be.undefined @@ -52,7 +54,8 @@ describe('Testing Registry Org as org admin', () => { .set(constants.headers) .send( { - username: 'third_user@beat_10.mitre.org' + username: 'third_user@beat_10.mitre.org', + status: 'active' } ).then((res, err) => { expect(err).to.be.undefined @@ -359,7 +362,8 @@ describe('Testing Registry Org as org admin', () => { .put('/api/registry/org/fake_org_5000/user/fake_user_1000') .set(adminHeaders) .send({ - username: userId + username: userId, + status: 'active' }) .then((res, err) => { expect(err).to.be.undefined @@ -372,7 +376,8 @@ describe('Testing Registry Org as org admin', () => { .put('/api/registry/org/beat_10/user/fake_user_1000') .set(adminHeaders) .send({ - username: userId + username: userId, + status: 'active' }) .then((res, err) => { expect(err).to.be.undefined @@ -398,7 +403,8 @@ describe('Testing Registry Org as org admin', () => { .post('/api/registry/org/beat_10/user') .set(adminHeaders) .send({ - username: userId + username: userId, + status: 'active' }) .then((res, err) => { expect(err).to.be.undefined @@ -411,7 +417,8 @@ describe('Testing Registry Org as org admin', () => { .post('/api/registry/org/range_4/user') .set(adminHeaders) .send({ - username: 'BLARG' + username: 'BLARG', + status: 'active' }) .then((res, err) => { expect(err).to.be.undefined diff --git a/test/integration-tests/org/regularUsersTestRegistry.js b/test/integration-tests/org/regularUsersTestRegistry.js index 2dda89f20..bdcb58b80 100644 --- a/test/integration-tests/org/regularUsersTestRegistry.js +++ b/test/integration-tests/org/regularUsersTestRegistry.js @@ -186,6 +186,20 @@ describe('Testing regular user permissions for /api/registry/org/ endpoints with expect(res.body.error).to.contain('NOT_ORG_ADMIN_OR_SECRETARIAT_UPDATE') }) }) + it('regular users cannot use grant-role missing users to enumerate another organization', async () => { + const org = constants.nonSecretariatUserHeaders3['CVE-API-ORG'] + const user = faker.datatype.uuid() + await chai.request(app) + .post(`/api/registry/org/${org}/user/${user}/grant-role`) + .set(constants.nonSecretariatUserHeaders) + .send({ + role: 'ADMIN' + }) + .then((res) => { + expect(res).to.have.status(403) + expect(res.body.error).to.contain('NOT_SAME_ORG_OR_SECRETARIAT') + }) + }) it('regular users cannot remove role', async () => { const org = constants.nonSecretariatUserHeaders['CVE-API-ORG'] const user = constants.nonSecretariatUserHeaders['CVE-API-USER'] @@ -200,6 +214,20 @@ describe('Testing regular user permissions for /api/registry/org/ endpoints with expect(res.body.error).to.contain('NOT_ORG_ADMIN_OR_SECRETARIAT_UPDATE') }) }) + it('regular users cannot use revoke-role missing users to enumerate another organization', async () => { + const org = constants.nonSecretariatUserHeaders3['CVE-API-ORG'] + const user = faker.datatype.uuid() + await chai.request(app) + .post(`/api/registry/org/${org}/user/${user}/revoke-role`) + .set(constants.nonSecretariatUserHeaders) + .send({ + role: 'ADMIN' + }) + .then((res) => { + expect(res).to.have.status(403) + expect(res.body.error).to.contain('NOT_SAME_ORG_OR_SECRETARIAT') + }) + }) it("regular user cannot update a user from an org that doesn't exist", async () => { const org = faker.datatype.uuid().slice(0, MAX_SHORTNAME_LENGTH) const user = constants.nonSecretariatUserHeaders['CVE-API-USER'] @@ -265,6 +293,19 @@ describe('Testing regular user permissions for /api/registry/org/ endpoints with expect(res.body.error).to.contain('USER_DNE') }) }) + it('regular users cannot use reset-secret missing users to enumerate another organization', async () => { + const org = constants.nonSecretariatUserHeaders3['CVE-API-ORG'] + const user = faker.datatype.uuid() + await chai.request(app) + .put(`/api/registry/org/${org}/user/${user}/reset_secret`) + .set(constants.nonSecretariatUserHeaders) + .send({ + }) + .then((res) => { + expect(res).to.have.status(403) + expect(res.body.error).to.contain('NOT_SAME_ORG_OR_SECRETARIAT') + }) + }) it("regular user tries resetting admin user's secret, fails and admin user's role remains preserved", async () => { const org = constants.nonSecretariatUserHeaders2['CVE-API-ORG'] const user = constants.nonSecretariatUserHeaders2['CVE-API-USER'] @@ -379,6 +420,19 @@ describe('Testing regular user permissions for /api/registry/org/ endpoints with expect(res.body.error).to.contain('NOT_SAME_ORG_OR_SECRETARIAT') }) }) + it('regular users cannot use missing users to enumerate another organization', async () => { + const org = constants.nonSecretariatUserHeaders3['CVE-API-ORG'] + const user = faker.datatype.uuid() + await chai.request(app) + .get(`/api/registry/org/${org}/user/${user}`) + .set(constants.nonSecretariatUserHeaders) + .send({ + }) + .then((res) => { + expect(res).to.have.status(403) + expect(res.body.error).to.contain('NOT_SAME_ORG_OR_SECRETARIAT') + }) + }) it("regular user cannot view user that doesn't exist", async () => { const org = constants.nonSecretariatUserHeaders['CVE-API-ORG'] const user = faker.datatype.uuid() diff --git a/test/integration-tests/registry-org/createUserByOrgTest.js b/test/integration-tests/registry-org/createUserByOrgTest.js index 3cba5a152..14f3a64cf 100644 --- a/test/integration-tests/registry-org/createUserByOrgTest.js +++ b/test/integration-tests/registry-org/createUserByOrgTest.js @@ -18,6 +18,7 @@ describe('Testing POST /api/registryOrg/:shortname/user endpoint', () => { first: 'Test', last: 'User' }, + status: 'active', role: 'ADMIN' } chai.request(app) @@ -43,7 +44,8 @@ describe('Testing POST /api/registryOrg/:shortname/user endpoint', () => { name: { first: 'Test', last: 'User' - } + }, + status: 'active' } chai.request(app) .post(`/api/registryOrg/${orgShortName}/user`) @@ -63,7 +65,8 @@ describe('Testing POST /api/registryOrg/:shortname/user endpoint', () => { name: { first: 'Test', last: 'User' - } + }, + status: 'active' } chai.request(app) .post(`/api/registryOrg/${orgShortName}/user`) @@ -79,6 +82,7 @@ describe('Testing POST /api/registryOrg/:shortname/user endpoint', () => { it('Should not create a user with a missing username', (done) => { const orgShortName = 'mitre' const invalidUser = { + status: 'active', name: { first: 'Test', last: 'User' @@ -103,6 +107,7 @@ describe('Testing POST /api/registryOrg/:shortname/user endpoint', () => { first: 'Test', last: 'User' }, + status: 'active', test: 'additional key not in schema' } chai.request(app) diff --git a/test/integration-tests/registry-org/registryOrgCRUDTest.js b/test/integration-tests/registry-org/registryOrgCRUDTest.js index c28df9910..6908d400c 100644 --- a/test/integration-tests/registry-org/registryOrgCRUDTest.js +++ b/test/integration-tests/registry-org/registryOrgCRUDTest.js @@ -373,7 +373,8 @@ describe('Testing /registryOrg endpoints', () => { name: { first: 'Expanded', last: 'User' - } + }, + status: 'active' }) .then((res) => { expect(res).to.have.status(200) diff --git a/test/integration-tests/registry-org/registryOrgWithJointReviewTest.js b/test/integration-tests/registry-org/registryOrgWithJointReviewTest.js index 1ae3fa977..d891e91c4 100644 --- a/test/integration-tests/registry-org/registryOrgWithJointReviewTest.js +++ b/test/integration-tests/registry-org/registryOrgWithJointReviewTest.js @@ -66,6 +66,7 @@ const testRegistryOrgForNewShortNameReview = { const testRegistryOrgAdminUser = { username: 'drocca_admin_user', active: 'true', + status: 'active', name: { first: 'David', last: 'Rocca', @@ -80,6 +81,7 @@ const testRegistryOrgAdminUser = { const testRegistryOrgAdminUserWithComments = { username: 'drocca_admin_user_comments', active: 'true', + status: 'active', name: { first: 'David', last: 'Rocca', @@ -94,6 +96,7 @@ const testRegistryOrgAdminUserWithComments = { const testRegistryOrgAdminUserAdvisory = { username: 'drocca_admin_user_advisory', active: 'true', + status: 'active', name: { first: 'David', last: 'Rocca', @@ -108,6 +111,7 @@ const testRegistryOrgAdminUserAdvisory = { const testRegistryOrgAdminUserNewShortName = { username: 'drocca_admin_user_new_shortname', active: 'true', + status: 'active', name: { first: 'David', last: 'Rocca', diff --git a/test/integration-tests/registry-org/rootOrgTest.js b/test/integration-tests/registry-org/rootOrgTest.js index 685248129..689a0af81 100644 --- a/test/integration-tests/registry-org/rootOrgTest.js +++ b/test/integration-tests/registry-org/rootOrgTest.js @@ -67,6 +67,7 @@ describe('Testing ROOT Organization Type', () => { first: 'Root', last: 'Admin' }, + status: 'active', role: 'ADMIN' }) .then((res) => { diff --git a/test/integration-tests/user/updateUserTest.js b/test/integration-tests/user/updateUserTest.js index 12f42db05..c9be5fd69 100644 --- a/test/integration-tests/user/updateUserTest.js +++ b/test/integration-tests/user/updateUserTest.js @@ -538,6 +538,7 @@ describe('Testing Edit user endpoint', () => { .set(constants.headers) .send({ username: 'user1', + status: 'active', test: 'additional key not in schema' }) .then((res) => { diff --git a/test/unit-tests/user/userResetSecretTest.js b/test/unit-tests/user/userResetSecretTest.js index 590acd0b8..872f554f3 100644 --- a/test/unit-tests/user/userResetSecretTest.js +++ b/test/unit-tests/user/userResetSecretTest.js @@ -105,6 +105,7 @@ describe('Testing the PUT /org/:shortname/user/:username/reset_secret endpoint', regOrgUUIDStub.resolves(userFixtures.existentOrg.UUID) isSecretariatStub.resolves(true) isRegSecretariatStub.resolves(true) + isSecretariatByShortName.resolves(true) findOneUserStub.resolves(null) const req = { @@ -206,6 +207,7 @@ describe('Testing the PUT /org/:shortname/user/:username/reset_secret endpoint', updateUserStub.resolves({ matchedCount: 1, modifiedCount: 1 }) userUUIDStub.resolves(userFixtures.userA.UUID) regUserUUIDStub.resolves(userFixtures.userA.UUID) + sinon.stub(baseOrgRepo, 'hasRoleByUUID').resolves(false) }) it('Should reset the secret if the requester is the user themselves', async () => { @@ -218,7 +220,9 @@ describe('Testing the PUT /org/:shortname/user/:username/reset_secret endpoint', ctx: { uuid: faker.datatype.uuid(), org: userFixtures.existentOrgDummy.short_name, + orgUUID: userFixtures.existentOrgDummy.UUID, user: userFixtures.userA.username, + userUUID: userFixtures.userA.UUID, repositories: { getOrgRepository, getUserRepository, getBaseOrgRepository, getBaseUserRepository }, params: { shortname: userFixtures.existentOrgDummy.short_name, @@ -271,15 +275,18 @@ describe('Testing the PUT /org/:shortname/user/:username/reset_secret endpoint', isRegSecretariatStub.resolves(false) isAdminStub.resolves(true) isRegAdminStub.resolves(true) - regUserUUIDStub.onFirstCall().resolves(userFixtures.userC.UUID) - regUserUUIDStub.onSecondCall().resolves(userFixtures.userA.UUID) + regUserUUIDStub.resolves(userFixtures.userC.UUID) + sinon.stub(baseUserRepo, 'isUserAdminOfOrgUUID').resolves(true) + sinon.stub(baseOrgRepo, 'findOneByUUID').resolves({ ...userFixtures.existentOrgDummy, admins: [userFixtures.userD.UUID] }) sinon.stub(baseUserRepo, 'resetSecret').resolves('ANEWUUID') const req = { ctx: { uuid: faker.datatype.uuid(), org: userFixtures.existentOrgDummy.short_name, - user: userFixtures.userA.username, + orgUUID: userFixtures.existentOrgDummy.UUID, + user: userFixtures.userD.username, + userUUID: userFixtures.userD.UUID, repositories: { getBaseOrgRepository, getBaseUserRepository }, params: { shortname: userFixtures.existentOrgDummy.short_name,