Get secret is now backwards compatible.

Author: david-rocca

src/controller/org.controller/index.js

@@ -620,6 +620,7 @@ router.get('/org/:shortname/user/:username',
   }
   */
   mw.validateUser,
+  param(['registry']).optional().isBoolean(),
   param(['shortname']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
   param(['username']).isString().trim().notEmpty().custom(isValidUsername),
   parseError,
@@ -801,6 +802,7 @@ router.put('/org/:shortname/user/:username/reset_secret',
   */
   mw.validateUser,
   mw.onlyOrgWithPartnerRole,
+  param(['registry']).optional().isBoolean(),
   param(['shortname']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
   param(['username']).isString().trim().notEmpty().custom(isValidUsername),
   parseError,

src/controller/org.controller/org.controller.js

@@ -170,10 +170,12 @@ async function getUsers (req, res, next) {
  **/
 async function getUser (req, res, next) {
   try {
+    const isRegistry = req.query.registry === 'true'
     const shortName = req.ctx.org
     const username = req.ctx.params.username
     const orgShortName = req.ctx.params.shortname
-    const orgRepo = req.ctx.repositories.getOrgRepository()
+
+    const orgRepo = isRegistry ? req.ctx.repositories.getRegistryOrgRepository() : req.ctx.repositories.getOrgRepository()
     const isSecretariat = await orgRepo.isSecretariat(shortName)
 
     if (orgShortName !== shortName && !isSecretariat) {
@@ -187,8 +189,8 @@ async function getUser (req, res, next) {
       return res.status(404).json(error.orgDnePathParam(orgShortName))
     }
 
-    const userRepo = req.ctx.repositories.getUserRepository()
-    const agt = setAggregateUserObj({ username: username, org_UUID: orgUUID })
+    const userRepo = isRegistry ? req.ctx.repositories.getRegistryUserRepository() : req.ctx.repositories.getUserRepository()
+    const agt = isRegistry ? setAggregateRegistryUserObj({ user_id: username, 'cve_program_org_membership.program_org': orgUUID }) : setAggregateUserObj({ username: username, org_UUID: orgUUID })
     let result = await userRepo.aggregate(agt)
     result = result.length > 0 ? result[0] : null
 
@@ -1016,47 +1018,84 @@ async function updateUser (req, res, next) {
 
 // Called by PUT /org/{shortname}/user/{username}/reset_secret
 async function resetSecret (req, res, next) {
+  const session = await mongoose.startSession()
+  session.startTransaction()
   try {
+    let randomKey
+
     const requesterShortName = req.ctx.org
     const requesterUsername = req.ctx.user
     const username = req.ctx.params.username
     const orgShortName = req.ctx.params.shortname
+
     const userRepo = req.ctx.repositories.getUserRepository()
     const orgRepo = req.ctx.repositories.getOrgRepository()
-    const isSecretariat = await orgRepo.isSecretariat(requesterShortName)
-    const orgUUID = await orgRepo.getOrgUUID(orgShortName) // userUUID may be null if user does not exist
-    if (!orgUUID) {
-      logger.info({ uuid: req.ctx.uuid, messsage: orgShortName + ' organization does not exist.' })
-      return res.status(404).json(error.orgDnePathParam(orgShortName))
-    }
 
-    if (orgShortName !== requesterShortName && !isSecretariat) {
-      logger.info({ uuid: req.ctx.uuid, message: orgShortName + ' organization can only be viewed by the users of the same organization or the Secretariat.' })
-      return res.status(403).json(error.notSameOrgOrSecretariat())
-    }
+    const userRegistryRepo = req.ctx.repositories.getRegistryUserRepository()
+    const orgRegistryRepo = req.ctx.repositories.getRegistryOrgRepository()
 
-    const oldUser = await userRepo.findOneByUserNameAndOrgUUID(username, orgUUID)
-    if (!oldUser) {
-      logger.info({ uuid: req.ctx.uuid, messsage: username + ' user does not exist.' })
-      return res.status(404).json(error.userDne(username))
-    }
+    try {
+      const isSecretariatLeg = await orgRepo.isSecretariat(requesterShortName, { session })
+      const isSecretariatReg = await orgRegistryRepo.isSecretariat(requesterShortName, { session })
+      const isSecretariat = isSecretariatLeg && isSecretariatReg
 
-    const isAdmin = await userRepo.isAdmin(requesterUsername, requesterShortName)
-    // check if the user is not the requester or if the requester is not a secretariat
-    if ((orgShortName !== requesterShortName || username !== requesterUsername) && !isSecretariat) {
+      const orgUUID = await orgRepo.getOrgUUID(orgShortName, { session }) // userUUID may be null if user does not exist
+      const orgRegUUID = await orgRegistryRepo.getOrgUUID(orgShortName, { session })
+
+      // check if orgUUID and orgRegUUID are the same
+      if (orgUUID.toString() !== orgRegUUID.toString()) {
+        logger.info({ uuid: req.ctx.uuid, message: 'The organization UUID and the organization registry UUID are not the same.' })
+        return res.status(500).json(error.internalServerError())
+      }
+
+      if (!orgUUID && !orgRegUUID) {
+        logger.info({ uuid: req.ctx.uuid, messsage: orgShortName + ' organization does not exist.' })
+        return res.status(404).json(error.orgDnePathParam(orgShortName))
+      }
+
+      if (orgShortName !== requesterShortName && !isSecretariat) {
+        logger.info({ uuid: req.ctx.uuid, message: orgShortName + ' organization can only be viewed by the users of the same organization or the Secretariat.' })
+        return res.status(403).json(error.notSameOrgOrSecretariat())
+      }
+
+      const oldUser = await userRepo.findOneByUserNameAndOrgUUID(username, orgUUID, null, { session })
+      const oldUserRegistry = await userRegistryRepo.findOneByUserNameAndOrgUUID(username, orgRegUUID)
+
+      if (!oldUser && !oldUserRegistry) {
+        logger.info({ uuid: req.ctx.uuid, messsage: username + ' user does not exist.' })
+        return res.status(404).json(error.userDne(username))
+      }
+
+      const isLegAdmin = await userRepo.isAdmin(requesterUsername, requesterShortName, { session })
+      const isRegAdmin = await userRegistryRepo.isAdmin(requesterUsername, orgRegUUID, { session })
+      const isAdmin = isLegAdmin && isRegAdmin
+
+      // check if the user is not the requester or if the requester is not a secretariat
+      if ((orgShortName !== requesterShortName || username !== requesterUsername) && !isSecretariat) {
       // check if the requester is not and admin; if admin, the requester must be from the same org as the user
-      if (!isAdmin || (isAdmin && orgShortName !== requesterShortName)) {
-        logger.info({ uuid: req.ctx.uuid, message: 'The api secret can only be reset by the Secretariat, an Org admin or if the requester is the user.' })
-        return res.status(403).json(error.notSameUserOrSecretariat())
+        if (!isAdmin || (isAdmin && orgShortName !== requesterShortName)) {
+          logger.info({ uuid: req.ctx.uuid, message: 'The api secret can only be reset by the Secretariat, an Org admin or if the requester is the user.' })
+          return res.status(403).json(error.notSameUserOrSecretariat())
+        }
       }
-    }
 
-    const randomKey = cryptoRandomString({ length: getConstants().CRYPTO_RANDOM_STRING_LENGTH })
-    oldUser.secret = await argon2.hash(randomKey) // store in db
-    const user = await userRepo.updateByUserNameAndOrgUUID(oldUser.username, orgUUID, oldUser)
-    if (user.n === 0) {
-      logger.info({ uuid: req.ctx.uuid, message: 'The user could not be updated because ' + username + ' does not exist for ' + orgShortName + ' organization.' })
-      return res.status(404).json(error.userDne(username))
+      randomKey = cryptoRandomString({ length: getConstants().CRYPTO_RANDOM_STRING_LENGTH })
+      oldUser.secret = await argon2.hash(randomKey) // store in db
+      oldUserRegistry.secret = await argon2.hash(randomKey) // store in db
+
+      const user = await userRepo.updateByUserNameAndOrgUUID(oldUser.username, orgUUID, oldUser, { session })
+      const userReg = await userRegistryRepo.updateByUserNameAndOrgUUID(oldUserRegistry.user_id, orgRegUUID, oldUserRegistry, { session })
+
+      if (user.matchedCount === 0 || userReg.matchedCount === 0) {
+        logger.info({ uuid: req.ctx.uuid, message: 'The user could not be updated because ' + username + ' does not exist for ' + orgShortName + ' organization.' })
+        return res.status(404).json(error.userDne(username))
+      }
+      await session.commitTransaction()
+    } catch (error) {
+      await session.abortTransaction()
+      throw error
+    } finally {
+      session.endSession()
     }
 
     logger.info({ uuid: req.ctx.uuid, message: `The API secret was successfully reset and sent to ${username}` })

src/middleware/middleware.js

@@ -131,7 +131,7 @@ async function validateUser (req, res, next) {
       // Check if user has active status organization's registry org membership list
       for (var organization of result.cve_program_org_membership) {
         if (organization.program_org === orgUUID) {
-          if (organization.status === 'active') {
+          if (organization.status === 'active' || organization.status === 'true') {
             activeInOrg = true
           }
           break

src/repositories/registryOrgRepository.js

@@ -17,8 +17,8 @@ class RegistryOrgRepository extends BaseRepository {
     return this.collection.findOne().byUUID(UUID)
   }
 
-  async getOrgUUID (shortName) {
-    return utils.getOrgUUID(shortName, true) // use registryOrgRepository to find org UUID
+  async getOrgUUID (shortName, options = {}) {
+    return utils.getOrgUUID(shortName, true, options) // use registryOrgRepository to find org UUID
   }
 
   async getAllOrgs () {

src/repositories/registryUserRepository.js

@@ -19,16 +19,27 @@ class RegistryUserRepository extends BaseRepository {
     return this.collection.find()
   }
 
-  async isSecretariat (org) {
-    return utils.isSecretariat(org, true)
+  async isSecretariat (org, options = {}) {
+    return utils.isSecretariat(org, true, options)
+  }
+
+  async isAdmin (username, orgShortname, options = {}) {
+    return utils.isAdmin(username, orgShortname, true, options)
   }
 
   async updateByUUID (uuid, user, options = {}) {
     return this.collection.findOneAndUpdate().byUUID(uuid).updateOne(user).setOptions(options)
   }
 
-  async findOneByUserNameAndOrgUUID (userName, orgUUID) {
-    return this.collection.findOne().byUserIdAndOrgUUID(userName, orgUUID)
+  async findOneByUserNameAndOrgUUID (userName, orgUUID, projection = null, options = {}) {
+    const query = { user_id: userName, 'org_affiliations.org_id': orgUUID }
+    return this.collection.findOne(query, projection, options)
+  }
+
+  async updateByUserNameAndOrgUUID (userName, orgUUID, user, options = {}) {
+    const filter = { user_id: userName, 'org_affiliations.org_id': orgUUID }
+    const updatePayload = { $set: user }
+    return this.collection.findOneAndUpdate(filter, updatePayload, options)
   }
 
   async deleteByUUID (uuid) {

src/repositories/userRepository.js

@@ -11,8 +11,8 @@ class UserRepository extends BaseRepository {
     return utils.getUserUUID(userName, orgUUID, options)
   }
 
-  async isAdmin (username, shortname) {
-    return utils.isAdmin(username, shortname)
+  async isAdmin (username, shortname, options = {}) {
+    return utils.isAdmin(username, shortname, false, options)
   }
 
   async isAdminUUID (username, orgUUID) {
@@ -28,11 +28,14 @@ class UserRepository extends BaseRepository {
   }
 
   async findOneByUserNameAndOrgUUID (userName, orgUUID, projection = null, options = {}) {
-    return this.collection.findOne().byUserNameAndOrgUUID(userName, orgUUID)
+    const query = { username: userName, org_UUID: orgUUID }
+    return this.collection.findOne(query, projection, options)
   }
 
   async updateByUserNameAndOrgUUID (username, orgUUID, user, options = {}) {
-    return this.collection.findOneAndUpdate().byUserNameAndOrgUUID(username, orgUUID).updateOne(user).setOptions(options)
+    const filter = { username: username, org_UUID: orgUUID }
+    const updatePayload = { $set: user }
+    return this.collection.findOneAndUpdate(filter, updatePayload, options)
   }
 
   async getAllUsers () {

src/utils/utils.js

@@ -51,17 +51,17 @@ async function getUserUUID (userIdentifier, orgUUID, useRegistry = false, option
   return userDocument ? userDocument.UUID : null
 }
 
-async function isSecretariat (shortName, useRegistry = false) {
+async function isSecretariat (shortName, useRegistry = false, options = {}) {
   let result = false
   let orgUUID = null
   let secretariats = []
 
   const CONSTANTS = getConstants()
   if (useRegistry) {
-    orgUUID = await getOrgUUID(shortName, useRegistry) // may be null if org does not exists
+    orgUUID = await getOrgUUID(shortName, useRegistry, options) // may be null if org does not exists
     secretariats = await RegistryOrg.find({ 'authority.active_roles': { $in: [CONSTANTS.AUTH_ROLE_ENUM.SECRETARIAT] } })
   } else {
-    orgUUID = await getOrgUUID(shortName) // may be null if org does not exists
+    orgUUID = await getOrgUUID(shortName, false, options) // may be null if org does not exists
     secretariats = await Org.find({ 'authority.active_roles': { $in: [CONSTANTS.AUTH_ROLE_ENUM.SECRETARIAT] } })
   }
 
@@ -109,13 +109,13 @@ async function isBulkDownload (shortName) {
   return result // org does not have bulk download as a role
 }
 
-async function isAdmin (requesterUsername, requesterShortName) {
+async function isAdmin (requesterUsername, requesterShortName, isRegistry = false, options = {}) {
   let result = false
   const CONSTANTS = getConstants()
-  const requesterOrgUUID = await getOrgUUID(requesterShortName) // may be null if org does not exists
+  const requesterOrgUUID = await getOrgUUID(requesterShortName, isRegistry, options) // may be null if org does not exists
 
   if (requesterOrgUUID) {
-    const user = await User.findOne().byUserNameAndOrgUUID(requesterUsername, requesterOrgUUID)
+    const user = isRegistry ? await RegistryUser.findOne().byUserNameAndOrgUUID(requesterUsername, requesterShortName) : await User.findOne().byUserNameAndOrgUUID(requesterUsername, requesterShortName)
 
     if (user) {
       result = user.authority.active_roles.includes(CONSTANTS.USER_ROLE_ENUM.ADMIN)