Merge pull request #1444 from CVEProject/dev

Update test with user registry updates from dev

Author: jdaigneau5

README.md

@@ -1,4 +1,4 @@
-*NOTE: the Test environment of CVE Services now includes the release candidate “User Registry” which adds many additional features.  See the details at the end of this ReadMe doc.*
+*6/12/2025 NOTE: the Test environment of CVE Services now includes the release candidate “User Registry” which adds many additional features.  See the details at the end of this ReadMe doc.*
 
 # CVE-API
 
@@ -143,18 +143,33 @@ In order to run the unit tests:
 npm run start:test
 ```
 
-
 ### User Registry
 
 The CVE Automation Working Group (on behalf of the CVE Program)  is currently working on a new automation capability: the User Registry.  The objective of the User Registry is to modernize how CVE Program Organizations (e.g., CNAs, Roots, Top level Roots, the Secretariat) manage/update their organizational properties and user pools.   The new capability will ultimately allow CNAs, Roots, Top Level Roots to better manage their own data/user pools with more robust information.  It is targeted to be implemented in a series of incremental deployments to CVE Services in the Fall/2025 through Summer/2026.   
 
-Current Status:  The release candidate for the first User Registry increment (termed the User Registry MVP) is now available for testing/review in the CVE Program Testing Environment. (Note that this release IS NOT a PRODUCTION Release and will not be visible in the CVE Program PRODUCTION environment).
-This release candidate establishes a new, more robust User/Organizations databases (and associated APIs) while maintaining full backwards compatibility with the current User/Organizational management functions (meaning that current CVE Services clients will not be required to be modified with the deployment of this candidate).  It was discussed at the 6/11/2025 CVE Program AWG meeting.  
+#### Current Status:  
+
+The release candidate for the first User Registry increment (termed the User Registry MVP) is now available for testing/review in the CVE Program Testing Environment. (Note that this release IS NOT a PRODUCTION Release and will not be visible in the CVE Program PRODUCTION environment).
+This release candidate establishes a new, more robust User/Organizations databases (and associated APIs) while maintaining full backwards compatibility with the current User/Organizational management functions (meaning that current CVE Services clients will not be required to be modified with the deployment of this candidate).  It was discussed at the [6/10/2025 CVE Program AWG meeting](https://github.com/CVEProject/automation-working-group/blob/master/meeting-notes/2025-06-10.md).  
+
+#### HowTo:  
+
+Credentialed users of CVE Services Test Environment will be able to use the new capabilities via the API endpoints which are described [here](https://cveawg-test.mitre.org/api-docs/) (Be sure to scroll down to the bottom of the page to review the new User Registry interfaces).  
+
+Credentialed users can access the APIs by
+
+- installing/using common web application API testing tools such as [curl](https://curl.se/) or [postman](https://www.postman.com/) OR
+
+- installing/using the [User Registry Client](https://github.com/CVEProject/cve-user-registry-client) which provides a GUI interface to exercise the basic functions of the User Registry.
+
+  Note that there is no support for these new endpoints in many currently available CVE Services “client” tools (e.g, Vulnogram) and hence they should not be relied upon to examine/test these interfaces.    
+
+#### Next Steps:  
+
+The AWG is taking comments/questions on this release candidate.   You can provide feedback in three ways:
 
-HowTo:  Credentialed users of CVE Services will be able to use the new capabilities via the API endpoints.  Note that support for new endpoints may not be immediately available in the “client” tools provided by the community.  
+- Send  comments/questions to AWG+owner@CVE-CWE-Programs.groups.io,
 
-Next Steps:  The AWG is taking comments/questions on this release candidate.   You can provide feedback in three ways:
-Send  comments/questions to AWG+owner@CVE-CWE-Programs.groups.io,
+- Post Issues/Questions to the CVE Services Issue Board (please attach a “user registry” label to your post).   
 
-Post Issues/Questions to the CVE Services Issue Board (please attach a “user registry” label to your post).   
-Attend (virtually) an AWG meeting which meets every week on Tuesday at 4:00 PM Eastern US Time.  Send a request for the link to AWG+owner@CVE-CWE-Programs.groups.io.
+- Attend (virtually) an AWG meeting which meets every week on Tuesday at 4:00 PM Eastern US Time. Send a request for the link to AWG+owner@CVE-CWE-Programs.groups.io.

api-docs/openapi.json

@@ -1448,7 +1448,7 @@
           }
         },
         "requestBody": {
-          "description": "<h3>Notes:</h3>  <ul>  <li>**providerMetadata** is set by the server. If provided, it will be overwritten.</li>  <li>**datePublished** and **assignerShortname** are optional fields in the schema, but are set by the server. </li>  </ul>",
+          "description": "<h3>Notes:</h3>   <ul>   <li>**providerMetadata** is set by the server. If provided, it will be overwritten.</li>   <li>**datePublished** and **assignerShortname** are optional fields in the schema, but are set by the server. </li>   </ul>",
           "required": true,
           "content": {
             "application/json": {
@@ -1560,7 +1560,7 @@
           }
         },
         "requestBody": {
-          "description": "<h3>Notes:</h3>  <ul>  <li>When updating a rejected record to published, it is recommended to confirm that both the Cve-Id and CVE record are in the correct state after calling this endpoint. Though very unlikely, a race condition can occur causing the two states to be out of sync. </li>  <li>**providerMetadata** is set by the server. If provided, it will be overwritten.</li>  <li>**datePublished** and **assignerShortname** are optional fields in the schema, but are set by the server. </li>  </ul>",
+          "description": "<h3>Notes:</h3>   <ul>   <li>When updating a rejected record to published, it is recommended to confirm that both the Cve-Id and CVE record are in the correct state after calling this endpoint. Though very unlikely, a race condition can occur causing the two states to be out of sync. </li>   <li>**providerMetadata** is set by the server. If provided, it will be overwritten.</li>   <li>**datePublished** and **assignerShortname** are optional fields in the schema, but are set by the server. </li>   </ul>",
           "required": true,
           "content": {
             "application/json": {
@@ -1671,7 +1671,7 @@
           }
         },
         "requestBody": {
-          "description": "<h3>Notes:</h3>  <ul>  <li>**providerMetadata** is set by the server. If provided, it will be overwritten.</li>  <li>**datePublished** and **assignerShortname** are optional fields in the schema, but are set by the server. </li>  </ul>",
+          "description": "<h3>Notes:</h3>   <ul>   <li>**providerMetadata** is set by the server. If provided, it will be overwritten.</li>   <li>**datePublished** and **assignerShortname** are optional fields in the schema, but are set by the server. </li>   </ul>",
           "required": true,
           "content": {
             "application/json": {
@@ -1772,7 +1772,7 @@
           }
         },
         "requestBody": {
-          "description": "<h3>Notes:</h3>  <ul>  <li>It is recommended to confirm that both the Cve-Id and CVE record are in the REJECTED state after calling this endpoint. Though very unlikely, a race condition can occur causing the two states to be out of sync. </li>  <li>**providerMetadata** is set by the server. If provided, it will be overwritten.</li>  <li>**datePublished** and **assignerShortname** are optional fields in the schema, but are set by the server. </li>  </ul>",
+          "description": "<h3>Notes:</h3>   <ul>   <li>It is recommended to confirm that both the Cve-Id and CVE record are in the REJECTED state after calling this endpoint. Though very unlikely, a race condition can occur causing the two states to be out of sync. </li>   <li>**providerMetadata** is set by the server. If provided, it will be overwritten.</li>   <li>**datePublished** and **assignerShortname** are optional fields in the schema, but are set by the server. </li>   </ul>",
           "required": true,
           "content": {
             "application/json": {
@@ -3130,7 +3130,7 @@
             "content": {
               "application/json": {
                 "schema": {
-                  "$ref": "../schemas/registry-org/get-registry-org-response.json"
+                  "$ref": "../schemas/registry-org/list-registry-orgs-response.json"
                 }
               }
             }
@@ -3201,7 +3201,7 @@
             "content": {
               "application/json": {
                 "schema": {
-                  "$ref": "../schemas/org/create-org-response.json"
+                  "$ref": "../schemas/registry-org/create-registry-org-response.json"
                 }
               }
             }
@@ -3252,7 +3252,7 @@
           "content": {
             "application/json": {
               "schema": {
-                "$ref": "#/components/schemas/CreateOrgPayload"
+                "$ref": "../schemas/registry-org/create-registry-org-request.json"
               }
             }
           }
@@ -3293,7 +3293,7 @@
             "content": {
               "application/json": {
                 "schema": {
-                  "$ref": "../schemas/org/get-org-response.json"
+                  "$ref": "../schemas/registry-org/get-registry-org-response.json"
                 }
               }
             }
@@ -3376,7 +3376,13 @@
             "content": {
               "application/json": {
                 "schema": {
-                  "$ref": "../schemas/org/delete-org-response.json"
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "description": "Message describing successful deletion operation"
+                    }
+                  }
                 }
               }
             }
@@ -3458,7 +3464,7 @@
             "content": {
               "application/json": {
                 "schema": {
-                  "$ref": "../schemas/org/update-org-response.json"
+                  "$ref": "../schemas/registry-org/update-registry-org-response.json"
                 }
               }
             }
@@ -3519,7 +3525,7 @@
           "content": {
             "application/json": {
               "schema": {
-                "$ref": "#/components/schemas/UpdateOrgPayload"
+                "$ref": "../schemas/registry-org/update-registry-org-request.json"
               }
             }
           }
@@ -3563,7 +3569,7 @@
             "content": {
               "application/json": {
                 "schema": {
-                  "$ref": "../schemas/user/list-users-response.json"
+                  "$ref": "../schemas/registry-user/list-registry-users-response.json"
                 }
               }
             }
@@ -3655,7 +3661,7 @@
             "content": {
               "application/json": {
                 "schema": {
-                  "$ref": "../schemas/user/create-user-response.json"
+                  "$ref": "../schemas/registry-user/create-registry-user-response.json"
                 }
               }
             }
@@ -3716,7 +3722,7 @@
           "content": {
             "application/json": {
               "schema": {
-                "$ref": "../schemas/user/create-user-request.json"
+                "$ref": "../schemas/registry-user/create-registry-user-request.json"
               }
             }
           }
@@ -3747,11 +3753,11 @@
         ],
         "responses": {
           "200": {
-            "description": "A list of all registry organizations, along with pagination fields if results span multiple pages of data",
+            "description": "A list of all registry users, along with pagination fields if results span multiple pages of data",
             "content": {
               "application/json": {
                 "schema": {
-                  "$ref": "../schemas/registry-user/get-registry-users-response.json"
+                  "$ref": "../schemas/registry-user/list-registry-users-response.json"
                 }
               }
             }
@@ -3822,7 +3828,7 @@
             "content": {
               "application/json": {
                 "schema": {
-                  "$ref": "../schemas/user/create-user-response.json"
+                  "$ref": "../schemas/registry-user/create-registry-user-response.json"
                 }
               }
             }
@@ -3873,7 +3879,7 @@
           "content": {
             "application/json": {
               "schema": {
-                "$ref": "#/components/schemas/CreateUserPayload"
+                "$ref": "../schemas/registry-user/create-registry-user-request.json"
               }
             }
           }
@@ -3914,7 +3920,7 @@
             "content": {
               "application/json": {
                 "schema": {
-                  "$ref": "../schemas/user/get-user-response.json"
+                  "$ref": "../schemas/registry-user/get-registry-user-response.json"
                 }
               }
             }
@@ -3997,7 +4003,7 @@
             "content": {
               "application/json": {
                 "schema": {
-                  "$ref": "../schemas/user/update-user-response.json"
+                  "$ref": "../schemas/registry-user/update-registry-user-response.json"
                 }
               }
             }
@@ -4058,7 +4064,7 @@
           "content": {
             "application/json": {
               "schema": {
-                "$ref": "#/components/schemas/UpdateUserPayload"
+                "$ref": "../schemas/registry-user/update-registry-user-request.json"
               }
             }
           }
@@ -4097,7 +4103,13 @@
             "content": {
               "application/json": {
                 "schema": {
-                  "$ref": "../schemas/user/delete-user-response.json"
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "description": "Message describing successful deletion operation"
+                    }
+                  }
                 }
               }
             }

schemas/registry-org/update-registry-org-request.json

@@ -0,0 +1,117 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://cve.mitre.org/schema/org/organization.json",
+  "type": "object",
+  "title": "CVE Update Registry Org Request",
+  "description": "JSON Schema for updating a CVE Registry organization",
+  "properties": {
+    "long_name": {
+      "type": "string",
+      "description": "Full name of the organization"
+    },
+    "short_name": {
+      "type": "string",
+      "description": "Short name or acronym of the organization"
+    },
+    "aliases": {
+      "type": "array",
+      "items": {
+        "type": "string"
+      },
+      "description": "Alternative names or aliases for the organization"
+    },
+    "cve_program_org_function": {
+      "type": "string",
+      "enum": ["CNA", "ADP", "Root", "Secretariat"],
+      "description": "The organization's function within the CVE program"
+    },
+    "authority": {
+      "type": "object",
+      "properties": {
+        "active_roles": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "enum": ["CNA", "ADP", "Root", "Secretariat"]
+          }
+        }
+      },
+      "required": ["active_roles"]
+    },
+    "reports_to": {
+      "type": ["string", "null"],
+      "description": "UUID of the parent organization, if any"
+    },
+    "oversees": {
+      "type": "array",
+      "items": {
+        "type": "string"
+      },
+      "description": "UUIDs of organizations overseen by this organization"
+    },
+    "root_or_tlr": {
+      "type": "boolean",
+      "description": "Indicates if the organization is a root or top-level root"
+    },
+    "users": {
+      "type": "array",
+      "items": {
+        "type": "string"
+      },
+      "description": "UUIDs of users associated with this organization"
+    },
+    "charter_or_scope": {
+      "type": "string",
+      "description": "Description of the organization's charter or scope"
+    },
+    "disclosure_policy": {
+      "type": "string",
+      "description": "The organization's disclosure policy"
+    },
+    "product_list": {
+      "type": "string",
+      "description": "List of products associated with the organization"
+    },
+    "contact_info": {
+      "type": "object",
+      "properties": {
+        "additional_contact_users": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "poc": {
+          "type": "string",
+          "description": "Point of contact name"
+        },
+        "poc_email": {
+          "type": "string",
+          "format": "email",
+          "description": "Point of contact email"
+        },
+        "poc_phone": {
+          "type": "string",
+          "description": "Point of contact phone number"
+        },
+        "admins": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "UUIDs of admin users"
+        },
+        "org_email": {
+          "type": "string",
+          "format": "email",
+          "description": "Organization's email address"
+        },
+        "website": {
+          "type": "string",
+          "format": "uri",
+          "description": "Organization's website URL"
+        }
+      }
+    }
+  }
+}