Merge pull request #1441 from CVEProject/emathew/1400-registryOrg-createUserByOrg

david-rocca · web-flow · commit 89a8ad4a05f9 · 2025-07-17T13:40:28.000-04:00
Resolves issue 1400, Add createUserByOrg registryOrg/ endpoint
diff --git a/src/controller/registry-org.controller/index.js b/src/controller/registry-org.controller/index.js
@@ -605,9 +605,30 @@ router.post('/registryOrg/:shortname/user',
   // // mw.onlyOrgWithPartnerRole,
   mw.onlySecretariat,
   param(['shortname']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
-  body(['cve_program_org_membership'])
+  // body(['cve_program_org_membership']).optional().custom(isFlatStringArray), // TO-DO: implement custom(mw.isCveProgramOrgMembershipObject),
+  body(
+    [
+      'user_id',
+      'name.first',
+      'name.last'
+    ])
+    .isString(),
+  body(
+    [
+      'name.middle',
+      'name.suffix',
+      'contact_info.phone',
+      'contact_info.email' // // TO-DO: this needs to be required only when contact-info is present?
+    ])
+    .default('')
+    .isString(),
+  body(['org_affiliations']) // TO-DO
+    .optional(),
+  body(['authority.active_roles'])
     .optional()
-    .custom(mw.isCveProgramOrgMembershipObject),
+    .custom(isFlatStringArray)
+    .customSanitizer(toUpperCaseArray)
+    .custom(isOrgRole), // TO-DO: this needs to be required only when authority is present?
   parseError,
   parsePostParams,
   controller.USER_CREATE_SINGLE)
diff --git a/src/controller/registry-org.controller/registry-org.controller.js b/src/controller/registry-org.controller/registry-org.controller.js
@@ -1,9 +1,11 @@
+const argon2 = require('argon2')
 const uuid = require('uuid')
 const logger = require('../../middleware/logger')
 const { getConstants } = require('../../constants')
 const RegistryOrg = require('../../model/registry-org')
 const RegistryUser = require('../../model/registry-user')
 const errors = require('./error')
+const cryptoRandomString = require('crypto-random-string')
 const error = new errors.RegistryOrgControllerError()
 const validateUUID = require('uuid').validate
 
@@ -202,7 +204,6 @@ async function updateOrg (req, res, next) {
     const shortName = req.ctx.params.shortname
     const userRepo = req.ctx.repositories.getRegistryUserRepository()
     const registryOrgRepo = req.ctx.repositories.getRegistryOrgRepository()
-    // const shortName = req.ctx.params.shortname
 
     const org = await registryOrgRepo.findOneByShortName(shortName)
     if (!org) {
@@ -380,8 +381,131 @@ async function getUsers (req, res, next) {
   }
 }
 
-function createUserByOrg (req, res, next) {
-  console.log('HERE')
+async function createUserByOrg (req, res, next) {
+  try {
+    const requesterUsername = req.ctx.user
+    const requesterShortName = req.ctx.org
+    const shortName = req.ctx.params.shortname
+
+    const registryUserRepo = req.ctx.repositories.getRegistryUserRepository()
+    const registryOrgRepo = req.ctx.repositories.getRegistryOrgRepository()
+    const orgUUID = await registryOrgRepo.getOrgUUID(shortName)
+    const requesterOrgUUID = await registryOrgRepo.getOrgUUID(requesterShortName)
+    const body = req.ctx.body
+
+    const isSecretariat = await registryOrgRepo.isSecretariat(requesterShortName)
+    const isAdmin = await registryUserRepo.isAdmin(requesterUsername, requesterShortName)
+
+    if (!isSecretariat && !isAdmin) { // may be redundant after validation check is implemented
+      return res.status(403).json(error.notOrgAdminOrSecretariat()) // User must be secretariat or an admin
+    }
+    if (!orgUUID) {
+      return res.status(404).json(error.orgDnePathParam(shortName)) // Org must exist
+    }
+    if (!isSecretariat) { // Admins can only create user within the same org
+      if (orgUUID !== requesterOrgUUID) {
+        return res.status(403).json(error.notOrgAdminOrSecretariat()) // The Admin user must belong to the new user's organization
+      }
+    }
+
+    const username = body.user_id || body.username
+    if (!username) {
+      return res.status(400).json({ message: 'user_id is required' })
+    }
+    const existingUser = await registryUserRepo.findOneByUserNameAndOrgUUID(username, orgUUID)
+    if (existingUser) {
+      return res.status(400).json(error.userExists(username))
+    }
+
+    const bodyKeys = Object.keys(body).map(k => k.toLowerCase())
+    if (bodyKeys.includes('uuid')) {
+      return res.status(400).json(error.uuidProvided('user'))
+    }
+
+    // Creating a new user under specific org
+    const newUser = new RegistryUser()
+    bodyKeys.forEach(k => {
+      if (k === 'user_id' || k === 'username') {
+        newUser.user_id = body[k]
+      } else if (k === 'name') {
+        newUser.name = {
+          first: '',
+          last: '',
+          middle: '',
+          suffix: '',
+          ...body.name
+        }
+      } else if (k === 'org_affiliations') {
+        newUser.org_affiliations = body[k].map(item => {
+          const {
+            orgId = '',
+            email = '',
+            phone = '',
+            ...rest
+          } = item
+
+          return {
+            org_id: orgId,
+            email,
+            phone,
+            ...rest
+          }
+        })
+      } else if (k === 'cve_program_org_membership') {
+        newUser.cve_program_org_membership = body[k].map(item => {
+          const {
+            programOrg = '',
+            roles = [],
+
+            status = false,
+            ...rest
+          } = item
+
+          return {
+            program_org: programOrg,
+            roles,
+            status,
+            ...rest
+          }
+        })
+      }
+    })
+
+    newUser.UUID = uuid.v4()
+
+    const randomKey = cryptoRandomString({ length: getConstants().CRYPTO_RANDOM_STRING_LENGTH })
+    newUser.secret = await argon2.hash(randomKey)
+    newUser.last_active = null
+    newUser.deactivation_date = null
+
+    await registryUserRepo.updateByUserNameAndOrgUUID(newUser.user_id, orgUUID, newUser, { upsert: true })
+    await registryUserRepo.addOrgToUserAffiliation(newUser.UUID, orgUUID)
+    await registryOrgRepo.addUserToOrgList(orgUUID, newUser.UUID, body.authority?.active_roles ? [...new Set(body.authority.active_roles)].includes('ADMIN') : false, { upsert: true })
+
+    const agt = setAggregateUserObj({ UUID: newUser.UUID })
+    let result = await registryUserRepo.aggregate(agt)
+    result = result.length > 0 ? result[0] : null
+
+    const payload = {
+      action: 'create_registry_user',
+      change: result.user_id + ' was successfully created.',
+      req_UUID: req.ctx.uuid,
+      org_UUID: orgUUID,
+      user: result
+    }
+    payload.user_UUID = await registryUserRepo.getUserUUID(req.ctx.user, orgUUID)
+    logger.info(JSON.stringify(payload))
+
+    result.secret = randomKey
+    const responseMessage = {
+      message: result.user_id + ' was successfully created.',
+      created: result
+    }
+
+    return res.status(200).json(responseMessage)
+  } catch (err) {
+    next(err)
+  }
 }
 
 function setAggregateUserObj (query) {
diff --git a/src/controller/registry-org.controller/registry-org.middleware.js b/src/controller/registry-org.controller/registry-org.middleware.js
@@ -6,7 +6,7 @@ const error = new errors.RegistryOrgControllerError()
 
 function parsePostParams (req, res, next) {
   utils.reqCtxMapping(req, 'body', [])
-  utils.reqCtxMapping(req, 'params', ['identifier, shortname'])
+  utils.reqCtxMapping(req, 'params', ['identifier', 'shortname'])
   utils.reqCtxMapping(req, 'query', [
     'long_name', 'short_name', 'aliases',
     'cve_program_org_function', 'authority.active_roles',
diff --git a/test/integration-tests/org/postRegistryOrgUsers.js b/test/integration-tests/org/postRegistryOrgUsers.js
@@ -0,0 +1,103 @@
+/* eslint-disable no-unused-expressions */
+const chai = require('chai')
+chai.use(require('chai-http'))
+const expect = chai.expect
+
+const constants = require('../constants.js')
+const app = require('../../../src/index.js')
+
+describe('Testing user can be created by org with /registryOrg endpoint', () => {
+  context('Positive Tests', () => {
+    it('Allows creation of user by org', async () => {
+      const payload = {
+        user_id: 'testUser',
+        name: {
+          first: 'TestFirst',
+          last: 'FakeLastName',
+          middle: 'Cool',
+          suffix: 'Mr.'
+        },
+        authority: {
+          active_roles: ['CNA']
+        }
+      }
+
+      // Create a new user by org
+      const res = await chai
+        .request(app)
+        .post('/api/registryOrg/win_5/user')
+        .set(constants.headers)
+        .send(payload)
+
+      expect(res).to.have.status(200)
+      expect(res.body).to.have.property('message', `${payload.user_id} was successfully created.`)
+      expect(res.body).to.have.property('created').that.is.an('object')
+
+      const created = res.body.created
+      expect(created).to.include({
+        user_id: payload.user_id
+      })
+      expect(created.name).to.deep.include({
+        first: payload.name.first,
+        last: payload.name.last,
+        middle: payload.name.middle,
+        suffix: payload.name.suffix
+      })
+
+      expect(created).to.have.property('UUID').that.is.a('string')
+      expect(created).to.have.property('last_active', null)
+      expect(created).to.have.property('deactivation_date', null)
+      expect(created).to.have.property('org_affiliations')
+      expect(created.org_affiliations[0]).to.have.nested.property('org_id')
+    })
+  })
+  context('Negative Tests', () => {
+    it('Fails creation of user for nonSecretariat role', async () => {
+      const payload = {
+        user_id: 'fakeregistryuser999',
+        name: {
+          first: 'TestFirstName',
+          last: 'FakeLastName',
+          middle: 'Cool',
+          suffix: 'Mr.'
+        },
+        authority: {
+          active_roles: ['CNA']
+        }
+      }
+      await chai
+        .request(app)
+        .post('/api/registryOrg/win_5/user')
+        .set(constants.nonSecretariatUserHeaders)
+        .send(payload)
+        .then((res, err) => {
+          expect(res).to.have.status(403)
+          expect(res.body.error).to.equal('SECRETARIAT_ONLY')
+        // expect(res.body.error).to.equal('NOT_ORG_ADMIN_OR_SECRETARIAT') // Will be this error when validation is fixed
+        })
+    })
+    it('Fails creation of user if they exist', async () => {
+      const payload = {
+        user_id: 'fakeregistryuser999',
+        name: {
+          first: 'TestFirstName',
+          last: 'FakeLastName',
+          middle: 'Cool',
+          suffix: 'Mr.'
+        },
+        authority: {
+          active_roles: ['CNA']
+        }
+      }
+      await chai
+        .request(app)
+        .post('/api/registryOrg/win_5/user')
+        .set(constants.headers)
+        .send(payload)
+        .then((res, err) => {
+          expect(res).to.have.status(400)
+          expect(res.body.error).to.equal('USER_EXISTS')
+        })
+    })
+  })
+})
