Merge branch 'dev' of https://github.com/CVEProject/cve-services into adp_ambig_dates

Author: jdaigneau5

api-docs/openapi.json

@@ -1,7 +1,7 @@
 {
   "openapi": "3.0.2",
   "info": {
-    "version": "ur-v0.3.0",
+    "version": "2.6.1",
     "title": "CVE Services API",
     "description": "The CVE Services API supports automation tooling for the CVE Program. Credentials are     required for most service endpoints. Representatives of     <a href='https://www.cve.org/ProgramOrganization/CNAs'>CVE Numbering Authorities (CNAs)</a> should     use one of the methods below to obtain credentials:    <ul><li>If your organization already has an Organizational Administrator (OA) account for the CVE     Services, ask your admin for credentials</li>     <li>Contact your Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/Google'>Google</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/INCIBE'>INCIBE</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/jpcert'>JPCERT/CC</a>, or     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/redhat'>Red Hat</a>) or     Top-Level Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/icscert'>CISA ICS</a>     or <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/mitre'>MITRE</a>) to request credentials     </ul>     <p>CVE data is to be in the JSON 5.2 CVE Record format. Details of the JSON 5.2 schema are     located <a href='https://github.com/CVEProject/cve-schema/releases/tag/v5.2.0' target='_blank'>here</a>.</p>    <a href='https://cveform.mitre.org/' class='link' target='_blank'>Contact the CVE Services team</a>",
     "contact": {
@@ -5078,7 +5078,7 @@
         }
       }
     },
-    "/review/org/{uuid}": {
+    "/review/{uuid}": {
       "put": {
         "tags": [
           "Review Object"
@@ -5181,7 +5181,7 @@
         }
       }
     },
-    "/review/org/{uuid}/approve": {
+    "/review/{uuid}/approve": {
       "put": {
         "tags": [
           "Review Object"
@@ -5285,7 +5285,7 @@
         }
       }
     },
-    "/review/org/{uuid}/reject": {
+    "/review/{uuid}/reject": {
       "put": {
         "tags": [
           "Review Object"

package-lock.json

@@ -1,7 +1,7 @@
 {
     "name": "cve-services",
     "author": "Automation Working Group",
-    "version": "ur-v0.3.0",
+    "version": "2.6.1",
     "license": "(CC0)",
     "devDependencies": {
         "@faker-js/faker": "^7.6.0",

package.json

@@ -178,6 +178,32 @@ function datePublicHelper (datePublic) {
   return currentDate > datePublicWithGracePeriod
 }
 
+/**
+ * Checks that timeline.time fields are valid datetime objects.
+ * This accounts for invalid timezone offsets that aren't handled by the schema.
+ *
+ * @param {String} dateIndex
+ * @returns true
+ * @throws Error
+ */
+function validateTimelineDates (dateIndex) {
+  // Check if datePublic is a future date
+  return body(dateIndex).isArray().withMessage('Time must be a date string').optional({ nullable: true }).bail().custom((timelineArray) => {
+    for (const timelineObj of timelineArray) {
+      const value = new Date(timelineObj.time)
+      if (!validateTimelineHelper(value)) {
+        throw new Error(`Invalid date string: ${timelineObj.time} `)
+      }
+    }
+
+    return true
+  })
+}
+
+function validateTimelineHelper (value) {
+  return value instanceof Date && !isNaN(value)
+}
+
 // Organizations in the ADP pilot are generating JSON programatically, and thus
 // informing them about the result of the final validation (against the full
 // CVE Record schema) is currently sufficient.
@@ -290,6 +316,7 @@ module.exports = {
   validateDescription,
   validateRejectBody,
   validateDatePublic,
+  validateTimelineDates,
   datePublicHelper,
   validatePURL,
   purlValidateHelper

src/controller/cve.controller/cve.middleware.js

@@ -4,7 +4,7 @@ const mw = require('../../middleware/middleware')
 const errorMsgs = require('../../middleware/errorMessages')
 const controller = require('./cve.controller')
 const { body, param, query } = require('express-validator')
-const { parseGetParams, parsePostParams, parseError, validateCveCnaContainerJsonSchema, validateCveAdpContainerJsonSchema, validateRejectBody, validateUniqueEnglishEntry, validateDescription, validateDatePublic, validatePURL } = require('./cve.middleware')
+const { parseGetParams, parsePostParams, parseError, validateCveCnaContainerJsonSchema, validateCveAdpContainerJsonSchema, validateRejectBody, validateUniqueEnglishEntry, validateDescription, validateDatePublic, validateTimelineDates, validatePURL } = require('./cve.middleware')
 const getConstants = require('../../constants').getConstants
 const CONSTANTS = getConstants()
 const CHOICES = [CONSTANTS.CVE_STATES.REJECTED, CONSTANTS.CVE_STATES.PUBLISHED]
@@ -499,6 +499,7 @@ router.post('/cve/:id',
   validateUniqueEnglishEntry(['containers.cna.descriptions', 'containers.cna.rejectedReasons']),
   validateDescription(['containers.cna.rejectedReasons', 'containers.cna.descriptions', 'containers.cna.problemTypes[0].descriptions']),
   validateDatePublic(['containers.cna.datePublic']),
+  validateTimelineDates(['containers.cna.timeline']),
   validatePURL(['containers.cna.affected']),
   param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
   parseError,
@@ -586,6 +587,7 @@ router.put('/cve/:id',
   validateUniqueEnglishEntry(['containers.cna.descriptions', 'containers.cna.rejectedReasons']),
   validateDescription(['containers.cna.rejectedReasons', 'containers.cna.descriptions', 'containers.cna.problemTypes[0].descriptions']),
   validateDatePublic(['containers.cna.datePublic']),
+  validateTimelineDates(['containers.cna.timeline']),
   validatePURL(['containers.cna.affected']),
   param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
   parseError,
@@ -685,6 +687,7 @@ router.post('/cve/:id/cna',
   validateUniqueEnglishEntry('cnaContainer.descriptions'),
   validateDescription(['cnaContainer.descriptions', 'cnaContainer.problemTypes[0].descriptions']),
   validateDatePublic(['cnaContainer.datePublic']),
+  validateTimelineDates(['cnaContainer.timeline']),
   validatePURL(['cnaContainer.affected']),
   param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
   parseError,
@@ -786,6 +789,7 @@ router.put('/cve/:id/cna',
   validateUniqueEnglishEntry('cnaContainer.descriptions'),
   validateDescription(['cnaContainer.descriptions', 'cnaContainer.problemTypes[0].descriptions']),
   validateDatePublic(['cnaContainer.datePublic']),
+  validateTimelineDates(['cnaContainer.timeline']),
   validatePURL(['cnaContainer.affected']),
   param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
   parseError,
@@ -1058,6 +1062,7 @@ router.put('/cve/:id/adp',
   mw.trimJSONWhitespace,
   validateCveAdpContainerJsonSchema,
   validatePURL(['adpContainer.affected']),
+  validateTimelineDates(['adpContainer.timeline']),
   param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
   parseError,
   parsePostParams,

src/controller/cve.controller/index.js

@@ -17,10 +17,8 @@ const validateUUID = require('uuid').validate
  */
 async function getOrgs (req, res, next) {
   try {
-    const session = await mongoose.startSession()
     const repo = req.ctx.repositories.getBaseOrgRepository()
     const CONSTANTS = getConstants()
-    let returnValue
 
     // temporary measure to allow tests to work after fixing #920
     // tests required changing the global limit to force pagination
@@ -32,11 +30,7 @@ async function getOrgs (req, res, next) {
     options.sort = { short_name: 'asc' }
     options.page = req.ctx.query.page ? parseInt(req.ctx.query.page) : CONSTANTS.PAGINATOR_PAGE // if 'page' query parameter is not defined, set 'page' to the default page value
 
-    try {
-      returnValue = await repo.getAllOrgs({ ...options, session }, true)
-    } finally {
-      await session.endSession()
-    }
+    const returnValue = await repo.getAllOrgs({ ...options }, true)
 
     logger.info({ uuid: req.ctx.uuid, message: 'The orgs were sent to the user.' })
     return res.status(200).json(returnValue)
@@ -58,7 +52,6 @@ async function getOrgs (req, res, next) {
  */
 async function getOrg (req, res, next) {
   try {
-    const session = await mongoose.startSession()
     const repo = req.ctx.repositories.getBaseOrgRepository()
     const requesterOrgShortName = req.ctx.org
     const identifier = req.ctx.params.identifier
@@ -67,26 +60,21 @@ async function getOrg (req, res, next) {
     let returnValue
 
     try {
-      session.startTransaction()
-      const requesterOrg = await repo.findOneByShortName(requesterOrgShortName, { session }, returnLegacyFormat)
+      const requesterOrg = await repo.findOneByShortName(requesterOrgShortName, {}, returnLegacyFormat)
       const requesterOrgIdentifier = identifierIsUUID ? requesterOrg.UUID : requesterOrgShortName
-      const isSecretariat = await repo.isSecretariat(requesterOrg, { session }, returnLegacyFormat)
+      const isSecretariat = await repo.isSecretariat(requesterOrg, {}, returnLegacyFormat)
 
       if (requesterOrgIdentifier !== identifier && !isSecretariat) {
         logger.info({ uuid: req.ctx.uuid, message: identifier + ' organization can only be viewed by the users of the same organization or the Secretariat.' })
         return res.status(403).json(error.notSameOrgOrSecretariat())
       }
 
-      returnValue = await repo.getOrg(identifier, identifierIsUUID, { session }, returnLegacyFormat)
+      returnValue = await repo.getOrg(identifier, identifierIsUUID, {}, returnLegacyFormat)
     } catch (error) {
-      await session.abortTransaction()
       // Handle the specific error thrown by BaseOrgRepository.createOrg
       if (error.message && error.message.includes('Unknown Org type requested')) {
         return res.status(400).json({ message: error.message })
       }
-      throw error
-    } finally {
-      await session.endSession()
     }
     if (!returnValue) { // an empty result can only happen if the requestor is the Secretariat
       logger.info({ uuid: req.ctx.uuid, message: identifier + ' organization does not exist.' })
@@ -187,13 +175,13 @@ async function getUser (req, res, next) {
       return res.status(404).json(error.userDne(username))
     }
 
-    const rawResult = result
+    const rawResult = result.toObject()
 
     delete rawResult._id
     delete rawResult.__v
     delete rawResult.secret
 
-    logger.info({ uuid: req.ctx.uuid, message: username + ' was sent to the user.', user: result })
+    logger.info({ uuid: req.ctx.uuid, message: username + ' was sent to the user.', user: rawResult })
     return res.status(200).json(rawResult)
   } catch (err) {
     next(err)
@@ -202,7 +190,7 @@ async function getUser (req, res, next) {
 
 /**
  * Get details on ID quota for an org with the specified org shortname.
- * Called by GET /api/registry/org/{shortname}/id_quota, GET /api/org/{shortname}/id_quota
+ * Called by GET /api/registry/org/{shortname}/hard_quota, GET /api/org/{shortname}/id_quota
  *
  * @param {Object} req - The request object
  * @param {Object} res - The response object
@@ -336,7 +324,7 @@ async function updateOrg (req, res, next) {
   const shortNameUrlParameter = req.ctx.params.shortname
   const orgRepository = req.ctx.repositories.getBaseOrgRepository()
 
-  const session = await mongoose.startSession()
+  const session = await mongoose.startSession({ causalConsistency: false })
   let responseMessage
   // Get the query parameters as JSON
   // These are validated by the middleware in org/index.js

src/controller/org.controller/org.controller.js

@@ -71,7 +71,6 @@ async function getAllOrgs (req, res, next) {
  */
 async function getOrg (req, res, next) {
   try {
-    const session = await mongoose.startSession()
     const repo = req.ctx.repositories.getBaseOrgRepository()
     const conversationRepo = req.ctx.repositories.getConversationRepository()
     // User passed in parameter to filter for
@@ -81,32 +80,28 @@ async function getOrg (req, res, next) {
     let returnValue
 
     try {
-      session.startTransaction()
-      const requesterOrg = await repo.findOneByShortName(requesterOrgShortName, { session })
+      const requesterOrg = await repo.findOneByShortName(requesterOrgShortName)
       const requesterOrgIdentifier = identifierIsUUID ? requesterOrg.UUID : requesterOrgShortName
-      const isSecretariat = await repo.isSecretariat(requesterOrg, { session })
+      const isSecretariat = await repo.isSecretariat(requesterOrg)
 
       if (requesterOrgIdentifier !== identifier && !isSecretariat) {
         logger.info({ uuid: req.ctx.uuid, message: identifier + ' organization can only be viewed by the users of the same organization or the Secretariat.' })
         return res.status(403).json(error.notSameOrgOrSecretariat())
       }
 
-      returnValue = await repo.getOrg(identifier, identifierIsUUID, { session })
+      returnValue = await repo.getOrg(identifier, identifierIsUUID)
 
       if (returnValue) {
         // fetch conversation
-        const conversation = await conversationRepo.getAllByTargetUUID(returnValue.UUID, isSecretariat, { session })
+        const conversation = await conversationRepo.getAllByTargetUUID(returnValue.UUID, isSecretariat)
         returnValue.conversation = conversation?.length ? _.map(conversation, c => _.omit(c, ['__v', '_id', 'UUID', 'previous_conversation_uuid', 'next_conversation_uuid', 'target_uuid', 'visibility'])) : undefined
       }
     } catch (error) {
-      await session.abortTransaction()
       // Handle the specific error thrown by BaseOrgRepository.createOrg
       if (error.message && error.message.includes('Unknown Org type requested')) {
         return res.status(400).json({ message: error.message })
       }
       throw error
-    } finally {
-      await session.endSession()
     }
     if (!returnValue) { // an empty result can only happen if the requestor is the Secretariat
       logger.info({ uuid: req.ctx.uuid, message: identifier + ' organization does not exist.' })
@@ -134,7 +129,7 @@ async function getOrg (req, res, next) {
  */
 async function createOrg (req, res, next) {
   try {
-    const session = await mongoose.startSession()
+    const session = await mongoose.startSession({ causalConsistency: false })
     const repo = req.ctx.repositories.getBaseOrgRepository()
     const body = req.ctx.body
     const isSecretariat = await repo.isSecretariatByShortName(req.ctx.org, { session })
@@ -232,7 +227,7 @@ async function createOrg (req, res, next) {
  */
 async function updateOrg (req, res, next) {
   try {
-    const session = await mongoose.startSession()
+    const session = await mongoose.startSession({ causalConsistency: false })
     const shortName = req.ctx.params.shortname
     const repo = req.ctx.repositories.getBaseOrgRepository()
     const userRepo = req.ctx.repositories.getBaseUserRepository()
@@ -318,15 +313,18 @@ async function updateOrg (req, res, next) {
         }
       }
 
+      // Update Org full will cause a write to the Conversations collection, to avoid a read-after-write issue, we need to get the previous conversation data first
+      const previousConversation = await conversationRepo.getAllByTargetUUID(await repo.getOrgUUID(shortName, { session }), isSecretariat, { session }) || []
+
       updatedOrg = await repo.updateOrgFull(shortName, req.ctx.body, { session }, false, requestingUser.UUID, isAdmin, isSecretariat)
       jointApprovalRequired = _.get(updatedOrg, 'joint_approval_required', false)
       _.unset(updatedOrg, 'joint_approval_required')
-
-      await session.commitTransaction()
-      session.startTransaction()
-      // Checking for existing Conversations
-      const existingConversations = await conversationRepo.getAllByTargetUUID(updatedOrg.UUID, isSecretariat, { session }) || []
-      updatedOrg.conversation = existingConversations.map(c => _.omit(c, ['__v', '_id', 'previous_conversation_uuid', 'next_conversation_uuid']))
+      // append previous conversations to any conversations that are in the org already
+      const currentConversations = Array.isArray(updatedOrg?.conversation) ? updatedOrg.conversation : []
+      const prevConversations = Array.isArray(previousConversation) ? previousConversation : []
+      if (updatedOrg) {
+        updatedOrg.conversation = [...currentConversations, ...prevConversations].map(c => _.omit(c, ['__v', '_id', 'previous_conversation_uuid', 'next_conversation_uuid']))
+      }
 
       await session.commitTransaction()
     } catch (updateErr) {
@@ -387,7 +385,7 @@ async function updateOrg (req, res, next) {
  */
 async function deleteOrg (req, res, next) {
   try {
-    const session = await mongoose.startSession()
+    const session = await mongoose.startSession({ causalConsistency: false })
     const repo = req.ctx.repositories.getBaseOrgRepository()
     const shortName = req.ctx.params.identifier
 
@@ -500,7 +498,7 @@ async function getUsers (req, res, next) {
  *              Called by POST /api/registryOrg/:shortname/user
  */
 async function createUserByOrg (req, res, next) {
-  const session = await mongoose.startSession()
+  const session = await mongoose.startSession({ causalConsistency: false })
   try {
     const body = req.ctx.body
     const userRepo = req.ctx.repositories.getBaseUserRepository()