#1176 added logic for cve-ids changing orgs, for secretariat users, and added tests
jdaigneau5 committed Feb 1, 2024
1 parent 299a108 commit 09eeb6f
Showing 4 changed files with 113 additions and 4 deletions.
29 changes: 28 additions & 1 deletion src/controller/cve-id.controller/cve-id.controller.js
Expand Up @@ -42,11 +42,14 @@ async function getFilteredCveId (req, res, next) {
const users = await userRepo.getAllUsers()

const orgMap = {}
const userMap = {}

orgs.forEach(org => {
orgMap[org.UUID] = { shortname: org.short_name, users: {} }
})

users.forEach(user => {
userMap[user.UUID] = user.username
if (!orgMap[user.org_UUID]) {
orgMap[user.org_UUID] = { shortname: `MISSING ORG ${user.org_UUID}`, users: {} }
}
Expand Down Expand Up @@ -122,7 +125,31 @@ async function getFilteredCveId (req, res, next) {
cve_ids: pg.itemsList.map((i) => {
const cnaid = i.requested_by.cna
i.requested_by.cna = orgMap[cnaid].shortname
i.requested_by.user = orgMap[cnaid].users[i.requested_by.user] ? orgMap[cnaid].users[i.requested_by.user] : 'REDACTED'

// User value is redacted in certain cases
// Checks if requested_by.user is in requested_by.cna org
if (!orgMap[cnaid].users[i.requested_by.user]) {
// Never redact for secretariat users
if (isSecretariat) {
i.requested_by.user = userMap[i.requested_by.user]
} else {
// Redact because requested_by.user is not in requested_by.cna org
i.requested_by.user = 'REDACTED'
}
// Check is current owning_cna is also requested_by.cna (if a CVE-ID changes orgs)
} else if (cnaid !== i.owning_cna) {
// Never redact for secretariat
if (isSecretariat) {
i.requested_by.user = userMap[i.requested_by.user]
} else {
// Redact because current owner is not requested_by.cna and shouldn't see requested_by.user
i.requested_by.user = 'REDACTED'
}
} else {
// No redaction, original requested_by.user is in requested_by.cna and owning_cna
i.requested_by.user = orgMap[cnaid].users[i.requested_by.user]
}

i.owning_cna = orgMap[i.owning_cna].shortname
return i
})
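Review bot: The two outer branches of the new redaction logic (the "not in requested_by.cna org" case and the "cna !== owning_cna" case) differ only in their comments — both resolve to `userMap[i.requested_by.user]` for the secretariat and `'REDACTED'` otherwise — and those secretariat lookups yield `undefined` when the UUID is absent from `userMap` (e.g. a deleted user), which silently drops `requested_by.user` from the JSON response where the removed ternary produced `'REDACTED'`. Folding the conditions into one secretariat check plus a single visibility predicate removes the duplication and makes the fallback explicit, as sketched below. The `cnaid !== i.owning_cna` comparison works on raw UUIDs and therefore has to stay ahead of the `i.owning_cna = orgMap[i.owning_cna].shortname` rewrite at the end of the callback; a comment saying so would protect it from a reorder. `isSecretariat` and the enclosing `getFilteredCveId` are defined outside this hunk, and the `users` sub-map of `orgMap` is presumably filled in the collapsed lines after the first hunk — I cannot confirm its value type from here.
```javascript
          const cnaid = i.requested_by.cna
          const requesterUuid = i.requested_by.user
          // … unchanged: requested_by.cna shortname lookup …

          // Membership comes from the current org roster, so a user who left the
          // requesting CNA counts as "not in org".
          const inRequestingCna = Boolean(orgMap[cnaid].users[requesterUuid])
          // Raw UUID comparison: must run before owning_cna is replaced by its shortname below.
          const stillOwnedByRequestingCna = cnaid === i.owning_cna

          if (isSecretariat) {
            // Secretariat always sees the username; fall back to the placeholder instead of
            // emitting undefined when the UUID is no longer in userMap.
            i.requested_by.user = userMap[requesterUuid] || 'REDACTED'
          } else if (inRequestingCna && stillOwnedByRequestingCna) {
            i.requested_by.user = orgMap[cnaid].users[requesterUuid]
          } else {
            // Requester left the CNA, or the CVE-ID moved to another org: hide the username.
            i.requested_by.user = 'REDACTED'
          }

          i.owning_cna = orgMap[i.owning_cna].shortname
```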
14 changes: 14 additions & 0 deletions test/integration-tests/constants.js
Expand Up @@ -11,6 +11,18 @@ const nonSecretariatUserHeaders = {
'CVE-API-USER': 'jasminesmith@win_5.com'
}

const nonSecretariatUserHeaders2 = {
'CVE-API-ORG': 'win_5',
'CVE-API-Key': 'TCF25YM-39C4H6D-KA32EGF-V5XSHN3',
'CVE-API-USER': 'win_5_admin@win_5.com'
}

const nonSecretariatUserHeaders3 = {
'CVE-API-ORG': 'evidence_15',
'CVE-API-Key': 'TCF25YM-39C4H6D-KA32EGF-V5XSHN3',
'CVE-API-USER': 'timothymyers@evidence_15.com'
}

const nonSecretariatUserHeadersWithAdp2 = {
'CVE-API-ORG': 'range_4',
'CVE-API-Key': 'TCF25YM-39C4H6D-KA32EGF-V5XSHN3',
Expand Down Expand Up @@ -272,6 +284,8 @@ const existingOrg = {
module.exports = {
headers,
nonSecretariatUserHeaders,
nonSecretariatUserHeaders2,
nonSecretariatUserHeaders3,
badNonSecretariatUserHeaders,
nonSecretariatUserHeadersWithAdp2,
testCve,
61 changes: 59 additions & 2 deletions test/integration-tests/cve-id/getCveIdTest.js
Expand Up @@ -110,27 +110,84 @@ describe('Testing Get CVE-ID endpoint', () => {
expect(res).to.have.status(200)
})
})
it('Should redact requested_by.user values not in requested_by.cna org', async () => {
it('For non Secretariat users, should redact requested_by.user values not in requested_by.cna org', async () => {
const cveId = await helpers.cveIdReserveHelper(1, '2023', constants.nonSecretariatUserHeaders['CVE-API-ORG'], 'non-sequential')

// change users org for testing
await helpers.userOrgUpdateAsSecHelper(constants.nonSecretariatUserHeaders['CVE-API-USER'], constants.nonSecretariatUserHeaders['CVE-API-ORG'], 'mitre')

await chai.request(app)
.get('/api/cve-id?state=RESERVED')
.set(constants.headers)
.set(constants.nonSecretariatUserHeaders2)
.then(async (res, err) => {
const cveIdObject = _.find(res.body.cve_ids, obj => {
return obj.cve_id === cveId
})
expect(err).to.be.undefined
expect(res).to.have.status(200)
expect(cveIdObject.requested_by.user).to.equal('REDACTED')

// Reset user to original org
await helpers.userOrgUpdateAsSecHelper(constants.nonSecretariatUserHeaders['CVE-API-USER'], 'mitre', 'win_5')
})
})
it('For non Secretariat users, should redact requested_by.user values when requested_by.cna is not owning_cna', async () => {
const cveId = await helpers.cveIdReserveHelper(1, '2023', constants.nonSecretariatUserHeaders['CVE-API-ORG'], 'non-sequential')

// change cve-id's owning_org for testing
await helpers.updateOwningOrgAsSecHelper(cveId, constants.nonSecretariatUserHeaders3['CVE-API-ORG'])

await chai.request(app)
.get('/api/cve-id?state=RESERVED')
.set(constants.nonSecretariatUserHeaders3)
.then(async (res, err) => {
const cveIdObject = _.find(res.body.cve_ids, obj => {
return obj.cve_id === cveId
})
expect(err).to.be.undefined
expect(res).to.have.status(200)
expect(cveIdObject.requested_by.user).to.equal('REDACTED')
})
})
it('For Secretariat users, should redact requested_by.user values not in requested_by.cna org', async () => {
const cveId = await helpers.cveIdReserveHelper(1, '2023', constants.nonSecretariatUserHeaders['CVE-API-ORG'], 'non-sequential')

// change users org for testing
await helpers.userOrgUpdateAsSecHelper(constants.nonSecretariatUserHeaders['CVE-API-USER'], constants.nonSecretariatUserHeaders['CVE-API-ORG'], 'mitre')

await chai.request(app)
.get('/api/cve-id?state=RESERVED')
.set(constants.headers)
.then(async (res, err) => {
const cveIdObject = _.find(res.body.cve_ids, obj => {
return obj.cve_id === cveId
})
expect(err).to.be.undefined
expect(res).to.have.status(200)
expect(cveIdObject.requested_by.user).to.equal(constants.nonSecretariatUserHeaders['CVE-API-USER'])

// Reset user to original org
await helpers.userOrgUpdateAsSecHelper(constants.nonSecretariatUserHeaders['CVE-API-USER'], 'mitre', 'win_5')
})
})
it('For Secretariat users, should redact requested_by.user values when requested_by.cna is not owning_cna', async () => {
const cveId = await helpers.cveIdReserveHelper(1, '2023', constants.nonSecretariatUserHeaders['CVE-API-ORG'], 'non-sequential')

// change cve-id's owning_org for testing
await helpers.updateOwningOrgAsSecHelper(cveId, constants.nonSecretariatUserHeaders3['CVE-API-ORG'])

await chai.request(app)
.get('/api/cve-id?state=RESERVED')
.set(constants.headers)
.then(async (res, err) => {
const cveIdObject = _.find(res.body.cve_ids, obj => {
return obj.cve_id === cveId
})
expect(err).to.be.undefined
expect(res).to.have.status(200)
expect(cveIdObject.requested_by.user).to.equal(constants.nonSecretariatUserHeaders['CVE-API-USER'])
})
})
})
context('negative tests', () => {
it('Feb 29 2100 should not be valid', async () => {
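Review bot: The two secretariat test names say "should redact" while their assertions expect the unredacted username, so a failure would read backwards; rename them `it('For Secretariat users, should not redact requested_by.user values not in requested_by.cna org', ...)` and `it('For Secretariat users, should not redact requested_by.user values when requested_by.cna is not owning_cna', ...)`. The first non-secretariat test chains `.set(constants.headers)` and then `.set(constants.nonSecretariatUserHeaders2)`; if both objects carry the same three CVE-API header names the second call overrides the first and the secretariat headers are dead, so the first `.set` should go. Both owning-org tests transfer the CVE-ID to evidence_15 and never move it back, unlike the org-change tests that restore the user to win_5; presumably harmless for a freshly reserved ID, but a reset (or a comment saying why none is needed) would keep the fixture state predictable for later tests. `expect(err).to.be.undefined` is vacuous in all four new tests because `err` is just the second parameter of the fulfilled handler and is never populated — the pattern predates this commit.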
13 changes: 12 additions & 1 deletion test/integration-tests/helpers.js
Expand Up @@ -106,6 +106,16 @@ async function userOrgUpdateAsSecHelper (userName, orgShortName, newOrgShortName
})
}

async function updateOwningOrgAsSecHelper (cveId, newOrgShortName) {
await chai.request(app)
.put(`/api/cve-id/${cveId}?org=${newOrgShortName}`)
.set(constants.headers)
.then((res, err) => {
// Safety Expect
expect(res).to.have.status(200)
})
}

module.exports = {
cveIdReserveHelper,
cveIdBulkReserveHelper,
Expand All @@ -115,5 +125,6 @@ module.exports = {
cveUpdatetAsCnaHelperWithCnaContainer,
cveUpdateAsSecHelper,
cveUpdateAsCnaHelperWithAdpContainer,
userOrgUpdateAsSecHelper
userOrgUpdateAsSecHelper,
updateOwningOrgAsSecHelper
}
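Review bot: `newOrgShortName` is interpolated straight into the query string of the PUT, so a short name containing `&`, `#` or whitespace would alter the request; wrap it as `encodeURIComponent(newOrgShortName)` inside the template literal on the `.put(...)` line. The `(res, err)` parameter list on the fulfilled handler mirrors the existing helpers, but `err` is never populated there — a rejection goes to the second argument of `.then` or to the caller's `await` — so `(res) =>` would state the intent more honestly. A one-line JSDoc such as `/** Transfer cveId to the org with shortname newOrgShortName, acting as the secretariat; throws if the API does not return 200. */` would make the helper's role clear to the next test author.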
