diff --git a/test/integration-tests/org/regularUsersTestRegistryFlag.js b/test/integration-tests/org/regularUsersTestRegistryFlag.js
new file mode 100644
index 000000000..7ea1ffb03
--- /dev/null
+++ b/test/integration-tests/org/regularUsersTestRegistryFlag.js
@@ -0,0 +1,444 @@
+const chai = require('chai')
+chai.use(require('chai-http'))
+const expect = chai.expect
+const { faker } = require('@faker-js/faker')
+
+const constants = require('../constants.js')
+const app = require('../../../src/index.js')
+const ORG_URL = '/api/org'
+const MAX_SHORTNAME_LENGTH = 32
+/**
+ * Unit Tests for testing regular user permissions for Org and User /api/org endpoints with the `registry=true` flag
+ */
+
+describe('Testing regular user permissions for /api/org/ endpoints with `registry=true`', () => {
+ // Testing USER PUT Endpoints for regular users with `registry=true` flag
+ describe('Testing USER PUT endpoint with `registry=true`', () => {
+ /* Positive Tests */
+ context('Positive Test', () => {
+ it('regular user can update their name', async () => {
+ const org = constants.nonSecretariatUserHeaders['CVE-API-ORG']
+ const user = constants.nonSecretariatUserHeaders['CVE-API-USER']
+ await chai.request(app)
+ .put(`${ORG_URL}/${org}/user/${user}?registry=true&name.first=aaa&name.last=bbb&name.middle=ccc&name.suffix=ddd`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(200)
+ expect(res.body.updated.name.first).contain('aaa')
+ expect(res.body.updated.name.last).contain('bbb')
+ expect(res.body.updated.name.middle).contain('ccc')
+ expect(res.body.updated.name.suffix).contain('ddd')
+ })
+ })
+ it('regular users can update their secret ', async () => {
+ const org = constants.nonSecretariatUserHeaders3['CVE-API-ORG']
+ const user = constants.nonSecretariatUserHeaders3['CVE-API-USER']
+ await chai.request(app)
+ .put(`${ORG_URL}/${org}/user/${user}/reset_secret?registry=true`)
+ .set(constants.nonSecretariatUserHeaders3)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(200)
+ expect(res.body).to.have.property('API-secret')
+ })
+ })
+ })
+ /* Negative Tests */
+ context('Negative Test', () => {
+ it('regular user cannot update their username', async () => {
+ const newUsername = faker.datatype.uuid()
+ const org = constants.nonSecretariatUserHeaders['CVE-API-ORG']
+ const user = constants.nonSecretariatUserHeaders['CVE-API-USER']
+ await chai.request(app)
+ .put(`${ORG_URL}/${org}/user/${user}?registry=true&new_username=${newUsername}`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(403)
+ expect(res.body.error).to.contain('NOT_ORG_ADMIN_OR_SECRETARIAT_UPDATE')
+ })
+ })
+ it('regular user cannot update information of another user of the same organization', async () => {
+ const newUsername = faker.datatype.uuid()
+ const org = constants.nonSecretariatUserHeaders['CVE-API-ORG']
+ const user2 = constants.nonSecretariatUserHeaders2['CVE-API-USER']
+ await chai.request(app)
+ .put(`${ORG_URL}/${org}/user/${user2}?registry=true&new_username=${newUsername}`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(403)
+ expect(res.body.error).to.contain('NOT_SAME_USER_OR_SECRETARIAT')
+ })
+ })
+ it("regular users cannot update a user's username if that user already exist", async () => {
+ const org = constants.nonSecretariatUserHeaders['CVE-API-ORG']
+ const user1 = constants.nonSecretariatUserHeaders['CVE-API-USER']
+ const user2 = constants.nonSecretariatUserHeaders2['CVE-API-USER']
+ await chai.request(app)
+ .put(`${ORG_URL}/${org}/user/${user1}?registry=true&new_username=${user2}`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(403)
+ expect(res.body.error).to.contain('NOT_ORG_ADMIN_OR_SECRETARIAT_UPDATE')
+ })
+ })
+ it('regular users cannot update organization', async () => {
+ const org1 = constants.nonSecretariatUserHeaders['CVE-API-ORG']
+ const user = constants.nonSecretariatUserHeaders['CVE-API-USER']
+ const org2 = faker.datatype.uuid().slice(0, MAX_SHORTNAME_LENGTH)
+ await chai.request(app)
+ .put(`${ORG_URL}/${org1}/user/${user}?registry=true&org_short_name=${org2}`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(403)
+ expect(res.body.error).to.contain('NOT_ALLOWED_TO_CHANGE_ORGANIZATION')
+ })
+ })
+ it('regular user cannot change its own active state', async () => {
+ const org = constants.nonSecretariatUserHeaders['CVE-API-ORG']
+ const user = constants.nonSecretariatUserHeaders['CVE-API-USER']
+ await chai.request(app)
+ .put(`${ORG_URL}/${org}/user/${user}?registry=true&active=false`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(403)
+ expect(res.body.error).to.contain('NOT_ORG_ADMIN_OR_SECRETARIAT_UPDATE')
+ })
+ })
+ it('regular users cannot add role', async () => {
+ const org = constants.nonSecretariatUserHeaders['CVE-API-ORG']
+ const user = constants.nonSecretariatUserHeaders['CVE-API-USER']
+ await chai.request(app)
+ .put(`${ORG_URL}/${org}/user/${user}?registry=true&active_roles.add=admin`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(403)
+ expect(res.body.error).to.contain('NOT_ORG_ADMIN_OR_SECRETARIAT_UPDATE')
+ })
+ })
+ it('regular users cannot remove role', async () => {
+ const org = constants.nonSecretariatUserHeaders['CVE-API-ORG']
+ const user = constants.nonSecretariatUserHeaders['CVE-API-USER']
+ await chai.request(app)
+ .put(`${ORG_URL}/${org}/user/${user}?registry=true&active_roles.remove=admin`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(403)
+ expect(res.body.error).to.contain('NOT_ORG_ADMIN_OR_SECRETARIAT_UPDATE')
+ })
+ })
+ it("regular user cannot update a user from an org that doesn't exist", async () => {
+ const org = faker.datatype.uuid().slice(0, MAX_SHORTNAME_LENGTH)
+ const user = constants.nonSecretariatUserHeaders['CVE-API-USER']
+ await chai.request(app)
+ .put(`${ORG_URL}/${org}/user/${user}?registry=true`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(404)
+ expect(res.body.error).to.contain('ORG_DNE_PARAM')
+ })
+ })
+ it("regular user cannot update a user that doesn't exist ", async () => {
+ const org = constants.nonSecretariatUserHeaders['CVE-API-ORG']
+ const user = faker.datatype.uuid()
+ await chai.request(app)
+ .put(`${ORG_URL}/${org}/user/${user}?registry=true`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(404)
+ expect(res.body.error).to.contain('USER_DNE')
+ })
+ })
+ it('regular user cannot update the secret of another user', async () => {
+ const org = constants.nonSecretariatUserHeaders['CVE-API-ORG']
+ const user = constants.nonSecretariatUserHeaders2['CVE-API-USER']
+ await chai.request(app)
+ .put(`${ORG_URL}/${org}/user/${user}/reset_secret?registry=true`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(403)
+ expect(res.body.error).to.contain('NOT_SAME_USER_OR_SECRETARIAT')
+ })
+ })
+ it("regular user cannot reset the secret of a user from an org that doesn't exist", async () => {
+ const org = faker.datatype.uuid().slice(0, MAX_SHORTNAME_LENGTH)
+ const user = constants.nonSecretariatUserHeaders['CVE-API-USER']
+ await chai.request(app)
+ .put(`${ORG_URL}/${org}/user/${user}/reset_secret?registry=true`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(404)
+ expect(res.body.error).to.contain('ORG_DNE_PARAM')
+ })
+ })
+ it("regular user cannot reset the secret of a user that doesn't exist", async () => {
+ const org = constants.nonSecretariatUserHeaders['CVE-API-ORG']
+ const user = faker.datatype.uuid()
+ await chai.request(app)
+ .put(`${ORG_URL}/${org}/user/${user}/reset_secret?registry=true`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(404)
+ expect(res.body.error).to.contain('USER_DNE')
+ })
+ })
+ it("regular user tries resetting admin user's secret, fails and admin user's role remains preserved", async () => {
+ const org = constants.nonSecretariatUserHeaders2['CVE-API-ORG']
+ const user = constants.nonSecretariatUserHeaders2['CVE-API-USER']
+ await chai.request(app)
+ .put(`${ORG_URL}/${org}/user/${user}/reset_secret?registry=true`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(403)
+ expect(res.body.error).to.contain('NOT_SAME_USER_OR_SECRETARIAT')
+ })
+ /* Commenting out since authority.active_roles are not returned in the GET request response for registry=true */
+ // await chai.request(app)
+ // .get(`${ORG_URL}/${org}/user/${user}?registry=true`)
+ // .set(constants.nonSecretariatUserHeaders2)
+ // .send({
+ // })
+ // .then((res) => {
+ // expect(res).to.have.status(200)
+ // console.log(res.body)
+ // })
+ })
+ })
+ })
+ // Testing USER POST Endpoints for regular users with `registry=true` flag
+ describe('Testing USER POST endpoint with `registry=true`', () => {
+ /* Negative Tests */
+ context('Negative Test', () => {
+ it('regular user cannot create another user', async () => {
+ const newUsername = faker.datatype.uuid()
+ const org = constants.nonSecretariatUserHeaders['CVE-API-ORG']
+ await chai.request(app)
+ .post(`${ORG_URL}/${org}/user?registry=true`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ username: newUsername
+ })
+ .then((res) => {
+ expect(res).to.have.status(403)
+ expect(res.body.error).to.contain('NOT_ORG_ADMIN_OR_SECRETARIAT')
+ })
+ })
+ })
+ })
+ // Testing USER GET Endpoints for regular users with `registry=true` flag
+ describe('Testing USER GET endpoint with `registry=true`', () => {
+ /* Positive Tests */
+ context('Positive Test', () => {
+ it('regular users can view users of the same organization', async () => {
+ const org = constants.nonSecretariatUserHeaders['CVE-API-ORG']
+ await chai.request(app)
+ .get(`${ORG_URL}/${org}/users?registry=true`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(200)
+ expect(res.body.users).to.have.lengthOf.above(0)
+ })
+ })
+ it('regular users can view users of the same organization ', async () => {
+ const org = constants.nonSecretariatUserHeaders2['CVE-API-ORG']
+ const user2 = constants.nonSecretariatUserHeaders2['CVE-API-USER']
+ await chai.request(app)
+ .get(`${ORG_URL}/${org}/user/${user2}?registry=true`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(200)
+ expect(res.body.user_id).to.have.lengthOf.above(0)
+ })
+ })
+ })
+ /* Negative Tests */
+ context('Negative Test', () => {
+ it("regular users cannot view users of an organization that doesn't exist", async () => {
+ const org = faker.datatype.uuid().slice(0, MAX_SHORTNAME_LENGTH)
+ await chai.request(app)
+ .get(`${ORG_URL}/${org}/users?registry=true`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(404)
+ expect(res.body.error).to.contain('ORG_DNE_PARAM')
+ })
+ })
+ it('regular users cannot view users of another organization', async () => {
+ const org = constants.nonSecretariatUserHeaders3['CVE-API-ORG']
+ await chai.request(app)
+ .get(`${ORG_URL}/${org}/users?registry=true`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(403)
+ expect(res.body.error).to.contain('NOT_SAME_ORG_OR_SECRETARIAT')
+ })
+ })
+ it('regular users cannot view users from another organization', async () => {
+ const org = constants.nonSecretariatUserHeaders3['CVE-API-ORG']
+ const user = constants.nonSecretariatUserHeaders3['CVE-API-USER']
+ await chai.request(app)
+ .get(`${ORG_URL}/${org}/user/${user}?registry=true`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(403)
+ expect(res.body.error).to.contain('NOT_SAME_ORG_OR_SECRETARIAT')
+ })
+ })
+ it("regular user cannot view user that doesn't exist", async () => {
+ const org = constants.nonSecretariatUserHeaders['CVE-API-ORG']
+ const user = faker.datatype.uuid()
+ await chai.request(app)
+ .get(`${ORG_URL}/${org}/user/${user}?registry=true`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(404)
+ expect(res.body.error).to.contain('USER_DNE')
+ })
+ })
+ })
+ })
+ // Testing ORG PUT Endpoints for regular users with `registry=true` flag
+ describe('Testing ORG PUT endpoint with `registry=true`', () => {
+ /* Negative Tests */
+ context('Negative Test', () => {
+ it('regular user cannot update an organization', async () => {
+ const org = faker.datatype.uuid().slice(0, MAX_SHORTNAME_LENGTH)
+ await chai.request(app)
+ .put(`${ORG_URL}/${org}?registry=true`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(403)
+ expect(res.body.error).to.contain('SECRETARIAT_ONLY')
+ })
+ })
+ })
+ })
+ // Testing ORG POST Endpoints for regular users with `registry=true` flag
+ describe('Testing ORG POST endpoint with `registry=true`', () => {
+ context('Negative Test', () => {
+ it('regular users cannot create new org', async () => {
+ await chai.request(app)
+ .post(`${ORG_URL}?registry=true`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(403)
+ expect(res.body.error).to.contain('SECRETARIAT_ONLY')
+ })
+ })
+ })
+ })
+ // Testing ORG GET Endpoints for regular users with `registry=true` flag
+ describe('Testing ORG GET endpoint with `registry=true`', () => {
+ /* Positive Tests */
+ context('Positive Test', () => {
+ it('regular users can view the organization they belong to', async () => {
+ const org = constants.nonSecretariatUserHeaders['CVE-API-ORG']
+ await chai.request(app)
+ .get(`${ORG_URL}/${org}?registry=true`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(200)
+ expect(res.body.short_name).to.equal(org)
+ })
+ })
+ it("regular users can see their organization's cve id quota", async () => {
+ const org = constants.nonSecretariatUserHeaders['CVE-API-ORG']
+ await chai.request(app)
+ .get(`${ORG_URL}/${org}/id_quota?registry=true`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(200)
+ expect(res.body.hard_quota).to.be.greaterThan(0)
+ expect(res.body.total_reserved).to.be.greaterThan(0)
+ expect(res.body.available).to.be.greaterThan(0)
+ })
+ })
+ })
+ /* Negative Tests */
+ context('Negative Test', () => {
+ it("regular users cannot view an organization they don't belong to", async () => {
+ const org = faker.datatype.uuid().slice(0, MAX_SHORTNAME_LENGTH)
+ await chai.request(app)
+ .get(`${ORG_URL}/${org}?registry=true`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(403)
+ expect(res.body.error).to.contain('NOT_SAME_ORG_OR_SECRETARIAT')
+ })
+ })
+ it('regular users cannot view all organizations', async () => {
+ await chai.request(app)
+ .get(`${ORG_URL}?registry=true`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(403)
+ expect(res.body.error).to.contain('SECRETARIAT_ONLY')
+ })
+ })
+ it("regular users cannot see an organization's cve id quota they don't belong to", async () => {
+ const org = constants.nonSecretariatUserHeaders3['CVE-API-ORG']
+ await chai.request(app)
+ .get(`${ORG_URL}/${org}/id_quota?registry=true`)
+ .set(constants.nonSecretariatUserHeaders)
+ .send({
+ })
+ .then((res) => {
+ expect(res).to.have.status(403)
+ expect(res.body.error).to.contain('NOT_SAME_ORG_OR_SECRETARIAT')
+ })
+ })
+ })
+ })
+})
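Review bot: The test titled `regular user tries resetting admin user's secret, fails and admin user's role remains preserved` asserts only the 403 response; the follow-up GET that would show the role is unchanged is commented out, so the title promises a state check the body never makes. The same gap applies to the other negative USER PUT cases (`new_username`, `active=false`, `active_roles.add=admin`, `active_roles.remove=admin`): each checks status and error code but not that the denied update left the record untouched, so a handler that writes before it authorizes would still pass. If no read path under `registry=true` exposes `active_roles`, either rename the test to what it actually verifies, e.g. `it("regular user cannot reset the secret of an admin user", async () => {`, or add the post-condition through whichever response does return the field (the commented note implies the non-registry GET may). Separately, the two positive USER GET tests share the title `regular users can view users of the same organization`; the second exercises `GET /user/:user`, so `it('regular users can view a single user of the same organization', async () => {` would distinguish them in the report.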