feat(validation): add CRUD endpoints for validation bypass rules

app/api/definitions/components/system-configuration.yml

@@ -73,3 +73,59 @@ components:
         prefix:
           type: string
           example: 'MYORG'
+
+    mitre-identity-writes:
+      type: object
+      required:
+        - enabled
+      properties:
+        enabled:
+          type: boolean
+          description: Whether create and update requests for the protected MITRE identity are enabled.
+          example: false
+
+    validation-bypass-rule:
+      type: object
+      required:
+        - fieldPath
+        - errorCode
+        - stixType
+      properties:
+        _id:
+          type: string
+          description: Database id of the validation bypass rule
+        fieldPath:
+          type: array
+          description: Zod issue path to match. Path segments are compared as strings.
+          items:
+            type: string
+          example: ['x_mitre_modified_by_ref']
+        errorCode:
+          type: string
+          description: Zod issue code to match.
+          example: 'invalid_value'
+        stixType:
+          type: string
+          description: STIX type to match, or `all` to match any STIX type.
+          example: 'attack-pattern'
+        suppressError:
+          type: boolean
+          description: Whether matching validation errors should be suppressed.
+          default: true
+        autoCreated:
+          type: boolean
+          description: Whether this rule was created automatically by system configuration.
+          default: false
+        autoCreatedReason:
+          type: string
+          nullable: true
+          description: System reason for an automatically-created rule.
+          example: 'static'
+        triggerEvent:
+          type: string
+          nullable: true
+          description: Event that created this rule, when applicable.
+        warningMessage:
+          type: string
+          nullable: true
+          description: Warning emitted when a matching validation error is bypassed.

app/api/definitions/openapi.yml

@@ -58,6 +58,8 @@ tags:
     description: 'Operations on STIX bundles'
   - name: 'System Configuration'
     description: 'Operations on the system configuration'
+  - name: 'Validation Bypasses'
+    description: 'Operations on validation bypass rules'
   - name: 'Session Management'
     description: 'Operations on the current session'
   - name: 'Authentication'
@@ -429,6 +431,15 @@ paths:
   /api/config/organization-namespace:
     $ref: 'paths/system-configuration-paths.yml#/paths/~1api~1config~1organization-namespace'
 
+  /api/config/mitre-identity-writes:
+    $ref: 'paths/system-configuration-paths.yml#/paths/~1api~1config~1mitre-identity-writes'
+
+  /api/config/validation-bypasses:
+    $ref: 'paths/system-configuration-paths.yml#/paths/~1api~1config~1validation-bypasses'
+
+  /api/config/validation-bypasses/{id}:
+    $ref: 'paths/system-configuration-paths.yml#/paths/~1api~1config~1validation-bypasses~1{id}'
+
   # Session Management
   /api/session:
     $ref: 'paths/session-paths.yml#/paths/~1api~1session'

app/api/definitions/paths/system-configuration-paths.yml

@@ -171,3 +171,181 @@ paths:
           description: 'The organization namespace has been successfully set.'
         '400':
           description: 'Missing or invalid parameters were provided. The organization namespace was not set.'
+
+  /api/config/mitre-identity-writes:
+    get:
+      summary: 'Get the MITRE identity write protection setting'
+      operationId: 'config-get-mitre-identity-writes'
+      description: |
+        This endpoint gets whether create and update requests for the protected MITRE identity are enabled.
+      tags:
+        - 'System Configuration'
+      responses:
+        '200':
+          description: 'The MITRE identity write protection setting.'
+          content:
+            application/json:
+              schema:
+                $ref: '../components/system-configuration.yml#/components/schemas/mitre-identity-writes'
+    post:
+      summary: 'Set the MITRE identity write protection setting'
+      operationId: 'config-set-mitre-identity-writes'
+      description: |
+        This endpoint sets whether create and update requests for the protected MITRE identity are enabled.
+      tags:
+        - 'System Configuration'
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '../components/system-configuration.yml#/components/schemas/mitre-identity-writes'
+      responses:
+        '204':
+          description: 'The MITRE identity write protection setting has been successfully set.'
+        '400':
+          description: 'Missing or invalid parameters were provided. The MITRE identity write protection setting was not set.'
+
+  /api/config/validation-bypasses:
+    get:
+      summary: 'Get validation bypass rules'
+      operationId: 'config-get-validation-bypasses'
+      description: |
+        This endpoint gets the validation bypass rules used to suppress or warn on ADM validation errors.
+      tags:
+        - 'Validation Bypasses'
+      parameters:
+        - name: limit
+          in: query
+          description: |
+            The number of validation bypass rules to retrieve.
+            The default (0) will retrieve all rules.
+          schema:
+            type: number
+            default: 0
+        - name: offset
+          in: query
+          description: |
+            The number of validation bypass rules to skip.
+            The default (0) will start with the first rule.
+          schema:
+            type: number
+            default: 0
+        - name: includePagination
+          in: query
+          description: |
+            Whether to include pagination data in the returned value.
+            Wraps returned objects in a larger object.
+          schema:
+            type: boolean
+            default: false
+      responses:
+        '200':
+          description: 'A list of validation bypass rules.'
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  $ref: '../components/system-configuration.yml#/components/schemas/validation-bypass-rule'
+    post:
+      summary: 'Create a validation bypass rule'
+      operationId: 'config-create-validation-bypass'
+      description: |
+        This endpoint creates a validation bypass rule used to suppress or warn on an ADM validation error.
+      tags:
+        - 'Validation Bypasses'
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '../components/system-configuration.yml#/components/schemas/validation-bypass-rule'
+      responses:
+        '201':
+          description: 'The validation bypass rule was created.'
+          content:
+            application/json:
+              schema:
+                $ref: '../components/system-configuration.yml#/components/schemas/validation-bypass-rule'
+        '400':
+          description: 'Missing or invalid parameters were provided. The validation bypass rule was not created.'
+        '409':
+          description: 'A matching validation bypass rule already exists.'
+
+  /api/config/validation-bypasses/{id}:
+    get:
+      summary: 'Get a validation bypass rule'
+      operationId: 'config-get-validation-bypass'
+      description: |
+        This endpoint gets a validation bypass rule by its database id.
+      tags:
+        - 'Validation Bypasses'
+      parameters:
+        - name: id
+          in: path
+          description: 'Database id of the validation bypass rule.'
+          required: true
+          schema:
+            type: string
+      responses:
+        '200':
+          description: 'A validation bypass rule.'
+          content:
+            application/json:
+              schema:
+                $ref: '../components/system-configuration.yml#/components/schemas/validation-bypass-rule'
+        '404':
+          description: 'A validation bypass rule with the requested id was not found.'
+    put:
+      summary: 'Update a validation bypass rule'
+      operationId: 'config-update-validation-bypass'
+      description: |
+        This endpoint updates a validation bypass rule by its database id.
+      tags:
+        - 'Validation Bypasses'
+      parameters:
+        - name: id
+          in: path
+          description: 'Database id of the validation bypass rule.'
+          required: true
+          schema:
+            type: string
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '../components/system-configuration.yml#/components/schemas/validation-bypass-rule'
+      responses:
+        '200':
+          description: 'The validation bypass rule was updated.'
+          content:
+            application/json:
+              schema:
+                $ref: '../components/system-configuration.yml#/components/schemas/validation-bypass-rule'
+        '400':
+          description: 'Missing or invalid parameters were provided. The validation bypass rule was not updated.'
+        '404':
+          description: 'A validation bypass rule with the requested id was not found.'
+        '409':
+          description: 'A matching validation bypass rule already exists.'
+    delete:
+      summary: 'Delete a validation bypass rule'
+      operationId: 'config-delete-validation-bypass'
+      description: |
+        This endpoint deletes a validation bypass rule by its database id.
+      tags:
+        - 'Validation Bypasses'
+      parameters:
+        - name: id
+          in: path
+          description: 'Database id of the validation bypass rule.'
+          required: true
+          schema:
+            type: string
+      responses:
+        '204':
+          description: 'The validation bypass rule was deleted.'
+        '404':
+          description: 'A validation bypass rule with the requested id was not found.'

app/config/allowed-values.json

@@ -308,5 +308,70 @@
         ]
       }
     ]
+  },
+  {
+    "objectType": "identity",
+    "properties": [
+      {
+        "propertyName": "identity_class",
+        "domains": [
+          {
+            "domainName": "stix",
+            "allowedValues": [
+              "individual",
+              "group",
+              "system",
+              "organization",
+              "class",
+              "unspecified"
+            ]
+          }
+        ]
+      },
+      {
+        "propertyName": "sectors",
+        "domains": [
+          {
+            "domainName": "stix",
+            "allowedValues": [
+              "agriculture",
+              "aerospace",
+              "automotive",
+              "chemical",
+              "commercial",
+              "communications",
+              "construction",
+              "defense",
+              "education",
+              "energy",
+              "entertainment",
+              "financial-services",
+              "government",
+              "government-emergency-services",
+              "government-local",
+              "government-national",
+              "government-public-services",
+              "government-regional",
+              "healthcare",
+              "hospitality-leisure",
+              "infrastructure",
+              "infrastructure-dams",
+              "infrastructure-nuclear",
+              "infrastructure-water",
+              "insurance",
+              "manufacturing",
+              "mining",
+              "non-profit",
+              "pharmaceuticals",
+              "retail",
+              "technology",
+              "telecommunications",
+              "transportation",
+              "utilities"
+            ]
+          }
+        ]
+      }
+    ]
   }
 ]

app/config/config.js

@@ -173,6 +173,12 @@ function loadConfig() {
       attackSpecVersion: {
         default: packageJson.attackSpecVersion,
       },
+      allowMitreIdentityWrites: {
+        doc: 'Allow create and update requests for the protected MITRE Corporation identity object',
+        format: Boolean,
+        default: false,
+        env: 'WB_REST_ALLOW_MITRE_IDENTITY_WRITES',
+      },
     },
     database: {
       url: {

app/controllers/identities-controller.js

@@ -137,7 +137,7 @@ exports.updateFull = async function (req, res, next) {
   }
 };
 
-exports.deleteVersionById = async function (req, res) {
+exports.deleteVersionById = async function (req, res, next) {
   try {
     const identity = await identitiesService.deleteVersionById(
       req.params.stixId,
@@ -150,12 +150,11 @@ exports.deleteVersionById = async function (req, res) {
       return res.status(204).end();
     }
   } catch (err) {
-    logger.error('Delete identity failed. ' + err);
-    return res.status(500).send('Unable to delete identity. Server error.');
+    return next(err);
   }
 };
 
-exports.deleteById = async function (req, res) {
+exports.deleteById = async function (req, res, next) {
   try {
     const identities = await identitiesService.deleteById(req.params.stixId);
     if (identities.deletedCount === 0) {
@@ -165,7 +164,6 @@ exports.deleteById = async function (req, res) {
       return res.status(204).end();
     }
   } catch (err) {
-    logger.error('Delete identity failed. ' + err);
-    return res.status(500).send('Unable to identity identity. Server error.');
+    return next(err);
   }
 };