Description
User Story
Acceptance Criteria
User makes a request to update CNA container of the record
Scenario 1 Happy Path
Given: A user PUTs a valid request to the CVE Record endpoint
And: the user is a member of the ID owning CNA
And: the changes being made are only to the CNA container of the record
When: RSUS authenticates the User
And: RSUS validates the request
And: RSUS validates the changes as permitted
Then: RSUS applies the changes to the Record (replaces the record CNA container with the provided CNA container)
And: RSUS logs the request
And: RSUS returns a 200: Ok response
Scenario 2 User not a member of owning CNA
Given: A user PUTs a valid request to the CVE Record endpoint
And: the user is not a member of the ID owning CNA
Then: RSUS returns a 403: Forbidden with an Error object with the message "Only owning CNA is permited to update CNA container"
And: RSUS logs the request
Definition of Done
There is at least one unit test per scenario, proving the expectations of the scenario have been met.
There is at least one endpoint (black box) test per scenario, proving the code fulfills the scenario with the application set up similar to its production state.
The openapi.yml file has been updated to document proper use of the new endpoint.
This includes:
- Describing how different roles can interact with the system when applicable
- Successful response
- Possible error responses
- Additional comments made to properly convey the behavior changed or added if the Open API spec does not provide an appropriate medium to document it
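One way to express the two scenarios above as a single authorization decision, as an added example that is not code from the project. The record layout (`cveMetadata.assignerShortName`, `containers.cna`), the `user.orgShortName` field, the function names and the 400 status for out-of-scope changes are assumptions; request logging and schema validation are left to the caller.

```javascript
// Error text exactly as written in Scenario 2 of the issue.
const FORBIDDEN_MSG = 'Only owning CNA is permited to update CNA container';

// Structural equality for JSON values, independent of object key order.
function jsonEqual(a, b) {
  if (a === b) return true;
  if (typeof a !== 'object' || typeof b !== 'object' || a === null || b === null) return false;
  if (Array.isArray(a) !== Array.isArray(b)) return false;
  const ka = Object.keys(a), kb = Object.keys(b);
  if (ka.length !== kb.length) return false;
  return ka.every((k) => Object.prototype.hasOwnProperty.call(b, k) && jsonEqual(a[k], b[k]));
}

// Copy of a record with the CNA container removed, so everything else can be compared.
function withoutCna(record) {
  const { cna, ...otherContainers } = record.containers || {};
  return { ...record, containers: otherContainers };
}

// user: authenticated caller (assumed shape). stored: current record. submitted: PUT body.
function decideCnaUpdate(user, stored, submitted) {
  // Ownership first: a non-owner gets 403 before any diff of the record is computed.
  if (!user || user.orgShortName !== stored.cveMetadata.assignerShortName) {
    return { status: 403, error: { message: FORBIDDEN_MSG }, record: stored };
  }
  // Scope: everything except containers.cna must match the stored record.
  if (!submitted.containers?.cna || !jsonEqual(withoutCna(stored), withoutCna(submitted))) {
    // Status 400 is an assumption; the issue defines no scenario for this case.
    return { status: 400, error: { message: 'Only the CNA container may be changed' }, record: stored };
  }
  // Happy path: replace the CNA container wholesale and keep the rest from the stored record.
  const record = { ...stored, containers: { ...stored.containers, cna: submitted.containers.cna } };
  return { status: 200, record };
}

// Constructed sample data (placeholder CVE ID and organization names).
const storedRecord = {
  cveMetadata: { cveId: 'CVE-0000-0000', assignerShortName: 'example_cna' },
  containers: { cna: { title: 'old' }, adp: [{ title: 'adp note' }] },
};
const owner = { orgShortName: 'example_cna' };
const outsider = { orgShortName: 'other_cna' };
```

Building the stored result from `stored` plus only the submitted `cna` means a payload that slips past the comparison still cannot overwrite metadata or other containers.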