Tests 5 5 (#20)
* feat: Collection export management (NUWCDIVNPT#169)

* fix: case-insensitive filename matching (NUWCDIVNPT#192)

* fix: Improved output when importing STIG XML (NUWCDIVNPT#192)

* doc: Show Export CKLs in screenshots

* chore: Bump release to 1.0.0-beta.22

* adjust path to docker readme (NUWCDIVNPT#196)

* doc: Added some documentation about new .ckl archive export feature. (NUWCDIVNPT#203)

* removed some todos

* stig archive export feature

* feat: name-match params and duplicate handling (NUWCDIVNPT#204)

* feat: case-sensitive collation for benchmarkId in MySQL (NUWCDIVNPT#206)

* Common tasks elaboration, other edits (NUWCDIVNPT#208)

* feat: progress bar styling (NUWCDIVNPT#209)

* feat: UI shows collectionId (NUWCDIVNPT#210)

* fix: remove hard-coded reference to schema (NUWCDIVNPT#211)

* chore: Bump release to 1.0.0-beta.23

* fix: reduce deadlock potential (NUWCDIVNPT#216)

* api links (NUWCDIVNPT#219)

* build(deps): bump y18n from 3.2.1 to 3.2.2 in /api/source

Bumps [y18n](https://github.com/yargs/y18n) from 3.2.1 to 3.2.2.
- [Release notes](https://github.com/yargs/y18n/releases)
- [Changelog](https://github.com/yargs/y18n/blob/master/CHANGELOG.md)
- [Commits](https://github.com/yargs/y18n/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* doc: Added a little more about .ckl and data handling (NUWCDIVNPT#223)

* just rst changes

* sphinx generation

* fix: Exports on multiple reports (NUWCDIVNPT#224)

* Multiple fixes and features (NUWCDIVNPT#225)

* feat: return 401 when no token provided

* feat: home-widget-bwrap

* fix: collectionReview buttons

* fix: deadlock prevention status updates

* chore: Bump release to 1.0.0-beta.24

* fix: fetch STIG/SCAP if configured at bootstrap (NUWCDIVNPT#227)

Fixes NUWCDIVNPT#213

* Multiple fixes and features (NUWCDIVNPT#228)

* feat: CKL parser retains empty comments
* feat: enable accept when selections include accept
* fix: review form button behaviors, etc. (NUWCDIVNPT#215)

* chore: remove unused oracledb dependency (NUWCDIVNPT#229)

* chore: remove unused oracledb dependency

* Remove unused require

* chore: Bump release to 1.0.0-beta.25

* feat: Manage Assets -> multi-delete (NUWCDIVNPT#232), columns (NUWCDIVNPT#236)

* fix: include promisified confirm (NUWCDIVNPT#237)

* build(deps): bump urllib3 from 1.26.3 to 1.26.4 in /docs (NUWCDIVNPT#238)

Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.3 to 1.26.4.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@1.26.3...1.26.4)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* doc: updates regarding ckl -> stigman field mappings, clients folder when running from source (NUWCDIVNPT#241)

doc: updates regarding ckl -> stigman field mappings, clients folder when running from source

* feat: Tooltips for Review labels and headers (NUWCDIVNPT#240) (NUWCDIVNPT#242)

* feat: mercury-medium color is more blue (NUWCDIVNPT#243)

* fix: sticky bit for world-writable dirs created by npm (NUWCDIVNPT#245)

* chore: Bump release to 1.0.0-beta.26

* fix: increased length of asset name, ip, mac, fqdn and allow more nulls (NUWCDIVNPT#251)

* added maxLength properties of 255 for ip, mac, asset name, and fqdn; added nullable:true for collection description properties

* removed vtype specification for ip address, as we will no longer be validating ip address field.

* Added migration file to alter varchar sizes for asset ip, mac, and name

* fix: batch import continues on error, refreshes grids (NUWCDIVNPT#252)

* feat: Ext.LoadMask looks for store.smMaskDelay (NUWCDIVNPT#254)

* chore: Bump release to 1.0.0-beta.27

* fix: log servicename if present (NUWCDIVNPT#198)

* fix: Attach => Assign STIG (NUWCDIVNPT#118)

* fix: response schema for /opt/configuration (NUWCDIVNPT#147)

* fix: create date is not ISO8601 UTC (NUWCDIVNPT#189)

* fix: handle property chains with hyphens (NUWCDIVNPT#257)

* fix: cast userId as char (NUWCDIVNPT#249)

* feat: format roles claim with bracket notation and optional chaining (NUWCDIVNPT#190)

* fix: SET NAME to utf8mb4 encoding (NUWCDIVNPT#262)

* fix: New/Delete => Assign/Unassign (NUWCDIVNPT#261)

* fix: New/Delete => Assign/Unassign (NUWCDIVNPT#118)

* dump docker logs on failure or cancellation

* fix: Filter members only on .xml extension (NUWCDIVNPT#260)

* Removed attempts to filter STIG processing based on filename, since they do not seem to follow any reliable convention. Restricted error responses to just parser error message (removed stack trace portion so it does not show up in user's import log).

* added specific try/catch blocks around xml parsing

* fix NUWCDIVNPT#264: Display feedback for rejected reviews (NUWCDIVNPT#265)

* chore: Bump release to 1.0.0-beta.28

* fix NUWCDIVNPT#256: CKL site/instance handling; UI refactor (NUWCDIVNPT#268)

* chore: Bump release to 1.0.0-beta.29

* ironbank => development sign+image

* fix NUWCDIVNPT#266: sanitize exported filenames (NUWCDIVNPT#273)

* fix NUWCDIVNPT#270: ROLE element default value 'None' (NUWCDIVNPT#272)

* chore: Bump release to 1.0.0-beta.30

* fix NUWCDIVNPT#276: remove reference to database 'stigman'

* chore: remove obsolete docker dir (NUWCDIVNPT#278)

* Docs: Added default_group to prevent guid generation, removed doctrees, added a bit of info to Contributing doc. (NUWCDIVNPT#281)

* added default_group for images to stop guid generation
* removed doctrees
* added doctrees to .gitignore
* added a couple paragraphs to contributing doc

* Endpoint updates (NUWCDIVNPT#284)

* feat: GET /assets metadata parameter

* feat: PUT /assets/{assetId}/stigs/{benchmarkId}

* tests match OpenAPI spec

* fix NUWCDIVNPT#145: Review vetting for all users (NUWCDIVNPT#285)

* fix NUWCDIVNPT#145: Review vetting for lvl1 users

* lvl1 cross-boundary tests, xccdf test file added, workflow updated to run new folder. Removed extra folders from Collection

* refactor adminStats, scc parser, tests, workflow

Co-authored-by: cd-rite <github-rite@notdoneyet.net>

* feat: Drag from Review History (NUWCDIVNPT#288)

* fix NUWCDIVNPT#275: handle rule-result without check (NUWCDIVNPT#290)

* fix NUWCDIVNPT#275: handle rule-result without check

* asset properties and benchmarkId check

* chore: Bump release to 1.0.0-beta.31

* checks for asset with no assigned STIGs, changed lvl1 checks to look for existing rule to which it does not have access (as opposed to non-existent rule)

* marked tests as continue-on-error so remaining tests would still run.

Co-authored-by: csmig <carlsmigielski@gmail.com>
Co-authored-by: csmig <33138761+csmig@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
4 people authored May 6, 2021
1 parent ec9d34d commit 0c04320
Showing 223 changed files with 15,253 additions and 54,607 deletions.
30 changes: 30 additions & 0 deletions .github/workflows/api-tests.yml
@@ -71,24 +71,39 @@ jobs:
-
name: Run Newman Collection GETS
id: newman-run-gets
continue-on-error: true
if: steps.newman-run-loadTestData.conclusion == 'success'
working-directory: ./test/api
run: |
set -o pipefail
newman run postman_collection.json -e postman_environment.json -d collectionRunnerData.json -n 7 --folder GETs -r cli,htmlextra --reporter-cli-no-assertions --reporter-cli-no-console --reporter-htmlextra-showOnlyFails --reporter-htmlextra-export ./newman/GetsReport.html | grep -A18 '┌─────'
-
name: Run Newman Collection Posts, Puts, Patches, Deletes
id: newman-run-pppd
continue-on-error: true
if: steps.newman-run-loadTestData.conclusion == 'success'
working-directory: ./test/api
run: |
set -o pipefail
newman run postman_collection.json -e postman_environment.json -d collectionRunnerData.json -n 7 --folder "POSTS, Puts, Patches, and Deletes" -r cli,htmlextra --reporter-cli-no-assertions --reporter-cli-no-console --reporter-htmlextra-showOnlyFails --reporter-htmlextra-export ./newman/PPPDReport.html | grep -A18 '┌─────'
-
name: Run Newman Collection STIGS
id: newman-run-stigs
continue-on-error: true
if: steps.newman-run-loadTestData.conclusion == 'success'
working-directory: ./test/api
run: |
set -o pipefail
newman run postman_collection.json -e postman_environment.json -d collectionRunnerData.json -n 2 --folder "STIGS" -r cli,htmlextra --reporter-cli-no-assertions --reporter-cli-no-console --reporter-htmlextra-showOnlyFails --reporter-htmlextra-export ./newman/stigsReport.html | grep -A18 '┌─────'
-
name: Run Newman Collection LVL1 Cross-Boundary Tests
id: newman-run-lvl1-cross-boundary
continue-on-error: true
if: steps.newman-run-loadTestData.conclusion == 'success'
working-directory: ./test/api
run: |
set -o pipefail
newman run postman_collection.json -e postman_environment.json -d collectionRunnerData.json -n 1 --folder "LVL1 cross-boundary tests" -r cli,htmlextra --reporter-cli-no-assertions --reporter-cli-no-console --reporter-htmlextra-showEnvironmentData --reporter-htmlextra-export ./newman/lvl1Report.html | grep -A18 '┌─────'
-
name: Upload artifact
id: artifact-upload
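Review bot: the new `--reporter-htmlextra-showEnvironmentData` flag on the LVL1 cross-boundary step (the other three Newman steps use `--reporter-htmlextra-showOnlyFails`) writes the contents of postman_environment.json into ./newman/lvl1Report.html, which the following 'Upload artifact' step publishes under `newman-htmlextra`; if that environment holds credentials or tokens for the test users, they land in a downloadable artifact. Drop the flag or exclude lvl1Report.html from the upload. Separately, `continue-on-error: true` on all four Newman steps means failed assertions no longer fail the workflow; a final step that inspects `steps.newman-run-*.outcome` would keep the red/green signal the commit message ("marked tests as continue-on-error so remaining tests would still run") otherwise loses.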
@@ -97,6 +112,21 @@ jobs:
with:
name: newman-htmlextra
path: ./test/api/newman
- name: Collect docker logs on failure
if: ${{ cancelled() || failure() }}
uses: jwalton/gh-docker-logs@v1
with:
dest: './logs'
- name: Tar logs
if: ${{ cancelled() || failure() }}
run: tar cvzf ./logs.tgz ./logs
- name: Upload logs to GitHub
if: ${{ cancelled() || failure() }}
uses: actions/upload-artifact@master
with:
name: logs.tgz
path: ./logs.tgz




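Review bot: `uses: actions/upload-artifact@master` pins a mutable branch rather than a tag or commit SHA (the docker-logs action above it is at least tagged `@v1`); pin both to a full commit SHA so the workflow cannot silently pick up changed action code. Also, because the test steps are `continue-on-error: true`, `failure()` in these `if:` conditions is only true when some other step fails, so a failing Newman run will not trigger the log collection that the commit message ("dump docker logs on failure or cancellation") describes; `if: ${{ always() }}` or a check on the Newman steps' `outcome` would. Review one run's logs.tgz before relying on it, since container startup logs are a common place for bootstrap credentials to surface.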
6 changes: 4 additions & 2 deletions .github/workflows/pub-docker.yml
@@ -52,6 +52,7 @@ jobs:
COMMIT_DESCRIBE=${{ steps.prep.outputs.describe }}
tags: ${{ steps.prep.outputs.tags }}
labels: |
stig-manager.last-migration.mysql=1.0.0-beta.27
org.opencontainers.image.title=${{ fromJson(steps.repo.outputs.result).name }}
org.opencontainers.image.description=${{ fromJson(steps.repo.outputs.result).description }}
org.opencontainers.image.url=${{ fromJson(steps.repo.outputs.result).html_url }}
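Review bot: the label value `stig-manager.last-migration.mysql=1.0.0-beta.27` is a hard-coded literal, and the identical literal is repeated in the Iron Bank job further down under the second `labels: |`; since this same commit bumps the release to 1.0.0-beta.31, the two copies will drift unless they come from one source (a `steps.prep.outputs.*` value like the `tags` and `describe` already used here, or a file in the repo). Also document what consumers of this label are expected to do with it.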
@@ -69,7 +70,7 @@ jobs:
password: ${{ secrets.DOCKERHUB_ORG_OWNER_PW }}
repository: nuwcdivnpt/stig-manager
short-description: An API and Web client for managing STIG assessments.
readme-filepath: ./docs/DockerHub_Readme.md
readme-filepath: ./docs/the-project/DockerHub_Readme.md
build-push-ironbank:
name: Build and push from Iron Bank base
runs-on: ubuntu-latest
@@ -83,7 +84,7 @@ jobs:
run: |
ZIPFILE="nodejs-ib.zip"
IB_TAG="localhost:5000/stig-manager/nodejs-ib:latest"
URL="https://repo1.dso.mil/dsop/opensource/nodejs/nodejs14/-/jobs/artifacts/master/download?job=build"
URL="https://repo1.dso.mil/dsop/opensource/nodejs/nodejs14/-/jobs/artifacts/development/download?job=sign+image"
echo "Fetching $URL"
wget --quiet -O $ZIPFILE $URL
echo "Unzipping the tarball"
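Review bot: the base-image source moves from the `master` branch `build` job to the `development` branch `sign+image` job, and `wget --quiet -O $ZIPFILE $URL` still loads whatever that moving ref currently serves, with no checksum or signature check before it is unzipped and tagged as `localhost:5000/stig-manager/nodejs-ib:latest`. Since this artifact becomes the base of the published image, verify the download (a pinned digest, or the signature the `sign+image` job name suggests is produced) before use, and prefer a pinned job or pipeline ID over a branch name so rebuilds are reproducible.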
@@ -143,6 +144,7 @@ jobs:
COMMIT_DESCRIBE=${{ steps.prep.outputs.describe }}
tags: ${{ steps.prep.outputs.tags }}
labels: |
stig-manager.last-migration.mysql=1.0.0-beta.27
org.opencontainers.image.title=${{ fromJson(steps.repo.outputs.result).name }}
org.opencontainers.image.description=${{ fromJson(steps.repo.outputs.result).description }}
org.opencontainers.image.url=${{ fromJson(steps.repo.outputs.result).html_url }}
3 changes: 2 additions & 1 deletion .gitignore
@@ -30,4 +30,5 @@ api/source/tls/mysql2/init-tls-user.sql
api/source/tls/mysql2/tls.cnf
clients/extjs/js/keycloak.json
.gitignore
newman/
newman/
/docs/_build/doctrees/
6 changes: 5 additions & 1 deletion Dockerfile
@@ -29,11 +29,15 @@ USER node
# Install app dependencies
COPY --chown=node:node ./api/source .
RUN npm ci
# RUN npm audit fix

RUN mkdir client
COPY --chown=node:node ./clients/extjs ./client

# Ensure sticky bit is set on all world-writable directories (fixes tenable 1000749)
USER root
RUN df -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t 2>/dev/null | echo 'tenable 1000749'
USER node

# Set environment
ENV COMMIT_SHA=${COMMIT_SHA} \
COMMIT_BRANCH=${COMMIT_BRANCH} \
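Review bot: the sticky-bit `RUN` cannot fail: the pipeline ends in `| echo 'tenable 1000749'`, so the exit status of `xargs chmod a+t` (and of `find`) is discarded and `2>/dev/null` hides any error, which means a broken command would leave the finding unremediated while the build stays green. Drop the trailing `| echo`, and use `xargs -r` so `chmod` is not invoked with an empty argument list when `find` matches nothing. The commented `# RUN npm audit fix` above is dead text; remove it or track it as a task.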
96 changes: 87 additions & 9 deletions api/source/controllers/Asset.js
@@ -1,6 +1,7 @@
'use strict';

const writer = require('../utils/writer.js');
const SmError = require('../utils/SmError')
const writer = require('../utils/writer');
const config = require('../utils/config')
const Asset = require(`../service/${config.database.type}/AssetService`);
const Collection = require(`../service/${config.database.type}/CollectionService`);
@@ -16,8 +17,26 @@ module.exports.createAsset = async function createAsset (req, res, next) {
const collectionGrant = req.userObject.collectionGrants.find( g => g.collection.collectionId === body.collectionId )

if ( elevate || (collectionGrant && collectionGrant.accessLevel >= 3) ) {
let asset = await Asset.createAsset( body, projection, elevate, req.userObject)
writer.writeJson(res, asset, 201)
try {
let asset = await Asset.createAsset( body, projection, elevate, req.userObject)
writer.writeJson(res, asset, 201)
}
catch (err) {
// This is MySQL specific, should abstract with an SmError
if (err.code === 'ER_DUP_ENTRY') {
try {
let response = await Asset.getAssets(body.collectionId, body.name, 'exact', null, null, projection, elevate, req.userObject )
throw (writer.respondWithCode( 400, {
code: 400,
message: `Duplicate name`,
data: response[0]
}))
} finally {}
}
else {
throw err
}
}
}
else {
// Not elevated or having collectionGrant
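Review bot: in the `ER_DUP_ENTRY` branch the inner `try { ... } finally {}` is a no-op wrapper and can be removed. More substantively, the handler assumes the violated unique key is the asset name and looks it up with `Asset.getAssets(body.collectionId, body.name, 'exact', ...)`; if the duplicate was on a different unique constraint, or the lookup returns no rows, `response[0]` is `undefined` and the client gets a misleading "Duplicate name". Guard for an empty result, and consider 409 Conflict rather than 400 for this case. The author's own comment already flags the MySQL-specific `err.code` check; raising an `SmError` from the service layer would keep the controller database-agnostic.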
@@ -166,7 +185,7 @@ module.exports.removeUsersFromAssetStig = async function removeUsersFromAssetSti

module.exports.exportAssets = async function exportAssets (projection, elevate, userObject) {
try {
let assets = await Asset.getAssets(null, null, projection, elevate, userObject )
let assets = await Asset.getAssets(null, null, null, null, null, projection, elevate, userObject )
return assets
}
catch (err) {
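Review bot: `Asset.getAssets(null, null, null, null, null, projection, elevate, userObject)` now takes eight positional parameters, five of them `null`; the Collection controller in this same commit passes its predicates as an object (`Collection.getCollections({ name, nameMatch, workflow, metadata }, projection, elevate, userObject)`), and the same shape here would remove the risk of transposing `name`, `nameMatch`, `benchmarkId` and `metadata` at call sites.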
@@ -181,7 +200,7 @@ module.exports.getAsset = async function getAsset (req, res, next) {
let elevate = req.swagger.params['elevate'].value

// All users are permitted to query for the asset
// If this user has no grants permitting access to the asset, the response will be falsy
// If this user has no grants permitting access to the asset, the response will be undefined
let response = await Asset.getAsset(assetId, projection, elevate, req.userObject )

// If there is a response, check if the request included the stigGrants projection
@@ -203,8 +222,14 @@ module.exports.getAsset = async function getAsset (req, res, next) {

module.exports.getAssets = async function getAssets (req, res, next) {
try {
const predicates = {

}
let collectionId = req.swagger.params['collectionId'].value
let name = req.swagger.params['name'].value
let nameMatch = req.swagger.params['name-match'].value
let benchmarkId = req.swagger.params['benchmarkId'].value
let metadata = req.swagger.params['metadata'].value
let projection = req.swagger.params['projection'].value
let elevate = req.swagger.params['elevate'].value
const collectionGrant = req.userObject.collectionGrants.find( g => g.collection.collectionId === collectionId )
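Review bot: `const predicates = { }` is declared but never used in this function (the `Asset.getAssets` call in the next hunk still passes `collectionId, name, nameMatch, benchmarkId, metadata` positionally); either populate it and pass it to the service, or remove it.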
@@ -219,7 +244,7 @@ module.exports.getAssets = async function getAssets (req, res, next) {
}
}
}
let response = await Asset.getAssets(collectionId, benchmarkId, projection, elevate, req.userObject )
let response = await Asset.getAssets(collectionId, name, nameMatch, benchmarkId, metadata, projection, elevate, req.userObject )
writer.writeJson(res, response)
}
else {
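Review bot: `name`, `nameMatch` and `metadata` are user-controlled query parameters passed straight to `Asset.getAssets`, and this controller does no validation of them beyond what the OpenAPI schema enforces. Confirm that the service builds the resulting predicates with bound parameters, and that `nameMatch` is restricted to the values enumerated in the spec, rather than interpolating either into SQL; `metadata` in particular is a free-form value.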
@@ -262,7 +287,7 @@ module.exports.getChecklistByAssetStig = async function getChecklistByAssetStig
let benchmarkId = req.swagger.params['benchmarkId'].value
let revisionStr = req.swagger.params['revisionStr'].value
let format = req.swagger.params['format'].value || 'json'
if (await dbUtils.userHasAssetStig(assetId, benchmarkId, false, req.userObject)) {
if (await dbUtils.userHasAssetStigs(assetId, [benchmarkId], false, req.userObject)) {
let response = await Asset.getChecklistByAssetStig(assetId, benchmarkId, revisionStr, format, false, req.userObject )
if (format === 'json') {
writer.writeJson(res, response)
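Review bot: the authorization gate changes from `dbUtils.userHasAssetStig(assetId, benchmarkId, ...)` to `dbUtils.userHasAssetStigs(assetId, [benchmarkId], ...)`; since the plural helper now guards the checklist export, confirm it returns true only when the user has access to every benchmarkId in the array (not when any one matches), and add a test for the single-element case so the behavior is pinned.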
@@ -285,8 +310,8 @@ module.exports.getChecklistByAssetStig = async function getChecklistByAssetStig
}
const j2x = new J2X(defaultOptions)
let xml = `<?xml version="1.0" encoding="UTF-8"?>\n<!-- STIG Manager ${config.version} -->\n`
xml += j2x.parse(response)
writer.writeXml(res, xml, `${response.CHECKLIST.ASSET.HOST_NAME}-${benchmarkId}-${revisionStr}.ckl`)
xml += j2x.parse(response.cklJs)
writer.writeInlineFile(res, xml, `${response.assetName}-${benchmarkId}-${revisionStr}.ckl`, 'application/xml')
}
}
else {
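Review bot: the download filename `${response.assetName}-${benchmarkId}-${revisionStr}.ckl` is built from a user-supplied asset name and handed to the new `writer.writeInlineFile`; the commit message lists "fix #266: sanitize exported filenames", so please confirm the sanitization lives inside `writeInlineFile` (stripping path separators, quotes and CR/LF before the value reaches the Content-Disposition header) rather than in each caller, because the POAM export in Collection.js builds its filename from a collection name the same way.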
@@ -298,6 +323,59 @@ module.exports.getChecklistByAssetStig = async function getChecklistByAssetStig
}
}

module.exports.getChecklistByAsset = async function getChecklistByAssetStig (req, res, next) {
try {
let assetId = req.swagger.params['assetId'].value
let requestedBenchmarkIds = req.swagger.params['benchmarkId'].value

// If this user has no grants permitting access to the asset, the response will be undefined
let assetResponse = await Asset.getAsset(assetId, ['stigs'], false, req.userObject )
if (!assetResponse) {
throw new SmError(403, 'User has insufficient access to complete this request.')
}
const availableBenchmarkIds = assetResponse.stigs.map( r => r.benchmarkId )
if (availableBenchmarkIds.length === 0) {
writer.writeNoContent(res)
return
}
if (!requestedBenchmarkIds) {
requestedBenchmarkIds = availableBenchmarkIds
}
else if (!requestedBenchmarkIds.every( requestedBenchmarkId => availableBenchmarkIds.includes(requestedBenchmarkId))) {
throw new SmError(400, 'Asset is not mapped to all requested benchmarkIds')
}

let cklObject = await Asset.getChecklistByAsset(assetId, requestedBenchmarkIds, 'ckl', false, req.userObject )
let parseOptions = {
attributeNamePrefix : "@_",
attrNodeName: "@", //default is false
textNodeName : "#text",
ignoreAttributes : true,
cdataTagName: "__cdata", //default is false
cdataPositionChar: "\\c",
format: true,
indentBy: " ",
supressEmptyNode: false,
tagValueProcessor: a => {
return a ? he.encode(a.toString(), { useNamedReferences: false}) : a
},
attrValueProcessor: a=> he.encode(a, {isAttributeValue: isAttribute, useNamedReferences: true})
}
const j2x = new J2X(parseOptions)
let xml = `<?xml version="1.0" encoding="UTF-8"?>\n<!-- STIG Manager ${config.version} -->\n`
xml += j2x.parse(cklObject.cklJs)
writer.writeInlineFile(res, xml, `${cklObject.assetName}.ckl`, 'application/xml')
}
catch (err) {
if (err.name === 'SmError') {
writer.writeJson(req.res, { status: err.httpStatus, message: err.message }, err.httpStatus)
}
else {
writer.writeJson(req.res, { status: 500, message: err.message, stack: err.stack }, 500)
}
}
}

module.exports.getAssetsByStig = async function getAssetsByStig (req, res, next) {
try {
let elevate = req.swagger.params['elevate'].value
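Review bot: the generic `catch` branch of the new `getChecklistByAsset` returns `stack: err.stack` to the client in the 500 body, which discloses server file paths and library internals; log the stack server-side and send only a generic message. Smaller points in the same hunk: the function is exported as `getChecklistByAsset` but named `getChecklistByAssetStig` (a copy-paste that will confuse stack traces); `attrValueProcessor` references `isAttribute`, which is not defined anywhere visible and is only harmless because `ignoreAttributes: true`; confirm `he` is required at the top of this module, since it is not in the visible import hunk; `parseOptions` duplicates the `defaultOptions` block used by `getChecklistByAssetStig` above and could be shared; and `writer.writeJson(req.res, ...)` should use `res` like the rest of the file. Returning 403 for both "asset not found" and "no access" is a good choice, as it does not reveal asset existence.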
37 changes: 30 additions & 7 deletions api/source/controllers/Collection.js
@@ -11,8 +11,28 @@ module.exports.createCollection = async function createCollection (req, res, nex
const elevate = req.swagger.params['elevate'].value
const body = req.swagger.params['body'].value
if ( elevate || req.userObject.privileges.canCreateCollection ) {
const response = await Collection.createCollection( body, projection, req.userObject)
writer.writeJson(res, response)
try {
const response = await Collection.createCollection( body, projection, req.userObject)
writer.writeJson(res, response)
}
catch (err) {
// This is MySQL specific, should abstract with an SmError
if (err.code === 'ER_DUP_ENTRY') {
try {
let response = await Collection.getCollections({
name: body.name
}, projection, elevate, req.userObject )
throw (writer.respondWithCode( 400, {
code: 400,
message: `Duplicate name`,
data: response[0]
}))
} finally {}
}
else {
throw err
}
}
}
else {
throw ( writer.respondWithCode ( 403, {message: "User has insufficient privilege to complete this request."} ) )
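Review bot: the duplicate lookup `Collection.getCollections({ name: body.name }, ...)` omits `nameMatch`, so it depends on the service's default matching mode; if that default is not exact, `response[0]` may be a different collection whose name merely contains `body.name`, and that record is then returned in the 400 body. Pass `nameMatch: 'exact'` as the Asset controller does, guard for an empty result, and drop the no-op `try { ... } finally {}` wrapper; as in Asset.js, the MySQL-specific `ER_DUP_ENTRY` check the author's comment flags would be better raised as an `SmError` from the service.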
@@ -95,10 +115,12 @@ module.exports.getCollections = async function getCollections (req, res, next) {
const projection = req.swagger.params['projection'].value
const elevate = req.swagger.params['elevate'].value
const name = req.swagger.params['name'].value
const nameMatch = req.swagger.params['name-match'].value
const workflow = req.swagger.params['workflow'].value
const metadata = req.swagger.params['metadata'].value
const response = await Collection.getCollections({
name: name,
nameMatch: nameMatch,
workflow: workflow,
metadata: metadata
}, projection, elevate, req.userObject)
@@ -164,7 +186,7 @@ module.exports.getPoamByCollection = async function getFindingsByCollection (req
else {
collectionName = collectionGrant.collection.name
}
writer.writeXlsx( res, xlsx, `POAM-${collectionName}.xlsx`)
writer.writeInlineFile( res, xlsx, `POAM-${collectionName}.xlsx`, 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet')
}
else {
throw( writer.respondWithCode ( 403, {message: "User has insufficient privilege to complete this request."} ) )
@@ -178,9 +200,11 @@ module.exports.getPoamByCollection = async function getFindingsByCollection (req
module.exports.getStatusByCollection = async function getStatusByCollection (req, res, next) {
try {
const collectionId = req.swagger.params['collectionId'].value
const benchmarkId = req.swagger.params['benchmarkId'].value
const assetId = req.swagger.params['assetId'].value
const collectionGrant = req.userObject.collectionGrants.find( g => g.collection.collectionId === collectionId )
if (collectionGrant || req.userObject.privileges.globalAccess ) {
const response = await Collection.getStatusByCollection( collectionId, req.userObject )
const response = await Collection.getStatusByCollection( collectionId, assetId, benchmarkId, req.userObject )
writer.writeJson(res, response)
}
else {
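Review bot: `assetId` and `benchmarkId` now narrow `getStatusByCollection`, but the only access check here is that a `collectionGrant` exists (or `globalAccess`); the service must scope `assetId` to `collectionId` so that an asset belonging to another collection returns nothing, and for restricted-access grants (the lvl1 users this commit's new tests target) the per-asset/STIG filtering must still apply when these filters are present. Add a cross-boundary test for this endpoint alongside the new LVL1 folder.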
@@ -214,10 +238,9 @@ module.exports.getStigAssetsByCollectionUser = async function getStigAssetsByCol
module.exports.getStigsByCollection = async function getStigsByCollection (req, res, next) {
try {
const collectionId = req.swagger.params['collectionId'].value
const elevate = req.swagger.params['elevate'].value
const collectionGrant = req.userObject.collectionGrants.find( g => g.collection.collectionId === collectionId )
if (collectionGrant || req.userObject.privileges.globalAccess || elevate ) {
const response = await Collection.getStigsByCollection( collectionId, elevate, req.userObject )
if (collectionGrant || req.userObject.privileges.globalAccess ) {
const response = await Collection.getStigsByCollection( collectionId, false, req.userObject )
writer.writeJson(res, response)
}
else {
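Review bot: removing `elevate` from the grant check is a sound tightening (a caller could previously bypass the collection-grant requirement with `elevate=true`); the service is now called with a literal `false`, so if no other caller passes `true`, remove the parameter from `Collection.getStigsByCollection` rather than carrying a constant.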
3 changes: 1 addition & 2 deletions api/source/controllers/Operation.js
@@ -71,8 +71,7 @@ module.exports.getAppData = async function getAppData (req, res, next) {
level: 3
}
})
writer.writeZipFile(res, buffer, 'stig-manager-appdata.json.zip')
// writer.writeJsonFile(res, response, 'stig-manager-appdata.json')
writer.writeInlineFile(res, buffer, 'stig-manager-appdata.json.zip', 'application/zip')
}
else {
throw( writer.respondWithCode ( 403, {message: `User has insufficient privilege to complete this request.`} ) )

0 comments on commit 0c04320