open up get apis for non-superuser

doc/release-notes/10930-marketplace-external-tools-apis.md

@@ -1,14 +1,14 @@
 ## New APIs for External Tools Registration for Marketplace
 
-New API base path /api/externalTools created that mimics the admin APIs /api/admin/externalTools. These new apis require an authenticated superuser token.
+New API base path /api/externalTools created that mimics the admin APIs /api/admin/externalTools. These new add and delete apis require an authenticated superuser token.
 
 Example:
 ```
    API_TOKEN='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
    export TOOL_ID=1
 
-   curl -s -H "X-Dataverse-key:$API_TOKEN" http://localhost:8080/api/externalTools
-   curl -s -H "X-Dataverse-key:$API_TOKEN" http://localhost:8080/api/externalTools/$TOOL_ID
+   curl http://localhost:8080/api/externalTools
+   curl http://localhost:8080/api/externalTools/$TOOL_ID
    curl -s -H "X-Dataverse-key:$API_TOKEN" -X POST -H 'Content-type: application/json' http://localhost:8080/api/externalTools --upload-file fabulousFileTool.json
    curl -s -H "X-Dataverse-key:$API_TOKEN" -X DELETE http://localhost:8080/api/externalTools/$TOOL_ID
 ```

doc/sphinx-guides/source/admin/external-tools.rst

@@ -52,11 +52,11 @@ To list all the external tools that are available in a Dataverse installation:
 
   curl http://localhost:8080/api/admin/externalTools
 
-This API is Superuser only. Note the endpoint difference (/api/externalTools instead of /api/admin/externalTools).
+This API is open to any user. Note the endpoint difference (/api/externalTools instead of /api/admin/externalTools).
 
 .. code-block:: bash
 
-  curl -s -H "X-Dataverse-key:$API_TOKEN" http://localhost:8080/api/externalTools
+  curl http://localhost:8080/api/externalTools
 
 Showing an External Tool in a Dataverse Installation
 ++++++++++++++++++++++++++++++++++++++++++++++++++++
@@ -68,11 +68,11 @@ To show one of the external tools that are available in a Dataverse installation
   export TOOL_ID=1
   curl http://localhost:8080/api/admin/externalTools/$TOOL_ID
 
-This API is Superuser only. Note the endpoint difference (/api/externalTools instead of /api/admin/externalTools).
+This API is open to any user. Note the endpoint difference (/api/externalTools instead of /api/admin/externalTools).
 
 .. code-block:: bash
 
-  curl -s -H "X-Dataverse-key:$API_TOKEN" http://localhost:8080/api/externalTools/$TOOL_ID
+  curl http://localhost:8080/api/externalTools/$TOOL_ID
 
 Removing an External Tool From a Dataverse Installation
 +++++++++++++++++++++++++++++++++++++++++++++++++++++++

src/main/java/edu/harvard/iq/dataverse/api/ExternalToolsApi.java

@@ -19,18 +19,14 @@ public class ExternalToolsApi extends AbstractApiBean {
     ExternalTools externalTools;
 
     @GET
-    @AuthRequired
-    public Response getExternalTools(@Context ContainerRequestContext crc) {
-        Response notAuthorized = authorize(crc);
-        return notAuthorized == null ? externalTools.getExternalTools() : notAuthorized;
+    public Response getExternalTools() {
+        return externalTools.getExternalTools();
     }
 
     @GET
-    @AuthRequired
     @Path("{id}")
-    public Response getExternalTool(@Context ContainerRequestContext crc, @PathParam("id") long externalToolIdFromUser) {
-        Response notAuthorized = authorize(crc);
-        return notAuthorized == null ? externalTools.getExternalTool(externalToolIdFromUser) : notAuthorized;
+    public Response getExternalTool(@PathParam("id") long externalToolIdFromUser) {
+        return externalTools.getExternalTool(externalToolIdFromUser);
     }
 
     @POST

src/test/java/edu/harvard/iq/dataverse/api/ExternalToolsIT.java

@@ -109,19 +109,34 @@ public void testExternalToolsNonAdminEndpoint() {
         getExternalTool.then().assertThat()
                 .statusCode(OK.getStatusCode());
 
-        //Delete the tool added by this test...
-        Response deleteExternalTool = UtilIT.deleteExternalTool(toolId, apiToken);
-        deleteExternalTool.prettyPrint();
-        deleteExternalTool.then().assertThat()
-                .statusCode(OK.getStatusCode());
-
-        // non superuser has no access
+        // non superuser can only view tools
         UtilIT.setSuperuserStatus(username, false);
         getExternalTools = UtilIT.getExternalTools(apiToken);
-        getExternalTools.prettyPrint();
         getExternalTools.then().assertThat()
+                .statusCode(OK.getStatusCode());
+        getExternalToolsByDatasetId = UtilIT.getExternalToolForDatasetById(datasetId.toString(), "configure", apiToken, toolId.toString());
+        getExternalToolsByDatasetId.prettyPrint();
+        getExternalToolsByDatasetId.then().assertThat()
+                .statusCode(OK.getStatusCode());
+
+        //Add by non-superuser will fail
+        addExternalTool = UtilIT.addExternalTool(JsonUtil.getJsonObject(toolManifest), apiToken);
+        addExternalTool.then().assertThat()
+                .statusCode(FORBIDDEN.getStatusCode())
+                .body("message", CoreMatchers.equalTo("Superusers only."));
+
+        //Delete by non-superuser will fail
+        Response deleteExternalTool = UtilIT.deleteExternalTool(toolId, apiToken);
+        deleteExternalTool.then().assertThat()
                 .statusCode(FORBIDDEN.getStatusCode())
                 .body("message", CoreMatchers.equalTo("Superusers only."));
+
+        //Delete the tool added by this test...
+        UtilIT.setSuperuserStatus(username, true);
+        deleteExternalTool = UtilIT.deleteExternalTool(toolId, apiToken);
+        deleteExternalTool.prettyPrint();
+        deleteExternalTool.then().assertThat()
+                .statusCode(OK.getStatusCode());
     }
 
     @Test