diff --git a/doc/release-notes/10930-marketplace-external-tools-apis.md b/doc/release-notes/10930-marketplace-external-tools-apis.md index 9e20c908823..e3350a8b2d2 100644 --- a/doc/release-notes/10930-marketplace-external-tools-apis.md +++ b/doc/release-notes/10930-marketplace-external-tools-apis.md @@ -1,14 +1,14 @@ ## New APIs for External Tools Registration for Marketplace -New API base path /api/externalTools created that mimics the admin APIs /api/admin/externalTools. These new apis require an authenticated superuser token. +New API base path /api/externalTools created that mimics the admin APIs /api/admin/externalTools. These new add and delete apis require an authenticated superuser token. Example: ``` API_TOKEN='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' export TOOL_ID=1 - curl -s -H "X-Dataverse-key:$API_TOKEN" http://localhost:8080/api/externalTools - curl -s -H "X-Dataverse-key:$API_TOKEN" http://localhost:8080/api/externalTools/$TOOL_ID + curl http://localhost:8080/api/externalTools + curl http://localhost:8080/api/externalTools/$TOOL_ID curl -s -H "X-Dataverse-key:$API_TOKEN" -X POST -H 'Content-type: application/json' http://localhost:8080/api/externalTools --upload-file fabulousFileTool.json curl -s -H "X-Dataverse-key:$API_TOKEN" -X DELETE http://localhost:8080/api/externalTools/$TOOL_ID ``` diff --git a/doc/sphinx-guides/source/admin/external-tools.rst b/doc/sphinx-guides/source/admin/external-tools.rst index 3d7c057bda5..c3e71c13ac6 100644 --- a/doc/sphinx-guides/source/admin/external-tools.rst +++ b/doc/sphinx-guides/source/admin/external-tools.rst 
@@ -52,11 +52,11 @@ To list all the external tools that are available in a Dataverse installation: curl http://localhost:8080/api/admin/externalTools -This API is Superuser only. Note the endpoint difference (/api/externalTools instead of /api/admin/externalTools). +This API is open to any user. Note the endpoint difference (/api/externalTools instead of /api/admin/externalTools). .. code-block:: bash - curl -s -H "X-Dataverse-key:$API_TOKEN" http://localhost:8080/api/externalTools + curl http://localhost:8080/api/externalTools Showing an External Tool in a Dataverse Installation ++++++++++++++++++++++++++++++++++++++++++++++++++++ @@ -68,11 +68,11 @@ To show one of the external tools that are available in a Dataverse installation export TOOL_ID=1 curl http://localhost:8080/api/admin/externalTools/$TOOL_ID -This API is Superuser only. Note the endpoint difference (/api/externalTools instead of /api/admin/externalTools). +This API is open to any user. Note the endpoint difference (/api/externalTools instead of /api/admin/externalTools). .. code-block:: bash - curl -s -H "X-Dataverse-key:$API_TOKEN" http://localhost:8080/api/externalTools/$TOOL_ID + curl http://localhost:8080/api/externalTools/$TOOL_ID Removing an External Tool From a Dataverse Installation +++++++++++++++++++++++++++++++++++++++++++++++++++++++ diff --git a/src/main/java/edu/harvard/iq/dataverse/api/ExternalToolsApi.java b/src/main/java/edu/harvard/iq/dataverse/api/ExternalToolsApi.java index bf5634e09a8..92139d86caf 100644 --- a/src/main/java/edu/harvard/iq/dataverse/api/ExternalToolsApi.java +++ b/src/main/java/edu/harvard/iq/dataverse/api/ExternalToolsApi.java 
@@ -19,18 +19,14 @@ public class ExternalToolsApi extends AbstractApiBean { ExternalTools externalTools; @GET - @AuthRequired - public Response getExternalTools(@Context ContainerRequestContext crc) { - Response notAuthorized = authorize(crc); - return notAuthorized == null ? externalTools.getExternalTools() : notAuthorized; + public Response getExternalTools() { + return externalTools.getExternalTools(); } @GET - @AuthRequired @Path("{id}") - public Response getExternalTool(@Context ContainerRequestContext crc, @PathParam("id") long externalToolIdFromUser) { - Response notAuthorized = authorize(crc); - return notAuthorized == null ? externalTools.getExternalTool(externalToolIdFromUser) : notAuthorized; + public Response getExternalTool(@PathParam("id") long externalToolIdFromUser) { + return externalTools.getExternalTool(externalToolIdFromUser); } @POST diff --git a/src/test/java/edu/harvard/iq/dataverse/api/ExternalToolsIT.java b/src/test/java/edu/harvard/iq/dataverse/api/ExternalToolsIT.java index a3e2cca329d..1956e0eb8df 100644 --- a/src/test/java/edu/harvard/iq/dataverse/api/ExternalToolsIT.java +++ b/src/test/java/edu/harvard/iq/dataverse/api/ExternalToolsIT.java 
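Review bot: Both GET handlers, `getExternalTools()` and `getExternalTool(...)`, now answer with no caller identity at all, because `@AuthRequired` and the `authorize(crc)` gate are removed rather than relaxed. The listing is therefore reachable by anonymous requests, not only by "any user" as the guide wording suggests. The delegate `externalTools.getExternalTools()` is not visible in this hunk, so it is worth confirming that the serialized tool manifest carries nothing an installation would want restricted to administrators (for example internal tool URLs or parameters), since `/api/externalTools` presumably is not covered by whatever restricts `/api/admin`. I would record the decision on each method with a short Javadoc such as `/** Public, unauthenticated read; returns the same payload as the admin endpoint. Add and delete remain superuser-only. */`. The class body continues past the hunk at `@POST`, so the write endpoints could not be checked here.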
@@ -109,19 +109,34 @@ public void testExternalToolsNonAdminEndpoint() { getExternalTool.then().assertThat() .statusCode(OK.getStatusCode()); - //Delete the tool added by this test... - Response deleteExternalTool = UtilIT.deleteExternalTool(toolId, apiToken); - deleteExternalTool.prettyPrint(); - deleteExternalTool.then().assertThat() - .statusCode(OK.getStatusCode()); - - // non superuser has no access + // non superuser can only view tools UtilIT.setSuperuserStatus(username, false); getExternalTools = UtilIT.getExternalTools(apiToken); - getExternalTools.prettyPrint(); getExternalTools.then().assertThat() + .statusCode(OK.getStatusCode()); + getExternalToolsByDatasetId = UtilIT.getExternalToolForDatasetById(datasetId.toString(), "configure", apiToken, toolId.toString()); + getExternalToolsByDatasetId.prettyPrint(); + getExternalToolsByDatasetId.then().assertThat() + .statusCode(OK.getStatusCode()); + + //Add by non-superuser will fail + addExternalTool = UtilIT.addExternalTool(JsonUtil.getJsonObject(toolManifest), apiToken); + addExternalTool.then().assertThat() + .statusCode(FORBIDDEN.getStatusCode()) + .body("message", CoreMatchers.equalTo("Superusers only.")); + + //Delete by non-superuser will fail + Response deleteExternalTool = UtilIT.deleteExternalTool(toolId, apiToken); + deleteExternalTool.then().assertThat() .statusCode(FORBIDDEN.getStatusCode()) .body("message", CoreMatchers.equalTo("Superusers only.")); + + //Delete the tool added by this test... + UtilIT.setSuperuserStatus(username, true); + deleteExternalTool = UtilIT.deleteExternalTool(toolId, apiToken); + deleteExternalTool.prettyPrint(); + deleteExternalTool.then().assertThat() + .statusCode(OK.getStatusCode()); } @Test
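Review bot: The read assertions after `UtilIT.setSuperuserStatus(username, false)` still send `apiToken`, so the case the documentation now advertises, a request with no `X-Dataverse-key` header, is never exercised, and neither is an add or delete attempt without a token. I would add one list and one show request issued without a token (expecting OK), plus one add and one delete without a token (expecting a rejection), marked with a comment like `// anonymous callers may read but not modify`. If either FORBIDDEN assertion fails, the final cleanup delete is skipped and the tool created earlier stays registered, which can disturb later tests. The test method and the declarations of `getExternalToolsByDatasetId` and `addExternalTool` begin outside this hunk.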