

#5514 #5515 make commands superuser only
matthew-a-dunlap committed Mar 14, 2019
1 parent 7993eac commit a7ff2c9
Showing 3 changed files with 86 additions and 21 deletions.
23 changes: 20 additions & 3 deletions src/main/java/edu/harvard/iq/dataverse/api/Users.java
Expand Up @@ -7,6 +7,7 @@

import static edu.harvard.iq.dataverse.api.AbstractApiBean.error;
import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
import edu.harvard.iq.dataverse.authorization.users.User;
import edu.harvard.iq.dataverse.engine.command.impl.ChangeUserIdentifierCommand;
import edu.harvard.iq.dataverse.engine.command.impl.MergeInAccountCommand;
import java.util.logging.Logger;
Expand All @@ -22,14 +23,22 @@
*/
@Stateless
@Path("users")
public class Users extends AbstractApiBean{
public class Users extends AbstractApiBean {

private static final Logger logger = Logger.getLogger(Users.class.getName());

@POST
@Path("{consumedIdentifier}/mergeIntoUser/{baseIdentifier}")
public Response mergeInAuthenticatedUser(@PathParam("consumedIdentifier") String consumedIdentifier, @PathParam("baseIdentifier") String baseIdentifier) {

try {
User u = findUserOrDie();
if(!u.isSuperuser()) {
throw new WrappedResponse(error(Response.Status.UNAUTHORIZED, "Only superusers can merge users"));
}
} catch (WrappedResponse ex) {
return ex.getResponse();
}

if(null == baseIdentifier || baseIdentifier.isEmpty()) {
return error(Response.Status.BAD_REQUEST, "Base identifier provided to change is empty.");
} else if(null == consumedIdentifier || consumedIdentifier.isEmpty()) {
Expand Down Expand Up @@ -58,7 +67,15 @@ public Response mergeInAuthenticatedUser(@PathParam("consumedIdentifier") String
@POST
@Path("{identifier}/changeIdentifier/{newIdentifier}")
public Response changeAuthenticatedUserIdentifier(@PathParam("identifier") String oldIdentifier, @PathParam("newIdentifier") String newIdentifier) {

try {
User u = findUserOrDie();
if(!u.isSuperuser()) {
throw new WrappedResponse(error(Response.Status.UNAUTHORIZED, "Only superusers can change userIdentifiers"));
}
} catch (WrappedResponse ex) {
return ex.getResponse();
}

if(null == oldIdentifier || oldIdentifier.isEmpty()) {
return error(Response.Status.BAD_REQUEST, "Old identifier provided to change is empty.");
} else if(null == newIdentifier || newIdentifier.isEmpty()) {
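Review bot: The superuser gate added at the top of mergeInAuthenticatedUser and again in changeAuthenticatedUserIdentifier is the same six lines twice, differing only in the message text, so the check belongs in one private helper that both endpoints call; both enclosing methods continue past the hunk. Returning UNAUTHORIZED for a caller who did authenticate but lacks the superuser role is the unusual choice — the conventional status for that case is FORBIDDEN, which UsersIT already imports — but the tests added in this commit assert 401, so the fence keeps the status as-is and only removes the duplication. Running the role check before the identifier validation is the right order, since an unprivileged caller then learns nothing about which identifiers exist.
```java
    /** Throws a WrappedResponse carrying the error response unless the caller is an authenticated superuser. */
    private void requireSuperuser(String action) throws WrappedResponse {
        User u = findUserOrDie();
        if (!u.isSuperuser()) {
            throw new WrappedResponse(error(Response.Status.UNAUTHORIZED, "Only superusers can " + action));
        }
    }

    public Response mergeInAuthenticatedUser(@PathParam("consumedIdentifier") String consumedIdentifier, @PathParam("baseIdentifier") String baseIdentifier) {
        try {
            requireSuperuser("merge users");
        } catch (WrappedResponse ex) {
            return ex.getResponse();
        }
        // … unchanged: identifier validation and command execution; changeAuthenticatedUserIdentifier calls requireSuperuser("change userIdentifiers") the same way …
```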
52 changes: 41 additions & 11 deletions src/test/java/edu/harvard/iq/dataverse/api/UsersIT.java
Expand Up @@ -14,6 +14,7 @@
import static javax.ws.rs.core.Response.Status.FORBIDDEN;
import static javax.ws.rs.core.Response.Status.NOT_FOUND;
import static javax.ws.rs.core.Response.Status.OK;
import static javax.ws.rs.core.Response.Status.UNAUTHORIZED;
import static junit.framework.Assert.assertEquals;
import static org.hamcrest.CoreMatchers.equalTo;
import org.junit.BeforeClass;
Expand All @@ -31,7 +32,7 @@ public static void setUp() {

}

@Test
@Test
public void testChangeAuthenticatedUserIdentifier() {
Response createSuperuser = UtilIT.createRandomUser();
String superuserUsername = UtilIT.getUsernameFromResponse(createSuperuser);
Expand All @@ -44,6 +45,7 @@ public void testChangeAuthenticatedUserIdentifier() {
createUser.prettyPrint();
assertEquals(200, createUser.getStatusCode());
String usernameOfUser = UtilIT.getUsernameFromResponse(createUser);
String userApiToken = UtilIT.getApiTokenFromResponse(createUser);

Response createUserForAlreadyExists = UtilIT.createRandomUser();
createUserForAlreadyExists.prettyPrint();
Expand All @@ -56,6 +58,17 @@ public void testChangeAuthenticatedUserIdentifier() {
changeAuthIdResponse.then().assertThat()
.statusCode(OK.getStatusCode());

//No api token
Response changeAuthIdResponseNoToken = UtilIT.changeAuthenticatedUserIdentifier(usernameOfUser, newUsername, null);
changeAuthIdResponseNoToken.prettyPrint();
changeAuthIdResponseNoToken.then().assertThat()
.statusCode(UNAUTHORIZED.getStatusCode());

//Users own api token
Response changeAuthIdResponseNormalToken = UtilIT.changeAuthenticatedUserIdentifier(usernameOfUser, newUsername, userApiToken);
changeAuthIdResponseNormalToken.prettyPrint();
changeAuthIdResponseNormalToken.then().assertThat()
.statusCode(UNAUTHORIZED.getStatusCode());

//Try changing to already existing username
Response changeAuthIdResponseBadAlreadyExists= UtilIT.changeAuthenticatedUserIdentifier(newUsername, usernameOfUserAlreadyExists, superuserApiToken);
Expand Down Expand Up @@ -86,30 +99,37 @@ public void testChangeAuthenticatedUserIdentifier() {

@Test
public void testMergeAccounts(){
Response createSuperuser = UtilIT.createRandomUser();
String superuserUsername = UtilIT.getUsernameFromResponse(createSuperuser);
String superuserApiToken = UtilIT.getApiTokenFromResponse(createSuperuser);
Response toggleSuperuser = UtilIT.makeSuperUser(superuserUsername);
toggleSuperuser.then().assertThat()
.statusCode(OK.getStatusCode());

Response createUser = UtilIT.createRandomUser();
createUser.prettyPrint();
String usernameConsumed = UtilIT.getUsernameFromResponse(createUser);
String apiToken = UtilIT.getApiTokenFromResponse(createUser);
String normalApiToken = UtilIT.getApiTokenFromResponse(createUser);


Response createDataverse = UtilIT.createRandomDataverse(apiToken);
Response createDataverse = UtilIT.createRandomDataverse(normalApiToken);
createDataverse.prettyPrint();
createDataverse.then().assertThat()
.statusCode(CREATED.getStatusCode());

String dataverseAlias = JsonPath.from(createDataverse.body().asString()).getString("data.alias");

String pathToJsonFile = "src/test/java/edu/harvard/iq/dataverse/export/ddi/dataset-hdl.json";
Response createDatasetResponse = UtilIT.createDatasetViaNativeApi(dataverseAlias, pathToJsonFile, apiToken);
Response createDatasetResponse = UtilIT.createDatasetViaNativeApi(dataverseAlias, pathToJsonFile, normalApiToken);
createDatasetResponse.prettyPrint();
Integer datasetId = JsonPath.from(createDatasetResponse.body().asString()).getInt("data.id");
Response datasetAsJson = UtilIT.nativeGet(datasetId, apiToken);
Response datasetAsJson = UtilIT.nativeGet(datasetId, normalApiToken);
datasetAsJson.then().assertThat()
.statusCode(OK.getStatusCode());

String randomString = UtilIT.getRandomIdentifier();

Response mergeAccounts = UtilIT.mergeAccounts(randomString, usernameConsumed);
Response mergeAccounts = UtilIT.mergeAccounts(randomString, usernameConsumed, superuserApiToken);
assertEquals(400, mergeAccounts.getStatusCode());
mergeAccounts.prettyPrint();

Expand All @@ -118,15 +138,27 @@ public void testMergeAccounts(){
String targetname = UtilIT.getUsernameFromResponse(targetUser);
String targetToken = UtilIT.getApiTokenFromResponse(targetUser);

mergeAccounts = UtilIT.mergeAccounts(targetname, usernameConsumed);
mergeAccounts = UtilIT.mergeAccounts(targetname, usernameConsumed, superuserApiToken);
assertEquals(200, mergeAccounts.getStatusCode());
mergeAccounts.prettyPrint();

//No api token
Response mergeResponseNoToken = UtilIT.mergeAccounts(targetname, usernameConsumed, null);
mergeResponseNoToken.prettyPrint();
mergeResponseNoToken.then().assertThat()
.statusCode(UNAUTHORIZED.getStatusCode());

//Users own api token
Response mergeResponseNormalToken = UtilIT.mergeAccounts(targetname, usernameConsumed, normalApiToken);
mergeResponseNormalToken.prettyPrint();
mergeResponseNormalToken.then().assertThat()
.statusCode(UNAUTHORIZED.getStatusCode());

//After merging user see that old one is gone and new one exists
Response getConsumedUserResponse = UtilIT.getAuthenticatedUser(usernameConsumed, apiToken);
Response getConsumedUserResponse = UtilIT.getAuthenticatedUser(usernameConsumed, normalApiToken);
assertEquals(400, getConsumedUserResponse.getStatusCode());

Response getPersistedUserResponse = UtilIT.getAuthenticatedUser(targetname, apiToken);
Response getPersistedUserResponse = UtilIT.getAuthenticatedUser(targetname, normalApiToken);
assertEquals(200, getPersistedUserResponse.getStatusCode());

//Make sure that you can publish the dataverse/dataset as the newly assigned user
Expand All @@ -140,8 +172,6 @@ public void testMergeAccounts(){
publishDatasetResponse.prettyPrint();

}



/** Note: the below commands do not actually live in Users.java. They live in Admin.java */

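Review bot: The two negative cases added in testChangeAuthenticatedUserIdentifier (no token, then the user's own token) run after the superuser call has already renamed usernameOfUser to newUsername, so they target an identifier that no longer exists and pass only because the role check in Users.java fires before any lookup; the same applies to the two blocks added in testMergeAccounts, which run after usernameConsumed has already been merged away. Moving each pair above the successful superuser call, and following it with a `UtilIT.getAuthenticatedUser` on the original identifier expecting 200, would show that an unprivileged request leaves the account untouched rather than only that it is refused. Both test methods start outside the hunk. A one-line comment such as `// negative cases first: the identifier must still exist and be unchanged afterwards` would record why the order matters.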
32 changes: 25 additions & 7 deletions src/test/java/edu/harvard/iq/dataverse/api/UtilIT.java
Expand Up @@ -1921,17 +1921,35 @@ static Response getOaiListIdentifiers(String setName, String metadataFormat) {
}

static Response changeAuthenticatedUserIdentifier(String oldIdentifier, String newIdentifier, String apiToken) {
Response response = given()
Response response;
String path = String.format("/api/users/%s/changeIdentifier/%s", oldIdentifier, newIdentifier );

if(null == apiToken) {
response = given()
.post(path);
} else {
response = given()
.header(API_TOKEN_HTTP_HEADER, apiToken)
.post("/api/users/" + oldIdentifier + "/changeIdentifier/"+ newIdentifier );
.post(path);
}

return response;
}

static Response mergeAccounts(String baseId, String consumedId) {
System.out.print(String.format("/api/users/%s/mergeIntoUser/%s", consumedId, baseId ));
String apiPath = String.format("/api/users/%s/mergeIntoUser/%s", consumedId, baseId );
return given()
.post(apiPath);
static Response mergeAccounts(String baseId, String consumedId, String apiToken) {
Response response;
String path = String.format("/api/users/%s/mergeIntoUser/%s", consumedId, baseId );

if(null == apiToken) {
response = given()
.post(path);
} else {
response = given()
.header(API_TOKEN_HTTP_HEADER, apiToken)
.post(path);
}

return response;
}


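Review bot: In changeAuthenticatedUserIdentifier the `if(null == apiToken)` split repeats the `given()...post(path)` call in both branches, and mergeAccounts duplicates the same shape; building one request specification and adding the header only when a token is supplied leaves a single call site per helper. The fence shows the first helper; mergeAccounts would be rewritten identically with its own path format. `RequestSpecification` is the type `given()` returns in REST Assured, so it may need an import if UtilIT does not already have one.
```java
    static Response changeAuthenticatedUserIdentifier(String oldIdentifier, String newIdentifier, String apiToken) {
        String path = String.format("/api/users/%s/changeIdentifier/%s", oldIdentifier, newIdentifier);
        // A null token means "send no auth header" so callers can exercise the unauthenticated path.
        RequestSpecification request = given();
        if (apiToken != null) {
            request = request.header(API_TOKEN_HTTP_HEADER, apiToken);
        }
        return request.post(path);
    }
```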
