Add endpoint for updating API key comment

Required for DependencyTrack/frontend#768

Signed-off-by: nscuro <[email protected]>

docs/_posts/2024-xx-xx-v4.11.0.md

@@ -58,6 +58,8 @@ environment variable `BOM_VALIDATION_ENABLED` to `false`.
 * Improve tooltip clarity for project vulnerabilities - [frontend/#733]
 * Show badges on "Policy Violations" tab - [frontend/#744]
 * Add ESLint and prettier - [frontend/#752]
+* Display *created* and *last used* timestamps for API keys - [frontend/#768]
+* Display API key comments and make them editable - [frontend/#768]
 
 **Fixes:**
 
@@ -198,6 +200,7 @@ Special thanks to everyone who contributed code to implement enhancements and fi
 [frontend/#744]: https://github.com/DependencyTrack/frontend/pull/744
 [frontend/#748]: https://github.com/DependencyTrack/frontend/pull/748
 [frontend/#752]: https://github.com/DependencyTrack/frontend/pull/752
+[frontend/#768]: https://github.com/DependencyTrack/frontend/pull/768
 
 [@acdha]: https://github.com/acdha
 [@AnthonyMastrean]: https://github.com/AnthonyMastrean

src/main/java/org/dependencytrack/resources/v1/TeamResource.java

@@ -49,6 +49,8 @@
 import javax.ws.rs.core.Response;
 import java.util.List;
 
+import static org.datanucleus.PropertyNames.PROPERTY_RETAIN_VALUES;
+
 /**
  * JAX-RS resources for processing teams.
  *
@@ -243,6 +245,36 @@ public Response regenerateApiKey(
         }
     }
 
+    @POST
+    @Path("/key/{key}/comment")
+    @Consumes(MediaType.TEXT_PLAIN)
+    @Produces(MediaType.APPLICATION_JSON)
+    @ApiOperation(value = "Updates an API key's comment", response = ApiKey.class)
+    @ApiResponses(value = {
+            @ApiResponse(code = 401, message = "Unauthorized"),
+            @ApiResponse(code = 404, message = "The API key could not be found")
+    })
+    @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT)
+    public Response updateApiKeyComment(@PathParam("key") final String key,
+                                        final String comment) {
+        try (final var qm = new QueryManager()) {
+            qm.getPersistenceManager().setProperty(PROPERTY_RETAIN_VALUES, "true");
+
+            return qm.runInTransaction(() -> {
+                final ApiKey apiKey = qm.getApiKey(key);
+                if (apiKey == null) {
+                    return Response
+                            .status(Response.Status.NOT_FOUND)
+                            .entity("The API key could not be found.")
+                            .build();
+                }
+
+                apiKey.setComment(comment);
+                return Response.ok(apiKey).build();
+            });
+        }
+    }
+
     @DELETE
     @Path("/key/{apikey}")
     @ApiOperation(

src/test/java/org/dependencytrack/resources/v1/TeamResourceTest.java

@@ -19,15 +19,15 @@
 package org.dependencytrack.resources.v1;
 
 import alpine.common.util.UuidUtil;
+import alpine.model.ApiKey;
 import alpine.model.ConfigProperty;
+import alpine.model.Team;
 import alpine.server.filters.ApiFilter;
 import alpine.server.filters.AuthenticationFilter;
-import alpine.model.Team;
 import org.dependencytrack.ResourceTest;
 import org.dependencytrack.auth.Permissions;
 import org.dependencytrack.model.ConfigPropertyConstants;
 import org.dependencytrack.model.Project;
-import org.dependencytrack.persistence.QueryManager;
 import org.glassfish.jersey.client.ClientProperties;
 import org.glassfish.jersey.server.ResourceConfig;
 import org.glassfish.jersey.servlet.ServletContainer;
@@ -43,6 +43,10 @@
 import javax.ws.rs.core.Response;
 import java.util.UUID;
 
+import static net.javacrumbs.jsonunit.assertj.JsonAssertions.assertThatJson;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.hamcrest.CoreMatchers.equalTo;
+
 public class TeamResourceTest extends ResourceTest {
 
     @Override
@@ -271,4 +275,43 @@ public void deleteApiKeyInvalidTest() {
         String body = getPlainTextBody(response);
         Assert.assertEquals("The API key could not be found.", body);
     }
+
+    @Test
+    public void updateApiKeyCommentTest() {
+        final Team team = qm.createTeam("foo", true);
+        final ApiKey apiKey = team.getApiKeys().get(0);
+
+        assertThat(apiKey.getCreated()).isNotNull();
+        assertThat(apiKey.getLastUsed()).isNull();
+        assertThat(apiKey.getComment()).isNull();
+
+        final Response response = target("%s/key/%s/comment".formatted(V1_TEAM, apiKey.getKey())).request()
+                .header(X_API_KEY, this.apiKey)
+                .post(Entity.entity("Some comment 123", MediaType.TEXT_PLAIN));
+
+        assertThat(response.getStatus()).isEqualTo(200);
+        assertThatJson(getPlainTextBody(response))
+                .withMatcher("key", equalTo(apiKey.getKey()))
+                .withMatcher("maskedKey", equalTo(apiKey.getMaskedKey()))
+                .isEqualTo("""
+                        {
+                          "key": "${json-unit.matches:key}",
+                          "maskedKey": "${json-unit.matches:maskedKey}",
+                          "created": "${json-unit.any-number}",
+                          "lastUsed": null,
+                          "comment": "Some comment 123"
+                        }
+                        """);
+    }
+
+    @Test
+    public void updateApiKeyCommentNotFoundTest() {
+        final Response response = target("%s/key/does-not-exist/comment".formatted(V1_TEAM)).request()
+                .header(X_API_KEY, this.apiKey)
+                .post(Entity.entity("Some comment 123", MediaType.TEXT_PLAIN));
+
+        assertThat(response.getStatus()).isEqualTo(404);
+        assertThat(getPlainTextBody(response)).isEqualTo("The API key could not be found.");
+    }
+
 }