feature: Add ACL check when getting Datastore keys [DHIS2-15959] #15595

Merged
merged 23 commits into from
Nov 8, 2023

david-mackessy
Contributor

@david-mackessy david-mackessy commented Nov 3, 2023

Summary

Add ACL (r-------) sharing check for User getting namespace keys from DataStore
3 endpoints impacted:

  • GET /api/dataStore/{namespace}/keys
  • GET /api/dataStore/{namespace}
  • GET /api/dataStore/{namespace}?fields={field} (with query params)

Change

  • add ACL filter to hql which includes these checks in the following order:
  1. User is superUser
  2. Sharing jsonb owner is null or matches User
  3. Sharing jsonb public is null or has metadata read access r-------
  4. Sharing jsonb users contains User ID
  5. Sharing jsonb userGroups contains User userGroup ID

Notes

The default public access for DatastoreEntry has been kept rw------
This work should have no adverse effect on existing implementations.
The Datastore docs already have the relevant information about default public access & sharing.

Testing

Automated

  • Integration tests added covering scenarios for /api/dataStore/{namespace} endpoint
  • e2e tests added covering scenarios for /api/dataStore/{namespace}/keys and /api/dataStore/{namespace} with query params endpoints

Manual

Any logged in User should be able to see all keys from a namespace using any of these endpoints:

  • GET /api/dataStore/{namespace}/keys
  • GET /api/dataStore/{namespace}
  • GET /api/dataStore/{namespace}?fields={field} (with query params)

A normal (non superuser) User with no explicit access should still be able to retrieve namespace keys for a namespace it has access to.
A normal User with explicit sharing access should be able to retrieve namespace keys, when the public access is removed.

To add an entry to a new namespace:

  • POST /api/dataStore/{myNamespace}/{myKey} with sample body
{
    "name": "test",
    "project": "dhis2"
}

To get the ID of a DataEntry use:
GET /api/dataStore/{namespace}/{key}/metaData

To remove public access of a DataEntry:

  • POST /api/sharing?type=dataStore&id={dataStoreEntryId} with body
{
    "object": {
        "publicAccess": "--------",
        "externalAccess": false,
        "user": {},
        "userAccesses": [],
        "userGroupAccesses": []
    }
}

To share access of a DataEntry with another User & remove public access:

  • POST /api/sharing?type=dataStore&id={dataStoreEntryId} with body
{
    "object": {
        "publicAccess": "--------",
        "externalAccess": false,
        "user": {},
        "userAccesses": [
            {
                "id": "{userId}",
                "access": "r-------"
            }
        ],
        "userGroupAccesses": []
    }
}

To share access with a UserGroup & remove public access use:

{
    "object": {
        "publicAccess": "--------",
        "externalAccess": false,
        "user": {},
        "userAccesses": [],
        "userGroupAccesses": [
            {
                "id": "{userGroupId}",
                "access": "r-------"
            }
        ]
    }
}
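
Added example, not part of the pull request or DHIS2's own code: a Python model of the five ordered checks listed under Change, applied to constructed sharing objects to show which keys each user would list. The dictionary layout, the IDs and the requirement that a per-user or per-group grant itself carries the read bit are assumptions; note that a null owner or null public value grants access under checks 2 and 3.

```python
# Added illustration, not DHIS2 code. The keys owner/public/users/userGroups
# come from the PR description; the dict layout is an assumption.

def has_read(access):
    """Metadata read is the first character of the access string."""
    return bool(access) and access[0] == "r"

def granting_rule(sharing, user):
    """Return the first rule (in the PR's order) that grants read, else None."""
    if user.get("super"):
        return "superuser"
    owner = sharing.get("owner")
    if owner is None or owner == user["id"]:
        return "owner"
    public = sharing.get("public")
    if public is None or has_read(public):
        return "public"
    # Assumption: a user or group grant must itself carry the read bit.
    grant = sharing.get("users", {}).get(user["id"])
    if grant and has_read(grant["access"]):
        return "users"
    for gid in user.get("groups", ()):
        grant = sharing.get("userGroups", {}).get(gid)
        if grant and has_read(grant["access"]):
            return "userGroups"
    return None

def visible_keys(entries, user):
    """Keys of a namespace the user may list."""
    return sorted(k for k, s in entries.items() if granting_rule(s, user))

def grant(uid):
    return {uid: {"id": uid, "access": "r-------"}}

# Constructed namespace: key -> sharing object of its entry.
ENTRIES = {
    "default": {"owner": "uOwner", "public": "rw------"},
    "private": {"owner": "uOwner", "public": "--------"},
    "to_user": {"owner": "uOwner", "public": "--------", "users": grant("uAlice")},
    "to_group": {"owner": "uOwner", "public": "--------", "userGroups": grant("gOps")},
    "no_owner": {"public": "--------"},  # null owner passes check 2
}
ALICE = {"id": "uAlice", "groups": []}
BOB = {"id": "uBob", "groups": ["gOps"]}
ADMIN = {"id": "uAdmin", "super": True}

if __name__ == "__main__":
    for u in (ALICE, BOB, ADMIN):
        print(u["id"], visible_keys(ENTRIES, u))
```
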


codecov bot commented Nov 3, 2023

Codecov Report

Merging #15595 (5e1d7ad) into master (6a47df8) will increase coverage by 0.00%.
Report is 1 commits behind head on master.
The diff coverage is 100.00%.

@@            Coverage Diff            @@
##             master   #15595   +/-   ##
=========================================
  Coverage     66.24%   66.25%           
- Complexity    31263    31265    +2     
=========================================
  Files          3485     3485           
  Lines        129790   129798    +8     
  Branches      15146    15146           
=========================================
+ Hits          85975    85992   +17     
+ Misses        36731    36724    -7     
+ Partials       7084     7082    -2     
Flag Coverage Δ
integration 49.82% <100.00%> (+0.01%) ⬆️
integration-h2 32.43% <100.00%> (+0.01%) ⬆️
unit 30.34% <10.00%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Coverage Δ
...s/datastore/hibernate/HibernateDatastoreStore.java 98.24% <100.00%> (+0.20%) ⬆️
...c/main/java/org/hisp/dhis/query/JpaQueryUtils.java 82.70% <100.00%> (+3.16%) ⬆️
...hema/descriptors/KeyJsonValueSchemaDescriptor.java 100.00% <100.00%> (ø)

... and 5 files with indirect coverage changes


Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f93bc5c...5e1d7ad. Read the comment docs.

@david-mackessy david-mackessy changed the title feature: Add User access check when getting Datastore keys [DHIS2-15959] feature: Add ACL check when getting Datastore keys [DHIS2-15959] Nov 8, 2023

sonarqubecloud bot commented Nov 8, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

0.0% 0.0% Coverage
0.0% 0.0% Duplication

@david-mackessy david-mackessy enabled auto-merge (squash) November 8, 2023 12:24
@david-mackessy david-mackessy merged commit 1a07024 into master Nov 8, 2023
16 checks passed