Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Add read ACL check when no namespace protection [DHS2-16134] #15754

Merged
merged 9 commits into from
Nov 27, 2023

Conversation

david-mackessy
Copy link
Contributor

@david-mackessy david-mackessy commented Nov 22, 2023

Summary

This feature adds an ACL check to DatastoreService#readProtectedIn when there is no namespace protection. The following endpoints can be used to test the feature:

  • GET /api/dataStore/{namespace}/{key}
  • GET /api/dataStore/{namespace}/{key}/metaData

Background

There was already an existing read Sharing check performed for namespace entries that had namespace protection.
The read check has been updated to incorporate scenarios where there is no namespace protection in place (namespace protection is only setup programmatically currently. All namespaces setup through the API will not have any namespace protection).

DatastoreEntry Read criteria when no namespace protection

  • Superuser can always read
  • Any user can read by default (no Sharing changes made)
  • Public access removed & User is not the owner
    • User cannot access
    • User can access when User added to Shared Users
    • User can access when User UserGroup added to Shared UserGroups

Testing

Automated

  • Multiple e2e tests added to cover different scenarios

Manual

To manually test this feature, the following endpoints can be used:

  • GET /api/dataStore/{namespace}/{key}
  • GET /api/dataStore/{namespace}/{key}/metaData

To add an entry to a new namespace:

POST /api/dataStore/{myNamespace}/{myKey} with sample body

{
    "name": "test",
    "project": "dhis2"
}

To get the ID of a DataEntry use:
GET /api/dataStore/{namespace}/{key}/metaData

To remove public access of a DataEntry:

POST /api/sharing?type=dataStore&id={dataStoreEntryId} with body

{
    "object": {
        "publicAccess": "--------",
        "externalAccess": false,
        "user": {},
        "userAccesses": [],
        "userGroupAccesses": []
    }
}

To share access of a DataEntry with another User & remove public access:

POST /api/sharing?type=dataStore&id={dataStoreEntryId} with body

{
    "object": {
        "publicAccess": "--------",
        "externalAccess": false,
        "user": {},
        "userAccesses": [
            {
                "id": "{userId}",
                "access": "r-------"
            }
        ],
        "userGroupAccesses": []
    }
}

To share access with a UserGroup & remove public access use:

{
    "object": {
        "publicAccess": "--------",
        "externalAccess": false,
        "user": {},
        "userAccesses": [],
        "userGroupAccesses": [
            {
                "id": "{userGroupId}",
                "access": "r-------"
            }
        ]
    }
}

Copy link

codecov bot commented Nov 23, 2023

Codecov Report

Merging #15754 (7cfb8cb) into master (6971c94) will increase coverage by 0.00%.
Report is 7 commits behind head on master.
The diff coverage is 100.00%.

Additional details and impacted files
@@            Coverage Diff            @@
##             master   #15754   +/-   ##
=========================================
  Coverage     66.31%   66.31%           
- Complexity    31374    31380    +6     
=========================================
  Files          3481     3481           
  Lines        129925   129930    +5     
  Branches      15197    15199    +2     
=========================================
+ Hits          86162    86166    +4     
- Misses        36672    36673    +1     
  Partials       7091     7091           
Flag Coverage Δ
integration 50.06% <44.44%> (+<0.01%) ⬆️
integration-h2 32.39% <66.66%> (+<0.01%) ⬆️
unit 30.27% <0.00%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Coverage Δ
...g/hisp/dhis/datastore/DefaultDatastoreService.java 93.54% <100.00%> (+1.50%) ⬆️

... and 1 file with indirect coverage changes


Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 469dc9a...7cfb8cb. Read the comment docs.

@david-mackessy david-mackessy changed the title Dhis2 16134 feat: Add Sharing check for DatastoreEntry when no namespace protection [DHS2-16134] Nov 24, 2023
@david-mackessy david-mackessy changed the title feat: Add Sharing check for DatastoreEntry when no namespace protection [DHS2-16134] feat: Add Sharing check for GET DatastoreEntry when no namespace protection [DHS2-16134] Nov 24, 2023
Copy link

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

0.0% 0.0% Coverage
0.0% 0.0% Duplication

@david-mackessy david-mackessy marked this pull request as ready for review November 24, 2023 10:59
@david-mackessy david-mackessy changed the title feat: Add Sharing check for GET DatastoreEntry when no namespace protection [DHS2-16134] feat: Add ACL check when no namespace protection [DHS2-16134] Nov 24, 2023
@david-mackessy david-mackessy changed the title feat: Add ACL check when no namespace protection [DHS2-16134] feat: Add read ACL check when no namespace protection [DHS2-16134] Nov 24, 2023
@david-mackessy david-mackessy merged commit b3e8bf3 into master Nov 27, 2023
18 checks passed
@david-mackessy david-mackessy deleted the DHIS2-16134 branch November 27, 2023 11:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants