Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feature: Add ACL check when getting Datastore keys [DHIS2-15959] #15595

Merged
merged 23 commits into from
Nov 8, 2023
Merged

feature: Add ACL check when getting Datastore keys [DHIS2-15959] #15595

merged 23 commits into from
Nov 8, 2023

Conversation

david-mackessy
Copy link
Contributor

@david-mackessy david-mackessy commented Nov 3, 2023
edited
Loading

Summary

Add ACL (r-------) sharing check for User getting namespace keys from DataStore
3 endpoints impacted:

  • GET /api/dataStore/{namespace}/keys
  • GET /api/dataStore/{namespace}
  • GET /api/dataStore/{namespace}?fields={field} (with query params)

Change

  • add ACL filter to hql which includes these checks in the following order:
  1. User is superUser
  2. Sharing jsonb owner is null or matches User
  3. Sharing jsonb public is null or has metadata read access r-------
  4. Sharing jsonb users contains User ID
  5. Sharing jsonb userGroups contains User userGroup ID

Notes

The default public access for DatastoreEntry has been kept rw------
This work should have no adverse affect on existing implementations.
The Datastore docs already have the relevant information about default public access & sharing.

Testing

Automated

  • Integration tests added covering scenarios for /api/dataStore/{namespace} endpoint
  • e2e tests added covering scenarios for /api/dataStore/{namespace}/keys and /api/dataStore/{namespace} with query params endpoints

Manual

Any logged in User should be able to see all keys from a namespace using any of these endpoints:

  • GET /api/dataStore/{namespace}/keys
  • GET /api/dataStore/{namespace}
  • GET /api/dataStore/{namespace}?fields={field} (with query params)

A normal (non superuser) User with no explicit access should still be able to retrieve namespace keys for a namespace it has access to.
A normal User with explicit sharing access should be able to retrieve namespace keys, when the public access is removed.

To add an entry to a new namespace:

  • POST /api/dataStore/{myNamespace}/{myKey} with sample body
{
    "name": "test",
    "project": "dhis2"
}

To get the ID of a DataEntry use:
GET /api/dataStore/{namespace}/{key}/metaData

To remove public access of a DataEntry:

  • POST /api/sharing?type=dataStore&id={dataStoreEntryId} with body
{
    "object": {
        "publicAccess": "--------",
        "externalAccess": false,
        "user": {},
        "userAccesses": [],
        "userGroupAccesses": []
    }
}

To share access of a DataEntry with another User & remove public access:

  • POST /api/sharing?type=dataStore&id={dataStoreEntryId} with body
{
    "object": {
        "publicAccess": "--------",
        "externalAccess": false,
        "user": {},
        "userAccesses": [
            {
                "id": "{userId}",
                "access": "r-------"
            }
        ],
        "userGroupAccesses": []
    }
}

To share access with a UserGroup & remove public access use:

{
    "object": {
        "publicAccess": "--------",
        "externalAccess": false,
        "user": {},
        "userAccesses": [],
        "userGroupAccesses": [
            {
                "id": "{userGroupId}",
                "access": "r-------"
            }
        ]
    }
}

@david-mackessy
feature: Add failing tests before starting impl [DHIS2-15959]
6ab02c9
@david-mackessy
feature: Add more failing tests [DHIS2-15959]
c3a4f0f
@david-mackessy
Merge branch 'master' into DHIS2-15959
14f3eb0
@david-mackessy
pause work to look at separate issue
9a83e39
@david-mackessy
Merge branch 'master' into DHIS2-15959
60dffac
@david-mackessy
Merge branch 'master' into DHIS2-15959
4e45251
@david-mackessy
feature: working on tests [DHIS2-15959]
72d9975
@david-mackessy
feature: Small cleanup [DHIS2-15959]
b831f42
@david-mackessy
Merge branch 'master' into DHIS2-15959
4b87fe2
@david-mackessy
feature: Fix existing tests [DHIS2-15959]
d968db6
@david-mackessy
feature: clean up tests and add javadoc [DHIS2-15959]
c7f03a5
@david-mackessy
feature: Add test for /namespace/keys endpoint [DHIS2-15959]
e85ee27
@david-mackessy
Merge branch 'master' into DHIS2-15959
b743da1
@david-mackessy
feature: Fix broken tests to reflect new behaviour [DHIS2-15959]
c1aa219
@david-mackessy
feature: Fix test and add another [DHIS2-15959]
d77229d
@codecov Codecov
Copy link

codecov bot commented Nov 3, 2023
edited
Loading

Codecov Report

Merging #15595 (5e1d7ad) into master (6a47df8) will increase coverage by 0.00%.
Report is 1 commits behind head on master.
The diff coverage is 100.00%.

@@            Coverage Diff            @@
##             master   #15595   +/-   ##
=========================================
  Coverage     66.24%   66.25%           
- Complexity    31263    31265    +2     
=========================================
  Files          3485     3485           
  Lines        129790   129798    +8     
  Branches      15146    15146           
=========================================
+ Hits          85975    85992   +17     
+ Misses        36731    36724    -7     
+ Partials       7084     7082    -2
Flag Coverage Δ
integration 49.82% <100.00%> (+0.01%) ⬆️
integration-h2 32.43% <100.00%> (+0.01%) ⬆️
unit 30.34% <10.00%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Coverage Δ
...s/datastore/hibernate/HibernateDatastoreStore.java 98.24% <100.00%> (+0.20%) ⬆️
...c/main/java/org/hisp/dhis/query/JpaQueryUtils.java 82.70% <100.00%> (+3.16%) ⬆️
...hema/descriptors/KeyJsonValueSchemaDescriptor.java 100.00% <100.00%> (ø)

... and 5 files with indirect coverage changes

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f93bc5c...5e1d7ad. Read the comment docs.

@david-mackessy david-mackessy changed the title feature: Add User access check when getting Datastore keys [DHIS2-15959] feature: Add ACL check when getting Datastore keys [DHIS2-15959] Nov 8, 2023
@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Nov 8, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

0.0% 0.0% Coverage
0.0% 0.0% Duplication

@david-mackessy david-mackessy enabled auto-merge (squash) November 8, 2023 12:24
@david-mackessy david-mackessy merged commit 1a07024 into master Nov 8, 2023
16 checks passed
@david-mackessy david-mackessy deleted the DHIS2-15959 branch November 8, 2023 12:25
This was referenced Jan 24, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vietnguyen vietnguyen vietnguyen approved these changes

@jbee jbee jbee approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@david-mackessy @jbee @vietnguyen