feat: Add read ACL check when no namespace protection [DHS2-16134]

[david-mackessy]

Summary

This feature adds an ACL check to DatastoreService#readProtectedIn when there is no namespace protection. The following endpoints can be used to test the feature:

• GET /api/dataStore/{namespace}/{key}
• GET /api/dataStore/{namespace}/{key}/metaData

Background

There was already an existing read Sharing check performed for namespace entries that had namespace protection.
The read check has been updated to incorporate scenarios where there is no namespace protection in place (namespace protection is only setup programmatically currently. All namespaces setup through the API will not have any namespace protection).

DatastoreEntry Read criteria when no namespace protection

• Superuser can always read
• Any user can read by default (no Sharing changes made)
• Public access removed & User is not the owner
  • User cannot access
  • User can access when User added to Shared Users
  • User can access when User UserGroup added to Shared UserGroups

Testing

Automated

• Multiple e2e tests added to cover different scenarios

Manual

To manually test this feature, the following endpoints can be used:

• GET /api/dataStore/{namespace}/{key}
• GET /api/dataStore/{namespace}/{key}/metaData

To add an entry to a new namespace:

POST /api/dataStore/{myNamespace}/{myKey} with sample body

{
    "name": "test",
    "project": "dhis2"
}

To get the ID of a DataEntry use:
GET /api/dataStore/{namespace}/{key}/metaData

To remove public access of a DataEntry:

POST /api/sharing?type=dataStore&id={dataStoreEntryId} with body

{
    "object": {
        "publicAccess": "--------",
        "externalAccess": false,
        "user": {},
        "userAccesses": [],
        "userGroupAccesses": []
    }
}

To share access of a DataEntry with another User & remove public access:

POST /api/sharing?type=dataStore&id={dataStoreEntryId} with body

{
    "object": {
        "publicAccess": "--------",
        "externalAccess": false,
        "user": {},
        "userAccesses": [
            {
                "id": "{userId}",
                "access": "r-------"
            }
        ],
        "userGroupAccesses": []
    }
}

To share access with a UserGroup & remove public access use:

{
    "object": {
        "publicAccess": "--------",
        "externalAccess": false,
        "user": {},
        "userAccesses": [],
        "userGroupAccesses": [
            {
                "id": "{userGroupId}",
                "access": "r-------"
            }
        ]
    }
}

[codecov]

Codecov Report

Merging #15754 (7cfb8cb) into master (6971c94) will increase coverage by 0.00%.
Report is 7 commits behind head on master.
The diff coverage is 100.00%.

Additional details and impacted files

@@            Coverage Diff            @@
##             master   #15754   +/-   ##
=========================================
  Coverage     66.31%   66.31%           
- Complexity    31374    31380    +6     
=========================================
  Files          3481     3481           
  Lines        129925   129930    +5     
  Branches      15197    15199    +2     
=========================================
+ Hits          86162    86166    +4     
- Misses        36672    36673    +1     
  Partials       7091     7091           

Flag	Coverage Δ
integration	50.06% <44.44%> (+<0.01%)	⬆️
integration-h2	32.39% <66.66%> (+<0.01%)	⬆️
unit	30.27% <0.00%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files	Coverage Δ
...g/hisp/dhis/datastore/DefaultDatastoreService.java	93.54% <100.00%> (+1.50%)	⬆️

... and 1 file with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 469dc9a...7cfb8cb. Read the comment docs.

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

0.0% Coverage
0.0% Duplication