Access Control & Authorization

Access Control & Authorization

Proving the identity of a user isn’t the end of an application’s responsibilities: you must also verify the user is allowed to perform the actions they’re attempting. Conflating authentication (the act of identifying users) with authorization (the act of verifying their level of access within the system) is one of the most common ways applications have been breached in the recent past. Don’t fall victim to simple oversights and instead keep your application – and your users – safe.

46093583d8895095adb1b0071c505af2?s=128

Eric Mann

May 21, 2019
Tweet

Transcript

  1. 2.

    Hello. Adam Englander Architect, iovation Ijeoma Ezeonyebuchi Mobile Quality Assurance

    Engineer, NPR Eric Mann Director of Engineering, Vacasa
  2. 4.

    Terminology Authorization is the function of specifying access rights/privileges to

    resources. (Wikipedia) Authentication is the act of confirming the truth of an attribute of a single piece of data claimed true by an entity. (Wikipedia)
  3. 6.

    For example ... if (! isset($_SESSION['user_id'])) { header('HTTP/1.1 403 Forbidden');

    exit; } $filename = basename($_POST['filename']); $file = sprintf('/var/www/support/uploads/%s', $filename); if (file_exists($file)) { header('Content-Description: File Transfer'); header('Content-Type: application/octet-stream'); header(sprintf('Content-Disposition: attachment; filename="%s"', $filename)); header(sprintf('Content-Length: %d', filesize($file))); readfile($file); exit; }
  4. 7.

    For example ... if (! isset($_SESSION['user_id'])) { header('HTTP/1.1 403 Forbidden');

    exit; } $filename = basename($_POST['filename']); $file = sprintf('/var/www/support/uploads/%s', $filename); if (file_exists($file)) { header('Content-Description: File Transfer'); header('Content-Type: application/octet-stream'); header(sprintf('Content-Disposition: attachment; filename="%s"', $filename)); header(sprintf('Content-Length: %d', filesize($file))); readfile($file); exit; }
  5. 9.

    Authorization -vs- Authentication Authentication - proving a user is who

    they say they are Authorization - proving a user is allowed to do what they are attempting to do
  6. 10.

    Authorization -vs- Access Control Authorization - proving a user is

    allowed to do what they are attempting to do Access Control - actually enforcing authorization controls on systems or resources
  7. 12.

    Role-based Access Control (RBAC) RBAC separates the concepts of Users,

    Roles and Permissions. Roles are defined in a system, then Permissions defined separately. Then the security administrator decides what role should be permitted to do what action, by assigning that role to the permission. Finally users are assigned to roles. The system does the rest. (PHP-RBAC)
  8. 13.

    Role-based Access Control Users are each assigned to one or

    more role Each role will have one or more permission Operations are restricted based on role membership (Based on the permissions that role grants)
  9. 15.

    For example ... if (! isset($_SESSION['user_id'])) { header('HTTP/1.1 403 Forbidden');

    exit; } $rbac = new \PhpRbac\Rbac(); $rbac->enforce('downloads_manager', 105); $filename = basename($_POST['filename']); $file = sprintf('/var/www/support/uploads/%s', $filename); if (file_exists($file)) { header('Content-Description: File Transfer'); header('Content-Type: application/octet-stream'); header(sprintf('Content-Disposition: attachment; filename="%s"', $filename)); // ...
  10. 16.

    For example ... if (! isset($_SESSION['user_id'])) { header('HTTP/1.1 403 Forbidden');

    exit; } $rbac = new \PhpRbac\Rbac(); $rbac->enforce('downloads_manager', $_SESSION['user_id']); $filename = basename($_POST['filename']); $file = sprintf('/var/www/support/uploads/%s', $filename); if (file_exists($file)) { header('Content-Description: File Transfer'); header('Content-Type: application/octet-stream'); header(sprintf('Content-Disposition: attachment; filename="%s"', $filename)); // ...
  11. 17.

    Attribute-based Access Control (ABAC) Attribute-based access control, also known as

    Policy-based access control, defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together. (Wikipedia)
  12. 18.

    Attribute-based Access Control Users can still be assigned to one

    or more role Resources (and users) have specific attributes Users (or roles) have applied policies that use these attributes to allow or block access Policies are evaluated at request time based on current attributes
  13. 20.

    For example ... if (! isset($_SESSION['user_id'])) { header('HTTP/1.1 403 Forbidden');

    exit; } $user = new \User($_SESSION['user_id']); $filename = basename($_POST['filename']); $download = new \Download($filename); $abac = \PhpAbac\AbacFactory::getAbac(); $attributes = ['dynamic-attributes' => ['report-author' => $user->getId()]]; if ($abac->enforce('downloads-access', $user, $download, $attributes) !== true) { header('HTTP/1.1 403 Forbidden'); exit; } // ...
  14. 21.

    For example ... if (! isset($_SESSION['user_id'])) { header('HTTP/1.1 403 Forbidden');

    exit; } $user = new \User($_SESSION['user_id']); $filename = basename($_POST['filename']); $download = new \Download($filename); $abac = \PhpAbac\AbacFactory::getAbac(); $attributes = ['dynamic-attributes' => ['report-author' => $user->getId()]]; if ($abac->enforce('downloads-access', $user, $download, $attributes) !== true) { header('HTTP/1.1 403 Forbidden'); exit; } // ...
  15. 22.

    For example ... if (! isset($_SESSION['user_id'])) { header('HTTP/1.1 403 Forbidden');

    exit; } $user = new \User($_SESSION['user_id']); $filename = basename($_POST['filename']); $download = new \Download($filename); $abac = \PhpAbac\AbacFactory::getAbac(); $attributes = ['dynamic-attributes' => ['report-author' => $user->getId()]]; if ($abac->enforce('downloads-access', $user, $download, $attributes) !== true) { header('HTTP/1.1 403 Forbidden'); exit; } // ...
  16. 23.

    Risk-based Access Control In general, built upon an attribute-based system

    Leverages attributes that quantify risk • How did the user authenticate? • When and from where did they authenticate? • How risky is the operation being performed? Effectively adds environmental info to the system
  17. 24.

    Final Items to Consider What does your application do? Who

    has access to the application? What is the potential impact of a breach? What is your overall threat model?