Upgrade to Pro — share decks privately, control downloads, hide ads and more …

REST Easy — API Security Done Right

Jeff Schenck
September 07, 2015
Programming
2
790

REST Easy — API Security Done Right

As frontend web frameworks like AngularJS and Backbone.js become more common, running a REST API using Django and Django REST Framework is becoming unavoidable, and security is absolutely critical. I'll show you the tools we're working with and how to wrangle them. I'll also talk about where we need to take these tools to make the world safe for Django and frontend frameworks.

2015-09-07 — DjangoCon 2015 — https://2015.djangocon.us/schedule/presentation/76/

Jeff Schenck

September 07, 2015
Tweet

More Decks by Jeff Schenck

See All by Jeff Schenck
Vue Reactivity: Learning By Accident
jeffschenck
1
81
Development with Ansible & VMs
jeffschenck
2
340

Other Decks in Programming

See All in Programming
良いユニットテストを書こう
mototakatsu
11
3.5k
Внедряем бюджетирование, или Как сделать хорошо?
lamodatech
0
850
htmxって知っていますか?次世代のHTML
hiro_ghap1
0
390
20年もののレガシープロダクトに 0からPHPStanを入れるまで / phpcon2024
hirobe1999
0
960
生成AIでGitHubソースコード取得して仕様書を作成
shukob
0
600
見えないメモリを観測する: PHP 8.4 `pg_result_memory_size()` とSQL結果のメモリ管理
kentaroutakeda
0
880
Beyond ORM
77web
11
1.5k
各クラウドサービスにおける.NETの対応と見解
ymd65536
0
230
テストケースの名前はどうつけるべきか?
orgachem
PRO
1
180
命名をリントする
chiroruxx
1
550
KubeCon + CloudNativeCon NA 2024 Overview at Kubernetes Meetup Tokyo #68 / amsy810_k8sjp68
masayaaoyama
0
290
歴史と現在から考えるスケーラブルなソフトウェア開発のプラクティス
i10416
0
230

Featured

See All Featured
We Have a Design System, Now What?
morganepeng
51
7.3k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Git: the NoSQL Database
bkeepers
PRO
427
64k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
27
1.5k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5.1k
Documentation Writing (for coders)
carmenintech
67
4.5k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
VelocityConf: Rendering Performance Case Studies
addyosmani
327
24k
For a Future-Friendly Web
brad_frost
176
9.5k
A better future with KSS
kneath
238
17k

Transcript

  1. REST Easy

  2. REST Easy 1. WHY REST 2. STATE OF REST 3.

    REST SECURITY 4. REST WELL TODAY 5. REST EASY TOMORROW

  3. REST Easy 2. STATE OF REST 1. WHY REST 3.

    REST SECURITY 4. REST WELL TODAY 5. REST EASY TOMORROW

  4. REST Easy 3. REST SECURITY 1. WHY REST 2. STATE

    OF REST 4. REST WELL TODAY 5. REST EASY TOMORROW

  5. REST Easy 4. REST WELL TODAY 1. WHY REST 2.

    STATE OF REST 3. REST SECURITY 5. REST EASY TOMORROW

  6. REST Easy 5. REST EASY TOMORROW 1. WHY REST 2.

    STATE OF REST 3. REST SECURITY 4. REST WELL TODAY

  7. REST Easy 1. WHY REST 2. STATE OF REST 3.

    REST SECURITY 4. REST WELL TODAY 5. REST EASY TOMORROW

  8. ¯ SIMPLE ANSWER

  9. REST Easy

  10. ¯ NUANCED ANSWER

  11. REST Easy Display App Logic Datastores

  12. REST Easy Display FRONTEND BACKEND App Logic Datastores

  13. REST Easy FRONTEND BACKEND ← HTML • CSS • JavaScript

    Forms → ← → Display App Logic Datastores

  14. REST Easy FRONTEND BACKEND ← → ← HTML • CSS

    • JavaScript Forms • AJAX → Display App Logic Datastores

  15. REST Easy FRONTEND BACKEND ← → ← HTML • CSS

    • JavaScript Forms • AJAX → Display App Logic Datastores

  16. REST Easy FRONTEND BACKEND ← → ← HTML • CSS

    • JavaScript ← REST → Display App Logic Datastores

  17. REST Easy 2. STATE OF REST 1. WHY REST 3.

    REST SECURITY 4. REST WELL TODAY 5. REST EASY TOMORROW

  18. REST Easy DJANGO REST FRAMEWORK

  19. REST Easy SERIALIZERS class CatSerializer(serializers.ModelSerializer): class Meta: model = Cat

    fields = ['id', 'age', 'hair', 'grumpiness',]

  20. REST Easy VIEWS class CatViewSet(viewsets.ModelViewSet): queryset = Cat.objects.all() serializer_class =

    CatSerializer

  21. REST Easy AUTHENTICATION REST_FRAMEWORK = { 'DEFAULT_AUTHENTICATION_CLASSES': ( 'rest_framework.authentication.BasicAuthentication', 'rest_framework.authentication.SessionAuthentication',

    ) }

  22. REST Easy PERMISSIONS class CatPermission(permissions.BasePermission): def has_permission(self, request, view): return

    request.is_cat_you_are_looking_for()

  23. REST Easy 3. REST SECURITY 1. WHY REST 2. STATE

    OF REST 4. REST WELL TODAY 5. REST EASY TOMORROW

  24. REST Easy FRONTEND BACKEND ← → Display App Logic Datastores

  25. REST Easy FRONTEND BACKEND ← → Display App Logic Datastores

  26. REST Easy INSECURE SECURE ← → Display App Logic Datastores

  27. REST Easy INSECURE SECURE ← → Display App Logic Datastores

  28. REST Easy AUTHENTICATION • HTTP Basic Auth

  29. REST Easy AUTHENTICATION • HTTP Basic Auth • Django Session

    Auth

  30. REST Easy AUTHENTICATION • HTTP Basic Auth • Django Session

    Auth • Token Auth

  31. REST Easy AUTHENTICATION • HTTP Basic Auth • Django Session

    Auth • Token Auth • OAuth

  32. REST Easy AUTHENTICATION • HTTP Basic Auth • Django Session

    Auth • Token Auth • OAuth • JSON Web Token Auth

  33. REST Easy PERMISSIONS • Table Permissions

  34. REST Easy PERMISSIONS • Table Permissions • Row Permissions

  35. REST Easy PERMISSIONS • Table Permissions • Row Permissions •

    Column Permissions

  36. REST Easy PERMISSIONS • Table Permissions • Row Permissions •

    Column Permissions • HTTP Verb Permissions

  37. REST Easy 4. REST WELL TODAY 1. WHY REST 2.

    STATE OF REST 3. REST SECURITY 5. REST EASY TOMORROW

  38. ¯ SMALL COMPOSABLE PERMISSIONS

  39. REST Easy HTTP VERBS class IsPOST(permissions.BasePermission): def has_permission(self, request, view):

    return request.method == 'POST' class IsPATCH(permissions.BasePermission): def has_permission(self, request, view): return request.method == 'PATCH' # Other HTTP verbs...

  40. REST Easy HTTP VERBS class IsPOST(permissions.BasePermission): def has_permission(self, request, view):

    return request.method == 'POST' class IsPATCH(permissions.BasePermission): def has_permission(self, request, view): return request.method == 'PATCH' # Other HTTP verbs...

  41. REST Easy HTTP VERBS class IsPOST(permissions.BasePermission): def has_permission(self, request, view):

    return request.method == 'POST' class IsPATCH(permissions.BasePermission): def has_permission(self, request, view): return request.method == 'PATCH' # Other HTTP verbs...

  42. REST Easy HTTP VERBS class IsPOST(permissions.BasePermission): def has_permission(self, request, view):

    return request.method == 'POST' class IsPATCH(permissions.BasePermission): def has_permission(self, request, view): return request.method == 'PATCH' # Other HTTP verbs...

  43. REST Easy HTTP VERBS class IsPOST(permissions.BasePermission): def has_permission(self, request, view):

    return request.method == 'POST' class IsPATCH(permissions.BasePermission): def has_permission(self, request, view): return request.method == 'PATCH' # Other HTTP verbs...

  44. REST Easy HTTP VERBS class IsPOST(permissions.BasePermission): def has_permission(self, request, view):

    return request.method == 'POST' class IsPATCH(permissions.BasePermission): def has_permission(self, request, view): return request.method == 'PATCH' # Other HTTP verbs...

  45. REST Easy USER STATUS class IsAuthenticated(permissions.BasePermission): def has_permission(self, request, view):

    return request.user.is_authenticated() class IsSuperuser(permissions.BasePermission): def has_permission(self, request, view): return request.user.is_authenticated() and \ request.user.is_superuser # Other authentication methods...

  46. REST Easy USER STATUS class IsAuthenticated(permissions.BasePermission): def has_permission(self, request, view):

    return request.user.is_authenticated() class IsSuperuser(permissions.BasePermission): def has_permission(self, request, view): return request.user.is_authenticated() and \ request.user.is_superuser # Other authentication methods...

  47. REST Easy USER STATUS class IsAuthenticated(permissions.BasePermission): def has_permission(self, request, view):

    return request.user.is_authenticated() class IsSuperuser(permissions.BasePermission): def has_permission(self, request, view): return request.user.is_authenticated() and \ request.user.is_superuser # Other authentication methods...

  48. REST Easy USER STATUS class IsAuthenticated(permissions.BasePermission): def has_permission(self, request, view):

    return request.user.is_authenticated() class IsSuperuser(permissions.BasePermission): def has_permission(self, request, view): return request.user.is_authenticated() and \ request.user.is_superuser # Other authentication methods...

  49. REST Easy USER STATUS class IsAuthenticated(permissions.BasePermission): def has_permission(self, request, view):

    return request.user.is_authenticated() class IsSuperuser(permissions.BasePermission): def has_permission(self, request, view): return request.user.is_authenticated() and \ request.user.is_superuser # Other authentication methods...

  50. REST Easy USER STATUS class IsAuthenticated(permissions.BasePermission): def has_permission(self, request, view):

    return request.user.is_authenticated() class IsSuperuser(permissions.BasePermission): def has_permission(self, request, view): return request.user.is_authenticated() and \ request.user.is_superuser # Other authentication methods...

  51. REST Easy OWNERSHIP class IsCatOwner(permissions.BasePermission): def has_permission(self, request, view): #

    WARNING: List-level permissions in get_queryset return True def has_object_permission(self, request, view, obj): return obj.owner == request.user # Ownership for other objects...

  52. REST Easy OWNERSHIP class IsCatOwner(permissions.BasePermission): def has_permission(self, request, view): #

    WARNING: List-level permissions in get_queryset return True def has_object_permission(self, request, view, obj): return obj.owner == request.user # Ownership for other objects...

  53. REST Easy OWNERSHIP class IsCatOwner(permissions.BasePermission): def has_permission(self, request, view): #

    WARNING: List-level permissions in get_queryset return True def has_object_permission(self, request, view, obj): return obj.owner == request.user # Ownership for other objects...

  54. REST Easy OWNERSHIP class IsCatOwner(permissions.BasePermission): def has_permission(self, request, view): #

    WARNING: List-level permissions in get_queryset return True def has_object_permission(self, request, view, obj): return obj.owner == request.user # Ownership for other objects...

  55. REST Easy OWNERSHIP class IsCatOwner(permissions.BasePermission): def has_permission(self, request, view): #

    WARNING: List-level permissions in get_queryset return True def has_object_permission(self, request, view, obj): return obj.owner == request.user # Ownership for other objects...

  56. REST Easy OWNERSHIP class IsCatOwner(permissions.BasePermission): def has_permission(self, request, view): #

    WARNING: List-level permissions in get_queryset return True def has_object_permission(self, request, view, obj): return obj.owner == request.user # Ownership for other objects...

  57. ¯ PERMISSION POWER TOOLS

  58. REST Easy FIELD RESTRICTION def IsFields(*fields): class IsFieldsPermission(permissions.BasePermission): _fields =

    set(fields) def has_permission(self, request, view): return set(request.data.keys()) <= self._fields def has_object_permission(self, request, view, obj): return set(request.data.keys()) <= self._fields return IsFieldsPermission

  59. REST Easy FIELD RESTRICTION def IsFields(*fields): class IsFieldsPermission(permissions.BasePermission): _fields =

    set(fields) def has_permission(self, request, view): return set(request.data.keys()) <= self._fields def has_object_permission(self, request, view, obj): return set(request.data.keys()) <= self._fields return IsFieldsPermission

  60. REST Easy FIELD RESTRICTION def IsFields(*fields): class IsFieldsPermission(permissions.BasePermission): _fields =

    set(fields) def has_permission(self, request, view): return set(request.data.keys()) <= self._fields def has_object_permission(self, request, view, obj): return set(request.data.keys()) <= self._fields return IsFieldsPermission

  61. REST Easy FIELD RESTRICTION def IsFields(*fields): class IsFieldsPermission(permissions.BasePermission): _fields =

    set(fields) def has_permission(self, request, view): return set(request.data.keys()) <= self._fields def has_object_permission(self, request, view, obj): return set(request.data.keys()) <= self._fields return IsFieldsPermission

  62. REST Easy FIELD RESTRICTION def IsFields(*fields): class IsFieldsPermission(permissions.BasePermission): _fields =

    set(fields) def has_permission(self, request, view): return set(request.data.keys()) <= self._fields def has_object_permission(self, request, view, obj): return set(request.data.keys()) <= self._fields return IsFieldsPermission

  63. REST Easy FIELD RESTRICTION def IsFields(*fields): class IsFieldsPermission(permissions.BasePermission): _fields =

    set(fields) def has_permission(self, request, view): return set(request.data.keys()) <= self._fields def has_object_permission(self, request, view, obj): return set(request.data.keys()) <= self._fields return IsFieldsPermission

  64. REST Easy FIELD RESTRICTION def IsFields(*fields): class IsFieldsPermission(permissions.BasePermission): _fields =

    set(fields) def has_permission(self, request, view): return set(request.data.keys()) <= self._fields def has_object_permission(self, request, view, obj): return set(request.data.keys()) <= self._fields return IsFieldsPermission

  65. REST Easy FIELD RESTRICTION def IsFields(*fields): class IsFieldsPermission(permissions.BasePermission): _fields =

    set(fields) def has_permission(self, request, view): return set(request.data.keys()) <= self._fields def has_object_permission(self, request, view, obj): return set(request.data.keys()) <= self._fields return IsFieldsPermission

  66. REST Easy FIELD RESTRICTION def IsFields(*fields): class IsFieldsPermission(permissions.BasePermission): _fields =

    set(fields) def has_permission(self, request, view): return set(request.data.keys()) <= self._fields def has_object_permission(self, request, view, obj): return set(request.data.keys()) <= self._fields return IsFieldsPermission

  67. REST Easy REST CONDITION from rest_condition import And, Or, Not

    combined = Or( And(FooPerm, Not(BarPerm)), BazPerm, )

  68. REST Easy REST CONDITION from rest_condition import And, Or, Not

    combined = Or( And(FooPerm, Not(BarPerm)), BazPerm, )

  69. REST Easy REST CONDITION from rest_condition import And, Or, Not

    combined = Or( And(FooPerm, Not(BarPerm)), BazPerm, )

  70. REST Easy REST CONDITION from rest_condition import And, Or, Not

    combined = Or( And(FooPerm, Not(BarPerm)), BazPerm, )

  71. REST Easy REST CONDITION from rest_condition import And, Or, Not

    combined = Or( And(FooPerm, Not(BarPerm)), BazPerm, )

  72. REST Easy REST CONDITION from rest_condition import And, Or, Not

    combined = Or( And(FooPerm, Not(BarPerm)), BazPerm, )

  73. ¯ BUILD COMPLEX PERMISSIONS

  74. REST Easy COMPLEX PERMISSIONS class CatViewSet(viewsets.ModelViewSet): permission_classes = [Or( And(

    Or(IsGET, IsHEAD, IsOPTIONS), IsAuthenticated, ), And( Or(IsPOST, IsPATCH), IsCatOwner, IsFields('hair', 'grumpiness'), ), IsSuperuser, )]

  75. REST Easy COMPLEX PERMISSIONS class CatViewSet(viewsets.ModelViewSet): permission_classes = [Or( And(

    Or(IsGET, IsHEAD, IsOPTIONS), IsAuthenticated, ), And( Or(IsPOST, IsPATCH), IsCatOwner, IsFields('hair', 'grumpiness'), ), IsSuperuser, )]

  76. REST Easy COMPLEX PERMISSIONS class CatViewSet(viewsets.ModelViewSet): permission_classes = [Or( And(

    Or(IsGET, IsHEAD, IsOPTIONS), IsAuthenticated, ), And( Or(IsPOST, IsPATCH), IsCatOwner, IsFields('hair', 'grumpiness'), ), IsSuperuser, )]

  77. REST Easy COMPLEX PERMISSIONS class CatViewSet(viewsets.ModelViewSet): permission_classes = [Or( And(

    Or(IsGET, IsHEAD, IsOPTIONS), IsAuthenticated, ), And( Or(IsPOST, IsPATCH), IsCatOwner, IsFields('hair', 'grumpiness'), ), IsSuperuser, )]

  78. REST Easy COMPLEX PERMISSIONS class CatViewSet(viewsets.ModelViewSet): permission_classes = [Or( And(

    Or(IsGET, IsHEAD, IsOPTIONS), IsAuthenticated, ), And( Or(IsPOST, IsPATCH), IsCatOwner, IsFields('hair', 'grumpiness'), ), IsSuperuser, )]

  79. REST Easy COMPLEX PERMISSIONS class CatViewSet(viewsets.ModelViewSet): permission_classes = [Or( And(

    Or(IsGET, IsHEAD, IsOPTIONS), IsAuthenticated, ), And( Or(IsPOST, IsPATCH), IsCatOwner, IsFields('hair', 'grumpiness'), ), IsSuperuser, )]

  80. REST Easy COMPLEX PERMISSIONS class CatViewSet(viewsets.ModelViewSet): permission_classes = [Or( And(

    Or(IsGET, IsHEAD, IsOPTIONS), IsAuthenticated, ), And( Or(IsPOST, IsPATCH), IsCatOwner, IsFields('hair', 'grumpiness'), ), IsSuperuser, )]

  81. REST Easy 5. REST EASY TOMORROW 1. WHY REST 2.

    STATE OF REST 3. REST SECURITY 4. REST WELL TODAY

  82. ¯ SECURITY PROBLEMS

  83. REST Easy REST SECURITY ISSUES • Endpoint-based

  84. REST Easy REST SECURITY ISSUES • Endpoint-based • Scattered code

  85. REST Easy REST SECURITY ISSUES • Endpoint-based • Scattered code

    • Batteries not included

  86. REST Easy REST SECURITY ISSUES • Endpoint-based • Scattered code

    • Batteries not included • Default-confused

  87. ¯ IMAGINE A WORLD...

  88. REST Easy EASY PERMISSIONS class AnonymousUser(rest_permissions.Role): def is_active(self, request): return

    request.user.is_anonymous() def get_permissions(self): return { 'api.cats.CatViewSet': { 'list': True, 'retrieve': True, }, # Other permissions for cat owners... }

  89. REST Easy EASY PERMISSIONS class AnonymousUser(rest_permissions.Role): def is_active(self, request): return

    request.user.is_anonymous() def get_permissions(self): return { 'api.cats.CatViewSet': { 'list': True, 'retrieve': True, }, # Other permissions for cat owners... }

  90. REST Easy EASY PERMISSIONS class AnonymousUser(rest_permissions.Role): def is_active(self, request): return

    request.user.is_anonymous() def get_permissions(self): return { 'api.cats.CatViewSet': { 'list': True, 'retrieve': True, }, # Other permissions for cat owners... }

  91. REST Easy EASY PERMISSIONS class AnonymousUser(rest_permissions.Role): def is_active(self, request): return

    request.user.is_anonymous() def get_permissions(self): return { 'api.cats.CatViewSet': { 'list': True, 'retrieve': True, }, # Other permissions for cat owners... }

  92. REST Easy EASY PERMISSIONS class AnonymousUser(rest_permissions.Role): def is_active(self, request): return

    request.user.is_anonymous() def get_permissions(self): return { 'api.cats.CatViewSet': { 'list': True, 'retrieve': True, }, # Other permissions for cat owners... }

  93. REST Easy EASY PERMISSIONS class AnonymousUser(rest_permissions.Role): def is_active(self, request): return

    request.user.is_anonymous() def get_permissions(self): return { 'api.cats.CatViewSet': { 'list': True, 'retrieve': True, }, # Other permissions for cat owners... }

  94. REST Easy EASY PERMISSIONS class AnonymousUser(rest_permissions.Role): def is_active(self, request): return

    request.user.is_anonymous() def get_permissions(self): return { 'api.cats.CatViewSet': { 'list': True, 'retrieve': True, }, # Other permissions for cat owners... }

  95. REST Easy EASY PERMISSIONS class AnonymousUser(rest_permissions.Role): def is_active(self, request): return

    request.user.is_anonymous() def get_permissions(self): return { 'api.cats.CatViewSet': { 'list': True, 'retrieve': True, }, # Other permissions for cat owners... }

  96. REST Easy EASY PERMISSIONS class AnonymousUser(rest_permissions.Role): def is_active(self, request): return

    request.user.is_anonymous() def get_permissions(self): return { 'api.cats.CatViewSet': { 'list': True, 'retrieve': True, }, # Other permissions for cat owners... }

  97. REST Easy Jeff Schenck CTO & Co-Founder twitter @jeffschenck email

    jeff@chewse.com