Upgrade to Pro — share decks privately, control downloads, hide ads and more …

REST Easy — API Security Done Right

Jeff Schenck
September 07, 2015
Programming
2
770

REST Easy — API Security Done Right

As frontend web frameworks like AngularJS and Backbone.js become more common, running a REST API using Django and Django REST Framework is becoming unavoidable, and security is absolutely critical. I'll show you the tools we're working with and how to wrangle them. I'll also talk about where we need to take these tools to make the world safe for Django and frontend frameworks.

2015-09-07 — DjangoCon 2015 — https://2015.djangocon.us/schedule/presentation/76/

Jeff Schenck

September 07, 2015
Tweet

More Decks by Jeff Schenck

See All by Jeff Schenck
Vue Reactivity: Learning By Accident
jeffschenck
1
73
Development with Ansible & VMs
jeffschenck
2
330

Other Decks in Programming

See All in Programming
Amazon SQSコンシューマー疎結合への旅 - 出張! #DevelopersIO IT技術ブログの中の人が語る勉強会 #3
quiver
0
280
OpenAPIを中心に考えるAPI開発入門 / Introduction to API Development with a Focus on OpenAPI
seike460
PRO
2
170
コーンフレークから始める モデリング会話入門
ogurotakayuki
0
380
try! Swift Tokyo 2024 参加報告 / try! Swift Tokyo 2024 Report
hironytic
0
210
GitHub Copilotのススメ
marcy731
1
200
はてなにおける CSS Modules、及び CSS Modules に足りないもの / CSS Modules in Hatena, and CSS Modules missing parts
mizdra
7
950
Scalable Customer Journey Orchestration (CJO)
lewuathe
0
350
ゆるい個人開発のススメ
kuroppe1819
10
1k
Git Rebase
bkuhlmann
11
1.6k
Goのmultiple errorsについて (2024年4月版)
syumai
4
1k
AmperとFleetを使ったAndroidアプリ
yoppie
0
220
PHPの次期バージョンはこの時期どうなっているのか - Internalsの開発体制について - PHPカンファレンス小田原
youkidearitai
PRO
1
190

Featured

See All Featured
Building Adaptive Systems
keathley
31
1.9k
4 Signs Your Business is Dying
shpigford
175
21k
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.5k
What's new in Ruby 2.0
geeforr
337
31k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
25
2.3k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
227
16k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
14
1.6k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
187
16k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
7
1k
10 Git Anti Patterns You Should be Aware of
lemiorhan
648
58k
Writing Fast Ruby
sferik
621
60k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k

Transcript

  1. REST Easy

  2. REST Easy 1. WHY REST 2. STATE OF REST 3.

    REST SECURITY 4. REST WELL TODAY 5. REST EASY TOMORROW

  3. REST Easy 2. STATE OF REST 1. WHY REST 3.

    REST SECURITY 4. REST WELL TODAY 5. REST EASY TOMORROW

  4. REST Easy 3. REST SECURITY 1. WHY REST 2. STATE

    OF REST 4. REST WELL TODAY 5. REST EASY TOMORROW

  5. REST Easy 4. REST WELL TODAY 1. WHY REST 2.

    STATE OF REST 3. REST SECURITY 5. REST EASY TOMORROW

  6. REST Easy 5. REST EASY TOMORROW 1. WHY REST 2.

    STATE OF REST 3. REST SECURITY 4. REST WELL TODAY

  7. REST Easy 1. WHY REST 2. STATE OF REST 3.

    REST SECURITY 4. REST WELL TODAY 5. REST EASY TOMORROW

  8. ¯ SIMPLE ANSWER

  9. REST Easy

  10. ¯ NUANCED ANSWER

  11. REST Easy Display App Logic Datastores

  12. REST Easy Display FRONTEND BACKEND App Logic Datastores

  13. REST Easy FRONTEND BACKEND ← HTML • CSS • JavaScript

    Forms → ← → Display App Logic Datastores

  14. REST Easy FRONTEND BACKEND ← → ← HTML • CSS

    • JavaScript Forms • AJAX → Display App Logic Datastores

  15. REST Easy FRONTEND BACKEND ← → ← HTML • CSS

    • JavaScript Forms • AJAX → Display App Logic Datastores

  16. REST Easy FRONTEND BACKEND ← → ← HTML • CSS

    • JavaScript ← REST → Display App Logic Datastores

  17. REST Easy 2. STATE OF REST 1. WHY REST 3.

    REST SECURITY 4. REST WELL TODAY 5. REST EASY TOMORROW

  18. REST Easy DJANGO REST FRAMEWORK

  19. REST Easy SERIALIZERS class CatSerializer(serializers.ModelSerializer): class Meta: model = Cat

    fields = ['id', 'age', 'hair', 'grumpiness',]

  20. REST Easy VIEWS class CatViewSet(viewsets.ModelViewSet): queryset = Cat.objects.all() serializer_class =

    CatSerializer

  21. REST Easy AUTHENTICATION REST_FRAMEWORK = { 'DEFAULT_AUTHENTICATION_CLASSES': ( 'rest_framework.authentication.BasicAuthentication', 'rest_framework.authentication.SessionAuthentication',

    ) }

  22. REST Easy PERMISSIONS class CatPermission(permissions.BasePermission): def has_permission(self, request, view): return

    request.is_cat_you_are_looking_for()

  23. REST Easy 3. REST SECURITY 1. WHY REST 2. STATE

    OF REST 4. REST WELL TODAY 5. REST EASY TOMORROW

  24. REST Easy FRONTEND BACKEND ← → Display App Logic Datastores

  25. REST Easy FRONTEND BACKEND ← → Display App Logic Datastores

  26. REST Easy INSECURE SECURE ← → Display App Logic Datastores

  27. REST Easy INSECURE SECURE ← → Display App Logic Datastores

  28. REST Easy AUTHENTICATION • HTTP Basic Auth

  29. REST Easy AUTHENTICATION • HTTP Basic Auth • Django Session

    Auth

  30. REST Easy AUTHENTICATION • HTTP Basic Auth • Django Session

    Auth • Token Auth

  31. REST Easy AUTHENTICATION • HTTP Basic Auth • Django Session

    Auth • Token Auth • OAuth

  32. REST Easy AUTHENTICATION • HTTP Basic Auth • Django Session

    Auth • Token Auth • OAuth • JSON Web Token Auth

  33. REST Easy PERMISSIONS • Table Permissions

  34. REST Easy PERMISSIONS • Table Permissions • Row Permissions

  35. REST Easy PERMISSIONS • Table Permissions • Row Permissions •

    Column Permissions

  36. REST Easy PERMISSIONS • Table Permissions • Row Permissions •

    Column Permissions • HTTP Verb Permissions

  37. REST Easy 4. REST WELL TODAY 1. WHY REST 2.

    STATE OF REST 3. REST SECURITY 5. REST EASY TOMORROW

  38. ¯ SMALL COMPOSABLE PERMISSIONS

  39. REST Easy HTTP VERBS class IsPOST(permissions.BasePermission): def has_permission(self, request, view):

    return request.method == 'POST' class IsPATCH(permissions.BasePermission): def has_permission(self, request, view): return request.method == 'PATCH' # Other HTTP verbs...

  40. REST Easy HTTP VERBS class IsPOST(permissions.BasePermission): def has_permission(self, request, view):

    return request.method == 'POST' class IsPATCH(permissions.BasePermission): def has_permission(self, request, view): return request.method == 'PATCH' # Other HTTP verbs...

  41. REST Easy HTTP VERBS class IsPOST(permissions.BasePermission): def has_permission(self, request, view):

    return request.method == 'POST' class IsPATCH(permissions.BasePermission): def has_permission(self, request, view): return request.method == 'PATCH' # Other HTTP verbs...

  42. REST Easy HTTP VERBS class IsPOST(permissions.BasePermission): def has_permission(self, request, view):

    return request.method == 'POST' class IsPATCH(permissions.BasePermission): def has_permission(self, request, view): return request.method == 'PATCH' # Other HTTP verbs...

  43. REST Easy HTTP VERBS class IsPOST(permissions.BasePermission): def has_permission(self, request, view):

    return request.method == 'POST' class IsPATCH(permissions.BasePermission): def has_permission(self, request, view): return request.method == 'PATCH' # Other HTTP verbs...

  44. REST Easy HTTP VERBS class IsPOST(permissions.BasePermission): def has_permission(self, request, view):

    return request.method == 'POST' class IsPATCH(permissions.BasePermission): def has_permission(self, request, view): return request.method == 'PATCH' # Other HTTP verbs...

  45. REST Easy USER STATUS class IsAuthenticated(permissions.BasePermission): def has_permission(self, request, view):

    return request.user.is_authenticated() class IsSuperuser(permissions.BasePermission): def has_permission(self, request, view): return request.user.is_authenticated() and \ request.user.is_superuser # Other authentication methods...

  46. REST Easy USER STATUS class IsAuthenticated(permissions.BasePermission): def has_permission(self, request, view):

    return request.user.is_authenticated() class IsSuperuser(permissions.BasePermission): def has_permission(self, request, view): return request.user.is_authenticated() and \ request.user.is_superuser # Other authentication methods...

  47. REST Easy USER STATUS class IsAuthenticated(permissions.BasePermission): def has_permission(self, request, view):

    return request.user.is_authenticated() class IsSuperuser(permissions.BasePermission): def has_permission(self, request, view): return request.user.is_authenticated() and \ request.user.is_superuser # Other authentication methods...

  48. REST Easy USER STATUS class IsAuthenticated(permissions.BasePermission): def has_permission(self, request, view):

    return request.user.is_authenticated() class IsSuperuser(permissions.BasePermission): def has_permission(self, request, view): return request.user.is_authenticated() and \ request.user.is_superuser # Other authentication methods...

  49. REST Easy USER STATUS class IsAuthenticated(permissions.BasePermission): def has_permission(self, request, view):

    return request.user.is_authenticated() class IsSuperuser(permissions.BasePermission): def has_permission(self, request, view): return request.user.is_authenticated() and \ request.user.is_superuser # Other authentication methods...

  50. REST Easy USER STATUS class IsAuthenticated(permissions.BasePermission): def has_permission(self, request, view):

    return request.user.is_authenticated() class IsSuperuser(permissions.BasePermission): def has_permission(self, request, view): return request.user.is_authenticated() and \ request.user.is_superuser # Other authentication methods...

  51. REST Easy OWNERSHIP class IsCatOwner(permissions.BasePermission): def has_permission(self, request, view): #

    WARNING: List-level permissions in get_queryset return True def has_object_permission(self, request, view, obj): return obj.owner == request.user # Ownership for other objects...

  52. REST Easy OWNERSHIP class IsCatOwner(permissions.BasePermission): def has_permission(self, request, view): #

    WARNING: List-level permissions in get_queryset return True def has_object_permission(self, request, view, obj): return obj.owner == request.user # Ownership for other objects...

  53. REST Easy OWNERSHIP class IsCatOwner(permissions.BasePermission): def has_permission(self, request, view): #

    WARNING: List-level permissions in get_queryset return True def has_object_permission(self, request, view, obj): return obj.owner == request.user # Ownership for other objects...

  54. REST Easy OWNERSHIP class IsCatOwner(permissions.BasePermission): def has_permission(self, request, view): #

    WARNING: List-level permissions in get_queryset return True def has_object_permission(self, request, view, obj): return obj.owner == request.user # Ownership for other objects...

  55. REST Easy OWNERSHIP class IsCatOwner(permissions.BasePermission): def has_permission(self, request, view): #

    WARNING: List-level permissions in get_queryset return True def has_object_permission(self, request, view, obj): return obj.owner == request.user # Ownership for other objects...

  56. REST Easy OWNERSHIP class IsCatOwner(permissions.BasePermission): def has_permission(self, request, view): #

    WARNING: List-level permissions in get_queryset return True def has_object_permission(self, request, view, obj): return obj.owner == request.user # Ownership for other objects...

  57. ¯ PERMISSION POWER TOOLS

  58. REST Easy FIELD RESTRICTION def IsFields(*fields): class IsFieldsPermission(permissions.BasePermission): _fields =

    set(fields) def has_permission(self, request, view): return set(request.data.keys()) <= self._fields def has_object_permission(self, request, view, obj): return set(request.data.keys()) <= self._fields return IsFieldsPermission

  59. REST Easy FIELD RESTRICTION def IsFields(*fields): class IsFieldsPermission(permissions.BasePermission): _fields =

    set(fields) def has_permission(self, request, view): return set(request.data.keys()) <= self._fields def has_object_permission(self, request, view, obj): return set(request.data.keys()) <= self._fields return IsFieldsPermission

  60. REST Easy FIELD RESTRICTION def IsFields(*fields): class IsFieldsPermission(permissions.BasePermission): _fields =

    set(fields) def has_permission(self, request, view): return set(request.data.keys()) <= self._fields def has_object_permission(self, request, view, obj): return set(request.data.keys()) <= self._fields return IsFieldsPermission

  61. REST Easy FIELD RESTRICTION def IsFields(*fields): class IsFieldsPermission(permissions.BasePermission): _fields =

    set(fields) def has_permission(self, request, view): return set(request.data.keys()) <= self._fields def has_object_permission(self, request, view, obj): return set(request.data.keys()) <= self._fields return IsFieldsPermission

  62. REST Easy FIELD RESTRICTION def IsFields(*fields): class IsFieldsPermission(permissions.BasePermission): _fields =

    set(fields) def has_permission(self, request, view): return set(request.data.keys()) <= self._fields def has_object_permission(self, request, view, obj): return set(request.data.keys()) <= self._fields return IsFieldsPermission

  63. REST Easy FIELD RESTRICTION def IsFields(*fields): class IsFieldsPermission(permissions.BasePermission): _fields =

    set(fields) def has_permission(self, request, view): return set(request.data.keys()) <= self._fields def has_object_permission(self, request, view, obj): return set(request.data.keys()) <= self._fields return IsFieldsPermission

  64. REST Easy FIELD RESTRICTION def IsFields(*fields): class IsFieldsPermission(permissions.BasePermission): _fields =

    set(fields) def has_permission(self, request, view): return set(request.data.keys()) <= self._fields def has_object_permission(self, request, view, obj): return set(request.data.keys()) <= self._fields return IsFieldsPermission

  65. REST Easy FIELD RESTRICTION def IsFields(*fields): class IsFieldsPermission(permissions.BasePermission): _fields =

    set(fields) def has_permission(self, request, view): return set(request.data.keys()) <= self._fields def has_object_permission(self, request, view, obj): return set(request.data.keys()) <= self._fields return IsFieldsPermission

  66. REST Easy FIELD RESTRICTION def IsFields(*fields): class IsFieldsPermission(permissions.BasePermission): _fields =

    set(fields) def has_permission(self, request, view): return set(request.data.keys()) <= self._fields def has_object_permission(self, request, view, obj): return set(request.data.keys()) <= self._fields return IsFieldsPermission

  67. REST Easy REST CONDITION from rest_condition import And, Or, Not

    combined = Or( And(FooPerm, Not(BarPerm)), BazPerm, )

  68. REST Easy REST CONDITION from rest_condition import And, Or, Not

    combined = Or( And(FooPerm, Not(BarPerm)), BazPerm, )

  69. REST Easy REST CONDITION from rest_condition import And, Or, Not

    combined = Or( And(FooPerm, Not(BarPerm)), BazPerm, )

  70. REST Easy REST CONDITION from rest_condition import And, Or, Not

    combined = Or( And(FooPerm, Not(BarPerm)), BazPerm, )

  71. REST Easy REST CONDITION from rest_condition import And, Or, Not

    combined = Or( And(FooPerm, Not(BarPerm)), BazPerm, )

  72. REST Easy REST CONDITION from rest_condition import And, Or, Not

    combined = Or( And(FooPerm, Not(BarPerm)), BazPerm, )

  73. ¯ BUILD COMPLEX PERMISSIONS

  74. REST Easy COMPLEX PERMISSIONS class CatViewSet(viewsets.ModelViewSet): permission_classes = [Or( And(

    Or(IsGET, IsHEAD, IsOPTIONS), IsAuthenticated, ), And( Or(IsPOST, IsPATCH), IsCatOwner, IsFields('hair', 'grumpiness'), ), IsSuperuser, )]

  75. REST Easy COMPLEX PERMISSIONS class CatViewSet(viewsets.ModelViewSet): permission_classes = [Or( And(

    Or(IsGET, IsHEAD, IsOPTIONS), IsAuthenticated, ), And( Or(IsPOST, IsPATCH), IsCatOwner, IsFields('hair', 'grumpiness'), ), IsSuperuser, )]

  76. REST Easy COMPLEX PERMISSIONS class CatViewSet(viewsets.ModelViewSet): permission_classes = [Or( And(

    Or(IsGET, IsHEAD, IsOPTIONS), IsAuthenticated, ), And( Or(IsPOST, IsPATCH), IsCatOwner, IsFields('hair', 'grumpiness'), ), IsSuperuser, )]

  77. REST Easy COMPLEX PERMISSIONS class CatViewSet(viewsets.ModelViewSet): permission_classes = [Or( And(

    Or(IsGET, IsHEAD, IsOPTIONS), IsAuthenticated, ), And( Or(IsPOST, IsPATCH), IsCatOwner, IsFields('hair', 'grumpiness'), ), IsSuperuser, )]

  78. REST Easy COMPLEX PERMISSIONS class CatViewSet(viewsets.ModelViewSet): permission_classes = [Or( And(

    Or(IsGET, IsHEAD, IsOPTIONS), IsAuthenticated, ), And( Or(IsPOST, IsPATCH), IsCatOwner, IsFields('hair', 'grumpiness'), ), IsSuperuser, )]

  79. REST Easy COMPLEX PERMISSIONS class CatViewSet(viewsets.ModelViewSet): permission_classes = [Or( And(

    Or(IsGET, IsHEAD, IsOPTIONS), IsAuthenticated, ), And( Or(IsPOST, IsPATCH), IsCatOwner, IsFields('hair', 'grumpiness'), ), IsSuperuser, )]

  80. REST Easy COMPLEX PERMISSIONS class CatViewSet(viewsets.ModelViewSet): permission_classes = [Or( And(

    Or(IsGET, IsHEAD, IsOPTIONS), IsAuthenticated, ), And( Or(IsPOST, IsPATCH), IsCatOwner, IsFields('hair', 'grumpiness'), ), IsSuperuser, )]

  81. REST Easy 5. REST EASY TOMORROW 1. WHY REST 2.

    STATE OF REST 3. REST SECURITY 4. REST WELL TODAY

  82. ¯ SECURITY PROBLEMS

  83. REST Easy REST SECURITY ISSUES • Endpoint-based

  84. REST Easy REST SECURITY ISSUES • Endpoint-based • Scattered code

  85. REST Easy REST SECURITY ISSUES • Endpoint-based • Scattered code

    • Batteries not included

  86. REST Easy REST SECURITY ISSUES • Endpoint-based • Scattered code

    • Batteries not included • Default-confused

  87. ¯ IMAGINE A WORLD...

  88. REST Easy EASY PERMISSIONS class AnonymousUser(rest_permissions.Role): def is_active(self, request): return

    request.user.is_anonymous() def get_permissions(self): return { 'api.cats.CatViewSet': { 'list': True, 'retrieve': True, }, # Other permissions for cat owners... }

  89. REST Easy EASY PERMISSIONS class AnonymousUser(rest_permissions.Role): def is_active(self, request): return

    request.user.is_anonymous() def get_permissions(self): return { 'api.cats.CatViewSet': { 'list': True, 'retrieve': True, }, # Other permissions for cat owners... }

  90. REST Easy EASY PERMISSIONS class AnonymousUser(rest_permissions.Role): def is_active(self, request): return

    request.user.is_anonymous() def get_permissions(self): return { 'api.cats.CatViewSet': { 'list': True, 'retrieve': True, }, # Other permissions for cat owners... }

  91. REST Easy EASY PERMISSIONS class AnonymousUser(rest_permissions.Role): def is_active(self, request): return

    request.user.is_anonymous() def get_permissions(self): return { 'api.cats.CatViewSet': { 'list': True, 'retrieve': True, }, # Other permissions for cat owners... }

  92. REST Easy EASY PERMISSIONS class AnonymousUser(rest_permissions.Role): def is_active(self, request): return

    request.user.is_anonymous() def get_permissions(self): return { 'api.cats.CatViewSet': { 'list': True, 'retrieve': True, }, # Other permissions for cat owners... }

  93. REST Easy EASY PERMISSIONS class AnonymousUser(rest_permissions.Role): def is_active(self, request): return

    request.user.is_anonymous() def get_permissions(self): return { 'api.cats.CatViewSet': { 'list': True, 'retrieve': True, }, # Other permissions for cat owners... }

  94. REST Easy EASY PERMISSIONS class AnonymousUser(rest_permissions.Role): def is_active(self, request): return

    request.user.is_anonymous() def get_permissions(self): return { 'api.cats.CatViewSet': { 'list': True, 'retrieve': True, }, # Other permissions for cat owners... }

  95. REST Easy EASY PERMISSIONS class AnonymousUser(rest_permissions.Role): def is_active(self, request): return

    request.user.is_anonymous() def get_permissions(self): return { 'api.cats.CatViewSet': { 'list': True, 'retrieve': True, }, # Other permissions for cat owners... }

  96. REST Easy EASY PERMISSIONS class AnonymousUser(rest_permissions.Role): def is_active(self, request): return

    request.user.is_anonymous() def get_permissions(self): return { 'api.cats.CatViewSet': { 'list': True, 'retrieve': True, }, # Other permissions for cat owners... }

  97. REST Easy Jeff Schenck CTO & Co-Founder twitter @jeffschenck email

    jeff@chewse.com