Grant Security Plugin for Rails

Transcript

1. Grant security plugin for Rails Jeff Kunkle

2. Leveraging Ruby’s Open Classes and Metaprogramming Capabilities, Combined with Active

   Record Features to Develop a Security Plugin for Ruby on Rails Jeff Kunkle

3. class EmployeesController < ApplicationController before_filter :authorize, :if => :update def

   list @employees = Employee.all end def update emp = Employee.find params[:id] emp.update_attributes params[:employee] end end

4. class EmployeesController < ApplicationController before_filter :authorize, :if => :update def

   list @employees = Employee.all end def update emp = Employee.find params[:id] emp.update_attributes params[:employee] end end class EmployeesController < ApplicationController def list @employees = Employee.all end def update if user.has_role?(:manager) emp = Employee.find params[:id] emp.update_attributes params[:employee] end end end

5. video from http://railscasts.com

6. video from http://railscasts.com

7. None
8. None

9. Is my app secure?

10. None

11. class EmployeesController < ApplicationController def list @employees = Employee.all end

    def update if user.has_role?(:manager) emp = Employee.find params[:id] emp.update_attributes params[:employee] end end end

12. class Employee < ActiveRecord::Base include Grant::ModelSecurity grant(:update) { |user, model|

    user.has_role?(:manager) } end

13. class Employee < ActiveRecord::Base include Grant::ModelSecurity grant(:update) { |user, model|

    user.has_role?(:manager) } end class EmployeesController < ApplicationController def list @employees = Employee.all end def update emp = Employee.find params[:id] emp.update_attributes params[:employee] end end

14. Quiz

15. Quiz class Employee < ActiveRecord::Base include Grant::ModelSecurity grant(:update) { |user,

    model| user.has_role?(:manager) } end

16. class User < ActiveRecord::Base def has_role?(role) [:employee, :manager].include?(role) end end

    Quiz class Employee < ActiveRecord::Base include Grant::ModelSecurity grant(:update) { |user, model| user.has_role?(:manager) } end

17. class User < ActiveRecord::Base def has_role?(role) [:employee, :manager].include?(role) end end

    Quiz class EmployeesController < ApplicationController def update emp = Employee.find params[:id] emp.update_attributes params[:employee] end end class Employee < ActiveRecord::Base include Grant::ModelSecurity grant(:update) { |user, model| user.has_role?(:manager) } end ?

18. Grant::ModelSecurityError: find permission not granted to User:7 for resource Employee:25

    from /Users/jkunkle/project/vendor/plugins/grant/ lib/grant/model_security_manager.rb:75:in `permission_not_granted' from /Users/jkunkle/project/vendor/plugins/grant/ lib/grant/model_security_manager.rb:60:in `apply_security' from /Users/jkunkle/project/vendor/plugins/grant/ lib/grant/model_security_manager.rb:44:in `after_find'

19. class Employee < ActiveRecord::Base include Grant::ModelSecurity grant(:find) grant(:destroy) { |user,

    model| user.has_role?(:admin) } grant(:update, :create) do |user, model| user.has_role?(:manager) end end Grant is all or nothing

20. class Employee < ActiveRecord::Base include Grant::ModelSecurity has_many :reviews grant(:find) grant(:destroy)

    { |user, model| user.has_role?(:admin) } grant(:update, :create) do |user, model| user.has_role?(:manager) end grant(:add => :reviews, :remove => :reviews) do |user, model| user.has_role?(:manager) end end ... associations too

21. How does it work? Hook methods Dynamic Methods Active Record

    Callbacks Around Aliases

22. Show and Tell

23. Show and Tell .. and answer lots of questions

24. Grant Security Anxiety Relief http://github.com/nearinfinity/grant