Flaskのセキュリティどうしてます？アクセス制御ライブラリCasbin入門！ #pycharity / flask-authz-with-casbin

Transcript

1. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ 'MBTLͷηΩϡϦςΟ 
 Ͳ͏ͯ͠·͢ʁ
   

   ΞΫηε੍ޚϥΠϒϥϦ 
 $BTCJOೖ໳ʂ ג ΧαϨΞϧ
   ଟాਅහ
   ೥݄೔
   1ZUIPO
   $IBSJUZ
   5BMLT
   JO
   +BQBO 1

2. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ ࣗݾ঺հ ▸ ଟాਅහʢ!TVLF@NBTBʣ
   

   ▸ ݚमτϨʔφʔ!ΧαϨΞϧ
   ▸ +BWB
   
   1ZUIPO
   
   (PMBOH 
 
   .JDSPTFSWJDFT
   
   ,VCFSOFUFT 2

3. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ גࣜձࣾΧαϨΞϧ ▸ ଞࣾʹ͸ແ͍৭ʑͳϓϩάϥϛϯάݴޠͷ

   
 ݚमΛఏڙ͍ͯ͠·͢ʂ 3 /&8

4. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ 🎉1ZUIPOݚमϦϦʔε🎉 4 1ZUIPOೖ໳

   
 جຊจ๏ɺϥΠϒϥϦͷར༻ɺ8FCεΫϨΠϐϯά 
 ʢ೔ؒʣ 'MBTLʹΑΔ1ZUIPO
   8FCΞϓϦέʔγϣϯ։ൃ 
 %#ΞΫηεɺ3&45ɺ+BWB4DSJQU࿈ܞɺηΩϡϦςΟ 
 ʢ೔ؒʣ ࠓ೔͸ίνϥͷ࿩

5. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ 'MBTLݚमͷΧϦΩϡϥϜ 5 1೔໨

   DBΞΫηε(MySQL Connector / Python) RESTͷ։ൃ 2೔໨ JavaScriptΫϥΠΞϯτͱͷ࿈ܞ ΤϥʔϋϯυϦϯά όϦσʔγϣϯ ϩάΠϯɺΞΫηε੍ޚ ࠓ೔͸ίνϥͷ࿩

6. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ 'MBTLͷΞΫηε੍ޚϥΠϒϥϦ ▸ 'MBTL4FDVSJUZ
   

   ▸ 'MBTL6TFS
   ▸ 'MBTL)551"VUI
   ▸ 'MBTL"VUIPSJ[F 6 🤔 ͲΕ΋ଟػೳ 
 ͩͳ͋…

7. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ ๻͕ཉ͔ͬͨ͠΋ͷ ▸ ػೳ͕γϯϓϧͰ࢖͍΍͍͢
   

   ▸ 3PMF#BTFE
   "DDFTT
   $POUSPM 3#"$ ͕Ͱ͖Δ
   ▸ ಛఆͷ03.ʹґଘ͠ͳ͍
   ▸ ͳΔ΂͘ଞͷηΩϡϦςΟϥΠϒϥϦʹґଘ͠ ͳ͍ 7

8. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ ͦ͜Ͱ$BTCJO 8 https://casbin.org/

9. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ $BTCJOͱ͸ ▸ ΋ͱ΋ͱ͸(P੡ͷΞΫηε੍ޚϥΠϒϥϦ
   

   ▸ ʮೝূʯͰ͸ͳ͘ʮೝՄʯʹಛԽ
   ▸ ಛఆͷ03.΍ͦͷଞϥΠϒϥϦʹґଘ͠ͳ͍
   ▸ pip install casbin 9

10. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ $BTCJO͕΍Δ͜ͱ🙆  ʮ୭

    ϩʔϧ ͕ʯʮԿʹʯʮԿΛ͢ΔʯܗࣜͰ 
 ΞΫηεՄ൱Λ൑அ
     ΞΫηε੍ޚͷϞσϧͱϙϦγʔͷετϨʔδΛ؅ཧ
     ϩʔϧϢʔβʔ΍ϩʔϧϩʔϧͷରԠ෇͚Λ؅ཧ
     ʮSPPUʯͳͲͷεʔύʔϢʔβʔΛαϙʔτ
     ϧʔϧϚονϯάΛαϙʔτ͢Δෳ਺ͷԋࢉࢠΛఏڙ 10 https://casbin.org/docs/en/overview#what-is-casbin

11. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ $BTCJO͕΍Βͳ͍͜ͱ🙅  ೝূʢϢʔβʔ໊ɾύεϫʔυΛϩάΠϯ࣌ʹ

    ݕূɺͱ͔ʣ
     Ϣʔβʔ΍ϩʔϧͷҰཡΛ؅ཧʢϓϩδΣΫτ ࣗ਎Ͱ؅ཧͨ͠΄͏͕ศརͳ͸ͣʣ 11 https://casbin.org/docs/en/overview#what-is-casbin

12. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ ϙϦγʔ 12 p,

    USER, /user, GET p, ADMIN, /admin, GET g, ADMIN, USER ▸ ΞΫηεϧʔϧΛهड़ σϑΥϧτͰ͸$47
    ▸ Ξμϓλʔ ޙड़ ΛೖΕΔ͜ͱͰɺ༷ʑͳετϨʔδ ʹରԠՄೳ 64&3ϩʔϧ͸VTFSʹ(&5ͰΞΫηεՄೳ "%.*/ϩʔϧ͸64&3ϩʔϧΛܧঝ

13. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ Ξμϓλʔ ▸ 3%#ͳͲ༷ʑͳετϨʔδ͔ΒϙϦγʔ৘ใΛ

    
 औಘՄೳ
    ▸ 42-"MDIFNZ
    "EBQUFS
    ▸ .POHP&OHJOF
    "EBQUFS
    ▸ %ZOBNP%#
    "EBQUFS
    ▸ ɾɾɾ 13 https://casbin.org/docs/en/adapters

14. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ Ϟσϧ ▸ ϙϦγʔͷهड़ํ๏΍ɺϙϦγʔʹج͍ͮͯ

    
 ΞΫηεՄ൱ͷ൑ఆϧʔϧΛςΩετͰهड़
    ▸ ͪΐͬͱॻ͖ํ͕Ή͔͍ͣ͠
    ▸ ৄࡉˠ
    IUUQTDBTCJOPSHEPDTFOTZOUBYGPS NPEFMT 14

15. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ Ϟσϧͷॻ͖ํͷྫ 15 [request_definition]

    # enforce()ͷҾ਺ॱΛఆٛ r = sub, obj, act [policy_definition] # ϙϦγʔͷهड़ํ๏Λఆٛ p = sub, obj, act [policy_effect] # ෳ਺ͷϙϦγʔ͕Ϛονͨ͠ࡍͷ൑ఆํ๏Λఆٛ e = some(where (p.eft == allow)) [role_definition] # ϩʔϧͷܧঝؔ܎Λఆٛ g = _, _ [matchers] # ΞΫηεՄ൱ͷ൑ఆํ๏Λఆٛ m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && r.act == p.act

16. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ $BTCJOΛ'MBTLʹ૊ΈࠐΉ 16 enforcer

    = Enforcer('Ϟσϧͷύε', 'ϙϦγʔCSVͷύε') def authorize(): # ϩʔϧɺURLɺϦΫΤετϝιουΛऔಘ sub = current_user.role obj = request.path act = request.method # CasbinʹΑΓΞΫηεՄ൱Λ൑ఆ if enforcer.enforce(sub, obj, act): return None # ੒ޭͨ͠৔߹͸Կ΋͠ͳ͍ else: # ࣦഊͨ͠৔߹͸ΤϥʔΛϨεϙϯε # FlaskͷϦΫΤετલॲཧͱͯ͠ొ࿥ app.before_request(authorize)

17. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ ·ͱΊ ▸ $BTCJO͸
    

    ▸ ΞΫηε੍ޚʹಛԽͨ͠ϥΠϒϥϦ
    ▸ γϯϓϧͰ ɾ㱼ɾ ŘŘ 17

18. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ ࢀߟ৘ใ 18 ▸

    ެࣜυΩϡϝϯτ
    ▸ IUUQTDBTCJOPSHEPDTFOPWFSWJFX
    ▸ ιʔείʔυ
    ▸ IUUQTHJUIVCDPNDBTCJOQZDBTCJO

19. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ ͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ 19