'JSFTUPSFSVMFTͷӡ༻ͱ -PDBM&NVMBUPSΛ࢖ͬͨςετ Tomokazu Kozuma 2019 / 02 / 18 / MON Firebase Meetup #11

A B O U T M Y S E L F ࣗݾ঺հ Tomokazu Kozuma @Tomokazu106 ౦ژ޻ۀେֶେֶӃଔۀޙɺαΠόʔΤʔδΣϯτͰεϚϗήʔϜͷαʔόɺΠϯ ϑϥશൠΛ୲౰ɻԾ૝௨՟ʹ͍ٕͭͯज़ϒϩάΛॻ͍ͯΔ͏ͪʹ຅಄͠ɺຊ৬ͱ ͯ͠஫ྗ͢ΔͨΊʹ(JODPʹೖࣾɻ(JODPͰ͸ϒϩοΫνΣʔϯͷϊʔυӡ༻ɺϋʔ υϑΥʔΫରԠɺόοΫΤϯυͳͲ޿ൣғΛ୲౰ɻ

Company Profile

·ͱΊͯͻͱͭʹ BITCOIN Blockchain BITCOIN CASH Blockchain LITECOIN Blockchain XRP(Ripple) Blockchain ETHEREUM CLASSIC Blockchain ETHEREUM Blockchain

ෳ਺ͷԾ૝௨՟Λ·ͱΊͯ؅ཧ

T I T L E T E X T શମߏ੒

֓ཁ • 'JSFTUPSFͰى͍ͬͯ͜ΔηΩϡϦςΟ໰୊ • (JODPͷSVMFTӡ༻ͷมભ • -PDBM&NVMBUPSΛ࢖ͬͨςετ A G E N D A

'JSFTUPSFͰى͍ͬͯ͜Δ໰୊ P A R T 1

S e c u r i t y P r o b l e m ԯ݅ͷػີ৘ใ͕ެ։͞Ε͍ͯΔ • 'JSFCBTF%BUBCBTFΛ࢖͍ͬͯΔ಺ͷ͕࿙Ӯ • ݪҼ͸SVMFTΛ͖ͪΜͱઃఆͰ͖͍ͯͳ͍ h t t p s : / / w w w . a p p t h o r i t y . c o m / c o m p a n y / p r e s s / p r e s s - r e l e a s e s / 6 2 - o f - e n t e r p r i s e s - e x p o s e d - t o - s e n s i t i v e - d a t a - l o s s - v i a - f i r e b a s e - v u l n e r a b i l i t y

'JSFTUPSFͷηΩϡϦςΟجૅ • ΫϥΠΞϯτ͔Β௚઀'JSFTUPSFΞΫηεͰ͖Δ • ΞΫηεʹ͸"1*Ωʔ͕ඞཁ • "1*Ωʔ͸ΫϥΠΞϯτʹຒΊࠐΉͷͰ୭Ͱ΋ΈΕΔ • ୭Ͱ΋ΞΫηεͰ͖Δ͔ΒSVMFTͰ੍ޚ A b o u t F i r e s t o r e

'JSFTUPSFSVMFT • SFBEXSJUFݖݶ • σʔλͷόϦσʔγϣϯ T I T L E T E X T Firestore Cloud 3VMFT "1*ΩʔͰΞΫηε

• SFBE୯ҰEPDΛऔಘ͢ΔHFUͱෳ਺औಘ͢ΔMJTU • XSJUFDSFBUF VQEBUF EFMFUF SFBEXSJUFݖݶ R e a d R e s t r i c t i o n match /Users/{uid} { allow get: if someCondition(); allow create: if someCondition(); } function someCondition() { … }

• ϦΫΤετσʔλɿSFRVFTUSFTPVSDFEBUB • 'JSFTUPSFσʔλɿSFTPVSDFEBUB • ܕɿJOU TUSJOH CPPM UJNFTUBNQͳͲ • LFZɿIBT"MM IBT0OMZ IBT"OZ σʔλͷόϦσʔγϣϯ D a t a V a l i d a t i o n match /Users/{uid} { allow update: if request.resource.data.keys().hasAll(["name", "age"]) && request.resource.data.name is string && request.resource.data.name != "" && request.resource.data.age == resource.data.age }

5 S e t t i n g s e c u r e r u l e s ػີσʔλ͸ผ֊૚ผSVMFTʹ͢Δ ϫΠϧυΧʔυͰͷSVMFTઃఆʹؾΛ͚ͭΔ ৘ใ࿙Ӯ͠ͳ͍ͨΊͷSVMFTઃఆ

• ผ֊૚ʹͯ͠SVMFTઃఆΛݫ͘͢͠Δ ػີσʔλ͸ผ֊૚ D i v i d e S e c r e t D a t a match /Users/{uid} { // ೝূࡁϢʔβʹެ։ allow read: if isAuthUser(); // ࣗ෼ͷσʔλ͚ͩʹΞΫηεՄ match /Private/Info { allow read: if isMyData(uid); } } function isMyData(uid) { return request.auth.uid == uid; }

ϫΠϧυΧʔυͰͷSVMFTઃఆ • ϫΠϧυΧʔυͰෳ਺SVMF͕ద༻͞ΕͯڐՄ͞ΕΔ U s i n g w i l d c a r d match /Users/{uid} { // ৚݅1 match /{allChildren=**} { allow read: if isAuthUser(); } // ৚݅2 match /Private/Info { allow read: if isMyData(uid); } } function isMyData(uid) { return request.auth.uid == uid; }

(JODPͷSVMFTӡ༻ͷมભ P A R T 2

ϦϦʔεॳظ • ϦϦʔε౰ॳ͸SVMFTͷςετ͕ͳ͔ͬͨ • σϓϩΠ͔ͯ͠Βಈ࡞νΣοΫͳͷͰ͕͔͔࣌ؒΔ • ։ൃ؀ڥʹӨڹΛ༩͑ͯ͠·͏ E a r l y S t a g e

ϦϦʔεதظ • SVMFT͕ߦΛ௒͑͸͡Ίͯมߋ͕ࠔ೉ʹͳ͖ͬͯͨ • SVMFTΛมߋͰ͖ΔΑ͏ʹςετίʔυΛ࣮૷ • ςετ͢Δʹ͸ςετ༻ͷ'JSFCBTF1SPKFDU͕ඞཁ M i d d l e S t a g e

ςετ1SPKFDUΛ࢖ͬͨςετ

SVMFTͷςετํ๏ • 'JSFCBTF4%,ʹ͸$MJFOU4%,ͱ"ENJO4%,͕͋Δ • $MJFOU4%,͚ͩSVMFT͕ద༻͞ΕΔ • +BWB4DSJQU͚ͩͭͷ4%,͕͋Δ H o w t o t e s t Firestore Cloud $MJFOU4%, "ENJO4%, 3VMFT

• UFTUͷͨΊͷ'JSFCBTFϓϩδΣΫτΛ࡞੒ • 'JSFCBTF"VUIFOUJDBUJPOͰಗ໊ೝূΛ༗ޮԽ • ωοτϫʔΫӽ͠ͳͷͰ͕͔͔࣌ؒΔ • SVMFTͱςετσʔλͷڝ߹ ςετ1SPKFDUΛ࢖ͬͨํ๏ T e s t u s i n g p r o j e c t Firestore Cloud

ݱࡏ • ೥݄ʹ'JSFTUPSF-PDBM&NVMBUPSൃද • SVMFTͷςετ͸ϩʔΧϧ؀ڥ͚ͩͰ׬݁ • ଞਓͷ࡞ۀΛҙࣝ͠ͳͯ͘ྑ͘ͳͬͨͷͰSVMFTͷ௥Ճɺ मਖ਼͕͠΍͘͢ͳͬͨ P r e s e n t S t a g e

-PDBM&NVMBUPSΛ࢖ͬͨςετ P A R T 3

'JSFCBTF-PDBM&NVMBUPS • ςετʹ͸!pSFCBTFUFTUJOHϞδϡʔϧΛ࢖༻ • ೝূະೝূΞΧ΢ϯτɺ"ENJOΞΧ΢ϯτΛ؆୯ʹར ༻Ͱ͖Δ • ςετσʔλͷڝ߹͠ͳ͍͠ɺUSVODBUF͠ͳ͍͍ͯ͘ • ςετ࣮ߦ͕࣌ؒʹ࡟ݮ L o c a l E m u l a t o r

L o a d r u l e s SVMFTͷϩʔυ import * as firebase from ‘@firebase/testing’ // rulesͷϩʔυ firebase.loadFirestoreRules({ projectId: 'test-project-00', rules: fs.readFileSync("firestore.rules", "utf8") }) • SVMFTͷϩʔυ͸೚ҙͷQSPKFDU*EͰͰ͖Δ • QSPKFDU*EผʹݸผͷσʔλۭؒΛ࣋ͯΔ • ςετຖʹQSPKFDU*EΛมߋ͢Ε͹·ͬ͞Βͳঢ়ଶ

• ෳ਺ͷೝূΞΧ΢ϯτΛಉ࣌ʹѻ͑Δ L o a d r u l e s ΞΧ΢ϯτ࡞੒ // ೝূࡁΞΧ΢ϯτ const firestore = firebase .initializeTestApp({ projectId: ‘test-project-00', auth: {uid: ‘test-account’} }) .firestore(); // AdminΞΧ΢ϯτ const adminFirestore = firebase .initializeAdminApp({ projectId: 'test-project-00', auth: ‘admin-account’ }) .firestore();

·ͱΊ • SVMFTͷઃఆͰجຊతʹ৘ใ࿙Ӯ͸๷͛Δ • ػີ৘ใ͸֊૚Λ෼͚ͯϫΠϧυΧʔυΛଟ༻͠ͳ͍ • SVMFTͷςετ͸-PDBM&NVMBUPSͰޮ཰Խ S u m m a r y