How to approach authorisation within your Symfony or PHP application. Adam Elsodaney Attribute-Based Access Control in Symfony Symfony UK Meetup 30 August 2018
This presentation is split into 4 parts …maybe 5.
Part 0: Out-of-the-box Symfony SecurityBundle Access Control
There are 2 steps to securing a resource.
Authentication is enforced with Firewalls.
Authorisation is enforced with Access Controls.
That’s easy! Each access control entry maps a Path (a string or a regular expression) to a Role (a string, a RoleInterface, or a hierarchical role).
…but not finely-grained.
There are many types of access control paradigms depending on your needs:
• Access Control Lists (ACL)
• Role-Based Access Control (RBAC)
• Attribute-Based Access Control (ABAC)
Part 1: RBAC
Implementing RBAC: “Probably the most common variant of authorization is role-based access control (RBAC). As the name implies,
• Users are assigned roles
• Roles are assigned permissions.
• Users inherit the permission for any roles they have been assigned.
• Actions are validated for permissions.”
https://martinfowler.com/articles/web-security-basics.html
Worked through with a journal example:
• Users have roles: Bob (USER) has the role Associate Editor (ROLE).
• Roles have permissions: Associate Editor (ROLE) has the permissions Reject Article Submission and Approve Article Submission (PERMISSION).
• Users inherit the permissions for any roles they have been assigned: Bob (USER) therefore holds Reject Article Submission and Approve Article Submission.
• Actions are validated for permissions: the actions Reject Article Submission, Leave Feedback and Approve Article Submission are each checked against the permissions Bob holds.
In code: an Action checks a Permission (a string); the Role is a string, a RoleInterface or a hierarchical role.
In some cases, roles inherit the permissions from other roles via a hierarchy (roles such as Editor-in-Chief, Associate Editor, Reviewer, Author, Journal Admin, System Admin)…
…and/or permissions inherit other permissions via a hierarchy (permissions such as Reject Article Submission, Approve Article Submission, Make Decision on Submission, Do WTH you want with submissions, Leave abusive Linus-Torvalds-style comments, Administrate journal), like Sylius RBAC.
    $ composer require sylius/rbac-bundle    # install for Symfony apps
    $ composer require sylius/rbac           # install for non-Symfony apps
Consider RBAC when: “
• Permissions are relatively static.
• Roles in your policies actually map reasonably to roles within your domain, rather than feeling like contrived aggregations of permissions.
• There isn't a terribly large number of permutations of permission, and therefore roles that will have to be maintained.
• You have no compelling reason to use one of the other options.”
https://martinfowler.com/articles/web-security-basics.html
Shortcomings of RBAC:
1. Cannot grant permissions per-resource, only by resource type.
2. Does not scope resource properties.
Part 2: ACL (Symfony ACL)
How to Use Access Control Lists (ACLs): “In complex applications, you will often face the problem that access decisions cannot only be based on the person (Token) who is requesting access, but also involve a domain object that access is being requested for. This is where the ACL system comes in.”
https://symfony.com/doc/3.4/security/acl.html
Access Control Lists (ACL)
First, check if the domain object requested has an associated ACL (e.g. one ACL for his message, one for hers). Each ACL contains one or more Access Control Entries (ACEs) that define specific permissions for the ACL’s resource.
Second, check the domain as a whole: ACLs can be associated with both objects (entities) and domains (classnames).
Otherwise, deny access.
Using the Symfony ACL:
1. Install the bundle: $ composer require symfony/acl-bundle
2. Configure
3. Initialise
The acl_entries table has the columns:
• id
• class
• object identity
• security identity
• field name
• ACE order
• mask
• is granting
• granting strategy
• audit success
• audit failure
As the boss of this website
I should be able to edit a particular message posted
In order to moderate the content
As the boss of this website
I should be able to edit all messages posted (no longer just a particular message)
In order to moderate the content
Alternatives to ACLs: “Using [ACLs] isn't trivial, and for simpler use cases, it may be overkill. If your permission logic could be described by just writing some code (e.g. to check if a Blog is owned by the current User), then consider using voters. A voter is passed the object being voted on, which you can use to make complex decisions and effectively implement your own ACL. Enforcing authorization (e.g. the isGranted() part) will look similar to what you see in this article, but your voter class will handle the logic behind the scenes, instead of the ACL system.”
https://symfony.com/doc/3.4/security/acl.html
Part 3: ABAC using Symfony Voters
“Security Voters provide a mechanism to set up fine-grained restrictions in Symfony applications. The main advantage over ACLs is that they are an order of magnitude easier to set up, configure and use.”
http://symfony.com/blog/new-in-symfony-2-6-simpler-security-voters
In Symfony, an authorisation decision will always be based on the following:
• TOKEN: when a user is authenticated (identified) they receive a token from the firewall, which is handed over to the access control in the authorisation step. We can get the user’s identity from the token.
• SET OF ATTRIBUTES: each attribute stands for a certain right the user should have, e.g. Role, Order Number, Email Address, Time of Day.
• RESOURCE: any object for which access control needs to be checked, like an article or a comment object (or a piggy bank object containing bitcoins).
Access Decision Manager
The Access Decision Manager contains all voters. Some might be supported based on the attributes to vote on.
Example with six voters: Voter 1 PERMIT, Voter 2 DENY, Voter 3 Not Supported, Voter 4 PERMIT, Voter 5 PERMIT, Voter 6 ABSTAIN.
• Affirmative Strategy: grant access as soon as there is one voter granting access. Result: PERMIT.
• Consensus Strategy: grant access if there are more voters granting access than there are denying. Result: PERMIT.
• Unanimous Strategy: grant access only if none of the voters have denied access. Result: DENY.
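To make the three strategies concrete, here is an added stand-alone re-implementation (not code from the slides or from Symfony itself) applied to the six votes above. It mirrors Symfony’s AccessDecisionManager semantics, including the two constructor options the diagram does not show: allow_if_all_abstain (default false) and allow_if_equal_granted_denied (default true, consensus only); an unsupported voter counts as an abstention.

```php
<?php
// Added example: pure-PHP model of Symfony's three AccessDecisionManager strategies.
// Not the Symfony implementation; it reproduces the documented decision rules.
declare(strict_types=1);

const ACCESS_GRANTED = 1;
const ACCESS_ABSTAIN = 0;
const ACCESS_DENIED  = -1;

/**
 * @param int[] $votes one vote per voter; a voter that does not support the
 *                     attribute returns ACCESS_ABSTAIN, exactly like Symfony's Voter::vote()
 */
function decide(string $strategy, array $votes, bool $allowIfAllAbstain = false, bool $allowIfEqual = true): bool
{
    $granted = count(array_filter($votes, fn(int $v): bool => $v === ACCESS_GRANTED));
    $denied  = count(array_filter($votes, fn(int $v): bool => $v === ACCESS_DENIED));

    switch ($strategy) {
        case 'affirmative':
            // One grant wins regardless of denials; with no grant, any denial loses,
            // and an all-abstain outcome is decided by configuration.
            if ($granted > 0) {
                return true;
            }
            return $denied === 0 && $allowIfAllAbstain;

        case 'consensus':
            if ($granted > $denied) {
                return true;
            }
            if ($denied > $granted) {
                return false;
            }
            // Equal non-zero counts fall back to allow_if_equal_granted_denied,
            // an all-abstain result to allow_if_all_abstain.
            return $granted > 0 ? $allowIfEqual : $allowIfAllAbstain;

        case 'unanimous':
            // A single denial is fatal; otherwise at least one grant is required.
            if ($denied > 0) {
                return false;
            }
            return $granted > 0 || $allowIfAllAbstain;
    }

    throw new InvalidArgumentException("Unknown strategy: $strategy");
}

// The slide's six voters (Voter 3 does not support the attribute, so it abstains).
$votes = [ACCESS_GRANTED, ACCESS_DENIED, ACCESS_ABSTAIN, ACCESS_GRANTED, ACCESS_GRANTED, ACCESS_ABSTAIN];

foreach (['affirmative', 'consensus', 'unanimous'] as $strategy) {
    printf("%-12s %s\n", $strategy, decide($strategy, $votes) ? 'PERMIT' : 'DENY');
}

// Edge case the diagram cannot show: when every voter abstains, all three
// strategies deny under the defaults, which is the safe failure mode.
printf("all-abstain   %s\n", decide('affirmative', [ACCESS_ABSTAIN, ACCESS_ABSTAIN]) ? 'PERMIT' : 'DENY');
```

Run it with `php` and compare the first three lines with the three results given for the diagram.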
Built-in Symfony Voters: RoleVoter, RoleHierarchyVoter, AuthenticatedVoter, ExpressionVoter. All are in the Symfony\Component\Security\Core\Authorization\Voter namespace.
Creating custom voters:
1. First, define what attributes you want to check.
2. Second, check if your voter should vote on the given subject or attributes.
3. Third, cast the vote.
4. Finally, declare the service and it is ready to use.
In this example, the customer who made a purchase order did so without creating an account or logging in, but would still need to be able to access their order details on the website.
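As an added example (not code from the slides or from any project), here is a voter that follows the four steps for the guest-checkout case. It assumes Symfony 5.3+ on PHP 8, an App\Entity\Order with getCustomer() (a UserInterface or null for guest orders) and getAccessToken() (a random string issued at checkout), and that checkout stored that token in the session under a hypothetical 'guest_order_tokens' key.

```php
<?php
// Added example: a custom voter for the "guest who placed an order" case.
// Order, getCustomer(), getAccessToken() and the session key are assumptions.
declare(strict_types=1);

namespace App\Security\Voter;

use App\Entity\Order;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;

final class OrderVoter extends Voter
{
    // Step 1: the attribute this voter understands.
    public const VIEW = 'ORDER_VIEW';

    public function __construct(private RequestStack $requestStack)
    {
    }

    // Step 2: only vote on ORDER_VIEW for Order subjects; anything else abstains,
    // so other voters (roles, expressions) are not disturbed.
    protected function supports(string $attribute, $subject): bool
    {
        return $attribute === self::VIEW && $subject instanceof Order;
    }

    // Step 3: cast the vote.
    protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
    {
        /** @var Order $order */
        $order = $subject;
        $user = $token->getUser();

        // Order tied to an account: only that account may view it, regardless of
        // any guest token, so a leaked token cannot widen access to account orders.
        $customer = $order->getCustomer();
        if ($customer !== null) {
            return $user instanceof UserInterface
                && $customer->getUserIdentifier() === $user->getUserIdentifier();
        }

        // Guest order: the browser that completed checkout holds the order's token
        // in its session. hash_equals() keeps the comparison constant-time.
        $guestTokens = $this->requestStack->getSession()->get('guest_order_tokens', []);
        foreach ((array) $guestTokens as $guestToken) {
            if (\is_string($guestToken) && hash_equals($order->getAccessToken(), $guestToken)) {
                return true;
            }
        }

        return false;
    }

    // Step 4: with Symfony's default autoconfigure, any class extending Voter is
    // tagged 'security.voter' automatically; otherwise add that tag in services.yaml.
}
```

In a controller the check is then `$this->denyAccessUnlessGranted(OrderVoter::VIEW, $order);`, which works for both the logged-in and the guest customer.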
Shortcomings of Symfony Voters:
1. Not necessarily runtime capable: it still requires writing code for access rules, unless you implement a Voter that loads its rules from the database.
Part 4: ABAC via XACML* (*pronounced “X-akamull”, “X-A-C-M-L” or “zakamull”)
[What is XACML?] “XACML (eXtensible Access Control Markup Language) offers a standardized way to achieve externalized and dynamic authorization. This means that authorization decisions are made by an authorization service at run-time based on policies which determine what actions a user or service can perform on a given information asset and in a specific context.”
https://www.axiomatics.com/100-pure-xacml/
http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html
XACML Administration
The Policy Administration Point (PAP) manages the Policy Data (policies and policy sets); it is very similar to IAM in Amazon Web Services:
• Create, View, Delete policies
• Version policies on Update
• Evaluate policies before committing
XACML Enforcement Flow
1. The Policy Enforcement Point (PEP), here the Symfony Authorization Checker behind isGranted(), turns the access check into a XACML Request and sends it to the Policy Decision Point (PDP).
2. The PDP gathers Context Data from the Policy Information Point (PIP): time of day, server env, current user, resource, request, sky is blue, …
3. The PDP retrieves the Policy Data (policy, policy set) from the Policy Retrieval Point (PRP).
4. The PDP evaluates the policies and returns a XACML Response, Allow or Deny, to the PEP.
XACML 3.0 Policies
Policy Sets contain a collection of Policies, and each Policy contains Rules. Policy Sets may also contain or reference other Policy Sets. However, the Decision Point will only evaluate at Policy level. Rules are never evaluated by themselves.
Targets and Rules: “Part of what [the] XACML PDP [Policy Decision Point] needs to do is find a policy that applies to a given request. To do this, XACML provides another feature called a Target. A Target is basically a set of simplified conditions for the Subject, Resource and Action that must be met for a PolicySet, Policy or Rule to apply to a given request. If all the conditions of a Target are met, then its associated PolicySet, Policy, or Rule applies to the request. In addition to being a way to check applicability, Target information also provides a way to index policies, which is useful if you need to store many policies and then quickly sift through them to find which ones apply.”
https://www.axiomatics.com/100-pure-xacml/
A Request must be matched to a Policy (Policy A, Policy B, … Policy G). This is done using Targets.
XACML 3.0 Targets
A TARGET consists of Subject, Resource and Action. Policy Sets, Policies and Rules each carry a Target and only apply if the Target matches; a Rule additionally carries its Effect (e.g. Permit).
Matching a Target behaves like Voter::supports() in Symfony.
REQUEST target: Subject: Bob; Resource: CJES Article #3; Action: edit
POLICY targets:
• Subject: Bob; Resource: CJES Article; Action: edit
• Subject: Bob; Resource: CJES Article; Action: create
• Subject: Alice; Resource: FNAN Article; Action: any
More than one policy may be matched.
XACML 3.0 Rule Example * The XACML syntax is more verbose than what you see here.
Understanding XACML combining algorithms: “If a policy contains multiple rules, and the rules return different decisions e.g. Permit and Deny, what should the policy return? Permit? Deny? Neither?”
https://www.axiomatics.com/blog/understanding-xacml-combining-algorithms/
XACML 3.0 Rule-Combining and Policy-Combining Algorithms (these behave like the AccessDecisionManager Strategies in Symfony):
• deny-overrides
• permit-overrides
• first-applicable
• only-one-applicable (policy only)
• ordered-permit-overrides
• ordered-deny-overrides
• deny-unless-permit
• permit-unless-deny
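The following toy Policy Decision Point is an added example (not code from the slides or from any XACML implementation) covering both the Target matching and the combining algorithms above. It evaluates the slide’s request (Bob, CJES Article #3, edit) against policies built from the slide’s three Targets, using deny-overrides, permit-overrides and first-applicable. The policies, the rule Conditions and the convention that a resource type such as “CJES Article” matches instances like “CJES Article #3” are constructed for illustration.

```php
<?php
// Added example: a minimal PDP. Targets decide applicability (like Voter::supports()),
// rules inside an applicable policy are combined with a rule-combining algorithm.
declare(strict_types=1);

const PERMIT = 'Permit';
const DENY = 'Deny';
const NOT_APPLICABLE = 'NotApplicable';

/** Constructed matching convention: "any" is a wildcard and a type matches its "#n" instances. */
function attributeMatches(string $pattern, string $value): bool
{
    return $pattern === 'any' || $pattern === $value || str_starts_with($value, $pattern . ' #');
}

/** A Target applies only if Subject, Resource and Action all match the request. */
function targetMatches(array $target, array $request): bool
{
    foreach (['subject', 'resource', 'action'] as $key) {
        if (!attributeMatches($target[$key], $request[$key])) {
            return false;
        }
    }
    return true;
}

/** A Rule yields its Effect when its Target matches and its optional Condition holds. */
function evaluateRule(array $rule, array $request): string
{
    if (!targetMatches($rule['target'], $request)) {
        return NOT_APPLICABLE;
    }
    $condition = $rule['condition'] ?? fn(array $r): bool => true;
    return $condition($request) ? $rule['effect'] : NOT_APPLICABLE;
}

/** Three of the rule-combining algorithms listed above; NotApplicable rules never count. */
function combine(string $algorithm, array $decisions): string
{
    $applicable = array_filter($decisions, fn(string $d): bool => $d !== NOT_APPLICABLE);
    if ($applicable === []) {
        return NOT_APPLICABLE;
    }
    switch ($algorithm) {
        case 'deny-overrides':
            return in_array(DENY, $applicable, true) ? DENY : PERMIT;
        case 'permit-overrides':
            return in_array(PERMIT, $applicable, true) ? PERMIT : DENY;
        case 'first-applicable':
            return reset($applicable); // first applicable rule in document order wins
    }
    throw new InvalidArgumentException("Unknown algorithm: $algorithm");
}

/** The PDP evaluates at Policy level: an unmatched Policy Target short-circuits to NotApplicable. */
function evaluatePolicy(array $policy, array $request): string
{
    if (!targetMatches($policy['target'], $request)) {
        return NOT_APPLICABLE;
    }
    $decisions = array_map(fn(array $rule): string => evaluateRule($rule, $request), $policy['rules']);
    return combine($policy['algorithm'], $decisions);
}

$anyTarget = ['subject' => 'any', 'resource' => 'any', 'action' => 'any'];

// Constructed policies carrying the slide's three Targets.
$policies = [
    'edit CJES' => [
        'target' => ['subject' => 'Bob', 'resource' => 'CJES Article', 'action' => 'edit'],
        'algorithm' => 'deny-overrides',
        'rules' => [
            ['effect' => PERMIT, 'target' => $anyTarget],
            // A Deny rule that only applies once the article is published; with
            // deny-overrides it would beat the Permit above.
            ['effect' => DENY, 'target' => $anyTarget,
             'condition' => fn(array $r): bool => ($r['published'] ?? false) === true],
        ],
    ],
    'create CJES' => [
        'target' => ['subject' => 'Bob', 'resource' => 'CJES Article', 'action' => 'create'],
        'algorithm' => 'first-applicable',
        'rules' => [['effect' => PERMIT, 'target' => $anyTarget]],
    ],
    'Alice FNAN' => [
        'target' => ['subject' => 'Alice', 'resource' => 'FNAN Article', 'action' => 'any'],
        'algorithm' => 'permit-overrides',
        'rules' => [['effect' => PERMIT, 'target' => $anyTarget]],
    ],
];

// The slide's request, with one constructed context attribute for the Condition.
$request = ['subject' => 'Bob', 'resource' => 'CJES Article #3', 'action' => 'edit', 'published' => false];

foreach ($policies as $name => $policy) {
    printf("%-12s %s\n", $name, evaluatePolicy($policy, $request));
}
```

Flip `'published'` to `true` in the request to watch the Deny rule become applicable and override the Permit.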
XACML 3.0 Policy Example * The XACML syntax is more verbose than what you see here.
Conditions

    <!-- Only allow logins from 9am to 5pm -->
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
          <EnvironmentAttributeSelector DataType="http://www.w3.org/2001/XMLSchema#time"
                                        AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</AttributeValue>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
          <EnvironmentAttributeSelector DataType="http://www.w3.org/2001/XMLSchema#time"
                                        AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue>
      </Apply>
    </Condition>

Allow only logins between 9am and 5pm. Read inside-out, the Condition is an and of two Apply elements: current-time → time-one-and-only → time-greater-than-or-equal 09:00:00, and current-time → time-one-and-only → time-less-than-or-equal 17:00:00.
* The XACML markup above has been condensed for brevity.
The same Condition expressed as PHP (the XACML functions become closures; $env is assumed to expose the current time as a string such as '13:45:00'):

    $timeGreaterThanOrEq = function (DateTimeInterface $x, DateTimeInterface $y): bool { return $x >= $y; };
    $timeLessThanOrEq = function (DateTimeInterface $x, DateTimeInterface $y): bool { return $x <= $y; };
    // Both sides must be time values, so the literal bounds go through time-one-and-only as well.
    $timeOneAndOnly = function (string $x): DateTimeInterface { return new DateTimeImmutable($x); };

    // Functional\true() from the functional-php library is true only if every element is strictly true.
    $condition = Functional\true([
        $timeGreaterThanOrEq($timeOneAndOnly($env->getCurrentTime()), $timeOneAndOnly('09:00:00')),
        $timeLessThanOrEq($timeOneAndOnly($env->getCurrentTime()), $timeOneAndOnly('17:00:00')),
    ]);
What’s a XACML Obligation? “The XACML standard defines the concept of obligations which are elements which can be returned along with a XACML decision (either of Permit or Deny) in order to enrich that decision. Obligations are triggered on either Permit or Deny. The Policy Enforcement Point [PEP] must implement and enforce obligations. If it fails to do so, it must deny access to the requested resource (in the case of a Permit).”
https://www.webfarmr.eu/2015/02/tgif-xacml-whats-a-xacml-obligation/
Examples of Obligations:
• Auditing - Log when an action was performed on a resource.
• Security Checkup - Ask the user to review their 2FA details after a remembered login.
• Security Lockdown - If credentials entered incorrectly multiple times.
• Break-the-Glass Scenario - Medical records may need to be accessed in emergency situations, regardless of what permissions were granted.
Shortcomings of XACML:
• XACML syntax is very verbose.
• Is complex, though it better describes business requirements than ACL when rules are persisted.
• Somewhat limited resources, or non-concise.
• Perhaps overkill and Enterprise-y™ …?
and the winner is… Part 3: ABAC using Symfony Voters
SUMMARY
• Symfony Voters solve 80% of your requirements for 20% of the work.
• XACML would solve 100% of your requirements, would scale well, is designed for runtime and is enterprise-capable, but the learning curve is steep, and there are no well established tools in PHP.
• RBAC is not compatible with single entities.
• ACL is compatible with single entities, but is non-trivial.
Thank you for listening
Adam Elsodaney, Lead Developer
ACL Demo: https://github.com/adamelso/acland
Slides: github.com/adamelso/symfony-uk-meetup-2018-08-30-access-control
adam@veruscript.com @ArchFizz @Veruscript www.veruscript.com
Publish high-quality, cost-effective journals with our publishing services