Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Designing with capabilities
for fun and profit
@ScottWlaschin
fsharpforfunandprofit.com/cap
Good security => Complicated
I won’t like doing this
Good security => Complicated
X
Security for free!
...which is good,
because I’m lazy
Good security == Good design
I like doing this
The topic of this talk
Not about OAuth, JWT etc
Good security == Good design
Transparent
Opaque
It’s all about
security, right?
Sed ut perspiciatis unde omnis iste natus error sit voluptatem
accusantium doloremque laudantium, totam rem aperiam,
eaque...
Sed ut perspiciatis unde omnis iste natus error sit voluptatem
accusantium doloremque laudantium, totam rem aperiam,
eaque...
EVOLUTION OF AN API
Evolution of an API
(from the security point of view)
Say that the UI needs to set a
configuration option
(e.g. DontShowTh...
Version1
Give the caller the configuration file name
interface IConfiguration
{
string GetConfigFilename();
}
var filename...
Version 2
Give the caller aTextWriter
interface IConfiguration
{
TextWriter GetConfigWriter();
}
var writer = config.GetCo...
Version 3
Give the caller a key/value interface
interface IConfiguration
{
void SetConfig(string key, string value);
}
con...
Version 4
Give the caller a domain-centric interface
enum MessageFlag {
ShowThisMessageAgain,
DontShowThisMessageAgain
}
i...
Version 5
Give the caller only the interface they need
interface IWarningMessageConfiguration
{
void SetMessageFlag(Messag...
Can’t get your
work done
Too much information passed in
Just right Potential for
abuse
Principle of Least Authority
(POLA)...
Evolution of the same API
(from the design point of view)
DesignVersion1
Give the caller the configuration file name
interface IConfiguration
{
string GetConfigFilename();
}
API
Ba...
DesignVersion 2
Give the caller aTextWriter
interface IConfiguration
{
TextWriter GetConfigWriter();
}
API
Better design: ...
DesignVersion 3
Give the caller a key/value interface
interface IConfiguration
{
void SetConfig(string key, string value);...
DesignVersion 4
Give the caller a domain-centric interface
enum MessageFlag {
ShowThisMessageAgain,
DontShowThisMessageAga...
DesignVersion 5
Give the caller only the interface they need
interface IWarningMessageConfiguration
{
void SetMessageFlag(...
Can’t do
anything
Too many dependencies
Just right Unnecessary
coupling
Interface Segregation Principle
Too few dependenci...
Ak.a. Minimize your surface area
(to reduce chance of abuse)
OO Design Guidelines
Interface Segregation Principle
Single R...
Good security => Good design
Good design => Good security
INTRODUCING
“CAPABILITIES”
Capability based design
• In a cap-based design, the caller can only do
exactly one thing -- a "capability".
• In the exam...
A one method interface is a capability
interface IWarningMessageConfiguration
{
void SetMessageFlag(MessageFlag value);
}
A one method interface is a function
interface IWarningMessageConfiguration
{
void SetMessageFlag(MessageFlag value);
}
Ac...
Capability-based security
in the real world
What does “access-control” mean?
• Preventing any access at all.
• Limiting access to some things only.
• Revoking access ...
Using capabilities to
control access to a resource
Secret
Files
Alice
Bob
X
Alternative for access control
Using auth/RBAC to
control access to a resource
Secret
Files
Alice
Bob
rejected
accepted
A weakness in capabilities
Secret
Files
Alice
Bob

Anyone with the
key can get access.
A weakness in auth/RBAC
Secret
Files
Alice
Bob

A weakness in any security system!
Secret
Files
Alice
Bob
Do you trust Alice?
Then you also trust anyone
whom Alice trusts...
“Don’t prohibit what
you can’t prevent”
Supplies
Closet
Alice
Bob
Secret
Files
X
Capabilities support
decentralized delegation
Supplies
Closet
Auth/RBAC systems are
centralized
Alice
Bob accepted
rejected
Bob has only been
working there for
6 months...
Auth/RBAC systems are
centralized
Alice
“Please grant Bob access
to the supplies closet”
“Then revoke access
after 20 minu...
Supplies
Closet
Auth/RBAC systems are
centralized
Alice
Bob
“Here, Bob. You can
borrow my swipe card”
Credential Sharing
Central systems can revoke access
Secret
Files
Alice
rejected
How to revoke access in a cap-based system?
Revoke?
How to revoke access in a cap-based system?
Demo: Capabilities as functions
DESIGNING AN
API USING CAPABILITIES
Client Service
Request
Response
Tic-Tac-Toe as a service
Proper name is "Noughts and Crosses" btw
Tic-Tac-Toe API (obvious version)
type TicTacToeRequest = {
player: Player
row: Row
col: Column
}
Tic-Tac-Toe API (obvious version)
type TicTacToeResponse = {
result : MoveResult
display: DisplayInfo
}
type MoveResult =
...
Demo:Tic-Tac-Toe
What kind of errors can happen?
• A player can play an already played move
• A player can play twice in a row
• A player c...
“Make illegal operations
unrepresentable”
Don’t let me do a bad thing and
then tell me off for doing it...
Yes, you could ...
Client Service
New Game
Available Moves
Tic-Tac-Toe service with caps
Nine available
moves
Client Service
1st move
Available Moves
Tic-Tac-Toe service with caps
Eight available
moves
Client Service
Available Moves
Tic-Tac-Toe service with caps
2nd move
Seven available
moves
Client Service
Available Moves
Tic-Tac-Toe service with caps
3rd move
Six available
moves
Client Service
No available
Moves
Tic-Tac-Toe service with caps
Winning
move
Tic-Tac-Toe API (cap-based version)
type MoveCapability =
unit -> TicTacToeResponse
type NextMoveInfo = {
playerToPlay : P...
Tic-Tac-Toe API (cap-based version)
type TicTacToeResponse =
| KeepPlaying of
(DisplayInfo * NextMoveInfo list)
| GameWon ...
Tic-Tac-Toe API (cap-based version)
type TicTacToeResponse =
| KeepPlaying of
(DisplayInfo * NextMoveInfo list)
| GameWon ...
Demo: Cap-based Api
What kind of errors can happen?
• A player can play an already played move
• A player can play twice in a row
• A player c...
HATEOAS
Hypermedia As The Engine
Of Application State
“A REST client needs no prior knowledge
about how to interact with a...
How NOT to do HATEOAS
POST /customers/
GET /customer/42
If you can guess the API
you’re doing it wrong
Security problem!
A...
How to do HATEOAS
POST /81f2300b618137d21d /
GET /da3f93e69b98
You can only know what URIs
to use by parsing the page
Each...
Demo: HATEOAS
Some Benefits of HATEOAS
• Client decoupled from server
– The server owns the API model and can change it
without breaking...
Client Service
Login
Available
Capabilities
Service API with caps
Many available
actions initially
Client Service
Use a
capability
Available
Capabilities
Service API with caps
Fewer available
actions in a
given state
CAPABILITY DRIVEN DESIGN
Using these design techniques throughout your domain
Controller/
API
Business
Logic
Database
Client Where shall we put the
authorization logic?
But then any other path
has com...
Controller/
API
Business
Logic
Database
Client Where shall we put the
authorization logic?
But then it doesn’t have
enough...
Controller/
API
Business
Logic
Database
Client Where shall we put the
authorization logic?
Global
Authorizer
Are you doing...
public class CustomerController : ApiController
{
readonly ICustomerDb _db;
public CustomerController(ICustomerDb db)
{
_d...
public interface ICustomerDb
{
CustomerProfile GetProfile(CustomerId id);
void UpdateProfile(CustomerId id, CustomerProfil...
Controller
/API
Business
Logic
Database
Use Case
Controller
/API
Business
Logic
Database
Use Case
Controller
/API
Business...
Controller
/API
Business
Logic
Database
Use Case
Controller
/API
Business
Logic
Database
Use Case
Controller
/API
Business...
Controller
/API
Business
Logic
Database
Use Case
Global
Authorizer
Services
Delegation of capabilities
Delegation with restriction
type MessageFlag =
ShowThisMessageAgain | DontShowThisMessageAgain
type ConfigurationCapabilities = {
GetMessageFlag : uni...
let dontShowMessageAgainDialogBox capabilities =
let getFlag,setFlag = capabilities
let ctrl= new CheckBox(
Text="Don't sh...
Demo:
Vertical slices and delegation
Controller
/API
Business
Logic
Database
Global
Authorizer
Passing capabilities
Controller
/API
Business
Logic
Database
Global
Authorizer
Passing tokens
Overkill?
Too complicated
to implement?
Controller
/API
Business
Logic
Database
Inject a value
of specific type
Global
Authorizer
Passing tokens as types
Represen...
Demo:
Using types for access tokens
What have we covered?
• Don’t use complicated security patterns
– This will ensure that they are never used, or used
wrong...
What have we covered?
• Don’t develop first, add security later
– Right after you implement the “quality” module
• Do use ...
What have we covered?
• Don’t only do security at the outermost layer
• Do use POLA everywhere, which ensures that
you hav...
Common questions
• How do you pass these capabilities around?
– Dependency injection or equivalent
• Are you saying that a...
Common questions
• Won’t there be too many parameters?
– Less than you think!
– Encourages vertical slices (per use-case, ...
Resources for capability-based thinking
• LMGTFY “Capability based security”
• “Lazy developers guide to secure computing”...
Thanks!
@ScottWlaschin
fsharpforfunandprofit.com/cap
Contact me
Slides and video here
Let us know if you
need help with F#
Designing with Capabilities
Designing with Capabilities
Designing with Capabilities
Upcoming SlideShare
Loading in …5
×

Designing with Capabilities

9,033 views

Published on

(Demo code and video available at http://fsharpforfunandprofit.com/cap/)

We all want to produce modular and robust code that is easy to test and refactor, and we have design principles such as SOLID that help us do that.

In this talk I'll look at a very different approach to design using "capabilities" and the principle of least authority. I'll show how using these design techniques throughout your core domain (and not just at your API boundary) also leads to well-designed and modular code.

I'll demonstrate how to design and use a capability based approach, how capabilities can be quickly combined and restricted easily, and how capabilities are a natural fit with a REST API that uses HATEAOS.

Published in: Software

Designing with Capabilities

  1. 1. Designing with capabilities for fun and profit @ScottWlaschin fsharpforfunandprofit.com/cap
  2. 2. Good security => Complicated I won’t like doing this
  3. 3. Good security => Complicated X
  4. 4. Security for free! ...which is good, because I’m lazy Good security == Good design I like doing this
  5. 5. The topic of this talk Not about OAuth, JWT etc Good security == Good design
  6. 6. Transparent Opaque It’s all about security, right?
  7. 7. Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, Temporibus autem quibus Dacei Megasystems Tech Inc necessitatibust aut officiis debitis auteo 2799 E Dragam Suite 7 quisquam saepe Itaque enieti Los Angeles CA 90002 ut et voluptates repudiandae sint et molestiae non recusandae. Itaque earum rerum hic tenetur a sapiente delectus, ut aut reiciendis voluptatibus maiores alias consequatur aut perferendis doloribus asperiores repellat. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Please deliver this letter A counterexample
  8. 8. Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, Temporibus autem quibus Dacei Megasystems Tech Inc necessitatibust aut officiis debitis auteo 2799 E Dragam Suite 7 quisquam saepe Itaque enieti Los Angeles CA 90002 ut et voluptates repudiandae sint et molestiae non recusandae. Itaque earum rerum hic tenetur a sapiente delectus, ut aut reiciendis voluptatibus maiores alias consequatur aut perferendis doloribus asperiores repellat. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Please deliver this letter It’s not just about security... ...hiding irrelevant information is good design!
  9. 9. EVOLUTION OF AN API
  10. 10. Evolution of an API (from the security point of view) Say that the UI needs to set a configuration option (e.g. DontShowThisMessageAgain) How can we stop a malicious caller doing bad things?
  11. 11. Version1 Give the caller the configuration file name interface IConfiguration { string GetConfigFilename(); } var filename = config.GetConfigFilename(); // open file // write new config // close file API Caller  A malicious caller has the ability to open and write to any file on the filesystem
  12. 12. Version 2 Give the caller aTextWriter interface IConfiguration { TextWriter GetConfigWriter(); } var writer = config.GetConfigWriter(); // write new config API Caller  A malicious caller can corrupt the config file We control which file is opened
  13. 13. Version 3 Give the caller a key/value interface interface IConfiguration { void SetConfig(string key, string value); } config.SetConfig( "DontShowThisMessageAgain", "True"); API Caller  A malicious caller can set the value to a non-boolean
  14. 14. Version 4 Give the caller a domain-centric interface enum MessageFlag { ShowThisMessageAgain, DontShowThisMessageAgain } interface IConfiguration { void SetMessageFlag(MessageFlag value); void SetConnectionString(ConnectionString value); void SetBackgroundColor(Color value); } API  What's to stop a malicious caller changing the connection string when they were only supposed to set the flag?
  15. 15. Version 5 Give the caller only the interface they need interface IWarningMessageConfiguration { void SetMessageFlag(MessageFlag value); } API  The caller can *only* do the thing we allow them to do.
  16. 16. Can’t get your work done Too much information passed in Just right Potential for abuse Principle of Least Authority (POLA) Too little information passed in Security spectrum
  17. 17. Evolution of the same API (from the design point of view)
  18. 18. DesignVersion1 Give the caller the configuration file name interface IConfiguration { string GetConfigFilename(); } API Bad design: Using a filename means we limit ourselves to file-based config files. Better design: A TextWriter would make the design more mockable.
  19. 19. DesignVersion 2 Give the caller aTextWriter interface IConfiguration { TextWriter GetConfigWriter(); } API Better design: A generic KeyValue store would make implementation choices more flexible. Bad design: Using a TextWriter means exposing a specific storage format
  20. 20. DesignVersion 3 Give the caller a key/value interface interface IConfiguration { void SetConfig(string key, string value); } API Bad design: A KeyValue store using strings means possible bugs. So we need to write validation and tests for that  Better design: A statically typed interface means no corruption checking code. 
  21. 21. DesignVersion 4 Give the caller a domain-centric interface enum MessageFlag { ShowThisMessageAgain, DontShowThisMessageAgain } interface IConfiguration { void SetMessageFlag(MessageFlag value); void SetConnectionString(ConnectionString value); void SetBackgroundColor(Color value); } API Bad design: An interface with too many methods violates the ISP. Better design: Reduce the number of available methods to one!
  22. 22. DesignVersion 5 Give the caller only the interface they need interface IWarningMessageConfiguration { void SetMessageFlag(MessageFlag value); } API Good design: The caller has no dependencies on anything else. Bonus: easy to mock! 
  23. 23. Can’t do anything Too many dependencies Just right Unnecessary coupling Interface Segregation Principle Too few dependencies Design spectrum
  24. 24. Ak.a. Minimize your surface area (to reduce chance of abuse) OO Design Guidelines Interface Segregation Principle Single Responsibility Principle, etc Security Guidelines Principle of Least Authority (POLA) Ak.a. Minimize your surface area (to reduce coupling, dependencies, etc)
  25. 25. Good security => Good design Good design => Good security
  26. 26. INTRODUCING “CAPABILITIES”
  27. 27. Capability based design • In a cap-based design, the caller can only do exactly one thing -- a "capability". • In the example, the caller has a capability to set the message flag, and that's all. Prevents both maliciousness and stupidity!
  28. 28. A one method interface is a capability interface IWarningMessageConfiguration { void SetMessageFlag(MessageFlag value); }
  29. 29. A one method interface is a function interface IWarningMessageConfiguration { void SetMessageFlag(MessageFlag value); } Action<MessageFlag> messageFlagCapability X
  30. 30. Capability-based security in the real world
  31. 31. What does “access-control” mean? • Preventing any access at all. • Limiting access to some things only. • Revoking access when you are no longer allowed. • Granting and delegating access to some subset of things. It’s not always about saying no!
  32. 32. Using capabilities to control access to a resource Secret Files Alice Bob X
  33. 33. Alternative for access control
  34. 34. Using auth/RBAC to control access to a resource Secret Files Alice Bob rejected accepted
  35. 35. A weakness in capabilities Secret Files Alice Bob  Anyone with the key can get access.
  36. 36. A weakness in auth/RBAC Secret Files Alice Bob 
  37. 37. A weakness in any security system! Secret Files Alice Bob Do you trust Alice? Then you also trust anyone whom Alice trusts too... (Or whom Alice can be tricked into trusting)
  38. 38. “Don’t prohibit what you can’t prevent”
  39. 39. Supplies Closet Alice Bob Secret Files X Capabilities support decentralized delegation
  40. 40. Supplies Closet Auth/RBAC systems are centralized Alice Bob accepted rejected Bob has only been working there for 6 months 
  41. 41. Auth/RBAC systems are centralized Alice “Please grant Bob access to the supplies closet” “Then revoke access after 20 minutes” Authorization System Can your system do this?
  42. 42. Supplies Closet Auth/RBAC systems are centralized Alice Bob “Here, Bob. You can borrow my swipe card” Credential Sharing
  43. 43. Central systems can revoke access Secret Files Alice rejected
  44. 44. How to revoke access in a cap-based system? Revoke?
  45. 45. How to revoke access in a cap-based system?
  46. 46. Demo: Capabilities as functions
  47. 47. DESIGNING AN API USING CAPABILITIES
  48. 48. Client Service Request Response Tic-Tac-Toe as a service Proper name is "Noughts and Crosses" btw
  49. 49. Tic-Tac-Toe API (obvious version) type TicTacToeRequest = { player: Player row: Row col: Column }
  50. 50. Tic-Tac-Toe API (obvious version) type TicTacToeResponse = { result : MoveResult display: DisplayInfo } type MoveResult = | KeepPlaying | GameWon of Player | GameTied
  51. 51. Demo:Tic-Tac-Toe
  52. 52. What kind of errors can happen? • A player can play an already played move • A player can play twice in a row • A player can forget to check the Result and keep playing
  53. 53. “Make illegal operations unrepresentable” Don’t let me do a bad thing and then tell me off for doing it... Yes, you could return errors, but...
  54. 54. Client Service New Game Available Moves Tic-Tac-Toe service with caps Nine available moves
  55. 55. Client Service 1st move Available Moves Tic-Tac-Toe service with caps Eight available moves
  56. 56. Client Service Available Moves Tic-Tac-Toe service with caps 2nd move Seven available moves
  57. 57. Client Service Available Moves Tic-Tac-Toe service with caps 3rd move Six available moves
  58. 58. Client Service No available Moves Tic-Tac-Toe service with caps Winning move
  59. 59. Tic-Tac-Toe API (cap-based version) type MoveCapability = unit -> TicTacToeResponse type NextMoveInfo = { playerToPlay : Player posToPlay : CellPosition capability : MoveCapability } These are for client information only. The player and position are baked into the capability
  60. 60. Tic-Tac-Toe API (cap-based version) type TicTacToeResponse = | KeepPlaying of (DisplayInfo * NextMoveInfo list) | GameWon of (DisplayInfo * Player) | GameTied of DisplayInfo
  61. 61. Tic-Tac-Toe API (cap-based version) type TicTacToeResponse = | KeepPlaying of (DisplayInfo * NextMoveInfo list) | GameWon of (DisplayInfo * Player) | GameTied of DisplayInfo Where did the "request" type go? Where’s the authorization?
  62. 62. Demo: Cap-based Api
  63. 63. What kind of errors can happen? • A player can play an already played move • A player can play twice in a row • A player can forget to check the Result and keep playing Is this good security or good design? All fixed now! 
  64. 64. HATEOAS Hypermedia As The Engine Of Application State “A REST client needs no prior knowledge about how to interact with any particular application or server beyond a generic understanding of hypermedia.” RESTful done right
  65. 65. How NOT to do HATEOAS POST /customers/ GET /customer/42 If you can guess the API you’re doing it wrong Security problem! Also, a design problem – too much coupling.
  66. 66. How to do HATEOAS POST /81f2300b618137d21d / GET /da3f93e69b98 You can only know what URIs to use by parsing the page Each of these URIs is a capability
  67. 67. Demo: HATEOAS
  68. 68. Some Benefits of HATEOAS • Client decoupled from server – The server owns the API model and can change it without breaking any clients – E.g. Change links to point to CDN – E.g. Versioning • Simpler clients in many cases – No need for client-side checking of moves • Explorable API – Choose your own adventure!
  69. 69. Client Service Login Available Capabilities Service API with caps Many available actions initially
  70. 70. Client Service Use a capability Available Capabilities Service API with caps Fewer available actions in a given state
  71. 71. CAPABILITY DRIVEN DESIGN Using these design techniques throughout your domain
  72. 72. Controller/ API Business Logic Database Client Where shall we put the authorization logic? But then any other path has complete access to the database 
  73. 73. Controller/ API Business Logic Database Client Where shall we put the authorization logic? But then it doesn’t have enough context 
  74. 74. Controller/ API Business Logic Database Client Where shall we put the authorization logic? Global Authorizer Are you doing this already?
  75. 75. public class CustomerController : ApiController { readonly ICustomerDb _db; public CustomerController(ICustomerDb db) { _db = db; } [Route("customers/{customerId}")] [HttpGet] [GetCustomerProfileAuth] public IHttpActionResult Get(int customerId) { var custId = new CustomerId(customerId); var cust = _db.GetProfile(custId); var dto = DtoConverter.CustomerToDto(cust); return Ok(dto); }
  76. 76. public interface ICustomerDb { CustomerProfile GetProfile(CustomerId id); void UpdateProfile(CustomerId id, CustomerProfile cust); void CreateAccount(CustomerId id, CustomerProfile cust); void DeleteAccount(CustomerId id); void UpdateLoginEmail(CustomerId id, string email); void UpdatePassword(CustomerId id, string password); } How much authority do you really need?
  77. 77. Controller /API Business Logic Database Use Case Controller /API Business Logic Database Use Case Controller /API Business Logic Database Use Case Global Authorizer Every controller has one method
  78. 78. Controller /API Business Logic Database Use Case Controller /API Business Logic Database Use Case Controller /API Business Logic Database Use Case Global Authorizer Vertical slices Don’t mention microservices
  79. 79. Controller /API Business Logic Database Use Case Global Authorizer Services
  80. 80. Delegation of capabilities
  81. 81. Delegation with restriction
  82. 82. type MessageFlag = ShowThisMessageAgain | DontShowThisMessageAgain type ConfigurationCapabilities = { GetMessageFlag : unit -> MessageFlag SetMessageFlag : MessageFlag -> unit GetBackgroundColor : unit -> Color SetBackgroundColor : Color -> unit GetConnectionString : unit -> ConnectionString SetConnectionString : ConnectionString -> unit } ◘
  83. 83. let dontShowMessageAgainDialogBox capabilities = let getFlag,setFlag = capabilities let ctrl= new CheckBox( Text="Don't show this message again") ctrl.Checked <- getFlag() // etc
  84. 84. Demo: Vertical slices and delegation
  85. 85. Controller /API Business Logic Database Global Authorizer Passing capabilities
  86. 86. Controller /API Business Logic Database Global Authorizer Passing tokens Overkill? Too complicated to implement?
  87. 87. Controller /API Business Logic Database Inject a value of specific type Global Authorizer Passing tokens as types Represent tokens by types!
  88. 88. Demo: Using types for access tokens
  89. 89. What have we covered? • Don’t use complicated security patterns – This will ensure that they are never used, or used wrong. – Don’t rely on other people doing the right thing. – Don’t rely on other people reading the documentation! • Do use techniques where you get security for free. – You can be lazy! – You don’t have to remember to do anything.
  90. 90. What have we covered? • Don’t develop first, add security later – Right after you implement the “quality” module • Do use security-driven design – Bonus: get a modular architecture!
  91. 91. What have we covered? • Don’t only do security at the outermost layer • Do use POLA everywhere, which ensures that you have minimal dependencies.
  92. 92. Common questions • How do you pass these capabilities around? – Dependency injection or equivalent • Are you saying that all external IO should be passed around as capabilities? – Yes!You should never access any ambient authority. – You should be doing this anyway for mocking.
  93. 93. Common questions • Won’t there be too many parameters? – Less than you think! – Encourages vertical slices (per use-case, scenario) – “Functional core, imperative shell” • Can’t this be bypassed by reflection or other backdoors? – Yes. This is really all about design not about total security.
  94. 94. Resources for capability-based thinking • LMGTFY “Capability based security” • “Lazy developers guide to secure computing” talk by Marc Stiegler • erights.org • Google's Caja built over JavaScript • Emily, a capability based language (via Ocaml)
  95. 95. Thanks! @ScottWlaschin fsharpforfunandprofit.com/cap Contact me Slides and video here Let us know if you need help with F#

×