lgwillmore / warden

Kotlin Attribute Based Access Control
MIT License

How to work on the springboot #40

Open toop opened 2 years ago

toop commented 2 years ago

On Spring Boot, when a user accesses /books/list, I need to filter the books data according to the data_scope range of the currently logged-in user and the category value of the books. Could you tell me how to do this? Please give some concrete examples. Thank you very much!

USER:

| user | dept | data_scope |
| --- | --- | --- |
| admin | 1 | [,] |
| Tom | 1 | [1,2,3] |
| Sim | 2 | [1,2] |
| Kat | 3 | null |

BOOKS:

| id | name | category |
| --- | --- | --- |
| 1 | book1 | 1 |
| 2 | book2 | 1 |
| 3 | Book3 | 2 |
| 4 | book4 | 3 |
| 5 | book5 | 4 |
| 6 | book6 | 5 |

When user admin accesses the API /books/list, all data is visible, so return the data:

| id | name | category |
| --- | --- | --- |
| 1 | book1 | 1 |
| 2 | book2 | 1 |
| 3 | Book3 | 2 |
| 4 | book4 | 3 |
| 5 | book5 | 4 |
| 6 | book6 | 5 |

When user Tom accesses the API /books/list, books.category must be in user.data_scope, so return the data:

| id | name | category |
| --- | --- | --- |
| 1 | book1 | 1 |
| 2 | book2 | 1 |
| 3 | Book3 | 2 |
| 4 | book4 | 3 |

When user Sim accesses the API /books/list, books.category must be in user.data_scope, so return the data:

| id | name | category |
| --- | --- | --- |
| 1 | book1 | 1 |
| 2 | book2 | 1 |
| 3 | Book3 | 2 |

When user Kat accesses the API /books/list, user.data_scope is null, so return the exception: "access denied, missing permissions"

How can the above requirements be implemented in an MVC and OAuth2 environment? Please give some practical examples. Thank you very much!

lgwillmore commented 2 years ago

On holiday at the moment with bad internet, but will try to give some pointers.

For batch filtering of a collection of resources there is a different function on EnforcementPoint and DecisionPoint. Not documented yet, but will do it next week.

Here https://github.com/lgwillmore/warden/blob/e3e984ccad746e0615cfb347002ad2d6b183f4d0/core/src/commonMain/kotlin/codes.laurence.warden/enforce/api.kt#L19

This does not error if empty, it will just be empty.

It seems you also want to merge data into your subject regarding roles. Implement an InformationPoint for this.

Definitely going to implement a full detailed demo project soon and work on more docs.
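An added example, not warden's API and not code from either participant: it models the reporter's data_scope rule in plain Kotlin, with a per-item decision, a batch filter that drops denied items rather than failing (the empty-result behaviour described above), and a missing attribute that raises the denial the reporter asks for. The names `DataScope`, `decide`, `filterBooks` and `AccessDeniedException` are assumed for illustration only.

```kotlin
// Added illustration, not warden's API: models the issue's data_scope rule.
sealed class DataScope {
    object All : DataScope()                               // the "[,]" entry: unbounded, every category
    data class Categories(val ids: Set<Int>) : DataScope()
}

data class Subject(val name: String, val dept: Int, val dataScope: DataScope?) // null = attribute absent
data class Book(val id: Int, val name: String, val category: Int)

class AccessDeniedException(message: String) : RuntimeException(message)

// Decision for one (subject, resource) pair: the book's category must fall inside the subject's scope.
fun decide(subject: Subject, book: Book): Boolean = when (val scope = subject.dataScope) {
    null -> false
    DataScope.All -> true
    is DataScope.Categories -> book.category in scope.ids
}

// Batch enforcement for a collection endpoint: an absent scope attribute is a hard denial
// (the Kat case); otherwise denied items are dropped, so the result may simply be empty.
fun filterBooks(subject: Subject, books: List<Book>): List<Book> {
    if (subject.dataScope == null) throw AccessDeniedException("access denied, missing permissions")
    return books.filter { decide(subject, it) }
}

// Constructed sample data taken from the tables in the issue.
val books = listOf(
    Book(1, "book1", 1), Book(2, "book2", 1), Book(3, "Book3", 2),
    Book(4, "book4", 3), Book(5, "book5", 4), Book(6, "book6", 5),
)
val users = listOf(
    Subject("admin", 1, DataScope.All),
    Subject("Tom", 1, DataScope.Categories(setOf(1, 2, 3))),
    Subject("Sim", 2, DataScope.Categories(setOf(1, 2))),
    Subject("Kat", 3, null),
)

fun main() {
    for (user in users) {
        try {
            val visible = filterBooks(user, books).map { it.id }
            println("${user.name}: $visible")
        } catch (e: AccessDeniedException) {
            println("${user.name}: ${e.message}")
        }
    }
}
```

The decision and the batch filter are kept separate so the same `decide` rule can back a single-resource endpoint that throws on denial and a collection endpoint that filters.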

lgwillmore commented 2 years ago

Also, the opinion of warden is that authorization logic is key business logic. It should not be implemented at an http layer, and so resolving authentication credentials to a user ID or application agent or user DTO with oauth or not most likely happens at layers above, typically a web framework layer. But solid examples of this will follow.

toop commented 2 years ago

Thank you very much for your reply and waiting for your solution.

lgwillmore commented 2 years ago

Will smash it out this weekend :D

Just to be clear, this is not going to include a spring boot layer. It will be a demonstration and documentation of a full Core and Ktor architecture.

The general theory is that at an HTTP layer all we want to do is make sure that no request happens without going through authorization logic without explicitly opening up that path.

Authorization is business logic, and should not exist at the web fringe of your architecture.

Hopefully a full core demo will get you to a point where you can close the gap between spring and warden authorization, and possibly help contribute to a spring plugin for the "Ensure everything is authorized" logic?