Python Authorization Anti-Patterns and How to Avoid Them

gemanor

Gabriel L. Manor

Posted on July 17, 2023

Python Authorization Anti-Patterns and How to Avoid Them

Introduction

Authorization plays a vital role in building secure and robust applications, ensuring that users possess the necessary permissions to access resources or perform particular actions.

In Python, developers often follow authorization anti-patterns that can potentially lead to security vulnerabilities, needless code complexity, and significant maintenance difficulties. This article examines these anti-patterns and provides strategies to avoid them for more effective authorization implementation.

Understanding Authentication and Authorization

Before we delve into the anti-patterns, it's crucial to differentiate between authentication and authorization. Authentication is the process of verifying a user's identity , while authorization assigns permissions and access rights to an authenticated user.

While authentication paves the way for authorization, they are separate processes. Authorization decisions should be independent of authentication , ensuring that access is granted or denied based on a user's permissions, after their authentication status is verified.

After understanding this crucial difference, we can now dive into the authorization anti-patterns.

Common Authorization Anti-Patterns

Mixing Authorization Code with Application Logic

One common way to code authorization in Python is to integrate statements such as if is_admin: into the code logic. Fortunately, this pattern isn't widespread thanks to a variety of frameworks available.

One of the main problems with this method is the difficulty it creates in understanding, debugging, and maintaining your code. It also violates the principles of single responsibility and separation of concerns.

Embedding Roles in Application Code

Another common method of handling authorization in Python involves using decorators that specify the roles with access to a function. This is a widespread pattern in many HTTP frameworks:

# Middleware
def roles_required():
    ...
            if user.role == 'admin':
                return func(*args, **kwargs)
            else:
                raise Exception('User is not admin')
    ...
@roles_required('admin')
def delete_user(user_id):
    user = User.get(user_id)
    user.delete()
Enter fullscreen mode Exit fullscreen mode

Despite being a more favorable approach than the previous one, it has its own drawbacks. For instance, every role modification necessitates code changes. As every developer knows, changing code means more bugs, a slower product lifecycle, and other issues that could break the application delivery metrics.

Writing Multiple Authorization Functions

Using decorator frameworks and declaring roles in the app’s code often doesn't provide the needed granularity on the resource level. This will likely result in us having to script the decision logic in another middleware:

# Middleware
def roles_required():
    ...
            if user.role == 'admin':
                return func(*args, **kwargs)
            else:
                raise Exception('User is not admin')
    ...
def permissions_required():
    ...
            if permissions == 'delete_user':
                return func(*args, **kwargs)
            else:
                raise Exception('User is not admin')
    ...
# Business logic
@roles_required('admin')
@permissions_required('delete_user')
def delete_user(user_id):
    ...
Enter fullscreen mode Exit fullscreen mode

As we can see here, the resulting code becomes increasingly complex and difficult to maintain. Whenever we need to add more logic, we'll be forced to create more middleware (or augment the existing ones), which is highly inefficient.

Limited Function Scope

When using middleware frameworks, we may find the function scope lacking sufficient information to make a decision. For example, our billing system may need to check if a user is a paying customer, but the function scope lacks the user's billing status:

@roles_required('admin')
def enable_workflow(user_id):
    user = User.get(user_id)
    paid_tier = billing_service.get_user_tier(user_id) == 'paid'
    if not paid_tier:
        raise Exception('User is not on the paid tier')
Enter fullscreen mode Exit fullscreen mode

As depicted above, we must integrate more logic into the function itself, thereby reverting to the issue of mixing code with app logic. The problem becomes even worse when we need to make a decision mid-function.

Lack of Centralized Authorization

Using middleware frameworks often results in authorization functions being scattered across the codebase, making the authorization logic hard to maintain and update. A critical aspect of authorization is having a centralized location where all the authorization logic is defined - ensuring easy updates and consistency across the application.

Performance Issues

Unlike authentication, authorization decisions occur frequently within the application. Using policy decisions embedded in the application code can lead to performance issues. Not only does this code impact performance, but it also becomes difficult to debug when numerous authorization functions are distributed throughout the code.

So how can we avoid all of these anti-patterns? Here are a few best practices we think could be useful -

Python Authorization Best Practices

Use Declarative Policies Instead of Imperative Statements

Adopt policy-as-code approaches, such as the Cedar language, to define authorization policies. A declarative approach allows you to articulate your desired permissions without muddling your code with intricate authorization logic.

The following code is an example of declaring a simple RBAC policy in Cedar:

permit(
    principal in Role::"admin",
    action in [
        Action::"task:update",
        Action::"task:retrieve",
        Action::"task:list"
    ],
    resource in ResourceType::"task"
);
Enter fullscreen mode Exit fullscreen mode

As you can easily read here, the policy permits users in the admin role to perform update, retrieve, and list actions on the task resource.

Using a declarative approach allows you to define your authorization policies in a single location, making them easier to manage and maintain.

Keep Your Enforcement Layer Model-Agnostic

Your enforcement layer (where you enforce policy decisions in the application) and authorization model should remain separate. The enforcement layers should be capable of handling different models, such as Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC), without any changes to the enforcement logic.

Here's an example of how we take the same method of creating policies and create an ABAC policy in Cedar:

permit (
    principal,
    action in
        [Action::"UpdateList",
         Action::"CreateTask",
         Action::"UpdateTask",
         Action::"DeleteTask"],
    resource
)
when { principal in resource.editors };
Enter fullscreen mode Exit fullscreen mode

As you can see, the policy is very similar to the RBAC one, but it uses a different attribute to make the decision. This is the power of using declarative policy language - you can easily change the policy without changing the enforcement logic.

Choose a Framework/Language Generic Service

Your authorization service should be generic, and capable of adapting to various frameworks or applications. The easiest way to achieve this is by offering a read-only RPC (such as an HTTP API endpoint) endpoint in the decision point. This way, every application that wants to enforce authorization has to send the same structure of decision request to it.

With the examples we have seen above, we can see that the enforcement logic is the same for both RBAC and ABAC policies. The only difference is the policy itself. This is the power of having a generic authorization service - it can be used with any policy model.

Here's an example of enforcing the policy in Python:

is_authorize(user, action, resource)
Enter fullscreen mode Exit fullscreen mode

This is_authorize function is calling the Cedar-agent, an engine that can evaluate the policy and return the decision. The function is generic and can be used with any policy model.

Always Decouple Policy from Code

Avoid making policy decisions directly within the application code. Instead, encapsulate the authorization logic within a separate layer or module. This will ensure that policy decisions remain independent from application logic and are easily modifiable as needed.

Using Policy as Code makes it easy to decouple authorization logic from application code. The policy is defined in a separate environment and repository, and the enforcement logic is generic and can be used with any policy model.

Create a Unified Platform for Authorization

Consolidate all your authorization policies into a single source of truth platform. This practice simplifies the management and maintenance of permissions and ensures consistency across your application. Even if you have multiple apps, you can deploy them with multiple decision points, but the policy is still defined in a single location.

Make Sure Decisions Are Easy to Audit

Maintain a centralized audit log for all authorization decisions within your application. A clear record of who accessed what and when assists with security analysis, compliance requirements, and detection of potential unauthorized access.

Using Policy as Code makes it easy to audit the policy as it all uses the same policy engines to evaluate the authorization decision. By modeling your decision architecture with the above practices, you can easily use any logging system to centralize all your decision logs in one place.

Choosing an Authorization Service

To align with these best practices, the optimal approach involves using an authorization service that centralizes configuration and deploys decentralized policy decision points to enforce the authorization logic in your applications. There are two options for setting up an authorization service:

Using Open-Source

OPAL, an open-source tool, helps you set up a comprehensive authorization system based on the Cedar language, Open Policy Agent (OPA), and other policy engines. With OPAL, you can promptly establish an authorization service using a provided Docker file. In this article, you can find very detailed instructions for creating such an open-source, fully functional system using one Dockerfile/helm chart.

Using a Cloud Service

Permit.io is a cloud service offering a user-friendly policy editor and efficient permission management. It supports various permission models, including RBAC, ABAC, and ReBAC, and also provides synchronization capabilities to keep the data for policy decisions up-to-date in real time.

For Python applications, Permit.io offers a Python SDK to integrate the service with your application and enforce the authorization logic. The Permit SDK simplifies your policy decisions to a single function call, like so:

permit.check('user', 'read', 'resource')
Enter fullscreen mode Exit fullscreen mode

Conclusion

Building permissions and authorization can be a complex endeavor, but adhering to the best practices outlined in this article can lead to more robust and maintainable applications. It's vital to avoid the mentioned anti-patterns, adopt a declarative approach, and ensure that your authorization system is agnostic, generic, decoupled, unified, and easily auditable. By centralizing your authorization policies and leveraging open-source tools or cloud services like OPAL and Permit.io, you can streamline the implementation and management of your authorization system.

What's Next?

Creating an account in app.permit.io is free and you can get a working Python authorization service in less than 10 minutes. In the same time you've spent on reading this article, you can imply a working PoC so you can get other team member in this excitement.

If you have any questions or comments, we invite you to join our vibrant authorization community in Slack, just click here and find the right channel for your new AuthZ friends :)

Happy AuthZ!

💖 💪 🙅 🚩
gemanor
Gabriel L. Manor

Posted on July 17, 2023

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related