Forem: Oghenevwede Emeni

Understanding how Role-based Access Control works

Oghenevwede Emeni — Tue, 06 Dec 2022 16:10:16 +0000

Key Takeaways

Role-based and resource-based authorisation entails approving a request in accordance with the roles that have been given to a user or a certain resource.
The right to control who can see and access information should belong to the person who created it. Access privileges for each user should be individually customizable by organisations.
The best way to explain this resource distribution is as a division of the system's resources among various administrative areas.
Helpers can make it easier to develop role-based systems by streamlining the process of granting access depending on the roles associated with each user profile.
Roles are given permissions, and maybe granted to people or user groups.

Introduction

RBAC (Role Based Access Control) allows you to use permissions to determine what may be accessed. It adheres to the principle of giving a system rights depending on a user's position within an organisation. It does away with the need to manually or individually control access rights to a whole system or a single resource.
In this article, we'll look at role-based access control, an architecture that lets several users inside a company share resources while limiting each user group's access to data that they are authorised to see. We will explore the idea of resource isolation and system security in relation to role-based authorization logic.
To fully follow this article, we will also require the following:

Go installed, as well as a working knowledge of the language.
A MongoDB account

A RBAC scenario

Let's sketch a picture. You were given the duty of developing a blog application for your company with features like writing blog posts, posting them, editing them, and removing them. Assume that the task's additional instructions asked you to create two user groups— an editor, and a writer. Specific responsibilities and duties being allocated to each user group. A user who belongs to the writer group, for instance, should only be able to create blog posts, while a user who belongs to the editor group, should only be able to edit.
You can choose to construct the system in a variety of ways. For instance, creating unique apps for every user or creating a single application and limiting access to certain functionalities based on roles. The role-based access control method would be the ideal if you choose the latter choice since it will allow you to construct a system that is more scalable and can support several users because all of the users will be using the same infrastructure and sharing the same resources. The idea is to provide a generic login system that directs users to the appropriate dashboards according to their roles.
MongoDB, Github, and Wix are examples of systems that operate with this access logic. These applications allow you to configure role-based authorization. For instance, WIX offers a variety of user categories, including a billing manager, administrator, site owner, blog owner, and more. These positions each have a different amount of permission. Similar rights may apply to some, such as the ability of an admin user to control billing operations similarly to a billing manager.

What to consider when building RBAC Systems

Before creating RBAC Systems, there are a few aspects to take into account. Things like price, product kind, and business decisions. Following are a handful of them:

What are the system's characteristics? Is this sort of architecture truly necessary for the system?
Who are my system users, and how will I classify them?
What specific features are required by each user, and how will you manage them?
What steps will you take to scale the system when you need to create additional user roles because your system is expanding with even more functionalities?
What kind of infrastructure are you in need of?

Role-based access control Approaches

Several things take place when an access request is made in ant application. The user is initially authenticated in order to determine whether they even have permission to use the platform. The user's type must then be determined. If a user is a billing manager, they should only be able to view the dashboard's billing area; similarly, a blog post editor should only be able to access the various blog entries. Finally, after confirming the sort of user they are, you may grant them access to the information they require.
Modelling the many users that will reside in your system is quite crucial. Determining how each user will be segregated is also crucial. This article will place a lot of emphasis on logical segregation, where user groups use the same infrastructure and are identified by unique types and helper codes.

Role-based access control using the user type logic

In this context, the term "roles" is used to describe a person or set of users who carry out particular tasks within a system. When establishing roles, it's crucial to first list all the possible activities that may be taken in your application before grouping related actions together. Some user responsibilities overlap, thus it would be good practice to be aware of this. You may, for instance, have two roles in your blog application: reader and publisher. The sole right of a reader may be to read blog posts, while the publisher's primary duty may be to publish edited articles, however a publisher may also be permitted to read the blog posts. Therefore, rather than requiring them to register a whole new account in order to have reading access, this access permission may also be defined in his or her role.

Building a simple application that makes use of Role-based Access Control

To further understand how RBAC works, we will build a basic golang application.
To begin, start a new Golang project and connect it to a MongoDB database. Install mongodrivers and the gin package as well. We won't discuss project setup as the focus of this article is to illustrate Role-based Access Control. You'll also need to create your project structure and also create your authentication endpoints using the model structure shown below.

package models
import (
    "time"
    "go.mongodb.org/mongo-driver/bson/primitive"
)
type User struct {
    ID            primitive.ObjectID `bson:"_id"`
    Name          *string            `json:"name" validate:"required,min=4,max=100"`
    Password      *string            `json:"Password" validate:"required,min=8"`
    Email         *string            `json:"email" validate:"email,required"`
    Token         *string            `json:"token"`
    user_type     *string          `json:"user_type" validate:"required,eq=EDITOR|eq=WRITER"`
    Refresh_token *string            `json:"refresh_token"`
    Created_at    time.Time          `json:"created_at"`
    Updated_at    time.Time          `json:"updated_at"`
}

The user model has a field called user_type. The two possible options for this field are WRITER, or EDITOR.
Our go application will include the following features:

Creating a blog post (only admins and writers can do this)
Edit a blogpost (only editors and writers can do this)

Now to set up our blog model. Our blog model will collect data such as the blog title, content, writer’s id and category.
(blog_model.go)

package models
import (
    "time"
    "go.mongodb.org/mongo-driver/bson/primitive"
)
type Post struct {
    ID            primitive.ObjectID `bson:"_id"`
         Title          *string            `json:"title" validate:"required,min=4,max=100"`
         Category       *string            `json:"category" validate:"required,min=4,max=100"`
         Story          *string            `json:"story" validate:"required,min=4,max=100"`
         Writer_id      *string            `json:"writer_id"`
         Created_at     time.Time          `json:"created_at"`
         Updated_at     time.Time          `json:"updated_at"`
}

After we've finished our models, we'll need to make an auth_helper file. Simply put, our auth_helper file includes the functionality required to manage our various user types. It has two simple functions;

CheckUserType() - Which simply checks the user type of the user trying to access a specific resource and;
UserUid() - which checks to see the id of that user and then checks to see if it belongs to the user group that is expected. This is a very basic method of dealing with role-based access control. A more sophisticated method of managing role-based access control may entail adding elements like policies to various user groups or even a particular user id. The IAM and roles capabilities in AWS are a perfect illustration of this. Now to create our helper file (auth_helper.go).

Package helper
import (
    "errors"
    "github.com/gin-gonic/gin")

func CheckUserType(c *gin.Context, role string) (err error) {
    userType := c.GetString("user_type")
    err = nil
    if userType != role {
        err = errors.New("You are not authorised to access this!")
        return err
    }
    return err
}
//To match the user type to the id
func UserUid(c *gin.Context, userId string) (err error) {
    userType := c.GetString("user_type")
    uid := c.GetString("uid")
    err = nil

    if userType == "USER" && uid != userId {
        err = errors.New("Unauthorised to access this resource")
        return err
    }
    err = CheckUserType(c, userType)
    return err
}

The CreatePost() function first checks to see if a user belongs to the group WRITER before processing the request. It does this using the CheckUserType() helper function and It throws an error message “You are not authorised to access this!” if the user is not authorised,
(blogpost.go)

func CreatePost() gin.HandlerFunc {
    return func(c *gin.Context) {
        if err := helper.CheckUserType(c, "WRITER"); err != nil {
            c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
            return
        }
        ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
        var post models.Post
        defer cancel()

        //validate the request body
        if err := c.BindJSON(&post); err != nil {
            c.JSON(http.StatusBadRequest, gin.H{
                "Status":  http.StatusBadRequest,
                "Message": "error",
                "Data":    map[string]interface{}{"data": err.Error()}})
            return
        }
        if validationErr := validate.Struct(&post); validationErr != nil {
            c.JSON(http.StatusBadRequest, gin.H{
                "Status":  http.StatusBadRequest,
                "Message": "error",
                "Data":    map[string]interface{}{"data": validationErr.Error()}})
            return
        }

        newPost := models.Post{
            Id:   primitive.NewObjectID(),
            Title: post.Title,
            Category: post.Category,
            Story: post.Story,
            Writer_id: post.Writer_id,

        }

        result, err := postCollection.InsertOne(ctx, newPost)

        if err != nil {
            c.JSON(http.StatusBadRequest, gin.H{
                "Status":  http.StatusBadRequest,
                "Message": "error",
                "Data":    map[string]interface{}{"data": err.Error()}})
            return
        }

        if err != nil {
            c.JSON(http.StatusInternalServerError, gin.H{
                "Status":  http.StatusInternalServerError,
                "Message": "error",
                "Data":    map[string]interface{}{"data": err.Error()}})
            return
        }

        c.JSON(http.StatusCreated, gin.H{
            "Status":  http.StatusCreated,
            "Message": "success",
            "Data":    map[string]interface{}{"data": result}})
    }
}

Next we will need to create the controller function for our edit blog post function. Only users who belong to the EDITOR group may perform this function.

func EditPost() gin.HandlerFunc {
    return func(c *gin.Context) {
        if err := helper.CheckUserType(c, "EDITOR"); err != nil {
            c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
            return}
        ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
        postId := c.Param("post_id")
        var post models.Post
        defer cancel()
        objId, _ := primitive.ObjectIDFromHex(postId)

        //validate the request body
        if err := c.BindJSON(&post); err != nil {
            c.JSON(http.StatusBadRequest, gin.H{
                "Status":  http.StatusBadRequest,
                "Message": "error",
                "Data":    map[string]interface{}{"data": err.Error()}})
            return }

        //use the validator library to validate required fields
        if validationErr := validate.Struct(&post); validationErr != nil {
            c.JSON(http.StatusBadRequest, gin.H{
                "Status":  http.StatusBadRequest,
                "Message": "error",
                "Data":    map[string]interface{}{"data": validationErr.Error()}})
            return}
        update := bson.M{
            "Title": post.Title,
            "Category": post.Category,
            "Story": post.Story,
            "Writer_id": post.Writer_id
    }
        filterByID := bson.M{"_id": bson.M{"$eq": objId}}
        result, err := postCollection.UpdateOne(ctx, filterByID, bson.M{"$set": update})
        if err != nil {
            c.JSON(http.StatusInternalServerError, gin.H{
                "Status":  http.StatusInternalServerError,
                "Message": "error",
                "Data":    map[string]interface{}{"data": err.Error()}})
            return
        }

        var updatedPost models.Post
        if result.MatchedCount == 1 {
            err := postCollection.FindOne(ctx, filterByID).Decode(&updatedPost)
            if err != nil {
                c.JSON(http.StatusInternalServerError, gin.H{
                    "Status":  http.StatusInternalServerError,
                    "Message": "error",
                    "Data":    map[string]interface{}{"data": err.Error()}})
                return
            }
        }

        c.JSON(http.StatusOK, gin.H{
            "Status":  http.StatusOK,
            "Message": "success",
            "Data":    updatedPost})
    }
}

It is important to note that permission to resources in an environment with multiple users should be granted right after a user has been authenticated and checked to see if they have the required authorisation. Multi user applications typically operate on role and resource based authorisation, as stated earlier.

Identity and Access Management (IAM) and Policies

A popular idea in AWS is identity and access management (IAM). In essence, it is a framework for authorization and authentication, composed of policies that regulate who has access to what. According to the organisational structure and the roles of the users, many IAM systems employ role-based access control (RBAC) to issue permissions for who may do what within an application.
In addition to RBAC, IAM systems support other types of access control methods. These access control methods include;

Mandatory Access Control (MAC): regulates access by matching the users ids with existing clearance permission . Only the system administrators or policy administrators have the authority to allow or restrict access to certain files. When a user attempts to enter the system, the system looks at their security characteristics to evaluate if permission is granted.
Discretionary Access Control (DAC) - As the name suggests, this technique enables system administrators to provide another user access to an application at their discretion. However, DAC has a significant problem since it offers end users far more authority than they deserve, which poses a big security risk.
Rule-Based Access Control: This method grants users access to a system in accordance with predetermined rules. These restrictions are included in an Access Control List, which is associated with the user identity. It is quite similar to role-based access control, however their assignment procedures are different. For instance, if we were to design a blog system using role-based access control, we would create user groups and assign policies to each user group. If we were to accomplish this using rule-based access control, however, we would be able to take rights much farther down than just grouping. For example, you may go further and specify that only users who identify as "female" can access particular articles, as opposed to just declaring that all readers can access all categories.

Identity and Access Management (IAM) Components

Role-based access control is a feature of systems with IAM deployed that enables system administrators to manage access to systems based on the roles of certain individuals within the company. Everything pertaining to user access and management should be accessible via IAM systems. Key elements of IAM systems include:

Verifying and authenticating user IDs
Taking care of the many user IDs
Using policies or other types of control to manage user rights distribution.
Securing the system as a whole and safeguarding the system's sensitive data.

Best Practices

Here are some good practices to take note of;

Security and risks: The collection and storage of data only when necessary is a strategy to guarantee you have safe systems when designing systems with IAM functionalities. IAM has risks of its own, and because IAM systems are essentially the entrance to your data, it becomes somewhat more harmful if they are breached. Comprehensive provisioning and activity logging are two more solid strategies that may be used to provide complete security. Multi-factor authentication is also a smart technique to assure security since it requires many stages of security authentication before providing access. Getting rid of dormant accounts or accounts belonging to former workers is also a good idea to prevent those accounts from being used as gateways for unauthorised access.
Proper UI representation and communication: Users should see the appropriate messages and functionalities. For instance, if a person is not authorised to make a blog post, it would be inappropriate to display that screen to them. Even if you did, a well-designed screen that displays a warning like "You are not authorised to do this" may still prove valuable in communicating your message to the users.
Creating user groups and roles: Combining rights into roles is important and a better option. This method works well in situations when various user groups, such as marketing and finance, want access to the same resource. Instead of specifying that permission for each department individually, it would be much simpler to create a role that includes the appropriate permission and link it to each department.

Conclusion

A well designed multi-user system enables each environment to accommodate well-separated users with clearly specified configurations and policies associated with each, while also preventing the activities of one user from having an impact on those of another. This is highly significant. Less human error occurs when roles and permissions are preset, which reduces the possibility of mistakes that may occur if each user's configuration were done manually. RBAC makes it considerably less likely to accidentally grant users access to restricted resources.

My attempt to make you love Go 😊 - A quick introduction to Go

Oghenevwede Emeni — Tue, 02 Nov 2021 04:45:44 +0000

Go is a lovely language; it's quick and simple to learn, and it can make you cry now and then, but it's still a lovely language. I've been playing with Go for a few weeks and I'm completely smitten! But enough chit-chat for now; let's get this party started.

What is Go?

Go is an open-source programming language that was officially released by Google in 2012. It focuses on ease of use, reliability, accuracy, and concurrency. Go's biggest flex is its concurrent nature. Concurrency refers to the ability to perform multiple tasks at the same time. Server-side programming, game development, and cloud programming are all possible with Go.

Why do i love Go so much?

It's simple to learn
There's a lively community
There's a lot of documentation
And you should if you enjoy your bank apps making cha-ching noises!

How do i get started with Go?

Go's website is a good place to start if you want to learn more about the language. It's really simple to use! Instructions for installing Go on your PC can be found at https://go.dev/doc/install.

Go Program structure

This article is aimed at complete beginners who are either getting started with Go or have recently started. We'll talk about the bare minimum structure of Go programs so that we can use it as a starting point for future tutorials.

Consider the following code, which prints the words "I am a beast!" −

package main
import "fmt"
func main() {
/* This is my first sample program. */
//I am trying to understand the basics of Go
   fmt.Println("I am a beast!")
}

Let's analyze the code above -

The first line, which contains "package main," is required and serves as the starting point for running programs.
The "fmt" preprocessor command is imported next. This package allows you to format simple strings and print them, as well as collect user input from the console, write to a file using a writer, and even print error messages.
The main() function is where the program execution starts. It's essentially a point where a program's first instructions are executed and where the program has access to command-line arguments. When you run a Go file, it looks for the main function and executes the code inside it first.
The compiler ignores /.../ and //, which are used to add comments to the program. The purpose of comments is to explain what each part of a program is doing.
Go has a function called println(...) that displays the message "I am a beast!" on the screen. The Println method is exported by the fmt package and is used to display the message on the screen.

Let's actually test the code above -

Make a file in your text editor. beast.go is what I'm going to call mine.
Copy and paste the code above, making sure to save it!
Go to your terminal and make sure you're in the same directory as your file, then type go run beast.go. (This is the command that will allow you to run your program!)
As long as there are no errors, this will print out "I am a beast!"

$ go run beast.go
I am a beast!

Yup! You've completed your first Go program with flying colours. Remember that reading Go's documentation is a great way to learn the language. Until next time, take care!

Pushing your first code to GitHub

Oghenevwede Emeni — Fri, 10 Jul 2020 17:10:45 +0000

As a developer,having a place to store your codes is extremely important.If you are a newbie and have been looking for a place to store your codes or a place that lets you work remotely with your team (especially during this pandemic),Git-hub is the place. Would love to tell you more about GitHub, but then this article will be to long and you'll cancel it (Sad face emoji inserted). Alright.let's get started.
So in this article, I'll be discussing two methods of pushing your codes to GitHub;

Via GitHub's website or
Your command line

Most beginners prefer the first method. It's quite straight forward and really easy to use. I am going to assume that you already have an existing project that you would like to upload. If you do not have one let's create a real simple code.
I will be creating a simple HTML file. Anybody can try this you don't need any special installations or tools.

First create a project folder and name it whatever you want to. I will be naming mine "Test".
Open your notepad and insert the following;

<!Doctype html>
<html>
<head>
<title>First Github Upload</title>
</head>
<body>
<h1>This is a simple html file for upload</h1>
</body>
</html>

You can name this file whatever you want, I will be naming mine "index.html"(Just make sure you use .html as the file extension). Also make sure you save this file in the folder you created earlier.

Now login to https://github.com/. I am assuming you already have an account, if not sign up.
Navigate to the upper right corner of the GitHub website and click on the plus sign. A drop down menu will appear. Click on the New repository option. A new screen will be loaded. In the input box labeled repository name, enter your preferred repository name(I will be naming mine, github-articles). You put a description if you want to.
From the privacy option select public, if you want make the repository available for everyone to see or private if you want to be the only one (and maybe a few selected people,known as contributors) who can commit and see the repository.
Click on the checkbox displaying “Initialize this repository with a README” as well.
A new screen showing your repository content should pop up. You will now have a readme file in your repository.
Then click on the ADD FILE option and select upload files.You can then choose your files or drag and drop them to the screen,which ever you choose.
When you are done,you can decide to add a commit message with the form at the bottom of the screen. I will be adding "My first commit" as my commit message.
Then click the commit changes button to proceed. After this step, your codes will be successfully uploaded. Yhayyy!!!

That was really easy right? (I can hear your answers).I love method one (Psttt, I am not lazy, I just love Github's UI (proud face emoji inserted)), but then I love method two because making use of my terminal makes me look bad ass(Makes my non-dev friends think I am a hacker (badass wearing sunglasses emoji inserted).Anyways let's get started.

If you do not have git installed, you can download it here- https://git-scm.com/downloads. When you have it all set up, go to your project folder on your PC and right click (this is for windows users) and select the "open git bash here". You can only see this if you have git installed. A terminal will open up after this. For Linux move inside the project directory using the terminal.
Carry out steps 1 to 5 of Method 1 but don't click on the “Initialize this repository with a README” option.
A screen will appear. Don't close your browser tab Now go back to your terminal and lets start hacking, sorry uploading(lmao). Enter these code snippets
echo "#what you want write in your readme file">>README.md (Mine will be echo "#Hey Github, this is my first commit">>README.md
Next initialize the repository using; git init
Add the file to the new local repository using; git add . (yes there is a space between add and the full-stop sign, don't ignore it).
To view all the files that will be staged in the first commit use ; git status
Now create your commit message using; git commit -m "your commit message" (Mine will be git commit -m "My first commit")
Go back to your opened tab, don't close the terminal and copy your remote repository URL. It's something like this https://github.com/your_username/repo_name.git
Go back to your terminal and add the URL you copied using;** git remote add origin https://github.com/your_username/repo_name.git*(Mine will be git remote add origin https://github.com/GENESDEMON/github-articles.git)
Now push the code in your local repository to github using; git push -u origin master (This pushes your code to the master branch)
Enter your GitHub username and password, if prompted to. Yhayyy you can finally see the file hosted on github (dancing emoji inserted). Thanks for reading, if you need any clarification on anything, do not hesitate to drop a comment.