Add Role-Based Access Control (RBAC) to auth?

[SimonLab]

We discuss this morning having a role-based access control system (https://en.wikipedia.org/wiki/Role-based_access_control)

Do we want to have the RBAC implemented inside the auth package or should we create another repository/package for it?

[nelsonic]

@SimonLab good question. Thank you for opening this issue for us to capture the discussion/research.

Short/Quick Answer

Yes, we are going to have RBAC system built-in to Auth as "auth" stands for both "authentication" and "authorisation" which is synonymous for permission.

We don't need to over-think it, we just need the concept of Roles, Content Types and levels of Permissions.

Longer Answer

The best way of thinking about Auth is in the context of an Example Application: "Blog".

Let's consider a typical publishing platform like Medium. https://en.wikipedia.org/wiki/Medium_(website)
It has four Content Types:

1. Post which typically include:
   • Title - e.g: "The Arctic is Melting"
   • Slug - /arctic-melting
   • Tags/Categories: arctic, melting, climate change https://medium.com/tag/climate-change
   • Body see:
     • Images (zero or more)
2. Comment - Anyone who is authenticated (and not blocked) can comment on Posts where commenting is enabled. (Medium calls comments Response ...)
3. Reaction - In the case of Medium there is now only a "clap" which can be clicked multiple times.
   (a variety of Reaction Emojis and one "unit" of each reaction per person would be my pref.)
4. Highlight - A highlight is where a person drags their cursor over a section of text and saves it as a highlight. See: https://help.medium.com/hc/en-us/articles/214406358-Highlights

Don't worry, we aren't going to build a blogging platform, the space is way too crowded.
However, we are going to build a basic CMS so that we can publish our own content for our Learning Platform which will use the Auth (Login, Roles, Permissions and Notifications Systems).

By default we should have at least 7 Roles in the Roles table/schema:

role_id	role_name	description	created_at	created_by
0	Unauthenticated	Anyone who is not logged in. Can view public content but cannot perform any action on content until they authenticate.	1541609554	-
1	Super Admin	Can CREATE new roles. Can CREATE, UPDATE and DELETE Any content. Can PURGE deleted items. Can "ban" any user including people with "Admin" Role.	1541609554	-
2	Admin	Can create roles. Can CREATE, UPDATE and DELETE Any content. Can "ban" any user except people with "Admin" Role. Can see deleted content and un-delete it. Cannot purge deleted. This guarantees audit-trail.	1541609554	-
3	Editor	Can CREATE and UPDATE Any content. Can "DELETE" content. Cannot see deleted content.	1541609554	-
4	Content Creator	Can CREATE content. Can UPDATE their own content. Can DELETE their own content.	1541609554	-
5	Commenter	Can COMMENT on content that has commenting enabled.	1541609554	-
6	Banned	Can login and see their past content. Cannot create any new content. Can see the reason for their banning (which the Admin has to write when performing the "ban user" action. usually linked to a specific action the person performed like a particularly unacceptable comment.)	1541609554	-

[nelsonic]

Given that we need the concept of roles, privileges and grants in order to regulate access to doors @home dwyl/smart-home-auth-server#1 I'm going to focus on this today.
I have closed all other browser tabs and applications and will be focussing on RBAC exclusively until it's finished.
I will still check my notifications 3 times per day, so if anyone needs me for something else I will still respond.
But until further notice this is my highest priority: #31

[nelsonic]

If you google for "rbac database schema": https://www.google.com/search?q=rbac+database+schema&tbm=isch
There are several hundred examples you can get inspiration from:

Some are more complex than others.
This is what I've distilled from my reading:

Let's create the Database Schemas (Tables) to store our RBAC data,
starting with Roles:

mix phx.gen.html Ctx Role roles name:string desc:string person_id:references:people

Next

mix phx.gen.html Ctx Permission permissions name:string desc:string person_id:references:people

Next create the many-to-many relationship between roles and permissions.

mix ecto.gen.migration create_role_permissions

Now create the many-to-many relationship between people and roles:

mix ecto.gen.migration create_people_roles

[nelsonic]

By putting the roles and permissions resources in an auth pipeline, none of the tests pass.
Just need to write a helper function that sets up the JWT/session. BRB.

[nelsonic]

Taking a little detour to refresh my knowledge of testing as I want to add the helper function to the ConnCase file.
See: https://github.com/phoenixframework/phoenix/blob/master/guides/testing/testing.md

[nelsonic]

Didn't learn anything new from reading the official docs. Going to keep searching. 🔍

[nelsonic]

https://stackoverflow.com/questions/58902019/phoenix-exunit-where-should-i-define-global-helpers

[nelsonic]

Before:

Finished in 74.9 seconds
1 property, 79 tests, 17 failures

After:

Finished in 8.9 seconds
1 property, 79 tests, 0 failures

With 100% coverage.

Next: create associations between the Roles and Permissions Schemas.

[nelsonic]

Default roles summarised in: #82 (comment) included in next PR. 🔜 #85 🚧

[nelsonic]

@SimonLab given that you opened this issue, if you want to take a look at #85 your feedback is very welcome. 👍

[nelsonic]

Roles deployed to https://dwylauth.herokuapp.com/roles
RBAC for controlling access in apps: https://github.com/dwyl/rbac

The original question of this issue is answered:
https://github.com/dwyl/auth/blob/master/role-based-access-control.md

Closing. ✅

Any further questions: please open new issues. (thanks!)