Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security Rules Unit Testing Pipeline Integratio...

Firebase Thailand
April 01, 2023
Technology
0
110

Security Rules Unit Testing Pipeline Integration for Firestore

Making sure the quality of our apps and web to be stable all the time would be challenging especially for critical issue such as security rules, here we will talk about how developers can integrate their security rules for cloud firestore within a pipeline integration for continuous deployment for a modern web application. We will get to know about Firebase Security Rules, Firebase Rules Testing Library. Firebase Emulator Suite, Cloud Firestore and Github Pipeline Integration.

Firebase Thailand

April 01, 2023
Tweet

More Decks by Firebase Thailand

See All by Firebase Thailand
What's New in Firebase 2024
firebasethailand
1
190
Adding New Capabilities to Your Apps with Firebase and Gemini API
firebasethailand
1
150
Say Hello to Cloud Functions for Firebase 2nd Gen
firebasethailand
1
330
What's New in Firebase 2023
firebasethailand
3
560
Building a more Efficient Firestore Web App
firebasethailand
1
170
Developing with Firebase - Best Practices
firebasethailand
0
170
Analyze your production issue on Firebase Crashlytics more efficient with BigQuery
firebasethailand
0
340
What I learn from Firebase when build Saifah
firebasethailand
0
120
Building Simple Collaborative Online IDE with AngularFire and Firepad
firebasethailand
0
100

Other Decks in Technology

See All in Technology
New Relicを活用したSREの最初のステップ / NRUG OKINAWA VOL.3
isaoshimizu
3
620
DynamoDB でスロットリングが発生したとき/when_throttling_occurs_in_dynamodb_short
emiki
0
250
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
1
230
エンジニア人生の拡張性を高める 「探索型キャリア設計」の提案
tenshoku_draft
1
130
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
300k
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
940
Amazon CloudWatch Network Monitor のススメ
yuki_ink
1
210
AWS Lambdaと歩んだ“サーバーレス”と今後 #lambda_10years
yoshidashingo
1
180
マルチプロダクトな開発組織で 「開発生産性」に向き合うために試みたこと / Improving Multi-Product Dev Productivity
sugamasao
1
310
Can We Measure Developer Productivity?
ewolff
1
150
ドメインの本質を掴む / Get the essence of the domain
sinsoku
2
160
Shopifyアプリ開発における Shopifyの機能活用
sonatard
4
250

Featured

See All Featured
Speed Design
sergeychernyshev
25
620
GitHub's CSS Performance
jonrohan
1030
460k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
6.8k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
109
49k
How GitHub (no longer) Works
holman
310
140k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Statistics for Hackers
jakevdp
796
220k
Designing for humans not robots
tammielis
250
25k
The Invisible Side of Design
smashingmag
298
50k
Automating Front-end Workflow
addyosmani
1366
200k
KATA
mclloyd
29
14k

Transcript

  1. Security Rules Unit Testing Pipeline Integration for Firestore Google Developer

    Expert in Firebase Surahutomo Aziz Pradana Firebase Dev Day 2023 GDG Bangkok Firebase Thailand Organized by

  2. Let’s get to know each other! Now Web Mentor Lead

    Co-Lead 2015 2022 2019 2017

  3. Sensitive resources Realtime Database Firestore Storage

  4. Security Rules Realtime Database Firestore Storage Sensitive resources

  5. Security Rules Realtime Database Firestore Storage Sensitive resources ? Anonymous

  6. Security Rules Realtime Database Firestore Storage Sensitive resources ? Anonymous

    Admin

  7. Security Rules Realtime Database Firestore Storage Sensitive resources ? Anonymous

    Admin Developer

  8. What kind of protection that security rules can protect ?

  9. ? Anonymous Security Rules Realtime Database Firestore Storage Google Server

    - Prebuilt public and private key to prevent anomaly access X

  10. ? Anonymous Security Rules Realtime Database Firestore Storage Google Server

    - Prebuilt public and private key to prevent anomaly access - Prebuilt protect from any malicious attack X

  11. Admin Security Rules Realtime Database Firestore Storage Google Server -

    Updating the wrong record accidentally X

  12. Admin Security Rules Realtime Database Firestore Storage Google Server -

    Updating the wrong record accidentally - Manipulating the data or fraud X

  13. Admin Security Rules Realtime Database Firestore Storage Google Server -

    Updating the wrong record accidentally - Manipulating the data or fraud - Hacked admin account for suspicious action X

  14. Developer Security Rules Realtime Database Firestore Storage Google Server -

    Prevent bugs by protecting code payload consistency X

  15. rules_version = '2'; service cloud.firestore { match /databases/{database}/documents { match

    /members/{memberId} { allow write: if hasKey(["uid"]) } } } firestore.rules

  16. Developer Security Rules Realtime Database Firestore Storage Google Server -

    Prevent bugs by protecting code payload consistency - Prevent bugs when dev forget the specific rule in user flow journey X

  17. rules_version = '2'; service cloud.firestore { match /databases/{database}/documents { function

    withSpecialCondition(role) { // return some special condition } match /members/{memberId} { allow write: if withSpecialCondition("special_role") } } } firestore.rules

  18. Developer Security Rules Realtime Database Firestore Storage Google Server -

    Prevent bugs by protecting code payload consistency - Prevent bugs when dev forget the specific rule in user flow journey - Increase code quality by using strong and centralized data flow and its operation X

  19. rules_version = '2'; service cloud.firestore { match /databases/{database}/documents { function

    someFunction(role) { // return some function logic } match // collection name 1 { allow write: if // some condition 1 } match // collection name 2 { allow read: if // some condition 2 } } } firestore.rules

  20. Now, question is Is that protection enough ?

  21. Technically … YES

  22. But actually operationally … Nope

  23. There is a story, lemme introduce you to them !

  24. His name is Pyro-chan~ He is new fresh graduate engineer

  25. His name is Mr.Dart He is Senior Software Engineer

  26. They are childhood friends that has the same interest into

    tech!

  27. So, “Operationally … Nope” What might be missing i wonder

    ?

  28. Well, the factor is actually “Human Error”

  29. Oh yeahh, i remember! I think i had those mistakes

    ehehe

  30. Oh nooo! I have a product demo in a minute,

    I need to rush and finish this code ! Long time ago …

  31. Oh my, it breaks my old code :( I didn’t

    realize it! Then …

  32. Alright easy tasks, done! Let’s go home! Long time ago

  33. Oh my, it breaks my old code :( I didn’t

    realize it! Then …

  34. OKAY! This time i concentrated and not underestimate the code

    changes, looks fine! Long time ago …

  35. Oh my, it breaks my code, the library has changed

    its implementation and i didn’t realize it :( Then …

  36. See, because of those ..

  37. It might causing us : - Money Loss - Data

    breached - Anomaly data

  38. Sorry

  39. It’s okay, learning is what’s really important!

  40. Let me tell you something

  41. At least there are 3 levels Tech Testing Auto Building

    the security Testing the security level Automate the testing process Minimize human error by building this! So ..

  42. In that case what we can do is

  43. Steps : • Build our testing for security rules •

    Automate running the security rules testing • Protect the branch with the automation !

  44. Ahh.. Interesting ? ?

  45. So, Dana can you show us how ?

  46. in/retzd @retzd_ medium.com/@retzd g.dev/retzd devpost.com/retzd Thank you! Don’t forget to

    contact Dana, he is super helpful about Firebase!