[Diagram: where authorization applies in each layer. Presenter: masking items. Controller: execute endpoint. Repository (DB etc.): filter resources, read/write authorization. UseCase: execute use case. Domain: ramification of domain logic, execute domain logic.]
Authorization applies across a wide range and, depending on requirements, can affect everything from the Presenter down to the Domain; it is a very complex concept.
> Because authz is abstract, it is often implemented tightly coupled to concrete requirements, resulting in inflexibility.
When you want to delegate part of a principal's privileges, or allow or deny an operation through multiple paths, the decision can become very complicated.
[Diagram: inputs to one decision. What action? What resources are targeted? Has it been paid for? Has a manual permission been granted? Is the caller a developer? Is the caller banned? etc., for either a user or a token.]
the permissions of multiple principals (users, API tokens, operators, etc.). Without a unified management mechanism, near-duplicate implementations multiply.
[Diagram: authz attributes associated with the API key, next to authz attributes associated with the User, etc.]
When multiple principals exist and are not managed uniformly, similar logic proliferates.
of paths by which authorization is granted.
> If they are not managed in a unified manner, a decision must be implemented for each path, and the logic becomes huge.
[Diagram: AuthZ attribute A is granted when a bill is paid successfully, when delegating to an API key, when creating a user, or when manually granted.]
The paths by which privileges are granted are many. Without unified management, a definition is needed per path and the logic balloons.
[Diagram: Judgement. The client sends the Principal (ID & Type), the required Authority attributes, and the Target resources.]
The decision is made by identifying the principal's ID, the authorization attributes the operation requires, and the resource ID, and querying the judgement with them. It must also be possible to combine the result with proprietary, requirement-specific logic.
The judgement holds a mapping between these elements, together with the state of each mapping entry:
·Allocation path (how the attribute was granted)
·Term (validity period)
·Enabled/disabled
With this information it returns a decision for the client's request.
Authorization attribute assigned to a Principal.
- In addition to the authorization information, it carries a resource ID and other data used for ID-based filters.
- Stored in the database.
> Scope
- Authorization attribute assigned to a Resource.
- Described in code.
By setting the return type of the interface to the designated type, the scope is automatically loaded onto the effect stack.
> If the type annotation is omitted, a `scalafix` rule reports an error, so the omission fails the build.
> The assembled expression encapsulates the authorization scopes necessary for its execution.
> These, together with the user's attributes, are what the decision is made from.
Collect the authorization scopes across all tiers in a single State.
[Diagram: Presenter sets Scope A; Controller sets Scope B; Repository (DB etc.) sets Scopes C, D; UseCase sets Scope E; Domain sets Scope F. Result: State[List[A,B,C,D,E,F], X].]
are collected by the State monad.
> This creates a situation where an authorization check is mandatory before an expression can be evaluated.
> Because the permission check sits before execution, there is no longer any need to keep separate implementations for paths that do and do not require a permission check.
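As an added worked example, not code from the talk: a minimal hand-rolled State monad that collects the scopes an expression needs while deferring the real work into a thunk, and a principal whose attributes carry the allocation path, term and enable/disable state described in the judgement slide. The names (`Scope`, `Grant`, `Authz`, `requires`, `execute`) and the sample principals are assumptions for illustration; the talk's actual effect stack and its scalafix rule are not reproduced here.

```scala
// Added example, not the talk's code. Runs with plain Scala 2.13/3, no cats.
object AuthzExample {
  sealed trait Scope
  object Scope {
    case object ReadBill extends Scope
    case object PayBill  extends Scope
  }

  // Authorization attribute assigned to a principal (assumed shape), with the
  // state of the mapping: allocation path, term, enable/disable.
  final case class Grant(scope: Scope, allocatedBy: String, validUntil: Long, enabled: Boolean)

  final case class Principal(id: String, grants: List[Grant]) {
    // Only enabled, unexpired grants count as effective attributes.
    def effectiveScopes(now: Long): Set[Scope] =
      grants.collect { case g if g.enabled && g.validUntil > now => g.scope }.toSet
  }

  // Minimal State monad: S => (S, A).
  final case class State[S, A](run: S => (S, A)) {
    def map[B](f: A => B): State[S, B] =
      State { s => val (s2, a) = run(s); (s2, f(a)) }
    def flatMap[B](f: A => State[S, B]): State[S, B] =
      State { s => val (s2, a) = run(s); f(a).run(s2) }
  }
  object State {
    def modify[S](f: S => S): State[S, Unit] = State(s => (f(s), ()))
  }

  // An Authz[A] accumulates required scopes in the State; the value is deferred
  // work, so running the State collects scopes without executing anything.
  type Authz[A] = State[List[Scope], () => A]

  def requires[A](scopes: Scope*)(body: => A): Authz[A] =
    State.modify[List[Scope]](_ ++ scopes).map(_ => () => body)

  final case class Bill(id: String, amount: Int)
  final case class Receipt(billId: String, paid: Int)

  // Repository layer: each accessor declares its scope next to the effect.
  var dbReads = 0
  def loadBill(id: String): Authz[Bill] =
    requires(Scope.ReadBill) { dbReads += 1; Bill(id, 1200) }
  def charge: Authz[Bill => Receipt] =
    requires(Scope.PayBill) { (b: Bill) => Receipt(b.id, b.amount) }

  // UseCase layer composes them; the State ends up holding List(ReadBill, PayBill).
  def payBill(id: String): Authz[Receipt] =
    for { load <- loadBill(id); pay <- charge } yield () => pay()(load())

  // Judgement: run the State only to collect scopes, compare them with the
  // principal's effective attributes, and execute the thunk only if allowed.
  def execute[A](p: Principal, now: Long, program: Authz[A]): Either[List[Scope], A] = {
    val (required, thunk) = program.run(Nil)
    val missing = required.distinct.filterNot(p.effectiveScopes(now))
    if (missing.isEmpty) Right(thunk()) else Left(missing)
  }

  def main(args: Array[String]): Unit = {
    val now = 1000L
    // Constructed sample principals: alice holds both grants; bob's PayBill
    // grant was delegated but its term has already expired.
    val alice = Principal("alice", List(
      Grant(Scope.ReadBill, "manual",    validUntil = 2000L, enabled = true),
      Grant(Scope.PayBill,  "bill-paid", validUntil = 2000L, enabled = true)))
    val bob = Principal("bob", List(
      Grant(Scope.ReadBill, "api-key",   validUntil = 2000L, enabled = true),
      Grant(Scope.PayBill,  "delegated", validUntil = 500L,  enabled = true)))

    println(execute(alice, now, payBill("b-1")))
    println(execute(bob,   now, payBill("b-1")))
    println(s"repository reads performed: $dbReads")
  }
}
```

For bob the judgement returns `Left(List(PayBill))` and the repository thunk never runs, so the read counter only reflects alice's call: the check is in front of execution, not interleaved with it. This only works because the layers return deferred values; a `flatMap` whose continuation chose its scopes based on a loaded value would have to run that load first, which is why the scopes are declared statically next to each effect.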