Designing with capabilities (DDD-EU 2017)

Designing with capabilities
(DDD Europe 2017)
@ScottWlaschin
fsharpforfunandprofit.com/cap

DDD
API
Design
Security
Design
Not about OAuth, JWT etc

DDD
API
Design
Security
Design

Topics
• What does security have to do with design?
• Introducing capabilities
• API design with capabilities
• Design consequences of using capabilities
• Transforming capabilities for business rules
• Delegating authority using capabilities

WHAT DOES SECURITY
HAVETO DO WITH DESIGN?

Transparent
Opaque
It’s all about
security, right?

Sed ut perspiciatis unde omnis iste natus error sit voluptatem
accusantium doloremque laudantium, totam rem aperiam,
eaque ipsa quae ab illo inventore veritatis et quasi architecto
beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem
quia voluptas sit aspernatur aut odit aut fugit, sed quia
consequuntur magni dolores eos qui ratione voluptatem sequi
nesciunt. Neque porro quisquam est, qui dolorem ipsum quia
dolor sit amet, consectetur, adipisci velit, sed quia non
numquam eius modi tempora incidunt ut labore et dolore
magnam aliquam quaerat voluptatem. Ut enim ad minima
veniam, quis nostrum exercitationem ullam corporis suscipit
laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis
autem vel eum iure reprehenderit qui in ea voluptate velit esse
quam nihil molestiae consequatur, Temporibus autem quibus
Dacei Megasystems Tech Inc necessitatibust aut officiis debitis
auteo 2799 E Dragam Suite 7 quisquam saepe Itaque
enieti Los Angeles CA 90002 ut et voluptates repudiandae sint
et molestiae non recusandae. Itaque earum rerum hic tenetur a
sapiente delectus, ut aut reiciendis voluptatibus maiores alias
consequatur aut perferendis doloribus asperiores repellat.
Neque porro quisquam est, qui dolorem ipsum quia dolor sit
amet, consectetur, adipisci velit, sed quia non numquam eius
modi tempora incidunt ut labore et dolore magnam aliquam
quaerat voluptatem. Ut enim ad minima veniam, quis nostrum
exercitationem ullam corporis suscipit laboriosam, nisi ut
aliquid ex ea commodi consequatur?
Please deliver
this letter
A counterexample

Sed ut perspiciatis unde omnis iste natus error sit voluptatem
accusantium doloremque laudantium, totam rem aperiam,
eaque ipsa quae ab illo inventore veritatis et quasi architecto
beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem
quia voluptas sit aspernatur aut odit aut fugit, sed quia
consequuntur magni dolores eos qui ratione voluptatem sequi
nesciunt. Neque porro quisquam est, qui dolorem ipsum quia
dolor sit amet, consectetur, adipisci velit, sed quia non
numquam eius modi tempora incidunt ut labore et dolore
magnam aliquam quaerat voluptatem. Ut enim ad minima
veniam, quis nostrum exercitationem ullam corporis suscipit
laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis
autem vel eum iure reprehenderit qui in ea voluptate velit esse
quam nihil molestiae consequatur, Temporibus autem quibus
Dacei Megasystems Tech Inc necessitatibust aut officiis debitis
auteo 2799 E Dragam Suite 7 quisquam saepe Itaque
enieti Los Angeles CA 90002 ut et voluptates repudiandae sint
et molestiae non recusandae. Itaque earum rerum hic tenetur a
sapiente delectus, ut aut reiciendis voluptatibus maiores alias
consequatur aut perferendis doloribus asperiores repellat.
Neque porro quisquam est, qui dolorem ipsum quia dolor sit
amet, consectetur, adipisci velit, sed quia non numquam eius
modi tempora incidunt ut labore et dolore magnam aliquam
quaerat voluptatem. Ut enim ad minima veniam, quis nostrum
exercitationem ullam corporis suscipit laboriosam, nisi ut
aliquid ex ea commodi consequatur?
Please deliver
this letter
It’s not just
about security...
...hiding irrelevant
information is
good design!

David Parnas, 1971
• If you make information available:
– Programmers can’t help but make use of it
– Even if not in best interests of the design
• Solution:
– Don’t make information available!

Can’t do
anything
Just right Unnecessary
coupling
In the large: Bounded Contexts
In the small: Interface Segregation Principle
Software Design Spectrum
Too much information availableToo little information available

Can’t get your
work done
Too much information available
Just right Potential for
abuse
Principle of Least Authority (POLA)
Too little information available
Security spectrum

Ak.a. Minimize your surface area
(to reduce chance of abuse)
Good Software Design
Intention-revealing interface
Minimize coupling
Make dependencies explicit
Good Security
Principle of Least Authority (POLA)
Ak.a. Minimize your surface area
(expose only desired behavior)

Good security => Good design
Good design => Good security

Security-aware design
• "Authority" = what can you do at any point?
– Be aware of authority granted
– Assume malicious users as a design aid!

Stupid people Evil people
What’s the difference? 

Security-aware design
• "Authority" = what can you do at any point?
– Be aware of authority granted
– Assume malicious users as a design aid!
• Use POLA as a software design guideline
– Forces intention-revealing interface
– Minimizes surface area & reduces coupling

INTRODUCING
“CAPABILITIES”

Typical API
APIcallClient
call
I'm sorry,
Dave, I'm afraid
I can't do that

Rather than telling me what I can't do,
why not tell me what I can do?

Client Service
Login
Available
Capabilities
Capability-based API
Many available
actions initially

Client Service
Use a
capability
Available
Capabilities
Capability-based API
Fewer available
actions in a
given state

Client
TicTacToe
Service
Request
Response
Tic-Tac-Toe as a service
Proper name is "Noughts and Crosses" btw
TIL: "Butter, cheese and eggs" in Dutch

Tic-Tac-Toe API (obvious version)
type TicTacToeRequest = {
player: Player // X or O
row: Row
col: Column
}

Tic-Tac-Toe API (obvious version)
type TicTacToeResponse =
| KeepPlaying
| GameWon of Player
| GameTied

What kind of errors can happen?
• A player can play an already played move
• A player can play twice in a row
• A player can forget to check the response and
keep playing

Intention-revealing interface
"If a developer must consider the
implementation of a component in order to
use it, the value of encapsulation is lost."
-- Eric Evans, DDD book

“Make illegal operations
unavailable”
Don’t let me do a bad thing and
then tell me off for doing it...
Yes, you could return errors, but...

Client
TicTacToe
Service
New Game
Available Moves
Tic-Tac-Toe service with capabilities
Nine available
moves

Client
1st move
Available Moves
Eight available
moves
TicTacToe
Service

Client
Available Moves
2nd move
Seven available
moves
TicTacToe
Service

Client
Available Moves
3rd move
Six available
moves, etc
TicTacToe
Service

Client
No available
Moves
Winning
move
TicTacToe
Service

Tic-Tac-Toe API (cap-based version)
type MoveCapability =
unit -> TicTacToeResponse
// aka Func<TicTacToeResponse>
| KeepPlaying of MoveCapability list
| GameWon of Player
| GameTied

Tic-Tac-Toe API (cap-based version)
type MoveCapability =
unit -> TicTacToeResponse
// aka Func<TicTacToeResponse>
| KeepPlaying of MoveCapability list
| GameWon of Player
| GameTied
type InitialMoves = MoveCapability list
Where did the "request" type go?
Where's the authorization?

Demo:
Capability-basedTic-Tac-Toe

What kind of errors can happen?
• A player can play an already played move
• A player can play twice in a row
• A player can forget to check the response and
keep playing
Is this good security or good design?
All fixed now! 

HATEOAS
Hypermedia As The Engine
Of Application State
“A REST client needs no prior knowledge
about how to interact with any particular
application or server beyond a generic
understanding of hypermedia.”
RESTful done right

How NOT to do HATEOAS
POST /customers/
GET /customer/42
If you can guess the API
you’re doing it wrong
Security problem!
Also, a design problem –
too much coupling.

How to do HATEOAS
POST /81f2300b618137d21d /
GET /da3f93e69b98
You can only know what URIs
to use by parsing the page
Each of these URIs is a capability

Tic-Tac-Toe HATEOAS
[
{ "move": "Play (Left,Top)",
"rel": "LeftTop",
"href": "/move/ec03def5-7ea8-4ac3-baf7-b290582cd3f2" },
{ "move": "Play (Left, Middle)",
"rel": "Left Middle",
"href": "/move/d4532ca0-4e61-4fae-bbb1-fc11d4e173df" },
{ "move": "Play (Left, Bottom)",
"rel": "Left Bottom",
"href": "/move/fe1bfa98-e77b-4331-b99b-22850d35d39e" }
...
]

DESIGN CONSEQUENCES
OF USING CAPABILITIES
Not just for APIs -- use these design techniques
inside a bounded context too

Example:
Read a customer from a database

Controller/
API
Business
Logic
Database
Client
Could also be Onion architecture or
Ports and Adapters -- not important

Controller/
API
Business
Logic
Database
Client
Which component decides whether you
are allowed to read the customer?
But then any other path
has complete access to
the database 

Controller/
API
Business
Logic
Database
Client
But then it doesn’t have
enough context to decide 

Controller/
API
Business
Logic
Database
Client
Global
Authorizer
Are you doing this already?

Controller/
API
Business
Logic
Database
Client
Dependency
Injection

public class CustomerController : ApiController
{
readonly ICustomerDb _db;
public CustomerController(ICustomerDb db)
{
_db = db;
}
[Route("customers/{customerId}")]
[HttpGet]
public IHttpActionResult Get(int customerId)
{
var custId = new CustomerId(customerId);
var cust = _db.GetProfile(custId);
var dto = DtoConverter.CustomerToDto(cust);
return Ok(dto);
}

public interface ICustomerDb
{
CustomerProfile GetProfile(CustomerId id);
void UpdateProfile(CustomerId id, CustomerProfile cust);
void CreateAccount(CustomerId id, CustomerProfile cust);
void DeleteAccount(CustomerId id);
void UpdateLoginEmail(CustomerId id, string email);
void UpdatePassword(CustomerId id, string password);
}
How much authority do you really need?

public interface ICustomerDb
{
CustomerProfile GetProfile(CustomerId id);
}

Func<CustomerId,CustomerProfile>

{
Func<CustomerId,CustomerProfile> _readCust;
public CustomerController(Func<..> readCust)
{
_readCust = readCust;
}
[HttpGet]
{
var cust = _readCust(custId);
return Ok(dto);
}

Controller
/API
Business
Logic
Database
Use Case
Controller
/API
Business
Logic
Database
Use Case
Controller
/API
Business
Logic
Database
Use Case
Global
Authorizer
Every controller
is injected with
minimal capabilities
it needs
(aka functions)

Controller
/API
Business
Logic
Database
Use Case
Controller
/API
Business
Logic
Database
Use Case
Controller
/API
Business
Logic
Database
Use Case
Global
Authorizer
Vertical
slices
Don't mention
microservices

{
[HttpGet]
{
var readCust = authorizer.GetReadCustCap(custId);
if (readCust != null)
{
var cust = readCust();
return Ok(dto);
}
else
// return error
}

TRANSFORMING CAPABILITIES
FOR BUSINESS RULES

Capability
transformer
capability
constrained
capability
Capabilities are functions... ...so can be transformed to
implement business rules

With Auditingcapability
Audited
capability

Only in office
hours
capability
Time-constrained
capability

Only Oncecapability
Once-only
capability

How to revoke access in a cap-based system?
It's hard to revoke physical keys
in the real world... But this is software!

Revokablecapability
Revokable
capability
Revoker

Revoke
automatically
after 10 mins
capability
Short-lived
capability

Demo:Transforming Capabilities

DELEGATING AUTHORITY
USING CAPABILITIES

Reasons for access control
• Prevent any access at all.
• Limit access to some things only.
• Revoke access when you are no longer
allowed.
• Grant and delegate access to some subset of
things.
It’s not always
about saying no!

Designing with capabilities (DDD-EU 2017)

Supply
Room
Alice
Bob
Secret
Files
X
Capabilities support
decentralized delegation

Delegation of authority
example

Controller
/API
Business
Logic
Database
Use Case
Inject authority
to read just
one customer
Global
Authorizer
Services
(e.g. Read customer and
send them email)
Security risk
& implicit
dependency

Controller
/API
Business
Logic
Database
Use Case
Services
(e.g. Read customer and
send them email)
Inject authority
to read just
one customer
Global
Authorizer

Delegation of capabilities
Full authority
(at start up)
Parent
Component
Some capabilities
Child
Component
transformer e.g. Only once
Child
Component
Only during office hourstransformer
Delegate
capabilities
Delegate
capabilities

Common questions
• Is this overkill? Is it worth it?
– It depends....
– Useful as a thought experiment
• How does this relate to DDD?
– Intention-revealing interfaces
– Map commands from event storming to
capabilities

Common questions
• Are you saying that all external IO should be
passed around as capabilities?
– Yes!You should never access any ambient
authority.
– You should be doing this anyway for mocking.
• How do you pass these capabilities around?
– Dependency injection or equivalent

Common questions
• Won’t there be too many parameters?
– Less than you think!
– Counter force to growth of interfaces
– Encourages vertical slices (per use-case)
• Can’t this be bypassed by reflection or other
backdoors?
– Yes. This is really all about design not about total
security.

Summary
• Good security  good design
– Bonus: get a modular architecture!
• Use POLA as a design principle
– Don’t trust other people to do the right thing
– Don’t force other people to read the documentation!
• Intention revealing interfaces
– Don't force the client to know the business rules
– Make interfaces more dynamic
– Change the available capabilities when context
changes

Thanks!
@ScottWlaschin
fsharpforfunandprofit.com/cap
Contact me
Slides and video here
F# consulting

Designing with capabilities (DDD-EU 2017)

More Related Content

Similar to Designing with capabilities (DDD-EU 2017) (20)

More from Scott Wlaschin (20)

Recently uploaded (20)

Designing with capabilities (DDD-EU 2017)