# Catatan Seekor: Authorization

> **"Authorization determines what you can do, after authentication has established who you are"**

## 📚 Overview

Authorization adalah proses menentukan apa yang dapat dilakukan oleh user atau sistem yang sudah terautentikasi. Ini adalah lapisan keamanan kedua yang mengontrol akses ke resource dan menentukan permission yang dimiliki user.

## 🎯 Learning Objectives

Setelah mempelajari materi ini, Anda akan mampu:

* Memahami konsep dasar authorization dan access control
* Menerapkan berbagai model access control
* Mengimplementasikan Role-Based Access Control (RBAC)
* Mengelola JWT dan token dengan aman
* Menerapkan OAuth 2.0 dan OpenID Connect

## 📖 Table of Contents

* [Access Control Models](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-authorization/access-control.md)
* [Role-Based Access Control (RBAC)](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-authorization/rbac.md)
* [Attribute-Based Access Control (ABAC)](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-authorization/abac.md)
* [JWT & Token Management](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-authorization/jwt-tokens.md)
* [OAuth 2.0 & OpenID Connect](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-authorization/oauth-oidc.md)
* [Implementation Patterns](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-authorization/patterns.md)

## 🔐 Authorization Concepts

### 1. **Access Control**

* **Subject**: User, process, atau sistem yang meminta akses
* **Object**: Resource yang diakses (file, database, API endpoint)
* **Action**: Operasi yang dilakukan (read, write, delete, execute)
* **Context**: Kondisi atau environment saat akses diminta

### 2. **Authorization Models**

* **Discretionary Access Control (DAC)**: Owner menentukan akses
* **Mandatory Access Control (MAC)**: System administrator mengontrol akses
* **Role-Based Access Control (RBAC)**: Akses berdasarkan role
* **Attribute-Based Access Control (ABAC)**: Akses berdasarkan attributes

### 3. **Permission Levels**

* **Read**: Melihat atau membaca data
* **Write**: Membuat atau mengubah data
* **Delete**: Menghapus data
* **Execute**: Menjalankan program atau script
* **Admin**: Full control atas resource

## 🚀 Quick Start

### 🔰 **Untuk Pemula**

1. Mulai dengan [Access Control Models](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-authorization/access-control.md)
2. Pelajari [Role-Based Access Control (RBAC)](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-authorization/rbac.md)
3. Pahami [JWT & Token Management](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-authorization/jwt-tokens.md)

### 🎯 **Untuk Developer**

1. Implementasi [OAuth 2.0 & OpenID Connect](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-authorization/oauth-oidc.md)
2. Pelajari [Implementation Patterns](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-authorization/patterns.md)
3. Kuasai [Attribute-Based Access Control (ABAC)](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-authorization/abac.md)

## 📚 Referensi & Resources

### 🌟 **Essential Reading**

* [OWASP Authorization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html)
* [NIST RBAC Standard](https://csrc.nist.gov/projects/role-based-access-control)
* [OAuth 2.0 RFC](https://tools.ietf.org/html/rfc6749)
* [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html)

### 📖 **Books**

* **"Role-Based Access Control"** by David F. Ferraiolo
* **"OAuth 2 in Action"** by Justin Richer
* **"Identity and Access Management"** by Graham Williamson
* **"Web Application Security"** by Andrew van der Stock

### 🎓 **Online Courses**

* [Coursera: Access Control](https://www.coursera.org/learn/access-control)
* [edX: Identity and Access Management](https://www.edx.org/learn/identity-management)
* [OAuth 2.0 Tutorial](https://oauth.net/2/)

### 🛠️ **Tools & Frameworks**

* [Keycloak](https://www.keycloak.org/) - Open source identity management
* [Auth0](https://auth0.com/) - Identity platform
* [Spring Security](https://spring.io/projects/spring-security) - Security framework for Java
* [Passport.js](http://www.passportjs.org/) - Authentication middleware for Node.js

### 🔗 **Communities & Forums**

* [OAuth Community](https://oauth.net/community/)
* [OpenID Foundation](https://openid.net/)
* [Security Stack Exchange](https://security.stackexchange.com/questions/tagged/authorization)
* [Reddit r/cybersecurity](https://www.reddit.com/r/cybersecurity/)

## 🎯 Best Practices

### 🔐 **Access Control**

* ✅ Principle of Least Privilege
* ✅ Regular access review
* ✅ Segregation of duties
* ✅ Time-based access control
* ✅ Location-based restrictions

### 🎭 **Role Management**

* ✅ Clear role definitions
* ✅ Minimal role assignments
* ✅ Regular role review
* ✅ Role hierarchy management
* ✅ Role-based training

### 🔑 **Token Security**

* ✅ Secure token storage
* ✅ Token expiration
* ✅ Token rotation
* ✅ Secure transmission
* ✅ Token validation

### 🚫 **Security Measures**

* ✅ Input validation
* ✅ Output encoding
* ✅ Error handling
* ✅ Audit logging
* ✅ Monitoring and alerting

## 🚨 Security Checklist

### 🔍 **Pre-Implementation**

* [ ] Authorization requirements defined
* [ ] Access control model selected
* [ ] Security policies established
* [ ] Compliance requirements identified

### 🛠️ **During Implementation**

* [ ] Access control implementation
* [ ] Role-based access control
* [ ] Token management
* [ ] Error handling
* [ ] Logging and monitoring

### 🧪 **Testing & Deployment**

* [ ] Security testing completed
* [ ] Access control testing
* [ ] Penetration testing
* [ ] User acceptance testing
* [ ] Security audit

### 📊 **Maintenance**

* [ ] Regular access review
* [ ] Security updates
* [ ] User training
* [ ] Incident response plan
* [ ] Compliance monitoring

## 🔍 Common Vulnerabilities

### 🚨 **Insufficient Authorization**

* Missing access controls
* Weak permission checks
* Insecure direct object references
* Privilege escalation

### 🔓 **Token Vulnerabilities**

* Weak token generation
* Insecure token storage
* Token hijacking
* Missing token validation

### 🚫 **Role-Based Issues**

* Over-privileged roles
* Role confusion
* Missing role validation
* Insecure role assignment

### 🔐 **Access Control Bypass**

* Parameter manipulation
* URL manipulation
* Session hijacking
* Cross-site request forgery

## 🛡️ Security Controls

### 🔒 **Preventive Controls**

* Strong access controls
* Role-based permissions
* Token validation
* Input validation
* Secure coding practices

### 🔍 **Detective Controls**

* Access logging
* Permission monitoring
* Security event correlation
* Intrusion detection
* Regular audits

### 🚨 **Corrective Controls**

* Access revocation
* Incident response
* Security awareness training
* Regular assessments
* Continuous improvement

## 📊 Implementation Examples

### 🔐 **RBAC Implementation (Python)**

```python
from enum import Enum
from typing import List, Set

class Permission(Enum):
    READ = "read"
    WRITE = "write"
    DELETE = "delete"
    EXECUTE = "execute"

class Role:
    def __init__(self, name: str, permissions: Set[Permission]):
        self.name = name
        self.permissions = permissions

class User:
    def __init__(self, username: str, roles: List[Role]):
        self.username = username
        self.roles = roles
    
    def has_permission(self, permission: Permission) -> bool:
        for role in self.roles:
            if permission in role.permissions:
                return True
        return False

# Example usage
admin_role = Role("admin", {Permission.READ, Permission.WRITE, Permission.DELETE, Permission.EXECUTE})
user_role = Role("user", {Permission.READ})
admin_user = User("admin", [admin_role])
regular_user = User("user", [user_role])

print(admin_user.has_permission(Permission.DELETE))  # True
print(regular_user.has_permission(Permission.DELETE))  # False
```

### 🔑 **JWT Authorization (Node.js)**

```javascript
const jwt = require('jsonwebtoken');
const express = require('express');

const app = express();

// Middleware untuk verifikasi JWT
const authenticateToken = (req, res, next) => {
  const authHeader = req.headers['authorization'];
  const token = authHeader && authHeader.split(' ')[1];

  if (!token) {
    return res.sendStatus(401);
  }

  jwt.verify(token, process.env.JWT_SECRET, (err, user) => {
    if (err) {
      return res.sendStatus(403);
    }
    req.user = user;
    next();
  });
};

// Middleware untuk role-based authorization
const authorizeRole = (roles) => {
  return (req, res, next) => {
    if (!req.user || !roles.includes(req.user.role)) {
      return res.status(403).json({ message: 'Insufficient permissions' });
    }
    next();
  };
};

// Protected routes
app.get('/admin', authenticateToken, authorizeRole(['admin']), (req, res) => {
  res.json({ message: 'Admin access granted', user: req.user });
});

app.get('/user', authenticateToken, authorizeRole(['user', 'admin']), (req, res) => {
  res.json({ message: 'User access granted', user: req.user });
});
```

### 🔒 **OAuth 2.0 Implementation (Java)**

```java
@RestController
@RequestMapping("/api")
public class OAuthController {
    
    @Autowired
    private OAuth2Service oauth2Service;
    
    @PostMapping("/token")
    public ResponseEntity<TokenResponse> getToken(@RequestBody TokenRequest request) {
        try {
            TokenResponse token = oauth2Service.generateToken(request);
            return ResponseEntity.ok(token);
        } catch (InvalidGrantException e) {
            return ResponseEntity.status(400).body(null);
        }
    }
    
    @GetMapping("/resource")
    public ResponseEntity<ResourceResponse> getResource(
            @RequestHeader("Authorization") String authorization) {
        
        String token = authorization.replace("Bearer ", "");
        
        if (!oauth2Service.validateToken(token)) {
            return ResponseEntity.status(401).body(null);
        }
        
        // Check scopes
        if (!oauth2Service.hasScope(token, "read")) {
            return ResponseEntity.status(403).body(null);
        }
        
        return ResponseEntity.ok(new ResourceResponse("Protected resource"));
    }
}
```

## 🚀 Advanced Topics

### 🔐 **Attribute-Based Access Control (ABAC)**

* Dynamic access control
* Context-aware permissions
* Policy-based authorization
* Risk-based access control

### 🌐 **Federated Authorization**

* Cross-domain authorization
* Trust relationships
* Policy federation
* Identity federation

### 🔒 **Zero-Trust Authorization**

* Continuous verification
* Context-aware access
* Risk-based decisions
* Micro-segmentation

### 🎭 **Advanced RBAC**

* Hierarchical roles
* Dynamic role assignment
* Role inheritance
* Temporal roles

## 🔍 Authorization Patterns

### 🏗️ **Pattern 1: Resource-Based Authorization**

```python
def can_access_resource(user, resource, action):
    # Check if user has permission for specific resource
    return user.has_permission(resource.id, action)

# Usage
if can_access_resource(user, document, "read"):
    return document.content
```

### 🎭 **Pattern 2: Role-Based Authorization**

```python
def can_perform_action(user, action):
    # Check if user's role allows the action
    return any(action in role.permissions for role in user.roles)

# Usage
if can_perform_action(user, "delete_user"):
    delete_user(user_id)
```

### 🔐 **Pattern 3: Attribute-Based Authorization**

```python
def can_access(user, resource, context):
    # Check attributes for authorization decision
    if user.department == resource.department:
        if context.time.hour < 18:  # Business hours
            return True
    return False
```

## 🤝 Contributing

Kontribusi untuk memperbaiki dan menambahkan konten authorization sangat dihargai! Silakan:

1. Fork repository ini
2. Buat branch untuk fitur baru
3. Commit perubahan Anda
4. Push ke branch
5. Buat Pull Request

## 📄 License

Konten ini tersedia di bawah [MIT License](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-authorization/LICENSE/README.md).

## 🙏 Acknowledgments

* OWASP Foundation untuk authorization guidelines
* OAuth and OpenID Connect communities
* Security researchers dan practitioners
* Open source authorization frameworks

***

**⚠️ Disclaimer**: Catatan ini dibuat untuk tujuan pembelajaran. Selalu test authorization measures di environment yang aman dan konsultasikan dengan security experts untuk implementasi production.

**🚫 Remember**: Proper authorization is crucial for maintaining security boundaries. Implement it carefully!