Skip to main content

Django rules-based authorization framework.

Project description

Authoriz

The python module to allow rules-based authorization. Rules for allowing and disallowing actions can come from different sources.

Features

  • Easy rules parsers customization. Rules could be parsed from any source.
  • Specify required actions to your DRF ViewSet actions.
  • Action namespace definition with action params listing.
  • Fast authorization after setup is done.
  • Easy parameters getters definition.
  • Flexible configuration.

Installation

To install project with pip use:

pip install authoriz

To install it to your Django project add it to your installed apps:

INSTALLED_APPS = [
    ...
    'authoriz',
    ...
]

Usage

The main workflow of the usage are the following:

  1. Specify action namespace enum classes. You should predefine namespaces with actions to parse and use it.
  2. Specify parsers for the rules. There are default parsers, but it's possible (and recommended in many cases) to define your own with required source.
  3. Specify permissions to retrieve parameters. Views could have specific parameters for the action. So you should specify getters of those in permission class.
  4. Install authorization to your view. After all the above steps are complete, you can finally install authorization to specific view. It includes defining of actions required by the view, adding mixin to the view and adding permission classes to fetch required parameters.

1. Specify action namespace enum classes

The enum class the following structure as the example below:

from django.db import models
from authoriz.namespaces.base import ActionsNamespace


class EntityPermissions(ActionsNamespace):
    name = 'entity'

    class Actions(models.TextChoices):
        ENTITY_CREATE = 'entity:EntityCreate', 'Create entity'
        ENTITY_LIST = 'entity:EntityList', 'List entities'
        ENTITY_RETRIEVE = 'entity:EntityRetrieve', 'Retrieve entity'
        ENTITY_UPDATE = 'entity:EntityUpdate', 'Update entity'
        ENTITY_DESTROY = 'entity:EntityDestroy', 'Delete entity'

    params = {
        Actions.ENTITY_CREATE.value: [],
        Actions.ENTITY_LIST.value: [],
        Actions.ENTITY_RETRIEVE.value: ['entity_id'],
        Actions.ENTITY_UPDATE.value: ['entity_id'],
        Actions.ENTITY_DESTROY.value: ['entity_id'],
    }

Parameters:

  • name - name of the namespace.
  • Actions - enum class with actions contained by the given namespace.
  • params - specification of the params allowed by specific actions. If the action is not presented in dict, the empty list is used as a default.

2. Specify parsers for the rules

The parser class has the following structure as the example below:

from path.to import get_rules_from_some_source
from authoriz.parsing.base import PermissionsRule, PermissionsParser

class RulesFromSomeSourceParser(PermissionsParser):
    def get_rules(self) -> List[PermissionsRule]:
        rules = get_rules_from_some_source()
        return rules

So the main method is get_rules(). It is used to specify the routine to get / parse rules list from any source (database, file, API call, etc.).

After you defined your required parser classes you should specify them in settings.py of your Django project.

AUTHORIZ_RULES_PARSERS = [
    {
        'parser': 'path.to.RulesFromSomeSourceParser',
        'args': [],
        'kwargs': {},
    }
]

The parsers should be listed in the correct order. The rules parsed with last parsers could override the rules of the first ones.

Rule structure

@dataclass
class PermissionsRule:
    name: str
    effect: str
    actions: List[ParsedAction]
    target: str
    id: int  # generated

Parameters:

  • name - name of the rule.
    • 'Some rule #1'
  • effect - what exactly does the rule mean.
    • 'allow'
    • 'deny'
  • actions - list of actions on which the rule has effect.
  • target - who is the rule apply on.
    • '132342' - user ID
    • 'role:admin' - user role
  • id - ID of the rule. Used to sort rules before composing final allow/deny tree. Generated automatically.
    • 1
    • 2
    • 3

Action structure

@dataclass
class ParsedAction:
    namespace: str
    action_name: str
    params: dict  # {} by default

Parameters:

  • namespace - namespace of the action.
    • 'project'
    • 'entity'
    • 'user'
  • action_name - exact name of the action in the given namespace.
    • 'CreateProject'
    • 'UpdateUser'
    • 'DeleteEntity'
  • params - some additional data for the given action. Allowed params are specified by namespace enum class.
    • {project_id: 12, entity_id: 32}

3. Specify permissions to retrieve parameters

The permission class has the following structure:

from authoriz.permissions.base import BaseServicePermission

class EntityKwargsHasPermission(BaseServicePermission):
    def get_entity_id(self, request, view):
        return request.parser_context['kwargs']['entity_id']

Getters are all the methods that starts with get_ prefix. Everything that goes after get_ is considered as parameter name. So if we make a request to the route /entities/<entity_id> such as:

GET http://<host>:<port>/entities/1232

it will pass param entity_id with value 1232 to the permission check and find out whether your rules set allows the action with the following params or not.

4. Install authorization to your view

After all the previous steps are done we can apply in of the view:

from rest_framework import permissions, viewsets, mixins
from authoriz.mixins import APIViewPermissionsMixin
from path.to import EntityKwargsHasPermission
from path.to import EntityPermissions

class EntityViewSet(APIViewPermissionsMixin,
                     mixins.ListModelMixin,
                     mixins.RetrieveModelMixin,
                     mixins.CreateModelMixin,
                     mixins.UpdateModelMixin,
                     mixins.DestroyModelMixin,
                     viewsets.GenericViewSet):
    permission_classes = [
        permissions.IsAuthenticated,
        EntityKwargsHasPermission,
    ]
    actions_permissions = {
        'create': [
            EntityPermissions.Actions.ENTITY_CREATE
        ],
        'list': [
            EntityPermissions.Actions.ENTITY_LIST
        ],
        'retrieve': [
            EntityPermissions.Actions.ENTITY_RETRIEVE,
        ],
        'update': [
            EntityPermissions.Actions.ENTITY_UPDATE,
        ],
        'destroy': [
            EntityPermissions.Actions.ENTITY_DESTROY,
        ],
    }

To apply follow the following steps:

  1. Add APIViewPermissionsMixin as your first base class.
  2. Add EntityKwargsHasPermission to permission_classes.
  3. Specify required actions to DRF ViewSet actions in actions_permissions.

License

The project is licensed under the BSD license.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

authoriz-0.0.7.tar.gz (21.7 kB view details)

Uploaded Source

File details

Details for the file authoriz-0.0.7.tar.gz.

File metadata

  • Download URL: authoriz-0.0.7.tar.gz
  • Upload date:
  • Size: 21.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.0 CPython/3.9.13

File hashes

Hashes for authoriz-0.0.7.tar.gz
Algorithm Hash digest
SHA256 fb24d2f5722af739e4ba7d0f497855a5e9e0f83e1f96c6f0c4ec8e06fad7bfa4
MD5 7f33ea9746fdda61b118e609c91eeb94
BLAKE2b-256 6d7b6b90f7426d4d8e97205f9a3d2b58b6b375bf15d7766475fcb5230ac4d8eb

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page