SAPL Policy Enforcement Point (PEP) core library for Python

Project description

sapl-base

Core SAPL Policy Enforcement Point (PEP) library for Python. Provides the async PDP client, constraint enforcement engine, and enforcement primitives used by the framework integrations (sapl-flask, sapl-django, sapl-fastapi).

Implements the SAPL 4.1 enforcement model: a planner that binds constraint handlers to lifecycle signals, the SUSPEND decision verb, an optional RSocket transport, and a library-owned transaction boundary that rolls back on post-write denial.

How It Works

Your application sends authorization subscriptions to the Policy Decision Point (PDP) and enforces the decision. The PDP evaluates SAPL policies and returns permit/deny decisions with optional obligations, advice, and resource transformations.

import asyncio

from sapl_base.transport import HttpPdpClient, HttpPdpClientOptions
from sapl_base.types import AuthorizationSubscription


async def main() -> None:
    # HTTPS is the default transport; the PDP is reached at base_url.
    client = HttpPdpClient(HttpPdpClientOptions(base_url="https://localhost:8443"))
    decision = await client.decide_once(AuthorizationSubscription(
        subject={"user": "alice", "roles": ["DOCTOR"]},
        action="read",
        resource="patient-record",
    ))
    print(decision.decision)  # PERMIT, DENY, INDETERMINATE, NOT_APPLICABLE, or SUSPEND


asyncio.run(main())

A SAPL policy that permits this subscription:

policy "permit doctors to read patient data"
permit
  action == "read";
  "DOCTOR" in subject.roles

For streaming decisions that update as policies change:

async for decision in client.decide(subscription):  # inside an async function, same client as above
    print(decision.decision)  # each new decision pushed by the PDP

What You Get

  • Async HTTP client for all PDP REST endpoints (decide-once, decide, multi-decide, multi-decide-all, multi-decide-all-once)
  • Streaming SSE subscriptions with automatic reconnect and exponential backoff
  • Constraint enforcement via a single ConstraintHandlerProvider, returning ScopedHandler entries whose shape is a runner (no value), a consumer (observes a value), or a mapper (transforms a value)
  • Built-in content filtering via filterJsonContent (blacken, delete, replace)
  • Pre-enforce and post-enforce primitives for request/response authorization
  • Streaming enforcement through a single stream_enforce decorator backed by the run_pipeline engine
  • Bearer token and HTTP basic auth support; HTTPS by default

Most applications should use a framework integration instead of this package directly.

Database Transactions

One-shot enforcement can own a transaction boundary. When you configure a transaction provider, pre_enforce and post_enforce wrap the protected call plus enforcement in it, so a denial that lands after a DB write rolls the write back. The three triggers are a post_enforce DENY, a post_enforce output-obligation failure, and a pre_enforce output-obligation failure (the pre-decision permits, but its output obligations run after the method writes). A clean permit commits. This is opt-in: with no provider, the PEP owns no transaction and behaviour is unchanged.

A provider is a zero-arg factory returning an async context manager that commits on clean exit and rolls back on a propagated exception, exactly the semantics of SQLAlchemy AsyncSession.begin() and Django transaction.atomic(). The framework integrations expose set_transaction_provider(provider). For a sync transaction boundary (sync SQLAlchemy session.begin or Django transaction.atomic), wrap it with from_sync_context:

from sapl_base.pep import from_sync_context

The provider factory should resolve the current request's session or transaction.
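The rollback behaviour described above, shown as an added example that is not sapl_base's own code: a constructed in-memory store plays the role of the DB session, a simplified `post_enforce_in_tx` stands in for the library's boundary, `POST_DECISIONS` is a constructed decision table standing in for the PDP, and `sync_to_async_provider` is a hypothetical adapter illustrating what `from_sync_context` is described as doing (it is not the real function). Everything else is constructed for the example.

```python
import asyncio
from contextlib import asynccontextmanager, contextmanager


class ToyStore:
    """Constructed in-memory store with commit/rollback, standing in for a real DB session."""

    def __init__(self) -> None:
        self.rows: dict[str, str] = {}
        self.log: list[str] = []

    def _commit(self) -> None:
        self.log.append("commit")

    def _rollback(self, snapshot: dict[str, str]) -> None:
        self.rows = snapshot
        self.log.append("rollback")

    @asynccontextmanager
    async def begin(self):
        # Async boundary: commit on clean exit, roll back when an exception propagates,
        # the contract the page attributes to SQLAlchemy AsyncSession.begin().
        snapshot = dict(self.rows)
        try:
            yield self
        except BaseException:
            self._rollback(snapshot)
            raise
        else:
            self._commit()

    @contextmanager
    def begin_sync(self):
        # Sync boundary with the same contract (think session.begin() / transaction.atomic()).
        snapshot = dict(self.rows)
        try:
            yield self
        except BaseException:
            self._rollback(snapshot)
            raise
        else:
            self._commit()


def sync_to_async_provider(sync_factory):
    """Hypothetical adapter (not sapl_base.pep.from_sync_context): turns a zero-arg factory
    of sync context managers into a zero-arg factory of async context managers."""

    @asynccontextmanager
    async def adapted():
        with sync_factory() as handle:
            yield handle

    return adapted


class AccessDenied(Exception):
    """Raised when the post-decision is not PERMIT; propagating it triggers the rollback."""


# Constructed post-decisions keyed by user; a real PEP would ask the PDP.
POST_DECISIONS = {"alice": "PERMIT", "mallory": "DENY"}


async def post_enforce_in_tx(provider, protected_call, user: str):
    """Simplified model of the library-owned boundary described above (not sapl_base's code):
    the protected call and the post-decision both run inside the provider's context, so a
    DENY that lands after the write unwinds through the context manager and rolls it back."""
    async with provider():
        result = await protected_call()
        if POST_DECISIONS.get(user, "DENY") != "PERMIT":
            raise AccessDenied(user)
        return result


async def write_record(store: ToyStore, user: str, value: str) -> str:
    # The "DB write" that must not survive a post-write denial.
    store.rows[user] = value
    return value


def run_scenario(user: str, sync_provider: bool = False) -> dict:
    """Run one write through the boundary and report the store's final state."""
    store = ToyStore()
    provider = sync_to_async_provider(store.begin_sync) if sync_provider else store.begin

    async def go() -> str:
        try:
            return await post_enforce_in_tx(provider, lambda: write_record(store, user, "x"), user)
        except AccessDenied:
            return "denied"

    outcome = asyncio.run(go())
    return {"outcome": outcome, "rows": dict(store.rows), "log": list(store.log)}


if __name__ == "__main__":
    print(run_scenario("alice"))    # a clean permit commits the write
    print(run_scenario("mallory"))  # a post-write DENY rolls it back
    print(run_scenario("mallory", sync_provider=True))
```

The point to check in a real deployment is that the provider factory returns a context manager whose exit really does roll back on a propagated exception; an `AccessDenied` that is caught and swallowed inside the protected call would exit the boundary cleanly and commit the write.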

Getting Started

pip install sapl-base

For the decision-verb semantics and the unified enforcement model, see the SAPL documentation.

License

Apache-2.0

Download files

Source Distribution

sapl_base-4.1.0.tar.gz (51.5 kB view details)

Uploaded Source

Built Distribution

sapl_base-4.1.0-py3-none-any.whl (59.8 kB view details)

Uploaded Python 3

File details

Details for the file sapl_base-4.1.0.tar.gz.

File metadata

  • Download URL: sapl_base-4.1.0.tar.gz
  • Upload date:
  • Size: 51.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for sapl_base-4.1.0.tar.gz
Algorithm Hash digest
SHA256 009f7cef37f594426636bf84c0e332dd191911b50db504e0c2104b0d6661a66a
MD5 51414ea10ab7b126fe9b2855964ac99b
BLAKE2b-256 41ede793433b0ac62ea57097c715848448884968756a70722b80d115654bdffd

File details

Details for the file sapl_base-4.1.0-py3-none-any.whl.

File metadata

  • Download URL: sapl_base-4.1.0-py3-none-any.whl
  • Upload date:
  • Size: 59.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for sapl_base-4.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 0ab6d4ec90e698369cb73e9878fa0a80f07144c6a1255af1dbbf61148fe95ea4
MD5 bdae83e33613c881a05326215ac5d0a4
BLAKE2b-256 79c140cd091d9342b3903c4bd6c2685c42e9cc3c0c478269f0a91886d525c19f
