SAPL Policy Enforcement Point (PEP) core library for Python
Project description
sapl-base
Core SAPL Policy Enforcement Point (PEP) library for Python. Provides the async PDP client, constraint enforcement engine, and enforcement primitives used by the framework integrations (sapl-flask, sapl-django, sapl-fastapi).
How It Works
Your application sends authorization subscriptions to the Policy Decision Point (PDP) and enforces the decision. The PDP evaluates SAPL policies and returns permit/deny decisions with optional obligations, advice, and resource transformations.
from sapl_base.pdp_client import PdpClient, PdpConfig
from sapl_base.types import AuthorizationSubscription
client = PdpClient(PdpConfig(base_url="https://localhost:8443"))
decision = await client.decide_once(AuthorizationSubscription(
subject={"user": "alice", "roles": ["DOCTOR"]},
action="read",
resource="patient-record",
))
print(decision.decision) # PERMIT, DENY, INDETERMINATE, or NOT_APPLICABLE
policy "permit doctors to read patient data"
permit
action == "read"
where
"DOCTOR" in subject.roles;
For streaming decisions that update as policies change:
async for decision in client.decide(subscription):
print(decision.decision)
What You Get
- Async HTTP client for all PDP REST endpoints (
decide-once,decide,multi-decide-once,multi-decide,multi-decide-all-once,multi-decide-all) - Streaming SSE subscriptions with automatic reconnect and exponential backoff
- Constraint enforcement engine with seven handler types (runnable, consumer, mapping, filter predicate, error handler, error mapping, method invocation)
- Built-in content filtering via
filterJsonContent(blacken, delete, replace) - Pre-enforce and post-enforce primitives for request/response authorization
- Three streaming enforcement strategies: enforce-till-denied, enforce-drop-while-denied, enforce-recoverable-if-denied
- Bearer token and HTTP basic auth support; HTTPS by default
Most applications should use a framework integration instead of this package directly.
Getting Started
pip install sapl-base
For the PEP implementation specification and constraint handler reference, see the PEP documentation.
Links
License
Apache-2.0
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file sapl_base-4.0.0rc2.tar.gz.
File metadata
- Download URL: sapl_base-4.0.0rc2.tar.gz
- Upload date:
- Size: 51.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9e353ea471c50c78d3d0e7e24684de55c0ebe873d0edaad3c765103a68673acf
|
|
| MD5 |
15039c949d4d3469d6a5714e7af200d2
|
|
| BLAKE2b-256 |
8d390cd868de6df983490c9ee84ed77df278b41985d1c1d5c22cc7e8c6e33bc1
|
File details
Details for the file sapl_base-4.0.0rc2-py3-none-any.whl.
File metadata
- Download URL: sapl_base-4.0.0rc2-py3-none-any.whl
- Upload date:
- Size: 30.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
5f166f2da0a343bfe88dc2752dd45fcdad054d73d17b98cff16ad5f4c41ad759
|
|
| MD5 |
20ba109ad72b0819fddd0c8ea8e1850e
|
|
| BLAKE2b-256 |
d8b7708d9a10672bc82fbf1a655287712fff94cbad42518519da4a0669b6a0f4
|
