SAPL Policy Enforcement Point (PEP) core library for Python
sapl-base
Core SAPL Policy Enforcement Point (PEP) library for Python. Provides the async PDP client, constraint enforcement engine, and enforcement primitives used by the framework integrations (sapl-flask, sapl-django, sapl-fastapi).
Implements the SAPL 4.1 enforcement model: a planner that binds constraint handlers to lifecycle signals, the SUSPEND decision verb, an optional RSocket transport, and a library-owned transaction boundary that rolls back on post-write denial.
How It Works
Your application sends authorization subscriptions to the Policy Decision Point (PDP) and enforces the decision. The PDP evaluates SAPL policies and returns permit/deny decisions with optional obligations, advice, and resource transformations.
```python
import asyncio

from sapl_base.transport import HttpPdpClient, HttpPdpClientOptions
from sapl_base.types import AuthorizationSubscription


async def main():
    # HTTPS is the default; point the client at your PDP
    client = HttpPdpClient(HttpPdpClientOptions(base_url="https://localhost:8443"))
    decision = await client.decide_once(AuthorizationSubscription(
        subject={"user": "alice", "roles": ["DOCTOR"]},
        action="read",
        resource="patient-record",
    ))
    print(decision.decision)  # PERMIT, DENY, INDETERMINATE, NOT_APPLICABLE, or SUSPEND


asyncio.run(main())
```
A SAPL policy that permits this subscription:

```sapl
policy "permit doctors to read patient data"
permit
    action == "read";
    "DOCTOR" in subject.roles
```
For streaming decisions that update as policies change:
```python
async for decision in client.decide(subscription):
    print(decision.decision)
```
What You Get
- Async HTTP client for all PDP REST endpoints (decide-once, decide, multi-decide, multi-decide-all, multi-decide-all-once)
- Streaming SSE subscriptions with automatic reconnect and exponential backoff
- Constraint enforcement via a single ConstraintHandlerProvider, returning ScopedHandler entries whose shape is a runner (no value), a consumer (observes a value), or a mapper (transforms a value)
- Built-in content filtering via filterJsonContent (blacken, delete, replace)
- Pre-enforce and post-enforce primitives for request/response authorization
- Streaming enforcement through a single stream_enforce decorator backed by the run_pipeline engine
- Bearer token and HTTP basic auth support; HTTPS by default
Most applications should use a framework integration instead of this package directly.
Database Transactions
One-shot enforcement can own a transaction boundary. When you configure a transaction provider, pre_enforce and post_enforce wrap the protected call plus enforcement in it, so a denial that lands after a DB write rolls the write back. The three triggers are a post_enforce DENY, a post_enforce output-obligation failure, and a pre_enforce output-obligation failure (the pre-decision permits, but its output obligations run after the method writes). A clean permit commits. This is opt-in: with no provider, the PEP owns no transaction and behaviour is unchanged.
A provider is a zero-arg factory returning an async context manager that commits on clean exit and rolls back on a propagated exception, exactly the semantics of SQLAlchemy AsyncSession.begin() and Django transaction.atomic(). The framework integrations expose set_transaction_provider(provider). For a sync transaction boundary (sync SQLAlchemy session.begin or Django transaction.atomic), wrap it with from_sync_context:
```python
from sapl_base.pep import from_sync_context
```
The provider factory should resolve the current request's session or transaction.
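As an added example (not code from the library), the block below models the provider contract with a constructed in-memory store and a hypothetical enforce_post wrapper that applies the rollback rule described above: the protected call and its post-decision run inside the provider's context manager, and a non-PERMIT post-decision is raised as an exception so the staged write is discarded while a clean PERMIT commits. MemoryStore, make_transaction_provider, enforce_post and AccessDenied are assumed names; the library's own pre_enforce/post_enforce and PDP client are not used here.

```python
import asyncio
from contextlib import asynccontextmanager

class AccessDenied(Exception): pass  # post-decision was not PERMIT; raising it triggers rollback

class MemoryStore:  # constructed stand-in for a database with commit/rollback
    def __init__(self):
        self.committed = {}
        self.pending = None  # staged writes of the open transaction, if any
    def write(self, key, value):
        assert self.pending is not None, "write outside a transaction"
        self.pending[key] = value

def make_transaction_provider(store):
    """Builds the zero-arg factory the provider contract asks for."""
    @asynccontextmanager
    async def transaction():
        store.pending = {}
        try:
            yield store
        except BaseException:
            store.pending = None  # rollback: discard the staged writes
            raise
        store.committed.update(store.pending)  # commit on clean exit
        store.pending = None
    return transaction

async def enforce_post(provider, method, post_decide):
    """Hypothetical post-enforce wrapper (not the library's code): a DENY after the write rolls it back."""
    async with provider():
        result = await method()
        if (decision := await post_decide(result)) != "PERMIT":
            raise AccessDenied(decision)
        return result

async def demo(store, post_decision):
    async def update_record():
        store.write("patient-record", "updated")  # the DB write under protection
        return "updated"
    async def post_decide(_result):
        return post_decision  # constructed PDP answer for the post-enforce stage
    try:
        await enforce_post(make_transaction_provider(store), update_record, post_decide)
    except AccessDenied:
        pass  # a framework integration would turn this into an error response

def run_demo(post_decision):
    store = MemoryStore()
    asyncio.run(demo(store, post_decision))
    return dict(store.committed)  # {} after DENY, the record after PERMIT
```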
Getting Started
```shell
pip install sapl-base
```
For the decision-verb semantics and the unified enforcement model, see the SAPL documentation.
License
Apache-2.0
File details
Details for the file sapl_base-4.1.0.tar.gz.
File metadata
- Download URL: sapl_base-4.1.0.tar.gz
- Size: 51.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 009f7cef37f594426636bf84c0e332dd191911b50db504e0c2104b0d6661a66a |
| MD5 | 51414ea10ab7b126fe9b2855964ac99b |
| BLAKE2b-256 | 41ede793433b0ac62ea57097c715848448884968756a70722b80d115654bdffd |
File details
Details for the file sapl_base-4.1.0-py3-none-any.whl.
File metadata
- Download URL: sapl_base-4.1.0-py3-none-any.whl
- Size: 59.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 0ab6d4ec90e698369cb73e9878fa0a80f07144c6a1255af1dbbf61148fe95ea4 |
| MD5 | bdae83e33613c881a05326215ac5d0a4 |
| BLAKE2b-256 | 79c140cd091d9342b3903c4bd6c2685c42e9cc3c0c478269f0a91886d525c19f |