SAPL Policy Enforcement Point (PEP) integration for Django

Project description

sapl-django

Policy-based authorization for Django. Write access control rules as external SAPL policy files and enforce them at runtime through decorators like @pre_enforce and @post_enforce. Policies can be updated without code changes or redeployment.

Built on sapl-base and the SAPL 4.1 enforcement model: planner-driven constraint handling, the SUSPEND decision verb, an optional RSocket transport, and transaction rollback on post-write denial. Data-layer query rewriting is available via sapl-sqlalchemy (SQL) and sapl-pymongo (MongoDB).

How It Works

Your application decorates views with enforcement decorators. SAPL intercepts the call, sends an authorization subscription to the Policy Decision Point (PDP), and enforces the decision, including any obligations or advice the policy attaches.

@pre_enforce(action="read", resource="patient")
async def get_patient(request, patient_id):
    return JsonResponse({"id": patient_id, "name": "Jane Doe", "ssn": "123-45-6789"})

policy "permit doctors to read patient data"
permit
  action == "read";
  "DOCTOR" in subject.roles

If the PDP permits, the view runs. If not, PermissionDenied is raised. If the decision carries obligations (like access logging or field redaction), they are enforced automatically through registered constraint handlers.

What You Get

SAPL goes beyond simple permit/deny. Decisions can carry obligations that must be fulfilled, advice that should be attempted, and resource transformations that modify return values before they reach the caller. The library handles all of this transparently.

For streaming views, the single stream_enforce decorator maintains a live connection to the PDP, so access rights update in real time as policies, attributes, or the environment change. Built-in constraint handlers cover JSON field redaction and collection filtering. Writing custom handlers follows a simple registration pattern with register_provider.
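The decision semantics described above (obligations must succeed, advice is best effort, a resource transformation replaces the return value), as an added model in plain Python; it is not the sapl-base or sapl-django API, and the handler registry, the `redactFields` constraint type and the ordering of transformation before obligations are assumptions made for the illustration.

```python
# Added illustration of the decision semantics above; it models a SAPL
# decision and a PEP in plain Python and is NOT the sapl-base/sapl-django API.
from dataclasses import dataclass, field
from typing import Any, Callable


class PermissionDenied(Exception):
    """Stands in for django.core.exceptions.PermissionDenied."""


@dataclass
class Decision:
    verb: str                                               # "PERMIT", "DENY", ...
    obligations: list[dict] = field(default_factory=list)   # must be fulfilled
    advice: list[dict] = field(default_factory=list)        # attempted, best effort
    resource: Any = None                                    # optional replacement value


def enforce(decision: Decision, handlers: dict[str, Callable], value: Any) -> Any:
    """Apply a decision to a view's return value, enforcing its constraints."""
    if decision.verb != "PERMIT":
        raise PermissionDenied(decision.verb)
    # Assumed ordering: a resource transformation replaces the value first.
    if decision.resource is not None:
        value = decision.resource
    # Obligations: a missing or failing handler turns PERMIT into a denial.
    for obligation in decision.obligations:
        handler = handlers.get(obligation["type"])
        if handler is None:
            raise PermissionDenied(f"no handler for obligation {obligation['type']}")
        try:
            value = handler(obligation, value)
        except Exception as exc:
            raise PermissionDenied(f"obligation failed: {exc}") from exc
    # Advice: attempted when a handler exists; failure does not deny access.
    for advice in decision.advice:
        handler = handlers.get(advice["type"])
        if handler is not None:
            try:
                value = handler(advice, value)
            except Exception:
                pass
    return value


def redact_fields(constraint: dict, value: dict) -> dict:
    """Constructed field-redaction handler: drop the listed keys from a dict."""
    return {k: v for k, v in value.items() if k not in constraint["fields"]}


HANDLERS = {"redactFields": redact_fields}                  # constructed registry
PATIENT = {"id": 7, "name": "Jane Doe", "ssn": "123-45-6789"}  # constructed record
```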

Database Transactions

If you configure a transaction provider, a denial that lands after the view has written to the database rolls the transaction back. Three triggers cause a rollback: a post_enforce DENY, a post_enforce output-obligation failure, and a pre_enforce output-obligation failure (the pre-decision permits, but its output obligations run after the method writes). A clean permit commits. It is opt-in: with no provider set, the PEP owns no transaction.

transaction.atomic is synchronous, so wrap it with from_sync_context:

from django.db import transaction
from sapl_base.pep import from_sync_context
from sapl_django.config import set_transaction_provider

set_transaction_provider(from_sync_context(transaction.atomic))

A sync SQLAlchemy session.begin is wrapped the same way: from_sync_context(lambda: get_current_session().begin()).
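The rollback rules above, as an added model in plain Python (not sapl-django's own code): a stand-in context manager plays the role of the configured transaction provider, and `run_enforced` replays the event order the section describes so that each of the three triggers rolls back while a clean permit commits. The decision strings, the `write_patient` view and the obligation callables are constructed for the example.

```python
# Added model of the rollback rules above (plain Python, not sapl-django's code):
# which decisions commit and which roll back once the view has written.
from typing import Callable


class Transaction:
    """Stand-in for the provider (transaction.atomic): records commit/rollback."""

    def __init__(self) -> None:
        self.state = "open"

    def __enter__(self) -> "Transaction":
        return self

    def __exit__(self, exc_type, exc, tb) -> bool:
        self.state = "rolled_back" if exc_type is not None else "committed"
        return False  # re-raise so the caller still observes the denial


class PermissionDenied(Exception):
    pass


def run_enforced(
    pre_decision: str,
    post_decision: str,
    view: Callable[[], object],
    pre_output_obligation: Callable[[object], object] = lambda v: v,
    post_output_obligation: Callable[[object], object] = lambda v: v,
) -> tuple[str, object]:
    """Event order: pre decision -> view writes -> pre output obligations
    -> post decision -> post output obligations. Returns (tx state, value)."""
    if pre_decision != "PERMIT":
        return ("not_started", None)  # denied before any write; nothing to roll back
    tx = Transaction()
    try:
        with tx:
            value = view()
            value = pre_output_obligation(value)   # runs after the write (trigger 3)
            if post_decision != "PERMIT":          # post_enforce DENY (trigger 1)
                raise PermissionDenied("post_enforce DENY")
            value = post_output_obligation(value)  # post output obligation (trigger 2)
    except (PermissionDenied, RuntimeError):
        return (tx.state, None)
    return (tx.state, value)


def write_patient() -> dict:
    return {"id": 7, "written": True}  # constructed view that writes a row
```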

Getting Started

pip install sapl-django

INSTALLED_APPS = [
    "sapl_django",
    ...
]

MIDDLEWARE = [
    "sapl_django.middleware.SaplRequestMiddleware",
    ...
]

SAPL_CONFIG = {
    "base_url": "https://localhost:8443",
}

For setup instructions, configuration options, the constraint handler reference, and the full API, see the Django documentation.

License

Apache-2.0

Download files

Source Distribution

sapl_django-4.1.0.tar.gz (28.3 kB)

Uploaded Source

Built Distribution

sapl_django-4.1.0-py3-none-any.whl (19.5 kB)

Uploaded Python 3

File details

Details for the file sapl_django-4.1.0.tar.gz.

File metadata

  • Download URL: sapl_django-4.1.0.tar.gz
  • Size: 28.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File details

Details for the file sapl_django-4.1.0-py3-none-any.whl.

File metadata

  • Download URL: sapl_django-4.1.0-py3-none-any.whl
  • Size: 19.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.13
