SAPL Policy Enforcement Point (PEP) integration for FastMCP

Project description

sapl-fastmcp

Policy-based authorization for FastMCP servers. Write access control rules as external SAPL policy files and enforce them at runtime through middleware or per-component auth= callbacks. Policies can be updated without code changes or redeployment.

Built on sapl-base and the SAPL 4.1 enforcement model: planner-driven constraint handling, the SUSPEND decision verb, and an optional RSocket transport.

How It Works

Two enforcement approaches are available. The middleware approach intercepts every tool call, resource read, and prompt get through SAPLMiddleware, giving you a single enforcement point for the entire server. The per-component approach uses auth=sapl() on individual tools, resources, and prompts for fine-grained control with decorator overrides.

Middleware

from fastmcp import FastMCP
from sapl_base.transport import HttpPdpClientOptions
from sapl_fastmcp import SAPLMiddleware, configure_sapl, get_pdp_client, get_planner

configure_sapl(HttpPdpClientOptions(base_url="https://localhost:8443"))
mcp = FastMCP("my-server")
mcp.add_middleware(SAPLMiddleware(get_pdp_client(), get_planner()))

Per-Component Auth

from fastmcp import FastMCP
from sapl_base.transport import HttpPdpClientOptions
from sapl_fastmcp import sapl, pre_enforce, configure_sapl

configure_sapl(HttpPdpClientOptions(base_url="https://localhost:8443"))
mcp = FastMCP("my-server")

@mcp.tool(auth=sapl())
@pre_enforce(action="query", resource="patients")
def query_patients(department: str) -> list[dict]:
    return [{"id": "P-001", "name": "Jane Doe"}]

If the PDP permits, the tool runs. If not, access is denied. If the decision carries obligations (like access logging or result filtering), they are enforced automatically through registered constraint handlers.
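The permit, deny and obligation flow described above, modelled as a stand-alone added example (not sapl-fastmcp's or sapl-base's own code). Every name in it, including the `logAccess` and `filterFields` obligation types, is hypothetical, and denying a call whose obligation has no registered handler is an assumption based on the usual PEP rule that an obligation that cannot be fulfilled must not result in access.

```python
# Added illustration of the flow above. Every name here is hypothetical and
# models the behaviour only; none of it is the sapl-fastmcp or sapl-base API.
from dataclasses import dataclass, field
from typing import Any, Callable

@dataclass
class Decision:
    verdict: str  # "PERMIT", "DENY", ...
    obligations: list[dict] = field(default_factory=list)

class AccessDenied(Exception):
    """Raised whenever the call must not go through."""

AUDIT_LOG: list[str] = []

def log_access(constraint: dict, result: Any) -> Any:
    AUDIT_LOG.append(constraint["message"])
    return result

def filter_fields(constraint: dict, result: Any) -> Any:
    hidden = set(constraint["remove"])
    return [{k: v for k, v in row.items() if k not in hidden} for row in result]

# Registered constraint handlers, keyed by the obligation's "type" field.
HANDLERS: dict[str, Callable[[dict, Any], Any]] = {
    "logAccess": log_access,
    "filterFields": filter_fields,
}

def enforce(decision: Decision, tool: Callable[[], Any]) -> Any:
    """Run `tool` only under a PERMIT whose obligations can all be handled."""
    if decision.verdict != "PERMIT":
        raise AccessDenied(f"PDP decision: {decision.verdict}")
    # Resolve every handler before the tool runs, so an obligation without a
    # handler denies the call before it can have any side effect.
    plan = []
    for ob in decision.obligations:
        handler = HANDLERS.get(ob.get("type"))
        if handler is None:
            raise AccessDenied(f"unhandled obligation: {ob.get('type')}")
        plan.append((handler, ob))
    result = tool()
    for handler, ob in plan:
        result = handler(ob, result)
    return result

# Constructed sample decision, not real PDP output.
SAMPLE = Decision("PERMIT", [{"type": "logAccess", "message": "patients queried"},
                             {"type": "filterFields", "remove": ["name"]}])
```

Passing `SAMPLE` and a function that returns the page's stub patient record to `enforce` yields the record with `name` removed and one audit entry; any verdict other than `PERMIT`, or an obligation type missing from `HANDLERS`, raises `AccessDenied` before the tool is called.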

Getting Started

pip install sapl-fastmcp

For setup instructions, configuration options, and the constraint handler reference, see the FastMCP documentation.

License

Apache-2.0

Download files

Source Distribution

sapl_fastmcp-4.1.0.tar.gz (28.3 kB)

Uploaded Source

Built Distribution

sapl_fastmcp-4.1.0-py3-none-any.whl (15.6 kB)

Uploaded Python 3

File details

Details for the file sapl_fastmcp-4.1.0.tar.gz.

File metadata

  • Download URL: sapl_fastmcp-4.1.0.tar.gz
  • Upload date:
  • Size: 28.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for sapl_fastmcp-4.1.0.tar.gz
Algorithm Hash digest
SHA256 1a6bdbfe2e0bcb438fc5c912504e81516692aeea89419a50ffcfd71e76ca31ae
MD5 a8a751ccf7ab1fc0f35dc9aa778e92b4
BLAKE2b-256 4f74f88ca5c63b65bcd3394351d60feb6b7c5db32b429eba1aff67103ebfdfbd

File details

Details for the file sapl_fastmcp-4.1.0-py3-none-any.whl.

File metadata

  • Download URL: sapl_fastmcp-4.1.0-py3-none-any.whl
  • Upload date:
  • Size: 15.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for sapl_fastmcp-4.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 66c644aeb68d0d24962ea45ff24e26fb9a31a0769fcd472ac57cd559f391a080
MD5 203d7ae9074364607ebed295e5623960
BLAKE2b-256 0a8d423519d4850c6d802caa55a9fe8743d7fbc68b87a4cf15cbc17d0d692b11
