
SAPL Policy Enforcement Point (PEP) integration for Flask

Project description

sapl-flask

Policy-based authorization for Flask. Write access control rules as external SAPL policy files and enforce them at runtime through decorators like @pre_enforce and @post_enforce. Policies can be updated without code changes or redeployment.

Built on sapl-base and the SAPL 4.1 enforcement model: planner-driven constraint handling, the SUSPEND decision verb, an optional RSocket transport, and transaction rollback on post-write denial. Data-layer query rewriting is available via sapl-sqlalchemy (SQL) and sapl-pymongo (MongoDB).

How It Works

Your application decorates view functions with enforcement decorators. SAPL intercepts the call, sends an authorization subscription to the Policy Decision Point (PDP), and enforces the decision, including any obligations or advice the policy attaches.

from sapl_flask.decorators import pre_enforce

# `app` is the Flask application with the SaplFlask extension attached
# (see Getting Started below).
@app.get("/patient/<patient_id>")
@pre_enforce(action="read", resource="patient")
def get_patient(patient_id):
    return {"id": patient_id, "name": "Jane Doe", "ssn": "123-45-6789"}

The policy the PDP evaluates for this subscription:

policy "permit doctors to read patient data"
permit
  action == "read";
  "DOCTOR" in subject.roles

If the PDP permits, the view runs; otherwise the PEP answers HTTP 403 and the view body never executes. If the decision carries obligations (for example access logging or field redaction), they are enforced automatically through registered constraint handlers; an obligation that no registered handler can fulfil fails closed, so the caller never sees the unconstrained result.

What You Get

SAPL goes beyond simple permit/deny. Decisions can carry obligations that must be fulfilled, advice that should be attempted, and resource transformations that modify return values before they reach the caller. The library handles all of this transparently.

For SSE endpoints, the single stream_enforce decorator maintains a live connection to the PDP, so access rights update in real time as policies, attributes, or the environment change. Built-in constraint handlers cover JSON field redaction and collection filtering. Writing custom handlers follows a simple registration pattern with register_provider on the SaplFlask extension.
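
To make the obligation/advice/resource distinction concrete, here is an added, self-contained model of a PEP applying one decision to a view's return value. It is example code written for this page, not code from sapl-base or sapl-flask: the `ToyPEP` class, its `register_handler` method, the `Decision` dataclass and the constraint types `redactFields` and `logAccess` are all assumed names for illustration (the real extension registers handlers through register_provider, whose signature is in the Flask documentation, not on this page). The patient record is constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Any, Callable


# Constructed model of a SAPL decision document: the verb plus optional
# obligations, advice and a replacement resource. The handler API below
# (ToyPEP, register_handler) is an assumption for this example, not the
# register_provider API of the SaplFlask extension.
@dataclass
class Decision:
    decision: str                                   # "PERMIT", "DENY", ...
    obligations: list[dict] = field(default_factory=list)
    advice: list[dict] = field(default_factory=list)
    resource: Any = None                            # replaces the return value


class AccessDenied(Exception):
    pass


class ToyPEP:
    def __init__(self) -> None:
        self._handlers: dict[str, Callable[[dict, Any], Any]] = {}
        self.audit_log: list[str] = []

    def register_handler(self, constraint_type: str,
                         handler: Callable[[dict, Any], Any]) -> None:
        self._handlers[constraint_type] = handler

    def _apply(self, constraint: dict, value: Any) -> Any:
        handler = self._handlers.get(constraint["type"])
        if handler is None:
            # An unknown constraint cannot be fulfilled; the caller decides
            # whether that is fatal (obligation) or ignorable (advice).
            raise LookupError(f"no handler for {constraint['type']!r}")
        return handler(constraint, value)

    def enforce(self, decision: Decision, value: Any) -> Any:
        if decision.decision != "PERMIT":
            raise AccessDenied(decision.decision)
        if decision.resource is not None:
            value = decision.resource
        # Obligations must be fulfilled: any failure, including a missing
        # handler, turns the permit into a denial so the raw value never
        # reaches the caller.
        for obligation in decision.obligations:
            try:
                value = self._apply(obligation, value)
            except Exception as exc:
                raise AccessDenied(f"obligation failed: {exc}") from exc
        # Advice is only attempted: a failure is recorded and access proceeds.
        for adv in decision.advice:
            try:
                value = self._apply(adv, value)
            except Exception as exc:
                self.audit_log.append(f"advice skipped: {exc}")
        return value


def redact_fields(constraint: dict, value: dict) -> dict:
    return {k: ("***" if k in constraint["fields"] else v) for k, v in value.items()}


def build_pep() -> ToyPEP:
    pep = ToyPEP()
    pep.register_handler("redactFields", redact_fields)

    def log_access(constraint: dict, value: Any) -> Any:
        pep.audit_log.append(constraint["message"])
        return value

    pep.register_handler("logAccess", log_access)
    return pep


PATIENT = {"id": "42", "name": "Jane Doe", "ssn": "123-45-6789"}  # constructed


def demo() -> dict:
    pep = build_pep()
    permit = Decision("PERMIT", obligations=[
        {"type": "redactFields", "fields": ["ssn"]},
        {"type": "logAccess", "message": "read patient 42"},
    ])
    redacted = pep.enforce(permit, dict(PATIENT))

    # An obligation nobody can fulfil must fail closed.
    try:
        pep.enforce(Decision("PERMIT", obligations=[{"type": "unknown"}]), dict(PATIENT))
        unfulfillable = "leaked"
    except AccessDenied:
        unfulfillable = "denied"

    # The same constraint as advice is skipped rather than fatal.
    advised = pep.enforce(Decision("PERMIT", advice=[{"type": "unknown"}]), dict(PATIENT))
    return {"redacted": redacted, "unfulfillable": unfulfillable,
            "advised": advised, "log": list(pep.audit_log)}


if __name__ == "__main__":
    print(demo())
```

The point to carry over to the real library is the asymmetry: an obligation with no handler must convert a PERMIT into a denial, while advice with no handler must not. A handler registry that silently ignores unknown obligations would turn a policy author's "redact the SSN" into a data leak.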

Database Transactions

If you configure a transaction provider, a denial that lands after the view has written to the database rolls the transaction back. Three triggers cause a rollback: a post_enforce DENY, a post_enforce output-obligation failure, and a pre_enforce output-obligation failure (the pre-decision permits, but its output obligations run after the method writes). A clean permit commits. It is opt-in: with no provider set, the PEP owns no transaction.

set_transaction_provider is a method on the extension. Flask views are synchronous, so wrap a sync session or transaction.atomic with from_sync_context:

from flask import Flask
from sapl_base.pep import from_sync_context
from sapl_flask.extension import SaplFlask

app = Flask(__name__)
sapl = SaplFlask(app)
# get_current_session() stands for your own request-scoped session accessor.
sapl.set_transaction_provider(from_sync_context(lambda: get_current_session().begin()))

The factory should resolve the current request's session. With an async SQLAlchemy session you can pass the async scope directly: sapl.set_transaction_provider(lambda: get_current_session().begin()).
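
The three rollback triggers above are easy to state and easy to get wrong, so here is an added, stand-alone illustration of the semantics using the standard-library sqlite3 module. It is example code written for this page, not the transaction handling inside sapl-base or sapl-flask: `run_post_enforced`, `apply_output_obligations`, the decision dictionaries and the `notes` table are all assumed names and constructed data. The decide callables play the role of the PDP's post-decision.

```python
import sqlite3
from typing import Callable


class AccessDenied(Exception):
    pass


# Assumed decision shape for this example:
# {"decision": "PERMIT" | "DENY", "obligations": [{"type": ..., ...}, ...]}.
# An output obligation with no handler here is an obligation failure.
def apply_output_obligations(obligations: list[dict], result: dict) -> dict:
    for ob in obligations:
        if ob["type"] == "redactFields":
            result = {k: ("***" if k in ob["fields"] else v) for k, v in result.items()}
        else:
            raise ValueError(f"no handler for output obligation {ob['type']!r}")
    return result


def run_post_enforced(conn: sqlite3.Connection,
                      view: Callable[[sqlite3.Connection], dict],
                      decide: Callable[[dict], dict]) -> dict:
    """Run `view` inside a transaction, then submit its output for the
    post-decision. Commit only on PERMIT with every output obligation
    fulfilled; on DENY or obligation failure roll back, so a write the
    policy ultimately rejects never persists."""
    conn.execute("BEGIN")
    try:
        result = view(conn)
        decision = decide(result)
        if decision["decision"] != "PERMIT":
            raise AccessDenied(decision["decision"])
        try:
            result = apply_output_obligations(decision.get("obligations", []), result)
        except Exception as exc:
            raise AccessDenied(f"output obligation failed: {exc}") from exc
    except BaseException:
        conn.execute("ROLLBACK")
        raise
    conn.execute("COMMIT")
    return result


def demo() -> dict:
    # isolation_level=None stops the sqlite3 module from issuing its own
    # implicit BEGIN, so the transaction boundaries are exactly the ones above.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE notes (patient_id TEXT, body TEXT)")

    def write_note(c: sqlite3.Connection) -> dict:
        c.execute("INSERT INTO notes VALUES ('42', 'constructed clinical note')")
        return {"patient_id": "42", "body": "constructed clinical note"}

    def count() -> int:
        return conn.execute("SELECT COUNT(*) FROM notes").fetchone()[0]

    outcomes = {}

    # 1. DENY after the write: the row must not survive.
    try:
        run_post_enforced(conn, write_note, lambda r: {"decision": "DENY"})
    except AccessDenied:
        pass
    outcomes["deny"] = count()

    # 2. PERMIT, but an output obligation cannot be fulfilled: also rolled back.
    try:
        run_post_enforced(conn, write_note,
                          lambda r: {"decision": "PERMIT",
                                     "obligations": [{"type": "notify"}]})
    except AccessDenied:
        pass
    outcomes["obligation_failure"] = count()

    # 3. Clean PERMIT with a fulfillable obligation: committed, output redacted.
    out = run_post_enforced(conn, write_note,
                            lambda r: {"decision": "PERMIT",
                                       "obligations": [{"type": "redactFields",
                                                        "fields": ["body"]}]})
    outcomes["permit"] = count()
    outcomes["returned_body"] = out["body"]
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Two details matter when you wire the real provider: the rollback branch must also cover exceptions raised by the view itself (hence `BaseException`, so a cancelled request does not leave an open transaction), and the obligation failure has to be mapped to a denial before the commit decision is made, not after.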

Getting Started

pip install sapl-flask

from flask import Flask
from sapl_flask.extension import SaplFlask
from sapl_flask.decorators import pre_enforce

app = Flask(__name__)
app.config["SAPL_BASE_URL"] = "https://localhost:8443"

sapl = SaplFlask(app)

For setup instructions, configuration options, the constraint handler reference, and the full API, see the Flask documentation.

License

Apache-2.0

Download files

Source Distribution

sapl_flask-4.1.0.tar.gz (16.3 kB view details)

Uploaded Source

Built Distribution

sapl_flask-4.1.0-py3-none-any.whl (9.3 kB view details)

Uploaded Python 3

File details

Details for the file sapl_flask-4.1.0.tar.gz.

File metadata

  • Download URL: sapl_flask-4.1.0.tar.gz
  • Upload date:
  • Size: 16.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for sapl_flask-4.1.0.tar.gz
Algorithm Hash digest
SHA256 fc8ea01b35d9c9e9d9f8e2af1ace923633f5816e6346771e0969f043093f5fd4
MD5 79aa1faafcffaae47dae24478805d08c
BLAKE2b-256 24034d77daee36111add4cadbe128464fd9e9677b102fb70d281db7a9834e3ae

File details

Details for the file sapl_flask-4.1.0-py3-none-any.whl.

File metadata

  • Download URL: sapl_flask-4.1.0-py3-none-any.whl
  • Upload date:
  • Size: 9.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for sapl_flask-4.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 7b1e1050f4d79c9227d3c9b57d30dbe1e477277d5656e71dfaee8d523797a06c
MD5 071b68d9612c5e1dbdfde782f782b127
BLAKE2b-256 c16a4c52de1a5e1ffeec6d50bb9130be40b579bd0ac68e01807c15979ffa63ae
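
Neither file was uploaded through Trusted Publishing, so the digests above are the only thing tying a download to this release. The following is an added example, not part of the page or the project, of checking a downloaded artifact against those SHA256 values and emitting the hash-pinned requirements entry that `pip install --require-hashes` enforces. The file written in `demo()` is a constructed stand-in, not the real archive, so it is expected to fail verification.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# SHA256 digests as listed on this page for the 4.1.0 release files.
RELEASE_SHA256 = {
    "sapl_flask-4.1.0.tar.gz":
        "fc8ea01b35d9c9e9d9f8e2af1ace923633f5816e6346771e0969f043093f5fd4",
    "sapl_flask-4.1.0-py3-none-any.whl":
        "7b1e1050f4d79c9227d3c9b57d30dbe1e477277d5656e71dfaee8d523797a06c",
}


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path: str, expected: dict = RELEASE_SHA256) -> bool:
    """True only if the file name is one of the published artifacts and its
    SHA256 equals the listed digest; an unknown file name is a failure."""
    digest = expected.get(Path(path).name)
    return digest is not None and hmac.compare_digest(sha256_of(path), digest)


def hash_pinned_requirement(project: str = "sapl-flask", version: str = "4.1.0",
                            hashes: dict = RELEASE_SHA256) -> str:
    """requirements.txt entry for `pip install --require-hashes`. pip accepts a
    file whose digest matches any one of the listed --hash values, so both the
    sdist and the wheel are pinned on one entry."""
    parts = [f"{project}=={version}"] + [f"--hash=sha256:{d}" for d in hashes.values()]
    return " \\\n    ".join(parts)


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in with the right file name but wrong content.
        fake = Path(tmp) / "sapl_flask-4.1.0.tar.gz"
        fake.write_bytes(b"abc")
        results = {
            "published_digest_matches": verify_artifact(str(fake)),
            "own_digest_matches": verify_artifact(str(fake), {fake.name: sha256_of(str(fake))}),
            "sha256": sha256_of(str(fake)),
        }
        unknown = fake.rename(Path(tmp) / "other.tar.gz")
        results["unknown_name_matches"] = verify_artifact(str(unknown))
    results["requirement"] = hash_pinned_requirement()
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Put the returned requirement line in requirements.txt and install with `pip install --require-hashes -r requirements.txt`; pip then refuses any distribution of sapl-flask, or of a dependency without its own pin, whose digest is not listed, which is the check you want when an index account rather than a CI identity signed off on the upload.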

