SAPL MONGO_QUERY signal source and mongo:queryRewriting provider for PyMongo
Project description
sapl-pymongo
SAPL signal source for PyMongo. Contributes the MONGO_QUERY signal and a
mongo:queryRewriting constraint handler provider so a SAPL policy can shape
the MongoDB queries an application issues, the same way sapl-sqlalchemy
contributes SQL_QUERY for relational queries.
PyMongo's driver-monitoring API is observe-only, so there is no central mutating
query hook. The cut point is therefore a thin proxy over the collection's
query-issuing methods (find, find_one, aggregate, count_documents,
update_*, delete_*). Each wrapped call discharges MONGO_QUERY with the
structured query (a filter mapping or an aggregation pipeline) before delegating
to the driver. A synchronous proxy backs the blocking enforcement path (Flask,
sync Django); an asynchronous proxy backs the async path (FastAPI, Tornado,
async Django).
Obligation
MongoDbQueryRewritingProvider handles the mongo:queryRewriting obligation,
mirroring the Spring provider so the same obligation narrows identically on every SAPL
Mongo PEP. Two shapes, combinable, narrowing-only (criteria and conditions are AND-merged
into the user's filter, never widening it):
```json
{
  "type": "mongo:queryRewriting",
  "criteria": [
    {"column": "tenantId", "op": "=", "value": 7},
    {"or": [{"column": "ownerId", "op": "=", "value": "alice"},
            {"column": "public", "op": "=", "value": true}]}
  ],
  "conditions": ["{\"age\": {\"$gte\": 18}}"]
}
```
criteria ops: =, !=, >, >=, <, <=, in, isNull, isNotNull; and / or
group nested criteria. conditions carries raw filter fragments for operators the typed
form cannot express ($regex, $exists, $geoWithin); for cross-PEP portability the
strings must be double-quoted (extended) JSON. An aggregation pipeline cannot be expressed
by this contract, so a pipeline intercept fails closed, as does a malformed condition.
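An added example, not sapl-pymongo's own code, of how a narrowing-only AND-merge of this obligation can work, failing closed on a pipeline or a malformed condition. The names `narrow`, `criterion`, `RewriteError` and `OPS`, and the mapping of criteria ops to MongoDB operators, are assumptions.

```python
import json

# Assumed op-to-operator mapping (illustrative, not read from sapl-pymongo).
OPS = {"=": "$eq", "!=": "$ne", ">": "$gt", ">=": "$gte",
       "<": "$lt", "<=": "$lte", "in": "$in"}


class RewriteError(Exception):
    """Hypothetical error type: the caller denies the request (fail closed)."""


def criterion(c):
    """Translate one typed criterion or and/or group into a Mongo filter."""
    if not isinstance(c, dict):
        raise RewriteError("criterion must be an object")
    for group in ("and", "or"):
        if group in c:
            if not isinstance(c[group], list) or not c[group]:
                raise RewriteError(f"malformed {group} group")
            return {"$" + group: [criterion(n) for n in c[group]]}
    column, op = c.get("column"), c.get("op")
    if not isinstance(column, str) or not column or column.startswith("$"):
        raise RewriteError("bad column name")
    if op in ("isNull", "isNotNull"):
        return {column: {"$eq" if op == "isNull" else "$ne": None}}
    if op not in OPS or "value" not in c:
        raise RewriteError(f"unsupported criterion: {c!r}")
    return {column: {OPS[op]: c["value"]}}


def narrow(user_query, obligation):
    """AND-merge the obligation into user_query; raise instead of guessing."""
    if not isinstance(user_query, dict):  # e.g. an aggregation pipeline (list)
        raise RewriteError("only filter mappings can be rewritten")
    clauses = [criterion(c) for c in obligation.get("criteria", [])]
    for raw in obligation.get("conditions", []):
        try:
            fragment = json.loads(raw)
        except (TypeError, ValueError) as exc:
            raise RewriteError("malformed condition") from exc
        if not isinstance(fragment, dict):
            raise RewriteError("condition must be a JSON object")
        clauses.append(fragment)
    # The user's filter stays one operand of $and, so a top-level $or or a
    # duplicate key in it cannot override the policy clauses.
    parts = ([user_query] if user_query else []) + clauses
    return {"$and": parts} if clauses else dict(user_query)


# Constructed sample: a user filter that tries to reach another tenant.
USER_FILTER = {"$or": [{"color": "red"}, {"tenantId": 9}]}
```

Calling `narrow(USER_FILTER, obligation)` with the obligation shown above keeps the user's `$or` as a single `$and` operand beside the policy clauses, so the `tenantId: 9` branch can only match documents that also satisfy `tenantId = 7`.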
Usage
```python
from sapl_pymongo import MongoDbQueryRewritingProvider, wrap_collection

# At startup: wrap each collection once (this also registers the shim with the planner).
widgets = wrap_collection(database["widgets"])

# Register the provider with the EnforcementPlanner that backs your framework wrapper.
#   providers=(MongoDbQueryRewritingProvider(),)

# In a @pre_enforce-protected handler, query the wrapped collection as usual; a
# mongo:queryRewriting obligation on the decision narrows the filter automatically.
```
File details
Details for the file sapl_pymongo-4.1.0.tar.gz.
File metadata
- Download URL: sapl_pymongo-4.1.0.tar.gz
- Upload date:
- Size: 13.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 40bed79c99f2577456b43752db1e3a4284a2a532e5d959b4a1ac79743f61f006 |
| MD5 | 73db0a193c0fbf098377712c9bf6f087 |
| BLAKE2b-256 | 9751c510e871641a8ce0f4b006f6a841e38d1e5fe663bcab7f7d0e401efba18d |
File details
Details for the file sapl_pymongo-4.1.0-py3-none-any.whl.
File metadata
- Download URL: sapl_pymongo-4.1.0-py3-none-any.whl
- Upload date:
- Size: 8.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | a443d76bc128107d9e1eb9c3cb5d18739ab315361b7221bbdad5d5612fdda63d |
| MD5 | eae44266248206fcdf06a9dbf757b829 |
| BLAKE2b-256 | 55e67d5984107b797be44371b64b6e09c5f048ec9724fdae48fce89397247dae |