SAPL MONGO_QUERY signal source and mongo:queryRewriting provider for PyMongo

Project description

sapl-pymongo

SAPL signal source for PyMongo. Contributes the MONGO_QUERY signal and a mongo:queryRewriting constraint handler provider so a SAPL policy can shape the MongoDB queries an application issues, the same way sapl-sqlalchemy contributes SQL_QUERY for relational queries.

PyMongo's driver-monitoring API is observe-only, so there is no central mutating query hook. The cut point is therefore a thin proxy over the collection's query-issuing methods (find, find_one, aggregate, count_documents, update_*, delete_*). Each wrapped call discharges MONGO_QUERY with the structured query (a filter mapping or an aggregation pipeline) before delegating to the driver. A synchronous proxy backs the blocking enforcement path (Flask, sync Django); an asynchronous proxy backs the async path (FastAPI, Tornado, async Django).

Obligation

MongoDbQueryRewritingProvider handles the mongo:queryRewriting obligation, mirroring the Spring provider so the same obligation narrows identically on every SAPL Mongo PEP. The obligation has two shapes, criteria and conditions, which can be combined and are narrowing-only (both are AND-merged into the user's filter, never widening it):

{
  "type": "mongo:queryRewriting",
  "criteria": [
    {"column": "tenantId", "op": "=", "value": 7},
    {"or": [{"column": "ownerId", "op": "=", "value": "alice"},
            {"column": "public", "op": "=", "value": true}]}
  ],
  "conditions": ["{\"age\": {\"$gte\": 18}}"]
}

criteria supports the ops =, !=, >, >=, <, <=, in, isNull and isNotNull; and / or group nested criteria. conditions carries raw filter fragments for operators the typed form cannot express ($regex, $exists, $geoWithin); for cross-PEP portability, each string must be double-quoted (extended) JSON. This contract cannot express an aggregation pipeline, so a pipeline intercept fails closed, as does a malformed condition.
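
The narrowing-only merge and the two fail-closed cases described above, as an added sketch that is not sapl-pymongo's own code. The operator mapping, the RewriteDenied exception and the function names are assumptions, and plain json stands in for an extended-JSON parser such as bson.json_util.

```python
import json

# Assumed mapping of the typed ops to MongoDB operators (not taken from the project).
OPS = {"=": "$eq", "!=": "$ne", ">": "$gt", ">=": "$gte",
       "<": "$lt", "<=": "$lte", "in": "$in"}
NULL_OPS = {"isNull": "$eq", "isNotNull": "$ne"}


class RewriteDenied(Exception):
    """Fail closed: the query must not reach the driver."""


def criterion_to_filter(c):
    """Translate one typed criterion, or an and/or group, into a filter document."""
    if not isinstance(c, dict):
        raise RewriteDenied(f"malformed criterion: {c!r}")
    for group in ("and", "or"):
        if group in c:
            if not isinstance(c[group], list) or not c[group]:
                raise RewriteDenied(f"empty or malformed {group} group")
            return {"$" + group: [criterion_to_filter(x) for x in c[group]]}
    column, op = c.get("column"), c.get("op")
    if not isinstance(column, str) or not isinstance(op, str) or column[:1] in ("", "$"):
        raise RewriteDenied(f"bad column or op in criterion: {c!r}")
    if op in NULL_OPS:
        return {column: {NULL_OPS[op]: None}}
    if op not in OPS or "value" not in c:
        raise RewriteDenied(f"unsupported criterion: {c!r}")
    return {column: {OPS[op]: c["value"]}}


def narrow(user_query, obligation):
    """AND-merge the obligation into the caller's filter, or raise RewriteDenied."""
    if not isinstance(user_query, dict):  # e.g. an aggregation pipeline (a list)
        raise RewriteDenied("only a filter mapping can be rewritten")
    parts = [criterion_to_filter(c) for c in obligation.get("criteria", [])]
    for raw in obligation.get("conditions", []):
        try:
            fragment = json.loads(raw)
        except (TypeError, ValueError) as exc:
            raise RewriteDenied(f"malformed condition: {raw!r}") from exc
        if not isinstance(fragment, dict):
            raise RewriteDenied(f"condition is not a filter document: {raw!r}")
        parts.append(fragment)
    # Keeping the caller's filter as its own $and conjunct means a caller-supplied
    # key or top-level $or cannot override or widen the policy's constraints.
    conjuncts = ([user_query] if user_query else []) + parts
    return {"$and": conjuncts} if conjuncts else {}
```

Merging by dictionary update instead of `$and` would let a policy key and a caller key on the same field overwrite one another, which is why the caller's filter is kept as a separate conjunct.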

Usage

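from pymongo import MongoClient
from sapl_pymongo import MongoDbQueryRewritingProvider, wrap_collection

# Placeholder connection and database name; use your application's own.
database = MongoClient()["app"]

# At startup: wrap each collection once (this also registers the shim with the planner).
widgets = wrap_collection(database["widgets"])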

# Register the provider with the EnforcementPlanner that backs your framework wrapper.
# providers=(MongoDbQueryRewritingProvider(),)

# In a @pre_enforce-protected handler, query the wrapped collection as usual; a
# mongo:queryRewriting obligation on the decision narrows the filter automatically.

Download files

Source Distribution

sapl_pymongo-4.1.0.tar.gz (13.8 kB)

Uploaded Source

Built Distribution

sapl_pymongo-4.1.0-py3-none-any.whl (8.2 kB)

Uploaded Python 3

File details

Details for the file sapl_pymongo-4.1.0.tar.gz.

File metadata

  • Download URL: sapl_pymongo-4.1.0.tar.gz
  • Upload date:
  • Size: 13.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for sapl_pymongo-4.1.0.tar.gz
Algorithm Hash digest
SHA256 40bed79c99f2577456b43752db1e3a4284a2a532e5d959b4a1ac79743f61f006
MD5 73db0a193c0fbf098377712c9bf6f087
BLAKE2b-256 9751c510e871641a8ce0f4b006f6a841e38d1e5fe663bcab7f7d0e401efba18d

File details

Details for the file sapl_pymongo-4.1.0-py3-none-any.whl.

File metadata

  • Download URL: sapl_pymongo-4.1.0-py3-none-any.whl
  • Upload date:
  • Size: 8.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for sapl_pymongo-4.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 a443d76bc128107d9e1eb9c3cb5d18739ab315361b7221bbdad5d5612fdda63d
MD5 eae44266248206fcdf06a9dbf757b829
BLAKE2b-256 55e67d5984107b797be44371b64b6e09c5f048ec9724fdae48fce89397247dae
