
SAPL SQL_QUERY signal source and sql:queryRewriting provider for SQLAlchemy

Project description

sapl-sqlalchemy

SAPL signal source for SQLAlchemy. Contributes the SQL_QUERY signal and a sql:queryRewriting constraint handler provider so a SAPL policy can shape the relational queries an application issues, the same way sapl-pymongo contributes MONGO_QUERY for MongoDB queries.

SQLAlchemy exposes one hook that can replace a statement before it runs: the do_orm_execute event on the Session. The cut point is therefore a listener on the ORM session that discharges SQL_QUERY with the pending statement and swaps in the rewritten statement before execution. The listener is attached to the Session class rather than to an instance, so it covers every session, including AsyncSession, which proxies through a synchronous Session.

Obligation

SqlQueryRewritingProvider handles the sql:queryRewriting obligation (and its relational:queryRewriting alias), mirroring the Spring provider so that the same obligation narrows identically on every SAPL SQL PEP. Rewriting is narrowing-only: criteria and conditions are AND-merged into the caller's WHERE clause, with the caller's own predicate kept as one conjunct, so the result set can only shrink and never widen:

{
  "type": "sql:queryRewriting",
  "criteria": [
    {"column": "tenant_id", "op": "=", "value": 7},
    {"or": [{"column": "owner_id", "op": "=", "value": "alice"},
            {"column": "public", "op": "=", "value": true}]}
  ],
  "conditions": ["status IN ('active', 'pending')"],
  "columns": ["id", "name"]
}

criteria ops: =, !=, >, >=, <, <=, in, like, notLike, isNull, isNotNull; and / or group nested criteria. conditions carries raw SQL fragments for features the typed form cannot express (BETWEEN, EXISTS, vendor functions), and columns narrows the projection. Because a condition is spliced into the statement verbatim, treat it as policy-authored text: never assemble it from subject- or request-supplied strings, or the obligation itself becomes an injection vector. A statement that cannot carry a WHERE clause, a raw text() statement, or a malformed criterion fails closed: the access is denied rather than the statement running unnarrowed.

Usage

from sapl_sqlalchemy import SqlQueryRewritingProvider, register_orm_listener

# At startup: register the ORM listener once (this also registers the shim with
# the planner, so a sql:queryRewriting obligation is admissible).
register_orm_listener()

# Register the provider with the EnforcementPlanner that backs your framework
# wrapper: providers=(SqlQueryRewritingProvider(),)

# In a @pre_enforce-protected handler, query through the ORM session as usual; a
# sql:queryRewriting obligation on the decision narrows the statement automatically.

Off-session access

Execution that bypasses the ORM session (SQLAlchemy Core via engine.connect() or engine.execute(), a raw DBAPI cursor) never fires do_orm_execute, so nothing is narrowed. Registering the listener makes the obligation admissible, so the planner does not deny those paths either: off-session access runs unfiltered rather than being refused, and row-level security on that path is yours to enforce, for example in the database itself.
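The following is an added example, not code from sapl-sqlalchemy, showing what the Obligation and Off-session access sections describe: the README's obligation is compiled into parameterized predicates that are AND-merged into the caller's WHERE, the projection is cut down to the listed columns, and anything malformed (unknown column, unsupported op, empty group, a raw statement) raises instead of running the query unnarrowed. It runs on the standard-library sqlite3 module rather than through SQLAlchemy's do_orm_execute hook; the query dict, the names compile_criterion, narrow, RewriteRefused, is_refused and demo, and the rows in ROWS are all constructed for this illustration. demo() runs the same caller query twice on the same connection, once as a raw cursor would (the off-session path) and once narrowed, so the difference in row count is visible.

```python
import sqlite3

# Typed criterion ops from the obligation, mapped to SQL; anything else is refused.
ALLOWED_OPS = {"=": "=", "!=": "!=", ">": ">", ">=": ">=", "<": "<", "<=": "<=",
               "in": "IN", "like": "LIKE", "notLike": "NOT LIKE",
               "isNull": "IS NULL", "isNotNull": "IS NOT NULL"}

class RewriteRefused(Exception):
    """The obligation cannot be honoured, so the PEP must deny (fail closed)."""

def compile_criterion(crit, columns, params):
    """One criterion or and/or group -> SQL predicate. Values are bound through
    `params`, never interpolated; column names must be in the `columns` whitelist."""
    if not isinstance(crit, dict) or not crit:
        raise RewriteRefused(f"malformed criterion: {crit!r}")
    if "and" in crit or "or" in crit:
        key = "and" if "and" in crit else "or"
        if len(crit) != 1 or not isinstance(crit[key], list) or not crit[key]:
            raise RewriteRefused(f"malformed group: {crit!r}")
        parts = [compile_criterion(m, columns, params) for m in crit[key]]
        return "(" + (" AND " if key == "and" else " OR ").join(parts) + ")"
    column, op = crit.get("column"), crit.get("op")
    if column not in columns or not isinstance(op, str) or op not in ALLOWED_OPS:
        raise RewriteRefused(f"bad column or op: {crit!r}")
    if op in ("isNull", "isNotNull"):
        return f'"{column}" {ALLOWED_OPS[op]}'
    if "value" not in crit:
        raise RewriteRefused(f"missing value: {crit!r}")
    if op == "in":
        if not isinstance(crit["value"], list) or not crit["value"]:
            raise RewriteRefused("'in' needs a non-empty list")
        params.extend(crit["value"])
        return f'"{column}" IN ({", ".join("?" * len(crit["value"]))})'
    params.append(crit["value"])
    return f'"{column}" {ALLOWED_OPS[op]} ?'

def narrow(query, obligation, columns):
    """AND-merge the obligation into `query` (dict: select, table, where, params).
    The caller's WHERE stays as one conjunct, so the result can only shrink."""
    if obligation.get("type") not in ("sql:queryRewriting", "relational:queryRewriting"):
        raise RewriteRefused("not a query-rewriting obligation")
    if query.get("raw"):  # a text() statement has no WHERE to merge into
        raise RewriteRefused("raw SQL statement cannot be rewritten")
    conjuncts, new_params = [], []
    if query.get("where"):
        conjuncts.append("(" + query["where"] + ")")
    for crit in obligation.get("criteria", []):
        conjuncts.append(compile_criterion(crit, columns, new_params))
    for cond in obligation.get("conditions", []):
        # Raw fragment spliced verbatim: policy-authored text only, never built
        # from subject- or request-supplied strings.
        if not isinstance(cond, str) or not cond.strip():
            raise RewriteRefused(f"malformed condition: {cond!r}")
        conjuncts.append("(" + cond + ")")
    select = list(query["select"])
    if "columns" in obligation:
        keep = obligation["columns"]
        if not isinstance(keep, list) or any(c not in columns for c in keep):
            raise RewriteRefused("malformed projection")
        select = [c for c in select if c in keep]  # a projection can only shrink
        if not select:
            raise RewriteRefused("projection narrowed to nothing")
    return {"select": select, "table": query["table"],
            "where": " AND ".join(conjuncts) or None,
            "params": list(query.get("params", [])) + new_params}

def to_sql(query):
    cols = ", ".join(f'"{c}"' for c in query["select"])
    where = f' WHERE {query["where"]}' if query["where"] else ""
    return f'SELECT {cols} FROM "{query["table"]}"{where} ORDER BY "id"'

def is_refused(query, obligation, columns):
    """True when the rewrite fails closed for this query/obligation pair."""
    try:
        narrow(query, obligation, columns)
        return False
    except RewriteRefused:
        return True

# Constructed sample schema, rows, caller query, and the README's obligation as a dict.
COLUMNS = ("id", "tenant_id", "owner_id", "public", "status", "name")
ROWS = [(1, 7, "alice", 0, "active", "alice-private"), (2, 7, "bob", 1, "active", "bob-public"),
        (3, 7, "bob", 0, "active", "bob-private"), (4, 7, "alice", 0, "archived", "alice-old"),
        (5, 8, "alice", 1, "active", "other-tenant")]
OBLIGATION = {"type": "sql:queryRewriting",
              "criteria": [{"column": "tenant_id", "op": "=", "value": 7},
                           {"or": [{"column": "owner_id", "op": "=", "value": "alice"},
                                   {"column": "public", "op": "=", "value": True}]}],
              "conditions": ["status IN ('active', 'pending')"],
              "columns": ["id", "name"]}
USER_QUERY = {"select": ["id", "name", "owner_id"], "table": "documents",
              "where": '"status" != ?', "params": ["deleted"]}

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, tenant_id INTEGER,"
               " owner_id TEXT, public INTEGER, status TEXT, name TEXT)")
    db.executemany("INSERT INTO documents VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    return db

def demo():
    """Returns (rows a raw cursor sees, rows the narrowed statement sees)."""
    db = make_db()
    bypassed = db.execute(to_sql(USER_QUERY), USER_QUERY["params"]).fetchall()
    q = narrow(USER_QUERY, OBLIGATION, COLUMNS)
    return bypassed, db.execute(to_sql(q), q["params"]).fetchall()

if __name__ == "__main__":
    print(to_sql(narrow(USER_QUERY, OBLIGATION, COLUMNS)))
    print(*demo(), sep="\n")
```

The raw cursor returns all five constructed rows; the narrowed statement returns only the two rows that are in tenant 7, are alice's or public, and are active, projected to id and name. Note how the caller's predicate is wrapped in parentheses before the AND-merge: without that, a caller WHERE containing OR would let the policy's conjuncts bind to only one branch.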

Download files


Source Distribution

sapl_sqlalchemy-4.1.0.tar.gz (13.4 kB)

Built Distribution

sapl_sqlalchemy-4.1.0-py3-none-any.whl (7.9 kB)

File details

Details for the file sapl_sqlalchemy-4.1.0.tar.gz.

File metadata

  • Download URL: sapl_sqlalchemy-4.1.0.tar.gz
  • Size: 13.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for sapl_sqlalchemy-4.1.0.tar.gz
Algorithm Hash digest
SHA256 0f6ac1bc9fe93df2ee819a220e4cbdbc32f7dcf808cf45e8a065744c6e29f7c7
MD5 cc79bc6e8d88c774a654043ea9157800
BLAKE2b-256 3a36a8e05e31aea8e4b60ff3020742c2a99bbe59a34a7f518d85e7852772b744


File details

Details for the file sapl_sqlalchemy-4.1.0-py3-none-any.whl.

File hashes

Hashes for sapl_sqlalchemy-4.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 8b5f549ca65d30f972332547badc0bbe66fcdf0287a5b748b5c6e00f1f551646
MD5 41a1ba6944ef081e9078bf4b20d1e7f7
BLAKE2b-256 67bc477320590794dc60ed915b5e38822af70cea6cb6415aebeecf445122eebc

