SAPL SQL_QUERY signal source and sql:queryRewriting provider for SQLAlchemy
Project description
sapl-sqlalchemy
SAPL signal source for SQLAlchemy. Contributes the SQL_QUERY signal and a
sql:queryRewriting constraint handler provider so a SAPL policy can shape the
relational queries an application issues, the same way sapl-pymongo
contributes MONGO_QUERY for MongoDB queries.
SQLAlchemy exposes a mutating query hook, the do_orm_execute event on the
Session. The cut point is therefore a listener on the ORM session that
discharges SQL_QUERY with the statement before it executes and applies the
rewritten statement. Registering the listener attaches to the Session class,
so it covers every session, including AsyncSession through its sync-session
proxy.
Obligation
SqlQueryRewritingProvider handles the sql:queryRewriting obligation (and its
relational:queryRewriting alias), mirroring the Spring provider so the same
obligation narrows identically on every SAPL SQL PEP. Narrowing-only (criteria
and conditions are AND-merged into the user's WHERE, never widening it):
{
"type": "sql:queryRewriting",
"criteria": [
{"column": "tenant_id", "op": "=", "value": 7},
{"or": [{"column": "owner_id", "op": "=", "value": "alice"},
{"column": "public", "op": "=", "value": true}]}
],
"conditions": ["status IN ('active', 'pending')"],
"columns": ["id", "name"]
}
criteria ops: =, !=, >, >=, <, <=, in, like, notLike,
isNull, isNotNull; and / or group nested criteria. conditions carries
raw SQL fragments for features the typed form cannot express (BETWEEN,
EXISTS, vendor functions), and columns narrows the projection. A statement
that cannot carry a WHERE clause, a raw text() statement, or a malformed
criterion fails closed.
Usage
from sapl_sqlalchemy import SqlQueryRewritingProvider, register_orm_listener
# At startup: register the ORM listener once (this also registers the shim with
# the planner, so a sql:queryRewriting obligation is admissible).
register_orm_listener()
# Register the provider with the EnforcementPlanner that backs your framework
# wrapper: providers=(SqlQueryRewritingProvider(),)
# In a @pre_enforce-protected handler, query through the ORM session as usual; a
# sql:queryRewriting obligation on the decision narrows the statement automatically.
Off-session access
Execution that bypasses the ORM session (SQLAlchemy Core engine.execute(), a
raw DBAPI cursor) never triggers the event, so no filter is applied. Once the
listener is registered the obligation is accepted, so off-session access is left
unfiltered rather than denied: you own row-level security manually for that path.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file sapl_sqlalchemy-4.1.0.tar.gz.
File metadata
- Download URL: sapl_sqlalchemy-4.1.0.tar.gz
- Upload date:
- Size: 13.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0f6ac1bc9fe93df2ee819a220e4cbdbc32f7dcf808cf45e8a065744c6e29f7c7
|
|
| MD5 |
cc79bc6e8d88c774a654043ea9157800
|
|
| BLAKE2b-256 |
3a36a8e05e31aea8e4b60ff3020742c2a99bbe59a34a7f518d85e7852772b744
|
File details
Details for the file sapl_sqlalchemy-4.1.0-py3-none-any.whl.
File metadata
- Download URL: sapl_sqlalchemy-4.1.0-py3-none-any.whl
- Upload date:
- Size: 7.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
8b5f549ca65d30f972332547badc0bbe66fcdf0287a5b748b5c6e00f1f551646
|
|
| MD5 |
41a1ba6944ef081e9078bf4b20d1e7f7
|
|
| BLAKE2b-256 |
67bc477320590794dc60ed915b5e38822af70cea6cb6415aebeecf445122eebc
|