SAPL Policy Enforcement Point (PEP) integration for Tornado

Project description

sapl-tornado

Policy-based authorization for Tornado. Write access control rules as external SAPL policy files and enforce them at runtime through decorators like @pre_enforce and @post_enforce. Policies can be updated without code changes or redeployment.

Built on sapl-base and the SAPL 4.1 enforcement model: planner-driven constraint handling, the SUSPEND decision verb, an optional RSocket transport, and transaction rollback on post-write denial. Data-layer query rewriting is available via sapl-sqlalchemy (SQL) and sapl-pymongo (MongoDB).

How It Works

Your application decorates handler methods with enforcement decorators. SAPL intercepts the call, sends an authorization subscription to the Policy Decision Point (PDP), and enforces the decision, including any obligations or advice the policy attaches.

import tornado.web
from sapl_tornado import pre_enforce  # import path assumed here; check the project documentation

class PatientHandler(tornado.web.RequestHandler):
    @pre_enforce(action="read", resource="patient")
    async def get(self, patient_id):
        return {"id": patient_id, "name": "Jane Doe", "ssn": "123-45-6789"}

A matching SAPL policy:

policy "permit doctors to read patient data"
permit
  action == "read";
  "DOCTOR" in subject.roles

If the PDP permits, the handler runs. If not, HTTP 403 is returned. If the decision carries obligations (like access logging or field redaction), they are enforced automatically through registered constraint handlers.

What You Get

SAPL goes beyond simple permit/deny. Decisions can carry obligations that must be fulfilled, advice that should be attempted, and resource transformations that modify return values before they reach the caller. The library handles all of this transparently.

For SSE endpoints, the single stream_enforce decorator maintains a live connection to the PDP, so access rights update in real time as policies, attributes, or the environment change. Built-in constraint handlers cover JSON field redaction and collection filtering. Writing custom handlers follows a simple registration pattern with register_provider.

Database Transactions

If you configure a transaction provider, a denial that lands after the handler has written to the database rolls the transaction back. Three triggers cause a rollback: a post_enforce DENY, a post_enforce output-obligation failure, and a pre_enforce output-obligation failure (the pre-decision permits, but its output obligations run after the method writes). A clean permit commits. It is opt-in: with no provider set, the PEP owns no transaction.

With an async SQLAlchemy session, pass session.begin() directly:

from sapl_tornado.dependencies import set_transaction_provider

set_transaction_provider(lambda: get_current_session().begin())

The factory should resolve the current request's session. For a sync session or transaction.atomic, wrap it with from_sync_context from sapl_base.pep.
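The following is an added, self-contained model of the enforcement flow the sections above describe: a pre-decision that gates the handler, a post-decision that judges the handler's return value, output obligations fulfilled by registered constraint handlers (here JSON field redaction), and transaction rollback when a denial or an unfulfillable obligation lands after the handler has run. It is illustration only, not sapl-tornado's or sapl-base's code; every name in it (Decision, toy_pdp, CONSTRAINT_HANDLERS, enforce_pre, enforce_post, tracking_transaction, run_all) belongs to this model, the policy rules and obligation shapes ("redactFields", "logAccess") are constructed, and tracking_transaction stands in for the session.begin() context manager a real transaction provider would return. It exercises two of the three rollback triggers named above directly (a post_enforce DENY and a pre_enforce output-obligation failure); the third, a post_enforce output-obligation failure, takes the same path through apply_output_obligations inside the open transaction.

```python
"""Toy model of pre/post enforcement with output obligations and rollback.
Added illustration, not sapl-tornado's or sapl-base's code; all names are this
model's own and the sample rules, records and obligation shapes are constructed."""
import asyncio
import contextlib
from dataclasses import dataclass, field
from typing import Any

@dataclass
class Decision:
    verb: str                                        # "PERMIT" or "DENY"
    obligations: list = field(default_factory=list)  # each {"type": ..., ...}

def toy_pdp(subject: dict, action: str, resource: Any) -> Decision:
    """Stand-in PDP with constructed rules (not the README's policy)."""
    roles = subject.get("roles", [])
    if action == "write" and "DOCTOR" in roles:
        # post_enforce hands the handler's return value in as the resource, so a
        # write that produced an archived record can be refused after the fact.
        return Decision("DENY" if isinstance(resource, dict) and resource.get("archived") else "PERMIT")
    if action == "read" and "DOCTOR" in roles:
        return Decision("PERMIT")
    if action == "read" and "NURSE" in roles:    # permit, but redact the SSN on the way out
        return Decision("PERMIT", [{"type": "redactFields", "fields": ["ssn"]}])
    if action == "read" and "AUDITOR" in roles:  # permit with an obligation no handler covers
        return Decision("PERMIT", [{"type": "logAccess"}])
    return Decision("DENY")

# Constraint handler registry: obligation type -> handler(value, obligation) -> new value
CONSTRAINT_HANDLERS = {
    "redactFields": lambda v, ob: {k: "***" if k in ob["fields"] else x for k, x in v.items()},
}

def apply_output_obligations(value: Any, decision: Decision) -> Any:
    """An obligation with no registered handler cannot be fulfilled, so the
    access is refused even though the decision verb was PERMIT."""
    for ob in decision.obligations:
        handler = CONSTRAINT_HANDLERS.get(ob["type"])
        if handler is None:
            raise PermissionError(f"unfulfillable obligation: {ob['type']}")
        value = handler(value, ob)
    return value

@contextlib.asynccontextmanager
async def tracking_transaction(log: list):
    """Plays the role of session.begin(): commit on clean exit, rollback on error."""
    try:
        yield
    except Exception:
        log.append("rollback")
        raise
    log.append("commit")

async def enforce_pre(subject, action, resource, handler, tx_provider, pdp=toy_pdp):
    """@pre_enforce: decide first, run the handler only on PERMIT, then apply the
    output obligations inside the transaction so a failure rolls it back."""
    decision = pdp(subject, action, resource)
    if decision.verb != "PERMIT":
        raise PermissionError("403: denied before the handler ran")
    async with tx_provider():
        return apply_output_obligations(await handler(), decision)

async def enforce_post(subject, action, handler, tx_provider, pdp=toy_pdp):
    """@post_enforce: run the handler, then decide on what it returned."""
    async with tx_provider():
        result = await handler()
        decision = pdp(subject, action, result)
        if decision.verb != "PERMIT":
            raise PermissionError("403: denied after the write")  # raised inside the tx -> rollback
        return apply_output_obligations(result, decision)

async def attempt(coro):
    """Map a denial to the 403 the PEP would send, so outcomes can be compared."""
    try:
        return await coro
    except PermissionError:
        return "403"

async def run_scenarios() -> dict:
    tx_log: list = []
    provider = lambda: tracking_transaction(tx_log)
    record = {"id": 7, "name": "Jane Doe", "ssn": "123-45-6789"}  # constructed sample row
    async def read():
        return dict(record)
    async def write_archived():
        return {"id": 7, "archived": True}
    out = {}
    for name, roles in [("doctor_read", ["DOCTOR"]), ("nurse_read", ["NURSE"]),
                        ("guest_read", []), ("auditor_read", ["AUDITOR"])]:
        out[name] = await attempt(enforce_pre({"roles": roles}, "read", "patient", read, provider))
    out["archived_write"] = await attempt(enforce_post({"roles": ["DOCTOR"]}, "write", write_archived, provider))
    out["transactions"] = list(tx_log)  # one entry per transaction the PEP actually opened
    return out

def run_all() -> dict:
    return asyncio.run(run_scenarios())
```

Running run_all() shows the four outcomes side by side: the doctor's read commits untouched, the nurse's read commits with the SSN redacted, the guest is refused before any transaction is opened, and both the auditor's unfulfillable obligation and the archived write end in a rollback rather than a commit.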

Getting Started

pip install sapl-tornado

Then point the library at your PDP before the application starts:

import tornado.ioloop
import tornado.web
from sapl_tornado import SaplConfig
from sapl_tornado.dependencies import configure_sapl, cleanup_sapl

configure_sapl(SaplConfig(base_url="https://localhost:8443"))

app = tornado.web.Application([...])
app.listen(8888)
tornado.ioloop.IOLoop.current().start()

For setup instructions, configuration options, the constraint handler reference, and the full API, see the Tornado documentation.

License

Apache-2.0

Download files

Source Distribution

sapl_tornado-4.1.0.tar.gz (14.8 kB)

Uploaded Source

Built Distribution

sapl_tornado-4.1.0-py3-none-any.whl (7.9 kB)

Uploaded Python 3

File details

Details for the file sapl_tornado-4.1.0.tar.gz.

File metadata

  • Download URL: sapl_tornado-4.1.0.tar.gz
  • Upload date:
  • Size: 14.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for sapl_tornado-4.1.0.tar.gz

  • SHA256: d88114cf4affb4eb6d49dbebbe70ed5b29faf3427faf2626430a55eecbba51cd
  • MD5: ed0a4fce90ebf1d8a0775298fc371acb
  • BLAKE2b-256: cc9cffe0f3da933992daeb6a71c6826d9d8fd978a813ab27dde4a8b857b29935

File details

Details for the file sapl_tornado-4.1.0-py3-none-any.whl.

File metadata

  • Download URL: sapl_tornado-4.1.0-py3-none-any.whl
  • Upload date:
  • Size: 7.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for sapl_tornado-4.1.0-py3-none-any.whl

  • SHA256: 91f7ab2f1a35509fbe3d4ac217e355752faf1ebf142a59e3094be2c08db2bc10
  • MD5: b9b22158f8c460120e95f1ba1b6cebc0
  • BLAKE2b-256: 39c9cc567248e0e2f63ed84e2610ffc9c17f3d76311745634477596033e24b03
