Policy document evaluator plugin for Spakky auth
spakky-policy
spakky-policy loads YAML, TOML, and JSON policy documents into a typed canonical model. It evaluates spakky-auth's RBAC, PBAC, and ABAC-style authorization rules as a provider contribution.
Installation
```bash
pip install spakky-auth spakky-policy spakky-fastapi
```
Usage
When SPAKKY_POLICY_DOCUMENT_PATH points to a YAML, TOML, or JSON document, the plugin loads that document as a DI-managed PolicyDocument. If the path is not set, the plugin registers an empty policy document so that authorization requests are safely denied.
```python
from fastapi import FastAPI
from spakky.auth import protected, require_policy
from spakky.core.application.application import SpakkyApplication
from spakky.core.application.application_context import ApplicationContext
from spakky.plugins.fastapi.routes import get
from spakky.plugins.fastapi.stereotypes.api_controller import ApiController

# Plugin packages are imported so their PLUGIN_NAME constants can be referenced below.
import spakky.auth
import spakky.plugins.fastapi
import spakky.plugins.policy


@ApiController("/articles")
class ArticleController:
    @get("/{article_id}")
    # Policy check for action "article:read" on resource "article:1".
    @require_policy(resource="article:1", action="article:read")
    @protected
    def read(self, article_id: str) -> dict[str, str]:
        return {"id": article_id}


app = (
    SpakkyApplication(ApplicationContext())
    .load_plugins(
        include={
            spakky.auth.PLUGIN_NAME,
            spakky.plugins.fastapi.PLUGIN_NAME,
            spakky.plugins.policy.PLUGIN_NAME,
        }
    )
    .add(ArticleController)
    .start()
)

# Resolve the FastAPI instance from the DI container.
api = app.container.get(FastAPI)
```
Policy semantics
- An explicit deny statement takes precedence over a matching allow statement.
- If there is no matching allow statement, default deny evidence is returned.
- Conditions support `all`, `any`, `not` composition and the `equals`, `not_equals`, `in`, `contains`, `exists` atomic operators.
- resource, action, and tenant refs are canonical strings that come from decorator metadata, `AuthContext`, resolver output, or a provider-neutral `AuthorizationRequest`.
- Named policies are the OR/ANY user-facing surface. MCP/tool authorization, a generic policy API, a policy UI, and authorized data filtering are outside the scope of this package.
License
MIT
File details
Details for the file spakky_policy-6.9.1.tar.gz.
File metadata
- Download URL: spakky_policy-6.9.1.tar.gz
- Upload date:
- Size: 9.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | f2db6ebeaa41d6da0bce14454c01022ea2ef032897534e5390466aa29ec92ac3 |
| MD5 | 833652a41fd09e37824796fb8b99661b |
| BLAKE2b-256 | c1265b858a284a72782fa58d33b205cf12a7893a7c399eb7439583b1998b8112 |
Provenance
The following attestation bundles were made for spakky_policy-6.9.1.tar.gz:
Publisher: release.yml on E5presso/spakky-framework
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: spakky_policy-6.9.1.tar.gz
  - Subject digest: f2db6ebeaa41d6da0bce14454c01022ea2ef032897534e5390466aa29ec92ac3
- Sigstore transparency entry: 1878702936
- Sigstore integration time:
- Permalink: E5presso/spakky-framework@0733054672a6e1998d9777c17f06cbad6514015e
- Branch / Tag: refs/heads/main
- Owner: https://github.com/E5presso
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@0733054672a6e1998d9777c17f06cbad6514015e
- Trigger Event: workflow_dispatch
File details
Details for the file spakky_policy-6.9.1-py3-none-any.whl.
File metadata
- Download URL: spakky_policy-6.9.1-py3-none-any.whl
- Upload date:
- Size: 13.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | e20bde62b3369c4bb46b01bf3ddb75548e408d93cf8ddd8351db584313a7e4d0 |
| MD5 | f1f3e9e8e26446e946b6a6ef0179e516 |
| BLAKE2b-256 | eb5dd071313a05c5afd068f58e1b3d4926fcabb79e6fbe6ff8155d67fcdfafcd |
Provenance
The following attestation bundles were made for spakky_policy-6.9.1-py3-none-any.whl:
Publisher: release.yml on E5presso/spakky-framework
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: spakky_policy-6.9.1-py3-none-any.whl
  - Subject digest: e20bde62b3369c4bb46b01bf3ddb75548e408d93cf8ddd8351db584313a7e4d0
- Sigstore transparency entry: 1878703103
- Sigstore integration time:
- Permalink: E5presso/spakky-framework@0733054672a6e1998d9777c17f06cbad6514015e
- Branch / Tag: refs/heads/main
- Owner: https://github.com/E5presso
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@0733054672a6e1998d9777c17f06cbad6514015e
- Trigger Event: workflow_dispatch