py_abac package

Subpackages

- py_abac.policy package
  - Subpackages
    - py_abac.policy.conditions package
      - Subpackages
        - py_abac.policy.conditions.attribute package
          - Submodules
            - py_abac.policy.conditions.attribute.all_in module
            - py_abac.policy.conditions.attribute.all_not_in module
            - py_abac.policy.conditions.attribute.any_in module
            - py_abac.policy.conditions.attribute.any_not_in module
            - py_abac.policy.conditions.attribute.base module
            - py_abac.policy.conditions.attribute.equals module
            - py_abac.policy.conditions.attribute.is_in module
            - py_abac.policy.conditions.attribute.is_not_in module
            - py_abac.policy.conditions.attribute.not_equals module
          - Module contents
        - py_abac.policy.conditions.collection package
          - Submodules
            - py_abac.policy.conditions.collection.all_in module
            - py_abac.policy.conditions.collection.all_not_in module
            - py_abac.policy.conditions.collection.any_in module
            - py_abac.policy.conditions.collection.any_not_in module
            - py_abac.policy.conditions.collection.base module
            - py_abac.policy.conditions.collection.is_empty module
            - py_abac.policy.conditions.collection.is_in module
            - py_abac.policy.conditions.collection.is_not_empty module
            - py_abac.policy.conditions.collection.is_not_in module
          - Module contents
        - py_abac.policy.conditions.logic package
        - py_abac.policy.conditions.numeric package
          - Submodules
            - py_abac.policy.conditions.numeric.base module
            - py_abac.policy.conditions.numeric.eq module
            - py_abac.policy.conditions.numeric.gt module
            - py_abac.policy.conditions.numeric.gte module
            - py_abac.policy.conditions.numeric.lt module
            - py_abac.policy.conditions.numeric.lte module
            - py_abac.policy.conditions.numeric.neq module
          - Module contents
        - py_abac.policy.conditions.object package
        - py_abac.policy.conditions.others package
        - py_abac.policy.conditions.string package
          - Submodules
            - py_abac.policy.conditions.string.base module
            - py_abac.policy.conditions.string.contains module
            - py_abac.policy.conditions.string.ends_with module
            - py_abac.policy.conditions.string.equals module
            - py_abac.policy.conditions.string.not_contains module
            - py_abac.policy.conditions.string.not_equals module
            - py_abac.policy.conditions.string.regex_match module
            - py_abac.policy.conditions.string.starts_with module
          - Module contents
      - Submodules
        - py_abac.policy.conditions.base module
        - py_abac.policy.conditions.schema module
      - Module contents
  - Submodules
    - py_abac.policy.policy module
    - py_abac.policy.rules module
    - py_abac.policy.targets module
  - Module contents
- py_abac.provider package
- py_abac.storage package

Submodules

py_abac.context module

PDP policy evaluation context

class py_abac.context.EvaluationContext(request: py_abac.request.AccessRequest, providers: List[py_abac.provider.base.AttributeProvider] = None)
    Bases: object

    Evaluation context class

    get_attribute_value(ace: str, attribute_path: str)
        Get attribute value for given access control element and attribute path

        Parameters
            ace – access control element
            attribute_path – attribute path in ObjectPath format
        Returns
            attribute value

    property ace
        Access control element being evaluated

    property action_id
        Action identifier being evaluated

    property attribute_path
        Attribute path being evaluated in ObjectPath notation

    property attribute_value
        Attribute value to evaluate

    property resource_id
        Resource identifier being evaluated

    property subject_id
        Subject identifier being evaluated

py_abac.exceptions module

All py_abac exceptions

exception py_abac.exceptions.InvalidAccessControlElementError(element)
    Bases: Exception

    Error occurred when accessing invalid access control element

exception py_abac.exceptions.InvalidAttributePathError(path)
    Bases: Exception

    Error occurred when invalid attribute path is found

exception py_abac.exceptions.PolicyCreateError
    Bases: Exception

    Error occurred during Policy creation.

py_abac.pdp module

Policy decision point implementation

class py_abac.pdp.EvaluationAlgorithm
    Bases: enum.Enum

    Supported evaluation algorithms

    ALLOW_OVERRIDES = 'allow_overrides'
    DENY_OVERRIDES = 'deny_overrides'
    HIGHEST_PRIORITY = 'highest_priority'

class py_abac.pdp.PDP(storage: py_abac.storage.base.Storage, algorithm: py_abac.pdp.EvaluationAlgorithm = <EvaluationAlgorithm.DENY_OVERRIDES: 'deny_overrides'>, providers: List[py_abac.provider.base.AttributeProvider] = None)
    Bases: object

    Policy decision point

    Example

        from pymongo import MongoClient

        from py_abac import PDP, EvaluationAlgorithm
        from py_abac.storage.mongo import MongoStorage
        from py_abac.provider.base import AttributeProvider

        # A simple email attribute provider class
        class EmailAttributeProvider(AttributeProvider):
            def get_attribute_value(self, ace, attribute_path, ctx):
                return "example@gmail.com"

        # Setup storage
        client = MongoClient()
        st = MongoStorage(client)
        # Insert all policies to storage
        # (`policies` is a list of policy objects defined elsewhere)
        for p in policies:
            st.add(p)

        # Create PDP configured to use highest priority algorithm
        # and an additional email attribute provider
        pdp = PDP(st, EvaluationAlgorithm.HIGHEST_PRIORITY, [EmailAttributeProvider()])

    Parameters
        storage – policy storage
        algorithm – policy evaluation algorithm
        providers – list of attribute providers

py_abac.request module

Authorization request class

class py_abac.request.AccessRequest(subject: dict, resource: dict, action: dict, context: dict)
    Bases: object

    Authorization request sent by PEP

    Example

        from flask import request
        from py_abac.request import AccessRequest

        # Create an access request JSON from flask request object.
        # request.values is client-supplied input; a PEP would normally take
        # the subject from the authenticated session instead.
        request_json = {
            "subject": {
                "id": "",
                "attributes": {"name": request.values.get("username")}
            },
            "resource": {
                "id": "",
                "attributes": {"name": request.path}
            },
            "action": {
                "id": "",
                "attributes": {"method": request.method}
            },
            "context": {}
        }
        # Parse JSON and create access request object
        # (named access_request so it does not shadow flask's request)
        access_request = AccessRequest.from_json(request_json)

    static from_json(data: dict) → py_abac.request.AccessRequest
        Create access request object from JSON

    property action
        Request action attributes

    property action_id
        Request action identifier

    property context
        Request context attributes

    property resource
        Requested resource attributes

    property resource_id
        Requested resource identifier

    property subject
        Request subject attributes

    property subject_id
        Request subject identifier

py_abac.request.Request
    alias of py_abac.request.AccessRequest

py_abac.version module

Version for py_abac package

Module contents

Exposed classes and methods