py_abac package

Subpackages

• py_abac.policy package
  • Subpackages
    • py_abac.policy.conditions package
      • Subpackages
        • py_abac.policy.conditions.attribute package
          • Submodules
          • py_abac.policy.conditions.attribute.all_in module
          • py_abac.policy.conditions.attribute.all_not_in module
          • py_abac.policy.conditions.attribute.any_in module
          • py_abac.policy.conditions.attribute.any_not_in module
          • py_abac.policy.conditions.attribute.base module
          • py_abac.policy.conditions.attribute.equals module
          • py_abac.policy.conditions.attribute.is_in module
          • py_abac.policy.conditions.attribute.is_not_in module
          • py_abac.policy.conditions.attribute.not_equals module
          • Module contents
        • py_abac.policy.conditions.collection package
          • Submodules
          • py_abac.policy.conditions.collection.all_in module
          • py_abac.policy.conditions.collection.all_not_in module
          • py_abac.policy.conditions.collection.any_in module
          • py_abac.policy.conditions.collection.any_not_in module
          • py_abac.policy.conditions.collection.base module
          • py_abac.policy.conditions.collection.is_empty module
          • py_abac.policy.conditions.collection.is_in module
          • py_abac.policy.conditions.collection.is_not_empty module
          • py_abac.policy.conditions.collection.is_not_in module
          • Module contents
        • py_abac.policy.conditions.logic package
          • Submodules
          • py_abac.policy.conditions.logic.all_of module
          • py_abac.policy.conditions.logic.any_of module
          • py_abac.policy.conditions.logic.base module
          • py_abac.policy.conditions.logic.not_ module
          • Module contents
        • py_abac.policy.conditions.numeric package
          • Submodules
          • py_abac.policy.conditions.numeric.base module
          • py_abac.policy.conditions.numeric.eq module
          • py_abac.policy.conditions.numeric.gt module
          • py_abac.policy.conditions.numeric.gte module
          • py_abac.policy.conditions.numeric.lt module
          • py_abac.policy.conditions.numeric.lte module
          • py_abac.policy.conditions.numeric.neq module
          • Module contents
        • py_abac.policy.conditions.object package
          • Submodules
          • py_abac.policy.conditions.object.equals_object module
          • Module contents
        • py_abac.policy.conditions.others package
          • Submodules
          • py_abac.policy.conditions.others.any module
          • py_abac.policy.conditions.others.cidr module
          • py_abac.policy.conditions.others.exists module
          • py_abac.policy.conditions.others.not_exists module
          • Module contents
        • py_abac.policy.conditions.string package
          • Submodules
          • py_abac.policy.conditions.string.base module
          • py_abac.policy.conditions.string.contains module
          • py_abac.policy.conditions.string.ends_with module
          • py_abac.policy.conditions.string.equals module
          • py_abac.policy.conditions.string.not_contains module
          • py_abac.policy.conditions.string.not_equals module
          • py_abac.policy.conditions.string.regex_match module
          • py_abac.policy.conditions.string.starts_with module
          • Module contents
      • Submodules
      • py_abac.policy.conditions.base module
      • py_abac.policy.conditions.schema module
      • Module contents
  • Submodules
  • py_abac.policy.policy module
  • py_abac.policy.rules module
  • py_abac.policy.targets module
  • Module contents
• py_abac.provider package
  • Submodules
  • py_abac.provider.base module
  • py_abac.provider.request module
  • Module contents
• py_abac.storage package
  • Subpackages
    • py_abac.storage.file package
      • Submodules
      • py_abac.storage.file.storage module
      • Module contents
    • py_abac.storage.memory package
      • Submodules
      • py_abac.storage.memory.storage module
      • Module contents
    • py_abac.storage.mongo package
      • Submodules
      • py_abac.storage.mongo.migrations module
      • py_abac.storage.mongo.model module
      • py_abac.storage.mongo.storage module
      • Module contents
    • py_abac.storage.redis package
      • Submodules
      • py_abac.storage.redis.storage module
      • Module contents
    • py_abac.storage.sql package
      • Submodules
      • py_abac.storage.sql.migrations module
      • py_abac.storage.sql.model module
      • py_abac.storage.sql.storage module
      • Module contents
  • Submodules
  • py_abac.storage.base module
  • py_abac.storage.migration module
  • py_abac.storage.utils module
  • Module contents

Submodules

py_abac.context module

PDP policy evaluation context

class py_abac.context.EvaluationContext(request: py_abac.request.AccessRequest, providers: List[py_abac.provider.base.AttributeProvider] = None)

Bases: object

Evaluation context class

get_attribute_value(ace: str, attribute_path: str)

Get attribute value for given access control element and attribute path

Parameters

• ace – access control element

• attribute_path – attribute path in ObjectPath format

Returns

attribute value

property ace

Access control element being evaluated

property action_id

Action identifier being evaluated

property attribute_path

Attribute path being evaluated in ObjectPath notation

property attribute_value

Attribute value to evaluate

property resource_id

Resource identifier being evaluated

property subject_id

Subject identifier being evaluated

py_abac.exceptions module

All py_abac exceptions

exception py_abac.exceptions.InvalidAccessControlElementError(element)

Bases: Exception

Error occurred when accessing invalid access control element

exception py_abac.exceptions.InvalidAttributePathError(path)

Bases: Exception

Error occurred when invalid attribute path is found

exception py_abac.exceptions.PolicyCreateError

Bases: Exception

Error occurred during Policy creation.

exception py_abac.exceptions.PolicyExistsError(uid)

Bases: Exception

Error when the already existing policy is attempted to be created by Storage

exception py_abac.exceptions.RequestCreateError

Bases: Exception

Error occurred during Request creation.

py_abac.pdp module

Policy decision point implementation

class py_abac.pdp.EvaluationAlgorithm

Bases: enum.Enum

Supported evaluation algorithms

ALLOW_OVERRIDES = 'allow_overrides'

DENY_OVERRIDES = 'deny_overrides'

HIGHEST_PRIORITY = 'highest_priority'

class py_abac.pdp.PDP(storage: py_abac.storage.base.Storage, algorithm: py_abac.pdp.EvaluationAlgorithm = <EvaluationAlgorithm.DENY_OVERRIDES: 'deny_overrides'>, providers: List[py_abac.provider.base.AttributeProvider] = None)

Bases: object

Policy decision point

Example

from py_abac import PDP, EvaluationAlgorithm
from py_abac.storage.mongo import MongoStorage
from py_abac.providers import AttributeProvider

# A simple email attribute provider class
class EmailAttributeProvider(AttributeProvider):
    def get_attribute_value(self, ace, attribute_path, ctx):
        return "example@gmail.com"

# Setup storage
client = MongoClient()
st = MongoStorage(client)
# Insert all polices to storage
for p in policies:
    st.add(p)

# Create PDP configured to use highest priority algorithm
# and an additional email attribute provider
pdp = PDP(st, EvaluationAlgorithm.HIGHEST_PRIORITY, [EmailAttributeProvider()])

Parameters

• storage – policy storage

• algorithm – policy evaluation algorithm

• providers – list of attribute providers

is_allowed(request: py_abac.request.AccessRequest)

Check if authorization request is allowed

Parameters

request – request object

Returns

True if authorized else False

py_abac.request module

Authorization request class

class py_abac.request.AccessRequest(subject: dict, resource: dict, action: dict, context: dict)

Bases: object

Authorization request sent by PEP

Example

# Create a access request JSON from flask request object
request_json = {
    "subject": {
        "id": "",
        "attributes": {"name": request.values.get("username")}
    },
    "resource": {
        "id": "",
        "attributes": {"name": request.path}
    },
    "action": {
        "id": "",
        "attributes": {"method": request.method}
    },
    "context": {}
}
# Parse JSON and create access request object
request = AccessRequest.from_json(request_json)

static from_json(data: dict) → py_abac.request.AccessRequest

Create access request object from JSON

property action

Request action attributes

property action_id

Request action identifier

property context

Request context attributes

property resource

Requested resource attributes

property resource_id

Requested resource identifier

property subject

Request subject attributes

property subject_id

Request subject identifier

py_abac.request.Request

alias of py_abac.request.AccessRequest

py_abac.version module

Version for py_abac package

py_abac.version.version_info()

Get version of py_abac package as tuple

Module contents

Exposed classes and methods