Skip to main content

Python Authorizer Client

Overview

This package provides a high-level interface for interacting with the Topaz Authorizer API.

Installation

Using pip:

pip install -U aserto

Using Poetry:

poetry add aserto

Usage

Creating a client

The AuthorizerClient class provides the methods for interacting with an authorizer. The constructor takes two arguments:

  • identity (required): An Identity instance that represents a user
  • options (required): An AuthorizerOptions instance that provides configuration settings.
from aserto.client import AuthorizerOptions, Identity
from aserto.client.api.authorizer import AuthorizerClient
from flask import request

client = AuthorizerClient(
    identity=Identity(type="NONE"),
    authorizer=AuthorizerOptions(url=f"https://{TOPAZ_HOSTNAME}:{TOPAZ_PORT}")
)

Client methods

decisions

Arguments

  • decisions (required): A list of decision values to request, e.g. ["allowed"]
  • policy_path (required): The path of the policy module, including the policy root
  • resource_context (optional): The resource context provided to the Authorizer as a serializable dict
  • deadline (optional): How long to wait for the request to time-out. Either a Python timedelta object representing the duration to wait or a datetime object representing when the request should time-out
  • policy_instance_name (optional): The name of the policy instance to target when calling a hosted authorizer.
  • policy_instance_label (optional): The label of the policy instance to target when calling a hosted authorizer.

Example

decisions = client.decisions(
    decisions=["allowed", "enabled"],
    policy_path="my_policy_root.GET.user.__id",
)

assert decisions ==  {
    "enabled": True,
    "allowed": False,
}

decision_tree

Arguments

  • decisions (required): A list of decision values to request, e.g. ["allowed"]
  • policy_path_root (required): The root path of all the policy modules
  • policy_path_separator (required): Either "DOT" or "SLASH", the delimiter to use in the returned policy path keys
  • resource_context (optional): The resource context provided to the Authorizer as a serializable dict
  • deadline (optional): How long to wait for the request to time-out. Either a Python timedelta object representing the duration to wait or a datetime object representing when the request should time-out
  • policy_instance_name (optional): The name of the policy instance to target when calling a hosted authorizer.
  • policy_instance_label (optional): The label of the policy instance to target when calling a hosted authorizer.

Example

decision_tree = client.decision_tree(
    decisions=["enabled", "allowed"],
    policy_path_root="my_policy_root",
    policy_path_separator="SLASH",
)

# The result given that the following policy modules exist
# - `my_policy_root.GET.user.__id`
# - `my_policy_root.PUT.user`
assert decision_tree == {
    "GET/user/__id": {"enabled": True, "allowed": False},
    "PUT/user": {"enabled": True, "allowed": False},
}

Github

This package is open source and can be found on GitHub.