
spakky-policy

spakky-policy provides loading of YAML/TOML/JSON policy documents and an RBAC/PBAC/ABAC authorization evaluator for spakky-auth.

Package root

spakky-policy plugin.

POLICY_AUTH_PROVIDER_ID = 'provider:spakky-policy' module-attribute

Stable auth provider id advertised by spakky-policy.

SpakkyPolicyAuthProvider(document)

Bases: IAuthorizationPolicyEvaluator, IPermissionChecker, IRoleChecker, IScopeChecker

Auth capability provider backed by a canonical policy document.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/auth_provider.py
def __init__(self, document: PolicyDocument) -> None:
    self._evaluator = PolicyDocumentEvaluator(document)

evaluate_policy(request)

Evaluate a resource/action authorization request.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/auth_provider.py
@override
def evaluate_policy(self, request: AuthorizationRequest) -> AuthorizationDecision:
    """Evaluate a resource/action authorization request."""
    return self._evaluator.evaluate_authorization(request)

check_permission(request)

Check whether the subject has a permission.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/auth_provider.py
@override
def check_permission(
    self,
    request: PermissionCheckRequest,
) -> AuthorizationDecision:
    """Check whether the subject has a permission."""
    return self._evaluator.check_permission(request)

check_role(request)

Check whether the subject has a role.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/auth_provider.py
@override
def check_role(self, request: RoleCheckRequest) -> AuthorizationDecision:
    """Check whether the subject has a role."""
    return self._evaluator.check_role(request)

check_scope(request)

Check whether the subject has a scope.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/auth_provider.py
@override
def check_scope(self, request: ScopeCheckRequest) -> AuthorizationDecision:
    """Check whether the subject has a scope."""
    return self._evaluator.check_scope(request)

SpakkyPolicyConfig()

Bases: BaseSettings

Runtime configuration for policy document loading.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/config.py
def __init__(self) -> None:
    super().__init__()

document_path = None class-attribute instance-attribute

Optional YAML, TOML, or JSON policy document path.

PolicyDocumentEvaluator(document)

Evaluate canonical Spakky policy documents.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/evaluator.py
def __init__(self, document: PolicyDocument) -> None:
    self._document = document
    self._subjects = {subject.ref: subject for subject in document.subjects}
    self._roles = {role.ref: role.permissions for role in document.roles}
    self._scopes = {scope.ref: scope.permissions for scope in document.scopes}
    self._policies = {policy.ref: policy for policy in document.policies}
    self._conditions = {
        condition.ref: condition
        for condition in document.conditions
        if condition.ref is not None
    }

evaluate(request)

Evaluate a request with deny precedence and default deny.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/evaluator.py
def evaluate(self, request: PolicyEvaluationInput) -> PolicyEvaluationResult:
    """Evaluate a request with deny precedence and default deny."""
    evidence: list[PolicyEvaluationEvidence] = []
    allow_seen = False
    for policy in self._selected_policies(request.policy):
        for statement in policy.statements:
            if self._statement_matches(statement, request, evidence, policy.ref):
                evidence.append(
                    PolicyEvaluationEvidence(
                        kind=PolicyEvidenceKind.STATEMENT_MATCHED,
                        policy=policy.ref,
                        statement=statement.ref,
                        reason=f"{statement.effect.value} statement matched",
                    )
                )
                if statement.effect is PolicyEffect.DENY:
                    return PolicyEvaluationResult(
                        allowed=False,
                        effect=PolicyEffect.DENY,
                        evidence=tuple(evidence),
                    )
                allow_seen = True
            else:
                evidence.append(
                    PolicyEvaluationEvidence(
                        kind=PolicyEvidenceKind.STATEMENT_SKIPPED,
                        policy=policy.ref,
                        statement=statement.ref,
                        reason="statement did not match request",
                    )
                )
    if allow_seen:
        return PolicyEvaluationResult(
            allowed=True,
            effect=PolicyEffect.ALLOW,
            evidence=tuple(evidence),
        )
    evidence.append(
        PolicyEvaluationEvidence(
            kind=PolicyEvidenceKind.DEFAULT_DENY,
            reason="no allow statement matched",
        )
    )
    return PolicyEvaluationResult(
        allowed=False,
        effect=None,
        evidence=tuple(evidence),
    )

evaluate_authorization(request)

Map resource/action policy evaluation to AuthorizationDecision.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/evaluator.py
def evaluate_authorization(
    self,
    request: AuthorizationRequest,
) -> AuthorizationDecision:
    """Map resource/action policy evaluation to AuthorizationDecision."""
    result = self.evaluate(
        PolicyEvaluationInput(
            auth_context=request.auth_context,
            resource=request.resource,
            action=request.action,
            tenant=request.tenant,
        )
    )
    return self._decision(result)

check_permission(request)

Check a canonical permission reference.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/evaluator.py
def check_permission(
    self, request: PermissionCheckRequest
) -> AuthorizationDecision:
    """Check a canonical permission reference."""
    result = self.evaluate(
        PolicyEvaluationInput(
            auth_context=request.auth_context,
            resource=request.resource,
            tenant=request.tenant,
            permission=request.permission,
        )
    )
    return self._decision(result)

check_role(request)

Check a canonical role reference.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/evaluator.py
def check_role(self, request: RoleCheckRequest) -> AuthorizationDecision:
    """Check a canonical role reference."""
    result = self.evaluate(
        PolicyEvaluationInput(
            auth_context=request.auth_context,
            tenant=request.tenant,
            role=request.role,
        )
    )
    return self._decision(result)

check_scope(request)

Check a canonical scope reference.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/evaluator.py
def check_scope(self, request: ScopeCheckRequest) -> AuthorizationDecision:
    """Check a canonical scope reference."""
    result = self.evaluate(
        PolicyEvaluationInput(
            auth_context=request.auth_context,
            scope=request.scope,
        )
    )
    return self._decision(result)

PolicyEvaluationInput(*, auth_context, resource=None, action=None, tenant=None, permission=None, role=None, scope=None, policy=None) dataclass

Provider-native policy evaluation input.

ConditionComposition

Bases: StrEnum

Boolean composition forms for policy conditions.

ConditionOperator

Bases: StrEnum

Operators supported by atomic conditions.

NamedPolicy(*, ref, statements, description=None) dataclass

Named policy composed from statements with OR/ANY semantics.

PolicyAction(*, ref) dataclass

Canonical action binding.

PolicyCondition(*, ref=None, operator=None, key=None, value=None, composition=None, children=()) dataclass

Atomic or composite condition.

PolicyDocument(*, version, metadata, subjects=(), resources=(), actions=(), permissions=(), roles=(), scopes=(), policies=(), conditions=()) dataclass

Typed canonical Spakky policy document.

PolicyEffect

Bases: StrEnum

Effects supported by policy statements.

PolicyEvaluationEvidence(*, kind, policy=None, statement=None, reason) dataclass

Explainable evidence emitted by policy evaluation.

PolicyEvaluationResult(*, allowed, effect, evidence) dataclass

Policy evaluator result with explainable evidence.

PolicyEvidenceKind

Bases: StrEnum

Machine-readable evidence categories emitted during evaluation.

PolicyMetadata(*, name, description=None, labels=()) dataclass

Human and operational metadata for a policy document.

PolicyPermission(*, ref, resources=(), actions=()) dataclass

Named permission expanded into resource/action requirements.

PolicyResource(*, ref, tenant=None) dataclass

Canonical resource binding.

PolicyRole(*, ref, permissions=()) dataclass

Named role expanded into permission requirements.

PolicyScope(*, ref, permissions=()) dataclass

Named scope expanded into permission requirements.

PolicyStatement(*, ref, effect, subjects=(), roles=(), scopes=(), permissions=(), resources=(), actions=(), tenants=(), condition=None) dataclass

Single allow or deny statement in a named policy.

PolicySubject(*, ref, roles=(), scopes=(), permissions=(), claims=(), tenant=None) dataclass

Canonical subject binding declared in a policy document.

policy_auth_provider_contribution()

Return the auth capabilities contributed by spakky-policy.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/auth_provider.py
@Pod(name="spakky_policy_auth_provider_contribution")
def policy_auth_provider_contribution() -> AuthProviderContribution:
    """Return the auth capabilities contributed by spakky-policy."""
    return AuthProviderContribution(
        provider_id=POLICY_AUTH_PROVIDER_ID,
        capabilities=frozenset(
            {
                AuthCapability.POLICY_EVALUATION,
                AuthCapability.PERMISSION_CHECK,
                AuthCapability.ROLE_CHECK,
                AuthCapability.SCOPE_CHECK,
            }
        ),
    )

spakky_policy_document(config)

Load the configured policy document for DI-managed auth providers.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/auth_provider.py
@Pod(name="spakky_policy_document")
def spakky_policy_document(config: SpakkyPolicyConfig) -> PolicyDocument:
    """Load the configured policy document for DI-managed auth providers."""
    if config.document_path is None:
        return policy_document_from_mapping(
            {
                "version": "1",
                "metadata": {"name": "spakky-policy"},
            }
        )
    return load_policy_document(config.document_path)

load_policy_document(path)

Load a policy document from YAML, TOML, or JSON.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/loader.py
def load_policy_document(path: str | Path) -> PolicyDocument:
    """Load a policy document from YAML, TOML, or JSON."""
    policy_path = Path(path)
    suffix = policy_path.suffix.lower()
    try:
        if suffix == ".json":
            loaded = json.loads(policy_path.read_text(encoding="UTF-8"))
        elif suffix == ".toml":
            loaded = tomllib.loads(policy_path.read_text(encoding="UTF-8"))
        elif suffix in {".yaml", ".yml"}:
            loaded = yaml.safe_load(policy_path.read_text(encoding="UTF-8"))
        else:
            raise PolicyDocumentLoadError("unsupported policy document extension")
    except PolicyDocumentLoadError:
        raise
    except Exception as exc:
        raise PolicyDocumentLoadError("policy document could not be loaded") from exc
    return policy_document_from_mapping(_mapping(loaded, "document"))

policy_document_from_mapping(payload)

Canonicalize an in-memory policy document mapping.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/loader.py
def policy_document_from_mapping(payload: RawMapping) -> PolicyDocument:
    """Canonicalize an in-memory policy document mapping."""
    payload = _mapping(payload, "document")
    metadata = _mapping(payload.get("metadata", {"name": "policy"}), "metadata")
    return PolicyDocument(
        version=_string(payload.get("version", "1"), "version"),
        metadata=PolicyMetadata(
            name=_string(metadata.get("name", "policy"), "metadata.name"),
            description=_optional_string(
                metadata.get("description"), "metadata.description"
            ),
            labels=_string_tuple(metadata.get("labels", ()), "metadata.labels"),
        ),
        subjects=tuple(
            _subject(item)
            for item in _sequence(payload.get("subjects", ()), "subjects")
        ),
        resources=tuple(
            _resource(item)
            for item in _sequence(payload.get("resources", ()), "resources")
        ),
        actions=tuple(
            _action(item) for item in _sequence(payload.get("actions", ()), "actions")
        ),
        permissions=tuple(
            _permission(item)
            for item in _sequence(payload.get("permissions", ()), "permissions")
        ),
        roles=tuple(
            _role(item) for item in _sequence(payload.get("roles", ()), "roles")
        ),
        scopes=tuple(
            _scope(item) for item in _sequence(payload.get("scopes", ()), "scopes")
        ),
        policies=tuple(
            _policy(item) for item in _sequence(payload.get("policies", ()), "policies")
        ),
        conditions=tuple(
            _condition(item)
            for item in _sequence(payload.get("conditions", ()), "conditions")
        ),
    )

Policy Model

Canonical policy document and evaluation evidence model.

PolicyEffect

Bases: StrEnum

Effects supported by policy statements.

ConditionOperator

Bases: StrEnum

Operators supported by atomic conditions.

ConditionComposition

Bases: StrEnum

Boolean composition forms for policy conditions.

PolicyEvidenceKind

Bases: StrEnum

Machine-readable evidence categories emitted during evaluation.

PolicyMetadata(*, name, description=None, labels=()) dataclass

Human and operational metadata for a policy document.

PolicySubject(*, ref, roles=(), scopes=(), permissions=(), claims=(), tenant=None) dataclass

Canonical subject binding declared in a policy document.

PolicyResource(*, ref, tenant=None) dataclass

Canonical resource binding.

PolicyAction(*, ref) dataclass

Canonical action binding.

PolicyPermission(*, ref, resources=(), actions=()) dataclass

Named permission expanded into resource/action requirements.

PolicyRole(*, ref, permissions=()) dataclass

Named role expanded into permission requirements.

PolicyScope(*, ref, permissions=()) dataclass

Named scope expanded into permission requirements.

PolicyCondition(*, ref=None, operator=None, key=None, value=None, composition=None, children=()) dataclass

Atomic or composite condition.

PolicyStatement(*, ref, effect, subjects=(), roles=(), scopes=(), permissions=(), resources=(), actions=(), tenants=(), condition=None) dataclass

Single allow or deny statement in a named policy.

NamedPolicy(*, ref, statements, description=None) dataclass

Named policy composed from statements with OR/ANY semantics.

PolicyDocument(*, version, metadata, subjects=(), resources=(), actions=(), permissions=(), roles=(), scopes=(), policies=(), conditions=()) dataclass

Typed canonical Spakky policy document.

PolicyEvaluationEvidence(*, kind, policy=None, statement=None, reason) dataclass

Explainable evidence emitted by policy evaluation.

PolicyEvaluationResult(*, allowed, effect, evidence) dataclass

Policy evaluator result with explainable evidence.

Loader

YAML, TOML, and JSON policy document loading.

load_policy_document(path)

Load a policy document from YAML, TOML, or JSON.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/loader.py
def load_policy_document(path: str | Path) -> PolicyDocument:
    """Load a policy document from YAML, TOML, or JSON."""
    policy_path = Path(path)
    suffix = policy_path.suffix.lower()
    try:
        if suffix == ".json":
            loaded = json.loads(policy_path.read_text(encoding="UTF-8"))
        elif suffix == ".toml":
            loaded = tomllib.loads(policy_path.read_text(encoding="UTF-8"))
        elif suffix in {".yaml", ".yml"}:
            loaded = yaml.safe_load(policy_path.read_text(encoding="UTF-8"))
        else:
            raise PolicyDocumentLoadError("unsupported policy document extension")
    except PolicyDocumentLoadError:
        raise
    except Exception as exc:
        raise PolicyDocumentLoadError("policy document could not be loaded") from exc
    return policy_document_from_mapping(_mapping(loaded, "document"))

policy_document_from_mapping(payload)

Canonicalize an in-memory policy document mapping.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/loader.py
def policy_document_from_mapping(payload: RawMapping) -> PolicyDocument:
    """Canonicalize an in-memory policy document mapping."""
    payload = _mapping(payload, "document")
    metadata = _mapping(payload.get("metadata", {"name": "policy"}), "metadata")
    return PolicyDocument(
        version=_string(payload.get("version", "1"), "version"),
        metadata=PolicyMetadata(
            name=_string(metadata.get("name", "policy"), "metadata.name"),
            description=_optional_string(
                metadata.get("description"), "metadata.description"
            ),
            labels=_string_tuple(metadata.get("labels", ()), "metadata.labels"),
        ),
        subjects=tuple(
            _subject(item)
            for item in _sequence(payload.get("subjects", ()), "subjects")
        ),
        resources=tuple(
            _resource(item)
            for item in _sequence(payload.get("resources", ()), "resources")
        ),
        actions=tuple(
            _action(item) for item in _sequence(payload.get("actions", ()), "actions")
        ),
        permissions=tuple(
            _permission(item)
            for item in _sequence(payload.get("permissions", ()), "permissions")
        ),
        roles=tuple(
            _role(item) for item in _sequence(payload.get("roles", ()), "roles")
        ),
        scopes=tuple(
            _scope(item) for item in _sequence(payload.get("scopes", ()), "scopes")
        ),
        policies=tuple(
            _policy(item) for item in _sequence(payload.get("policies", ()), "policies")
        ),
        conditions=tuple(
            _condition(item)
            for item in _sequence(payload.get("conditions", ()), "conditions")
        ),
    )

Evaluator

RBAC, PBAC, and ABAC-style policy document evaluator.

PolicyEvaluationInput(*, auth_context, resource=None, action=None, tenant=None, permission=None, role=None, scope=None, policy=None) dataclass

Provider-native policy evaluation input.

PolicyDocumentEvaluator(document)

Evaluate canonical Spakky policy documents.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/evaluator.py
def __init__(self, document: PolicyDocument) -> None:
    self._document = document
    self._subjects = {subject.ref: subject for subject in document.subjects}
    self._roles = {role.ref: role.permissions for role in document.roles}
    self._scopes = {scope.ref: scope.permissions for scope in document.scopes}
    self._policies = {policy.ref: policy for policy in document.policies}
    self._conditions = {
        condition.ref: condition
        for condition in document.conditions
        if condition.ref is not None
    }

evaluate(request)

Evaluate a request with deny precedence and default deny.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/evaluator.py
def evaluate(self, request: PolicyEvaluationInput) -> PolicyEvaluationResult:
    """Evaluate a request with deny precedence and default deny."""
    evidence: list[PolicyEvaluationEvidence] = []
    allow_seen = False
    for policy in self._selected_policies(request.policy):
        for statement in policy.statements:
            if self._statement_matches(statement, request, evidence, policy.ref):
                evidence.append(
                    PolicyEvaluationEvidence(
                        kind=PolicyEvidenceKind.STATEMENT_MATCHED,
                        policy=policy.ref,
                        statement=statement.ref,
                        reason=f"{statement.effect.value} statement matched",
                    )
                )
                if statement.effect is PolicyEffect.DENY:
                    return PolicyEvaluationResult(
                        allowed=False,
                        effect=PolicyEffect.DENY,
                        evidence=tuple(evidence),
                    )
                allow_seen = True
            else:
                evidence.append(
                    PolicyEvaluationEvidence(
                        kind=PolicyEvidenceKind.STATEMENT_SKIPPED,
                        policy=policy.ref,
                        statement=statement.ref,
                        reason="statement did not match request",
                    )
                )
    if allow_seen:
        return PolicyEvaluationResult(
            allowed=True,
            effect=PolicyEffect.ALLOW,
            evidence=tuple(evidence),
        )
    evidence.append(
        PolicyEvaluationEvidence(
            kind=PolicyEvidenceKind.DEFAULT_DENY,
            reason="no allow statement matched",
        )
    )
    return PolicyEvaluationResult(
        allowed=False,
        effect=None,
        evidence=tuple(evidence),
    )
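
An added example (not spakky-policy source code): a self-contained model of the deny-precedence and default-deny loop in evaluate() above, run over a constructed policy set. The Statement, Request and Result types, the string evidence entries and the _matches rule (an empty field means "no constraint") are simplified assumptions, because _statement_matches and _selected_policies are not shown on this page.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Effect(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class Statement:  # hypothetical, reduced stand-in for PolicyStatement
    ref: str
    effect: Effect
    roles: tuple[str, ...] = ()
    resources: tuple[str, ...] = ()
    actions: tuple[str, ...] = ()


@dataclass(frozen=True)
class Request:  # hypothetical, reduced stand-in for PolicyEvaluationInput
    roles: frozenset[str]
    resource: str
    action: str


@dataclass(frozen=True)
class Result:
    allowed: bool
    effect: Effect | None  # None marks default deny, DENY marks an explicit deny
    evidence: tuple[str, ...]


def _matches(stmt: Statement, req: Request) -> bool:
    # Assumed rule: every non-empty field must cover the request value.
    return (
        (not stmt.roles or bool(req.roles & set(stmt.roles)))
        and (not stmt.resources or req.resource in stmt.resources)
        and (not stmt.actions or req.action in stmt.actions)
    )


def evaluate(policies: dict[str, tuple[Statement, ...]], req: Request) -> Result:
    evidence: list[str] = []
    allow_seen = False
    for policy_ref, statements in policies.items():
        for stmt in statements:
            if not _matches(stmt, req):
                evidence.append(f"skipped:{policy_ref}/{stmt.ref}")
                continue
            evidence.append(f"matched:{policy_ref}/{stmt.ref}:{stmt.effect.value}")
            if stmt.effect is Effect.DENY:
                # Deny precedence: an earlier allow cannot override this.
                return Result(False, Effect.DENY, tuple(evidence))
            allow_seen = True
    if allow_seen:
        return Result(True, Effect.ALLOW, tuple(evidence))
    evidence.append("default_deny")  # nothing allowed the request
    return Result(False, None, tuple(evidence))


# Constructed sample policies.
POLICIES = {
    "documents": (
        Statement("editors-write", Effect.ALLOW, ("editor",), ("doc",), ("read", "write")),
        Statement("viewers-read", Effect.ALLOW, ("viewer",), ("doc",), ("read",)),
    ),
    "guardrails": (Statement("suspended-deny", Effect.DENY, ("suspended",)),),
}

if __name__ == "__main__":
    cases = {
        "editor write": (POLICIES, Request(frozenset({"editor"}), "doc", "write")),
        "suspended editor write": (
            POLICIES,
            Request(frozenset({"editor", "suspended"}), "doc", "write"),
        ),
        "viewer write": (POLICIES, Request(frozenset({"viewer"}), "doc", "write")),
        "no policies loaded": ({}, Request(frozenset({"editor"}), "doc", "read")),
    }
    for name, (policies, req) in cases.items():
        print(name, evaluate(policies, req))
```

In this model an explicit deny returns immediately, so statements after it never appear in the evidence, and audit code can tell an explicit deny (effect DENY) from a default deny (effect None).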

evaluate_authorization(request)

Map resource/action policy evaluation to AuthorizationDecision.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/evaluator.py
def evaluate_authorization(
    self,
    request: AuthorizationRequest,
) -> AuthorizationDecision:
    """Map resource/action policy evaluation to AuthorizationDecision."""
    result = self.evaluate(
        PolicyEvaluationInput(
            auth_context=request.auth_context,
            resource=request.resource,
            action=request.action,
            tenant=request.tenant,
        )
    )
    return self._decision(result)

check_permission(request)

Check a canonical permission reference.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/evaluator.py
def check_permission(
    self, request: PermissionCheckRequest
) -> AuthorizationDecision:
    """Check a canonical permission reference."""
    result = self.evaluate(
        PolicyEvaluationInput(
            auth_context=request.auth_context,
            resource=request.resource,
            tenant=request.tenant,
            permission=request.permission,
        )
    )
    return self._decision(result)

check_role(request)

Check a canonical role reference.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/evaluator.py
def check_role(self, request: RoleCheckRequest) -> AuthorizationDecision:
    """Check a canonical role reference."""
    result = self.evaluate(
        PolicyEvaluationInput(
            auth_context=request.auth_context,
            tenant=request.tenant,
            role=request.role,
        )
    )
    return self._decision(result)

check_scope(request)

Check a canonical scope reference.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/evaluator.py
def check_scope(self, request: ScopeCheckRequest) -> AuthorizationDecision:
    """Check a canonical scope reference."""
    result = self.evaluate(
        PolicyEvaluationInput(
            auth_context=request.auth_context,
            scope=request.scope,
        )
    )
    return self._decision(result)

Auth Provider

Auth provider integration for policy document evaluation.

POLICY_AUTH_PROVIDER_ID = 'provider:spakky-policy' module-attribute

Stable auth provider id advertised by spakky-policy.

SpakkyPolicyAuthProvider(document)

Bases: IAuthorizationPolicyEvaluator, IPermissionChecker, IRoleChecker, IScopeChecker

Auth capability provider backed by a canonical policy document.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/auth_provider.py
def __init__(self, document: PolicyDocument) -> None:
    self._evaluator = PolicyDocumentEvaluator(document)

evaluate_policy(request)

Evaluate a resource/action authorization request.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/auth_provider.py
@override
def evaluate_policy(self, request: AuthorizationRequest) -> AuthorizationDecision:
    """Evaluate a resource/action authorization request."""
    return self._evaluator.evaluate_authorization(request)

check_permission(request)

Check whether the subject has a permission.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/auth_provider.py
@override
def check_permission(
    self,
    request: PermissionCheckRequest,
) -> AuthorizationDecision:
    """Check whether the subject has a permission."""
    return self._evaluator.check_permission(request)

check_role(request)

Check whether the subject has a role.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/auth_provider.py
@override
def check_role(self, request: RoleCheckRequest) -> AuthorizationDecision:
    """Check whether the subject has a role."""
    return self._evaluator.check_role(request)

check_scope(request)

Check whether the subject has a scope.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/auth_provider.py
@override
def check_scope(self, request: ScopeCheckRequest) -> AuthorizationDecision:
    """Check whether the subject has a scope."""
    return self._evaluator.check_scope(request)

spakky_policy_document(config)

Load the configured policy document for DI-managed auth providers.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/auth_provider.py
@Pod(name="spakky_policy_document")
def spakky_policy_document(config: SpakkyPolicyConfig) -> PolicyDocument:
    """Load the configured policy document for DI-managed auth providers."""
    if config.document_path is None:
        return policy_document_from_mapping(
            {
                "version": "1",
                "metadata": {"name": "spakky-policy"},
            }
        )
    return load_policy_document(config.document_path)

policy_auth_provider_contribution()

Return the auth capabilities contributed by spakky-policy.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/auth_provider.py
@Pod(name="spakky_policy_auth_provider_contribution")
def policy_auth_provider_contribution() -> AuthProviderContribution:
    """Return the auth capabilities contributed by spakky-policy."""
    return AuthProviderContribution(
        provider_id=POLICY_AUTH_PROVIDER_ID,
        capabilities=frozenset(
            {
                AuthCapability.POLICY_EVALUATION,
                AuthCapability.PERMISSION_CHECK,
                AuthCapability.ROLE_CHECK,
                AuthCapability.SCOPE_CHECK,
            }
        ),
    )

Contributions

Auth feature contribution for the policy provider.

initialize(app)

Register policy auth capability metadata.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/contributions/auth.py
def initialize(app: SpakkyApplication) -> None:
    """Register policy auth capability metadata."""
    app.add(policy_auth_provider_contribution)

Errors

Errors raised while loading or evaluating policy documents.

PolicyDocumentError

Bases: AbstractSpakkyFrameworkError

Base class for policy document failures.

PolicyDocumentLoadError

Bases: PolicyDocumentError

Raised when a policy document cannot be loaded.

PolicyDocumentValidationError

Bases: PolicyDocumentError

Raised when policy document input is not canonicalizable.

PolicyEvaluationError

Bases: PolicyDocumentError

Raised when evaluation cannot be completed.

Additional modules

Plugin initialization entry point.

initialize(app)

Register policy config, document, provider, and auth port bindings.

Source code in plugins/spakky-policy/src/spakky/plugins/policy/main.py
def initialize(app: SpakkyApplication) -> None:
    """Register policy config, document, provider, and auth port bindings."""
    app.add(SpakkyPolicyConfig)
    app.add(spakky_policy_document)
    app.add(SpakkyPolicyAuthProvider)
    app.container.bind_to_type(IAuthorizationPolicyEvaluator, SpakkyPolicyAuthProvider)
    app.container.bind_to_type(IPermissionChecker, SpakkyPolicyAuthProvider)
    app.container.bind_to_type(IRoleChecker, SpakkyPolicyAuthProvider)
    app.container.bind_to_type(IScopeChecker, SpakkyPolicyAuthProvider)