Clone this repo
# Fetch the sources. The example application below loads its Casbin model and
# policy via the relative paths ../examples/authz_model.conf and
# ../examples/authz_policy.csv, which are resolved against the working
# directory the script is started from, not against the script's location.
git clone https://github.com/pycasbin/tornado-authz
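"""Minimal Tornado application guarded by the Casbin authorization middleware.

Every handler derives from ``BaseHandler``, whose ``prepare()`` hook runs the
``CasbinMiddleware`` before the HTTP verb method executes.  The policy decision
is made over {subject, object, action}: the subject is whatever
``get_current_user()`` returns (the value of the signed ``user`` cookie), the
object is the request path and the action is the HTTP method.
"""
import asyncio

# ``import tornado.web`` is the portable spelling: older Tornado releases do
# not expose the ``web`` submodule through a bare ``import tornado``.
import tornado.web
from casbin import Enforcer
from tornado_authz import CasbinMiddleware

# Create a CasbinMiddleware instance with the enforcer.  Both paths are
# relative to the current working directory, not to this file, so the script
# must be started from a directory whose parent contains ``examples/``.
enforcer = Enforcer("../examples/authz_model.conf", "../examples/authz_policy.csv")
middleware = CasbinMiddleware(enforcer)


class BaseHandler(tornado.web.RequestHandler):
    """Shared base handler: resolves the current user and enforces the policy."""

    def get_current_user(self):
        """Return the username carried by the signed ``user`` cookie, or ``None``.

        The cookie is read exactly once (the original read and verified it
        twice).  ``get_secure_cookie`` yields ``None`` when the cookie is
        missing or its signature does not verify, so a tampered cookie results
        in an anonymous request rather than a forged identity -- provided the
        application's ``cookie_secret`` is actually secret (see ``make_app``).
        """
        raw = self.get_secure_cookie("user")
        if not raw:
            return None
        return raw.decode("utf-8")

    def prepare(self):
        """Check the permission for the current request before the verb method runs.

        How a denied request is answered is decided inside ``CasbinMiddleware``;
        consult ``tornado_authz`` for the exact response it produces.
        """
        middleware(self)


class MainHandler(BaseHandler):
    """Landing page."""

    def get(self):
        self.write("Main Page")


class LoginHandler(BaseHandler):
    """Demo login: a plain form that sets the ``user`` cookie.

    There is no credential check at all -- whatever name the client submits
    becomes the subject the Casbin policy is evaluated for.  This is fine for
    illustrating the middleware but must not be copied into a real service.
    """

    def get(self):
        self.write('<html><body><form action="/login" method="post">'
                   'Name: <input type="text" name="name">'
                   '<input type="submit" value="Sign in">'
                   '</form></body></html>')

    def post(self):
        # ``get_argument`` raises (-> HTTP 400) when ``name`` is absent, so no
        # cookie is set for a malformed submission.
        self.set_secure_cookie("user", self.get_argument("name"))
        self.redirect("/dataset1/")


class DatasetHandler(BaseHandler):
    """Protected resource; reached only when the middleware lets the request through."""

    def get(self):
        # NOTE(review): the message presumes the bundled policy grants access to
        # "alice" only -- confirm against ../examples/authz_policy.csv.
        self.write("You must be alice to see this.")


def make_app():
    """Build the Tornado application with its routes and signed-cookie key.

    Returns:
        A ``tornado.web.Application`` wired to the three demo handlers.

    The ``cookie_secret`` is the HMAC key for ``set_secure_cookie`` /
    ``get_secure_cookie``.  Because the authorization subject is taken from
    that cookie, a known or guessable key lets any client mint a ``user``
    cookie for an arbitrary name and so pick the subject the policy sees.
    Replace the placeholder with a long random value (e.g. the output of
    ``secrets.token_hex(32)``) supplied from configuration, never committed
    to source.
    """
    return tornado.web.Application([
        (r"/", MainHandler),
        (r"/login", LoginHandler),
        (r"/dataset1/.*", DatasetHandler),
    ], cookie_secret="__TODO:_GENERATE_YOUR_OWN_RANDOM_VALUE_HERE__")


async def main():
    """Serve the application on port 8888 until the process is stopped."""
    app = make_app()
    # ``listen`` without an ``address`` argument binds every interface; pass
    # ``address="127.0.0.1"`` to keep the demo local.
    app.listen(8888)
    # Block forever; the event loop keeps serving requests in the meantime.
    await asyncio.Event().wait()


if __name__ == "__main__":
    asyncio.run(main())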
Authorization decides each request based on the triple {subject, object, action}: whether a given subject may perform a given action on a given object. In this plugin, the meanings are:
- subject: the logged-in username
- object: the URL path of the web resource, like dataset1/item1
- action: the HTTP method, like GET, POST, PUT, DELETE, or a high-level action you define, like "read-file" or "write-blog"

For how to write an authorization policy and other details, please refer to the Casbin documentation.
This project is licensed under the Apache 2.0 License. See the LICENSE file for the full license text.