| 1 | """Bastionification utility.
|
|---|
| 2 |
|
|---|
| 3 | A bastion (for another object -- the 'original') is an object that has
|
|---|
| 4 | the same methods as the original but does not give access to its
|
|---|
| 5 | instance variables. Bastions have a number of uses, but the most
|
|---|
| 6 | obvious one is to provide code executing in restricted mode with a
|
|---|
| 7 | safe interface to an object implemented in unrestricted mode.
|
|---|
| 8 |
|
|---|
| 9 | The bastionification routine has an optional second argument which is
|
|---|
| 10 | a filter function. Only those methods for which the filter method
|
|---|
| 11 | (called with the method name as argument) returns true are accessible.
|
|---|
| 12 | The default filter method returns true unless the method name begins
|
|---|
| 13 | with an underscore.
|
|---|
| 14 |
|
|---|
| 15 | There are a number of possible implementations of bastions. We use a
|
|---|
| 16 | 'lazy' approach where the bastion's __getattr__() discipline does all
|
|---|
| 17 | the work for a particular method the first time it is used. This is
|
|---|
| 18 | usually fastest, especially if the user doesn't call all available
|
|---|
| 19 | methods. The retrieved methods are stored as instance variables of
|
|---|
| 20 | the bastion, so the overhead is only occurred on the first use of each
|
|---|
| 21 | method.
|
|---|
| 22 |
|
|---|
| 23 | Detail: the bastion class has a __repr__() discipline which includes
|
|---|
| 24 | the repr() of the original object. This is precomputed when the
|
|---|
| 25 | bastion is created.
|
|---|
| 26 |
|
|---|
| 27 | """
|
|---|
| 28 | from warnings import warnpy3k
|
|---|
| 29 | warnpy3k("the Bastion module has been removed in Python 3.0", stacklevel=2)
|
|---|
| 30 | del warnpy3k
|
|---|
| 31 |
|
|---|
| 32 | __all__ = ["BastionClass", "Bastion"]
|
|---|
| 33 |
|
|---|
| 34 | from types import MethodType
|
|---|
| 35 |
|
|---|
| 36 |
|
|---|
| 37 | class BastionClass:
|
|---|
| 38 |
|
|---|
| 39 | """Helper class used by the Bastion() function.
|
|---|
| 40 |
|
|---|
| 41 | You could subclass this and pass the subclass as the bastionclass
|
|---|
| 42 | argument to the Bastion() function, as long as the constructor has
|
|---|
| 43 | the same signature (a get() function and a name for the object).
|
|---|
| 44 |
|
|---|
| 45 | """
|
|---|
| 46 |
|
|---|
| 47 | def __init__(self, get, name):
|
|---|
| 48 | """Constructor.
|
|---|
| 49 |
|
|---|
| 50 | Arguments:
|
|---|
| 51 |
|
|---|
| 52 | get - a function that gets the attribute value (by name)
|
|---|
| 53 | name - a human-readable name for the original object
|
|---|
| 54 | (suggestion: use repr(object))
|
|---|
| 55 |
|
|---|
| 56 | """
|
|---|
| 57 | self._get_ = get
|
|---|
| 58 | self._name_ = name
|
|---|
| 59 |
|
|---|
| 60 | def __repr__(self):
|
|---|
| 61 | """Return a representation string.
|
|---|
| 62 |
|
|---|
| 63 | This includes the name passed in to the constructor, so that
|
|---|
| 64 | if you print the bastion during debugging, at least you have
|
|---|
| 65 | some idea of what it is.
|
|---|
| 66 |
|
|---|
| 67 | """
|
|---|
| 68 | return "<Bastion for %s>" % self._name_
|
|---|
| 69 |
|
|---|
| 70 | def __getattr__(self, name):
|
|---|
| 71 | """Get an as-yet undefined attribute value.
|
|---|
| 72 |
|
|---|
| 73 | This calls the get() function that was passed to the
|
|---|
| 74 | constructor. The result is stored as an instance variable so
|
|---|
| 75 | that the next time the same attribute is requested,
|
|---|
| 76 | __getattr__() won't be invoked.
|
|---|
| 77 |
|
|---|
| 78 | If the get() function raises an exception, this is simply
|
|---|
| 79 | passed on -- exceptions are not cached.
|
|---|
| 80 |
|
|---|
| 81 | """
|
|---|
| 82 | attribute = self._get_(name)
|
|---|
| 83 | self.__dict__[name] = attribute
|
|---|
| 84 | return attribute
|
|---|
| 85 |
|
|---|
| 86 |
|
|---|
| 87 | def Bastion(object, filter = lambda name: name[:1] != '_',
|
|---|
| 88 | name=None, bastionclass=BastionClass):
|
|---|
| 89 | """Create a bastion for an object, using an optional filter.
|
|---|
| 90 |
|
|---|
| 91 | See the Bastion module's documentation for background.
|
|---|
| 92 |
|
|---|
| 93 | Arguments:
|
|---|
| 94 |
|
|---|
| 95 | object - the original object
|
|---|
| 96 | filter - a predicate that decides whether a function name is OK;
|
|---|
| 97 | by default all names are OK that don't start with '_'
|
|---|
| 98 | name - the name of the object; default repr(object)
|
|---|
| 99 | bastionclass - class used to create the bastion; default BastionClass
|
|---|
| 100 |
|
|---|
| 101 | """
|
|---|
| 102 |
|
|---|
| 103 | raise RuntimeError, "This code is not secure in Python 2.2 and later"
|
|---|
| 104 |
|
|---|
| 105 | # Note: we define *two* ad-hoc functions here, get1 and get2.
|
|---|
| 106 | # Both are intended to be called in the same way: get(name).
|
|---|
| 107 | # It is clear that the real work (getting the attribute
|
|---|
| 108 | # from the object and calling the filter) is done in get1.
|
|---|
| 109 | # Why can't we pass get1 to the bastion? Because the user
|
|---|
| 110 | # would be able to override the filter argument! With get2,
|
|---|
| 111 | # overriding the default argument is no security loophole:
|
|---|
| 112 | # all it does is call it.
|
|---|
| 113 | # Also notice that we can't place the object and filter as
|
|---|
| 114 | # instance variables on the bastion object itself, since
|
|---|
| 115 | # the user has full access to all instance variables!
|
|---|
| 116 |
|
|---|
| 117 | def get1(name, object=object, filter=filter):
|
|---|
| 118 | """Internal function for Bastion(). See source comments."""
|
|---|
| 119 | if filter(name):
|
|---|
| 120 | attribute = getattr(object, name)
|
|---|
| 121 | if type(attribute) == MethodType:
|
|---|
| 122 | return attribute
|
|---|
| 123 | raise AttributeError, name
|
|---|
| 124 |
|
|---|
| 125 | def get2(name, get1=get1):
|
|---|
| 126 | """Internal function for Bastion(). See source comments."""
|
|---|
| 127 | return get1(name)
|
|---|
| 128 |
|
|---|
| 129 | if name is None:
|
|---|
| 130 | name = repr(object)
|
|---|
| 131 | return bastionclass(get2, name)
|
|---|
| 132 |
|
|---|
| 133 |
|
|---|
| 134 | def _test():
|
|---|
| 135 | """Test the Bastion() function."""
|
|---|
| 136 | class Original:
|
|---|
| 137 | def __init__(self):
|
|---|
| 138 | self.sum = 0
|
|---|
| 139 | def add(self, n):
|
|---|
| 140 | self._add(n)
|
|---|
| 141 | def _add(self, n):
|
|---|
| 142 | self.sum = self.sum + n
|
|---|
| 143 | def total(self):
|
|---|
| 144 | return self.sum
|
|---|
| 145 | o = Original()
|
|---|
| 146 | b = Bastion(o)
|
|---|
| 147 | testcode = """if 1:
|
|---|
| 148 | b.add(81)
|
|---|
| 149 | b.add(18)
|
|---|
| 150 | print "b.total() =", b.total()
|
|---|
| 151 | try:
|
|---|
| 152 | print "b.sum =", b.sum,
|
|---|
| 153 | except:
|
|---|
| 154 | print "inaccessible"
|
|---|
| 155 | else:
|
|---|
| 156 | print "accessible"
|
|---|
| 157 | try:
|
|---|
| 158 | print "b._add =", b._add,
|
|---|
| 159 | except:
|
|---|
| 160 | print "inaccessible"
|
|---|
| 161 | else:
|
|---|
| 162 | print "accessible"
|
|---|
| 163 | try:
|
|---|
| 164 | print "b._get_.func_defaults =", map(type, b._get_.func_defaults),
|
|---|
| 165 | except:
|
|---|
| 166 | print "inaccessible"
|
|---|
| 167 | else:
|
|---|
| 168 | print "accessible"
|
|---|
| 169 | \n"""
|
|---|
| 170 | exec testcode
|
|---|
| 171 | print '='*20, "Using rexec:", '='*20
|
|---|
| 172 | import rexec
|
|---|
| 173 | r = rexec.RExec()
|
|---|
| 174 | m = r.add_module('__main__')
|
|---|
| 175 | m.b = b
|
|---|
| 176 | r.r_exec(testcode)
|
|---|
| 177 |
|
|---|
| 178 |
|
|---|
| 179 | if __name__ == '__main__':
|
|---|
| 180 | _test()
|
|---|
