178 lines
5.7 KiB
Python
178 lines
5.7 KiB
Python
"""Bastionification utility.
|
|
|
|
A bastion (for another object -- the 'original') is an object that has
|
|
the same methods as the original but does not give access to its
|
|
instance variables. Bastions have a number of uses, but the most
|
|
obvious one is to provide code executing in restricted mode with a
|
|
safe interface to an object implemented in unrestricted mode.
|
|
|
|
The bastionification routine has an optional second argument which is
|
|
a filter function. Only those methods for which the filter method
|
|
(called with the method name as argument) returns true are accessible.
|
|
The default filter method returns true unless the method name begins
|
|
with an underscore.
|
|
|
|
There are a number of possible implementations of bastions. We use a
|
|
'lazy' approach where the bastion's __getattr__() discipline does all
|
|
the work for a particular method the first time it is used. This is
|
|
usually fastest, especially if the user doesn't call all available
|
|
methods. The retrieved methods are stored as instance variables of
|
|
the bastion, so the overhead is only occurred on the first use of each
|
|
method.
|
|
|
|
Detail: the bastion class has a __repr__() discipline which includes
|
|
the repr() of the original object. This is precomputed when the
|
|
bastion is created.
|
|
|
|
"""
|
|
|
|
__all__ = ["BastionClass", "Bastion"]
|
|
|
|
from types import MethodType
|
|
|
|
|
|
class BastionClass:
|
|
|
|
"""Helper class used by the Bastion() function.
|
|
|
|
You could subclass this and pass the subclass as the bastionclass
|
|
argument to the Bastion() function, as long as the constructor has
|
|
the same signature (a get() function and a name for the object).
|
|
|
|
"""
|
|
|
|
def __init__(self, get, name):
|
|
"""Constructor.
|
|
|
|
Arguments:
|
|
|
|
get - a function that gets the attribute value (by name)
|
|
name - a human-readable name for the original object
|
|
(suggestion: use repr(object))
|
|
|
|
"""
|
|
self._get_ = get
|
|
self._name_ = name
|
|
|
|
def __repr__(self):
|
|
"""Return a representation string.
|
|
|
|
This includes the name passed in to the constructor, so that
|
|
if you print the bastion during debugging, at least you have
|
|
some idea of what it is.
|
|
|
|
"""
|
|
return "<Bastion for %s>" % self._name_
|
|
|
|
def __getattr__(self, name):
|
|
"""Get an as-yet undefined attribute value.
|
|
|
|
This calls the get() function that was passed to the
|
|
constructor. The result is stored as an instance variable so
|
|
that the next time the same attribute is requested,
|
|
__getattr__() won't be invoked.
|
|
|
|
If the get() function raises an exception, this is simply
|
|
passed on -- exceptions are not cached.
|
|
|
|
"""
|
|
attribute = self._get_(name)
|
|
self.__dict__[name] = attribute
|
|
return attribute
|
|
|
|
|
|
def Bastion(object, filter = lambda name: name[:1] != '_',
|
|
name=None, bastionclass=BastionClass):
|
|
"""Create a bastion for an object, using an optional filter.
|
|
|
|
See the Bastion module's documentation for background.
|
|
|
|
Arguments:
|
|
|
|
object - the original object
|
|
filter - a predicate that decides whether a function name is OK;
|
|
by default all names are OK that don't start with '_'
|
|
name - the name of the object; default repr(object)
|
|
bastionclass - class used to create the bastion; default BastionClass
|
|
|
|
"""
|
|
|
|
raise RuntimeError, "This code is not secure in Python 2.2 and 2.3"
|
|
|
|
# Note: we define *two* ad-hoc functions here, get1 and get2.
|
|
# Both are intended to be called in the same way: get(name).
|
|
# It is clear that the real work (getting the attribute
|
|
# from the object and calling the filter) is done in get1.
|
|
# Why can't we pass get1 to the bastion? Because the user
|
|
# would be able to override the filter argument! With get2,
|
|
# overriding the default argument is no security loophole:
|
|
# all it does is call it.
|
|
# Also notice that we can't place the object and filter as
|
|
# instance variables on the bastion object itself, since
|
|
# the user has full access to all instance variables!
|
|
|
|
def get1(name, object=object, filter=filter):
|
|
"""Internal function for Bastion(). See source comments."""
|
|
if filter(name):
|
|
attribute = getattr(object, name)
|
|
if type(attribute) == MethodType:
|
|
return attribute
|
|
raise AttributeError, name
|
|
|
|
def get2(name, get1=get1):
|
|
"""Internal function for Bastion(). See source comments."""
|
|
return get1(name)
|
|
|
|
if name is None:
|
|
name = repr(object)
|
|
return bastionclass(get2, name)
|
|
|
|
|
|
def _test():
|
|
"""Test the Bastion() function."""
|
|
class Original:
|
|
def __init__(self):
|
|
self.sum = 0
|
|
def add(self, n):
|
|
self._add(n)
|
|
def _add(self, n):
|
|
self.sum = self.sum + n
|
|
def total(self):
|
|
return self.sum
|
|
o = Original()
|
|
b = Bastion(o)
|
|
testcode = """if 1:
|
|
b.add(81)
|
|
b.add(18)
|
|
print "b.total() =", b.total()
|
|
try:
|
|
print "b.sum =", b.sum,
|
|
except:
|
|
print "inaccessible"
|
|
else:
|
|
print "accessible"
|
|
try:
|
|
print "b._add =", b._add,
|
|
except:
|
|
print "inaccessible"
|
|
else:
|
|
print "accessible"
|
|
try:
|
|
print "b._get_.func_defaults =", map(type, b._get_.func_defaults),
|
|
except:
|
|
print "inaccessible"
|
|
else:
|
|
print "accessible"
|
|
\n"""
|
|
exec testcode
|
|
print '='*20, "Using rexec:", '='*20
|
|
import rexec
|
|
r = rexec.RExec()
|
|
m = r.add_module('__main__')
|
|
m.b = b
|
|
r.r_exec(testcode)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
_test()
|