| 1 | """Bastionification utility. |
|---|
| 2 | |
|---|
| 3 | A bastion (for another object -- the 'original') is an object that has |
|---|
| 4 | the same methods as the original but does not give access to its |
|---|
| 5 | instance variables. Bastions have a number of uses, but the most |
|---|
| 6 | obvious one is to provide code executing in restricted mode with a |
|---|
| 7 | safe interface to an object implemented in unrestricted mode. |
|---|
| 8 | |
|---|
| 9 | The bastionification routine has an optional second argument which is |
|---|
| 10 | a filter function. Only those methods for which the filter method |
|---|
| 11 | (called with the method name as argument) returns true are accessible. |
|---|
| 12 | The default filter method returns true unless the method name begins |
|---|
| 13 | with an underscore. |
|---|
| 14 | |
|---|
| 15 | There are a number of possible implementations of bastions. We use a |
|---|
| 16 | 'lazy' approach where the bastion's __getattr__() discipline does all |
|---|
| 17 | the work for a particular method the first time it is used. This is |
|---|
| 18 | usually fastest, especially if the user doesn't call all available |
|---|
| 19 | methods. The retrieved methods are stored as instance variables of |
|---|
| 20 | the bastion, so the overhead is only occurred on the first use of each |
|---|
| 21 | method. |
|---|
| 22 | |
|---|
| 23 | Detail: the bastion class has a __repr__() discipline which includes |
|---|
| 24 | the repr() of the original object. This is precomputed when the |
|---|
| 25 | bastion is created. |
|---|
| 26 | |
|---|
| 27 | """ |
|---|
| 28 | from warnings import warnpy3k |
|---|
| 29 | warnpy3k("the Bastion module has been removed in Python 3.0", stacklevel=2) |
|---|
| 30 | del warnpy3k |
|---|
| 31 | |
|---|
| 32 | __all__ = ["BastionClass", "Bastion"] |
|---|
| 33 | |
|---|
| 34 | from types import MethodType |
|---|
| 35 | |
|---|
| 36 | |
|---|
| 37 | class BastionClass: |
|---|
| 38 | |
|---|
| 39 | """Helper class used by the Bastion() function. |
|---|
| 40 | |
|---|
| 41 | You could subclass this and pass the subclass as the bastionclass |
|---|
| 42 | argument to the Bastion() function, as long as the constructor has |
|---|
| 43 | the same signature (a get() function and a name for the object). |
|---|
| 44 | |
|---|
| 45 | """ |
|---|
| 46 | |
|---|
| 47 | def __init__(self, get, name): |
|---|
| 48 | """Constructor. |
|---|
| 49 | |
|---|
| 50 | Arguments: |
|---|
| 51 | |
|---|
| 52 | get - a function that gets the attribute value (by name) |
|---|
| 53 | name - a human-readable name for the original object |
|---|
| 54 | (suggestion: use repr(object)) |
|---|
| 55 | |
|---|
| 56 | """ |
|---|
| 57 | self._get_ = get |
|---|
| 58 | self._name_ = name |
|---|
| 59 | |
|---|
| 60 | def __repr__(self): |
|---|
| 61 | """Return a representation string. |
|---|
| 62 | |
|---|
| 63 | This includes the name passed in to the constructor, so that |
|---|
| 64 | if you print the bastion during debugging, at least you have |
|---|
| 65 | some idea of what it is. |
|---|
| 66 | |
|---|
| 67 | """ |
|---|
| 68 | return "<Bastion for %s>" % self._name_ |
|---|
| 69 | |
|---|
| 70 | def __getattr__(self, name): |
|---|
| 71 | """Get an as-yet undefined attribute value. |
|---|
| 72 | |
|---|
| 73 | This calls the get() function that was passed to the |
|---|
| 74 | constructor. The result is stored as an instance variable so |
|---|
| 75 | that the next time the same attribute is requested, |
|---|
| 76 | __getattr__() won't be invoked. |
|---|
| 77 | |
|---|
| 78 | If the get() function raises an exception, this is simply |
|---|
| 79 | passed on -- exceptions are not cached. |
|---|
| 80 | |
|---|
| 81 | """ |
|---|
| 82 | attribute = self._get_(name) |
|---|
| 83 | self.__dict__[name] = attribute |
|---|
| 84 | return attribute |
|---|
| 85 | |
|---|
| 86 | |
|---|
| 87 | def Bastion(object, filter = lambda name: name[:1] != '_', |
|---|
| 88 | name=None, bastionclass=BastionClass): |
|---|
| 89 | """Create a bastion for an object, using an optional filter. |
|---|
| 90 | |
|---|
| 91 | See the Bastion module's documentation for background. |
|---|
| 92 | |
|---|
| 93 | Arguments: |
|---|
| 94 | |
|---|
| 95 | object - the original object |
|---|
| 96 | filter - a predicate that decides whether a function name is OK; |
|---|
| 97 | by default all names are OK that don't start with '_' |
|---|
| 98 | name - the name of the object; default repr(object) |
|---|
| 99 | bastionclass - class used to create the bastion; default BastionClass |
|---|
| 100 | |
|---|
| 101 | """ |
|---|
| 102 | |
|---|
| 103 | raise RuntimeError, "This code is not secure in Python 2.2 and later" |
|---|
| 104 | |
|---|
| 105 | # Note: we define *two* ad-hoc functions here, get1 and get2. |
|---|
| 106 | # Both are intended to be called in the same way: get(name). |
|---|
| 107 | # It is clear that the real work (getting the attribute |
|---|
| 108 | # from the object and calling the filter) is done in get1. |
|---|
| 109 | # Why can't we pass get1 to the bastion? Because the user |
|---|
| 110 | # would be able to override the filter argument! With get2, |
|---|
| 111 | # overriding the default argument is no security loophole: |
|---|
| 112 | # all it does is call it. |
|---|
| 113 | # Also notice that we can't place the object and filter as |
|---|
| 114 | # instance variables on the bastion object itself, since |
|---|
| 115 | # the user has full access to all instance variables! |
|---|
| 116 | |
|---|
| 117 | def get1(name, object=object, filter=filter): |
|---|
| 118 | """Internal function for Bastion(). See source comments.""" |
|---|
| 119 | if filter(name): |
|---|
| 120 | attribute = getattr(object, name) |
|---|
| 121 | if type(attribute) == MethodType: |
|---|
| 122 | return attribute |
|---|
| 123 | raise AttributeError, name |
|---|
| 124 | |
|---|
| 125 | def get2(name, get1=get1): |
|---|
| 126 | """Internal function for Bastion(). See source comments.""" |
|---|
| 127 | return get1(name) |
|---|
| 128 | |
|---|
| 129 | if name is None: |
|---|
| 130 | name = repr(object) |
|---|
| 131 | return bastionclass(get2, name) |
|---|
| 132 | |
|---|
| 133 | |
|---|
| 134 | def _test(): |
|---|
| 135 | """Test the Bastion() function.""" |
|---|
| 136 | class Original: |
|---|
| 137 | def __init__(self): |
|---|
| 138 | self.sum = 0 |
|---|
| 139 | def add(self, n): |
|---|
| 140 | self._add(n) |
|---|
| 141 | def _add(self, n): |
|---|
| 142 | self.sum = self.sum + n |
|---|
| 143 | def total(self): |
|---|
| 144 | return self.sum |
|---|
| 145 | o = Original() |
|---|
| 146 | b = Bastion(o) |
|---|
| 147 | testcode = """if 1: |
|---|
| 148 | b.add(81) |
|---|
| 149 | b.add(18) |
|---|
| 150 | print "b.total() =", b.total() |
|---|
| 151 | try: |
|---|
| 152 | print "b.sum =", b.sum, |
|---|
| 153 | except: |
|---|
| 154 | print "inaccessible" |
|---|
| 155 | else: |
|---|
| 156 | print "accessible" |
|---|
| 157 | try: |
|---|
| 158 | print "b._add =", b._add, |
|---|
| 159 | except: |
|---|
| 160 | print "inaccessible" |
|---|
| 161 | else: |
|---|
| 162 | print "accessible" |
|---|
| 163 | try: |
|---|
| 164 | print "b._get_.func_defaults =", map(type, b._get_.func_defaults), |
|---|
| 165 | except: |
|---|
| 166 | print "inaccessible" |
|---|
| 167 | else: |
|---|
| 168 | print "accessible" |
|---|
| 169 | \n""" |
|---|
| 170 | exec testcode |
|---|
| 171 | print '='*20, "Using rexec:", '='*20 |
|---|
| 172 | import rexec |
|---|
| 173 | r = rexec.RExec() |
|---|
| 174 | m = r.add_module('__main__') |
|---|
| 175 | m.b = b |
|---|
| 176 | r.r_exec(testcode) |
|---|
| 177 | |
|---|
| 178 | |
|---|
| 179 | if __name__ == '__main__': |
|---|
| 180 | _test() |
|---|
