| """Bastionification utility. |
| |
| A bastion (for another object -- the 'original') is an object that has |
| the same methods as the original but does not give access to its |
| instance variables. Bastions have a number of uses, but the most |
| obvious one is to provide code executing in restricted mode with a |
| safe interface to an object implemented in unrestricted mode. |
| |
| The bastionification routine has an optional second argument which is |
| a filter function. Only those methods for which the filter method |
| (called with the method name as argument) returns true are accessible. |
| The default filter method returns true unless the method name begins |
| with an underscore. |
| |
| There are a number of possible implementations of bastions. We use a |
| 'lazy' approach where the bastion's __getattr__() discipline does all |
| the work for a particular method the first time it is used. This is |
| usually fastest, especially if the user doesn't call all available |
| methods. The retrieved methods are stored as instance variables of |
| the bastion, so the overhead is only occurred on the first use of each |
| method. |
| |
| Detail: the bastion class has a __repr__() discipline which includes |
| the repr() of the original object. This is precomputed when the |
| bastion is created. |
| |
| """ |
| from warnings import warnpy3k |
| warnpy3k("the Bastion module has been removed in Python 3.0", stacklevel=2) |
| del warnpy3k |
| |
| __all__ = ["BastionClass", "Bastion"] |
| |
| from types import MethodType |
| |
| |
| class BastionClass: |
| |
| """Helper class used by the Bastion() function. |
| |
| You could subclass this and pass the subclass as the bastionclass |
| argument to the Bastion() function, as long as the constructor has |
| the same signature (a get() function and a name for the object). |
| |
| """ |
| |
| def __init__(self, get, name): |
| """Constructor. |
| |
| Arguments: |
| |
| get - a function that gets the attribute value (by name) |
| name - a human-readable name for the original object |
| (suggestion: use repr(object)) |
| |
| """ |
| self._get_ = get |
| self._name_ = name |
| |
| def __repr__(self): |
| """Return a representation string. |
| |
| This includes the name passed in to the constructor, so that |
| if you print the bastion during debugging, at least you have |
| some idea of what it is. |
| |
| """ |
| return "<Bastion for %s>" % self._name_ |
| |
| def __getattr__(self, name): |
| """Get an as-yet undefined attribute value. |
| |
| This calls the get() function that was passed to the |
| constructor. The result is stored as an instance variable so |
| that the next time the same attribute is requested, |
| __getattr__() won't be invoked. |
| |
| If the get() function raises an exception, this is simply |
| passed on -- exceptions are not cached. |
| |
| """ |
| attribute = self._get_(name) |
| self.__dict__[name] = attribute |
| return attribute |
| |
| |
| def Bastion(object, filter = lambda name: name[:1] != '_', |
| name=None, bastionclass=BastionClass): |
| """Create a bastion for an object, using an optional filter. |
| |
| See the Bastion module's documentation for background. |
| |
| Arguments: |
| |
| object - the original object |
| filter - a predicate that decides whether a function name is OK; |
| by default all names are OK that don't start with '_' |
| name - the name of the object; default repr(object) |
| bastionclass - class used to create the bastion; default BastionClass |
| |
| """ |
| |
| raise RuntimeError, "This code is not secure in Python 2.2 and later" |
| |
| # Note: we define *two* ad-hoc functions here, get1 and get2. |
| # Both are intended to be called in the same way: get(name). |
| # It is clear that the real work (getting the attribute |
| # from the object and calling the filter) is done in get1. |
| # Why can't we pass get1 to the bastion? Because the user |
| # would be able to override the filter argument! With get2, |
| # overriding the default argument is no security loophole: |
| # all it does is call it. |
| # Also notice that we can't place the object and filter as |
| # instance variables on the bastion object itself, since |
| # the user has full access to all instance variables! |
| |
| def get1(name, object=object, filter=filter): |
| """Internal function for Bastion(). See source comments.""" |
| if filter(name): |
| attribute = getattr(object, name) |
| if type(attribute) == MethodType: |
| return attribute |
| raise AttributeError, name |
| |
| def get2(name, get1=get1): |
| """Internal function for Bastion(). See source comments.""" |
| return get1(name) |
| |
| if name is None: |
| name = repr(object) |
| return bastionclass(get2, name) |
| |
| |
| def _test(): |
| """Test the Bastion() function.""" |
| class Original: |
| def __init__(self): |
| self.sum = 0 |
| def add(self, n): |
| self._add(n) |
| def _add(self, n): |
| self.sum = self.sum + n |
| def total(self): |
| return self.sum |
| o = Original() |
| b = Bastion(o) |
| testcode = """if 1: |
| b.add(81) |
| b.add(18) |
| print "b.total() =", b.total() |
| try: |
| print "b.sum =", b.sum, |
| except: |
| print "inaccessible" |
| else: |
| print "accessible" |
| try: |
| print "b._add =", b._add, |
| except: |
| print "inaccessible" |
| else: |
| print "accessible" |
| try: |
| print "b._get_.func_defaults =", map(type, b._get_.func_defaults), |
| except: |
| print "inaccessible" |
| else: |
| print "accessible" |
| \n""" |
| exec testcode |
| print '='*20, "Using rexec:", '='*20 |
| import rexec |
| r = rexec.RExec() |
| m = r.add_module('__main__') |
| m.b = b |
| r.r_exec(testcode) |
| |
| |
| if __name__ == '__main__': |
| _test() |