Lib/Bastion.py

"""Bastionification utility.

A bastion (for another object -- the 'original') is an object that has
the same methods as the original but does not give access to its
instance variables.  Bastions have a number of uses, but the most
obvious one is to provide code executing in restricted mode with a
safe interface to an object implemented in unrestricted mode.

The bastionification routine has an optional second argument which is
a filter function.  Only those methods for which the filter method
(called with the method name as argument) returns true are accessible.
The default filter method returns true unless the method name begins
with an underscore.

There are a number of possible implementations of bastions.  We use a
'lazy' approach where the bastion's __getattr__() discipline does all
the work for a particular method the first time it is used.  This is
usually fastest, especially if the user doesn't call all available
methods.  The retrieved methods are stored as instance variables of
the bastion, so the overhead is only occurred on the first use of each
method.

Detail: the bastion class has a __repr__() discipline which includes
the repr() of the original object.  This is precomputed when the
bastion is created.

"""
from warnings import warnpy3k
warnpy3k("the Bastion module has been removed in Python 3.0", stacklevel=2)
del warnpy3k

__all__ = ["BastionClass", "Bastion"]

from types import MethodType


class BastionClass:

    """Helper class used by the Bastion() function.

    You could subclass this and pass the subclass as the bastionclass
    argument to the Bastion() function, as long as the constructor has
    the same signature (a get() function and a name for the object).

    """

    def __init__(self, get, name):
        """Constructor.

        Arguments:

        get - a function that gets the attribute value (by name)
        name - a human-readable name for the original object
               (suggestion: use repr(object))

        """
        self._get_ = get
        self._name_ = name

    def __repr__(self):
        """Return a representation string.

        This includes the name passed in to the constructor, so that
        if you print the bastion during debugging, at least you have
        some idea of what it is.

        """
        return "<Bastion for %s>" % self._name_

    def __getattr__(self, name):
        """Get an as-yet undefined attribute value.

        This calls the get() function that was passed to the
        constructor.  The result is stored as an instance variable so
        that the next time the same attribute is requested,
        __getattr__() won't be invoked.

        If the get() function raises an exception, this is simply
        passed on -- exceptions are not cached.

        """
        attribute = self._get_(name)
        self.__dict__[name] = attribute
        return attribute


def Bastion(object, filter = lambda name: name[:1] != '_',
            name=None, bastionclass=BastionClass):
    """Create a bastion for an object, using an optional filter.

    See the Bastion module's documentation for background.

    Arguments:

    object - the original object
    filter - a predicate that decides whether a function name is OK;
             by default all names are OK that don't start with '_'
    name - the name of the object; default repr(object)
    bastionclass - class used to create the bastion; default BastionClass

    """

    raise RuntimeError, "This code is not secure in Python 2.2 and later"

    # Note: we define *two* ad-hoc functions here, get1 and get2.
    # Both are intended to be called in the same way: get(name).
    # It is clear that the real work (getting the attribute
    # from the object and calling the filter) is done in get1.
    # Why can't we pass get1 to the bastion?  Because the user
    # would be able to override the filter argument!  With get2,
    # overriding the default argument is no security loophole:
    # all it does is call it.
    # Also notice that we can't place the object and filter as
    # instance variables on the bastion object itself, since
    # the user has full access to all instance variables!

    def get1(name, object=object, filter=filter):
        """Internal function for Bastion().  See source comments."""
        if filter(name):
            attribute = getattr(object, name)
            if type(attribute) == MethodType:
                return attribute
        raise AttributeError, name

    def get2(name, get1=get1):
        """Internal function for Bastion().  See source comments."""
        return get1(name)

    if name is None:
        name = repr(object)
    return bastionclass(get2, name)


def _test():
    """Test the Bastion() function."""
    class Original:
        def __init__(self):
            self.sum = 0
        def add(self, n):
            self._add(n)
        def _add(self, n):
            self.sum = self.sum + n
        def total(self):
            return self.sum
    o = Original()
    b = Bastion(o)
    testcode = """if 1:
    b.add(81)
    b.add(18)
    print "b.total() =", b.total()
    try:
        print "b.sum =", b.sum,
    except:
        print "inaccessible"
    else:
        print "accessible"
    try:
        print "b._add =", b._add,
    except:
        print "inaccessible"
    else:
        print "accessible"
    try:
        print "b._get_.func_defaults =", map(type, b._get_.func_defaults),
    except:
        print "inaccessible"
    else:
        print "accessible"
    \n"""
    exec testcode
    print '='*20, "Using rexec:", '='*20
    import rexec
    r = rexec.RExec()
    m = r.add_module('__main__')
    m.b = b
    r.r_exec(testcode)


if __name__ == '__main__':
    _test()