launchpad-dev team mailing list archive

Thread
Date

Re: Should the import fascist die or get some teeth back? (was Re: Notes about security and view code)

To: Jamu Kakar <jkakar@xxxxxxxx>
From: Bjorn Tillenius <bjorn@xxxxxxxxxxxxx>
Date: Fri, 31 Jul 2009 10:54:13 +0300
Cc: launchpad-dev@xxxxxxxxxxxxxxxxxxx
In-reply-to: <aa66e7aa0907301557k45b97c4at9b7c158ef326e208@mail.gmail.com>
User-agent: Mutt/1.5.18 (2008-05-17)

On Thu, Jul 30, 2009 at 03:57:19PM -0700, Jamu Kakar wrote:
> Hi Gary,
> 
> On Thu, Jul 30, 2009 at 3:32 PM, Gary Poster<gary.poster@xxxxxxxxxxxxx> wrote:
> > I've had similar thoughts--i.e., maybe the import fascist should die, or
> > maybe it should be made more effective.  I do think it should be one or the
> > other.
> >
> > What do others think?  Should we kill the import fascist?  Or try to make it
> > better enforce the things we care about?  Or is it fine as is?
> 
> In Landscape we have an import guardian, which is a reimplementation
> of import fascist.  It differs from the fascist in that it has a
> very simple policy plugin system that allows you to write import
> policies easily and to configure the guardian to use the particular
> policies you want.  If you're planning on making changes it might be
> nice to adopt import guardian at the same time, so that we can have
> a single incarnation of this kind of thing.

+1 to using the import guardian from Landscape and make it enforce the
things we care about it. It make sense have something like this, since
it's basically a computerized reviewer, saving time for human reviewers.
It's also of course good to share code with other projects, and without
looking at all at the code, Landscape's import guardian is probably the
better choice.

Jamu, where is the code for this located?


> Something I've wondered while reading this thread is whether or not
> you have a "safe importer" in Launchpad.  In Landscape, certain
> functions may only be imported in browser code when using the safe
> prefix.  For example:
> 
> from safe.canonical.landscape.model.main import get_person_by_id
> 
> The use of 'safe' here uses our safe importer to ensure that the
> return value of get_person_by_id is wrapped in a security policy.
> We have an import guardian policy that ensures that (1) safe is used
> in browser code whenever an unsafe function is imported and (2) that
> only a set of things from a white list is importable with safe.
> This "enforce correct use of safe" is the most important thing we
> get from import guardian, though we also have things like "only
> allow imports defined in __all__" and so on.

No, we don't have anything like this. What we usually do is to put that
function on a utility, so that it can be used using
getUtility(IFooSet).get_person_by_id(). The utility is security proxied,
so that even calling get_person_by_id() can be access controlled.


-- 
Björn Tillenius | https://launchpad.net/~bjornt

Follow ups

Re: Should the import fascist die or get some teeth back? (was Re: Notes about security and view code)
From: Jamu Kakar, 2009-07-31

References

Notes about security and view code
From: Gary Poster, 2009-07-29
Re: Notes about security and view code
From: Michael Hudson, 2009-07-30
Re: Notes about security and view code
From: Michael Hudson, 2009-07-30
Should the import fascist die or get some teeth back? (was Re: Notes about security and view code)
From: Gary Poster, 2009-07-30
Re: Should the import fascist die or get some teeth back? (was Re: Notes about security and view code)
From: Jamu Kakar, 2009-07-30