Enforcing the use of constructors in Go
Enforcing the use of constructors in Go
4 minutes read. Published: 2021-03-20
When using golang, everyone with access to an exported type can create an instance of it, bypassing the use of a constructor function.
Sometimes though you want to protect you struct data from accidental modifications and keep an always valid internal state.
Or maybe you need to prevent the forging of references (and objects) to follow the object-capability model
Let's see the problem in code
The problem
// file db.go
// Having a File struct means already having Read access
type File struct {
Path string
Write bool
Append bool
Delete bool
}
func GetFile(path string, userID int) (*File, error) {
// Check the user permissions...
userCanRead := false
if !userCanRead {
return nil, errors.New("Can't read file")
}
return &File{path, false, true, false}, nil
}
// file main.go
// Using a safe function
file, err := db.GetFile("/etc/passwd", 0)
fmt.Println("1", file, err)
// Unsafely creating the struct, violating the invariants
file := db.File{"/etc/passwd", false, true, false}
fmt.Println(file)
I shouldn't be able to create a struct File manually and neither should I be able to manipulate my permissions.
Solution 1: Unexported type
If a type is unexported, the user of the library can't create it manually The type will be named file
instead of File
// file db.go
// Having a file struct means already having Read access
type file struct {
Path string
Write bool
Append bool
Delete bool
}
func GetFile(path string, userID int) (*file, error) {
// Return private type *file
}
Problems:
- External modules can't write functions accepting
db.file
as argument because it's unexported. I can't even declare a variable of typedb.file
, so I can't save it in any data structure.
Solution 2: Unexported type + interface
I may create an interface around the file
type
type FileIntf interface {
GetPath()
CanAppend()
CanWrite()
CanDelete()
}
This is not a valid solution though because now I can create a fake type FakeFile
and implement this interface, manipulating my permissions. Also, some functions may only accept the internal file
type, so I may have to convert between the two, checking every time if the conversion was valid.
Solution 3: Unexported type + wrapper type
// file db.go
type FileWrapper struct {
file *file
}
func (fileWrapper FileWrapper) func Get() {
return *fileWrapper.file
}
I can still create a db.FileWrapper
with default values (having the file
field set to nil
). That means using the type is impractical, because every time I use the struct I should check if the internal state was contructed correctly or not.
file := db.FileWrapper{}
// This will fail, because the internal `*file` pointer is nil
fmt.Println(file.Get())
Solution 4: Unexported type + closure
By saving the data inside an anonymous function I can then pass data around safely, without doing any nil
check.
// file db.go
type FileFuncWrap func() file
func (f file) WrapFunc() FileFuncWrap {
return func() {return f}
}
// file main.go
file := db.GetFile("/etc/passwd", 0)
printFile := func(unwrapFile db.FileFuncWrap) {
fmt.Println(unwrapFile())
}
// Look! I can even pass it around!
printFile(file.WrapFunc())
Solution 5 (Final): Unexported type + identity interface
The previous solution probably works ok, but creating many anonymous functions everytime you pass data around may be a bit costly. We saw that functions returning an internal type may be useful... Let's try doing something better.
//file db.go
type FileIdentity interface {
Identity() file
}
// obviously `file` implements the interface
func (f file) Identity() file {
return f
}
The interface returns the internal file
type, so another package can't implement the interface. (That's exactly what I want)
Now we should be able to store a file by saving it as a FileIdentity
//file main.go
file, _ := db.GetFile("/etc/passwd", 0)
arr := []db.FileIdentity{file} // Look how simple it's to store it! Without conversions!
printFile := func(fI db.FileIdentity) {
fmt.Println(fI.Identity())
}
printFile(arr[0]) // YAY!
A type returning himself should be way faster than creating a closure everytime.
Working code
You can see and run the last example here
https://www.telerealrd.com/advert/free-fight-tv-vergil-ortiz-vs-maurice-hooker-live-free-stream-full-fight-boxing-free/
https://coloradohorseforum.com/advert/fight-tv-vergil-ortiz-vs-maurice-hooker-live-stream-full-fight-boxing-free/
https://www.telerealrd.com/advert/fight-tv-pablo-cesar-cano-vs-jonathan-navarro-live-stream-full-fight-boxing-free/
https://coloradohorseforum.com/advert/free-tv-pablo-cesar-cano-vs-jonathan-navarro-live-stream-full-fight-boxing-free/
https://www.telerealrd.com/advert/freetv-anabel-ortiz-vs-seniesa-estrada-live-stream-full-fight-boxing-free/
https://coloradohorseforum.com/advert/boxing-tv-anabel-ortiz-vs-seniesa-estrada-live-stream-full-fight-boxing-free/
https://www.telerealrd.com/advert/fight-tv-adam-deines-vs-artur-beterbiev-live-stream-full-fight-boxing-free/
https://coloradohorseforum.com/advert/fight-hd-tv-adam-deines-vs-artur-beterbiev-live-stream-full-fight-boxing-free/
https://www.telerealrd.com/advert/fight-tv-anthony-fowler-vs-jorge-fortea-live-stream-full-fight-boxing-free/
https://coloradohorseforum.com/advert/fight-tv-anthony-fowler-vs-jorge-fortea-live-stream-full-fight-boxing-free/
https://vocus.cc/article/60563682fd89780001d58ad6
https://blog.goo.ne.jp/lifetvs/e/d2ee7e2867f44196e20721042885411a
https://paiza.io/projects/xrK1LZCVwd5hkPSdsNyBKg
https://caribbeanfever.com/photo/albums/jut
https://www.deviantart.com/hjfgfg/journal/What-if-you-could-cut-your-hosting-costs-by-over-5-873822569
Conclusion
While the last solution is "cool", I'm still a bit sad... Other languages like Rust and Java don't have the initial problem at all. The object-capability model seems a great way to improve security of my code, but using it in golang isn't so easy.