cased-rails 0.3.1 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7d0e3655a9bc7ff8cce27657993146a0eda10999481d2c89194c88bd5f601262
-  data.tar.gz: 78a0974005fe163ff98c154a8848bbdeb280af5d757c2f6330b6de7a482b8b5e
+  metadata.gz: 6ac8f2d72b0bd9acb03474b7903c2d7d061c6a95d99beb5ea46d8b18dfa2fe37
+  data.tar.gz: 17c1ea4d0eaa1c44a365d51b1a88b04a3c5a3c479f6318ab33bdd03c5163ea02
 SHA512:
-  metadata.gz: 4deb9a511c4079537c25af408aebac3342ce39ed8706874e99e513cb1c66e05ef141d5927dabda1cd2f100930a991dbb4bef37dda340de3604456ccaf74b6aad
-  data.tar.gz: 61e3279ca41dab08c8a92cbc47876bf4f147976283e83f7c68798f637efacce07d79ecc25aacbd9fa3d5f3f2ad9517f90b472a234e2fd5ef0442454fc64792ab
+  metadata.gz: 00c9c0d383329eb6e53432458a578db0c795107822bafcdcb8249bcc5432541ac3b5c7609b288110c8e6b9d531c6ac211399a4b43aeb1988115a28ad03b1bab6
+  data.tar.gz: b9d292a6ea549455cd9f595fe4d764910abfaa9e0f5331595359fb2a3520deec48479c5bf6591606df1e74e40958825b34d3c2b98af8cd7c2a4ec37a3544258b

data/README.md

@@ -7,15 +7,19 @@ A Cased client for Ruby on Rails applications in your organization to control an
 - [Installation](#installation)
 - [Configuration](#configuration)
 - [Usage](#usage)
-  - [Publishing events to Cased](#publishing-events-to-cased)
-  - [Publishing audit events for all record creation, updates, and deletions automatically](#publishing-audit-events-for-all-record-creation-updates-and-deletions-automatically)
-  - [Retrieving events from a Cased audit trail](#retrieving-events-from-a-cased-audit-trail)
-  - [Retrieving events from multiple Cased audit trails](#retrieving-events-from-multiple-cased-audit-trails)
-  - [Exporting events](#exporting-events)
-  - [Masking & filtering sensitive information](#masking-and-filtering-sensitive-information)
-  - [Disable publishing events](#disable-publishing-events)
-  - [Context](#context)
-  - [Testing](#testing)
+  - [Cased CLI](#cased-cli)
+    - [Recording console sessions](#recording-console-sessions)
+    - [Approval workflows for sensitive operations](#approval-workflows-for-sensitive-operations)
+  - [Audit trails](#audit-trails)
+    - [Publishing events to Cased](#publishing-events-to-cased)
+    - [Publishing audit events for all record creation, updates, and deletions automatically](#publishing-audit-events-for-all-record-creation-updates-and-deletions-automatically)
+    - [Retrieving events from a Cased audit trail](#retrieving-events-from-a-cased-audit-trail)
+    - [Retrieving events from multiple Cased audit trails](#retrieving-events-from-multiple-cased-audit-trails)
+    - [Exporting events](#exporting-events)
+    - [Masking & filtering sensitive information](#masking-and-filtering-sensitive-information)
+    - [Disable publishing events](#disable-publishing-events)
+    - [Context](#context)
+    - [Testing](#testing)
 - [Customizing cased-rails](#customizing-cased-rails)
 - [Contributing](#contributing)
 
@@ -41,6 +45,26 @@ All configuration options available in cased-rails are available to be configure
 
 ```ruby
 Cased.configure do |config|
+  # GUARD_APPLICATION_KEY=guard_application_1ntKX0P4vUbKoc0lMWGiSbrBHcH
+  config.guard_application_key = 'guard_application_1ntKX0P4vUbKoc0lMWGiSbrBHcH'
+
+  # GUARD_USER_TOKEN=user_1oFqlROLNRGVLOXJSsHkJiVmylr
+  config.guard_user_token = 'user_1oFqlROLNRGVLOXJSsHkJiVmylr'
+
+  # DENY_IF_UNREACHABLE=1
+  config.guard_deny_if_unreachable = true
+
+  # Attach metadata to all CLI requests. This metadata will appear in Cased and
+  # any notification source such as email or Slack.
+  #
+  # You are limited to 20 properties and cannot be a nested dictionary. Metadata
+  # specified in the CLI request overrides any configured globally.
+  config.cli.metadata = {
+    rails_env: ENV['RAILS_ENV'],
+    heroku_application: ENV['HEROKU_APP_NAME'],
+    git_commit: ENV['GIT_COMMIT'],
+  }
+
   # CASED_POLICY_KEY=policy_live_1dQpY5JliYgHSkEntAbMVzuOROh
   config.policy_key = 'policy_live_1dQpY5JliYgHSkEntAbMVzuOROh'
 
@@ -76,7 +100,119 @@ end
 
 ## Usage
 
-### Publishing events to Cased
+### Cased CLI
+
+#### Playback console sessions
+
+Having visibility into production terminal sessions is essential to providing
+access to sensitive data and critical systems. `cased-rails` can provide complete
+command line session recordings with minimal configuration.
+
+First, enable the "Record output" option in your application's settings page on Cased.
+
+Next grab the application's key from the same settings page and configure
+`cased-rails` with it either by using an environment variable or manually.
+
+**Environment variable**
+
+```
+GUARD_APPLICATION_KEY=guard_application_1rBCh8o3YMaI1eAKxbrNvnLki3x rails console
+```
+
+**Manually**
+
+```ruby
+Cased.configure do |config|
+  config.guard_application_key = 'guard_application_1rBCh8o3YMaI1eAKxbrNvnLki3x'
+end
+```
+
+By default playback will be saved only when a Rails console is started outside
+of development and test. When the playback is being saved, by default all
+parameters other than `id`, `action`, and `controller` will be filtered out.
+For example:
+
+```
+#<User id: "user_1qwkKB8IGxQFlu3C4lI53tCIyZI", organization: "Enterprise">
+```
+
+Would become:
+
+```
+#<User id: "user_1qwkKB8IGxQFlu3C4lI53tCIyZI", organization: [FILTERED]>
+```
+
+If you'd like to configure if filtering is enabled or specify which attributes
+are not filtered you can do so with:
+
+```ruby
+Cased.configure do |config|
+  config.unfiltered_parameters = ['id', 'action', 'controller']
+  config.filter_parameters = Rails.env.production?
+end
+```
+
+#### Approval workflows for sensitive operations
+
+Adding approval workflows to your controllers is a two step process in your
+Rails applications. 
+
+First, mount the Rails engine in your routes. The included Rails engine in
+cased-rails is necessary for the approval workflow to know whether or not it has
+been requested, approved, denied, canceled or timed out.
+
+```ruby
+Rails.application.routes.draw do
+  mount Cased::Rails::Engine => '/cased'
+
+  root to: 'home#show'
+end
+```
+
+To control the requirements for an approval workflow, that must be configured
+within your CLI application settings on Cased. Some controls include restricting
+which users or groups can approve the request, if a reason is required, how long
+until the request times out, and more.
+
+To start an your approval workflow all that is needed is to call the `guard`
+method before a request using `before_action`.
+
+```ruby
+class AccountsController < ApplicationController
+  before_action :guard, only: %i[update destroy]
+
+  def update
+    if current_account.update(account_params)
+      redirect_to current_account
+    else
+      render :edit
+    end
+  end
+
+  def destroy
+    if current_account.destroy
+      redirect_to accounts_path
+    else
+      redirect_to current_account
+    end
+  end
+
+  private
+
+  def account_params
+    params.require(:account).permit(:name, :description, :email)
+  end
+end
+```
+
+Approval workflows are best started just before data is about to be created,
+updated, or destroyed. Approval workflows are not intended to control permission
+to view resources. The actions we recommend guarding are `create`, `update`, and
+`destroy` based on your needs.
+
+### Audit trails
+
+#### Publishing events to Cased
 
 Once Cased is setup there are two ways to publish your first audit trail event.
 The first is using the `cased` helper method included in all ActiveRecord models.
@@ -151,7 +287,7 @@ end
 
 By publishing the `team.create` audit event within the controller directly as shown you risk not having a complete and comprehensive audit trail for each team created in your application as it may happen in your API, model callbacks, and more.
 
-### Publishing audit events for all record creation, updates, and deletions automatically
+#### Publishing audit events for all record creation, updates, and deletions automatically
 
 Cased provides a mixin you can include in your models or in `ApplicationRecord` to automatically publish when new models are created, updated, or destroyed.
 
@@ -173,7 +309,7 @@ end
 
 This mixin is intended to get you up and running quickly. You'll likely need to configure your own callbacks to control what exactly gets published to Cased.
 
-### Retrieving events from a Cased audit trail
+#### Retrieving events from a Cased audit trail
 
 If you plan on retrieving events from your audit trails to power a user facing audit trail or API you must use a Cased API key.
 
@@ -200,7 +336,7 @@ class AuditTrailController < ApplicationController
 end
 ```
 
-### Retrieving events from multiple Cased audit trails
+#### Retrieving events from multiple Cased audit trails
 
 To retrieve events from one or more Cased audit trails you can configure multiple Cased API keys and retrieve events for each one by fetching their respective clients.
 
@@ -227,7 +363,7 @@ results.each do |event|
 end
 ```
 
-### Exporting events
+#### Exporting events
 
 Exporting events from Cased allows you to provide users with exports of their own data or to respond to data requests.
 
@@ -243,7 +379,7 @@ export = Cased.policy.exports.create(
 export.download_url # => https://api.cased.com/exports/export_1dSHQSNtAH90KA8zGTooMnmMdiD/download?token=eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoidXNlcl8xZFFwWThiQmdFd2RwbWRwVnJydER6TVg0ZkgiLCJ
 ```
 
-### Masking & filtering sensitive information
+#### Masking & filtering sensitive information
 
 If you are handling sensitive information on behalf of your users you should consider masking or filtering any sensitive information.
 
@@ -258,7 +394,7 @@ Cased.publish(
 )
 ```
 
-### Console Usage
+#### Console Usage
 
 Most Cased events will be created by users from actions on the website from
 custom defined events or lifecycle callbacks. The exception is any console
@@ -275,7 +411,7 @@ Rails.application.console do
 end
 ```
 
-### Disable publishing events
+#### Disable publishing events
 
 Although rare, there may be times where you wish to disable publishing events to Cased. To do so wrap your transaction inside of a `Cased.disable` block:
 
@@ -291,7 +427,7 @@ Or you can configure the entire process to disable publishing events.
 CASED_DISABLE_PUBLISHING=1 bundle exec ruby crawl.rb
 ```
 
-### Context
+#### Context
 
 When you include `cased-rails` in your application your Ruby on Rails application is configures a [Rack middleware](https://github.com/cased/cased-ruby/blob/master/lib/cased/rack_middleware.rb) that populates `Cased.context` with the following information for each request:
 
@@ -364,7 +500,7 @@ To clear/reset the context:
 Cased.context.clear
 ```
 
-### Testing
+#### Testing
 
 `cased-rails` provides a Cased::TestHelper test helper class that you can use to test events are being published to Cased.
 

data/app/assets/config/cased/manifest.js

@@ -0,0 +1,2 @@
+//= link_tree ../../images/cased
+//= link_directory ../../javascripts/cased .js

data/app/assets/javascripts/cased/index.js

@@ -0,0 +1,75 @@
+//= require rails-ujs
+
+let windowReference = null;
+let previousUrl = null;
+let casedCreateSession = null;
+let casedLoggedInContainer = null;
+let casedLoggedOutContainer = null;
+let casedUser = null;
+
+// receiveMessage is the callback that is triggered when an authentication
+// response is received from the new window we opened.
+//
+// We use this callback to update the user information in the UI and show the
+// logged in container.
+const receiveMessage = (event) => {
+  if (!event.isTrusted) {
+    return;
+  }
+
+  const { user } = event.data;
+  casedUser.innerText = user;
+  if (casedCreateSession) {
+    casedCreateSession.submit();
+  } else {
+    casedLoggedInContainer.classList.remove("hidden");
+    casedLoggedOutContainer.classList.add("hidden");
+  }
+};
+
+// openSignInWindow is used to present the Cased sign in window.
+const openSignInWindow = (url) => {
+  window.removeEventListener("message", receiveMessage);
+  const windowFeatures =
+    "toolbar=no, menubar=no, width=600, height=700, top=50, left=200";
+
+  if (windowReference === null || windowReference.closed) {
+    windowReference = window.open(url, "Cased", windowFeatures);
+  } else if (previousUrl !== url) {
+    // If the window is already open and the previous URL was different, we need
+    // to load a new URL and refocus.
+    windowReference = window.open(url, "Cased", windowFeatures);
+    windowReference.focus();
+  } else {
+    windowReference.focus();
+  }
+
+  window.addEventListener("message", (event) => receiveMessage(event), false);
+  previousUrl = url;
+};
+
+window.addEventListener("DOMContentLoaded", (event) => {
+  // Global elements
+  casedCreateSession = document.getElementById("cased-create-session");
+  casedLoggedInContainer = document.getElementById("cased-logged-in");
+  casedLoggedOutContainer = document.getElementById("cased-logged-out");
+  casedUser = document.getElementById("cased-user");
+
+  // Local elements
+  const casedAuthenticate = document.getElementById("cased-authenticate");
+  if (casedAuthenticate) {
+    casedAuthenticate.addEventListener("click", (event) => {
+      event.preventDefault();
+
+      openSignInWindow(event.currentTarget.href);
+    });
+  }
+
+  const casedLogout = document.getElementById("cased-logout");
+  if (casedLogout) {
+    casedLogout.addEventListener("ajax:success", (_event) => {
+      casedLoggedInContainer.classList.add("hidden");
+      casedLoggedOutContainer.classList.remove("hidden");
+    });
+  }
+});

data/app/controllers/cased/authorizations_controller.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Cased
+  class AuthorizationsController < ApplicationController
+    def create
+      self.cased_authorization = params[:token]
+    end
+
+    def destroy
+      self.cased_authorization = nil
+    end
+  end
+end

data/app/controllers/cased/cli/sessions_controller.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module Cased
+  module CLI
+    class SessionsController < ApplicationController
+      def show
+        guard_session = Cased::CLI::Session.find(params[:guard_session_id])
+
+        respond_to do |format|
+          format.html do
+            render partial: 'cased/cli/sessions/form', locals: { guard_session: guard_session }
+          end
+
+          format.json do
+            render partial: 'cased/cli/sessions/guard_session', locals: { guard_session: guard_session }
+          end
+        end
+      end
+
+      def cancel
+        guard_session = Cased::CLI::Session.find(params[:guard_session_id])
+        guard_session.cancel
+
+        respond_to do |format|
+          format.html do
+            safe_redirect_back
+          end
+
+          format.json do
+            render partial: 'cased/cli/sessions/guard_session', locals: { guard_session: guard_session }
+          end
+        end
+      end
+
+      private
+
+      def safe_redirect_back(allow_other_host: false, **args)
+        referer = params[:referer]
+        redirect_to_referer = referer && (allow_other_host || url_host_allowed?(referer))
+        redirect_to redirect_to_referer ? referer : guard_fallback_location, **args
+      end
+
+      def url_host_allowed?(url)
+        uri = URI(url.to_s)
+
+        # We're redirecting to a path on app.cased.com, that is okay.
+        return true if uri.host.blank?
+
+        uri.host == request.host
+      rescue ArgumentError, URI::Error
+        false
+      end
+    end
+  end
+end

data/app/helpers/cased_helper.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module CasedHelper
+  # Guarded parameters are the original parameters when the form was first
+  # submitted. These parameters need to be preserved.
+  def guarded_parameters(form)
+    form_params = params.except(:authenticity_token, :controller, :action)
+
+    safe_join render_guarded_parameters(form, form_params.to_unsafe_h)
+  end
+
+  def render_guarded_parameters(form, form_params, prefix = nil)
+    form_params.collect do |key, value|
+      case value
+      when Hash
+        render_guarded_parameters(form, value, key)
+      else
+        name = prefix ? "#{prefix}[#{key}]" : key
+        hidden_field_tag(name, value)
+      end
+    end
+  end
+end

data/app/models/cased/authorization.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require 'jwt'
+
+module Cased
+  class Authorization
+    class MissingApplicationKey < StandardError
+      MESSAGE = <<~MSG
+        Missing GUARD_APPLICATION_KEY or Cased.config.guard_application_key.
+      MSG
+
+      def initialize
+        super(MESSAGE)
+      end
+    end
+
+    ALGORITHM = 'HS256'
+
+    def self.load!(token)
+      raise MissingApplicationKey if Cased.config.guard_application_key.blank?
+
+      # JWT.decode will raise here if the token has expired or the application
+      # key does not match meaning it has been tampered with.
+      data, = JWT.decode(token, Cased.config.guard_application_key, true, algorithm: ALGORITHM)
+
+      new(
+        user: data.fetch('user'),
+        user_id: data.fetch('user_id'),
+        expires_at: data.fetch('exp'),
+        issuer: data.fetch('iss'),
+        issued_at: data.fetch('iat'),
+      )
+    end
+
+    def self.validate!(token)
+      load!(token)
+    end
+
+    attr_reader :user
+    attr_reader :user_id
+    attr_reader :issued_at
+    attr_reader :expires_at
+    attr_reader :issuer
+
+    def initialize(user:, user_id:, issued_at:, expires_at:, issuer:)
+      @user = user
+      @user_id = user_id
+      @issued_at = Time.at(issued_at)
+      @expires_at = Time.at(expires_at)
+      @issuer = issuer
+    end
+
+    def token
+      user_id
+    end
+
+    def to_s
+      user
+    end
+
+    def to_param
+      user_id
+    end
+  end
+end

data/app/views/cased/authorizations/create.html.erb

@@ -0,0 +1,10 @@
+<script>
+// We need to let the originating window know about the new logged in user.
+// Once the originating window is notified we can close this window.
+if (window.opener) {
+  window.opener.postMessage({
+    user: "<%= cased_authorization.user %>"
+  })
+  window.close()
+}
+</script>

data/app/views/cased/cli/sessions/_form.html.erb

@@ -0,0 +1,15 @@
+<div id="guard-session-container">
+  <% if guard_session.requested? %>
+    <%= render 'cased/cli/sessions/steps/requested', guard_session: guard_session %>
+  <% elsif guard_session.denied? %>
+    <%= render 'cased/cli/sessions/steps/denied', guard_session: guard_session %>
+  <% elsif guard_session.canceled? %>
+    <%= render 'cased/cli/sessions/steps/canceled', guard_session: guard_session %>
+  <% elsif guard_session.timed_out? %>
+    <%= render 'cased/cli/sessions/steps/timed_out', guard_session: guard_session %>
+  <% elsif guard_session.reason_required? %>
+    <%= render 'cased/cli/sessions/steps/reason_required', guard_session: guard_session %>
+  <% else %>
+    <%= render 'cased/cli/sessions/steps/create', guard_session: guard_session %>
+  <% end %>
+</div>

data/app/views/cased/cli/sessions/_guard_session.json.jbuilder

@@ -0,0 +1,27 @@
+json.id guard_session.id
+json.url guard_session.url
+json.api_url guard_session.api_url
+json.state guard_session.state
+json.command guard_session.command
+json.metadata guard_session.metadata
+json.reason guard_session.reason
+json.ip_address guard_session.ip_address
+json.requester do |requester|
+  requester.id guard_session.requester['id']
+  requester.email guard_session.requester['email']
+end
+
+json.responded_at guard_session.responded_at
+json.responder do |responder|
+  responder.id guard_session.responder['id']
+  responder.email guard_session.responder['email']
+end
+
+json.guard_application do |guard_application|
+  guard_application.id guard_session.guard_application['id']
+  guard_application.name guard_session.guard_application['name']
+  guard_application.settings do |settings|
+    settings.message_of_the_day guard_session.guard_application.dig('settings', 'message_of_the_day')
+    settings.reason_required guard_session.guard_application.dig('settings', 'reason_required')
+  end
+end

data/app/views/cased/cli/sessions/new.html.erb

@@ -0,0 +1,24 @@
+<div class="min-h-screen bg-gray-50 flex flex-col justify-center py-12 sm:px-6 lg:px-8">
+  <div class="sm:mx-auto sm:w-full sm:max-w-md">
+    <%= image_tag 'cased/logo.png', class: 'mx-auto h-12 w-auto' %>
+  </div>
+
+  <div class="mt-8 sm:mx-auto sm:w-full sm:max-w-md">
+    <div id="cased-logged-in" class="<%= 'hidden' unless cased_authorization? %>">
+      <div class="bg-white py-8 px-4 shadow sm:rounded-lg sm:px-10">
+        <%= render 'cased/cli/sessions/form', guard_session: current_guard_session %>
+      </div>
+      <div class="text-center py-4 flex justify-center space-x-2">
+        <div>
+          Logged in as <span id="cased-user"><%= cased_authorization %></span>.
+        </div>
+        <%= button_to 'Logout', cased.logout_path, form: { id: 'cased-logout' }, method: :delete, remote: true, class: 'p-0 border-none bg-transparent text-blue-500 shadow-none cursor-pointer' %>
+      </div>
+    </div>
+    <div id="cased-logged-out" class="<%= 'hidden' if cased_authorization? %>">
+      <div class="bg-white py-8 px-4 shadow sm:rounded-lg sm:px-10">
+        <%= link_to 'Sign in to Cased', "#{Cased.config.url}/login/connect/#{Cased.config.guard_application_key}?return_to=#{cased.authorizations_url}", id: 'cased-authenticate', class: 'w-full flex justify-center py-2 px-4 border border-transparent rounded-md shadow-sm text-sm font-medium text-white bg-gray-600 hover:bg-gray-700 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-gray-500' %>
+      </div>
+    </div>
+  </div>
+</div>

data/app/views/cased/cli/sessions/steps/_canceled.html.erb

@@ -0,0 +1,17 @@
+<div class="sm:flex sm:items-start">
+  <div class="mx-auto flex-shrink-0 flex items-center justify-center h-12 w-12 rounded-full bg-red-100 sm:mx-0 sm:h-10 sm:w-10">
+    <svg class="h-6 w-6 text-red-600" x-description="Heroicon name: outline/exclamation" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
+      <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z"></path>
+    </svg>
+  </div>
+  <div class="mt-3 text-center sm:mt-0 sm:ml-4 sm:text-left">
+    <h3 class="text-lg leading-6 font-medium text-gray-900" id="modal-headline">
+      Request Canceled
+    </h3>
+    <div class="mt-2">
+      <p class="text-sm text-gray-500">
+        You canceled the request.
+      </p>
+    </div>
+  </div>
+</div>

data/app/views/cased/cli/sessions/steps/_create.html.erb

@@ -0,0 +1,15 @@
+<%= form_with method: request.request_method_symbol, local: true, id: 'cased-create-session' do |form| %>
+  <%= guarded_parameters form %>
+
+  <div class="flex justify-center">
+    <div>
+      <svg class="animate-spin -ml-1 mr-3 h-6 w-6 text-gray" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24">
+        <circle class="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" stroke-width="4"></circle>
+        <path class="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"></path>
+      </svg>
+    </div>
+    <div>
+      Loading…
+    </div>
+  </div>
+<% end %>

data/app/views/cased/cli/sessions/steps/_denied.html.erb

@@ -0,0 +1,17 @@
+<div class="sm:flex sm:items-start">
+  <div class="mx-auto flex-shrink-0 flex items-center justify-center h-12 w-12 rounded-full bg-red-100 sm:mx-0 sm:h-10 sm:w-10">
+    <svg class="h-6 w-6 text-red-600" x-description="Heroicon name: outline/exclamation" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
+      <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z"></path>
+    </svg>
+  </div>
+  <div class="mt-3 text-center sm:mt-0 sm:ml-4 sm:text-left">
+    <h3 class="text-lg leading-6 font-medium text-gray-900" id="modal-headline">
+      Request Denied
+    </h3>
+    <div class="mt-2">
+      <p class="text-sm text-gray-500">
+        <strong><%= guard_session.responder['email'] %></strong> denied your request.
+      </p>
+    </div>
+  </div>
+</div>

data/app/views/cased/cli/sessions/steps/_reason_required.html.erb

@@ -0,0 +1,16 @@
+<%= form_with method: request.request_method_symbol, class: 'space-y-6', local: true, id: 'guard-reason-required-form' do |form| %>
+  <%= guarded_parameters form %>
+
+  <div>
+    <%= form.label 'guard_session[reason]', 'Reason', class: 'block text-sm font-medium text-gray-700' %>
+    <div class="mt-1">
+      <%= form.text_field 'guard_session[reason]', required: true, autocomplete: 'off', placeholder: 'Provide a reason', class: 'appearance-none block w-full px-3 py-2 border border-gray-300 rounded-md shadow-sm placeholder-gray-400 focus:outline-none focus:ring-indigo-500 focus:border-indigo-500 sm:text-sm' %>
+    </div>
+  </div>
+
+  <div>
+    <button type="submit" class="w-full flex justify-center py-2 px-4 border border-transparent rounded-md shadow-sm text-sm font-medium text-white bg-gray-600 hover:bg-gray-700 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-gray-500">
+      Submit
+    </button>
+  </div>
+<% end %>

data/app/views/cased/cli/sessions/steps/_requested.html.erb

@@ -0,0 +1,49 @@
+<%= form_with method: request.request_method_symbol, local: true, id: 'guard-session-form' do |form| %>
+  <%= guarded_parameters form %>
+
+  <div class="flex justify-center">
+    <div>
+      <svg class="animate-spin -ml-1 mr-3 h-6 w-6 text-gray" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24">
+        <circle class="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" stroke-width="4"></circle>
+        <path class="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"></path>
+      </svg>
+    </div>
+    <div>
+      Waiting for approval…
+    </div>
+  </div>
+  <%= form.hidden_field 'guard_session[id]', value: guard_session.id %>
+  <%= form.hidden_field 'guard_session[referer]', value: request.referer %>
+<% end %>
+
+<script>
+  const checkState = () => {
+    fetch("<%= cased.guard_session_url(guard_session, format: :json) %>")
+      .then((response) => response.json())
+      .then((json) => {
+        switch (json.state) {
+          case 'approved':
+            document.getElementById('guard-session-form').submit()
+            break;
+
+          case 'requested':
+            setTimeout(checkState, 1000)
+            break;
+
+          default:
+            refresh()
+            break;
+        }
+      })
+  }
+
+  const refresh = () => {
+    fetch("<%= cased.guard_session_url(guard_session) %>")
+      .then((response) => response.text())
+      .then((html) => {
+        document.getElementById('guard-session-container').innerHTML = html
+      })
+  }
+
+  checkState()
+</script>

data/app/views/cased/cli/sessions/steps/_timed_out.html.erb

@@ -0,0 +1,17 @@
+<div class="sm:flex sm:items-start">
+  <div class="mx-auto flex-shrink-0 flex items-center justify-center h-12 w-12 rounded-full bg-yellow-100 sm:mx-0 sm:h-10 sm:w-10">
+    <svg class="h-6 w-6 text-yellow-600" x-description="Heroicon name: outline/exclamation" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
+      <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z"></path>
+    </svg>
+  </div>
+  <div class="mt-3 text-center sm:mt-0 sm:ml-4 sm:text-left">
+    <h3 class="text-lg leading-6 font-medium text-gray-900" id="modal-headline">
+      Request Timed Out
+    </h3>
+    <div class="mt-2">
+      <p class="text-sm text-gray-500">
+        Your request timed out.
+      </p>
+    </div>
+  </div>
+</div>

data/app/views/layouts/cased/cli.html.erb

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Cased</title>
+    <%= csp_meta_tag %>
+    <%= favicon_link_tag 'cased/favicon.ico' %>
+    <%= javascript_include_tag 'cased/index' %>
+    <link href="https://unpkg.com/tailwindcss@^2/dist/tailwind.min.css" rel="stylesheet">
+  </head>
+  <body>
+    <%= yield %>
+  </body>
+</html>

data/config/initializers/inflections.rb

@@ -0,0 +1,3 @@
+ActiveSupport::Inflector.inflections(:en) do |inflect|
+  inflect.acronym 'CLI'
+end

data/config/routes.rb

@@ -0,0 +1,6 @@
+Cased::Rails::Engine.routes.draw do
+  get '/authorizations/callback' => 'cased/authorizations#create', as: :authorizations
+  delete '/logout' => 'cased/authorizations#destroy', as: :logout
+  get '/cli/sessions/:guard_session_id' => 'cased/cli/sessions#show', as: :guard_session
+  post '/cli/sessions/:guard_session_id/cancel' => 'cased/cli/sessions#cancel', as: :cancel_guard_session
+end

data/lib/cased/controller_helpers.rb

@@ -6,10 +6,107 @@ module Cased
 
     included do
       before_action :cased_setup_request_context
+      if respond_to?(:helper_method)
+        helper_method :current_guard_session
+        helper_method :cased_authorization
+        helper_method :cased_authorization?
+      end
     end
 
     private
 
+    def guard_required?
+      true
+    end
+
+    def cased_authorization
+      @cased_authorization ||= begin
+        if cookies[:cased_authorization]
+          Cased::Authorization.load!(cookies[:cased_authorization])
+        end
+      rescue JWT::ExpiredSignature
+        cookies.delete(:cased_authorization)
+        nil
+      end
+    end
+
+    def cased_authorization?
+      cased_authorization.present?
+    end
+
+    def cased_authorization=(token)
+      if token.nil?
+        cookies.delete(:cased_authorization)
+      else
+        Cased::Authorization.validate!(token)
+
+        cookies[:cased_authorization] = token
+      end
+    end
+
+    def current_guard_session
+      @current_guard_session ||= Cased::CLI::Session.new(
+        reason: params.dig(:guard_session, :reason),
+        metadata: guard_session_metadata,
+        authentication: cased_authorization,
+      )
+    end
+
+    def guard_session_approved?
+      guard_session_id = params.dig(:guard_session, :id)
+      return false unless guard_session_id.present?
+
+      session = Cased::CLI::Session.find(guard_session_id)
+      session.approved?
+    end
+
+    def guard
+      # TODO: Cancel previous session if not used
+      return true unless guard_required?
+
+      if guard_session_approved?
+        Cased.context.merge(guard_session: current_guard_session)
+        return true
+      end
+
+      if cased_authorization? && current_guard_session.create && current_guard_session.approved?
+        Cased.context.merge(guard_session: current_guard_session)
+        return true
+      end
+
+      render_guard
+    end
+
+    def guard_fallback_location
+      if respond_to?(:root_path)
+        root_path
+      else
+        '/'
+      end
+    end
+
+    def render_guard
+      respond_to do |format|
+        format.html do
+          render template: 'cased/cli/sessions/new', layout: 'cased/cli'
+        end
+
+        format.json do
+          render json: { error: true }
+        end
+      end
+    end
+
+    def guard_session_metadata
+      {
+        location: request.remote_ip,
+        request_http_method: request.method,
+        request_user_agent: request.headers['User-Agent'],
+        request_url: request.original_url,
+        request_id: request.request_id,
+      }
+    end
+
     def cased_setup_request_context
       Cased.context.merge(cased_initial_request_context)
     end

data/lib/cased/rails.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'cased-ruby'
+require 'cased/rails/config'
 require 'cased/rails/railtie'
 require 'cased/rails/engine'
 require 'cased/model/automatic'

data/lib/cased/rails/config.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module Cased
+  module Rails
+    module Config
+      def unfiltered_parameters=(new_unfiltered_parameters)
+        @unfiltered_parameters = Array.wrap(new_unfiltered_parameters)
+      end
+
+      def unfiltered_parameters
+        @unfiltered_parameters ||= [
+          # Database record ID's
+          'id',
+          # Controller actions
+          'action',
+          # Controller names
+          'controller',
+        ].freeze
+      end
+
+      def filter_parameters=(new_filter_parameters)
+        @filter_parameters = new_filter_parameters
+      end
+
+      def filter_parameters?
+        return @filter_parameters if defined?(@filter_parameters)
+
+        @filter_parameters = if ENV['CASED_FILTER_PARAMETERS']
+          parse_bool(ENV['CASED_FILTER_PARAMETERS'])
+        else
+          ::Rails.env.staging? || ::Rails.env.production?
+        end
+      end
+    end
+  end
+end
+
+Cased::Config.prepend(Cased::Rails::Config)

data/lib/cased/rails/railtie.rb

@@ -5,6 +5,19 @@ require 'rails/railtie'
 module Cased
   module Rails
     class Railtie < ::Rails::Railtie
+      initializer 'cased.parameter_filter' do |app|
+        app.config.filter_parameters << proc do |key, value, _original_params|
+          next unless Cased.config.filter_parameters?
+          next if Cased.config.unfiltered_parameters.include?(key) || !value.respond_to?(:replace)
+
+          value.replace(ActiveSupport::ParameterFilter::FILTERED)
+        end
+      end
+
+      initializer 'cased.assets.precompile' do |app|
+        app.config.assets.precompile << 'cased/manifest.js'
+      end
+
       initializer 'cased.include_controller_helpers' do
         ActiveSupport.on_load(:action_controller) do
           require 'cased/controller_helpers'
@@ -43,6 +56,23 @@ module Cased
       # :nocov:
       console do
         Cased.console
+
+        # We only want to start an interactive session if Cased CLI is
+        # configured.
+        next if Cased.config.guard_application_key.blank?
+
+        session = Cased::CLI::InteractiveSession.start(command: "#{Dir.pwd}/bin/rails console")
+        Cased.context.merge(guard_session: session)
+        # If the session does not need its output recorded, we can bypass any
+        # forced exits.
+        next unless session.record_output?
+
+        # If we reach this line inside of the recorded session we don't want to
+        # exit but instead proceed to the `rails console` as usual.
+        #
+        # We don't want to enter the parent `rails console` so we exit right
+        # away as we know the child `rails console` completed successfully.
+        exit unless Cased::CLI::Session.current&.approved?
       end
     end
   end

data/lib/cased/rails/version.rb

@@ -2,6 +2,6 @@
 
 module Cased
   module Rails
-    VERSION = '0.3.1'
+    VERSION = '0.5.0'
   end
 end

data/lib/tasks/cased.rake

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+desc 'Enforce your Cased CLI controls before the Rake task is executed'
+task :guard do
+  next if Cased.config.guard_application_key.blank?
+
+  session = Cased::CLI::InteractiveSession.start
+  next unless session.record_output?
+
+  exit unless Cased::CLI::Session.current&.approved?
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cased-rails
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.5.0
 platform: ruby
 authors:
 - Garrett Bjerkhoel
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-01-21 00:00:00.000000000 Z
+date: 2021-05-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cased-ruby
@@ -16,14 +16,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.3
+        version: 0.5.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.3
+        version: 0.5.0
+- !ruby/object:Gem::Dependency
+  name: jbuilder
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -103,14 +117,37 @@ extra_rdoc_files: []
 files:
 - README.md
 - Rakefile
+- app/assets/config/cased/manifest.js
+- app/assets/images/cased/favicon.ico
+- app/assets/images/cased/logo.png
+- app/assets/javascripts/cased/index.js
+- app/controllers/cased/authorizations_controller.rb
+- app/controllers/cased/cli/sessions_controller.rb
+- app/helpers/cased_helper.rb
+- app/models/cased/authorization.rb
+- app/views/cased/authorizations/create.html.erb
+- app/views/cased/cli/sessions/_form.html.erb
+- app/views/cased/cli/sessions/_guard_session.json.jbuilder
+- app/views/cased/cli/sessions/new.html.erb
+- app/views/cased/cli/sessions/steps/_canceled.html.erb
+- app/views/cased/cli/sessions/steps/_create.html.erb
+- app/views/cased/cli/sessions/steps/_denied.html.erb
+- app/views/cased/cli/sessions/steps/_reason_required.html.erb
+- app/views/cased/cli/sessions/steps/_requested.html.erb
+- app/views/cased/cli/sessions/steps/_timed_out.html.erb
+- app/views/layouts/cased/cli.html.erb
+- config/initializers/inflections.rb
+- config/routes.rb
 - lib/cased/controller_helpers.rb
 - lib/cased/model/automatic.rb
 - lib/cased/rails.rb
 - lib/cased/rails/active_job.rb
+- lib/cased/rails/config.rb
 - lib/cased/rails/engine.rb
 - lib/cased/rails/model.rb
 - lib/cased/rails/railtie.rb
 - lib/cased/rails/version.rb
+- lib/tasks/cased.rake
 homepage: https://github.com/cased/cased-rails
 licenses:
 - MIT