cased-rails 0.4.1 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 970843e42b3c8b7eeb9933f981114e25627606368402744fbf3bb1cdfd9744ff
-  data.tar.gz: 23757e948654062e03b624e507b406ade8e7f40c88bdf27e90e26693392cea71
+  metadata.gz: 0ac813e954f77f140af1bd3134fb4452008e807e42aa28eadc36ec9cb0466393
+  data.tar.gz: 2e05ad602523cb8d85bb0f015ef0322729f8b3a0372ab1d94a50d08882235d79
 SHA512:
-  metadata.gz: 6fced7fbe4a8aafb597f5eb077115e53c0889d0922dbd07a8d53d4c58876b6cba9ea3de2315cb32a49e64f7dcee4993699e0e68118b97e7c649939621c395c37
-  data.tar.gz: 63e56a4c9abe8949844fcaeb854e595f0b5786441cc2183a75e1f7a3d4fe90231212bd90ffb5bf8371c3d40450cd754bf3425b84ba3b72c5e4c60a697db95abd
+  metadata.gz: 7720462c3af78d86a2c331d75b62578d049cc04a33a4c246faabed779083237e02afe05780a496e09b25f746ab136ac20eb0f19f3ff943e032c385a1b82ca6e1
+  data.tar.gz: 5fe323c945bfb912929d7c8a777763fc0071bd3f1a8f13326eca84d512f195f881be6dba40820bebb1c16cc23b4b21eb72cdb3128439000fdc2046a6f0ab6627

data/README.md

@@ -7,15 +7,19 @@ A Cased client for Ruby on Rails applications in your organization to control an
 - [Installation](#installation)
 - [Configuration](#configuration)
 - [Usage](#usage)
-  - [Publishing events to Cased](#publishing-events-to-cased)
-  - [Publishing audit events for all record creation, updates, and deletions automatically](#publishing-audit-events-for-all-record-creation-updates-and-deletions-automatically)
-  - [Retrieving events from a Cased audit trail](#retrieving-events-from-a-cased-audit-trail)
-  - [Retrieving events from multiple Cased audit trails](#retrieving-events-from-multiple-cased-audit-trails)
-  - [Exporting events](#exporting-events)
-  - [Masking & filtering sensitive information](#masking-and-filtering-sensitive-information)
-  - [Disable publishing events](#disable-publishing-events)
-  - [Context](#context)
-  - [Testing](#testing)
+  - [Cased CLI](#cased-cli)
+    - [Recording console sessions](#recording-console-sessions)
+    - [Approval workflows for sensitive operations](#approval-workflows-for-sensitive-operations)
+  - [Audit trails](#audit-trails)
+    - [Publishing events to Cased](#publishing-events-to-cased)
+    - [Publishing audit events for all record creation, updates, and deletions automatically](#publishing-audit-events-for-all-record-creation-updates-and-deletions-automatically)
+    - [Retrieving events from a Cased audit trail](#retrieving-events-from-a-cased-audit-trail)
+    - [Retrieving events from multiple Cased audit trails](#retrieving-events-from-multiple-cased-audit-trails)
+    - [Exporting events](#exporting-events)
+    - [Masking & filtering sensitive information](#masking-and-filtering-sensitive-information)
+    - [Disable publishing events](#disable-publishing-events)
+    - [Context](#context)
+    - [Testing](#testing)
 - [Customizing cased-rails](#customizing-cased-rails)
 - [Contributing](#contributing)
 
@@ -41,6 +45,26 @@ All configuration options available in cased-rails are available to be configure
 
 ```ruby
 Cased.configure do |config|
+  # GUARD_APPLICATION_KEY=guard_application_1ntKX0P4vUbKoc0lMWGiSbrBHcH
+  config.guard_application_key = 'guard_application_1ntKX0P4vUbKoc0lMWGiSbrBHcH'
+
+  # GUARD_USER_TOKEN=user_1oFqlROLNRGVLOXJSsHkJiVmylr
+  config.guard_user_token = 'user_1oFqlROLNRGVLOXJSsHkJiVmylr'
+
+  # DENY_IF_UNREACHABLE=1
+  config.guard_deny_if_unreachable = true
+
+  # Attach metadata to all CLI requests. This metadata will appear in Cased and
+  # any notification source such as email or Slack.
+  #
+  # You are limited to 20 properties and cannot be a nested dictionary. Metadata
+  # specified in the CLI request overrides any configured globally.
+  config.cli.metadata = {
+    rails_env: ENV['RAILS_ENV'],
+    heroku_application: ENV['HEROKU_APP_NAME'],
+    git_commit: ENV['GIT_COMMIT'],
+  }
+
   # CASED_POLICY_KEY=policy_live_1dQpY5JliYgHSkEntAbMVzuOROh
   config.policy_key = 'policy_live_1dQpY5JliYgHSkEntAbMVzuOROh'
 
@@ -76,7 +100,119 @@ end
 
 ## Usage
 
-### Publishing events to Cased
+### Cased CLI
+
+#### Playback console sessions
+
+Having visibility into production terminal sessions is essential to providing
+access to sensitive data and critical systems. `cased-rails` can provide complete
+command line session recordings with minimal configuration.
+
+First, enable the "Record output" option in your application's settings page on Cased.
+
+Next grab the application's key from the same settings page and configure
+`cased-rails` with it either by using an environment variable or manually.
+
+**Environment variable**
+
+```
+GUARD_APPLICATION_KEY=guard_application_1rBCh8o3YMaI1eAKxbrNvnLki3x rails console
+```
+
+**Manually**
+
+```ruby
+Cased.configure do |config|
+  config.guard_application_key = 'guard_application_1rBCh8o3YMaI1eAKxbrNvnLki3x'
+end
+```
+
+By default playback will be saved only when a Rails console is started outside
+of development and test. When the playback is being saved, by default all
+parameters other than `id`, `action`, and `controller` will be filtered out.
+For example:
+
+```
+#<User id: "user_1qwkKB8IGxQFlu3C4lI53tCIyZI", organization: "Enterprise">
+```
+
+Would become:
+
+```
+#<User id: "user_1qwkKB8IGxQFlu3C4lI53tCIyZI", organization: [FILTERED]>
+```
+
+If you'd like to configure if filtering is enabled or specify which attributes
+are not filtered you can do so with:
+
+```ruby
+Cased.configure do |config|
+  config.unfiltered_parameters = ['id', 'action', 'controller']
+  config.filter_parameters = Rails.env.production?
+end
+```
+
+#### Approval workflows for sensitive operations
+
+Adding approval workflows to your controllers is a two step process in your
+Rails applications. 
+
+First, mount the Rails engine in your routes. The included Rails engine in
+cased-rails is necessary for the approval workflow to know whether or not it has
+been requested, approved, denied, canceled or timed out.
+
+```ruby
+Rails.application.routes.draw do
+  mount Cased::Rails::Engine => '/cased'
+
+  root to: 'home#show'
+end
+```
+
+To control the requirements for an approval workflow, that must be configured
+within your CLI application settings on Cased. Some controls include restricting
+which users or groups can approve the request, if a reason is required, how long
+until the request times out, and more.
+
+To start an your approval workflow all that is needed is to call the `guard`
+method before a request using `before_action`.
+
+```ruby
+class AccountsController < ApplicationController
+  before_action :guard, only: %i[update destroy]
+
+  def update
+    if current_account.update(account_params)
+      redirect_to current_account
+    else
+      render :edit
+    end
+  end
+
+  def destroy
+    if current_account.destroy
+      redirect_to accounts_path
+    else
+      redirect_to current_account
+    end
+  end
+
+  private
+
+  def account_params
+    params.require(:account).permit(:name, :description, :email)
+  end
+end
+```
+
+Approval workflows are best started just before data is about to be created,
+updated, or destroyed. Approval workflows are not intended to control permission
+to view resources. The actions we recommend guarding are `create`, `update`, and
+`destroy` based on your needs.
+
+### Audit trails
+
+#### Publishing events to Cased
 
 Once Cased is setup there are two ways to publish your first audit trail event.
 The first is using the `cased` helper method included in all ActiveRecord models.
@@ -151,7 +287,7 @@ end
 
 By publishing the `team.create` audit event within the controller directly as shown you risk not having a complete and comprehensive audit trail for each team created in your application as it may happen in your API, model callbacks, and more.
 
-### Publishing audit events for all record creation, updates, and deletions automatically
+#### Publishing audit events for all record creation, updates, and deletions automatically
 
 Cased provides a mixin you can include in your models or in `ApplicationRecord` to automatically publish when new models are created, updated, or destroyed.
 
@@ -173,7 +309,7 @@ end
 
 This mixin is intended to get you up and running quickly. You'll likely need to configure your own callbacks to control what exactly gets published to Cased.
 
-### Retrieving events from a Cased audit trail
+#### Retrieving events from a Cased audit trail
 
 If you plan on retrieving events from your audit trails to power a user facing audit trail or API you must use a Cased API key.
 
@@ -200,7 +336,7 @@ class AuditTrailController < ApplicationController
 end
 ```
 
-### Retrieving events from multiple Cased audit trails
+#### Retrieving events from multiple Cased audit trails
 
 To retrieve events from one or more Cased audit trails you can configure multiple Cased API keys and retrieve events for each one by fetching their respective clients.
 
@@ -227,7 +363,7 @@ results.each do |event|
 end
 ```
 
-### Exporting events
+#### Exporting events
 
 Exporting events from Cased allows you to provide users with exports of their own data or to respond to data requests.
 
@@ -243,7 +379,7 @@ export = Cased.policy.exports.create(
 export.download_url # => https://api.cased.com/exports/export_1dSHQSNtAH90KA8zGTooMnmMdiD/download?token=eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoidXNlcl8xZFFwWThiQmdFd2RwbWRwVnJydER6TVg0ZkgiLCJ
 ```
 
-### Masking & filtering sensitive information
+#### Masking & filtering sensitive information
 
 If you are handling sensitive information on behalf of your users you should consider masking or filtering any sensitive information.
 
@@ -258,7 +394,7 @@ Cased.publish(
 )
 ```
 
-### Console Usage
+#### Console Usage
 
 Most Cased events will be created by users from actions on the website from
 custom defined events or lifecycle callbacks. The exception is any console
@@ -275,7 +411,7 @@ Rails.application.console do
 end
 ```
 
-### Disable publishing events
+#### Disable publishing events
 
 Although rare, there may be times where you wish to disable publishing events to Cased. To do so wrap your transaction inside of a `Cased.disable` block:
 
@@ -291,7 +427,7 @@ Or you can configure the entire process to disable publishing events.
 CASED_DISABLE_PUBLISHING=1 bundle exec ruby crawl.rb
 ```
 
-### Context
+#### Context
 
 When you include `cased-rails` in your application your Ruby on Rails application is configures a [Rack middleware](https://github.com/cased/cased-ruby/blob/master/lib/cased/rack_middleware.rb) that populates `Cased.context` with the following information for each request:
 
@@ -364,7 +500,7 @@ To clear/reset the context:
 Cased.context.clear
 ```
 
-### Testing
+#### Testing
 
 `cased-rails` provides a Cased::TestHelper test helper class that you can use to test events are being published to Cased.
 

data/app/views/cased/cli/sessions/steps/_reason_required.html.erb

@@ -4,7 +4,7 @@
   <div>
     <%= form.label 'guard_session[reason]', 'Reason', class: 'block text-sm font-medium text-gray-700' %>
     <div class="mt-1">
-      <%= form.text_field 'guard_session[reason]', required: true, autocomplete: 'none', placeholder: 'Provide a reason', class: 'appearance-none block w-full px-3 py-2 border border-gray-300 rounded-md shadow-sm placeholder-gray-400 focus:outline-none focus:ring-indigo-500 focus:border-indigo-500 sm:text-sm' %>
+      <%= form.text_field 'guard_session[reason]', required: true, autocomplete: 'off', placeholder: 'Provide a reason', class: 'appearance-none block w-full px-3 py-2 border border-gray-300 rounded-md shadow-sm placeholder-gray-400 focus:outline-none focus:ring-indigo-500 focus:border-indigo-500 sm:text-sm' %>
     </div>
   </div>
 

data/lib/cased/rails/config.rb

@@ -18,16 +18,6 @@ module Cased
         ].freeze
       end
 
-      def skip_recording_console=(should_skip_recording_console)
-        @skip_recording_console = should_skip_recording_console
-      end
-
-      def skip_recording_console?
-        return @skip_recording_console if defined?(@skip_recording_console)
-
-        @skip_recording_console = ::Rails.env.development? || ::Rails.env.test?
-      end
-
       def filter_parameters=(new_filter_parameters)
         @filter_parameters = new_filter_parameters
       end
@@ -38,19 +28,9 @@ module Cased
         @filter_parameters = if ENV['CASED_FILTER_PARAMETERS']
           parse_bool(ENV['CASED_FILTER_PARAMETERS'])
         else
-          true
+          ::Rails.env.staging? || ::Rails.env.production?
         end
       end
-
-      def url=(url)
-        @url = url
-      end
-
-      def url
-        return @url if defined?(@url)
-
-        @url = ENV.fetch('CASED_URL', 'https://app.cased.com')
-      end
     end
   end
 end

data/lib/cased/rails/railtie.rb

@@ -57,8 +57,9 @@ module Cased
       console do
         Cased.console
 
-        # We only want to record any non-development or test console sessions.
-        next if Cased.config.skip_recording_console?
+        # We only want to start an interactive session if Cased CLI is
+        # configured.
+        next if Cased.config.guard_application_key.blank?
 
         session = Cased::CLI::InteractiveSession.start(command: "#{Dir.pwd}/bin/rails console")
         Cased.context.merge(guard_session: session)

data/lib/cased/rails/version.rb

@@ -2,6 +2,6 @@
 
 module Cased
   module Rails
-    VERSION = '0.4.1'
+    VERSION = '0.6.0'
   end
 end

data/lib/tasks/cased.rake

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+desc 'Enforce your Cased CLI controls before the Rake task is executed'
+task :guard do
+  next if Cased.config.guard_application_key.blank?
+
+  session = Cased::CLI::InteractiveSession.start
+  next unless session.record_output?
+
+  exit unless Cased::CLI::Session.current&.approved?
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cased-rails
 version: !ruby/object:Gem::Version
-  version: 0.4.1
+  version: 0.6.0
 platform: ruby
 authors:
 - Garrett Bjerkhoel
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-03 00:00:00.000000000 Z
+date: 2022-01-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cased-ruby
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.4.0
+        version: 0.5.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.4.0
+        version: 0.5.1
 - !ruby/object:Gem::Dependency
   name: jbuilder
   requirement: !ruby/object:Gem::Requirement
@@ -52,6 +52,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '6.0'
+- !ruby/object:Gem::Dependency
+  name: rexml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.2.5
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.2.5
 - !ruby/object:Gem::Dependency
   name: mocha
   requirement: !ruby/object:Gem::Requirement
@@ -86,14 +100,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.77.0
+        version: 0.93.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.77.0
+        version: 0.93.1
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
@@ -147,11 +161,12 @@ files:
 - lib/cased/rails/model.rb
 - lib/cased/rails/railtie.rb
 - lib/cased/rails/version.rb
+- lib/tasks/cased.rake
 homepage: https://github.com/cased/cased-rails
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -166,8 +181,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.2.15
+signing_key:
 specification_version: 4
 summary: Ruby on Rails SDK/client library for Cased
 test_files: []