console1984 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 985b93be5f065f2f12ec2e121a84d1951aa8d2d0f4e8bf628dccd4680a3581d1
+  data.tar.gz: e5e40eadddc7f44e25e1384c948897058b8fd2ddacafb6f4b2ef3f63e7cc20e8
+SHA512:
+  metadata.gz: b6d2d32d9210d20a082e7844d873e514ba61ec9e18546d4d8e353ed8a1360685c0bcde0406140c635a79b2fb34519148c988e7e5ff1a3579afb97120f5930330
+  data.tar.gz: 7b32ac9d5cd80e4f7840d12c803122ddc521f5256028e03f6f0cd401081c12dee755934393cb005d26ebe5a30a24dfc79b934acb2ee1a6d44dfa9c978137f833

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2020 Jorge Manrubia
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,95 @@
+# Console1984
+
+A Rails Console that audits commands and protects users privacy.
+
+> “If you want to keep a secret, you must also hide it from yourself.”
+> 
+> ― George Orwell, 1984
+
+## Usage
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'console1984'
+```
+
+By default, `console1984` will only work in `production`. [You can configure other environments](#protected-environments). 
+
+## Features
+
+### Auditing
+
+The console will ask for a reason for the console session, identifying the user via the environment
+variable `CONSOLE_USER`.
+
+After that, every command the user types will be captured and logged. `console1984` uses
+[`rails-structured-logggin`](https://github.com/basecamp/rails-structured-logging) to form
+a JSON entry that looks like this:
+
+```json
+{
+  "@timestamp": "2020-05-15T15:05:45.845642+02:00",
+  "ecs": {
+    "version": "1.2.0"
+  },
+  "event": {
+    "action": "console.audit_trail",
+    "duration": {
+      "ms": 0.01
+    }
+  },
+  "console": {
+    "user": "Jorge",
+    "reason": "fix something",
+    "commands": "Account.first\n"
+  },
+  "rails": {
+    "application": "haystack",
+    "env": "beta"
+  },
+  "ruby": {
+    "allocations": {
+      "count": 0
+    }
+  },
+  "process": {
+    "pid": 8539,
+    "name": "rails_console",
+    "working_directory": "/Users/jorge/Work/basecamp/haystack"
+  },
+  "performance": {
+    "time": {
+      "cpu": {
+        "ms": 0.01
+      },
+      "idle": {
+        "ms": 0.0
+      }
+    }
+  },
+  "original": "  Account Load (1.0ms)  SELECT `accounts`.* FROM `accounts` ORDER BY `accounts`.`id` ASC LIMIT 1\n"
+}
+```
+
+## Configuration
+
+### Protected environments
+
+<a name="protected-environments"></a>
+
+By default, `console1984` will only be enabled in `production`. You can configure the target environments with
+`config.console1984.protected_environments`:
+
+```ruby
+config.console1984.protected_environments = %i[ staging production ]
+```
+
+### Audit logger
+
+By default, the console will output JSON entries for audit trails to STDOUT. You can configure the
+used logger with `config.console1984.audit_logger`: 
+
+```ruby
+config.console1984.audit_logger = ActiveSupport::Logger.new("log/console.txt")
+```

data/Rakefile

@@ -0,0 +1,32 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Console1984'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path('test/dummy/Rakefile', __dir__)
+load 'rails/tasks/engine.rake'
+
+load 'rails/tasks/statistics.rake'
+
+require 'bundler/gem_tasks'
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+task default: :test

data/app/jobs/console1984/incineration_job.rb

@@ -0,0 +1,17 @@
+module Console1984
+  class IncinerationJob < ActiveJob::Base
+    queue_as { Console1984.incineration_queue }
+
+    discard_on ActiveRecord::RecordNotFound
+
+    def self.schedule(session)
+      set(wait: Console1984.incinerate_after).perform_later(session)
+    end
+
+    def perform(session)
+      session.incinerate
+    end
+  end
+end
+
+ActiveSupport.run_load_hooks(:console_1984_incineration_job, Console1984::IncinerationJob)

data/app/models/console1984/base.rb

@@ -0,0 +1,7 @@
+module Console1984
+  class Base < ApplicationRecord
+    self.abstract_class = true
+  end
+end
+
+ActiveSupport.run_load_hooks(:console_1984_base, Console1984::Base)

data/app/models/console1984/command.rb

@@ -0,0 +1,14 @@
+module Console1984
+  class Command < Base
+    belongs_to :session
+    belongs_to :sensitive_access, optional: true
+
+    encrypts :statements
+
+    scope :sorted_chronologically, -> { order(created_at: :asc, id: :asc) }
+
+    def sensitive?
+      sensitive_access.present?
+    end
+  end
+end

data/app/models/console1984/sensitive_access.rb

@@ -0,0 +1,6 @@
+module Console1984
+  class SensitiveAccess < Base
+    belongs_to :session
+    has_many :commands
+  end
+end

data/app/models/console1984/session.rb

@@ -0,0 +1,15 @@
+module Console1984
+  class Session < Base
+    include Incineratable
+
+    belongs_to :user
+    has_many :commands, dependent: :destroy
+    has_many :sensitive_accesses, dependent: :destroy
+
+    def sensitive?
+      sensitive_accesses.any?
+    end
+  end
+end
+
+ActiveSupport.run_load_hooks(:console_1984_session, Console1984::Session)

data/app/models/console1984/session/incineratable.rb

@@ -0,0 +1,30 @@
+module Console1984::Session::Incineratable
+  extend ActiveSupport::Concern
+
+  included do
+    after_create_commit :incinerate_later, if: -> { Console1984.incinerate }
+  end
+
+  def incinerate_later
+    Console1984::IncinerationJob.schedule self
+  end
+
+  def incinerate
+    if incineratable?
+      destroy
+    else
+      raise Console1984::Errors::ForbiddenIncineration,
+            "Session #{id} was created at #{created_at.utc}. It shouldn't be deleted"\
+            " until #{earliest_possible_incineration_date.utc}, and now it's #{Time.now.utc}"
+    end
+  end
+
+  private
+    def incineratable?
+      Time.now >= earliest_possible_incineration_date
+    end
+
+    def earliest_possible_incineration_date
+      created_at + Console1984.incinerate_after
+    end
+end

data/app/models/console1984/user.rb

@@ -0,0 +1,5 @@
+module Console1984
+  class User < Base
+    has_many :sessions, dependent: :destroy
+  end
+end

data/config/routes.rb

@@ -0,0 +1,9 @@
+Console1984::Engine.routes.draw do
+  resources :sessions, only: %i[ index show ] do
+    resources :audits, only: %i[ create update ]
+  end
+
+  resource :filtered_sessions, only: %i[ update ]
+
+  root to: "sessions#index"
+end

data/db/migrate/20210517203931_create_console1984_tables.rb

@@ -0,0 +1,35 @@
+class CreateConsole1984Tables < ActiveRecord::Migration[7.0]
+  def change
+    create_table :console1984_sessions do |t|
+      t.text :reason
+      t.references :user, null: false
+      t.timestamps
+
+      t.index :created_at
+      t.index [ :user_id, :created_at ]
+    end
+
+    create_table :console1984_users do |t|
+      t.string :username, null: false
+      t.timestamps
+
+      t.index [:username]
+    end
+
+    create_table :console1984_commands do |t|
+      t.text :statements
+      t.references :sensitive_access
+      t.references :session, null: false
+      t.timestamps
+
+      t.index [ :session_id, :created_at, :sensitive_access_id ], name: "on_session_and_sensitive_chronologically"
+    end
+
+    create_table :console1984_sensitive_accesses do |t|
+      t.text :justification
+      t.references :session, null: false
+
+      t.timestamps
+    end
+  end
+end

data/lib/console1984.rb

@@ -0,0 +1,86 @@
+require 'console1984/engine'
+
+require "zeitwerk"
+loader = Zeitwerk::Loader.for_gem
+loader.setup
+
+module Console1984
+  include Messages
+
+  mattr_accessor :supervisor
+  mattr_accessor :session_logger
+  mattr_accessor :username_resolver
+
+  mattr_accessor :protected_environments
+  mattr_reader :protected_urls, default: []
+
+  mattr_reader :production_data_warning, default: DEFAULT_PRODUCTION_DATA_WARNING
+  mattr_reader :enter_unprotected_encryption_mode_warning, default: DEFAULT_ENTER_UNPROTECTED_ENCRYPTION_MODE_WARNING
+  mattr_reader :enter_protected_mode_warning, default: DEFAULT_ENTER_PROTECTED_MODE_WARNING
+
+  mattr_accessor :incinerate, default: true
+  mattr_accessor :incinerate_after, default: 30.days
+  mattr_accessor :incineration_queue, default: "console1984_incineration"
+
+  mattr_accessor :debug, default: false
+
+  thread_mattr_accessor :currently_protected_urls, default: []
+
+  class << self
+    def install_support(config)
+      self.protected_environments ||= config.protected_environments
+      self.protected_urls.push(*config.protected_urls)
+      self.session_logger = config.session_logger || Console1984::SessionsLogger::Database.new
+      self.username_resolver = config.username_resolver || Console1984::Username::EnvResolver.new("CONSOLE_USER")
+
+      self.supervisor = Supervisor.new
+      self.protected_urls.freeze
+
+      extend_protected_systems
+    end
+
+    def running_protected_environment?
+      protected_environments.collect(&:to_sym).include?(Rails.env.to_sym)
+    end
+
+    def protecting(&block)
+      protecting_connections do
+        ActiveRecord::Encryption.protecting_encrypted_data(&block)
+      end
+    end
+
+    private
+      def extend_protected_systems
+        extend_active_record
+        extend_socket_classes
+      end
+
+      def extend_active_record
+        %w[ActiveRecord::ConnectionAdapters::Mysql2Adapter ActiveRecord::ConnectionAdapters::PostgreSQLAdapter ActiveRecord::ConnectionAdapters::SQLite3Adapter].each do |class_string|
+          if Object.const_defined?(class_string)
+            klass = class_string.constantize
+            klass.prepend(Console1984::ProtectedAuditableTables)
+          end
+        end
+      end
+
+      def extend_socket_classes
+        socket_classes = [TCPSocket, OpenSSL::SSL::SSLSocket]
+        if defined?(Redis::Connection)
+          socket_classes.push(*[Redis::Connection::TCPSocket, Redis::Connection::SSLSocket])
+        end
+
+        socket_classes.compact.each do |socket_klass|
+          socket_klass.prepend Console1984::ProtectedTcpSocket
+        end
+      end
+
+      def protecting_connections
+        old_currently_protected_urls = self.currently_protected_urls
+        self.currently_protected_urls = protected_urls
+        yield
+      ensure
+        self.currently_protected_urls = old_currently_protected_urls
+      end
+  end
+end

data/lib/console1984/commands.rb

@@ -0,0 +1,14 @@
+module Console1984::Commands
+  def decrypt!
+    supervisor.enable_access_to_encrypted_content
+  end
+
+  def encrypt!
+    supervisor.disable_access_to_encrypted_content
+  end
+
+  private
+    def supervisor
+      Console1984.supervisor
+    end
+end

data/lib/console1984/engine.rb

@@ -0,0 +1,29 @@
+require 'irb'
+
+module Console1984
+  class Engine < ::Rails::Engine
+    isolate_namespace Console1984
+
+    config.console1984 = ActiveSupport::OrderedOptions.new
+    config.console1984.protected_environments ||= %i[ production ]
+    config.console1984.protected_urls ||= []
+
+    initializer "console1984.config" do
+      config.console1984.each do |key, value|
+        Console1984.send("#{key}=", value) unless %i[ protected_urls protected_environments ].include?(key.to_sym)
+      end
+    end
+
+    console do
+      Console1984.install_support(config.console1984)
+      Console1984.supervisor.start if Console1984.running_protected_environment?
+
+      class OpenSSL::SSL::SSLSocket
+        # Make it serve remote address as TCPSocket so that our extension works for it
+        def remote_address
+          Addrinfo.getaddrinfo(hostname, 443).first
+        end
+      end
+    end
+  end
+end

data/lib/console1984/env_variable_username.rb

@@ -0,0 +1,9 @@
+class Console1984::EnvVariableUsername
+  def initialize(key)
+    @username = ENV[key]
+  end
+
+  def current_user_name
+    @username
+  end
+end

data/lib/console1984/errors.rb

@@ -0,0 +1,13 @@
+module Console1984
+  module Errors
+    class ProtectedConnection < StandardError
+      def initialize(details)
+        super "A connection attempt was prevented because it represents a sensitive access."\
+          "Please run decrypt! and try again. You will be asked to justify this access: #{details}"
+      end
+    end
+
+    class ForbiddenCommand < StandardError; end
+    class ForbiddenIncineration < StandardError; end
+  end
+end

data/lib/console1984/messages.rb

@@ -0,0 +1,31 @@
+require 'colorized_string'
+
+module Console1984::Messages
+  DEFAULT_PRODUCTION_DATA_WARNING = <<~TXT
+
+  You have access to production data here. That's a big deal. As part of our promise to keep customer data safe and private, we audit the commands you type here. Let's get started!
+  TXT
+
+  DEFAULT_ENTER_UNPROTECTED_ENCRYPTION_MODE_WARNING = <<~TXT
+  Ok! You have access to encrypted information now. We pay extra close attention to any commands entered while you have this access. You can go back to protected mode with 'encrypt!'
+
+  WARNING: Make sure you don't save objects that were loaded while in protected mode, as this can result in saving the encrypted texts.
+  TXT
+
+  DEFAULT_ENTER_PROTECTED_MODE_WARNING = <<~TXT
+  Great! You are back in protected mode. When we audit, we may reach out for a conversation about the commands you entered. What went well? Did you solve the problem without accessing personal data?
+  TXT
+
+  COMMANDS = {
+      "decrypt!": "enter unprotected mode with access to encrypted information",
+      "log '<reason>'": "provide further information about what you are going to do in the middle of a console session"
+  }
+
+  COMMANDS_HELP = <<~TXT
+
+  Commands:
+
+  #{COMMANDS.collect { |command, help_line| "* #{ColorizedString.new(command.to_s).light_blue}: #{help_line}" }.join("\n")}
+
+  TXT
+end

data/lib/console1984/protected_auditable_tables.rb

@@ -0,0 +1,26 @@
+module Console1984
+  module ProtectedAuditableTables
+    %i[ execute exec_query exec_insert exec_delete exec_update exec_insert_all ].each do |method|
+      define_method method do |*args|
+        sql = args.first
+        if Console1984.supervisor.executing_user_command? && sql =~ auditable_tables_regexp
+          raise Console1984::Errors::ForbiddenCommand, "#{sql}"
+        else
+          super(*args)
+        end
+      end
+    end
+
+    private
+      AUDITABLE_MODELS = [ Console1984::User, Console1984::Session, Console1984::Command, Console1984::SensitiveAccess ]
+
+      def auditable_tables_regexp
+        @auditable_tables_regexp ||= Regexp.new("#{auditable_tables.join("|")}")
+      end
+
+      def auditable_tables
+        # TODO: Not using Console1984::Base.descendants during development to make this work without eager loading
+        @auditable_tables ||= AUDITABLE_MODELS.collect(&:table_name)
+      end
+  end
+end

data/lib/console1984/protected_context.rb

@@ -0,0 +1,15 @@
+module Console1984::ProtectedContext
+  # Protect the code to show inspected objects too. This method is invoked
+  # for showing returned objects in the console
+  def inspect_last_value
+    Console1984.supervisor.execute do
+      super
+    end
+  end
+
+  def evaluate(line, line_no, exception: nil)
+    Console1984.supervisor.execute_supervised(Array(line)) do
+      super
+    end
+  end
+end

data/lib/console1984/protected_tcp_socket.rb

@@ -0,0 +1,56 @@
+module Console1984::ProtectedTcpSocket
+  def write(*args)
+    protecting do
+      super
+    end
+  end
+
+  def write_nonblock(*args)
+    protecting do
+      super
+    end
+  end
+
+  private
+    def protecting
+      if protected?
+        raise Console1984::Errors::ProtectedConnection, remote_address.inspect
+      else
+        yield
+      end
+    end
+
+    def protected?
+      protected_addresses&.include?(ComparableAddress.new(remote_address))
+    end
+
+    def protected_addresses
+      @protected_addresses ||= Console1984.currently_protected_urls.collect do |url|
+        host, port = host_and_port_from(url)
+        Array(Addrinfo.getaddrinfo(host, port)).collect { |addrinfo| ComparableAddress.new(addrinfo) if addrinfo.ip_address }
+      end.flatten.compact.uniq
+    end
+
+    def host_and_port_from(url)
+      URI(url).then do |parsed_uri|
+        if parsed_uri.host
+          [parsed_uri.host, parsed_uri.port]
+        else
+          host_and_port_from_invalid_uri(url)
+        end
+      end
+    rescue URI::InvalidURIError
+      host_and_port_from_invalid_uri(url)
+    end
+
+    def host_and_port_from_invalid_uri(url)
+      host, _, port = url.rpartition(':')
+      [host, port]
+    end
+
+    ComparableAddress = Struct.new(:ip, :port) do
+      def initialize(addrinfo)
+        super(addrinfo.ip_address, addrinfo.ip_port)
+      end
+    end
+end

data/lib/console1984/sessions_logger/database.rb

@@ -0,0 +1,57 @@
+class Console1984::SessionsLogger::Database
+  attr_reader :current_session, :current_sensitive_access
+
+  def start_session(username, reason)
+    silence_logging do
+      user = Console1984::User.create_or_find_by!(username: username)
+      @current_session = user.sessions.create! reason: reason
+    end
+  end
+
+  def finish_session
+    @current_session = nil
+    @current_sensitive_access = nil
+  end
+
+  def start_sensitive_access(justification)
+    silence_logging do
+      @current_sensitive_access = current_session.sensitive_accesses.create! justification: justification
+    end
+  end
+
+  def end_sensitive_access
+    @current_sensitive_access = nil
+  end
+
+  def before_executing(statements)
+    silence_logging do
+      @before_commands_count = @current_session.commands.count
+      record_statements statements
+    end
+  end
+
+  def after_executing(statements)
+  end
+
+  def suspicious_commands_attempted(statements)
+    silence_logging do
+      sensitive_access = start_sensitive_access "Suspicious commands attempted"
+      Console1984::Command.last.update! sensitive_access: sensitive_access
+    end
+  end
+
+  private
+    def record_statements(statements)
+      @current_session.commands.create! statements: Array(statements).join("\n"), sensitive_access: current_sensitive_access
+    end
+
+    def silence_logging(&block)
+      if Console1984.debug
+        block.call
+      else
+        Console1984::IncinerationJob.logger.silence do
+          Console1984::Base.logger.silence(&block)
+        end
+      end
+    end
+end

data/lib/console1984/supervisor.rb

@@ -0,0 +1,48 @@
+require 'colorized_string'
+require 'rails/console/app'
+
+class Console1984::Supervisor
+  include Accesses, InputOutput, Executor
+
+  attr_reader :session_id
+  delegate :session_logger, :username_resolver, to: Console1984
+
+  def initialize
+    disable_access_to_encrypted_content(silent: true)
+  end
+
+  def start
+    show_production_data_warning
+    show_commands
+
+    extend_irb
+
+    session_logger.start_session current_username, ask_for_session_reason
+  end
+
+  def stop
+    session_logger.finish_session
+  end
+
+  private
+    def current_username
+      username_resolver.current
+    end
+
+    def show_production_data_warning
+      show_warning Console1984.production_data_warning
+    end
+
+    def extend_irb
+      IRB::Context.prepend(Console1984::ProtectedContext)
+      Rails::ConsoleMethods.include(Console1984::Commands)
+    end
+
+    def ask_for_session_reason
+      ask_for_value("#{current_username}, why are you using this console today?")
+    end
+
+    def show_commands
+      puts COMMANDS_HELP
+    end
+end

data/lib/console1984/supervisor/accesses.rb

@@ -0,0 +1,41 @@
+module Console1984::Supervisor::Accesses
+  include Console1984::Messages
+
+  PROTECTED_ACCESS = Protected.new
+  UNPROTECTED_ACCESS = Unprotected.new
+
+  def enable_access_to_encrypted_content(silent: false)
+    run_system_command do
+      show_warning Console1984.enter_unprotected_encryption_mode_warning if !silent && protected_mode?
+      justification = ask_for_value "\nBefore you can access personal information, you need to ask for and get explicit consent from the user(s). #{current_username}, where can we find this consent (a URL would be great)?"
+      session_logger.start_sensitive_access justification
+      nil
+    end
+  ensure
+    @access = UNPROTECTED_ACCESS
+    nil
+  end
+
+  def disable_access_to_encrypted_content(silent: false)
+    run_system_command do
+      show_warning Console1984.enter_protected_mode_warning if !silent && unprotected_mode?
+      session_logger.end_sensitive_access
+      nil
+    end
+  ensure
+    @access = PROTECTED_ACCESS
+    nil
+  end
+
+  def with_encryption_mode(&block)
+    @access.execute(&block)
+  end
+
+  def unprotected_mode?
+    @access.is_a?(Unprotected)
+  end
+
+  def protected_mode?
+    !unprotected_mode?
+  end
+end

data/lib/console1984/supervisor/accesses/protected.rb

@@ -0,0 +1,10 @@
+class Console1984::Supervisor::Accesses::Protected
+  def execute(&block)
+    Console1984.protecting(&block)
+  end
+
+  private
+    def null_encryptor
+      @null_encryptor ||= ActiveRecord::Encryption::NullEncryptor.new
+    end
+end

data/lib/console1984/supervisor/accesses/unprotected.rb

@@ -0,0 +1,5 @@
+class Console1984::Supervisor::Accesses::Unprotected
+  def execute(&block)
+    block.call
+  end
+end

data/lib/console1984/supervisor/executor.rb

@@ -0,0 +1,41 @@
+module Console1984::Supervisor::Executor
+  extend ActiveSupport::Concern
+
+  def execute_supervised(commands, &block)
+    run_system_command { session_logger.before_executing commands }
+    execute(&block)
+  rescue Console1984::Errors::ForbiddenCommand
+    puts "Forbidden command attempted: #{commands.join("\n")}"
+    run_system_command { session_logger.suspicious_commands_attempted commands }
+    nil
+  ensure
+    run_system_command { session_logger.after_executing commands }
+  end
+
+  def execute(&block)
+    run_user_command do
+      with_encryption_mode(&block)
+    end
+  end
+
+  def executing_user_command?
+    @executing_user_command
+  end
+
+  private
+    def run_user_command(&block)
+      run_command true, &block
+    end
+
+    def run_system_command(&block)
+      run_command false, &block
+    end
+
+    def run_command(run_by_user, &block)
+      original_value = @executing_user_command
+      @executing_user_command = run_by_user
+      block.call
+    ensure
+      @executing_user_command = original_value
+    end
+end

data/lib/console1984/supervisor/input_output.rb

@@ -0,0 +1,11 @@
+module Console1984::Supervisor::InputOutput
+  def show_warning(message)
+    puts ColorizedString.new("\n#{message}\n").yellow
+  end
+
+  def ask_for_value(message)
+    puts ColorizedString.new("#{message}").green
+    reason = $stdin.gets.strip until reason.present?
+    reason
+  end
+end

data/lib/console1984/username/env_resolver.rb

@@ -0,0 +1,14 @@
+class Console1984::Username::EnvResolver
+  def initialize(key)
+    @key = key
+  end
+
+  def current
+    "#{username}"
+  end
+
+  private
+    def username
+      @username ||= ENV[@key]&.humanize || "Unnamed"
+    end
+end

data/lib/console1984/version.rb

@@ -0,0 +1,3 @@
+module Console1984
+  VERSION = '0.1.0'
+end

metadata

@@ -0,0 +1,186 @@
+--- !ruby/object:Gem::Specification
+name: console1984
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Jorge Manrubia
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2021-08-18 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: colorize
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: benchmark-ips
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: mocha
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.18.4
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.18.4
+- !ruby/object:Gem::Dependency
+  name: rubocop-performance
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-packaging
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description:
+email:
+- jorge@basecamp.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- app/jobs/console1984/incineration_job.rb
+- app/models/console1984/base.rb
+- app/models/console1984/command.rb
+- app/models/console1984/sensitive_access.rb
+- app/models/console1984/session.rb
+- app/models/console1984/session/incineratable.rb
+- app/models/console1984/user.rb
+- config/routes.rb
+- db/migrate/20210517203931_create_console1984_tables.rb
+- lib/console1984.rb
+- lib/console1984/commands.rb
+- lib/console1984/engine.rb
+- lib/console1984/env_variable_username.rb
+- lib/console1984/errors.rb
+- lib/console1984/messages.rb
+- lib/console1984/protected_auditable_tables.rb
+- lib/console1984/protected_context.rb
+- lib/console1984/protected_tcp_socket.rb
+- lib/console1984/sessions_logger/database.rb
+- lib/console1984/supervisor.rb
+- lib/console1984/supervisor/accesses.rb
+- lib/console1984/supervisor/accesses/protected.rb
+- lib/console1984/supervisor/accesses/unprotected.rb
+- lib/console1984/supervisor/executor.rb
+- lib/console1984/supervisor/input_output.rb
+- lib/console1984/username/env_resolver.rb
+- lib/console1984/version.rb
+homepage: http://github.com/basecamp/console1984
+licenses:
+- MIT
+metadata:
+  allowed_push_host: https://rubygems.org
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.4
+signing_key:
+specification_version: 4
+summary: Your Rails console, 1984 style
+test_files: []