console1984 0.1.0 → 0.1.4

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 985b93be5f065f2f12ec2e121a84d1951aa8d2d0f4e8bf628dccd4680a3581d1
4
- data.tar.gz: e5e40eadddc7f44e25e1384c948897058b8fd2ddacafb6f4b2ef3f63e7cc20e8
3
+ metadata.gz: 39d8147e2b8b8fa0a20c6aec1422a28633afe80567bac0ac0c98a7d6096ae430
4
+ data.tar.gz: 760d761d4ced82752b89aa7bd1de44416d545a75bdb0f4266165718100d8a7a5
5
5
  SHA512:
6
- metadata.gz: b6d2d32d9210d20a082e7844d873e514ba61ec9e18546d4d8e353ed8a1360685c0bcde0406140c635a79b2fb34519148c988e7e5ff1a3579afb97120f5930330
7
- data.tar.gz: 7b32ac9d5cd80e4f7840d12c803122ddc521f5256028e03f6f0cd401081c12dee755934393cb005d26ebe5a30a24dfc79b934acb2ee1a6d44dfa9c978137f833
6
+ metadata.gz: 3eedbf3cc3436469edd615b397af1c5ad03195f7f1eebfcc1ed6da859a90e0fc213327f8d487841640ddec8c4d39ed1562239e9dda10360a622f59aa809b6f9a
7
+ data.tar.gz: bdd11a8580f29fd700c954c486e01dc1f8189e452565f37b281d9ee96b78bd375c2f02728df3c4ce405c047fc9fe52b5eac8b5b90a62519bfeaff4aa1465a5d9
data/README.md CHANGED
@@ -1,95 +1,151 @@
1
+ ![example workflow](https://github.com/basecamp/console1984/actions/workflows/build.yml/badge.svg)
2
+
1
3
  # Console1984
2
4
 
3
- A Rails Console that audits commands and protects users privacy.
5
+ A Rails console extension that protects sensitive accesses and makes them auditable.
4
6
 
5
7
  > “If you want to keep a secret, you must also hide it from yourself.”
6
- >
8
+ >
7
9
  > ― George Orwell, 1984
8
10
 
9
- ## Usage
11
+ If you are looking for the auditing tool, check [`audits1984`](https://github.com/basecamp/audits1984).
12
+
13
+ ![console-session-reason](docs/images/console-session-reason.png)
10
14
 
11
- Add this line to your application's Gemfile:
15
+ ## Installation
16
+
17
+ Add it to your `Gemfile`:
12
18
 
13
19
  ```ruby
14
20
  gem 'console1984'
15
21
  ```
16
22
 
17
- By default, `console1984` will only work in `production`. [You can configure other environments](#protected-environments).
18
-
19
- ## Features
20
-
21
- ### Auditing
22
-
23
- The console will ask for a reason for the console session, identifying the user via the environment
24
- variable `CONSOLE_USER`.
25
-
26
- After that, every command the user types will be captured and logged. `console1984` uses
27
- [`rails-structured-logggin`](https://github.com/basecamp/rails-structured-logging) to form
28
- a JSON entry that looks like this:
29
-
30
- ```json
31
- {
32
- "@timestamp": "2020-05-15T15:05:45.845642+02:00",
33
- "ecs": {
34
- "version": "1.2.0"
35
- },
36
- "event": {
37
- "action": "console.audit_trail",
38
- "duration": {
39
- "ms": 0.01
40
- }
41
- },
42
- "console": {
43
- "user": "Jorge",
44
- "reason": "fix something",
45
- "commands": "Account.first\n"
46
- },
47
- "rails": {
48
- "application": "haystack",
49
- "env": "beta"
50
- },
51
- "ruby": {
52
- "allocations": {
53
- "count": 0
54
- }
55
- },
56
- "process": {
57
- "pid": 8539,
58
- "name": "rails_console",
59
- "working_directory": "/Users/jorge/Work/basecamp/haystack"
60
- },
61
- "performance": {
62
- "time": {
63
- "cpu": {
64
- "ms": 0.01
65
- },
66
- "idle": {
67
- "ms": 0.0
68
- }
69
- }
70
- },
71
- "original": " Account Load (1.0ms) SELECT `accounts`.* FROM `accounts` ORDER BY `accounts`.`id` ASC LIMIT 1\n"
72
- }
23
+ Create tables to store console activity in the database:
24
+
25
+ ```ruby
26
+ rails console1984:install:migrations
27
+ rails db:migrate
73
28
  ```
74
29
 
75
- ## Configuration
30
+ By default, console1984 is only enabled in `production`. You can configure the target environments in your `application.rb`:
31
+
32
+ ```ruby
33
+ config.console1984.protected_environments = %i[ production staging ]
34
+ ```
35
+
36
+ ## How it works
37
+
38
+ ### Session activity logging
39
+
40
+ When starting a console session, it will ask for a reason. Internally, it will use this reason to document the console session and record all the commands executed in it.
41
+
42
+ ```
43
+ $ rails c
44
+
45
+ You have access to production data here. That's a big deal. As part of our promise to keep customer data safe and private, we audit the commands you type here. Let's get started!
76
46
 
77
- ### Protected environments
78
47
 
79
- <a name="protected-environments"></a>
80
48
 
81
- By default, `console1984` will only be enabled in `production`. You can configure the target environments with
82
- `config.console1984.protected_environments`:
49
+ Commands:
50
+
51
+ * decrypt!: enter unprotected mode with access to encrypted information
52
+
53
+ Unnamed, why are you using this console today?
54
+
55
+ > ...
56
+ ```
57
+
58
+ ### Auditing sessions
59
+
60
+ Check out [`audits1984`](https://github.com/basecamp/audits1984), a companion auditing tool prepared to work with `console1984` database session trails.
61
+
62
+ ### Access to encrypted data
63
+
64
+ By default, `console1984` won't decrypt data encrypted with [Active Record encryption](https://edgeguides.rubyonrails.org/active_record_encryption.html). Users will just see the ciphertexts.
65
+
66
+ To decrypt data, enter the command `decrypt!`. It will ask for a justification, and these accesses will be flagged internally as sensitive.
83
67
 
84
68
  ```ruby
85
- config.console1984.protected_environments = %i[ staging production ]
69
+ irb(main)> Topic.last.name
70
+ Topic Load (1.4ms) SELECT `topics`.* FROM `topics` ORDER BY `topics`.`id` DESC LIMIT 1
71
+ => "{\"p\":\"iu6+LfnNlurC6sL++JyOIDvedjNSz/AvnZQ=\",\"h\":{\"iv\":\"BYa86+JNM/LdkC18\",\"at\":\"r4sQNoSyIlAjJdZEKHVMow==\",\"k\":{\"p\":\"7L1l/5UiYsFQqqo4jfMZtLwp90KqcrIgS7HqgteVjuM=\",\"h\":{\"iv\":\"ItwRYxZAerKIoSZ8\",\"at\":\"ZUSNVfvtm4wAYWLBKRAx/g==\",\"e\":\"QVNDSUktOEJJVA==\"}},\"i\":\"OTdiOQ==\"}}"
72
+ irb(main):002:0> decrypt!
73
+ ```
74
+
86
75
  ```
76
+ Before you can access personal information, you need to ask for and get explicit consent from the user(s). Unnamed, where can we find this consent (a URL would be great)?
87
77
 
88
- ### Audit logger
78
+ > ...
89
79
 
90
- By default, the console will output JSON entries for audit trails to STDOUT. You can configure the
91
- used logger with `config.console1984.audit_logger`:
80
+ Ok! You have access to encrypted information now. We pay extra close attention to any commands entered while you have this access. You can go back to protected mode with 'encrypt!'
81
+
82
+ WARNING: Make sure you don`t save objects that were loaded while in protected mode, as this can result in saving the encrypted texts.
83
+ ```
92
84
 
93
85
  ```ruby
94
- config.console1984.audit_logger = ActiveSupport::Logger.new("log/console.txt")
86
+ irb(main)> Topic.last.name
87
+ Topic Load (1.2ms) SELECT `topics`.* FROM `topics` ORDER BY `topics`.`id` DESC LIMIT 1
88
+ => "Thanks for the inspiration"
95
89
  ```
90
+
91
+ You can type `encrypt!` to go back to protected mode again.
92
+
93
+ ```ruby
94
+ irb(main):004:0> encrypt!
95
+ ```
96
+
97
+ ```
98
+ Great! You are back in protected mode. When we audit, we may reach out for a conversation about the commands you entered. What went well? Did you solve the problem without accessing personal data?
99
+ ```
100
+
101
+ ```ruby
102
+ irb(main)> Topic.last.name
103
+ Topic Load (1.4ms) SELECT `topics`.* FROM `topics` ORDER BY `topics`.`id` DESC LIMIT 1
104
+ => "{\"p\":\"iu6+LfnNlurC6sL++JyOIDvedjNSz/AvnZQ=\",\"h\":{\"iv\":\"BYa86+JNM/LdkC18\",\"at\":\"r4sQNoSyIlAjJdZEKHVMow==\",\"k\":{\"p\":\"7L1l/5UiYsFQqqo4jfMZtLwp90KqcrIgS7HqgteVjuM=\",\"h\":{\"iv\":\"ItwRYxZAerKIoSZ8\",\"at\":\"ZUSNVfvtm4wAYWLBKRAx/g==\",\"e\":\"QVNDSUktOEJJVA==\"}},\"i\":\"OTdiOQ==\"}}"
105
+ ```
106
+
107
+ While in protected mode, you can't modify encrypted data, but can save unencrypted attributes normally. If you try to modify an encrypted column it will raise an error:
108
+
109
+ ```ruby
110
+ irb(main)> Rails.cache.read("some key") # raises Console1984::Errors::ProtectedConnection
111
+ ```
112
+
113
+ ### Access to external systems
114
+
115
+ While Active Record encryption can protect personal information in the database, are other systems can contain very sensitive information. For example: Elasticsearch indexing user information or Redis caching template fragments.
116
+
117
+ To protect the access to such systems, you can add their URLs to `config.console1984.protected_urls` in the corresponding environment config file (e.g: `production.rb`):
118
+
119
+ ```ruby
120
+ config.console1984.protected_urls = [ "https://my-app-us-east-1-whatever.us-east-1.es.amazonaws.com", "redis://my-app-cache-1.whatever.cache.amazonaws.com:6379" ]
121
+ ```
122
+
123
+ As with encryption data, running `decrypt!` will let you access these systems normally. The system will ask for a justfication and will flag those accesses as sensitive.
124
+
125
+ This will work for systems that use Ruby sockets as the underlying communication mechanism.
126
+
127
+ ### Automatic scheduled incineration for sessions
128
+
129
+ By default, sessions will be incinerated with a job 30 days after they are created. You can configure this period by setting `config.console1984.incinerate_after = 1.year` and you can disable incineration completely by setting `config.console1984.incinerate = false`.
130
+
131
+ ## Configuration
132
+
133
+ These config options are namespaced in `config.console1984`:
134
+
135
+ | Name | Description |
136
+ | ------------------------------------------- | ------------------------------------------------------------ |
137
+ | `protected_environments` | The list of environments where `console1984` will act on. Defaults to `%i[ production ]`. |
138
+ | `protected_urls` | The list of URLs corresponding with external systems to protect. |
139
+ | `session_logger` | The system used to record session data. The default logger is `Console1984::SessionsLogger::Database`. |
140
+ | `username_resolver` | Configure an object responsible of resolving the current database username. The default is `Console1984::Username::EnvResolver.new("CONSOLE_USER")`, which returns the value of the environment variable `CONSOLE_USER`. |
141
+ | `production_data_warning` | The text to show when a console session starts. |
142
+ | `enter_unprotected_encryption_mode_warning` | The text to show when user enters into unprotected mode. |
143
+ | `enter_protected_mode_warning` | The text to show when user go backs to protected mode. |
144
+ | `incinerate` | Whether incinerate sessions automatically after a period of time or not. Default to `true`. |
145
+ | `incinerate_after` | The period to keep sessions around before incinerate them. Default `30.days`. |
146
+ | `incineration_queue` | The name of the queue for session incineration jobs. Default `console1984_incineration`. |
147
+
148
+ ## About built-in protection mechanisms
149
+
150
+ `console1984` uses Ruby to add several protection mechanisms. However, because Ruby is highly dynamic, it's technically possible to circumvent most of these controls if you know what you are doing. We have made an effort to prevent such attempts, but if your organization needs bullet-proof protection against malicious actors using the console, you should consider additional security measures.
151
+
data/lib/console1984.rb CHANGED
@@ -7,36 +7,14 @@ loader.setup
7
7
  module Console1984
8
8
  include Messages
9
9
 
10
- mattr_accessor :supervisor
11
- mattr_accessor :session_logger
12
- mattr_accessor :username_resolver
13
-
14
- mattr_accessor :protected_environments
15
- mattr_reader :protected_urls, default: []
16
-
17
- mattr_reader :production_data_warning, default: DEFAULT_PRODUCTION_DATA_WARNING
18
- mattr_reader :enter_unprotected_encryption_mode_warning, default: DEFAULT_ENTER_UNPROTECTED_ENCRYPTION_MODE_WARNING
19
- mattr_reader :enter_protected_mode_warning, default: DEFAULT_ENTER_PROTECTED_MODE_WARNING
20
-
21
- mattr_accessor :incinerate, default: true
22
- mattr_accessor :incinerate_after, default: 30.days
23
- mattr_accessor :incineration_queue, default: "console1984_incineration"
24
-
25
- mattr_accessor :debug, default: false
10
+ mattr_reader :supervisor, default: Supervisor.new
11
+ mattr_reader :config, default: Config.new
26
12
 
27
13
  thread_mattr_accessor :currently_protected_urls, default: []
28
14
 
29
15
  class << self
30
- def install_support(config)
31
- self.protected_environments ||= config.protected_environments
32
- self.protected_urls.push(*config.protected_urls)
33
- self.session_logger = config.session_logger || Console1984::SessionsLogger::Database.new
34
- self.username_resolver = config.username_resolver || Console1984::Username::EnvResolver.new("CONSOLE_USER")
35
-
36
- self.supervisor = Supervisor.new
37
- self.protected_urls.freeze
38
-
39
- extend_protected_systems
16
+ Config::PROPERTIES.each do |property|
17
+ delegate property, to: :config
40
18
  end
41
19
 
42
20
  def running_protected_environment?
@@ -50,31 +28,6 @@ module Console1984
50
28
  end
51
29
 
52
30
  private
53
- def extend_protected_systems
54
- extend_active_record
55
- extend_socket_classes
56
- end
57
-
58
- def extend_active_record
59
- %w[ActiveRecord::ConnectionAdapters::Mysql2Adapter ActiveRecord::ConnectionAdapters::PostgreSQLAdapter ActiveRecord::ConnectionAdapters::SQLite3Adapter].each do |class_string|
60
- if Object.const_defined?(class_string)
61
- klass = class_string.constantize
62
- klass.prepend(Console1984::ProtectedAuditableTables)
63
- end
64
- end
65
- end
66
-
67
- def extend_socket_classes
68
- socket_classes = [TCPSocket, OpenSSL::SSL::SSLSocket]
69
- if defined?(Redis::Connection)
70
- socket_classes.push(*[Redis::Connection::TCPSocket, Redis::Connection::SSLSocket])
71
- end
72
-
73
- socket_classes.compact.each do |socket_klass|
74
- socket_klass.prepend Console1984::ProtectedTcpSocket
75
- end
76
- end
77
-
78
31
  def protecting_connections
79
32
  old_currently_protected_urls = self.currently_protected_urls
80
33
  self.currently_protected_urls = protected_urls
@@ -11,4 +11,6 @@ module Console1984::Commands
11
11
  def supervisor
12
12
  Console1984.supervisor
13
13
  end
14
+
15
+ include Console1984::FrozenMethods
14
16
  end
@@ -0,0 +1,49 @@
1
+ # Container for config options.
2
+ class Console1984::Config
3
+ include Console1984::Messages
4
+
5
+ PROPERTIES = %i[
6
+ session_logger username_resolver
7
+ protected_environments protected_urls
8
+ production_data_warning enter_unprotected_encryption_mode_warning enter_protected_mode_warning
9
+ incinerate incinerate_after incineration_queue
10
+ debug freeze_config
11
+ ]
12
+
13
+ attr_accessor(*PROPERTIES)
14
+
15
+ def initialize
16
+ set_defaults
17
+ end
18
+
19
+ def set_from(properties)
20
+ properties.each do |key, value|
21
+ public_send("#{key}=", value) if value.present?
22
+ end
23
+ end
24
+
25
+ def freeze
26
+ super if freeze_config
27
+ protected_urls.freeze
28
+ end
29
+
30
+ private
31
+ def set_defaults
32
+ self.protected_environments = []
33
+ self.protected_urls = []
34
+
35
+ self.session_logger = Console1984::SessionsLogger::Database.new
36
+ self.username_resolver = Console1984::Username::EnvResolver.new("CONSOLE_USER")
37
+
38
+ self.production_data_warning = DEFAULT_PRODUCTION_DATA_WARNING
39
+ self.enter_unprotected_encryption_mode_warning = DEFAULT_ENTER_UNPROTECTED_ENCRYPTION_MODE_WARNING
40
+ self.enter_protected_mode_warning = DEFAULT_ENTER_PROTECTED_MODE_WARNING
41
+
42
+ self.incinerate = true
43
+ self.incinerate_after = 30.days
44
+ self.incineration_queue = "console1984_incineration"
45
+
46
+ self.debug = false
47
+ self.freeze_config = true
48
+ end
49
+ end
@@ -10,12 +10,13 @@ module Console1984
10
10
 
11
11
  initializer "console1984.config" do
12
12
  config.console1984.each do |key, value|
13
- Console1984.send("#{key}=", value) unless %i[ protected_urls protected_environments ].include?(key.to_sym)
13
+ Console1984.config.send("#{key}=", value) unless %i[ protected_urls protected_environments ].include?(key.to_sym)
14
14
  end
15
15
  end
16
16
 
17
17
  console do
18
- Console1984.install_support(config.console1984)
18
+ Console1984.config.set_from(config.console1984)
19
+
19
20
  Console1984.supervisor.start if Console1984.running_protected_environment?
20
21
 
21
22
  class OpenSSL::SSL::SSLSocket
@@ -9,5 +9,6 @@ module Console1984
9
9
 
10
10
  class ForbiddenCommand < StandardError; end
11
11
  class ForbiddenIncineration < StandardError; end
12
+ class ForbiddenClassManipulation < StandardError; end
12
13
  end
13
14
  end
@@ -0,0 +1,17 @@
1
+ # Prevents adding new methods to classes.
2
+ #
3
+ # This prevents manipulating certain Console1984 classes
4
+ # during a console session.
5
+ module Console1984::FrozenMethods
6
+ extend ActiveSupport::Concern
7
+
8
+ module ClassMethods
9
+ def method_added(method_name)
10
+ raise Console1984::Errors::ForbiddenClassManipulation, "Can't override #{name}##{method_name}"
11
+ end
12
+
13
+ def singleton_method_added(method_name)
14
+ raise Console1984::Errors::ForbiddenClassManipulation, "Can't override #{name}.#{method_name}"
15
+ end
16
+ end
17
+ end
@@ -17,8 +17,7 @@ module Console1984::Messages
17
17
  TXT
18
18
 
19
19
  COMMANDS = {
20
- "decrypt!": "enter unprotected mode with access to encrypted information",
21
- "log '<reason>'": "provide further information about what you are going to do in the middle of a console session"
20
+ "decrypt!": "enter unprotected mode with access to encrypted information"
22
21
  }
23
22
 
24
23
  COMMANDS_HELP = <<~TXT
@@ -1,4 +1,5 @@
1
1
  module Console1984
2
+ # Prevents accessing trail model tables when executing console commands.
2
3
  module ProtectedAuditableTables
3
4
  %i[ execute exec_query exec_insert exec_delete exec_update exec_insert_all ].each do |method|
4
5
  define_method method do |*args|
@@ -23,4 +24,6 @@ module Console1984
23
24
  @auditable_tables ||= AUDITABLE_MODELS.collect(&:table_name)
24
25
  end
25
26
  end
27
+
28
+ include Console1984::FrozenMethods
26
29
  end
@@ -1,15 +1,18 @@
1
1
  module Console1984::ProtectedContext
2
- # Protect the code to show inspected objects too. This method is invoked
3
- # for showing returned objects in the console
2
+ # This method is invoked for showing returned objects in the console
3
+ # Overridden to make sure their evaluation is supervised.
4
4
  def inspect_last_value
5
5
  Console1984.supervisor.execute do
6
6
  super
7
7
  end
8
8
  end
9
9
 
10
+ #
10
11
  def evaluate(line, line_no, exception: nil)
11
12
  Console1984.supervisor.execute_supervised(Array(line)) do
12
13
  super
13
14
  end
14
15
  end
16
+
17
+ include Console1984::FrozenMethods
15
18
  end
@@ -1,3 +1,4 @@
1
+ # Wraps socket methods to execute supervised.
1
2
  module Console1984::ProtectedTcpSocket
2
3
  def write(*args)
3
4
  protecting do
@@ -53,4 +54,6 @@ module Console1984::ProtectedTcpSocket
53
54
  super(addrinfo.ip_address, addrinfo.ip_port)
54
55
  end
55
56
  end
57
+
58
+ include Console1984::FrozenMethods
56
59
  end
@@ -1,9 +1,10 @@
1
+ # A session logger that saves audit trails in the database.
1
2
  class Console1984::SessionsLogger::Database
2
3
  attr_reader :current_session, :current_sensitive_access
3
4
 
4
5
  def start_session(username, reason)
5
6
  silence_logging do
6
- user = Console1984::User.create_or_find_by!(username: username)
7
+ user = Console1984::User.find_or_create_by!(username: username)
7
8
  @current_session = user.sessions.create! reason: reason
8
9
  end
9
10
  end
@@ -1,48 +1,47 @@
1
1
  require 'colorized_string'
2
2
  require 'rails/console/app'
3
3
 
4
+ # Protects console sessions and executes code in supervised mode.
4
5
  class Console1984::Supervisor
5
- include Accesses, InputOutput, Executor
6
-
7
- attr_reader :session_id
8
- delegate :session_logger, :username_resolver, to: Console1984
9
-
10
- def initialize
11
- disable_access_to_encrypted_content(silent: true)
12
- end
6
+ include Accesses, InputOutput, Executor, Protector
13
7
 
8
+ # Starts a console session extending IRB and several systems to inject
9
+ # the protection logic, and notifies the session logger to record the
10
+ # session.
14
11
  def start
15
- show_production_data_warning
16
- show_commands
12
+ Console1984.config.freeze
13
+ extend_protected_systems
14
+ disable_access_to_encrypted_content(silent: true)
17
15
 
18
- extend_irb
16
+ show_welcome_message
19
17
 
20
- session_logger.start_session current_username, ask_for_session_reason
18
+ start_session
21
19
  end
22
20
 
23
21
  def stop
24
- session_logger.finish_session
22
+ stop_session
25
23
  end
26
24
 
27
25
  private
28
- def current_username
29
- username_resolver.current
26
+ def start_session
27
+ session_logger.start_session current_username, ask_for_session_reason
30
28
  end
31
29
 
32
- def show_production_data_warning
33
- show_warning Console1984.production_data_warning
30
+ def stop_session
31
+ session_logger.finish_session
34
32
  end
35
33
 
36
- def extend_irb
37
- IRB::Context.prepend(Console1984::ProtectedContext)
38
- Rails::ConsoleMethods.include(Console1984::Commands)
34
+ def session_logger
35
+ Console1984.session_logger
39
36
  end
40
37
 
41
- def ask_for_session_reason
42
- ask_for_value("#{current_username}, why are you using this console today?")
38
+ def current_username
39
+ Console1984.username_resolver.current
43
40
  end
44
41
 
45
- def show_commands
46
- puts COMMANDS_HELP
42
+ def username_resolver
43
+ Console1984.username_resolver
47
44
  end
45
+
46
+ include Console1984::FrozenMethods
48
47
  end
@@ -4,7 +4,7 @@ module Console1984::Supervisor::Executor
4
4
  def execute_supervised(commands, &block)
5
5
  run_system_command { session_logger.before_executing commands }
6
6
  execute(&block)
7
- rescue Console1984::Errors::ForbiddenCommand
7
+ rescue Console1984::Errors::ForbiddenCommand, Console1984::Errors::ForbiddenClassManipulation
8
8
  puts "Forbidden command attempted: #{commands.join("\n")}"
9
9
  run_system_command { session_logger.suspicious_commands_attempted commands }
10
10
  nil
@@ -1,11 +1,31 @@
1
1
  module Console1984::Supervisor::InputOutput
2
- def show_warning(message)
3
- puts ColorizedString.new("\n#{message}\n").yellow
4
- end
5
-
6
- def ask_for_value(message)
7
- puts ColorizedString.new("#{message}").green
8
- reason = $stdin.gets.strip until reason.present?
9
- reason
10
- end
2
+ include Console1984::Messages
3
+
4
+ private
5
+ def show_welcome_message
6
+ show_production_data_warning
7
+ show_commands
8
+ end
9
+
10
+ def show_production_data_warning
11
+ show_warning Console1984.production_data_warning
12
+ end
13
+
14
+ def ask_for_session_reason
15
+ ask_for_value("#{current_username}, why are you using this console today?")
16
+ end
17
+
18
+ def show_commands
19
+ puts COMMANDS_HELP
20
+ end
21
+
22
+ def show_warning(message)
23
+ puts ColorizedString.new("\n#{message}\n").yellow
24
+ end
25
+
26
+ def ask_for_value(message)
27
+ puts ColorizedString.new("#{message}").green
28
+ reason = $stdin.gets.strip until reason.present?
29
+ reason
30
+ end
11
31
  end
@@ -0,0 +1,37 @@
1
+ module Console1984::Supervisor::Protector
2
+ extend ActiveSupport::Concern
3
+
4
+ private
5
+ def extend_protected_systems
6
+ extend_irb
7
+ extend_active_record
8
+ extend_socket_classes
9
+ end
10
+
11
+ def extend_irb
12
+ IRB::Context.prepend(Console1984::ProtectedContext)
13
+ Rails::ConsoleMethods.include(Console1984::Commands)
14
+ end
15
+
16
+ ACTIVE_RECORD_CONNECTION_ADAPTERS = %w[ActiveRecord::ConnectionAdapters::Mysql2Adapter ActiveRecord::ConnectionAdapters::PostgreSQLAdapter ActiveRecord::ConnectionAdapters::SQLite3Adapter]
17
+
18
+ def extend_active_record
19
+ ACTIVE_RECORD_CONNECTION_ADAPTERS.each do |class_string|
20
+ if Object.const_defined?(class_string)
21
+ klass = class_string.constantize
22
+ klass.prepend(Console1984::ProtectedAuditableTables)
23
+ end
24
+ end
25
+ end
26
+
27
+ def extend_socket_classes
28
+ socket_classes = [TCPSocket, OpenSSL::SSL::SSLSocket]
29
+ if defined?(Redis::Connection)
30
+ socket_classes.push(*[Redis::Connection::TCPSocket, Redis::Connection::SSLSocket])
31
+ end
32
+
33
+ socket_classes.compact.each do |socket_klass|
34
+ socket_klass.prepend Console1984::ProtectedTcpSocket
35
+ end
36
+ end
37
+ end
@@ -1,3 +1,5 @@
1
+ # A username resolver that returns the value of a given
2
+ # environment variable.
1
3
  class Console1984::Username::EnvResolver
2
4
  def initialize(key)
3
5
  @key = key
@@ -1,3 +1,3 @@
1
1
  module Console1984
2
- VERSION = '0.1.0'
2
+ VERSION = '0.1.4'
3
3
  end
@@ -0,0 +1,26 @@
1
+ arithmetic_1:
2
+ session: arithmetic
3
+ statements: 1+1
4
+ arithmetic_2:
5
+ session: arithmetic
6
+ statements: 2+2
7
+ arithmetic_3:
8
+ session: arithmetic
9
+ statements: 3+3
10
+
11
+ sensitive_1:
12
+ session: sensitive_printing
13
+ statements: "puts 'so sensitive 1'"
14
+ sensitive_access: sensitive_printing
15
+ sensitive_2:
16
+ session: sensitive_printing
17
+ statements: "puts 'so sensitive 2'"
18
+ sensitive_access: sensitive_printing
19
+ sensitive_3:
20
+ session: sensitive_printing
21
+ statements: "puts 'so sensitive 3'"
22
+ sensitive_access: sensitive_printing
23
+
24
+
25
+
26
+
@@ -0,0 +1,3 @@
1
+ sensitive_printing:
2
+ session: sensitive_printing
3
+ justification: I got consent from customer
@@ -0,0 +1,9 @@
1
+ arithmetic:
2
+ user: jorge
3
+ reason: Arithmetic operations
4
+ created_at: <%= 1.day.ago %>
5
+
6
+ sensitive_printing:
7
+ user: jorge
8
+ reason: Sensitive printing
9
+ created_at: <%= 2.days.ago %>
@@ -0,0 +1,2 @@
1
+ jorge:
2
+ username: jorge
@@ -0,0 +1,6 @@
1
+ jorge:
2
+ name: jorge
3
+ email: jorge@hey.com
4
+ julia:
5
+ name: julia
6
+ email: julia@hey.com
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: console1984
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.0
4
+ version: 0.1.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - Jorge Manrubia
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-08-18 00:00:00.000000000 Z
11
+ date: 2021-08-19 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: colorize
@@ -94,6 +94,20 @@ dependencies:
94
94
  - - ">="
95
95
  - !ruby/object:Gem::Version
96
96
  version: '0'
97
+ - !ruby/object:Gem::Dependency
98
+ name: rubocop-minitest
99
+ requirement: !ruby/object:Gem::Requirement
100
+ requirements:
101
+ - - ">="
102
+ - !ruby/object:Gem::Version
103
+ version: '0'
104
+ type: :development
105
+ prerelease: false
106
+ version_requirements: !ruby/object:Gem::Requirement
107
+ requirements:
108
+ - - ">="
109
+ - !ruby/object:Gem::Version
110
+ version: '0'
97
111
  - !ruby/object:Gem::Dependency
98
112
  name: rubocop-rails
99
113
  requirement: !ruby/object:Gem::Requirement
@@ -143,9 +157,10 @@ files:
143
157
  - db/migrate/20210517203931_create_console1984_tables.rb
144
158
  - lib/console1984.rb
145
159
  - lib/console1984/commands.rb
160
+ - lib/console1984/config.rb
146
161
  - lib/console1984/engine.rb
147
- - lib/console1984/env_variable_username.rb
148
162
  - lib/console1984/errors.rb
163
+ - lib/console1984/frozen_methods.rb
149
164
  - lib/console1984/messages.rb
150
165
  - lib/console1984/protected_auditable_tables.rb
151
166
  - lib/console1984/protected_context.rb
@@ -157,8 +172,14 @@ files:
157
172
  - lib/console1984/supervisor/accesses/unprotected.rb
158
173
  - lib/console1984/supervisor/executor.rb
159
174
  - lib/console1984/supervisor/input_output.rb
175
+ - lib/console1984/supervisor/protector.rb
160
176
  - lib/console1984/username/env_resolver.rb
161
177
  - lib/console1984/version.rb
178
+ - test/fixtures/console1984/commands.yml
179
+ - test/fixtures/console1984/sensitive_accesses.yml
180
+ - test/fixtures/console1984/sessions.yml
181
+ - test/fixtures/console1984/users.yml
182
+ - test/fixtures/people.yml
162
183
  homepage: http://github.com/basecamp/console1984
163
184
  licenses:
164
185
  - MIT
@@ -1,9 +0,0 @@
1
- class Console1984::EnvVariableUsername
2
- def initialize(key)
3
- @username = ENV[key]
4
- end
5
-
6
- def current_user_name
7
- @username
8
- end
9
- end