console1984 0.1.0 → 0.1.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +126 -70
- data/lib/console1984.rb +4 -51
- data/lib/console1984/commands.rb +2 -0
- data/lib/console1984/config.rb +49 -0
- data/lib/console1984/engine.rb +3 -2
- data/lib/console1984/errors.rb +1 -0
- data/lib/console1984/frozen_methods.rb +17 -0
- data/lib/console1984/messages.rb +1 -2
- data/lib/console1984/protected_auditable_tables.rb +3 -0
- data/lib/console1984/protected_context.rb +5 -2
- data/lib/console1984/protected_tcp_socket.rb +3 -0
- data/lib/console1984/sessions_logger/database.rb +2 -1
- data/lib/console1984/supervisor.rb +23 -24
- data/lib/console1984/supervisor/executor.rb +1 -1
- data/lib/console1984/supervisor/input_output.rb +29 -9
- data/lib/console1984/supervisor/protector.rb +37 -0
- data/lib/console1984/username/env_resolver.rb +2 -0
- data/lib/console1984/version.rb +1 -1
- data/test/fixtures/console1984/commands.yml +26 -0
- data/test/fixtures/console1984/sensitive_accesses.yml +3 -0
- data/test/fixtures/console1984/sessions.yml +9 -0
- data/test/fixtures/console1984/users.yml +2 -0
- data/test/fixtures/people.yml +6 -0
- metadata +24 -3
- data/lib/console1984/env_variable_username.rb +0 -9
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 39d8147e2b8b8fa0a20c6aec1422a28633afe80567bac0ac0c98a7d6096ae430
|
4
|
+
data.tar.gz: 760d761d4ced82752b89aa7bd1de44416d545a75bdb0f4266165718100d8a7a5
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 3eedbf3cc3436469edd615b397af1c5ad03195f7f1eebfcc1ed6da859a90e0fc213327f8d487841640ddec8c4d39ed1562239e9dda10360a622f59aa809b6f9a
|
7
|
+
data.tar.gz: bdd11a8580f29fd700c954c486e01dc1f8189e452565f37b281d9ee96b78bd375c2f02728df3c4ce405c047fc9fe52b5eac8b5b90a62519bfeaff4aa1465a5d9
|
data/README.md
CHANGED
@@ -1,95 +1,151 @@
|
|
1
|
+
![example workflow](https://github.com/basecamp/console1984/actions/workflows/build.yml/badge.svg)
|
2
|
+
|
1
3
|
# Console1984
|
2
4
|
|
3
|
-
A Rails
|
5
|
+
A Rails console extension that protects sensitive accesses and makes them auditable.
|
4
6
|
|
5
7
|
> “If you want to keep a secret, you must also hide it from yourself.”
|
6
|
-
>
|
8
|
+
>
|
7
9
|
> ― George Orwell, 1984
|
8
10
|
|
9
|
-
|
11
|
+
If you are looking for the auditing tool, check [`audits1984`](https://github.com/basecamp/audits1984).
|
12
|
+
|
13
|
+
![console-session-reason](docs/images/console-session-reason.png)
|
10
14
|
|
11
|
-
|
15
|
+
## Installation
|
16
|
+
|
17
|
+
Add it to your `Gemfile`:
|
12
18
|
|
13
19
|
```ruby
|
14
20
|
gem 'console1984'
|
15
21
|
```
|
16
22
|
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
The console will ask for a reason for the console session, identifying the user via the environment
|
24
|
-
variable `CONSOLE_USER`.
|
25
|
-
|
26
|
-
After that, every command the user types will be captured and logged. `console1984` uses
|
27
|
-
[`rails-structured-logggin`](https://github.com/basecamp/rails-structured-logging) to form
|
28
|
-
a JSON entry that looks like this:
|
29
|
-
|
30
|
-
```json
|
31
|
-
{
|
32
|
-
"@timestamp": "2020-05-15T15:05:45.845642+02:00",
|
33
|
-
"ecs": {
|
34
|
-
"version": "1.2.0"
|
35
|
-
},
|
36
|
-
"event": {
|
37
|
-
"action": "console.audit_trail",
|
38
|
-
"duration": {
|
39
|
-
"ms": 0.01
|
40
|
-
}
|
41
|
-
},
|
42
|
-
"console": {
|
43
|
-
"user": "Jorge",
|
44
|
-
"reason": "fix something",
|
45
|
-
"commands": "Account.first\n"
|
46
|
-
},
|
47
|
-
"rails": {
|
48
|
-
"application": "haystack",
|
49
|
-
"env": "beta"
|
50
|
-
},
|
51
|
-
"ruby": {
|
52
|
-
"allocations": {
|
53
|
-
"count": 0
|
54
|
-
}
|
55
|
-
},
|
56
|
-
"process": {
|
57
|
-
"pid": 8539,
|
58
|
-
"name": "rails_console",
|
59
|
-
"working_directory": "/Users/jorge/Work/basecamp/haystack"
|
60
|
-
},
|
61
|
-
"performance": {
|
62
|
-
"time": {
|
63
|
-
"cpu": {
|
64
|
-
"ms": 0.01
|
65
|
-
},
|
66
|
-
"idle": {
|
67
|
-
"ms": 0.0
|
68
|
-
}
|
69
|
-
}
|
70
|
-
},
|
71
|
-
"original": " Account Load (1.0ms) SELECT `accounts`.* FROM `accounts` ORDER BY `accounts`.`id` ASC LIMIT 1\n"
|
72
|
-
}
|
23
|
+
Create tables to store console activity in the database:
|
24
|
+
|
25
|
+
```ruby
|
26
|
+
rails console1984:install:migrations
|
27
|
+
rails db:migrate
|
73
28
|
```
|
74
29
|
|
75
|
-
|
30
|
+
By default, console1984 is only enabled in `production`. You can configure the target environments in your `application.rb`:
|
31
|
+
|
32
|
+
```ruby
|
33
|
+
config.console1984.protected_environments = %i[ production staging ]
|
34
|
+
```
|
35
|
+
|
36
|
+
## How it works
|
37
|
+
|
38
|
+
### Session activity logging
|
39
|
+
|
40
|
+
When starting a console session, it will ask for a reason. Internally, it will use this reason to document the console session and record all the commands executed in it.
|
41
|
+
|
42
|
+
```
|
43
|
+
$ rails c
|
44
|
+
|
45
|
+
You have access to production data here. That's a big deal. As part of our promise to keep customer data safe and private, we audit the commands you type here. Let's get started!
|
76
46
|
|
77
|
-
### Protected environments
|
78
47
|
|
79
|
-
<a name="protected-environments"></a>
|
80
48
|
|
81
|
-
|
82
|
-
|
49
|
+
Commands:
|
50
|
+
|
51
|
+
* decrypt!: enter unprotected mode with access to encrypted information
|
52
|
+
|
53
|
+
Unnamed, why are you using this console today?
|
54
|
+
|
55
|
+
> ...
|
56
|
+
```
|
57
|
+
|
58
|
+
### Auditing sessions
|
59
|
+
|
60
|
+
Check out [`audits1984`](https://github.com/basecamp/audits1984), a companion auditing tool prepared to work with `console1984` database session trails.
|
61
|
+
|
62
|
+
### Access to encrypted data
|
63
|
+
|
64
|
+
By default, `console1984` won't decrypt data encrypted with [Active Record encryption](https://edgeguides.rubyonrails.org/active_record_encryption.html). Users will just see the ciphertexts.
|
65
|
+
|
66
|
+
To decrypt data, enter the command `decrypt!`. It will ask for a justification, and these accesses will be flagged internally as sensitive.
|
83
67
|
|
84
68
|
```ruby
|
85
|
-
|
69
|
+
irb(main)> Topic.last.name
|
70
|
+
Topic Load (1.4ms) SELECT `topics`.* FROM `topics` ORDER BY `topics`.`id` DESC LIMIT 1
|
71
|
+
=> "{\"p\":\"iu6+LfnNlurC6sL++JyOIDvedjNSz/AvnZQ=\",\"h\":{\"iv\":\"BYa86+JNM/LdkC18\",\"at\":\"r4sQNoSyIlAjJdZEKHVMow==\",\"k\":{\"p\":\"7L1l/5UiYsFQqqo4jfMZtLwp90KqcrIgS7HqgteVjuM=\",\"h\":{\"iv\":\"ItwRYxZAerKIoSZ8\",\"at\":\"ZUSNVfvtm4wAYWLBKRAx/g==\",\"e\":\"QVNDSUktOEJJVA==\"}},\"i\":\"OTdiOQ==\"}}"
|
72
|
+
irb(main):002:0> decrypt!
|
73
|
+
```
|
74
|
+
|
86
75
|
```
|
76
|
+
Before you can access personal information, you need to ask for and get explicit consent from the user(s). Unnamed, where can we find this consent (a URL would be great)?
|
87
77
|
|
88
|
-
|
78
|
+
> ...
|
89
79
|
|
90
|
-
|
91
|
-
|
80
|
+
Ok! You have access to encrypted information now. We pay extra close attention to any commands entered while you have this access. You can go back to protected mode with 'encrypt!'
|
81
|
+
|
82
|
+
WARNING: Make sure you don`t save objects that were loaded while in protected mode, as this can result in saving the encrypted texts.
|
83
|
+
```
|
92
84
|
|
93
85
|
```ruby
|
94
|
-
|
86
|
+
irb(main)> Topic.last.name
|
87
|
+
Topic Load (1.2ms) SELECT `topics`.* FROM `topics` ORDER BY `topics`.`id` DESC LIMIT 1
|
88
|
+
=> "Thanks for the inspiration"
|
95
89
|
```
|
90
|
+
|
91
|
+
You can type `encrypt!` to go back to protected mode again.
|
92
|
+
|
93
|
+
```ruby
|
94
|
+
irb(main):004:0> encrypt!
|
95
|
+
```
|
96
|
+
|
97
|
+
```
|
98
|
+
Great! You are back in protected mode. When we audit, we may reach out for a conversation about the commands you entered. What went well? Did you solve the problem without accessing personal data?
|
99
|
+
```
|
100
|
+
|
101
|
+
```ruby
|
102
|
+
irb(main)> Topic.last.name
|
103
|
+
Topic Load (1.4ms) SELECT `topics`.* FROM `topics` ORDER BY `topics`.`id` DESC LIMIT 1
|
104
|
+
=> "{\"p\":\"iu6+LfnNlurC6sL++JyOIDvedjNSz/AvnZQ=\",\"h\":{\"iv\":\"BYa86+JNM/LdkC18\",\"at\":\"r4sQNoSyIlAjJdZEKHVMow==\",\"k\":{\"p\":\"7L1l/5UiYsFQqqo4jfMZtLwp90KqcrIgS7HqgteVjuM=\",\"h\":{\"iv\":\"ItwRYxZAerKIoSZ8\",\"at\":\"ZUSNVfvtm4wAYWLBKRAx/g==\",\"e\":\"QVNDSUktOEJJVA==\"}},\"i\":\"OTdiOQ==\"}}"
|
105
|
+
```
|
106
|
+
|
107
|
+
While in protected mode, you can't modify encrypted data, but can save unencrypted attributes normally. If you try to modify an encrypted column it will raise an error:
|
108
|
+
|
109
|
+
```ruby
|
110
|
+
irb(main)> Rails.cache.read("some key") # raises Console1984::Errors::ProtectedConnection
|
111
|
+
```
|
112
|
+
|
113
|
+
### Access to external systems
|
114
|
+
|
115
|
+
While Active Record encryption can protect personal information in the database, are other systems can contain very sensitive information. For example: Elasticsearch indexing user information or Redis caching template fragments.
|
116
|
+
|
117
|
+
To protect the access to such systems, you can add their URLs to `config.console1984.protected_urls` in the corresponding environment config file (e.g: `production.rb`):
|
118
|
+
|
119
|
+
```ruby
|
120
|
+
config.console1984.protected_urls = [ "https://my-app-us-east-1-whatever.us-east-1.es.amazonaws.com", "redis://my-app-cache-1.whatever.cache.amazonaws.com:6379" ]
|
121
|
+
```
|
122
|
+
|
123
|
+
As with encryption data, running `decrypt!` will let you access these systems normally. The system will ask for a justfication and will flag those accesses as sensitive.
|
124
|
+
|
125
|
+
This will work for systems that use Ruby sockets as the underlying communication mechanism.
|
126
|
+
|
127
|
+
### Automatic scheduled incineration for sessions
|
128
|
+
|
129
|
+
By default, sessions will be incinerated with a job 30 days after they are created. You can configure this period by setting `config.console1984.incinerate_after = 1.year` and you can disable incineration completely by setting `config.console1984.incinerate = false`.
|
130
|
+
|
131
|
+
## Configuration
|
132
|
+
|
133
|
+
These config options are namespaced in `config.console1984`:
|
134
|
+
|
135
|
+
| Name | Description |
|
136
|
+
| ------------------------------------------- | ------------------------------------------------------------ |
|
137
|
+
| `protected_environments` | The list of environments where `console1984` will act on. Defaults to `%i[ production ]`. |
|
138
|
+
| `protected_urls` | The list of URLs corresponding with external systems to protect. |
|
139
|
+
| `session_logger` | The system used to record session data. The default logger is `Console1984::SessionsLogger::Database`. |
|
140
|
+
| `username_resolver` | Configure an object responsible of resolving the current database username. The default is `Console1984::Username::EnvResolver.new("CONSOLE_USER")`, which returns the value of the environment variable `CONSOLE_USER`. |
|
141
|
+
| `production_data_warning` | The text to show when a console session starts. |
|
142
|
+
| `enter_unprotected_encryption_mode_warning` | The text to show when user enters into unprotected mode. |
|
143
|
+
| `enter_protected_mode_warning` | The text to show when user go backs to protected mode. |
|
144
|
+
| `incinerate` | Whether incinerate sessions automatically after a period of time or not. Default to `true`. |
|
145
|
+
| `incinerate_after` | The period to keep sessions around before incinerate them. Default `30.days`. |
|
146
|
+
| `incineration_queue` | The name of the queue for session incineration jobs. Default `console1984_incineration`. |
|
147
|
+
|
148
|
+
## About built-in protection mechanisms
|
149
|
+
|
150
|
+
`console1984` uses Ruby to add several protection mechanisms. However, because Ruby is highly dynamic, it's technically possible to circumvent most of these controls if you know what you are doing. We have made an effort to prevent such attempts, but if your organization needs bullet-proof protection against malicious actors using the console, you should consider additional security measures.
|
151
|
+
|
data/lib/console1984.rb
CHANGED
@@ -7,36 +7,14 @@ loader.setup
|
|
7
7
|
module Console1984
|
8
8
|
include Messages
|
9
9
|
|
10
|
-
|
11
|
-
|
12
|
-
mattr_accessor :username_resolver
|
13
|
-
|
14
|
-
mattr_accessor :protected_environments
|
15
|
-
mattr_reader :protected_urls, default: []
|
16
|
-
|
17
|
-
mattr_reader :production_data_warning, default: DEFAULT_PRODUCTION_DATA_WARNING
|
18
|
-
mattr_reader :enter_unprotected_encryption_mode_warning, default: DEFAULT_ENTER_UNPROTECTED_ENCRYPTION_MODE_WARNING
|
19
|
-
mattr_reader :enter_protected_mode_warning, default: DEFAULT_ENTER_PROTECTED_MODE_WARNING
|
20
|
-
|
21
|
-
mattr_accessor :incinerate, default: true
|
22
|
-
mattr_accessor :incinerate_after, default: 30.days
|
23
|
-
mattr_accessor :incineration_queue, default: "console1984_incineration"
|
24
|
-
|
25
|
-
mattr_accessor :debug, default: false
|
10
|
+
mattr_reader :supervisor, default: Supervisor.new
|
11
|
+
mattr_reader :config, default: Config.new
|
26
12
|
|
27
13
|
thread_mattr_accessor :currently_protected_urls, default: []
|
28
14
|
|
29
15
|
class << self
|
30
|
-
|
31
|
-
|
32
|
-
self.protected_urls.push(*config.protected_urls)
|
33
|
-
self.session_logger = config.session_logger || Console1984::SessionsLogger::Database.new
|
34
|
-
self.username_resolver = config.username_resolver || Console1984::Username::EnvResolver.new("CONSOLE_USER")
|
35
|
-
|
36
|
-
self.supervisor = Supervisor.new
|
37
|
-
self.protected_urls.freeze
|
38
|
-
|
39
|
-
extend_protected_systems
|
16
|
+
Config::PROPERTIES.each do |property|
|
17
|
+
delegate property, to: :config
|
40
18
|
end
|
41
19
|
|
42
20
|
def running_protected_environment?
|
@@ -50,31 +28,6 @@ module Console1984
|
|
50
28
|
end
|
51
29
|
|
52
30
|
private
|
53
|
-
def extend_protected_systems
|
54
|
-
extend_active_record
|
55
|
-
extend_socket_classes
|
56
|
-
end
|
57
|
-
|
58
|
-
def extend_active_record
|
59
|
-
%w[ActiveRecord::ConnectionAdapters::Mysql2Adapter ActiveRecord::ConnectionAdapters::PostgreSQLAdapter ActiveRecord::ConnectionAdapters::SQLite3Adapter].each do |class_string|
|
60
|
-
if Object.const_defined?(class_string)
|
61
|
-
klass = class_string.constantize
|
62
|
-
klass.prepend(Console1984::ProtectedAuditableTables)
|
63
|
-
end
|
64
|
-
end
|
65
|
-
end
|
66
|
-
|
67
|
-
def extend_socket_classes
|
68
|
-
socket_classes = [TCPSocket, OpenSSL::SSL::SSLSocket]
|
69
|
-
if defined?(Redis::Connection)
|
70
|
-
socket_classes.push(*[Redis::Connection::TCPSocket, Redis::Connection::SSLSocket])
|
71
|
-
end
|
72
|
-
|
73
|
-
socket_classes.compact.each do |socket_klass|
|
74
|
-
socket_klass.prepend Console1984::ProtectedTcpSocket
|
75
|
-
end
|
76
|
-
end
|
77
|
-
|
78
31
|
def protecting_connections
|
79
32
|
old_currently_protected_urls = self.currently_protected_urls
|
80
33
|
self.currently_protected_urls = protected_urls
|
data/lib/console1984/commands.rb
CHANGED
@@ -0,0 +1,49 @@
|
|
1
|
+
# Container for config options.
|
2
|
+
class Console1984::Config
|
3
|
+
include Console1984::Messages
|
4
|
+
|
5
|
+
PROPERTIES = %i[
|
6
|
+
session_logger username_resolver
|
7
|
+
protected_environments protected_urls
|
8
|
+
production_data_warning enter_unprotected_encryption_mode_warning enter_protected_mode_warning
|
9
|
+
incinerate incinerate_after incineration_queue
|
10
|
+
debug freeze_config
|
11
|
+
]
|
12
|
+
|
13
|
+
attr_accessor(*PROPERTIES)
|
14
|
+
|
15
|
+
def initialize
|
16
|
+
set_defaults
|
17
|
+
end
|
18
|
+
|
19
|
+
def set_from(properties)
|
20
|
+
properties.each do |key, value|
|
21
|
+
public_send("#{key}=", value) if value.present?
|
22
|
+
end
|
23
|
+
end
|
24
|
+
|
25
|
+
def freeze
|
26
|
+
super if freeze_config
|
27
|
+
protected_urls.freeze
|
28
|
+
end
|
29
|
+
|
30
|
+
private
|
31
|
+
def set_defaults
|
32
|
+
self.protected_environments = []
|
33
|
+
self.protected_urls = []
|
34
|
+
|
35
|
+
self.session_logger = Console1984::SessionsLogger::Database.new
|
36
|
+
self.username_resolver = Console1984::Username::EnvResolver.new("CONSOLE_USER")
|
37
|
+
|
38
|
+
self.production_data_warning = DEFAULT_PRODUCTION_DATA_WARNING
|
39
|
+
self.enter_unprotected_encryption_mode_warning = DEFAULT_ENTER_UNPROTECTED_ENCRYPTION_MODE_WARNING
|
40
|
+
self.enter_protected_mode_warning = DEFAULT_ENTER_PROTECTED_MODE_WARNING
|
41
|
+
|
42
|
+
self.incinerate = true
|
43
|
+
self.incinerate_after = 30.days
|
44
|
+
self.incineration_queue = "console1984_incineration"
|
45
|
+
|
46
|
+
self.debug = false
|
47
|
+
self.freeze_config = true
|
48
|
+
end
|
49
|
+
end
|
data/lib/console1984/engine.rb
CHANGED
@@ -10,12 +10,13 @@ module Console1984
|
|
10
10
|
|
11
11
|
initializer "console1984.config" do
|
12
12
|
config.console1984.each do |key, value|
|
13
|
-
Console1984.send("#{key}=", value) unless %i[ protected_urls protected_environments ].include?(key.to_sym)
|
13
|
+
Console1984.config.send("#{key}=", value) unless %i[ protected_urls protected_environments ].include?(key.to_sym)
|
14
14
|
end
|
15
15
|
end
|
16
16
|
|
17
17
|
console do
|
18
|
-
Console1984.
|
18
|
+
Console1984.config.set_from(config.console1984)
|
19
|
+
|
19
20
|
Console1984.supervisor.start if Console1984.running_protected_environment?
|
20
21
|
|
21
22
|
class OpenSSL::SSL::SSLSocket
|
data/lib/console1984/errors.rb
CHANGED
@@ -0,0 +1,17 @@
|
|
1
|
+
# Prevents adding new methods to classes.
|
2
|
+
#
|
3
|
+
# This prevents manipulating certain Console1984 classes
|
4
|
+
# during a console session.
|
5
|
+
module Console1984::FrozenMethods
|
6
|
+
extend ActiveSupport::Concern
|
7
|
+
|
8
|
+
module ClassMethods
|
9
|
+
def method_added(method_name)
|
10
|
+
raise Console1984::Errors::ForbiddenClassManipulation, "Can't override #{name}##{method_name}"
|
11
|
+
end
|
12
|
+
|
13
|
+
def singleton_method_added(method_name)
|
14
|
+
raise Console1984::Errors::ForbiddenClassManipulation, "Can't override #{name}.#{method_name}"
|
15
|
+
end
|
16
|
+
end
|
17
|
+
end
|
data/lib/console1984/messages.rb
CHANGED
@@ -17,8 +17,7 @@ module Console1984::Messages
|
|
17
17
|
TXT
|
18
18
|
|
19
19
|
COMMANDS = {
|
20
|
-
"decrypt!": "enter unprotected mode with access to encrypted information"
|
21
|
-
"log '<reason>'": "provide further information about what you are going to do in the middle of a console session"
|
20
|
+
"decrypt!": "enter unprotected mode with access to encrypted information"
|
22
21
|
}
|
23
22
|
|
24
23
|
COMMANDS_HELP = <<~TXT
|
@@ -1,4 +1,5 @@
|
|
1
1
|
module Console1984
|
2
|
+
# Prevents accessing trail model tables when executing console commands.
|
2
3
|
module ProtectedAuditableTables
|
3
4
|
%i[ execute exec_query exec_insert exec_delete exec_update exec_insert_all ].each do |method|
|
4
5
|
define_method method do |*args|
|
@@ -23,4 +24,6 @@ module Console1984
|
|
23
24
|
@auditable_tables ||= AUDITABLE_MODELS.collect(&:table_name)
|
24
25
|
end
|
25
26
|
end
|
27
|
+
|
28
|
+
include Console1984::FrozenMethods
|
26
29
|
end
|
@@ -1,15 +1,18 @@
|
|
1
1
|
module Console1984::ProtectedContext
|
2
|
-
#
|
3
|
-
#
|
2
|
+
# This method is invoked for showing returned objects in the console
|
3
|
+
# Overridden to make sure their evaluation is supervised.
|
4
4
|
def inspect_last_value
|
5
5
|
Console1984.supervisor.execute do
|
6
6
|
super
|
7
7
|
end
|
8
8
|
end
|
9
9
|
|
10
|
+
#
|
10
11
|
def evaluate(line, line_no, exception: nil)
|
11
12
|
Console1984.supervisor.execute_supervised(Array(line)) do
|
12
13
|
super
|
13
14
|
end
|
14
15
|
end
|
16
|
+
|
17
|
+
include Console1984::FrozenMethods
|
15
18
|
end
|
@@ -1,3 +1,4 @@
|
|
1
|
+
# Wraps socket methods to execute supervised.
|
1
2
|
module Console1984::ProtectedTcpSocket
|
2
3
|
def write(*args)
|
3
4
|
protecting do
|
@@ -53,4 +54,6 @@ module Console1984::ProtectedTcpSocket
|
|
53
54
|
super(addrinfo.ip_address, addrinfo.ip_port)
|
54
55
|
end
|
55
56
|
end
|
57
|
+
|
58
|
+
include Console1984::FrozenMethods
|
56
59
|
end
|
@@ -1,9 +1,10 @@
|
|
1
|
+
# A session logger that saves audit trails in the database.
|
1
2
|
class Console1984::SessionsLogger::Database
|
2
3
|
attr_reader :current_session, :current_sensitive_access
|
3
4
|
|
4
5
|
def start_session(username, reason)
|
5
6
|
silence_logging do
|
6
|
-
user = Console1984::User.
|
7
|
+
user = Console1984::User.find_or_create_by!(username: username)
|
7
8
|
@current_session = user.sessions.create! reason: reason
|
8
9
|
end
|
9
10
|
end
|
@@ -1,48 +1,47 @@
|
|
1
1
|
require 'colorized_string'
|
2
2
|
require 'rails/console/app'
|
3
3
|
|
4
|
+
# Protects console sessions and executes code in supervised mode.
|
4
5
|
class Console1984::Supervisor
|
5
|
-
include Accesses, InputOutput, Executor
|
6
|
-
|
7
|
-
attr_reader :session_id
|
8
|
-
delegate :session_logger, :username_resolver, to: Console1984
|
9
|
-
|
10
|
-
def initialize
|
11
|
-
disable_access_to_encrypted_content(silent: true)
|
12
|
-
end
|
6
|
+
include Accesses, InputOutput, Executor, Protector
|
13
7
|
|
8
|
+
# Starts a console session extending IRB and several systems to inject
|
9
|
+
# the protection logic, and notifies the session logger to record the
|
10
|
+
# session.
|
14
11
|
def start
|
15
|
-
|
16
|
-
|
12
|
+
Console1984.config.freeze
|
13
|
+
extend_protected_systems
|
14
|
+
disable_access_to_encrypted_content(silent: true)
|
17
15
|
|
18
|
-
|
16
|
+
show_welcome_message
|
19
17
|
|
20
|
-
|
18
|
+
start_session
|
21
19
|
end
|
22
20
|
|
23
21
|
def stop
|
24
|
-
|
22
|
+
stop_session
|
25
23
|
end
|
26
24
|
|
27
25
|
private
|
28
|
-
def
|
29
|
-
|
26
|
+
def start_session
|
27
|
+
session_logger.start_session current_username, ask_for_session_reason
|
30
28
|
end
|
31
29
|
|
32
|
-
def
|
33
|
-
|
30
|
+
def stop_session
|
31
|
+
session_logger.finish_session
|
34
32
|
end
|
35
33
|
|
36
|
-
def
|
37
|
-
|
38
|
-
Rails::ConsoleMethods.include(Console1984::Commands)
|
34
|
+
def session_logger
|
35
|
+
Console1984.session_logger
|
39
36
|
end
|
40
37
|
|
41
|
-
def
|
42
|
-
|
38
|
+
def current_username
|
39
|
+
Console1984.username_resolver.current
|
43
40
|
end
|
44
41
|
|
45
|
-
def
|
46
|
-
|
42
|
+
def username_resolver
|
43
|
+
Console1984.username_resolver
|
47
44
|
end
|
45
|
+
|
46
|
+
include Console1984::FrozenMethods
|
48
47
|
end
|
@@ -4,7 +4,7 @@ module Console1984::Supervisor::Executor
|
|
4
4
|
def execute_supervised(commands, &block)
|
5
5
|
run_system_command { session_logger.before_executing commands }
|
6
6
|
execute(&block)
|
7
|
-
rescue Console1984::Errors::ForbiddenCommand
|
7
|
+
rescue Console1984::Errors::ForbiddenCommand, Console1984::Errors::ForbiddenClassManipulation
|
8
8
|
puts "Forbidden command attempted: #{commands.join("\n")}"
|
9
9
|
run_system_command { session_logger.suspicious_commands_attempted commands }
|
10
10
|
nil
|
@@ -1,11 +1,31 @@
|
|
1
1
|
module Console1984::Supervisor::InputOutput
|
2
|
-
|
3
|
-
|
4
|
-
|
5
|
-
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
|
2
|
+
include Console1984::Messages
|
3
|
+
|
4
|
+
private
|
5
|
+
def show_welcome_message
|
6
|
+
show_production_data_warning
|
7
|
+
show_commands
|
8
|
+
end
|
9
|
+
|
10
|
+
def show_production_data_warning
|
11
|
+
show_warning Console1984.production_data_warning
|
12
|
+
end
|
13
|
+
|
14
|
+
def ask_for_session_reason
|
15
|
+
ask_for_value("#{current_username}, why are you using this console today?")
|
16
|
+
end
|
17
|
+
|
18
|
+
def show_commands
|
19
|
+
puts COMMANDS_HELP
|
20
|
+
end
|
21
|
+
|
22
|
+
def show_warning(message)
|
23
|
+
puts ColorizedString.new("\n#{message}\n").yellow
|
24
|
+
end
|
25
|
+
|
26
|
+
def ask_for_value(message)
|
27
|
+
puts ColorizedString.new("#{message}").green
|
28
|
+
reason = $stdin.gets.strip until reason.present?
|
29
|
+
reason
|
30
|
+
end
|
11
31
|
end
|
@@ -0,0 +1,37 @@
|
|
1
|
+
module Console1984::Supervisor::Protector
|
2
|
+
extend ActiveSupport::Concern
|
3
|
+
|
4
|
+
private
|
5
|
+
def extend_protected_systems
|
6
|
+
extend_irb
|
7
|
+
extend_active_record
|
8
|
+
extend_socket_classes
|
9
|
+
end
|
10
|
+
|
11
|
+
def extend_irb
|
12
|
+
IRB::Context.prepend(Console1984::ProtectedContext)
|
13
|
+
Rails::ConsoleMethods.include(Console1984::Commands)
|
14
|
+
end
|
15
|
+
|
16
|
+
ACTIVE_RECORD_CONNECTION_ADAPTERS = %w[ActiveRecord::ConnectionAdapters::Mysql2Adapter ActiveRecord::ConnectionAdapters::PostgreSQLAdapter ActiveRecord::ConnectionAdapters::SQLite3Adapter]
|
17
|
+
|
18
|
+
def extend_active_record
|
19
|
+
ACTIVE_RECORD_CONNECTION_ADAPTERS.each do |class_string|
|
20
|
+
if Object.const_defined?(class_string)
|
21
|
+
klass = class_string.constantize
|
22
|
+
klass.prepend(Console1984::ProtectedAuditableTables)
|
23
|
+
end
|
24
|
+
end
|
25
|
+
end
|
26
|
+
|
27
|
+
def extend_socket_classes
|
28
|
+
socket_classes = [TCPSocket, OpenSSL::SSL::SSLSocket]
|
29
|
+
if defined?(Redis::Connection)
|
30
|
+
socket_classes.push(*[Redis::Connection::TCPSocket, Redis::Connection::SSLSocket])
|
31
|
+
end
|
32
|
+
|
33
|
+
socket_classes.compact.each do |socket_klass|
|
34
|
+
socket_klass.prepend Console1984::ProtectedTcpSocket
|
35
|
+
end
|
36
|
+
end
|
37
|
+
end
|
data/lib/console1984/version.rb
CHANGED
@@ -0,0 +1,26 @@
|
|
1
|
+
arithmetic_1:
|
2
|
+
session: arithmetic
|
3
|
+
statements: 1+1
|
4
|
+
arithmetic_2:
|
5
|
+
session: arithmetic
|
6
|
+
statements: 2+2
|
7
|
+
arithmetic_3:
|
8
|
+
session: arithmetic
|
9
|
+
statements: 3+3
|
10
|
+
|
11
|
+
sensitive_1:
|
12
|
+
session: sensitive_printing
|
13
|
+
statements: "puts 'so sensitive 1'"
|
14
|
+
sensitive_access: sensitive_printing
|
15
|
+
sensitive_2:
|
16
|
+
session: sensitive_printing
|
17
|
+
statements: "puts 'so sensitive 2'"
|
18
|
+
sensitive_access: sensitive_printing
|
19
|
+
sensitive_3:
|
20
|
+
session: sensitive_printing
|
21
|
+
statements: "puts 'so sensitive 3'"
|
22
|
+
sensitive_access: sensitive_printing
|
23
|
+
|
24
|
+
|
25
|
+
|
26
|
+
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: console1984
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.1.
|
4
|
+
version: 0.1.4
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Jorge Manrubia
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-08-
|
11
|
+
date: 2021-08-19 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: colorize
|
@@ -94,6 +94,20 @@ dependencies:
|
|
94
94
|
- - ">="
|
95
95
|
- !ruby/object:Gem::Version
|
96
96
|
version: '0'
|
97
|
+
- !ruby/object:Gem::Dependency
|
98
|
+
name: rubocop-minitest
|
99
|
+
requirement: !ruby/object:Gem::Requirement
|
100
|
+
requirements:
|
101
|
+
- - ">="
|
102
|
+
- !ruby/object:Gem::Version
|
103
|
+
version: '0'
|
104
|
+
type: :development
|
105
|
+
prerelease: false
|
106
|
+
version_requirements: !ruby/object:Gem::Requirement
|
107
|
+
requirements:
|
108
|
+
- - ">="
|
109
|
+
- !ruby/object:Gem::Version
|
110
|
+
version: '0'
|
97
111
|
- !ruby/object:Gem::Dependency
|
98
112
|
name: rubocop-rails
|
99
113
|
requirement: !ruby/object:Gem::Requirement
|
@@ -143,9 +157,10 @@ files:
|
|
143
157
|
- db/migrate/20210517203931_create_console1984_tables.rb
|
144
158
|
- lib/console1984.rb
|
145
159
|
- lib/console1984/commands.rb
|
160
|
+
- lib/console1984/config.rb
|
146
161
|
- lib/console1984/engine.rb
|
147
|
-
- lib/console1984/env_variable_username.rb
|
148
162
|
- lib/console1984/errors.rb
|
163
|
+
- lib/console1984/frozen_methods.rb
|
149
164
|
- lib/console1984/messages.rb
|
150
165
|
- lib/console1984/protected_auditable_tables.rb
|
151
166
|
- lib/console1984/protected_context.rb
|
@@ -157,8 +172,14 @@ files:
|
|
157
172
|
- lib/console1984/supervisor/accesses/unprotected.rb
|
158
173
|
- lib/console1984/supervisor/executor.rb
|
159
174
|
- lib/console1984/supervisor/input_output.rb
|
175
|
+
- lib/console1984/supervisor/protector.rb
|
160
176
|
- lib/console1984/username/env_resolver.rb
|
161
177
|
- lib/console1984/version.rb
|
178
|
+
- test/fixtures/console1984/commands.yml
|
179
|
+
- test/fixtures/console1984/sensitive_accesses.yml
|
180
|
+
- test/fixtures/console1984/sessions.yml
|
181
|
+
- test/fixtures/console1984/users.yml
|
182
|
+
- test/fixtures/people.yml
|
162
183
|
homepage: http://github.com/basecamp/console1984
|
163
184
|
licenses:
|
164
185
|
- MIT
|