console1984 0.1.16 → 0.1.20

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 22d6415f6dbc30049954458c38027c5a33737429d93141bfdaeb3c9d654ff3a3
-  data.tar.gz: 151005da988be49ed8e46c6f73beeea4b2bc2a137d70d6d6296bd87ca4a54256
+  metadata.gz: f982f92b4547b0618ba7c124fde7ac1c26acc0618f77be753171fcff54e54043
+  data.tar.gz: 828b81e3719f909263a3e3ccc08a937ece36c6c4d2ea976ef7412413e6797be6
 SHA512:
-  metadata.gz: 3ae3c452e1cb58b863ee16f2e90a411419c8fbdb366c1c881801499846861e9a5e5d558eb08091c801b26907dbc92ffdc9f994e2a074e84e39ca98e6c6a7c0bf
-  data.tar.gz: 61fac61bac50294544c6035fa981d43fd4fc9818475d1c1132d38f09684c1e94a7bf6ac763e8295acfa12398e212508c8144a3f32ce158e4d3c606362d2cff83
+  metadata.gz: a832cb53bee3f1edd70bd5f4c469048108f4bc8cc39ef3aa452319ca1a157f145212476bc69b3ee5a215b686ed0e6f9945fb1ad497c1493a65a1531cd542b1b2
+  data.tar.gz: f6e684bf6fa011a5ba72de4a40919ffc8dc86e1d4bdcea4df2d977d85918b1871d270e2d770e9e1aae3c09dfab9af9c0f59ba4ef7d6cf6bf645851bf5881db3d

data/README.md

@@ -35,6 +35,9 @@ By default, console1984 is only enabled in `production`. You can configure the t
 config.console1984.protected_environments = %i[ production staging ]
 ```
 
+Finally, you need to [configure Active Record Encryption](https://edgeguides.rubyonrails.org/active_record_encryption.html#setup) in your
+project. This is because the library stores the tracked console commands encrypted.
+
 ## How it works
 
 ### Session activity logging
@@ -153,6 +156,27 @@ These config options are namespaced in `config.console1984`:
 | `incinerate_after`                          | The period to keep sessions around before incinerate them. Default `30.days`. |
 | `incineration_queue`                        | The name of the queue for session incineration jobs. Default `console1984_incineration`. |
 
+### SSH Config
+
+To automatically set the `CONSOLE_USER` env var for sessions, you'll need to configure SSH on the server to accept the environment variable.
+
+On the server, edit `/etc/ssh/sshd_config` to accept the environment variable:
+```
+AcceptEnv LANG LC_* CONSOLE_USER
+```
+
+Restart the SSH server to use the new config:
+```bash
+service sshd restart
+```
+
+On the client side, you can provide this env var from your clients by adding the variable to the ssh config:
+
+```
+Host *
+  SetEnv CONSOLE_USER=david
+```
+
 ## About built-in protection mechanisms
 
 `console1984` adds many protection mechanisms to prevent tampering. This includes attempts to alter data in auditing tables or monkey patching certain classes to change how the system works. If you find a way to circumvent these tampering controls, please [report an issue](https://github.com/basecamp/console1984/issues).

data/app/models/console1984/session/incineratable.rb

@@ -25,6 +25,6 @@ module Console1984::Session::Incineratable
     end
 
     def earliest_possible_incineration_date
-      created_at + Console1984.incinerate_after
+      created_at + Console1984.incinerate_after - 1.second
     end
 end

data/lib/console1984/command_executor.rb

@@ -10,6 +10,7 @@ class Console1984::CommandExecutor
   include Console1984::Freezeable
 
   delegate :username_resolver, :session_logger, :shield, to: Console1984
+  attr_reader :last_suspicious_command_error
 
   # Logs and validates +commands+, and executes the passed block in a protected environment.
   #
@@ -19,14 +20,14 @@ class Console1984::CommandExecutor
     run_as_system { session_logger.before_executing commands }
     validate_command commands
     execute_in_protected_mode(&block)
-  rescue Console1984::Errors::ForbiddenCommandAttempted, FrozenError
-    flag_suspicious(commands)
-  rescue Console1984::Errors::SuspiciousCommandAttempted
-    flag_suspicious(commands)
+  rescue Console1984::Errors::ForbiddenCommandAttempted, FrozenError => error
+    flag_suspicious(commands, error: error)
+  rescue Console1984::Errors::SuspiciousCommandAttempted => error
+    flag_suspicious(commands, error: error)
     execute_in_protected_mode(&block)
-  rescue Console1984::Errors::ForbiddenCommandExecuted
+  rescue Console1984::Errors::ForbiddenCommandExecuted => error
     # We detected that a forbidden command was executed. We exit IRB right away.
-    flag_suspicious(commands)
+    flag_suspicious(commands, error: error)
     Console1984.supervisor.exit_irb
   ensure
     run_as_system { session_logger.after_executing commands }
@@ -70,11 +71,7 @@ class Console1984::CommandExecutor
   end
 
   def from_irb?(backtrace)
-    executing_user_command? && backtrace.find do |line|
-      line_from_irb = line =~ /^[^\/]/
-      break if !(line =~ /console1984\/lib/ || line_from_irb)
-      line_from_irb
-    end
+    executing_user_command? && backtrace.first.to_s =~ /^[^\/]/
   end
 
   private
@@ -86,9 +83,10 @@ class Console1984::CommandExecutor
       Console1984::CommandValidator.from_config(Console1984.protections_config.validations)
     end
 
-    def flag_suspicious(commands)
+    def flag_suspicious(commands, error: nil)
       puts "Forbidden command attempted: #{commands.join("\n")}"
       run_as_system { session_logger.suspicious_commands_attempted commands }
+      @last_suspicious_command_error = error
       nil
     end
 

data/lib/console1984/ext/active_record/protected_auditable_tables.rb

@@ -5,7 +5,7 @@ module Console1984::Ext::ActiveRecord::ProtectedAuditableTables
   %i[ execute exec_query exec_insert exec_delete exec_update exec_insert_all ].each do |method|
     define_method method do |*args, **kwargs|
       sql = args.first
-      if Console1984.command_executor.executing_user_command? && sql =~ auditable_tables_regexp
+      if Console1984.command_executor.executing_user_command? && sql.b =~ auditable_tables_regexp
         raise Console1984::Errors::ForbiddenCommandAttempted, "#{sql}"
       else
         super(*args, **kwargs)

data/lib/console1984/ext/core/object.rb

@@ -16,7 +16,7 @@ module Console1984::Ext::Core::Object
 
   class_methods do
     def const_get(*arguments)
-      if Console1984.command_executor.executing_user_command?
+      if Console1984.command_executor.from_irb?(caller)
         begin
           # To validate if it's an invalid constant, we try to declare a class with it.
           # We essentially leverage Console1984::CommandValidator::ForbiddenReopeningValidation here:

data/lib/console1984/ext/core/string.rb

@@ -0,0 +1,24 @@
+# Prevents loading forbidden classes dynamically.
+#
+# See extension to +Console1984::Ext::Core::Object#const_get+.
+module Console1984::Ext::Core::String
+  extend ActiveSupport::Concern
+
+  include Console1984::Freezeable
+  self.prevent_instance_data_manipulation_after_freezing = false
+
+  def constantize
+    if Console1984.command_executor.from_irb?(caller)
+      begin
+        Console1984.command_executor.validate_command("class #{self}; end")
+        super
+      rescue Console1984::Errors::ForbiddenCommandAttempted
+        raise
+      rescue StandardError
+        super
+      end
+    else
+      super
+    end
+  end
+end

data/lib/console1984/ext/irb/commands.rb

@@ -13,4 +13,13 @@ module Console1984::Ext::Irb::Commands
   def encrypt!
     shield.enable_protected_mode
   end
+
+  # This returns the last error that prevented a command execution in the console
+  # or nil if there isn't any.
+  #
+  # This is meant for internal usage when debugging legit commands that are wrongly
+  # prevented.
+  def _console_last_suspicious_command_error
+    Console1984.command_executor.last_suspicious_command_error
+  end
 end

data/lib/console1984/ext/socket/tcp_socket.rb

@@ -2,13 +2,13 @@
 module Console1984::Ext::Socket::TcpSocket
   include Console1984::Freezeable
 
-  def write(*args)
+  def write(...)
     protecting do
       super
     end
   end
 
-  def write_nonblock(*args)
+  def write_nonblock(...)
     protecting do
       super
     end

data/lib/console1984/shield/modes/protected.rb

@@ -6,6 +6,11 @@ class Console1984::Shield::Modes::Protected
 
   thread_mattr_accessor :currently_protected_urls, default: []
 
+  # Materialize the thread attribute before freezing the class. +thread_mattr_accessor+ attributes rely on
+  # setting a class variable the first time they are referenced, and that will fail in frozen classes
+  # like this one.
+  currently_protected_urls
+
   def execute(&block)
     protecting(&block)
   end

data/lib/console1984/shield.rb

@@ -40,6 +40,7 @@ class Console1984::Shield
     def extend_core_ruby
       Object.prepend Console1984::Ext::Core::Object
       Module.prepend Console1984::Ext::Core::Module
+      String.prepend Console1984::Ext::Core::String
     end
 
     def extend_sockets
@@ -63,7 +64,6 @@ class Console1984::Shield
         if Object.const_defined?(class_string)
           klass = class_string.constantize
           klass.prepend(Console1984::Ext::ActiveRecord::ProtectedAuditableTables)
-          klass.include(Console1984::Freezeable)
         end
       end
     end

data/lib/console1984/version.rb

@@ -1,3 +1,3 @@
 module Console1984
-  VERSION = '0.1.16'
+  VERSION = '0.1.20'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: console1984
 version: !ruby/object:Gem::Version
-  version: 0.1.16
+  version: 0.1.20
 platform: ruby
 authors:
 - Jorge Manrubia
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-09-24 00:00:00.000000000 Z
+date: 2021-12-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: colorize
@@ -225,6 +225,7 @@ files:
 - lib/console1984/ext/active_record/protected_auditable_tables.rb
 - lib/console1984/ext/core/module.rb
 - lib/console1984/ext/core/object.rb
+- lib/console1984/ext/core/string.rb
 - lib/console1984/ext/irb/commands.rb
 - lib/console1984/ext/irb/context.rb
 - lib/console1984/ext/socket/tcp_socket.rb
@@ -260,7 +261,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.7.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="