console1984 0.1.17 → 0.1.21

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 58a963520fed8a86952cee9b02443b61d42ac4bf0a80d1abaabfd3ff390f431b
-  data.tar.gz: a63a68db2a2e46a129f4f97f79a59b41a88fe98ecb9d6028d67ca0e8d4b1e6fa
+  metadata.gz: d83291f898d099af3d70445ee2f7a9946fab213fcf2932629118926cb17529e9
+  data.tar.gz: 12cc2e2fffcef01d10139744015ec59857e4f1bbaa5a5a6d0c9bcbd052b82180
 SHA512:
-  metadata.gz: 2bb93f84dc7e078b4d357739b337b2277fce627408cb619c816a04fc94db7451faf7d2095d0861ca211726ce973481161ae47c4add5e185c8813904462d1c011
-  data.tar.gz: d1b623b30f72e49d744934e4623159bfabf5cd7b9a4fab94fc08c26c30fc8bf1115bd70bf4b92b12609874d6ab75dc0d978663079745df2b9b1e238cadaf11ed
+  metadata.gz: 7ea7adb1db1f616e53be2222be1afbf8830c097c50d7c21506dda2bef0fc99e5434e9c02702725068465f3b6d3d441089525b6b976b257c8cfd5d1996307ffba
+  data.tar.gz: 42d0b445e453c657c5100538cd29a7822c4aa43cfb87f94c3be6a01e3d059dfa0e4e7b060ab02e9e0fc8da939db445cad2148320b5bdd4e0fc8bf889833ca8bc

data/README.md

@@ -35,6 +35,9 @@ By default, console1984 is only enabled in `production`. You can configure the t
 config.console1984.protected_environments = %i[ production staging ]
 ```
 
+Finally, you need to [configure Active Record Encryption](https://edgeguides.rubyonrails.org/active_record_encryption.html#setup) in your
+project. This is because the library stores the tracked console commands encrypted.
+
 ## How it works
 
 ### Session activity logging
@@ -153,6 +156,27 @@ These config options are namespaced in `config.console1984`:
 | `incinerate_after`                          | The period to keep sessions around before incinerate them. Default `30.days`. |
 | `incineration_queue`                        | The name of the queue for session incineration jobs. Default `console1984_incineration`. |
 
+### SSH Config
+
+To automatically set the `CONSOLE_USER` env var for sessions, you'll need to configure SSH on the server to accept the environment variable.
+
+On the server, edit `/etc/ssh/sshd_config` to accept the environment variable:
+```
+AcceptEnv LANG LC_* CONSOLE_USER
+```
+
+Restart the SSH server to use the new config:
+```bash
+service sshd restart
+```
+
+On the client side, you can provide this env var from your clients by adding the variable to the ssh config:
+
+```
+Host *
+  SetEnv CONSOLE_USER=david
+```
+
 ## About built-in protection mechanisms
 
 `console1984` adds many protection mechanisms to prevent tampering. This includes attempts to alter data in auditing tables or monkey patching certain classes to change how the system works. If you find a way to circumvent these tampering controls, please [report an issue](https://github.com/basecamp/console1984/issues).

data/app/models/console1984/session/incineratable.rb

@@ -25,6 +25,6 @@ module Console1984::Session::Incineratable
     end
 
     def earliest_possible_incineration_date
-      created_at + Console1984.incinerate_after
+      created_at + Console1984.incinerate_after - 1.second
     end
 end

data/lib/console1984/ext/active_record/protected_auditable_tables.rb

@@ -5,7 +5,7 @@ module Console1984::Ext::ActiveRecord::ProtectedAuditableTables
   %i[ execute exec_query exec_insert exec_delete exec_update exec_insert_all ].each do |method|
     define_method method do |*args, **kwargs|
       sql = args.first
-      if Console1984.command_executor.executing_user_command? && sql =~ auditable_tables_regexp
+      if Console1984.command_executor.executing_user_command? && sql.b =~ auditable_tables_regexp
         raise Console1984::Errors::ForbiddenCommandAttempted, "#{sql}"
       else
         super(*args, **kwargs)

data/lib/console1984/ext/socket/tcp_socket.rb

@@ -2,13 +2,13 @@
 module Console1984::Ext::Socket::TcpSocket
   include Console1984::Freezeable
 
-  def write(*args)
+  def write(...)
     protecting do
       super
     end
   end
 
-  def write_nonblock(*args)
+  def write_nonblock(...)
     protecting do
       super
     end

data/lib/console1984/refrigerator.rb

@@ -17,6 +17,7 @@ class Console1984::Refrigerator
     end
 
     def freeze_internal_instances
+      Console1984.freeze # Because it's the root engine module it can't mix Freezable.
       Console1984.config.freeze unless Console1984.config.test_mode
     end
 

data/lib/console1984/shield/modes/protected.rb

@@ -6,6 +6,11 @@ class Console1984::Shield::Modes::Protected
 
   thread_mattr_accessor :currently_protected_urls, default: []
 
+  # Materialize the thread attribute before freezing the class. +thread_mattr_accessor+ attributes rely on
+  # setting a class variable the first time they are referenced, and that will fail in frozen classes
+  # like this one.
+  currently_protected_urls
+
   def execute(&block)
     protecting(&block)
   end

data/lib/console1984/shield.rb

@@ -64,7 +64,6 @@ class Console1984::Shield
         if Object.const_defined?(class_string)
           klass = class_string.constantize
           klass.prepend(Console1984::Ext::ActiveRecord::ProtectedAuditableTables)
-          klass.include(Console1984::Freezeable)
         end
       end
     end

data/lib/console1984/version.rb

@@ -1,3 +1,3 @@
 module Console1984
-  VERSION = '0.1.17'
+  VERSION = '0.1.21'
 end

data/lib/console1984.rb

@@ -38,7 +38,7 @@ class_loader.setup
 # the console. For example, to prevent the user from deleting audit trails. See
 # Console1984::Shield and Console1984::CommandValidator to learn more.
 module Console1984
-  include Messages, Freezeable
+  include Messages
 
   mattr_accessor :supervisor, default: Supervisor.new
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: console1984
 version: !ruby/object:Gem::Version
-  version: 0.1.17
+  version: 0.1.21
 platform: ruby
 authors:
 - Jorge Manrubia
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-09-24 00:00:00.000000000 Z
+date: 2021-12-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: colorize
@@ -39,19 +39,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: activeresource
+  name: rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '7.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '7.0'
 - !ruby/object:Gem::Dependency
   name: benchmark-ips
   requirement: !ruby/object:Gem::Requirement
@@ -261,14 +261,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.7.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.2.32
 signing_key:
 specification_version: 4
 summary: Your Rails console, 1984 style