console1984 0.1.2 → 0.1.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 00c631a415150d26c5af9cc748900015818ca7eb78a1a958a4a92aeee572fc06
-  data.tar.gz: 05520effef693150b8a2cf1e17ab578038c1ddd02b99db4fdd5a97d54884ea36
+  metadata.gz: 0a76f26ca8567b7261e2062a9360216ebca2c230ffb48e4ecb5e5a9970339e99
+  data.tar.gz: 6a892b894d3274e9567a4fd763d9121690b889b89e7a2e7a2b9f919825e51144
 SHA512:
-  metadata.gz: 974b06da4ce3b24d837bc9e4b7488014bde82fb7597ef5eff1c261ce155b430eb91948711404844714ac94a067c6bede7a808ff3c017a3feacd546a39790f244
-  data.tar.gz: a63cf7c90b42f1d8f2ce6df8f46e4867e0f081f7073d5696704271502527a6385a330fa7413cc11dae95d72e8c30a35fade40bf9d1c878109a55a14977bc3f4d
+  metadata.gz: 125c2457aca08f4f1476db595f465a85c1b2d9dfa22634502b398456aeb0816436563372a42a1c2182a731a87b7c8552bb4429b775bd2b6f320fbc86bd74d5b3
+  data.tar.gz: bd3ed3832febd22d4f6038ee8e3bf2db7471f9bbc62a77bb8934ee0904681050b072b67c12d8bccac3b2eebc8e52c8f06f06c32cf0407be6fb9f0008248f0834

data/README.md

@@ -2,12 +2,20 @@
 
 # Console1984
 
-Console1984 is an extension for Rails consoles that protects sensitive accesses and makes them auditable.
+A Rails console extension that protects sensitive accesses and makes them auditable.
+
+> “If you want to keep a secret, you must also hide it from yourself.”
+>
+> ― George Orwell, 1984
 
 If you are looking for the auditing tool, check [`audits1984`](https://github.com/basecamp/audits1984).
 
+![Terminal screenshot showing console1984 asking for a reason for the session](docs/images/console-session-reason.png)
+
 ## Installation
 
+**Important:** `console1984` depends on [Active Record encryption](https://edgeguides.rubyonrails.org/active_record_encryption.html) which is a Rails 7 feature. Since no gem for Rails 7 has been released yet, you need to run Rails edge in your project (point the gem to latest `main` in the [repo](https://github.com/rails/rails)).
+
 Add it to your `Gemfile`:
 
 ```ruby
@@ -33,7 +41,21 @@ config.console1984.protected_environments = %i[ production staging ]
 
 When starting a console session, it will ask for a reason. Internally, it will use this reason to document the console session and record all the commands executed in it.
 
-![console-session-reason](docs/images/console-session-reason.png)
+```
+$ rails c
+
+You have access to production data here. That's a big deal. As part of our promise to keep customer data safe and private, we audit the commands you type here. Let's get started!
+
+
+
+Commands:
+
+* decrypt!: enter unprotected mode with access to encrypted information
+
+Unnamed, why are you using this console today?
+
+> ...
+```
 
 ### Auditing sessions
 
@@ -41,23 +63,58 @@ Check out [`audits1984`](https://github.com/basecamp/audits1984), a companion au
 
 ### Access to encrypted data
 
-By default, `console1984` won't decrypt data encrypted with [Active Record encryption](https://edgeguides.rubyonrails.org/active_record_encryption.html).
+By default, `console1984` won't decrypt data encrypted with [Active Record encryption](https://edgeguides.rubyonrails.org/active_record_encryption.html). Users will just see the ciphertexts.
 
 To decrypt data, enter the command `decrypt!`. It will ask for a justification, and these accesses will be flagged internally as sensitive.
 
-![console-session-reason](docs/images/console-decrypt.png)
+```ruby
+irb(main)> Topic.last.name
+  Topic Load (1.4ms)  SELECT `topics`.* FROM `topics` ORDER BY `topics`.`id` DESC LIMIT 1
+=> "{\"p\":\"iu6+LfnNlurC6sL++JyOIDvedjNSz/AvnZQ=\",\"h\":{\"iv\":\"BYa86+JNM/LdkC18\",\"at\":\"r4sQNoSyIlAjJdZEKHVMow==\",\"k\":{\"p\":\"7L1l/5UiYsFQqqo4jfMZtLwp90KqcrIgS7HqgteVjuM=\",\"h\":{\"iv\":\"ItwRYxZAerKIoSZ8\",\"at\":\"ZUSNVfvtm4wAYWLBKRAx/g==\",\"e\":\"QVNDSUktOEJJVA==\"}},\"i\":\"OTdiOQ==\"}}"
+irb(main)> decrypt!
+```
+
+```
+Before you can access personal information, you need to ask for and get explicit consent from the user(s). Unnamed, where can we find this consent (a URL would be great)?
+
+> ...
+
+Ok! You have access to encrypted information now. We pay extra close attention to any commands entered while you have this access. You can go back to protected mode with 'encrypt!'
+
+WARNING: Make sure you don`t save objects that were loaded while in protected mode, as this can result in saving the encrypted texts.
+```
+
+```ruby
+irb(main)> Topic.last.name
+  Topic Load (1.2ms)  SELECT `topics`.* FROM `topics` ORDER BY `topics`.`id` DESC LIMIT 1
+=> "Thanks for the inspiration"
+```
 
 You can type `encrypt!` to go back to protected mode again.
 
-![console-session-reason](docs/images/console-encrypt.png)
+```ruby
+irb(main):004:0> encrypt!
+```
+
+```
+Great! You are back in protected mode. When we audit, we may reach out for a conversation about the commands you entered. What went well? Did you solve the problem without accessing personal data?
+```
+
+```ruby
+irb(main)> Topic.last.name
+  Topic Load (1.4ms)  SELECT `topics`.* FROM `topics` ORDER BY `topics`.`id` DESC LIMIT 1
+=> "{\"p\":\"iu6+LfnNlurC6sL++JyOIDvedjNSz/AvnZQ=\",\"h\":{\"iv\":\"BYa86+JNM/LdkC18\",\"at\":\"r4sQNoSyIlAjJdZEKHVMow==\",\"k\":{\"p\":\"7L1l/5UiYsFQqqo4jfMZtLwp90KqcrIgS7HqgteVjuM=\",\"h\":{\"iv\":\"ItwRYxZAerKIoSZ8\",\"at\":\"ZUSNVfvtm4wAYWLBKRAx/g==\",\"e\":\"QVNDSUktOEJJVA==\"}},\"i\":\"OTdiOQ==\"}}"
+```
 
 While in protected mode, you can't modify encrypted data, but can save unencrypted attributes normally. If you try to modify an encrypted column it will raise an error:
 
-![console-session-reason](docs/images/console-protect-urls.png)
+```ruby
+irb(main)> Rails.cache.read("some key") # raises Console1984::Errors::ProtectedConnection
+```
 
 ### Access to external systems
 
-While Active Record encryption can protect personal information in the database, are other systems can contain very sensitive information. For example: Elasticsearch indexing user information or Redis caching template fragments.
+While Active Record encryption can protect personal information in the database, there are other systems can contain very sensitive information. For example: Elasticsearch indexing user information or Redis caching template fragments.
 
 To protect the access to such systems, you can add their URLs to `config.console1984.protected_urls` in the corresponding environment config file (e.g: `production.rb`):
 
@@ -69,18 +126,33 @@ As with encryption data, running `decrypt!` will let you access these systems no
 
 This will work for systems that use Ruby sockets as the underlying communication mechanism.
 
+### Automatic scheduled incineration for sessions
+
+By default, sessions will be incinerated with a job 30 days after they are created. You can configure this period by setting `config.console1984.incinerate_after = 1.year` and you can disable incineration completely by setting `config.console1984.incinerate = false`.
+
+### Eager loading
+
+When starting a console session, `console1984` will eager load all the application classes if necessary. In practice, production environments already load classes eagerly, so this won't represent any change for those.  
+
 ## Configuration
 
 These config options are namespaced in `config.console1984`:
 
-| Name                     | Description                                                  |
-| ------------------------ | ------------------------------------------------------------ |
-| `protected_environments` | The list of environments where `console1984` will act on. Defaults to `%i[ production ]` |
-| `protected_urls`         | The list of URLs corresponding with external systems to protect. |
-| `session_logger`         | The system used to record session data. The default logger is `Console1984::SessionsLogger::Database`. |
-| `username_resolver`      | Configure an object responsible of resolving the current database username. The default is `Console1984::Username::EnvResolver.new("CONSOLE_USER")`, which returns the value of the environment variable `CONSOLE_USER`. |
+| Name                                        | Description                                                  |
+| ------------------------------------------- | ------------------------------------------------------------ |
+| `protected_environments`                    | The list of environments where `console1984` will act on. Defaults to `%i[ production ]`. |
+| `protected_urls`                            | The list of URLs corresponding with external systems to protect. |
+| `session_logger`                            | The system used to record session data. The default logger is `Console1984::SessionsLogger::Database`. |
+| `username_resolver`                         | Configure how the current user is determined for a given console session. The default is `Console1984::Username::EnvResolver.new("CONSOLE_USER")`, which returns the value of the environment variable `CONSOLE_USER`. |
+| `production_data_warning`                   | The text to show when a console session starts.              |
+| `enter_unprotected_encryption_mode_warning` | The text to show when user enters into unprotected mode.     |
+| `enter_protected_mode_warning`              | The text to show when user go backs to protected mode.       |
+| `incinerate`                                | Whether incinerate sessions automatically after a period of time or not. Default to `true`. |
+| `incinerate_after`                          | The period to keep sessions around before incinerate them. Default `30.days`. |
+| `incineration_queue`                        | The name of the queue for session incineration jobs. Default `console1984_incineration`. |
 
 ## About built-in protection mechanisms
 
 `console1984` uses Ruby to add several protection mechanisms. However, because Ruby is highly dynamic, it's technically possible to circumvent most of these controls if you know what you are doing. We have made an effort to prevent such attempts, but if your organization needs bullet-proof protection against malicious actors using the console, you should consider additional security measures.
 
+The current version includes protection mechanisms to avoid tampering the tables that store console sessions. A definitive mechanism to do this would be using a read only connection when user commands are evaluated. Implementing such scheme is possible by writing a custom session logger and leveraging Rails' multi-database support. We would like that future versions of `console1984` supported this scheme directly as a configuration option.

data/lib/console1984/commands.rb

@@ -1,4 +1,6 @@
 module Console1984::Commands
+  include Console1984::Freezeable
+
   def decrypt!
     supervisor.enable_access_to_encrypted_content
   end
@@ -11,6 +13,4 @@ module Console1984::Commands
     def supervisor
       Console1984.supervisor
     end
-
-    include Console1984::FrozenMethods
 end

data/lib/console1984/config.rb

@@ -1,13 +1,13 @@
 # Container for config options.
 class Console1984::Config
-  include Console1984::Messages
+  include Console1984::Freezeable, Console1984::Messages
 
   PROPERTIES = %i[
     session_logger username_resolver
     protected_environments protected_urls
     production_data_warning enter_unprotected_encryption_mode_warning enter_protected_mode_warning
     incinerate incinerate_after incineration_queue
-    debug freeze_config
+    debug test_mode
   ]
 
   attr_accessor(*PROPERTIES)
@@ -23,7 +23,7 @@ class Console1984::Config
   end
 
   def freeze
-    super if freeze_config
+    super
     protected_urls.freeze
   end
 
@@ -44,6 +44,6 @@ class Console1984::Config
       self.incineration_queue = "console1984_incineration"
 
       self.debug = false
-      self.freeze_config = true
+      self.test_mode = false
     end
 end

data/lib/console1984/engine.rb

@@ -17,13 +17,9 @@ module Console1984
     console do
       Console1984.config.set_from(config.console1984)
 
-      Console1984.supervisor.start if Console1984.running_protected_environment?
-
-      class OpenSSL::SSL::SSLSocket
-        # Make it serve remote address as TCPSocket so that our extension works for it
-        def remote_address
-          Addrinfo.getaddrinfo(hostname, 443).first
-        end
+      if Console1984.running_protected_environment?
+        Console1984.supervisor.install
+        Console1984.supervisor.start
       end
     end
   end

data/lib/console1984/errors.rb

@@ -9,6 +9,6 @@ module Console1984
 
     class ForbiddenCommand < StandardError; end
     class ForbiddenIncineration < StandardError; end
-    class ForbiddenClassManipulation < StandardError; end
+    class ForbiddenCodeManipulation < StandardError; end
   end
 end

data/lib/console1984/freezeable.rb

@@ -0,0 +1,54 @@
+# Prevents adding new methods to classes.
+#
+# This prevents manipulating certain Console1984 classes
+# during a console session.
+module Console1984::Freezeable
+  extend ActiveSupport::Concern
+
+  mattr_reader :to_freeze, default: Set.new
+
+  included do
+    Console1984::Freezeable.to_freeze << self
+  end
+
+  class_methods do
+    SENSITIVE_INSTANCE_METHODS = %i[ instance_variable_set ]
+
+    def prevent_sensitive_overrides
+      SENSITIVE_INSTANCE_METHODS.each do |method|
+        prevent_sensitive_method method
+      end
+    end
+
+    private
+      def prevent_sensitive_method(method_name)
+        define_method method_name do |*arguments|
+          raise Console1984::Errors::ForbiddenCodeManipulation, "You can't invoke #{method_name} on #{self}"
+        end
+      end
+  end
+
+  class << self
+    def freeze_all
+      class_and_modules_to_freeze.each do |class_or_module|
+        freeze_class_or_module(class_or_module)
+      end
+    end
+
+    private
+      def class_and_modules_to_freeze
+        with_descendants(to_freeze)
+      end
+
+      def freeze_class_or_module(class_or_module)
+        class_or_module.prevent_sensitive_overrides
+        class_or_module.freeze
+      end
+
+      def with_descendants(classes_and_modules)
+        classes_and_modules + classes_and_modules.grep(Class).flat_map(&:descendants)
+      end
+  end
+
+  freeze
+end

data/lib/console1984/protected_auditable_tables.rb

@@ -1,29 +1,30 @@
-module Console1984
-  # Prevents accessing trail model tables when executing console commands.
-  module ProtectedAuditableTables
-    %i[ execute exec_query exec_insert exec_delete exec_update exec_insert_all ].each do |method|
-      define_method method do |*args|
-        sql = args.first
-        if Console1984.supervisor.executing_user_command? && sql =~ auditable_tables_regexp
-          raise Console1984::Errors::ForbiddenCommand, "#{sql}"
-        else
-          super(*args)
-        end
+# Prevents accessing trail model tables when executing console commands.
+module Console1984::ProtectedAuditableTables
+  include Console1984::Freezeable
+
+  %i[ execute exec_query exec_insert exec_delete exec_update exec_insert_all ].each do |method|
+    define_method method do |*args, **kwargs|
+      sql = args.first
+      if Console1984.supervisor.executing_user_command? && sql =~ auditable_tables_regexp
+        raise Console1984::Errors::ForbiddenCommand, "#{sql}"
+      else
+        super(*args, **kwargs)
       end
     end
+  end
 
-    private
-      AUDITABLE_MODELS = [ Console1984::User, Console1984::Session, Console1984::Command, Console1984::SensitiveAccess ]
+  private
+    def auditable_tables_regexp
+      @auditable_tables_regexp ||= Regexp.new("#{auditable_tables.join("|")}")
+    end
 
-      def auditable_tables_regexp
-        @auditable_tables_regexp ||= Regexp.new("#{auditable_tables.join("|")}")
-      end
+    def auditable_tables
+      @auditable_tables ||= auditable_models.collect(&:table_name)
+    end
 
-      def auditable_tables
-        # TODO: Not using Console1984::Base.descendants during development to make this work without eager loading
-        @auditable_tables ||= AUDITABLE_MODELS.collect(&:table_name)
-      end
-  end
+    def auditable_models
+      @auditable_models ||= Console1984::Base.descendants
+    end
 
-  include Console1984::FrozenMethods
+    include Console1984::Freezeable
 end

data/lib/console1984/protected_context.rb

@@ -1,4 +1,6 @@
 module Console1984::ProtectedContext
+  include Console1984::Freezeable
+
   # This method is invoked for showing returned objects in the console
   # Overridden to make sure their evaluation is supervised.
   def inspect_last_value
@@ -14,5 +16,5 @@ module Console1984::ProtectedContext
     end
   end
 
-  include Console1984::FrozenMethods
+  include Console1984::Freezeable
 end

data/lib/console1984/protected_object.rb

@@ -0,0 +1,15 @@
+module Console1984::ProtectedObject
+  extend ActiveSupport::Concern
+
+  include Console1984::Freezeable
+
+  class_methods do
+    def const_get(*arguments)
+      if Console1984.supervisor.executing_user_command? && arguments.first.to_s =~ /Console1984|ActiveRecord/
+        raise Console1984::Errors::ForbiddenCommand
+      else
+        super
+      end
+    end
+  end
+end

data/lib/console1984/protected_tcp_socket.rb

@@ -1,5 +1,7 @@
 # Wraps socket methods to execute supervised.
 module Console1984::ProtectedTcpSocket
+  include Console1984::Freezeable
+
   def write(*args)
     protecting do
       super
@@ -55,5 +57,5 @@ module Console1984::ProtectedTcpSocket
       end
     end
 
-    include Console1984::FrozenMethods
+    include Console1984::Freezeable
 end

data/lib/console1984/sessions_logger/database.rb

@@ -1,11 +1,13 @@
 # A session logger that saves audit trails in the database.
 class Console1984::SessionsLogger::Database
+  include Console1984::Freezeable
+
   attr_reader :current_session, :current_sensitive_access
 
   def start_session(username, reason)
     silence_logging do
-      user = Console1984::User.create_or_find_by!(username: username)
-      @current_session = user.sessions.create! reason: reason
+      user = Console1984::User.find_or_create_by!(username: username)
+      @current_session = user.sessions.create!(reason: reason)
     end
   end
 

data/lib/console1984/supervisor/accesses/protected.rb

@@ -1,4 +1,6 @@
 class Console1984::Supervisor::Accesses::Protected
+  include Console1984::Freezeable
+
   def execute(&block)
     Console1984.protecting(&block)
   end

data/lib/console1984/supervisor/accesses/unprotected.rb

@@ -1,4 +1,6 @@
 class Console1984::Supervisor::Accesses::Unprotected
+  include Console1984::Freezeable
+
   def execute(&block)
     block.call
   end

data/lib/console1984/supervisor/accesses.rb

@@ -1,5 +1,5 @@
 module Console1984::Supervisor::Accesses
-  include Console1984::Messages
+  include Console1984::Messages, Console1984::Freezeable
 
   PROTECTED_ACCESS = Protected.new
   UNPROTECTED_ACCESS = Unprotected.new

data/lib/console1984/supervisor/executor.rb

@@ -1,13 +1,16 @@
 module Console1984::Supervisor::Executor
   extend ActiveSupport::Concern
 
+  include Console1984::Freezeable
+
   def execute_supervised(commands, &block)
     run_system_command { session_logger.before_executing commands }
+    validate_commands(commands)
     execute(&block)
-  rescue Console1984::Errors::ForbiddenCommand, Console1984::Errors::ForbiddenClassManipulation
-    puts "Forbidden command attempted: #{commands.join("\n")}"
-    run_system_command { session_logger.suspicious_commands_attempted commands }
-    nil
+  rescue Console1984::Errors::ForbiddenCommand, Console1984::Errors::ForbiddenCodeManipulation, FrozenError
+    flag_forbidden(commands)
+  rescue FrozenError
+    flag_forbidden(commands)
   ensure
     run_system_command { session_logger.after_executing commands }
   end
@@ -23,6 +26,12 @@ module Console1984::Supervisor::Executor
   end
 
   private
+    def flag_forbidden(commands)
+      puts "Forbidden command attempted: #{commands.join("\n")}"
+      run_system_command { session_logger.suspicious_commands_attempted commands }
+      nil
+    end
+
     def run_user_command(&block)
       run_command true, &block
     end
@@ -31,6 +40,21 @@ module Console1984::Supervisor::Executor
       run_command false, &block
     end
 
+    def validate_commands(commands)
+      if Array(commands).find { |command| forbidden_command?(command) }
+        raise Console1984::Errors::ForbiddenCommand
+      end
+    end
+
+    def forbidden_command?(command)
+      # This is a first protection layer. Very simple for now. We'll likely make this
+      # more sophisticated and configurable in future versions.
+      #
+      # We can't use our +Freezable+ concern in ActiveRecord since it relies on code
+      # generation on the fly.
+      command =~ /Console1984|console_1984|(class|module)\s+ActiveRecord::/
+    end
+
     def run_command(run_by_user, &block)
       original_value = @executing_user_command
       @executing_user_command = run_by_user

data/lib/console1984/supervisor/input_output.rb

@@ -1,5 +1,5 @@
 module Console1984::Supervisor::InputOutput
-  include Console1984::Messages
+  include Console1984::Freezeable, Console1984::Messages
 
   private
     def show_welcome_message

data/lib/console1984/supervisor/protector.rb

@@ -1,13 +1,20 @@
 module Console1984::Supervisor::Protector
   extend ActiveSupport::Concern
 
+  include Console1984::Freezeable
+
   private
     def extend_protected_systems
+      extend_object
       extend_irb
       extend_active_record
       extend_socket_classes
     end
 
+    def extend_object
+      Object.prepend Console1984::ProtectedObject
+    end
+
     def extend_irb
       IRB::Context.prepend(Console1984::ProtectedContext)
       Rails::ConsoleMethods.include(Console1984::Commands)
@@ -20,18 +27,29 @@ module Console1984::Supervisor::Protector
         if Object.const_defined?(class_string)
           klass = class_string.constantize
           klass.prepend(Console1984::ProtectedAuditableTables)
+          klass.include(Console1984::Freezeable)
         end
       end
     end
 
     def extend_socket_classes
       socket_classes = [TCPSocket, OpenSSL::SSL::SSLSocket]
+      OpenSSL::SSL::SSLSocket.include(SSLSocketRemoteAddress)
+
       if defined?(Redis::Connection)
         socket_classes.push(*[Redis::Connection::TCPSocket, Redis::Connection::SSLSocket])
       end
 
       socket_classes.compact.each do |socket_klass|
         socket_klass.prepend Console1984::ProtectedTcpSocket
+        socket_klass.freeze
+      end
+    end
+
+    module SSLSocketRemoteAddress
+      # Make it serve remote address as TCPSocket so that our extension works for it
+      def remote_address
+        Addrinfo.getaddrinfo(hostname, 443).first
       end
     end
 end

data/lib/console1984/supervisor.rb

@@ -3,14 +3,17 @@ require 'rails/console/app'
 
 # Protects console sessions and executes code in supervised mode.
 class Console1984::Supervisor
-  include Accesses, InputOutput, Executor, Protector
+  include Accesses, Console1984::Freezeable, Executor, InputOutput, Protector
+
+  def install
+    extend_protected_systems
+    freeze_all
+  end
 
   # Starts a console session extending IRB and several systems to inject
   # the protection logic, and notifies the session logger to record the
   # session.
   def start
-    Console1984.config.freeze
-    extend_protected_systems
     disable_access_to_encrypted_content(silent: true)
 
     show_welcome_message
@@ -31,6 +34,17 @@ class Console1984::Supervisor
       session_logger.finish_session
     end
 
+    def freeze_all
+      eager_load_all_classes
+      Console1984.config.freeze unless Console1984.config.test_mode
+      Console1984::Freezeable.freeze_all
+    end
+
+    def eager_load_all_classes
+      Rails.application.eager_load! unless Rails.application.config.eager_load
+      Console1984.class_loader.eager_load
+    end
+
     def session_logger
       Console1984.session_logger
     end
@@ -43,5 +57,5 @@ class Console1984::Supervisor
       Console1984.username_resolver
     end
 
-    include Console1984::FrozenMethods
+    include Console1984::Freezeable
 end

data/lib/console1984/username/env_resolver.rb

@@ -1,6 +1,8 @@
 # A username resolver that returns the value of a given
 # environment variable.
 class Console1984::Username::EnvResolver
+  include Console1984::Freezeable
+
   def initialize(key)
     @key = key
   end

data/lib/console1984/version.rb

@@ -1,3 +1,3 @@
 module Console1984
-  VERSION = '0.1.2'
+  VERSION = '0.1.6'
 end

data/lib/console1984.rb

@@ -1,14 +1,15 @@
 require 'console1984/engine'
 
 require "zeitwerk"
-loader = Zeitwerk::Loader.for_gem
-loader.setup
+class_loader = Zeitwerk::Loader.for_gem
+class_loader.setup
 
 module Console1984
-  include Messages
+  include Messages, Freezeable
 
-  mattr_reader :supervisor, default: Supervisor.new
+  mattr_accessor :supervisor, default: Supervisor.new
   mattr_reader :config, default: Config.new
+  mattr_accessor :class_loader
 
   thread_mattr_accessor :currently_protected_urls, default: []
 
@@ -37,3 +38,5 @@ module Console1984
       end
   end
 end
+
+Console1984.class_loader = class_loader

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: console1984
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.1.6
 platform: ruby
 authors:
 - Jorge Manrubia
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-08-18 00:00:00.000000000 Z
+date: 2021-08-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: colorize
@@ -160,10 +160,11 @@ files:
 - lib/console1984/config.rb
 - lib/console1984/engine.rb
 - lib/console1984/errors.rb
-- lib/console1984/frozen_methods.rb
+- lib/console1984/freezeable.rb
 - lib/console1984/messages.rb
 - lib/console1984/protected_auditable_tables.rb
 - lib/console1984/protected_context.rb
+- lib/console1984/protected_object.rb
 - lib/console1984/protected_tcp_socket.rb
 - lib/console1984/sessions_logger/database.rb
 - lib/console1984/supervisor.rb

data/lib/console1984/frozen_methods.rb

@@ -1,17 +0,0 @@
-# Prevents adding new methods to classes.
-#
-# This prevents manipulating certain Console1984 classes
-# during a console session.
-module Console1984::FrozenMethods
-  extend ActiveSupport::Concern
-
-  module ClassMethods
-    def method_added(method_name)
-      raise Console1984::Errors::ForbiddenClassManipulation, "Can't override #{name}##{method_name}"
-    end
-
-    def singleton_method_added(method_name)
-      raise Console1984::Errors::ForbiddenClassManipulation, "Can't override #{name}.#{method_name}"
-    end
-  end
-end