console1984 0.1.4 → 0.1.8

data/lib/console1984/config.rb

@@ -1,13 +1,18 @@
 # Container for config options.
+#
+# These config options are accessible via first-level reader methods at Console1984.
 class Console1984::Config
-  include Console1984::Messages
+  include Console1984::Freezeable, Console1984::Messages
+
+  PROTECTIONS_CONFIG_FILE_PATH = Console1984::Engine.root.join("config/protections.yml")
 
   PROPERTIES = %i[
-    session_logger username_resolver
+    session_logger username_resolver shield command_executor
     protected_environments protected_urls
     production_data_warning enter_unprotected_encryption_mode_warning enter_protected_mode_warning
     incinerate incinerate_after incineration_queue
-    debug freeze_config
+    protections_config
+    debug test_mode
   ]
 
   attr_accessor(*PROPERTIES)
@@ -22,18 +27,25 @@ class Console1984::Config
     end
   end
 
+  # Initialize lazily so that it only gets instantiated during console sessions
+  def protections_config
+    @protections_config ||= Console1984::ProtectionsConfig.new(YAML.safe_load(File.read(PROTECTIONS_CONFIG_FILE_PATH)).symbolize_keys)
+  end
+
   def freeze
-    super if freeze_config
-    protected_urls.freeze
+    super
+    [ protected_urls, protections_config ].each(&:freeze)
   end
 
   private
     def set_defaults
-      self.protected_environments = []
-      self.protected_urls = []
-
       self.session_logger = Console1984::SessionsLogger::Database.new
       self.username_resolver = Console1984::Username::EnvResolver.new("CONSOLE_USER")
+      self.shield = Console1984::Shield.new
+      self.command_executor = Console1984::CommandExecutor.new
+
+      self.protected_environments = []
+      self.protected_urls = []
 
       self.production_data_warning = DEFAULT_PRODUCTION_DATA_WARNING
       self.enter_unprotected_encryption_mode_warning = DEFAULT_ENTER_UNPROTECTED_ENCRYPTION_MODE_WARNING
@@ -44,6 +56,6 @@ class Console1984::Config
       self.incineration_queue = "console1984_incineration"
 
       self.debug = false
-      self.freeze_config = true
+      self.test_mode = false
     end
 end

data/lib/console1984/engine.rb

@@ -10,20 +10,18 @@ module Console1984
 
     initializer "console1984.config" do
       config.console1984.each do |key, value|
-        Console1984.config.send("#{key}=", value) unless %i[ protected_urls protected_environments ].include?(key.to_sym)
+        Console1984.config.send("#{key}=", value)
       end
     end
 
+    # Console 1984 setup happens when a console is started. Just including the
+    # gem won't install any protection mechanisms.
     console do
       Console1984.config.set_from(config.console1984)
 
-      Console1984.supervisor.start if Console1984.running_protected_environment?
-
-      class OpenSSL::SSL::SSLSocket
-        # Make it serve remote address as TCPSocket so that our extension works for it
-        def remote_address
-          Addrinfo.getaddrinfo(hostname, 443).first
-        end
+      if Console1984.running_protected_environment?
+        Console1984.supervisor.install
+        Console1984.supervisor.start
       end
     end
   end

data/lib/console1984/errors.rb

@@ -1,5 +1,6 @@
 module Console1984
   module Errors
+    # Attempt to access a protected url while in protected mode.
     class ProtectedConnection < StandardError
       def initialize(details)
         super "A connection attempt was prevented because it represents a sensitive access."\
@@ -7,8 +8,16 @@ module Console1984
       end
     end
 
+    # Attempt to execute a command that is not allowed. The system won't
+    # execute such commands and will flag them as sensitive.
     class ForbiddenCommand < StandardError; end
+
+    # A suspicious command was executed. The command will be flagged but the system
+    # will let it run.
+    class SuspiciousCommand < StandardError; end
+
+    # Attempt to incinerate a session ahead of time as determined by
+    # +config.console1984.incinerate_after+.
     class ForbiddenIncineration < StandardError; end
-    class ForbiddenClassManipulation < StandardError; end
   end
 end

data/lib/console1984/ext/active_record/protected_auditable_tables.rb

@@ -0,0 +1,28 @@
+# Prevents accessing trail model tables when executing console commands.
+module Console1984::Ext::ActiveRecord::ProtectedAuditableTables
+  include Console1984::Freezeable
+
+  %i[ execute exec_query exec_insert exec_delete exec_update exec_insert_all ].each do |method|
+    define_method method do |*args, **kwargs|
+      sql = args.first
+      if Console1984.command_executor.executing_user_command? && sql =~ auditable_tables_regexp
+        raise Console1984::Errors::ForbiddenCommand, "#{sql}"
+      else
+        super(*args, **kwargs)
+      end
+    end
+  end
+
+  private
+    def auditable_tables_regexp
+      @auditable_tables_regexp ||= Regexp.new("#{auditable_tables.join("|")}")
+    end
+
+    def auditable_tables
+      @auditable_tables ||= Console1984.command_executor.run_as_system { auditable_models.collect(&:table_name) }
+    end
+
+    def auditable_models
+      @auditable_models ||= Console1984::Base.descendants
+    end
+end

data/lib/console1984/ext/core/module.rb

@@ -0,0 +1,15 @@
+# Extends +Module+ to prevent invoking class_eval in user commands.
+#
+# We don't use the built-in configurable system from protections.yml because we use
+# class_eval ourselves to implement it!
+module Console1984::Ext::Core::Module
+  extend ActiveSupport::Concern
+
+  def instance_eval(*)
+    if Console1984.command_executor.executing_user_command?
+      raise Console1984::Errors::ForbiddenCommand
+    else
+      super
+    end
+  end
+end

data/lib/console1984/ext/core/object.rb

@@ -0,0 +1,43 @@
+# Prevents loading forbidden classes dynamically.
+#
+# There are classes that we don't want to allow loading dynamically
+# during a console session. For example, we don't want users to reference
+# the constant +Console1984+. We will prevent a direct constant reference
+# but users could still do:
+#
+#    MyConstant = ("Con" + "sole1984").constantize
+#
+# We prevent this by extending +Object#const_get+.
+module Console1984::Ext::Core::Object
+  extend ActiveSupport::Concern
+
+  include Console1984::Freezeable
+  self.prevent_instance_data_manipulation_after_freezing = false
+
+  class_methods do
+    def const_get(*arguments)
+      if Console1984.command_executor.executing_user_command?
+        begin
+          # To validate if it's an invalid constant, we try to declare a class with it.
+          # We essentially leverage Console1984::CommandValidator::ForbiddenReopeningValidation here:
+          # We don't let referencing constants referring modules or classes we don't allow to extend.
+          #
+          # See the list +forbidden_reopening+ in +config/command_protections.yml+.
+          Console1984.command_executor.validate_command("class #{arguments.first}; end")
+          super
+        rescue Console1984::Errors::ForbiddenCommand
+          raise
+        rescue StandardError
+          super
+        end
+      else
+        super
+      end
+    end
+  end
+
+  private
+    def banned_dynamic_constant_declaration?(arguments)
+      Console1984.command_executor.validate_command("class #{arguments.first}; end")
+    end
+end

data/lib/console1984/ext/irb/commands.rb

@@ -0,0 +1,16 @@
+# Add Console 1984 commands to IRB sessions.
+module Console1984::Ext::Irb::Commands
+  include Console1984::Freezeable
+
+  delegate :shield, to: Console1984
+
+  # Enter {unprotected mode}[rdoc-ref:Console1984::Shield::Modes] mode.
+  def decrypt!
+    shield.enable_unprotected_mode
+  end
+
+  # Enter {protected mode}[rdoc-ref:Console1984::Shield::Modes] mode.
+  def encrypt!
+    shield.enable_protected_mode
+  end
+end

data/lib/console1984/ext/irb/context.rb

@@ -0,0 +1,20 @@
+# Extends IRB execution contexts to hijack execution attempts and
+# pass them through Console1984.
+module Console1984::Ext::Irb::Context
+  include Console1984::Freezeable
+
+  # This method is invoked for showing returned objects in the console
+  # Overridden to make sure their evaluation is supervised.
+  def inspect_last_value
+    Console1984.command_executor.execute_in_protected_mode do
+      super
+    end
+  end
+
+  #
+  def evaluate(line, line_no, exception: nil)
+    Console1984.command_executor.execute(Array(line)) do
+      super
+    end
+  end
+end

data/lib/console1984/{protected_tcp_socket.rb → ext/socket/tcp_socket.rb}

@@ -1,5 +1,7 @@
-# Wraps socket methods to execute supervised.
-module Console1984::ProtectedTcpSocket
+# Wraps socket methods to execute supervised when {protected mode}[rdoc-ref:Console1984::Shield::Modes].
+module Console1984::Ext::Socket::TcpSocket
+  include Console1984::Freezeable
+
   def write(*args)
     protecting do
       super
@@ -26,12 +28,16 @@ module Console1984::ProtectedTcpSocket
     end
 
     def protected_addresses
-      @protected_addresses ||= Console1984.currently_protected_urls.collect do |url|
+      @protected_addresses ||= protected_urls.collect do |url|
         host, port = host_and_port_from(url)
         Array(Addrinfo.getaddrinfo(host, port)).collect { |addrinfo| ComparableAddress.new(addrinfo) if addrinfo.ip_address }
       end.flatten.compact.uniq
     end
 
+    def protected_urls
+      Console1984::Shield::Modes::PROTECTED_MODE.currently_protected_urls || []
+    end
+
     def host_and_port_from(url)
       URI(url).then do |parsed_uri|
         if parsed_uri.host
@@ -55,5 +61,5 @@ module Console1984::ProtectedTcpSocket
       end
     end
 
-    include Console1984::FrozenMethods
+    include Console1984::Freezeable
 end

data/lib/console1984/freezeable.rb

@@ -0,0 +1,70 @@
+# Prevents adding new methods to classes, changing class-state or
+# accessing/overridden instance variables via reflection. This is meant to
+# prevent manipulating certain Console1984 classes during a console session.
+#
+# Notice this won't prevent every state-modification command. You should
+# handle special cases by overriding +#freeze+ (if necessary) and invoking
+# freezing on the instance when it makes sense.
+#
+# For example: check Console1984::Config#freeze and Console1984::Shield#freeze_all.
+#
+# The "freezing" doesn't materialize when the mixin is included. When mixed in, it
+# will store the host class or module in a list. Then a call to Console1984::Freezeable.freeze_all
+# will look through all the modules/classes freezing them. This way, we can control
+# the moment where we stop classes from being modifiable at setup time.
+module Console1984::Freezeable
+  mattr_reader :to_freeze, default: Set.new
+
+  # Not using ActiveSupport::Concern because a bunch of classes skip its +.invoked+ hook which
+  # is terrible for our purposes. This happened because it was being included in parent classes
+  # (such as Object), so it was skipping the include block.
+  def self.included(base)
+    Console1984::Freezeable.to_freeze << base
+    base.extend ClassMethods
+
+    # Flag to control manipulating instance data via instance_variable_get and instance_variable_set.
+    # true by default.
+    base.thread_mattr_accessor :prevent_instance_data_manipulation_after_freezing, default: true
+  end
+
+  module ClassMethods
+    SENSITIVE_INSTANCE_METHODS = %i[ instance_variable_get instance_variable_set ]
+
+    def prevent_instance_data_manipulation
+      SENSITIVE_INSTANCE_METHODS.each do |method|
+        prevent_sensitive_method method
+      end
+    end
+
+    private
+      def prevent_sensitive_method(method_name)
+        define_method method_name do |*arguments|
+          raise Console1984::Errors::ForbiddenCommand, "You can't invoke #{method_name} on #{self}"
+        end
+      end
+  end
+
+  class << self
+    def freeze_all
+      class_and_modules_to_freeze.each do |class_or_module|
+        freeze_class_or_module(class_or_module)
+      end
+    end
+
+    private
+      def class_and_modules_to_freeze
+        with_descendants(to_freeze)
+      end
+
+      def freeze_class_or_module(class_or_module)
+        class_or_module.prevent_instance_data_manipulation if class_or_module.prevent_instance_data_manipulation_after_freezing
+        class_or_module.freeze
+      end
+
+      def with_descendants(classes_and_modules)
+        classes_and_modules + classes_and_modules.grep(Class).flat_map(&:descendants)
+      end
+  end
+
+  freeze
+end

data/lib/console1984/{supervisor/input_output.rb → input_output.rb}

@@ -1,5 +1,5 @@
-module Console1984::Supervisor::InputOutput
-  include Console1984::Messages
+module Console1984::InputOutput
+  include Console1984::Freezeable, Console1984::Messages
 
   private
     def show_welcome_message
@@ -16,7 +16,13 @@ module Console1984::Supervisor::InputOutput
     end
 
     def show_commands
-      puts COMMANDS_HELP
+      puts <<~TXT
+
+      Commands:
+
+      #{COMMANDS.collect { |command, help_line| "* #{ColorizedString.new(command.to_s).light_blue}: #{help_line}" }.join("\n")}
+
+      TXT
     end
 
     def show_warning(message)

data/lib/console1984/messages.rb

@@ -1,5 +1,3 @@
-require 'colorized_string'
-
 module Console1984::Messages
   DEFAULT_PRODUCTION_DATA_WARNING = <<~TXT
 
@@ -19,12 +17,4 @@ module Console1984::Messages
   COMMANDS = {
       "decrypt!": "enter unprotected mode with access to encrypted information"
   }
-
-  COMMANDS_HELP = <<~TXT
-
-  Commands:
-
-  #{COMMANDS.collect { |command, help_line| "* #{ColorizedString.new(command.to_s).light_blue}: #{help_line}" }.join("\n")}
-
-  TXT
 end

data/lib/console1984/protections_config.rb

@@ -0,0 +1,17 @@
+class Console1984::ProtectionsConfig
+  include Console1984::Freezeable
+
+  delegate :static_validations, to: :instance
+
+  attr_reader :config
+
+  def initialize(config)
+    @config = config
+  end
+
+  %i[ static_validations forbidden_methods ].each do |method_name|
+    define_method method_name do
+      config[method_name].symbolize_keys
+    end
+  end
+end

data/lib/console1984/refrigerator.rb

@@ -0,0 +1,32 @@
+# Freezes classes to prevent tampering them
+class Console1984::Refrigerator
+  include Console1984::Freezeable
+
+  def freeze_all
+    eager_load_all_classes
+    freeze_internal_instances # internal modules and classes are frozen by including Console1984::Freezable
+    freeze_external_modules_and_classes
+
+    Console1984::Freezeable.freeze_all
+  end
+
+  private
+    EXTERNAL_MODULES_AND_CLASSES_TO_FREEZE = [Parser::CurrentRuby]
+
+    def freeze_internal_instances
+      Console1984.config.freeze unless Console1984.config.test_mode
+    end
+
+    def freeze_external_modules_and_classes
+      EXTERNAL_MODULES_AND_CLASSES_TO_FREEZE.each { |klass| klass.include(Console1984::Freezeable) }
+    end
+
+    def eager_load_all_classes
+      Rails.application.eager_load! unless Rails.application.config.eager_load
+      Console1984.class_loader.eager_load
+    end
+end
+
+class Parser::Ruby27
+  include Console1984::Freezeable
+end