console1984 0.1.4 → 0.1.8

data/lib/console1984/sessions_logger/database.rb

@@ -1,11 +1,13 @@
 # A session logger that saves audit trails in the database.
 class Console1984::SessionsLogger::Database
+  include Console1984::Freezeable
+
   attr_reader :current_session, :current_sensitive_access
 
   def start_session(username, reason)
     silence_logging do
       user = Console1984::User.find_or_create_by!(username: username)
-      @current_session = user.sessions.create! reason: reason
+      @current_session = user.sessions.create!(reason: reason)
     end
   end
 

data/lib/console1984/shield/method_invocation_shell.rb

@@ -0,0 +1,52 @@
+# Prevents invoking a configurable set of methods
+class Console1984::Shield::MethodInvocationShell
+  include Console1984::Freezeable
+
+  class << self
+    def install_for(config)
+      Array(config[:user]).each { |invocation| self.new(invocation, only_for_user_commands: true).prevent_methods_invocation }
+      Array(config[:system]).each { |invocation| self.new(invocation, only_for_user_commands: false).prevent_methods_invocation }
+    end
+  end
+
+  attr_reader :class_name, :methods, :only_for_user_commands
+
+  def initialize(invocation, only_for_user_commands:)
+    @class_name, methods = invocation.to_a
+    @methods = Array(methods)
+    @only_for_user_commands = only_for_user_commands
+  end
+
+  def prevent_methods_invocation
+    class_name.constantize.prepend build_protection_module
+  end
+
+  def build_protection_module
+    source = protected_method_invocations_source
+    Module.new do
+      class_eval <<~RUBY, __FILE__, __LINE__ + 1
+        #{source}
+      RUBY
+    end
+  end
+
+  def protected_method_invocations_source
+    methods.collect { |method| protected_method_invocation_source_for(method) }.join("\n")
+  end
+
+  def protected_method_invocation_source_for(method)
+    <<~RUBY
+      def #{method}(*args)
+        if (!#{only_for_user_commands} || Console1984.command_executor.executing_user_command?) && caller.find do |line|
+            line_from_irb = line =~ /^[^\\/]/
+            break if !(line =~ /console1984\\/lib/ || line_from_irb)
+            line_from_irb
+          end
+          raise Console1984::Errors::ForbiddenCommand
+        else
+          super
+        end
+      end
+    RUBY
+  end
+end

data/lib/console1984/shield/modes/protected.rb

@@ -0,0 +1,27 @@
+# An execution mode that protects encrypted information and connection to external systems.
+class Console1984::Shield::Modes::Protected
+  include Console1984::Freezeable
+
+  delegate :protected_urls, to: Console1984
+
+  thread_mattr_accessor :currently_protected_urls, default: []
+
+  def execute(&block)
+    protecting(&block)
+  end
+
+  private
+    def protecting(&block)
+      protecting_connections do
+        ActiveRecord::Encryption.protecting_encrypted_data(&block)
+      end
+    end
+
+    def protecting_connections
+      old_currently_protected_urls = self.currently_protected_urls
+      self.currently_protected_urls = protected_urls
+      yield
+    ensure
+      self.currently_protected_urls = old_currently_protected_urls
+    end
+end

data/lib/console1984/shield/modes/unprotected.rb

@@ -0,0 +1,8 @@
+# An execution mode that doesn't protect encrypted information or external systems.
+class Console1984::Shield::Modes::Unprotected
+  include Console1984::Freezeable
+
+  def execute(&block)
+    block.call
+  end
+end

data/lib/console1984/shield/modes.rb

@@ -0,0 +1,60 @@
+# Console 1984 operates in two modes:
+#
+# * Protected: it won't reveal encrypted information, attempt to connect to protected urls will be prevented.
+# * Unprotected: it will reveal encrypted information and let all connections go through.
+#
+# Tampering attempts (such as deleting audit trails) is prevented in both modes.
+module Console1984::Shield::Modes
+  include Console1984::Messages, Console1984::InputOutput
+  include Console1984::Freezeable
+
+  PROTECTED_MODE = Protected.new
+  UNPROTECTED_MODE = Unprotected.new
+
+  # Switch to protected mode
+  #
+  # Pass +silent: true+ to hide an informative message when switching to this mode.
+  def enable_unprotected_mode(silent: false)
+    command_executor.run_as_system do
+      show_warning Console1984.enter_unprotected_encryption_mode_warning if !silent && protected_mode?
+      justification = ask_for_value "\nBefore you can access personal information, you need to ask for and get explicit consent from the user(s). #{current_username}, where can we find this consent (a URL would be great)?"
+      session_logger.start_sensitive_access justification
+      nil
+    end
+  ensure
+    @mode = UNPROTECTED_MODE
+    nil
+  end
+
+  # Switch to unprotected mode
+  #
+  # Pass +silent: true+ to hide an informative message when switching to this mode.
+  def enable_protected_mode(silent: false)
+    command_executor.run_as_system do
+      show_warning Console1984.enter_protected_mode_warning if !silent && unprotected_mode?
+      session_logger.end_sensitive_access
+      nil
+    end
+  ensure
+    @mode = PROTECTED_MODE
+    nil
+  end
+
+  # Executes the passed block in the configured mode (protected or unprotected).
+  def with_protected_mode(&block)
+    @mode.execute(&block)
+  end
+
+  def unprotected_mode?
+    @mode.is_a?(Unprotected)
+  end
+
+  def protected_mode?
+    !unprotected_mode?
+  end
+
+  private
+    def current_username
+      username_resolver.current
+    end
+end

data/lib/console1984/shield.rb

@@ -0,0 +1,85 @@
+# The shield implements the protection mechanisms while using the console:
+#
+# * It extends different systems with console1984 extensions (including IRB itself).
+# * It offers an API to the rest of the system to enable and disable protected modes and
+#   execute code on the configured mode.
+#
+# Protection happens at two levels:
+#
+# * External: preventing users from accessing encrypted data or protected systems while on
+#   protected mode.
+# * Internal: preventing users from tampering Console 1984 itself.
+class Console1984::Shield
+  include Modes
+  include Console1984::Freezeable
+
+  delegate :username_resolver, :session_logger, :command_executor, to: Console1984
+
+  # Installs the shield by extending several systems and freezing classes and modules
+  # that aren't mean to be modified once the console is running.
+  def install
+    extend_protected_systems
+    prevent_invoking_protected_methods
+
+    refrigerator.freeze_all
+  end
+
+  private
+    def extend_protected_systems
+      extend_irb
+      extend_core_ruby
+      extend_sockets
+      extend_active_record
+    end
+
+    def extend_irb
+      IRB::Context.prepend(Console1984::Ext::Irb::Context)
+      Rails::ConsoleMethods.include(Console1984::Ext::Irb::Commands)
+    end
+
+    def extend_core_ruby
+      Object.prepend Console1984::Ext::Core::Object
+      Module.prepend Console1984::Ext::Core::Module
+    end
+
+    def extend_sockets
+      socket_classes = [TCPSocket, OpenSSL::SSL::SSLSocket]
+      OpenSSL::SSL::SSLSocket.include(SSLSocketRemoteAddress)
+
+      if defined?(Redis::Connection)
+        socket_classes.push(*[Redis::Connection::TCPSocket, Redis::Connection::SSLSocket])
+      end
+
+      socket_classes.compact.each do |socket_klass|
+        socket_klass.prepend Console1984::Ext::Socket::TcpSocket
+        socket_klass.freeze
+      end
+    end
+
+    ACTIVE_RECORD_CONNECTION_ADAPTERS = %w[ActiveRecord::ConnectionAdapters::Mysql2Adapter ActiveRecord::ConnectionAdapters::PostgreSQLAdapter ActiveRecord::ConnectionAdapters::SQLite3Adapter]
+
+    def extend_active_record
+      ACTIVE_RECORD_CONNECTION_ADAPTERS.each do |class_string|
+        if Object.const_defined?(class_string)
+          klass = class_string.constantize
+          klass.prepend(Console1984::Ext::ActiveRecord::ProtectedAuditableTables)
+          klass.include(Console1984::Freezeable)
+        end
+      end
+    end
+
+    def prevent_invoking_protected_methods
+      MethodInvocationShell.install_for(Console1984.protections_config.forbidden_methods)
+    end
+
+    def refrigerator
+      @refrigerator ||= Console1984::Refrigerator.new
+    end
+
+    module SSLSocketRemoteAddress
+      # Serve remote address as TCPSocket so that our extension works with both.
+      def remote_address
+        Addrinfo.getaddrinfo(hostname, 443).first
+      end
+    end
+end

data/lib/console1984/supervisor.rb

@@ -1,28 +1,43 @@
-require 'colorized_string'
 require 'rails/console/app'
 
-# Protects console sessions and executes code in supervised mode.
+# Entry point to the system. In charge of installing everything
+# and starting and stopping sessions.
 class Console1984::Supervisor
-  include Accesses, InputOutput, Executor, Protector
+  include Console1984::Freezeable, Console1984::InputOutput
 
-  # Starts a console session extending IRB and several systems to inject
-  # the protection logic, and notifies the session logger to record the
-  # session.
-  def start
-    Console1984.config.freeze
-    extend_protected_systems
-    disable_access_to_encrypted_content(silent: true)
+  delegate :username_resolver, :session_logger, :shield, to: Console1984
 
-    show_welcome_message
+  # Installs the console protections.
+  #
+  # See Console1984::Shield
+  def install
+    require_dependencies
+    shield.install
+  end
 
+  # Starts a console session.
+  #
+  # This will enable protected mode and log the new session in the configured
+  # {session logger}[rdoc-ref:Console1984::SessionsLogger::Database].
+  def start
+    shield.enable_protected_mode(silent: true)
+    show_welcome_message
     start_session
   end
 
+  # Stops a console session
   def stop
     stop_session
   end
 
   private
+    def require_dependencies
+      Kernel.silence_warnings do
+        require 'parser/current'
+      end
+      require 'colorized_string'
+    end
+
     def start_session
       session_logger.start_session current_username, ask_for_session_reason
     end
@@ -31,17 +46,7 @@ class Console1984::Supervisor
       session_logger.finish_session
     end
 
-    def session_logger
-      Console1984.session_logger
-    end
-
     def current_username
-      Console1984.username_resolver.current
+      username_resolver.current
     end
-
-    def username_resolver
-      Console1984.username_resolver
-    end
-
-    include Console1984::FrozenMethods
 end

data/lib/console1984/username/env_resolver.rb

@@ -1,6 +1,8 @@
 # A username resolver that returns the value of a given
 # environment variable.
 class Console1984::Username::EnvResolver
+  include Console1984::Freezeable
+
   def initialize(key)
     @key = key
   end

data/lib/console1984/version.rb

@@ -1,3 +1,3 @@
 module Console1984
-  VERSION = '0.1.4'
+  VERSION = '0.1.8'
 end

data/lib/console1984.rb

@@ -1,39 +1,61 @@
 require 'console1984/engine'
 
 require "zeitwerk"
-loader = Zeitwerk::Loader.for_gem
-loader.setup
-
+class_loader = Zeitwerk::Loader.for_gem
+class_loader.setup
+
+# = Console 1984
+#
+# Console1984 is an IRB-based Rails console extension that does
+# three things:
+#
+# * Record console sessions with their user, reason and commands.
+# * Protect encrypted data by showing the ciphertexts when you visualize it.
+# * Protect access to external systems that contain sensitive information (such as Redis
+#   or Elasticsearch).
+#
+# == Session logging
+#
+# The console will record the session, its user and the commands entered. The logic to
+# persist sessions is handled by the configured session logger, which is
+# Console1984::SessionsLogger::Database by default.
+#
+# == Execution of commands
+#
+# The console will work in two modes:
+#
+# * Protected: It won't show encrypted information (it will show the ciphertexts instead)
+#   and it won't allow connections to protected urls.
+# * Unprotected: it allows access to encrypted information and protected urls. The commands
+#   executed in this mode as flagged as sensitive.
+#
+# Console1984::CommandExecutor handles the execution of commands applying the corresponding
+# protection mechanisms.´
+#
+# == Internal tampering prevention
+#
+# Finally, console1984 includes protection mechanisms against internal tampering while using
+# the console. For example, to prevent the user from deleting audit trails. See
+# Console1984::Shield and Console1984::CommandValidator to learn more.
 module Console1984
-  include Messages
+  include Messages, Freezeable
+
+  mattr_accessor :supervisor, default: Supervisor.new
 
-  mattr_reader :supervisor, default: Supervisor.new
   mattr_reader :config, default: Config.new
 
-  thread_mattr_accessor :currently_protected_urls, default: []
+  mattr_accessor :class_loader
 
   class << self
     Config::PROPERTIES.each do |property|
       delegate property, to: :config
     end
 
+    # Returns whether the console is currently running in protected mode or not.
     def running_protected_environment?
       protected_environments.collect(&:to_sym).include?(Rails.env.to_sym)
     end
-
-    def protecting(&block)
-      protecting_connections do
-        ActiveRecord::Encryption.protecting_encrypted_data(&block)
-      end
-    end
-
-    private
-      def protecting_connections
-        old_currently_protected_urls = self.currently_protected_urls
-        self.currently_protected_urls = protected_urls
-        yield
-      ensure
-        self.currently_protected_urls = old_currently_protected_urls
-      end
   end
 end
+
+Console1984.class_loader = class_loader

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: console1984
 version: !ruby/object:Gem::Version
-  version: 0.1.4
+  version: 0.1.8
 platform: ruby
 authors:
 - Jorge Manrubia
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-08-19 00:00:00.000000000 Z
+date: 2021-09-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: colorize
@@ -24,6 +24,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: parser
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: benchmark-ips
   requirement: !ruby/object:Gem::Requirement
@@ -136,6 +150,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: pg
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: mysql2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description:
 email:
 - jorge@basecamp.com
@@ -153,26 +195,36 @@ files:
 - app/models/console1984/session.rb
 - app/models/console1984/session/incineratable.rb
 - app/models/console1984/user.rb
-- config/routes.rb
+- config/protections.yml
 - db/migrate/20210517203931_create_console1984_tables.rb
 - lib/console1984.rb
-- lib/console1984/commands.rb
+- lib/console1984/command_executor.rb
+- lib/console1984/command_validator.rb
+- lib/console1984/command_validator/forbidden_constant_reference_validation.rb
+- lib/console1984/command_validator/forbidden_reopening_validation.rb
+- lib/console1984/command_validator/parsed_command.rb
+- lib/console1984/command_validator/suspicious_terms_validation.rb
 - lib/console1984/config.rb
 - lib/console1984/engine.rb
 - lib/console1984/errors.rb
-- lib/console1984/frozen_methods.rb
+- lib/console1984/ext/active_record/protected_auditable_tables.rb
+- lib/console1984/ext/core/module.rb
+- lib/console1984/ext/core/object.rb
+- lib/console1984/ext/irb/commands.rb
+- lib/console1984/ext/irb/context.rb
+- lib/console1984/ext/socket/tcp_socket.rb
+- lib/console1984/freezeable.rb
+- lib/console1984/input_output.rb
 - lib/console1984/messages.rb
-- lib/console1984/protected_auditable_tables.rb
-- lib/console1984/protected_context.rb
-- lib/console1984/protected_tcp_socket.rb
+- lib/console1984/protections_config.rb
+- lib/console1984/refrigerator.rb
 - lib/console1984/sessions_logger/database.rb
+- lib/console1984/shield.rb
+- lib/console1984/shield/method_invocation_shell.rb
+- lib/console1984/shield/modes.rb
+- lib/console1984/shield/modes/protected.rb
+- lib/console1984/shield/modes/unprotected.rb
 - lib/console1984/supervisor.rb
-- lib/console1984/supervisor/accesses.rb
-- lib/console1984/supervisor/accesses/protected.rb
-- lib/console1984/supervisor/accesses/unprotected.rb
-- lib/console1984/supervisor/executor.rb
-- lib/console1984/supervisor/input_output.rb
-- lib/console1984/supervisor/protector.rb
 - lib/console1984/username/env_resolver.rb
 - lib/console1984/version.rb
 - test/fixtures/console1984/commands.yml