console1984 0.1.6 → 0.1.7

data/lib/console1984/ext/core/object.rb

@@ -0,0 +1,42 @@
+# Prevents loading forbidden classes dynamically.
+#
+# There are classes that we don't want to allow loading dynamically
+# during a console session. For example, we don't want users to reference
+# the constant +Console1984+. We will prevent a direct constant reference
+# but users could still do:
+#
+#    MyConstant = ("Con" + "sole1984").constantize
+#
+# We prevent this by extending +Object#const_get+.
+module Console1984::Ext::Core::Object
+  extend ActiveSupport::Concern
+
+  include Console1984::Freezeable
+
+  class_methods do
+    def const_get(*arguments)
+      if Console1984.command_executor.executing_user_command?
+        begin
+          # To validate if it's an invalid constant, we try to declare a class with it.
+          # We essentially leverage Console1984::CommandValidator::ForbiddenReopeningValidation here:
+          # We don't let referencing constants referring modules or classes we don't allow to extend.
+          #
+          # See the list +forbidden_reopening+ in +config/command_protections.yml+.
+          Console1984.command_executor.validate_command("class #{arguments.first}; end")
+          super
+        rescue Console1984::Errors::ForbiddenCommand
+          raise
+        rescue StandardError
+          super
+        end
+      else
+        super
+      end
+    end
+  end
+
+  private
+    def banned_dynamic_constant_declaration?(arguments)
+      Console1984.command_executor.validate_command("class #{arguments.first}; end")
+    end
+end

data/lib/console1984/ext/irb/commands.rb

@@ -0,0 +1,16 @@
+# Add Console 1984 commands to IRB sessions.
+module Console1984::Ext::Irb::Commands
+  include Console1984::Freezeable
+
+  delegate :shield, to: Console1984
+
+  # Enter {unprotected mode}[rdoc-ref:Console1984::Shield::Modes] mode.
+  def decrypt!
+    shield.enable_unprotected_mode
+  end
+
+  # Enter {protected mode}[rdoc-ref:Console1984::Shield::Modes] mode.
+  def encrypt!
+    shield.enable_protected_mode
+  end
+end

data/lib/console1984/{protected_context.rb → ext/irb/context.rb}

@@ -1,20 +1,20 @@
-module Console1984::ProtectedContext
+# Extends IRB execution contexts to hijack execution attempts and
+# pass them through Console1984.
+module Console1984::Ext::Irb::Context
   include Console1984::Freezeable
 
   # This method is invoked for showing returned objects in the console
   # Overridden to make sure their evaluation is supervised.
   def inspect_last_value
-    Console1984.supervisor.execute do
+    Console1984.command_executor.execute_in_protected_mode do
       super
     end
   end
 
   #
   def evaluate(line, line_no, exception: nil)
-    Console1984.supervisor.execute_supervised(Array(line)) do
+    Console1984.command_executor.execute(Array(line)) do
       super
     end
   end
-
-  include Console1984::Freezeable
 end

data/lib/console1984/{protected_tcp_socket.rb → ext/socket/tcp_socket.rb}

@@ -1,5 +1,5 @@
-# Wraps socket methods to execute supervised.
-module Console1984::ProtectedTcpSocket
+# Wraps socket methods to execute supervised when {protected mode}[rdoc-ref:Console1984::Shield::Modes].
+module Console1984::Ext::Socket::TcpSocket
   include Console1984::Freezeable
 
   def write(*args)
@@ -28,7 +28,7 @@ module Console1984::ProtectedTcpSocket
     end
 
     def protected_addresses
-      @protected_addresses ||= Console1984.currently_protected_urls.collect do |url|
+      @protected_addresses ||= Console1984::Shield::Modes::PROTECTED_MODE.currently_protected_urls.collect do |url|
         host, port = host_and_port_from(url)
         Array(Addrinfo.getaddrinfo(host, port)).collect { |addrinfo| ComparableAddress.new(addrinfo) if addrinfo.ip_address }
       end.flatten.compact.uniq

data/lib/console1984/freezeable.rb

@@ -1,7 +1,17 @@
-# Prevents adding new methods to classes.
+# Prevents adding new methods to classes, changing class-state or
+# accessing/overridden instance variables via reflection. This is meant to
+# prevent manipulating certain Console1984 classes during a console session.
 #
-# This prevents manipulating certain Console1984 classes
-# during a console session.
+# Notice this won't prevent every state-modification command. You should
+# handle special cases by overriding +#freeze+ (if necessary) and invoking
+# freezing on the instance when it makes sense.
+#
+# For example: check Console1984::Config#freeze and Console1984::Shield#freeze_all.
+#
+# The "freezing" doesn't materialize when the mixin is included. When mixed in, it
+# will store the host class or module in a list. Then a call to Console1984::Freezeable.freeze_all
+# will look through all the modules/classes freezing them. This way, we can control
+# the moment where we stop classes from being modifiable at setup time.
 module Console1984::Freezeable
   extend ActiveSupport::Concern
 
@@ -12,7 +22,7 @@ module Console1984::Freezeable
   end
 
   class_methods do
-    SENSITIVE_INSTANCE_METHODS = %i[ instance_variable_set ]
+    SENSITIVE_INSTANCE_METHODS = %i[ instance_variable_get instance_variable_set ]
 
     def prevent_sensitive_overrides
       SENSITIVE_INSTANCE_METHODS.each do |method|
@@ -23,7 +33,7 @@ module Console1984::Freezeable
     private
       def prevent_sensitive_method(method_name)
         define_method method_name do |*arguments|
-          raise Console1984::Errors::ForbiddenCodeManipulation, "You can't invoke #{method_name} on #{self}"
+          raise Console1984::Errors::ForbiddenCommand, "You can't invoke #{method_name} on #{self}"
         end
       end
   end

data/lib/console1984/{supervisor/input_output.rb → input_output.rb}

@@ -1,4 +1,4 @@
-module Console1984::Supervisor::InputOutput
+module Console1984::InputOutput
   include Console1984::Freezeable, Console1984::Messages
 
   private
@@ -16,7 +16,13 @@ module Console1984::Supervisor::InputOutput
     end
 
     def show_commands
-      puts COMMANDS_HELP
+      puts <<~TXT
+
+      Commands:
+
+      #{COMMANDS.collect { |command, help_line| "* #{ColorizedString.new(command.to_s).light_blue}: #{help_line}" }.join("\n")}
+
+      TXT
     end
 
     def show_warning(message)

data/lib/console1984/messages.rb

@@ -1,5 +1,3 @@
-require 'colorized_string'
-
 module Console1984::Messages
   DEFAULT_PRODUCTION_DATA_WARNING = <<~TXT
 
@@ -19,12 +17,4 @@ module Console1984::Messages
   COMMANDS = {
       "decrypt!": "enter unprotected mode with access to encrypted information"
   }
-
-  COMMANDS_HELP = <<~TXT
-
-  Commands:
-
-  #{COMMANDS.collect { |command, help_line| "* #{ColorizedString.new(command.to_s).light_blue}: #{help_line}" }.join("\n")}
-
-  TXT
 end

data/lib/console1984/shield/modes/protected.rb

@@ -0,0 +1,27 @@
+# An execution mode that protects encrypted information and connection to external systems.
+class Console1984::Shield::Modes::Protected
+  include Console1984::Freezeable
+
+  delegate :protected_urls, to: Console1984
+
+  thread_mattr_accessor :currently_protected_urls, default: []
+
+  def execute(&block)
+    protecting(&block)
+  end
+
+  private
+    def protecting(&block)
+      protecting_connections do
+        ActiveRecord::Encryption.protecting_encrypted_data(&block)
+      end
+    end
+
+    def protecting_connections
+      old_currently_protected_urls = self.currently_protected_urls
+      self.currently_protected_urls = protected_urls
+      yield
+    ensure
+      self.currently_protected_urls = old_currently_protected_urls
+    end
+end

data/lib/console1984/shield/modes/unprotected.rb

@@ -0,0 +1,8 @@
+# An execution mode that doesn't protect encrypted information or external systems.
+class Console1984::Shield::Modes::Unprotected
+  include Console1984::Freezeable
+
+  def execute(&block)
+    block.call
+  end
+end

data/lib/console1984/shield/modes.rb

@@ -0,0 +1,60 @@
+# Console 1984 operates in two modes:
+#
+# * Protected: it won't reveal encrypted information, attempt to connect to protected urls will be prevented.
+# * Unprotected: it will reveal encrypted information and let all connections go through.
+#
+# Tampering attempts (such as deleting audit trails) is prevented in both modes.
+module Console1984::Shield::Modes
+  include Console1984::Messages, Console1984::InputOutput
+  include Console1984::Freezeable
+
+  PROTECTED_MODE = Protected.new
+  UNPROTECTED_MODE = Unprotected.new
+
+  # Switch to protected mode
+  #
+  # Pass +silent: true+ to hide an informative message when switching to this mode.
+  def enable_unprotected_mode(silent: false)
+    command_executor.run_as_system do
+      show_warning Console1984.enter_unprotected_encryption_mode_warning if !silent && protected_mode?
+      justification = ask_for_value "\nBefore you can access personal information, you need to ask for and get explicit consent from the user(s). #{current_username}, where can we find this consent (a URL would be great)?"
+      session_logger.start_sensitive_access justification
+      nil
+    end
+  ensure
+    @mode = UNPROTECTED_MODE
+    nil
+  end
+
+  # Switch to unprotected mode
+  #
+  # Pass +silent: true+ to hide an informative message when switching to this mode.
+  def enable_protected_mode(silent: false)
+    command_executor.run_as_system do
+      show_warning Console1984.enter_protected_mode_warning if !silent && unprotected_mode?
+      session_logger.end_sensitive_access
+      nil
+    end
+  ensure
+    @mode = PROTECTED_MODE
+    nil
+  end
+
+  # Executes the passed block in the configured mode (protected or unprotected).
+  def with_protected_mode(&block)
+    @mode.execute(&block)
+  end
+
+  def unprotected_mode?
+    @mode.is_a?(Unprotected)
+  end
+
+  def protected_mode?
+    !unprotected_mode?
+  end
+
+  private
+    def current_username
+      username_resolver.current
+    end
+end

data/lib/console1984/shield.rb

@@ -0,0 +1,86 @@
+# The shield implements the protection mechanisms while using the console:
+#
+# * It extends different systems with console1984 extensions (including IRB itself).
+# * It offers an API to the rest of the system to enable and disable protected modes and
+#   execute code on the configured mode.
+#
+# Protection happens at two levels:
+#
+# * External: preventing users from accessing encrypted data or protected systems while on
+#   protected mode.
+# * Internal: preventing users from tampering Console 1984 itself.
+class Console1984::Shield
+  include Modes
+  include Console1984::Freezeable
+
+  delegate :username_resolver, :session_logger, :command_executor, to: Console1984
+
+  # Installs the shield by extending several systems and freezing classes and modules
+  # that aren't mean to be modified once the console is running.
+  def install
+    extend_protected_systems
+    freeze_all
+  end
+
+  private
+    def extend_protected_systems
+      extend_irb
+      extend_core_ruby
+      extend_sockets
+      extend_active_record
+    end
+
+    def extend_irb
+      IRB::Context.prepend(Console1984::Ext::Irb::Context)
+      Rails::ConsoleMethods.include(Console1984::Ext::Irb::Commands)
+    end
+
+    def extend_core_ruby
+      Object.prepend Console1984::Ext::Core::Object
+    end
+
+    def extend_sockets
+      socket_classes = [TCPSocket, OpenSSL::SSL::SSLSocket]
+      OpenSSL::SSL::SSLSocket.include(SSLSocketRemoteAddress)
+
+      if defined?(Redis::Connection)
+        socket_classes.push(*[Redis::Connection::TCPSocket, Redis::Connection::SSLSocket])
+      end
+
+      socket_classes.compact.each do |socket_klass|
+        socket_klass.prepend Console1984::Ext::Socket::TcpSocket
+        socket_klass.freeze
+      end
+    end
+
+    ACTIVE_RECORD_CONNECTION_ADAPTERS = %w[ActiveRecord::ConnectionAdapters::Mysql2Adapter ActiveRecord::ConnectionAdapters::PostgreSQLAdapter ActiveRecord::ConnectionAdapters::SQLite3Adapter]
+
+    def extend_active_record
+      ACTIVE_RECORD_CONNECTION_ADAPTERS.each do |class_string|
+        if Object.const_defined?(class_string)
+          klass = class_string.constantize
+          klass.prepend(Console1984::Ext::ActiveRecord::ProtectedAuditableTables)
+          klass.include(Console1984::Freezeable)
+        end
+      end
+    end
+
+    def freeze_all
+      eager_load_all_classes
+      Console1984.config.freeze unless Console1984.config.test_mode
+      Console1984::Freezeable.freeze_all
+      Parser::CurrentRuby.freeze
+    end
+
+    def eager_load_all_classes
+      Rails.application.eager_load! unless Rails.application.config.eager_load
+      Console1984.class_loader.eager_load
+    end
+
+    module SSLSocketRemoteAddress
+      # Serve remote address as TCPSocket so that our extension works with both.
+      def remote_address
+        Addrinfo.getaddrinfo(hostname, 443).first
+      end
+    end
+end

data/lib/console1984/supervisor.rb

@@ -1,31 +1,43 @@
-require 'colorized_string'
 require 'rails/console/app'
 
-# Protects console sessions and executes code in supervised mode.
+# Entry point to the system. In charge of installing everything
+# and starting and stopping sessions.
 class Console1984::Supervisor
-  include Accesses, Console1984::Freezeable, Executor, InputOutput, Protector
+  include Console1984::Freezeable, Console1984::InputOutput
 
+  delegate :username_resolver, :session_logger, :shield, to: Console1984
+
+  # Installs the console protections.
+  #
+  # See Console1984::Shield
   def install
-    extend_protected_systems
-    freeze_all
+    require_dependencies
+    shield.install
   end
 
-  # Starts a console session extending IRB and several systems to inject
-  # the protection logic, and notifies the session logger to record the
-  # session.
+  # Starts a console session.
+  #
+  # This will enable protected mode and log the new session in the configured
+  # {session logger}[rdoc-ref:Console1984::SessionsLogger::Database].
   def start
-    disable_access_to_encrypted_content(silent: true)
-
+    shield.enable_protected_mode(silent: true)
     show_welcome_message
-
     start_session
   end
 
+  # Stops a console session
   def stop
     stop_session
   end
 
   private
+    def require_dependencies
+      Kernel.silence_warnings do
+        require 'parser/current'
+      end
+      require 'colorized_string'
+    end
+
     def start_session
       session_logger.start_session current_username, ask_for_session_reason
     end
@@ -34,28 +46,7 @@ class Console1984::Supervisor
       session_logger.finish_session
     end
 
-    def freeze_all
-      eager_load_all_classes
-      Console1984.config.freeze unless Console1984.config.test_mode
-      Console1984::Freezeable.freeze_all
-    end
-
-    def eager_load_all_classes
-      Rails.application.eager_load! unless Rails.application.config.eager_load
-      Console1984.class_loader.eager_load
-    end
-
-    def session_logger
-      Console1984.session_logger
-    end
-
     def current_username
-      Console1984.username_resolver.current
+      username_resolver.current
     end
-
-    def username_resolver
-      Console1984.username_resolver
-    end
-
-    include Console1984::Freezeable
 end