console1984 0.1.2 → 0.1.3

Sign up to get free protection for your applications and to get access to all the features.
Files changed (4) hide show
  1. checksums.yaml +4 -4
  2. data/README.md +77 -12
  3. data/lib/console1984/version.rb +1 -1
  4. metadata +2 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 00c631a415150d26c5af9cc748900015818ca7eb78a1a958a4a92aeee572fc06
4
- data.tar.gz: 05520effef693150b8a2cf1e17ab578038c1ddd02b99db4fdd5a97d54884ea36
3
+ metadata.gz: be2eedd1d1d2a84d3a90ddc727bb08e4b10d9c41a47d90fa00abcbe78887c0e5
4
+ data.tar.gz: 0cf9dda87ea53c4b89a3b9cf5d9779ec6d3d59f51549e97effc84e5360a908af
5
5
  SHA512:
6
- metadata.gz: 974b06da4ce3b24d837bc9e4b7488014bde82fb7597ef5eff1c261ce155b430eb91948711404844714ac94a067c6bede7a808ff3c017a3feacd546a39790f244
7
- data.tar.gz: a63cf7c90b42f1d8f2ce6df8f46e4867e0f081f7073d5696704271502527a6385a330fa7413cc11dae95d72e8c30a35fade40bf9d1c878109a55a14977bc3f4d
6
+ metadata.gz: ca227ee62658722a5e14b1f94df78ee1ef9be764ae32ac69dbecc569f2c9db26bd7b794d94eaaf27fd85725e0d17a8ab0fc400b6ed52952fa144af3db22d0a67
7
+ data.tar.gz: 8718e459484935cc14585fd1c3ce76f7f53792169955b702e7b1e3551a63abd1327ef0e4680b2a28acaa6789d9f6a006181f653b6a518571a49972cf578baaeb
data/README.md CHANGED
@@ -2,10 +2,16 @@
2
2
 
3
3
  # Console1984
4
4
 
5
- Console1984 is an extension for Rails consoles that protects sensitive accesses and makes them auditable.
5
+ A Rails console extension that protects sensitive accesses and makes them auditable.
6
+
7
+ > “If you want to keep a secret, you must also hide it from yourself.”
8
+ >
9
+ > ― George Orwell, 1984
6
10
 
7
11
  If you are looking for the auditing tool, check [`audits1984`](https://github.com/basecamp/audits1984).
8
12
 
13
+ ![console-session-reason](docs/images/console-session-reason.png)
14
+
9
15
  ## Installation
10
16
 
11
17
  Add it to your `Gemfile`:
@@ -33,7 +39,21 @@ config.console1984.protected_environments = %i[ production staging ]
33
39
 
34
40
  When starting a console session, it will ask for a reason. Internally, it will use this reason to document the console session and record all the commands executed in it.
35
41
 
36
- ![console-session-reason](docs/images/console-session-reason.png)
42
+ ```
43
+ $ rails c
44
+
45
+ You have access to production data here. That's a big deal. As part of our promise to keep customer data safe and private, we audit the commands you type here. Let's get started!
46
+
47
+
48
+
49
+ Commands:
50
+
51
+ * decrypt!: enter unprotected mode with access to encrypted information
52
+
53
+ Unnamed, why are you using this console today?
54
+
55
+ > ...
56
+ ```
37
57
 
38
58
  ### Auditing sessions
39
59
 
@@ -41,19 +61,54 @@ Check out [`audits1984`](https://github.com/basecamp/audits1984), a companion au
41
61
 
42
62
  ### Access to encrypted data
43
63
 
44
- By default, `console1984` won't decrypt data encrypted with [Active Record encryption](https://edgeguides.rubyonrails.org/active_record_encryption.html).
64
+ By default, `console1984` won't decrypt data encrypted with [Active Record encryption](https://edgeguides.rubyonrails.org/active_record_encryption.html). Users will just see the ciphertexts.
45
65
 
46
66
  To decrypt data, enter the command `decrypt!`. It will ask for a justification, and these accesses will be flagged internally as sensitive.
47
67
 
48
- ![console-session-reason](docs/images/console-decrypt.png)
68
+ ```ruby
69
+ irb(main)> Topic.last.name
70
+ Topic Load (1.4ms) SELECT `topics`.* FROM `topics` ORDER BY `topics`.`id` DESC LIMIT 1
71
+ => "{\"p\":\"iu6+LfnNlurC6sL++JyOIDvedjNSz/AvnZQ=\",\"h\":{\"iv\":\"BYa86+JNM/LdkC18\",\"at\":\"r4sQNoSyIlAjJdZEKHVMow==\",\"k\":{\"p\":\"7L1l/5UiYsFQqqo4jfMZtLwp90KqcrIgS7HqgteVjuM=\",\"h\":{\"iv\":\"ItwRYxZAerKIoSZ8\",\"at\":\"ZUSNVfvtm4wAYWLBKRAx/g==\",\"e\":\"QVNDSUktOEJJVA==\"}},\"i\":\"OTdiOQ==\"}}"
72
+ irb(main):002:0> decrypt!
73
+ ```
74
+
75
+ ```
76
+ Before you can access personal information, you need to ask for and get explicit consent from the user(s). Unnamed, where can we find this consent (a URL would be great)?
77
+
78
+ > ...
79
+
80
+ Ok! You have access to encrypted information now. We pay extra close attention to any commands entered while you have this access. You can go back to protected mode with 'encrypt!'
81
+
82
+ WARNING: Make sure you don`t save objects that were loaded while in protected mode, as this can result in saving the encrypted texts.
83
+ ```
84
+
85
+ ```ruby
86
+ irb(main)> Topic.last.name
87
+ Topic Load (1.2ms) SELECT `topics`.* FROM `topics` ORDER BY `topics`.`id` DESC LIMIT 1
88
+ => "Thanks for the inspiration"
89
+ ```
49
90
 
50
91
  You can type `encrypt!` to go back to protected mode again.
51
92
 
52
- ![console-session-reason](docs/images/console-encrypt.png)
93
+ ```ruby
94
+ irb(main):004:0> encrypt!
95
+ ```
96
+
97
+ ```
98
+ Great! You are back in protected mode. When we audit, we may reach out for a conversation about the commands you entered. What went well? Did you solve the problem without accessing personal data?
99
+ ```
100
+
101
+ ```ruby
102
+ irb(main)> Topic.last.name
103
+ Topic Load (1.4ms) SELECT `topics`.* FROM `topics` ORDER BY `topics`.`id` DESC LIMIT 1
104
+ => "{\"p\":\"iu6+LfnNlurC6sL++JyOIDvedjNSz/AvnZQ=\",\"h\":{\"iv\":\"BYa86+JNM/LdkC18\",\"at\":\"r4sQNoSyIlAjJdZEKHVMow==\",\"k\":{\"p\":\"7L1l/5UiYsFQqqo4jfMZtLwp90KqcrIgS7HqgteVjuM=\",\"h\":{\"iv\":\"ItwRYxZAerKIoSZ8\",\"at\":\"ZUSNVfvtm4wAYWLBKRAx/g==\",\"e\":\"QVNDSUktOEJJVA==\"}},\"i\":\"OTdiOQ==\"}}"
105
+ ```
53
106
 
54
107
  While in protected mode, you can't modify encrypted data, but can save unencrypted attributes normally. If you try to modify an encrypted column it will raise an error:
55
108
 
56
- ![console-session-reason](docs/images/console-protect-urls.png)
109
+ ```ruby
110
+ irb(main)> Rails.cache.read("some key") # raises Console1984::Errors::ProtectedConnection
111
+ ```
57
112
 
58
113
  ### Access to external systems
59
114
 
@@ -69,16 +124,26 @@ As with encryption data, running `decrypt!` will let you access these systems no
69
124
 
70
125
  This will work for systems that use Ruby sockets as the underlying communication mechanism.
71
126
 
127
+ ### Automatic scheduled incineration for sessions
128
+
129
+ By default, sessions will be incinerated with a job 30 days after they are created. You can configure this period by setting `config.console1984.incinerate_after = 1.year` and you can disable incineration completely by setting `config.console1984.incinerate = false`.
130
+
72
131
  ## Configuration
73
132
 
74
133
  These config options are namespaced in `config.console1984`:
75
134
 
76
- | Name | Description |
77
- | ------------------------ | ------------------------------------------------------------ |
78
- | `protected_environments` | The list of environments where `console1984` will act on. Defaults to `%i[ production ]` |
79
- | `protected_urls` | The list of URLs corresponding with external systems to protect. |
80
- | `session_logger` | The system used to record session data. The default logger is `Console1984::SessionsLogger::Database`. |
81
- | `username_resolver` | Configure an object responsible of resolving the current database username. The default is `Console1984::Username::EnvResolver.new("CONSOLE_USER")`, which returns the value of the environment variable `CONSOLE_USER`. |
135
+ | Name | Description |
136
+ | ------------------------------------------- | ------------------------------------------------------------ |
137
+ | `protected_environments` | The list of environments where `console1984` will act on. Defaults to `%i[ production ]`. |
138
+ | `protected_urls` | The list of URLs corresponding with external systems to protect. |
139
+ | `session_logger` | The system used to record session data. The default logger is `Console1984::SessionsLogger::Database`. |
140
+ | `username_resolver` | Configure an object responsible of resolving the current database username. The default is `Console1984::Username::EnvResolver.new("CONSOLE_USER")`, which returns the value of the environment variable `CONSOLE_USER`. |
141
+ | `production_data_warning` | The text to show when a console session starts. |
142
+ | `enter_unprotected_encryption_mode_warning` | The text to show when user enters into unprotected mode. |
143
+ | `enter_protected_mode_warning` | The text to show when user go backs to protected mode. |
144
+ | `incinerate` | Whether incinerate sessions automatically after a period of time or not. Default to `true`. |
145
+ | `incinerate_after` | The period to keep sessions around before incinerate them. Default `30.days`. |
146
+ | `incineration_queue` | The name of the queue for session incineration jobs. Default `console1984_incineration`. |
82
147
 
83
148
  ## About built-in protection mechanisms
84
149
 
data/lib/console1984/version.rb CHANGED
@@ -1,3 +1,3 @@
1
1
  module Console1984
2
- VERSION = '0.1.2'
2
+ VERSION = '0.1.3'
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: console1984
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.2
4
+ version: 0.1.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Jorge Manrubia
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-08-18 00:00:00.000000000 Z
11
+ date: 2021-08-19 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: colorize