RubyGems - console1984 - Versions diffs - 0.1.2 → 0.1.3 - Mend

console1984 0.1.2 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 00c631a415150d26c5af9cc748900015818ca7eb78a1a958a4a92aeee572fc06
-  data.tar.gz: 05520effef693150b8a2cf1e17ab578038c1ddd02b99db4fdd5a97d54884ea36
+  metadata.gz: be2eedd1d1d2a84d3a90ddc727bb08e4b10d9c41a47d90fa00abcbe78887c0e5
+  data.tar.gz: 0cf9dda87ea53c4b89a3b9cf5d9779ec6d3d59f51549e97effc84e5360a908af
 SHA512:
-  metadata.gz: 974b06da4ce3b24d837bc9e4b7488014bde82fb7597ef5eff1c261ce155b430eb91948711404844714ac94a067c6bede7a808ff3c017a3feacd546a39790f244
-  data.tar.gz: a63cf7c90b42f1d8f2ce6df8f46e4867e0f081f7073d5696704271502527a6385a330fa7413cc11dae95d72e8c30a35fade40bf9d1c878109a55a14977bc3f4d
+  metadata.gz: ca227ee62658722a5e14b1f94df78ee1ef9be764ae32ac69dbecc569f2c9db26bd7b794d94eaaf27fd85725e0d17a8ab0fc400b6ed52952fa144af3db22d0a67
+  data.tar.gz: 8718e459484935cc14585fd1c3ce76f7f53792169955b702e7b1e3551a63abd1327ef0e4680b2a28acaa6789d9f6a006181f653b6a518571a49972cf578baaeb

data/README.md CHANGED Viewed

@@ -2,10 +2,16 @@
 # Console1984
-Console1984 is an extension for Rails consoles that protects sensitive accesses and makes them auditable.
+A Rails console extension that protects sensitive accesses and makes them auditable.
+> “If you want to keep a secret, you must also hide it from yourself.”
+>
+> ― George Orwell, 1984
 If you are looking for the auditing tool, check [`audits1984`](https://github.com/basecamp/audits1984).
+![console-session-reason](docs/images/console-session-reason.png)
 ## Installation
 Add it to your `Gemfile`:
@@ -33,7 +39,21 @@ config.console1984.protected_environments = %i[ production staging ]
 When starting a console session, it will ask for a reason. Internally, it will use this reason to document the console session and record all the commands executed in it.
-![console-session-reason](docs/images/console-session-reason.png)
+```
+$ rails c
+You have access to production data here. That's a big deal. As part of our promise to keep customer data safe and private, we audit the commands you type here. Let's get started!
+Commands:
+* decrypt!: enter unprotected mode with access to encrypted information
+Unnamed, why are you using this console today?
+> ...
+```
 ### Auditing sessions
@@ -41,19 +61,54 @@ Check out [`audits1984`](https://github.com/basecamp/audits1984), a companion au
 ### Access to encrypted data
-By default, `console1984` won't decrypt data encrypted with [Active Record encryption](https://edgeguides.rubyonrails.org/active_record_encryption.html).
+By default, `console1984` won't decrypt data encrypted with [Active Record encryption](https://edgeguides.rubyonrails.org/active_record_encryption.html). Users will just see the ciphertexts.
 To decrypt data, enter the command `decrypt!`. It will ask for a justification, and these accesses will be flagged internally as sensitive.
-![console-session-reason](docs/images/console-decrypt.png)
+```ruby
+irb(main)> Topic.last.name
+  Topic Load (1.4ms)  SELECT `topics`.* FROM `topics` ORDER BY `topics`.`id` DESC LIMIT 1
+=> "{\"p\":\"iu6+LfnNlurC6sL++JyOIDvedjNSz/AvnZQ=\",\"h\":{\"iv\":\"BYa86+JNM/LdkC18\",\"at\":\"r4sQNoSyIlAjJdZEKHVMow==\",\"k\":{\"p\":\"7L1l/5UiYsFQqqo4jfMZtLwp90KqcrIgS7HqgteVjuM=\",\"h\":{\"iv\":\"ItwRYxZAerKIoSZ8\",\"at\":\"ZUSNVfvtm4wAYWLBKRAx/g==\",\"e\":\"QVNDSUktOEJJVA==\"}},\"i\":\"OTdiOQ==\"}}"
+irb(main):002:0> decrypt!
+```
+```
+Before you can access personal information, you need to ask for and get explicit consent from the user(s). Unnamed, where can we find this consent (a URL would be great)?
+> ...
+Ok! You have access to encrypted information now. We pay extra close attention to any commands entered while you have this access. You can go back to protected mode with 'encrypt!'
+WARNING: Make sure you don`t save objects that were loaded while in protected mode, as this can result in saving the encrypted texts.
+```
+```ruby
+irb(main)> Topic.last.name
+  Topic Load (1.2ms)  SELECT `topics`.* FROM `topics` ORDER BY `topics`.`id` DESC LIMIT 1
+=> "Thanks for the inspiration"
+```
 You can type `encrypt!` to go back to protected mode again.
-![console-session-reason](docs/images/console-encrypt.png)
+```ruby
+irb(main):004:0> encrypt!
+```
+```
+Great! You are back in protected mode. When we audit, we may reach out for a conversation about the commands you entered. What went well? Did you solve the problem without accessing personal data?
+```
+```ruby
+irb(main)> Topic.last.name
+  Topic Load (1.4ms)  SELECT `topics`.* FROM `topics` ORDER BY `topics`.`id` DESC LIMIT 1
+=> "{\"p\":\"iu6+LfnNlurC6sL++JyOIDvedjNSz/AvnZQ=\",\"h\":{\"iv\":\"BYa86+JNM/LdkC18\",\"at\":\"r4sQNoSyIlAjJdZEKHVMow==\",\"k\":{\"p\":\"7L1l/5UiYsFQqqo4jfMZtLwp90KqcrIgS7HqgteVjuM=\",\"h\":{\"iv\":\"ItwRYxZAerKIoSZ8\",\"at\":\"ZUSNVfvtm4wAYWLBKRAx/g==\",\"e\":\"QVNDSUktOEJJVA==\"}},\"i\":\"OTdiOQ==\"}}"
+```
 While in protected mode, you can't modify encrypted data, but can save unencrypted attributes normally. If you try to modify an encrypted column it will raise an error:
-![console-session-reason](docs/images/console-protect-urls.png)
+```ruby
+irb(main)> Rails.cache.read("some key") # raises Console1984::Errors::ProtectedConnection
+```
 ### Access to external systems
@@ -69,16 +124,26 @@ As with encryption data, running `decrypt!` will let you access these systems no
 This will work for systems that use Ruby sockets as the underlying communication mechanism.
+### Automatic scheduled incineration for sessions
+By default, sessions will be incinerated with a job 30 days after they are created. You can configure this period by setting `config.console1984.incinerate_after = 1.year` and you can disable incineration completely by setting `config.console1984.incinerate = false`.
 ## Configuration
 These config options are namespaced in `config.console1984`:
-| Name                     | Description                                                  |
-| ------------------------ | ------------------------------------------------------------ |
-| `protected_environments` | The list of environments where `console1984` will act on. Defaults to `%i[ production ]` |
-| `protected_urls`         | The list of URLs corresponding with external systems to protect. |
-| `session_logger`         | The system used to record session data. The default logger is `Console1984::SessionsLogger::Database`. |
-| `username_resolver`      | Configure an object responsible of resolving the current database username. The default is `Console1984::Username::EnvResolver.new("CONSOLE_USER")`, which returns the value of the environment variable `CONSOLE_USER`. |
+| Name                                        | Description                                                  |
+| ------------------------------------------- | ------------------------------------------------------------ |
+| `protected_environments`                    | The list of environments where `console1984` will act on. Defaults to `%i[ production ]`. |
+| `protected_urls`                            | The list of URLs corresponding with external systems to protect. |
+| `session_logger`                            | The system used to record session data. The default logger is `Console1984::SessionsLogger::Database`. |
+| `username_resolver`                         | Configure an object responsible of resolving the current database username. The default is `Console1984::Username::EnvResolver.new("CONSOLE_USER")`, which returns the value of the environment variable `CONSOLE_USER`. |
+| `production_data_warning`                   | The text to show when a console session starts.              |
+| `enter_unprotected_encryption_mode_warning` | The text to show when user enters into unprotected mode.     |
+| `enter_protected_mode_warning`              | The text to show when user go backs to protected mode.       |
+| `incinerate`                                | Whether incinerate sessions automatically after a period of time or not. Default to `true`. |
+| `incinerate_after`                          | The period to keep sessions around before incinerate them. Default `30.days`. |
+| `incineration_queue`                        | The name of the queue for session incineration jobs. Default `console1984_incineration`. |
 ## About built-in protection mechanisms

data/lib/console1984/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Console1984
-  VERSION = '0.1.2'
+  VERSION = '0.1.3'
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: console1984
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.1.3
 platform: ruby
 authors:
 - Jorge Manrubia
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-08-18 00:00:00.000000000 Z
+date: 2021-08-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: colorize