console1984 0.1.5 → 0.1.6
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +5 -2
- data/lib/console1984/protected_auditable_tables.rb +2 -2
- data/lib/console1984/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 0a76f26ca8567b7261e2062a9360216ebca2c230ffb48e4ecb5e5a9970339e99
|
|
4
|
+
data.tar.gz: 6a892b894d3274e9567a4fd763d9121690b889b89e7a2e7a2b9f919825e51144
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 125c2457aca08f4f1476db595f465a85c1b2d9dfa22634502b398456aeb0816436563372a42a1c2182a731a87b7c8552bb4429b775bd2b6f320fbc86bd74d5b3
|
|
7
|
+
data.tar.gz: bd3ed3832febd22d4f6038ee8e3bf2db7471f9bbc62a77bb8934ee0904681050b072b67c12d8bccac3b2eebc8e52c8f06f06c32cf0407be6fb9f0008248f0834
|
data/README.md
CHANGED
|
@@ -14,6 +14,8 @@ If you are looking for the auditing tool, check [`audits1984`](https://github.co
|
|
|
14
14
|
|
|
15
15
|
## Installation
|
|
16
16
|
|
|
17
|
+
**Important:** `console1984` depends on [Active Record encryption](https://edgeguides.rubyonrails.org/active_record_encryption.html) which is a Rails 7 feature. Since no gem for Rails 7 has been released yet, you need to run Rails edge in your project (point the gem to latest `main` in the [repo](https://github.com/rails/rails)).
|
|
18
|
+
|
|
17
19
|
Add it to your `Gemfile`:
|
|
18
20
|
|
|
19
21
|
```ruby
|
|
@@ -112,7 +114,7 @@ irb(main)> Rails.cache.read("some key") # raises Console1984::Errors::ProtectedC
|
|
|
112
114
|
|
|
113
115
|
### Access to external systems
|
|
114
116
|
|
|
115
|
-
While Active Record encryption can protect personal information in the database, are other systems can contain very sensitive information. For example: Elasticsearch indexing user information or Redis caching template fragments.
|
|
117
|
+
While Active Record encryption can protect personal information in the database, there are other systems can contain very sensitive information. For example: Elasticsearch indexing user information or Redis caching template fragments.
|
|
116
118
|
|
|
117
119
|
To protect the access to such systems, you can add their URLs to `config.console1984.protected_urls` in the corresponding environment config file (e.g: `production.rb`):
|
|
118
120
|
|
|
@@ -141,7 +143,7 @@ These config options are namespaced in `config.console1984`:
|
|
|
141
143
|
| `protected_environments` | The list of environments where `console1984` will act on. Defaults to `%i[ production ]`. |
|
|
142
144
|
| `protected_urls` | The list of URLs corresponding with external systems to protect. |
|
|
143
145
|
| `session_logger` | The system used to record session data. The default logger is `Console1984::SessionsLogger::Database`. |
|
|
144
|
-
| `username_resolver` | Configure
|
|
146
|
+
| `username_resolver` | Configure how the current user is determined for a given console session. The default is `Console1984::Username::EnvResolver.new("CONSOLE_USER")`, which returns the value of the environment variable `CONSOLE_USER`. |
|
|
145
147
|
| `production_data_warning` | The text to show when a console session starts. |
|
|
146
148
|
| `enter_unprotected_encryption_mode_warning` | The text to show when user enters into unprotected mode. |
|
|
147
149
|
| `enter_protected_mode_warning` | The text to show when user go backs to protected mode. |
|
|
@@ -153,3 +155,4 @@ These config options are namespaced in `config.console1984`:
|
|
|
153
155
|
|
|
154
156
|
`console1984` uses Ruby to add several protection mechanisms. However, because Ruby is highly dynamic, it's technically possible to circumvent most of these controls if you know what you are doing. We have made an effort to prevent such attempts, but if your organization needs bullet-proof protection against malicious actors using the console, you should consider additional security measures.
|
|
155
157
|
|
|
158
|
+
The current version includes protection mechanisms to avoid tampering the tables that store console sessions. A definitive mechanism to do this would be using a read only connection when user commands are evaluated. Implementing such scheme is possible by writing a custom session logger and leveraging Rails' multi-database support. We would like that future versions of `console1984` supported this scheme directly as a configuration option.
|
|
@@ -3,12 +3,12 @@ module Console1984::ProtectedAuditableTables
|
|
|
3
3
|
include Console1984::Freezeable
|
|
4
4
|
|
|
5
5
|
%i[ execute exec_query exec_insert exec_delete exec_update exec_insert_all ].each do |method|
|
|
6
|
-
define_method method do |*args|
|
|
6
|
+
define_method method do |*args, **kwargs|
|
|
7
7
|
sql = args.first
|
|
8
8
|
if Console1984.supervisor.executing_user_command? && sql =~ auditable_tables_regexp
|
|
9
9
|
raise Console1984::Errors::ForbiddenCommand, "#{sql}"
|
|
10
10
|
else
|
|
11
|
-
super(*args)
|
|
11
|
+
super(*args, **kwargs)
|
|
12
12
|
end
|
|
13
13
|
end
|
|
14
14
|
end
|
data/lib/console1984/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: console1984
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.6
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jorge Manrubia
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-08-
|
|
11
|
+
date: 2021-08-29 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: colorize
|