basecamp · juanm18 · Mar 7, 2024
diff --git a/README.md b/README.md
@@ -149,14 +149,17 @@ These config options are namespaced in `config.console1984`:
 | `protected_urls`                            | The list of URLs corresponding with external systems to protect.                                                                                                                                                       |
 | `session_logger`                            | The system used to record session data. The default logger is `Console1984::SessionsLogger::Database`.                                                                                                                 |
 | `username_resolver`                         | Configure how the current user is determined for a given console session. The default is `Console1984::Username::EnvResolver.new("CONSOLE_USER")`, which returns the value of the environment variable `CONSOLE_USER`. |
- | `ask_for_username_if_empty`                 | If `true`, the console will ask for a username if it is empty. If `false`, it will raise an error if no username is set. Defaults to `false`.                                                                          |
+| `ask_for_username_if_empty`                 | If `true`, the console will ask for a username if it is empty. If `false`, it will raise an error if no username is set. Defaults to `false`.                                                                          |
 | `production_data_warning`                   | The text to show when a console session starts.                                                                                                                                                                        |
 | `enter_unprotected_encryption_mode_warning` | The text to show when user enters into unprotected mode.                                                                                                                                                               |
 | `enter_protected_mode_warning`              | The text to show when user go backs to protected mode.                                                                                                                                                                 |
+| `justification_message`                     | The text to show when user is prompted for justification while accessing decrypted data.                                                                                                                               |
+| `commands_list`                             | The list of `Commands` to show when user accesses the console. Must be a Hash `{"foo": "bar"}`.                                                                                                                        |
+| `show_commands_message`                     | If `true` the `Commands` message will display, If `false` the messsage will not display. Defaults to `true`                                                                                                            |
 | `incinerate`                                | Whether incinerate sessions automatically after a period of time or not. Default to `true`.                                                                                                                            |
 | `incinerate_after`                          | The period to keep sessions around before incinerate them. Default `30.days`.                                                                                                                                          |
 | `incineration_queue`                        | The name of the queue for session incineration jobs. Default `console1984_incineration`.                                                                                                                               |
-| `base_record_class`                         | The host application base class that will be the parent of `console1984` records. By default it's `::ApplicationRecord`. |
+| `base_record_class`                         | The host application base class that will be the parent of `console1984` records. By default it's `::ApplicationRecord`.                                                                                               |
 
 ### SSH Config
 

diff --git a/lib/console1984/config.rb b/lib/console1984/config.rb
@@ -10,6 +10,7 @@ class Console1984::Config
     session_logger username_resolver ask_for_username_if_empty shield command_executor
     protected_environments protected_urls
     production_data_warning enter_unprotected_encryption_mode_warning enter_protected_mode_warning
+    justification_message commands_list show_commands_message
     incinerate incinerate_after incineration_queue
     protections_config
     base_record_class
@@ -51,6 +52,9 @@ def set_defaults
       self.production_data_warning = DEFAULT_PRODUCTION_DATA_WARNING
       self.enter_unprotected_encryption_mode_warning = DEFAULT_ENTER_UNPROTECTED_ENCRYPTION_MODE_WARNING
       self.enter_protected_mode_warning = DEFAULT_ENTER_PROTECTED_MODE_WARNING
+      self.justification_message = DEFAULT_JUSTIFICATION_MESSAGE
+      self.commands_list = COMMANDS
+      self.show_commands_message = true
 
       self.incinerate = true
       self.incinerate_after = 30.days

diff --git a/lib/console1984/input_output.rb b/lib/console1984/input_output.rb
@@ -4,7 +4,7 @@ module Console1984::InputOutput
   private
     def show_welcome_message
       show_production_data_warning
-      show_commands
+      show_commands if Console1984.show_commands_message
     end
 
     def show_production_data_warning
@@ -20,7 +20,7 @@ def show_commands
 
       Commands:
 
-      #{COMMANDS.collect { |command, help_line| "* #{Rainbow(command.to_s).blue}: #{help_line}" }.join("\n")}
+      #{Console1984.config.commands_list.collect { |command, help_line| "* #{Rainbow(command.to_s).blue}: #{help_line}" }.join("\n")}
 
       TXT
     end

diff --git a/lib/console1984/messages.rb b/lib/console1984/messages.rb
@@ -14,6 +14,10 @@ module Console1984::Messages
   Great! You are back in protected mode. When we audit, we may reach out for a conversation about the commands you entered. What went well? Did you solve the problem without accessing personal data?
   TXT
 
+  DEFAULT_JUSTIFICATION_MESSAGE = <<~TXT
+  Before you can access personal information, you need to ask for and get explicit consent from the user(s). [current_username], where can we find this consent (a URL would be great)?
+  TXT
+
   COMMANDS = {
       "decrypt!": "enter unprotected mode with access to encrypted information"
   }

diff --git a/lib/console1984/shield/modes.rb b/lib/console1984/shield/modes.rb
@@ -17,7 +17,7 @@ module Console1984::Shield::Modes
   def enable_unprotected_mode(silent: false)
     command_executor.run_as_system do
       show_warning Console1984.enter_unprotected_encryption_mode_warning if !silent && protected_mode?
-      justification = ask_for_value "\nBefore you can access personal information, you need to ask for and get explicit consent from the user(s). #{current_username}, where can we find this consent (a URL would be great)?"
+      justification = ask_for_value Console1984.justification_message.gsub('[current_username]', current_username)
       session_logger.start_sensitive_access justification
       nil
     end

diff --git a/test/config_override_test.rb b/test/config_override_test.rb
@@ -0,0 +1,42 @@
+require 'test_helper'
+
+class ConfigOverrideTest < ActiveSupport::TestCase
+  teardown do
+    @console.stop
+  end
+
+  test "setting justification_message in config overrides default message" do
+    original = Console1984.config.justification_message
+    Console1984.config.justification_message = "foobar"
+    @console = SupervisedTestConsole.new(user: "jorge", reason: "Some very good reason")
+
+    type_when_prompted "will our test pass?" do
+      @console.execute "decrypt!"
+    end
+
+    assert_includes @console.output, "foobar"
+
+    Console1984.config.justification_message = original
+  end
+
+  test "setting commands_list in config overrides default message" do
+    original = Console1984.config.commands_list
+    Console1984.config.commands_list = {"new_command": "new help line"}
+    @console = SupervisedTestConsole.new(user: "jorge", reason: "Some very good reason")
+
+    assert_includes @console.output, "new_command"
+    assert_includes @console.output, "new help line"
+
+    Console1984.config.commands_list = original
+  end
+
+  test "setting show_commands to false does not show commands list" do
+    Console1984.config.show_commands_message = false
+    @console = SupervisedTestConsole.new(user: "jorge", reason: "Some very good reason")
+
+    assert_not_includes @console.output, "decrypt!"
+
+    Console1984.config.show_commands_message = true
+  end
+end
+
diff --git a/test/support/supervised_test_console.rb b/test/support/supervised_test_console.rb
@@ -9,7 +9,16 @@ def initialize(reason: "No reason", user: "Not set")
 
     @context = Context.new
     IRB.stubs(CurrentContext: @context)
-    start_supervisor(reason)
+
+    return_value = nil
+
+    output, error = capture_io do
+      return_value = start_supervisor(reason)
+    end
+
+    @string_io << output + error
+
+    return_value
   end
 
   def stop