RubyGems - decidim-cdtb - Versions diffs - 0.5.4 → 0.5.6 - Mend

decidim-cdtb 0.5.4 → 0.5.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +9 -0
data/Gemfile.lock +1 -1
data/README.md +12 -0
data/config/initializers/cdtb_rack_attack.rb +49 -0
data/config/initializers/ip_filtering.rb +11 -0
data/lib/cdtb/ip_parser.rb +39 -0
data/lib/decidim/cdtb/users/remover.rb +3 -5
data/lib/decidim/cdtb/version.rb +1 -1
data/lib/tasks/participatory_spaces.rake +1 -1
data/lib/tasks/users.rake +2 -2
metadata +5 -3
data/config/initializers/rack_attack.rb +0 -51

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 503b64bc8fc2ef3f45edcdabff3591d23a075cfb48e25cb624f061e7019f0f03
-  data.tar.gz: 3574d5efd2e3d9f08e510f24df8f8c92ec9f45e3efea1e1308afc1ebcb58465d
+  metadata.gz: 303e4725f5b7dde9f45b5bb2c866d3cbdb118ef35f81effbd47b58767a0c1657
+  data.tar.gz: b95307923329f47530efe27d6cb77f8b9009e6a5ce70b575771116ef87e4a195
 SHA512:
-  metadata.gz: 37affa74d1f8761a42c1a6e64ecf93cbd9422208e169dc318d765b3fb650bdfc056fcf4a3a00ef2b1d95103ace679815e0fc933d5ebbda2447f3d47ba94f7902
-  data.tar.gz: ece1b559779d9a45d378afb760f4df73aeca4866ef94c6b6561b599d9dfaf4db2033b2c7e674226e6753cd662728cc6db931389f19cbae3c8973a947701fa9ff
+  metadata.gz: fb14724b3a4cf851bddeebb2404bd2473b740feda827ffb9a1ac15a2b3abe9826211b06aa95bcdede13b52d7fb12d542eaf4deac6c13143c044562dc259b4e11
+  data.tar.gz: 38da29e0a9190ae671923376168c4f45719fc3c8feb5ecf306a420485222d26da217ddfd63712eb6363bb12c22fd8a39e1cf199c64d63f1ca032f04e12992f75

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,14 @@
 ## [Unreleased]
+## [0.5.6] - 2025-08-11 (minor - Escola de monstres, gràcies!)
+- Wrap RackAttack IP related parsing into IpParser.
+- Allow to extend Rack::Request.ip_filter regex used internally by Rack::Request.trusted_proxy?(ip).
+## [0.5.5] - 2025-08-03 (patch - Esquelètic pero frenètic)
+- Fix params in Users::Remover task
 ## [0.5.4] - 2025-07-10 (patch - Una festa que no resta)
 - Use `main` as default git branch in CI generators

data/Gemfile.lock CHANGED Viewed

@@ -141,7 +141,7 @@ GIT
 PATH
   remote: .
   specs:
-    decidim-cdtb (0.5.4)
+    decidim-cdtb (0.5.6)
       decidim (>= 0.28.0)
       rails (>= 6)
       ruby-progressbar

data/README.md CHANGED Viewed

@@ -67,6 +67,18 @@ Fixes YouTube embeds to Decidim v0.28 format in different places, which at the m
 bin/rake cdtb:embeds:fix_youtube
 ```
+### Logging
+#### IP logging
+See `config/initializers/ip_filtering.rb` to learn how to add conditions to `Rack::Request.trusted_proxy?(ip)`.
+Example, to add your 10.2.0.4 proxy as a trusted proxy define the following ENV var:
+```
+# don't forget the OR at the beginnig
+RACK_RQ_IP_FILTER_EXT="|\A10\.2\.0\.4\Z"
+```
 ### Migrate ActiveStorage service from S3 to local

data/config/initializers/cdtb_rack_attack.rb ADDED Viewed

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+require "cdtb/ip_parser"
+unless ENV["CDTB_RACK_ATTACK_DISABLED"].to_i.positive? || %w[development test].include?(Rails.env)
+  require "rack/attack"
+  Cdtb::IpParser.decorate_rack_request
+  limit= ENV.fetch("RACK_ATTACK_THROTTLE_LIMIT", 30)
+  period= ENV.fetch("RACK_ATTACK_THROTTLE_PERIOD", 60)
+  Rails.logger.info("Configuring Rack::Attack.throttle with limit for requests by ip: #{limit}, period: #{period}")
+  Rack::Attack.throttle("cdtb:requests by ip", limit: limit.to_i, period: period.to_i) do |request|
+    # ignore requests to assets
+    next if request.path.start_with?("/rails/active_storage")
+    Cdtb::IpParser.extract_ip(request)
+  end
+  if ENV.key?("RACK_ATTACK_THROTTLE_RANGE_LIMIT") && ENV["RACK_ATTACK_THROTTLE_RANGE_LIMIT"].to_i.positive?
+    limit= ENV.fetch("RACK_ATTACK_THROTTLE_RANGE_LIMIT", 30)
+    period= ENV.fetch("RACK_ATTACK_THROTTLE_RANGE_PERIOD", 60)
+    Rails.logger.info("Configuring Rack::Attack.throttle with limit for IP Ranges: #{limit}, period: #{period}")
+    Rack::Attack.throttle("cdtb:requests by ip range", limit: limit.to_i, period: period.to_i) do |request|
+      # ignore requests to assets
+      next if request.path.start_with?("/rails/active_storage")
+      ip= Cdtb::IpParser.extract_ip(request)
+      # rubocop: disable Lint/UselessAssignment
+      range_32bit= ip.split(".")[0, 2]
+      # rubocop: enable Lint/UselessAssignment
+    end
+  end
+  Rack::Attack.blocklist("cdtb:block all /.well-known/traffic-advice") do |request|
+    request.path.start_with?("/.well-known/traffic-advice")
+  end
+  Rack::Attack.blocklist("cdtb:block all PHP RQs") do |request|
+    request.path.end_with?("*.php")
+  end
+  if ENV["RACK_ATTACK_BLOCKED_IPS"].present?
+    blocked_ips_and_subnets= ENV["RACK_ATTACK_BLOCKED_IPS"].split(",")
+    Rack::Attack.blocklist("cdtb:block all unaccepted IPs") do |request|
+      ip= Cdtb::IpParser.extract_ip(request)
+      blocked_ips_and_subnets.any? { |ip_or_subnet| ip.start_with?(ip_or_subnet) }
+    end
+  end
+end

data/config/initializers/ip_filtering.rb ADDED Viewed

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+# Used internally by Rack::Request.trusted_proxy?(ip)
+if ENV.key?("RACK_RQ_IP_FILTER_EXT") && ENV["RACK_RQ_IP_FILTER_EXT"].present?
+  ORIGINAL_REGEX= /\A127\.0\.0\.1\Z|\A(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.|\A::1\Z|\Afd[0-9a-f]{2}:.+|\Alocalhost\Z|\Aunix\Z|\Aunix:/i
+  Rack::Request.ip_filter = lambda do |ip|
+    regex_str= ORIGINAL_REGEX.to_s
+    regex_str << ENV.fetch("RACK_RQ_IP_FILTER_EXT", nil)
+    /#{regex_str}/i.match?(ip)
+  end
+end

data/lib/cdtb/ip_parser.rb ADDED Viewed

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+module Cdtb
+  # Parses IPs from Rack::Request objects, discarding the port.
+  module IpParser
+    def self.decorate_rack_request
+      Rack::Request.class_eval do
+        include Cdtb::IpParser
+        alias_method :original_ip_method, :ip
+        def ip
+          extract_ip(self)
+        end
+      end
+    end
+    def self.extract_ip(request)
+      # Take the IP either from the remote addr or from the forwarded for header
+      # If Rack::Request is decorated use the original method.
+      ip= defined?(request.original_ip_method) ? request.original_ip_method : request.ip
+      Rails.logger.info { ">>>>>>>>>>>>>>>>>>>> Request IP: #{ip}" }
+      Rails.logger.info { ">>>>>>>>>>>>>>>>>>>> X-Forwarded-For: #{request.get_header("HTTP_X_FORWARDED_FOR")}" }
+      num_colons= ip.scan(":").length
+      if [1, 6].include?(num_colons)
+        # is an IP (v4 or v6) with port
+        ip.rpartition(":").first
+      else
+        # standard inet4 or inet6 IP without port
+        ip
+      end
+    end
+    def extract_ip(request)
+      ::Cdtb::IpParser.extract_ip(request)
+    end
+  end
+end

data/lib/decidim/cdtb/users/remover.rb CHANGED Viewed

@@ -7,8 +7,8 @@ module Decidim
       #
       # rubocop:disable Metrics/ClassLength
       class Remover < ::Decidim::Cdtb::Task
-        def initialize(organization, csv_path, reporter_user_email)
-          @organization= organization
+        def initialize(organization_id, csv_path, reporter_user_email)
+          @organization= Decidim::Organization.find_by(id: organization_id)
           @csv_path = csv_path
           @reporter_user_email = reporter_user_email
           progress_bar = { title: "Decidim::User" }
@@ -25,9 +25,7 @@ module Decidim
         def do_execution(context)
           progress_bar = context[:progress_bar]
-          reporter_user = @organization.users.find_by(email: @reporter_user_email,
-                                                      organization: user.organization)
+          reporter_user = Decidim::User.find_by(email: @reporter_user_email, organization: @organization)
           emails_on_moderations = @organization.users.where(email_on_moderations: true).pluck(:email)
           disable_email_moderations(emails_on_moderations)

data/lib/decidim/cdtb/version.rb CHANGED Viewed

@@ -2,7 +2,7 @@
 module Decidim
   module Cdtb
-    VERSION = "0.5.4"
+    VERSION = "0.5.6"
     DECIDIM_MIN_VERSION = ">= 0.28.0"
   end
 end

data/lib/tasks/participatory_spaces.rake CHANGED Viewed

@@ -6,7 +6,7 @@ require "decidim/cdtb/tasks"
 namespace :cdtb do
   namespace :participatory_spaces do
     desc <<~EODESC
-      Add content blocks to a participatory processes
+      Add content blocks to participatory processes
     EODESC
     task :add_content_blocks, [:content_block_names] => :environment do |_task, args|
       unless Decidim.version >= "0.28"

data/lib/tasks/users.rake CHANGED Viewed

@@ -15,8 +15,8 @@ namespace :cdtb do
     desc <<~EODESC
       Remove Decidim::User's by IDs in a CSV.
     EODESC
-    task :remove, %i[csv_path reporter_user_email] => [:environment] do |_taks, args|
-      service = Decidim::Cdtb::Users::Remover.new(args.csv_path, args.reporter_user_email)
+    task :remove, %i[organization_id csv_path reporter_user_email] => [:environment] do |_taks, args|
+      service = Decidim::Cdtb::Users::Remover.new(args.organization_id, args.csv_path, args.reporter_user_email)
       service.execute!
     end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: decidim-cdtb
 version: !ruby/object:Gem::Version
-  version: 0.5.4
+  version: 0.5.6
 platform: ruby
 authors:
 - Oliver Valls
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-07-21 00:00:00.000000000 Z
+date: 2026-05-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: decidim
@@ -86,8 +86,10 @@ files:
 - Rakefile
 - app/jobs/application_job.rb
 - app/jobs/cdtb/fix_nickname_job.rb
-- config/initializers/rack_attack.rb
+- config/initializers/cdtb_rack_attack.rb
+- config/initializers/ip_filtering.rb
 - decidim-cdtb.gemspec
+- lib/cdtb/ip_parser.rb
 - lib/decidim/cdtb.rb
 - lib/decidim/cdtb/engine.rb
 - lib/decidim/cdtb/fixes/nickname_fixer.rb

data/config/initializers/rack_attack.rb DELETED Viewed

@@ -1,51 +0,0 @@
-# frozen_string_literal: true
-unless ENV["CDTB_RACK_ATTACK_DISABLED"].to_i.positive? || %w[development test].include?(Rails.env)
-  require "rack/attack"
-  def extract_ip(request)
-    x_forwarded_for= request.get_header("HTTP_X_FORWARDED_FOR")
-    Rails.logger.info { ">>>>>>>>>>>>>>>>>>>> X-Forwarded-For: #{x_forwarded_for}" }
-    if x_forwarded_for.present?
-      x_forwarded_for.split(":").first
-    else
-      request.ip
-    end
-  end
-  limit= ENV.fetch("RACK_ATTACK_THROTTLE_LIMIT", 30)
-  period= ENV.fetch("RACK_ATTACK_THROTTLE_PERIOD", 60)
-  Rails.logger.info("Configuring Rack::Attack.throttle with limit: #{limit}, period: #{period}")
-  Rack::Attack.throttle("cdtb: requests by ip", limit: limit.to_i, period: period.to_i) do |request|
-    # ignore requests to assets
-    next if request.path.start_with?("/rails/active_storage")
-    extract_ip(request)
-  end
-  limit= ENV.fetch("RACK_ATTACK_THROTTLE_RANGE_LIMIT", 30)
-  period= ENV.fetch("RACK_ATTACK_THROTTLE_RANGE_PERIOD", 60)
-  Rails.logger.info("Configuring Rack::Attack.throttle with limits for IP Ranges: #{limit}, period: #{period}")
-  Rack::Attack.throttle("cdtb: requests by ip range", limit: limit.to_i, period: period.to_i) do |request|
-    # ignore requests to assets
-    next if request.path.start_with?("/rails/active_storage")
-    ip= extract_ip(request)
-    # rubocop: disable Lint/UselessAssignment
-    range_32bit= ip.split(".")[0, 2]
-    # rubocop: enable Lint/UselessAssignment
-  end
-  Rack::Attack.blocklist("cdtb: block all /.well-known/traffic-advice") do |request|
-    request.path.start_with?("/.well-known/traffic-advice")
-  end
-  if ENV["RACK_ATTACK_BLOCKED_IPS"].present?
-    blocked_ips_and_subnets= ENV["RACK_ATTACK_BLOCKED_IPS"].split(",")
-    Rack::Attack.blocklist("cdtb:block all unaccepted IPs") do |request|
-      ip= extract_ip(request)
-      blocked_ips_and_subnets.any? { |ip_or_subnet| ip.start_with?(ip_or_subnet) }
-    end
-  end
-end