graph_attack 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 86f3e5cffd6d44474777d8922c3c4082d21143dd
+  data.tar.gz: 2a0ad09a08d65b22c3b97752b1ce0428cc2040e9
+SHA512:
+  metadata.gz: 830ea8dbf7fad402e69a27bc1e05189af0488fb241580e12a65bb69eca19591552411f4868cd657fd656d989a868686564c5791b0f250bded67e26ae17389d92
+  data.tar.gz: b7566c50d48645f92ad17bb2f5210346042c178bc10cbe91ea9d58514161570e364d898275b3dadee215588201372d2c38e78177318c10554b4760e523c91bfd

data/.circleci/config.yml

@@ -0,0 +1,52 @@
+# Ruby CircleCI 2.0 configuration file
+#
+# Check https://circleci.com/docs/2.0/language-ruby/ for more details
+#
+version: 2
+jobs:
+  build:
+    docker:
+       - image: circleci/ruby:2.4.1-node-browsers
+       - image: redis
+
+    working_directory: ~/repo
+
+    steps:
+      - checkout
+
+      # Download and cache dependencies
+      - restore_cache:
+          keys:
+          - v1-dependencies-{{ checksum "graph_attack.gemspec" }}
+          # fallback to using the latest cache if no exact match is found
+          - v1-dependencies-
+
+      - run:
+          name: install dependencies
+          command: |
+            bundle install --jobs=4 --retry=3 --path vendor/bundle
+
+      - save_cache:
+          paths:
+            - ./vendor/bundle
+          key: v1-dependencies-{{ checksum "graph_attack.gemspec" }}
+
+      # Run tests!
+      - run:
+          name: run tests
+          command: |
+            mkdir /tmp/test-results
+            TEST_FILES="$(circleci tests glob "spec/**/*_spec.rb" | circleci tests split --split-by=timings)"
+
+            bundle exec rspec --format progress \
+                            --format RspecJunitFormatter \
+                            --out /tmp/test-results/rspec.xml \
+                            --format progress \
+                            $TEST_FILES
+
+      # Collect reports
+      - store_test_results:
+          path: /tmp/test-results
+      - store_artifacts:
+          path: /tmp/test-results
+          destination: test-results

data/.gitignore

@@ -0,0 +1,14 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status
+
+# Ignore dev bundler resolution
+Gemfile.lock

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,57 @@
+AllCops:
+  TargetRubyVersion: 2.3
+  DisplayCopNames: true
+
+# Do not sort gems in Gemfile, since we are grouping them by functionality.
+Bundler/OrderedGems:
+  Enabled: false
+
+# Trailing commas are required on multiline method arguments.
+Style/TrailingCommaInArguments:
+  EnforcedStyleForMultiline: comma
+
+# Trailing commas are required in multiline arrays.
+Style/TrailingCommaInArrayLiteral:
+  EnforcedStyleForMultiline: comma
+
+# Trailing commas are required in multiline hashes.
+Style/TrailingCommaInHashLiteral:
+  EnforcedStyleForMultiline: comma
+
+# Allow indenting multiline chained operations.
+Layout/MultilineMethodCallIndentation:
+  EnforcedStyle: indented
+
+# Limit method length (default is 10).
+Metrics/MethodLength:
+  Max: 15
+
+# Do not require `# frozen_string_literal: true` at the top of every file.
+FrozenStringLiteralComment:
+  Enabled: false
+
+# Allow ASCII comments (e.g "…").
+Style/AsciiComments:
+  Enabled: false
+
+# Do not comment the class we create, since the name should be self explanatory.
+Documentation:
+  Enabled: false
+
+# Do not verify the length of the blocks in specs.
+Metrics/BlockLength:
+  Exclude:
+    - spec/**/*
+
+# Allow indenting multiline chained operations.
+Layout/MultilineMethodCallIndentation:
+  EnforcedStyle: indented
+
+# Prefer `== 0`, `< 0`, `> 0` to `zero?`, `negative?` or `positive?`,
+# since they don't exist before Ruby 2.3 or Rails 5 and can be ambiguous.
+Style/NumericPredicate:
+  EnforcedStyle: comparison
+
+# Allow shorter argument names like `ip`.
+Naming/UncommunicativeMethodParamName:
+  MinNameLength: 2

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.4.1
+before_install: gem install bundler -v 1.16.1

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,74 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at sunny@sunfox.org. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

data/Gemfile

@@ -0,0 +1,6 @@
+source 'https://rubygems.org'
+
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in graph_attack.gemspec
+gemspec

data/LICENSE.md

@@ -0,0 +1,21 @@
+The MIT License
+
+Copyright (c) 2018 Fanny Cheung, Sunny Ripert
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,118 @@
+# GraphAttack
+
+[![CircleCI](https://circleci.com/gh/sunny/graph_attack.svg?style=svg)](https://circleci.com/gh/sunny/graph_attack)
+
+GraphQL analyser for blocking & throttling.
+
+## Usage
+
+This gem adds a method to limit access to your GraphQL fields by IP:
+
+```rb
+QueryType = GraphQL::ObjectType.define do
+  name 'Query'
+
+  field :someExpensiveField do
+    rate_limit threshold: 15, interval: 60
+
+    # …
+  end
+end
+```
+
+This would allow only 15 calls per minute by the same IP.
+
+## Requirements
+
+Requires [GraphQL Ruby](http://graphql-ruby.org/) and a running instance
+of [Redis](https://redis.io/).
+
+## Installation
+
+Add these lines to your application's `Gemfile`:
+
+```ruby
+# GraphQL analyser for blocking & throttling by IP.
+gem 'graph_attack'
+```
+
+And then execute:
+
+```sh
+$ bundle
+```
+
+Add the query analyser to your schema:
+
+```rb
+ApplicationSchema = GraphQL::Schema.define do
+  query_analyzer GraphAttack::RateLimiter.new
+
+  # …
+end
+```
+
+Finally, make sure you add the current user's IP address as `ip:` to the
+GraphQL context:
+
+```rb
+class GraphqlController < ApplicationController
+  def create
+    result = ApplicationSchema.execute(
+      params[:query],
+      variables: params[:variables],
+      context: {
+        ip: request.ip,
+      },
+    )
+    render json: result
+  end
+end
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run
+`rake` to run the tests and the linter. You can also run `bin/console` for an
+interactive prompt that will allow you to experiment.
+
+## Versionning
+
+We use [SemVer](http://semver.org/) for versioning. For the versions available,
+see the tags on this repository.
+
+## Releasing
+
+To release a new version, update the version number in `version.rb`, and then
+run `bundle exec rake release`, which will create a git tag for the version,
+push git commits and tags, and push the `.gem` file to
+[rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at
+https://github.com/sunny/graph_attack. This project is intended to be a safe,
+welcoming space for collaboration, and contributors are expected to adhere to
+the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
+
+## Code of Conduct
+
+Everyone interacting in the GraphAttack project’s codebases, issue trackers,
+chat rooms and mailing lists is expected to follow the
+[code of conduct](https://github.com/sunny/graph_attack/blob/master/CODE_OF_CONDUCT.md).
+
+## License
+
+This project is licensed under the MIT License - see the
+[LICENSE.md](https://github.com/sunny/graph_attack/blob/master/LICENSE.md)
+file for details.
+
+## Authors
+
+- **Fanny Cheung** - [KissKissBankBank](https://github.com/KissKissBankBank)
+- **Sunny Ripert** - [KissKissBankBank](https://github.com/KissKissBankBank)
+
+## Acknowledgments
+
+Hat tip to [Rack::Attack](https://github.com/kickstarter/rack-attack) for the
+the name.

data/Rakefile

@@ -0,0 +1,14 @@
+# Bundler
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+# Rspec
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec
+# Rubocop
+require 'rubocop/rake_task'
+RuboCop::RakeTask.new(:rubocop)
+
+task default: %i[spec rubocop]

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require 'bundler/setup'
+require 'graph_attack'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require 'pry'
+# Pry.start
+
+require 'irb'
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/graph_attack.gemspec

@@ -0,0 +1,42 @@
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'graph_attack/version'
+
+Gem::Specification.new do |spec|
+  spec.name = 'graph_attack'
+  spec.version = GraphAttack::VERSION
+  spec.authors = ['Fanny Cheung', 'Sunny Ripert']
+  spec.email = ['fanny@ynote.hk', 'sunny@sunfox.org']
+
+  spec.summary = 'GraphQL analyser for blocking & throttling'
+  spec.description = 'GraphQL analyser for blocking & throttling'
+  spec.homepage = 'https://github.com/sunny/graph_attack'
+
+  spec.files = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir = 'exe'
+  spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  # This gem is an analyser for the GraphQL ruby gem.
+  spec.add_dependency 'graphql', '>= 1.7.9'
+
+  # A Redis-backed rate limiter.
+  spec.add_dependency 'ratelimit', '>= 1.0.3'
+
+  # Loads local dependencies.
+  spec.add_development_dependency 'bundler', '~> 1.15'
+
+  # Development tasks runner.
+  spec.add_development_dependency 'rake', '~> 10.0'
+
+  # Testing framework.
+  spec.add_development_dependency 'rspec', '~> 3.0'
+
+  # CircleCI dependency to store spec results.
+  spec.add_development_dependency 'rspec_junit_formatter', '~> 0.3'
+
+  # Ruby code linter.
+  spec.add_development_dependency 'rubocop', '~> 0.55'
+end

data/lib/graph_attack/metadata.rb

@@ -0,0 +1,4 @@
+# Add custom field metadata
+GraphQL::Field.accepts_definitions(
+  rate_limit: GraphQL::Define.assign_metadata_key(:rate_limit),
+)

data/lib/graph_attack/rate_limiter.rb

@@ -0,0 +1,89 @@
+module GraphAttack
+  # Query analyser you can add to your GraphQL schema to limit calls by IP.
+  #
+  #     ApplicationSchema = GraphQL::Schema.define do
+  #       query_analyzer GraphAttack::RateLimiter.new
+  #     end
+  #
+  class RateLimiter
+    class Error < StandardError; end
+    class RateLimited < GraphQL::AnalysisError; end
+
+    def initial_value(query)
+      {
+        ip: query.context[:ip],
+        query_rate_limits: [],
+      }
+    end
+
+    def call(memo, visit_type, irep_node)
+      if rate_limited_node?(visit_type, irep_node)
+        data = rate_limit_data(irep_node)
+
+        memo[:query_rate_limits].push(data)
+
+        increment_rate_limit(memo[:ip], data[:key])
+      end
+
+      memo
+    end
+
+    def final_value(memo)
+      handle_exceeded_calls_on_queries(memo)
+    end
+
+    private
+
+    def increment_rate_limit(ip, key)
+      raise Error, 'Missing :ip value on the GraphQL context' unless ip
+
+      rate_limit(ip).add(key)
+    end
+
+    def rate_limit_data(node)
+      data = node.definition.metadata[:rate_limit]
+
+      data.merge(
+        key: "graphql-query-#{node.name}",
+        query_name: node.name,
+      )
+    end
+
+    def handle_exceeded_calls_on_queries(memo)
+      rate_limited_queries = memo[:query_rate_limits].map do |limit_data|
+        next unless calls_exceeded_on_query?(memo[:ip], limit_data)
+
+        limit_data[:query_name]
+      end.compact
+
+      return unless rate_limited_queries.any?
+
+      queries = rate_limited_queries.join(', ')
+      RateLimited.new("Query rate limit exceeded on #{queries}")
+    end
+
+    def calls_exceeded_on_query?(ip, query_limit_data)
+      rate_limit(ip).exceeded?(
+        query_limit_data[:key],
+        threshold: query_limit_data[:threshold],
+        interval: query_limit_data[:interval],
+      )
+    end
+
+    def rate_limit(ip)
+      @rate_limit ||= {}
+      @rate_limit[ip] ||= Ratelimit.new(ip)
+    end
+
+    def rate_limited_node?(visit_type, node)
+      query_field_node?(node) &&
+        visit_type == :enter &&
+        node.definition.metadata[:rate_limit]
+    end
+
+    def query_field_node?(node)
+      node.owner_type.name == 'Query' &&
+        node.ast_node.is_a?(GraphQL::Language::Nodes::Field)
+    end
+  end
+end

data/lib/graph_attack/version.rb

@@ -0,0 +1,3 @@
+module GraphAttack
+  VERSION = '1.0.0'.freeze
+end

data/lib/graph_attack.rb

@@ -0,0 +1,7 @@
+require 'graphql'
+require 'ratelimit'
+require 'graphql/tracing'
+
+require 'graph_attack/version'
+require 'graph_attack/rate_limiter'
+require 'graph_attack/metadata'

metadata

@@ -0,0 +1,160 @@
+--- !ruby/object:Gem::Specification
+name: graph_attack
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Fanny Cheung
+- Sunny Ripert
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2018-09-07 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: graphql
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.7.9
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.7.9
+- !ruby/object:Gem::Dependency
+  name: ratelimit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.3
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.15'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.15'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rspec_junit_formatter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.3'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.55'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.55'
+description: GraphQL analyser for blocking & throttling
+email:
+- fanny@ynote.hk
+- sunny@sunfox.org
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".circleci/config.yml"
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".travis.yml"
+- CODE_OF_CONDUCT.md
+- Gemfile
+- LICENSE.md
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- graph_attack.gemspec
+- lib/graph_attack.rb
+- lib/graph_attack/metadata.rb
+- lib/graph_attack/rate_limiter.rb
+- lib/graph_attack/version.rb
+homepage: https://github.com/sunny/graph_attack
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.11
+signing_key: 
+specification_version: 4
+summary: GraphQL analyser for blocking & throttling
+test_files: []