rack-attack 4.3.1 → 5.4.2

data/spec/acceptance/customizing_blocked_response_spec.rb

@@ -0,0 +1,41 @@
+require_relative "../spec_helper"
+
+describe "Customizing block responses" do
+  before do
+    Rack::Attack.blocklist("block 1.2.3.4") do |request|
+      request.ip == "1.2.3.4"
+    end
+  end
+
+  it "can be customized" do
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 403, last_response.status
+
+    Rack::Attack.blocklisted_response = lambda do |_env|
+      [503, {}, ["Blocked"]]
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 503, last_response.status
+    assert_equal "Blocked", last_response.body
+  end
+
+  it "exposes match data" do
+    matched = nil
+    match_type = nil
+
+    Rack::Attack.blocklisted_response = lambda do |env|
+      matched = env['rack.attack.matched']
+      match_type = env['rack.attack.match_type']
+
+      [503, {}, ["Blocked"]]
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal "block 1.2.3.4", matched
+    assert_equal :blocklist, match_type
+  end
+end

data/spec/acceptance/customizing_throttled_response_spec.rb

@@ -0,0 +1,59 @@
+require_relative "../spec_helper"
+
+describe "Customizing throttled response" do
+  before do
+    Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+
+    Rack::Attack.throttle("by ip", limit: 1, period: 60) do |request|
+      request.ip
+    end
+  end
+
+  it "can be customized" do
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 200, last_response.status
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 429, last_response.status
+
+    Rack::Attack.throttled_response = lambda do |_env|
+      [503, {}, ["Throttled"]]
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 503, last_response.status
+    assert_equal "Throttled", last_response.body
+  end
+
+  it "exposes match data" do
+    matched = nil
+    match_type = nil
+    match_data = nil
+    match_discriminator = nil
+
+    Rack::Attack.throttled_response = lambda do |env|
+      matched = env['rack.attack.matched']
+      match_type = env['rack.attack.match_type']
+      match_data = env['rack.attack.match_data']
+      match_discriminator = env['rack.attack.match_discriminator']
+
+      [429, {}, ["Throttled"]]
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal "by ip", matched
+    assert_equal :throttle, match_type
+    assert_equal 60, match_data[:period]
+    assert_equal 1, match_data[:limit]
+    assert_equal 2, match_data[:count]
+    assert_equal "1.2.3.4", match_discriminator
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal 3, match_data[:count]
+  end
+end

data/spec/acceptance/extending_request_object_spec.rb

@@ -0,0 +1,34 @@
+require_relative "../spec_helper"
+
+describe "Extending the request object" do
+  before do
+    class Rack::Attack::Request
+      def authorized?
+        env["APIKey"] == "private-secret"
+      end
+    end
+
+    Rack::Attack.blocklist("unauthorized requests") do |request|
+      !request.authorized?
+    end
+  end
+
+  # We don't want the extension to leak to other test cases
+  after do
+    class Rack::Attack::Request
+      remove_method :authorized?
+    end
+  end
+
+  it "forbids request if blocklist condition is true" do
+    get "/"
+
+    assert_equal 403, last_response.status
+  end
+
+  it "succeeds if blocklist condition is false" do
+    get "/", {}, "APIKey" => "private-secret"
+
+    assert_equal 200, last_response.status
+  end
+end

data/spec/acceptance/fail2ban_spec.rb

@@ -0,0 +1,76 @@
+require_relative "../spec_helper"
+require "timecop"
+
+describe "fail2ban" do
+  before do
+    Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+
+    Rack::Attack.blocklist("fail2ban pentesters") do |request|
+      Rack::Attack::Fail2Ban.filter(request.ip, maxretry: 2, findtime: 30, bantime: 60) do
+        request.path.include?("private-place")
+      end
+    end
+  end
+
+  it "returns OK for many requests to non filtered path" do
+    get "/"
+    assert_equal 200, last_response.status
+
+    get "/"
+    assert_equal 200, last_response.status
+  end
+
+  it "forbids access to private path" do
+    get "/private-place"
+    assert_equal 403, last_response.status
+  end
+
+  it "returns OK for non filtered path if yet not reached maxretry limit" do
+    get "/private-place"
+    assert_equal 403, last_response.status
+
+    get "/"
+    assert_equal 200, last_response.status
+  end
+
+  it "forbids all access after reaching maxretry limit" do
+    get "/private-place"
+    assert_equal 403, last_response.status
+
+    get "/private-place"
+    assert_equal 403, last_response.status
+
+    get "/"
+    assert_equal 403, last_response.status
+  end
+
+  it "restores access after bantime elapsed" do
+    get "/private-place"
+    assert_equal 403, last_response.status
+
+    get "/private-place"
+    assert_equal 403, last_response.status
+
+    get "/"
+    assert_equal 403, last_response.status
+
+    Timecop.travel(60) do
+      get "/"
+
+      assert_equal 200, last_response.status
+    end
+  end
+
+  it "does not forbid all access if maxrety condition is met but not within the findtime timespan" do
+    get "/private-place"
+    assert_equal 403, last_response.status
+
+    Timecop.travel(31) do
+      get "/private-place"
+      assert_equal 403, last_response.status
+
+      get "/"
+      assert_equal 200, last_response.status
+    end
+  end
+end

data/spec/acceptance/safelisting_ip_spec.rb

@@ -0,0 +1,48 @@
+require_relative "../spec_helper"
+
+describe "Safelist an IP" do
+  before do
+    Rack::Attack.blocklist("admin") do |request|
+      request.path == "/admin"
+    end
+
+    Rack::Attack.safelist_ip("5.6.7.8")
+  end
+
+  it "forbids request if blocklist condition is true and safelist is false" do
+    get "/admin", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 403, last_response.status
+  end
+
+  it "succeeds if blocklist condition is false and safelist is false" do
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 200, last_response.status
+  end
+
+  it "succeeds request if blocklist condition is false and safelist is true" do
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    assert_equal 200, last_response.status
+  end
+
+  it "succeeds request if both blocklist and safelist conditions are true" do
+    get "/admin", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    assert_equal 200, last_response.status
+  end
+
+  it "notifies when the request is safe" do
+    notification_type = nil
+
+    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, request|
+      notification_type = request.env["rack.attack.match_type"]
+    end
+
+    get "/admin", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    assert_equal 200, last_response.status
+    assert_equal :safelist, notification_type
+  end
+end

data/spec/acceptance/safelisting_spec.rb

@@ -0,0 +1,53 @@
+require_relative "../spec_helper"
+
+describe "#safelist" do
+  before do
+    Rack::Attack.blocklist("block 1.2.3.4") do |request|
+      request.ip == "1.2.3.4"
+    end
+
+    Rack::Attack.safelist("safe path") do |request|
+      request.path == "/safe_space"
+    end
+  end
+
+  it "forbids request if blocklist condition is true and safelist is false" do
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 403, last_response.status
+  end
+
+  it "succeeds if blocklist condition is false and safelist is false" do
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    assert_equal 200, last_response.status
+  end
+
+  it "succeeds request if blocklist condition is false and safelist is true" do
+    get "/safe_space", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    assert_equal 200, last_response.status
+  end
+
+  it "succeeds request if both blocklist and safelist conditions are true" do
+    get "/safe_space", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 200, last_response.status
+  end
+
+  it "notifies when the request is safe" do
+    notification_matched = nil
+    notification_type = nil
+
+    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, request|
+      notification_matched = request.env["rack.attack.matched"]
+      notification_type = request.env["rack.attack.match_type"]
+    end
+
+    get "/safe_space", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 200, last_response.status
+    assert_equal "safe path", notification_matched
+    assert_equal :safelist, notification_type
+  end
+end

data/spec/acceptance/safelisting_subnet_spec.rb

@@ -0,0 +1,48 @@
+require_relative "../spec_helper"
+
+describe "Safelisting an IP subnet" do
+  before do
+    Rack::Attack.blocklist("admin") do |request|
+      request.path == "/admin"
+    end
+
+    Rack::Attack.safelist_ip("5.6.0.0/16")
+  end
+
+  it "forbids request if blocklist condition is true and safelist is false" do
+    get "/admin", {}, "REMOTE_ADDR" => "5.7.0.0"
+
+    assert_equal 403, last_response.status
+  end
+
+  it "succeeds if blocklist condition is false and safelist is false" do
+    get "/", {}, "REMOTE_ADDR" => "5.7.0.0"
+
+    assert_equal 200, last_response.status
+  end
+
+  it "succeeds request if blocklist condition is false and safelist is true" do
+    get "/", {}, "REMOTE_ADDR" => "5.6.0.0"
+
+    assert_equal 200, last_response.status
+  end
+
+  it "succeeds request if both blocklist and safelist conditions are true" do
+    get "/admin", {}, "REMOTE_ADDR" => "5.6.255.255"
+
+    assert_equal 200, last_response.status
+  end
+
+  it "notifies when the request is safe" do
+    notification_type = nil
+
+    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, request|
+      notification_type = request.env["rack.attack.match_type"]
+    end
+
+    get "/admin", {}, "REMOTE_ADDR" => "5.6.0.0"
+
+    assert_equal 200, last_response.status
+    assert_equal :safelist, notification_type
+  end
+end

data/spec/acceptance/stores/active_support_dalli_store_spec.rb

@@ -0,0 +1,19 @@
+require_relative "../../spec_helper"
+
+if defined?(::Dalli)
+  require_relative "../../support/cache_store_helper"
+  require "active_support/cache/dalli_store"
+  require "timecop"
+
+  describe "ActiveSupport::Cache::DalliStore as a cache backend" do
+    before do
+      Rack::Attack.cache.store = ActiveSupport::Cache::DalliStore.new
+    end
+
+    after do
+      Rack::Attack.cache.store.clear
+    end
+
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.fetch(key) })
+  end
+end

data/spec/acceptance/stores/active_support_mem_cache_store_pooled_spec.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require_relative "../../spec_helper"
+
+if defined?(::ConnectionPool) && defined?(::Dalli)
+  require_relative "../../support/cache_store_helper"
+  require "timecop"
+
+  describe "ActiveSupport::Cache::MemCacheStore (pooled) as a cache backend" do
+    before do
+      Rack::Attack.cache.store = ActiveSupport::Cache::MemCacheStore.new(pool_size: 2)
+    end
+
+    after do
+      Rack::Attack.cache.store.clear
+    end
+
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) {
+      Rack::Attack.cache.store.read(key)
+    })
+  end
+end

data/spec/acceptance/stores/active_support_mem_cache_store_spec.rb

@@ -0,0 +1,18 @@
+require_relative "../../spec_helper"
+
+if defined?(::Dalli)
+  require_relative "../../support/cache_store_helper"
+  require "timecop"
+
+  describe "ActiveSupport::Cache::MemCacheStore as a cache backend" do
+    before do
+      Rack::Attack.cache.store = ActiveSupport::Cache::MemCacheStore.new
+    end
+
+    after do
+      Rack::Attack.cache.store.clear
+    end
+
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.read(key) })
+  end
+end

data/spec/acceptance/stores/active_support_memory_store_spec.rb

@@ -0,0 +1,16 @@
+require_relative "../../spec_helper"
+require_relative "../../support/cache_store_helper"
+
+require "timecop"
+
+describe "ActiveSupport::Cache::MemoryStore as a cache backend" do
+  before do
+    Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+  end
+
+  after do
+    Rack::Attack.cache.store.clear
+  end
+
+  it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.fetch(key) })
+end