rack-attack 4.3.1 → 5.4.2

data/spec/acceptance/stores/active_support_redis_cache_store_pooled_spec.rb

@@ -0,0 +1,18 @@
+require_relative "../../spec_helper"
+
+if defined?(::ConnectionPool) && defined?(::Redis) && Gem::Version.new(::Redis::VERSION) >= Gem::Version.new("4") && defined?(::ActiveSupport::Cache::RedisCacheStore)
+  require_relative "../../support/cache_store_helper"
+  require "timecop"
+
+  describe "ActiveSupport::Cache::RedisCacheStore (pooled) as a cache backend" do
+    before do
+      Rack::Attack.cache.store = ActiveSupport::Cache::RedisCacheStore.new(pool_size: 2)
+    end
+
+    after do
+      Rack::Attack.cache.store.clear
+    end
+
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.fetch(key) })
+  end
+end

data/spec/acceptance/stores/active_support_redis_cache_store_spec.rb

@@ -0,0 +1,18 @@
+require_relative "../../spec_helper"
+
+if defined?(::Redis) && Gem::Version.new(::Redis::VERSION) >= Gem::Version.new("4") && defined?(::ActiveSupport::Cache::RedisCacheStore)
+  require_relative "../../support/cache_store_helper"
+  require "timecop"
+
+  describe "ActiveSupport::Cache::RedisCacheStore as a cache backend" do
+    before do
+      Rack::Attack.cache.store = ActiveSupport::Cache::RedisCacheStore.new
+    end
+
+    after do
+      Rack::Attack.cache.store.clear
+    end
+
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.fetch(key) })
+  end
+end

data/spec/acceptance/stores/active_support_redis_store_spec.rb

@@ -0,0 +1,18 @@
+require_relative "../../spec_helper"
+
+if defined?(::ActiveSupport::Cache::RedisStore)
+  require_relative "../../support/cache_store_helper"
+  require "timecop"
+
+  describe "ActiveSupport::Cache::RedisStore as a cache backend" do
+    before do
+      Rack::Attack.cache.store = ActiveSupport::Cache::RedisStore.new
+    end
+
+    after do
+      Rack::Attack.cache.store.flushdb
+    end
+
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.read(key) })
+  end
+end

data/spec/acceptance/stores/connection_pool_dalli_client_spec.rb

@@ -0,0 +1,22 @@
+require_relative "../../spec_helper"
+
+if defined?(::Dalli) && defined?(::ConnectionPool)
+  require_relative "../../support/cache_store_helper"
+  require "connection_pool"
+  require "dalli"
+  require "timecop"
+
+  describe "ConnectionPool with Dalli::Client as a cache backend" do
+    before do
+      Rack::Attack.cache.store = ConnectionPool.new { Dalli::Client.new }
+    end
+
+    after do
+      Rack::Attack.cache.store.with { |client| client.flush_all }
+    end
+
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) {
+      Rack::Attack.cache.store.with { |client| client.fetch(key) }
+    })
+  end
+end

data/spec/acceptance/stores/dalli_client_spec.rb

@@ -0,0 +1,19 @@
+require_relative "../../spec_helper"
+
+if defined?(::Dalli)
+  require_relative "../../support/cache_store_helper"
+  require "dalli"
+  require "timecop"
+
+  describe "Dalli::Client as a cache backend" do
+    before do
+      Rack::Attack.cache.store = Dalli::Client.new
+    end
+
+    after do
+      Rack::Attack.cache.store.flush_all
+    end
+
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.fetch(key) })
+  end
+end

data/spec/acceptance/stores/redis_spec.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require_relative "../../spec_helper"
+
+if defined?(::Redis)
+  require_relative "../../support/cache_store_helper"
+  require "timecop"
+
+  describe "Plain redis as a cache backend" do
+    before do
+      Rack::Attack.cache.store = Redis.new
+    end
+
+    after do
+      Rack::Attack.cache.store.flushdb
+    end
+
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.get(key) })
+  end
+end

data/spec/acceptance/stores/redis_store_spec.rb

@@ -0,0 +1,18 @@
+require_relative "../../spec_helper"
+require_relative "../../support/cache_store_helper"
+
+if defined?(::Redis::Store)
+  require "timecop"
+
+  describe "ActiveSupport::Cache::RedisStore as a cache backend" do
+    before do
+      Rack::Attack.cache.store = ::Redis::Store.new
+    end
+
+    after do
+      Rack::Attack.cache.store.flushdb
+    end
+
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.read(key) })
+  end
+end

data/spec/acceptance/throttling_spec.rb

@@ -0,0 +1,159 @@
+require_relative "../spec_helper"
+require "timecop"
+
+describe "#throttle" do
+  before do
+    Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+  end
+
+  it "allows one request per minute by IP" do
+    Rack::Attack.throttle("by ip", limit: 1, period: 60) do |request|
+      request.ip
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 200, last_response.status
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 429, last_response.status
+    assert_equal "60", last_response.headers["Retry-After"]
+    assert_equal "Retry later\n", last_response.body
+
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    assert_equal 200, last_response.status
+
+    Timecop.travel(60) do
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+      assert_equal 200, last_response.status
+    end
+  end
+
+  it "supports limit to be dynamic" do
+    # Could be used to have different rate limits for authorized
+    # vs general requests
+    limit_proc = lambda do |request|
+      if request.env["X-APIKey"] == "private-secret"
+        2
+      else
+        1
+      end
+    end
+
+    Rack::Attack.throttle("by ip", limit: limit_proc, period: 60) do |request|
+      request.ip
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal 200, last_response.status
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal 429, last_response.status
+
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8", "X-APIKey" => "private-secret"
+    assert_equal 200, last_response.status
+
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8", "X-APIKey" => "private-secret"
+    assert_equal 200, last_response.status
+
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8", "X-APIKey" => "private-secret"
+    assert_equal 429, last_response.status
+  end
+
+  it "supports period to be dynamic" do
+    # Could be used to have different rate limits for authorized
+    # vs general requests
+    period_proc = lambda do |request|
+      if request.env["X-APIKey"] == "private-secret"
+        10
+      else
+        30
+      end
+    end
+
+    Rack::Attack.throttle("by ip", limit: 1, period: period_proc) do |request|
+      request.ip
+    end
+
+    # Using Time#at to align to start/end of periods exactly
+    # to achieve consistenty in different test runs
+
+    Timecop.travel(Time.at(0)) do
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+      assert_equal 200, last_response.status
+
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+      assert_equal 429, last_response.status
+    end
+
+    Timecop.travel(Time.at(10)) do
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+      assert_equal 429, last_response.status
+    end
+
+    Timecop.travel(Time.at(30)) do
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+      assert_equal 200, last_response.status
+    end
+
+    Timecop.travel(Time.at(0)) do
+      get "/", {}, "REMOTE_ADDR" => "5.6.7.8", "X-APIKey" => "private-secret"
+      assert_equal 200, last_response.status
+
+      get "/", {}, "REMOTE_ADDR" => "5.6.7.8", "X-APIKey" => "private-secret"
+      assert_equal 429, last_response.status
+    end
+
+    Timecop.travel(Time.at(10)) do
+      get "/", {}, "REMOTE_ADDR" => "5.6.7.8", "X-APIKey" => "private-secret"
+      assert_equal 200, last_response.status
+    end
+  end
+
+  it "notifies when the request is throttled" do
+    Rack::Attack.throttle("by ip", limit: 1, period: 60) do |request|
+      request.ip
+    end
+
+    notification_matched = nil
+    notification_type = nil
+    notification_data = nil
+    notification_discriminator = nil
+
+    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, request|
+      notification_matched = request.env["rack.attack.matched"]
+      notification_type = request.env["rack.attack.match_type"]
+      notification_data = request.env['rack.attack.match_data']
+      notification_discriminator = request.env['rack.attack.match_discriminator']
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    assert_equal 200, last_response.status
+    assert_nil notification_matched
+    assert_nil notification_type
+    assert_nil notification_data
+    assert_nil notification_discriminator
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 200, last_response.status
+    assert_nil notification_matched
+    assert_nil notification_type
+    assert_nil notification_data
+    assert_nil notification_discriminator
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 429, last_response.status
+    assert_equal "by ip", notification_matched
+    assert_equal :throttle, notification_type
+    assert_equal 60, notification_data[:period]
+    assert_equal 1, notification_data[:limit]
+    assert_equal 2, notification_data[:count]
+    assert_equal "1.2.3.4", notification_discriminator
+  end
+end

data/spec/acceptance/track_spec.rb

@@ -0,0 +1,27 @@
+require_relative "../spec_helper"
+
+describe "#track" do
+  it "notifies when track block returns true" do
+    Rack::Attack.track("ip 1.2.3.4") do |request|
+      request.ip == "1.2.3.4"
+    end
+
+    notification_matched = nil
+    notification_type = nil
+
+    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, request|
+      notification_matched = request.env["rack.attack.matched"]
+      notification_type = request.env["rack.attack.match_type"]
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    assert_nil notification_matched
+    assert_nil notification_type
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal "ip 1.2.3.4", notification_matched
+    assert_equal :track, notification_type
+  end
+end

data/spec/acceptance/track_throttle_spec.rb

@@ -0,0 +1,53 @@
+require_relative "../spec_helper"
+require "timecop"
+
+describe "#track with throttle-ish options" do
+  it "notifies when throttle goes over the limit without actually throttling requests" do
+    Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+
+    Rack::Attack.track("by ip", limit: 1, period: 60) do |request|
+      request.ip
+    end
+
+    notification_matched = nil
+    notification_type = nil
+
+    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, request|
+      notification_matched = request.env["rack.attack.matched"]
+      notification_type = request.env["rack.attack.match_type"]
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_nil notification_matched
+    assert_nil notification_type
+
+    assert_equal 200, last_response.status
+
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    assert_nil notification_matched
+    assert_nil notification_type
+
+    assert_equal 200, last_response.status
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal "by ip", notification_matched
+    assert_equal :track, notification_type
+
+    assert_equal 200, last_response.status
+
+    Timecop.travel(60) do
+      notification_matched = nil
+      notification_type = nil
+
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+      assert_nil notification_matched
+      assert_nil notification_type
+
+      assert_equal 200, last_response.status
+    end
+  end
+end

data/spec/allow2ban_spec.rb

@@ -1,4 +1,5 @@
 require_relative 'spec_helper'
+
 describe 'Rack::Attack.Allow2Ban' do
   before do
     # Use a long findtime; failures due to cache key rotation less likely
@@ -6,9 +7,10 @@ describe 'Rack::Attack.Allow2Ban' do
     @findtime = 60
     @bantime  = 60
     Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
-    @f2b_options = {:bantime => @bantime, :findtime => @findtime, :maxretry => 2}
-    Rack::Attack.blacklist('pentest') do |req|
-      Rack::Attack::Allow2Ban.filter(req.ip, @f2b_options){req.query_string =~ /OMGHAX/}
+    @f2b_options = { :bantime => @bantime, :findtime => @findtime, :maxretry => 2 }
+
+    Rack::Attack.blocklist('pentest') do |req|
+      Rack::Attack::Allow2Ban.filter(req.ip, @f2b_options) { req.query_string =~ /OMGHAX/ }
     end
   end
 
@@ -23,12 +25,13 @@ describe 'Rack::Attack.Allow2Ban' do
     describe 'making qualifying request' do
       describe 'when not at maxretry' do
         before { get '/?foo=OMGHAX', {}, 'REMOTE_ADDR' => '1.2.3.4' }
+
         it 'succeeds' do
           last_response.status.must_equal 200
         end
 
         it 'increases fail count' do
-          key = "rack::attack:#{Time.now.to_i/@findtime}:allow2ban:count:1.2.3.4"
+          key = "rack::attack:#{Time.now.to_i / @findtime}:allow2ban:count:1.2.3.4"
           @cache.store.read(key).must_equal 1
         end
 
@@ -50,7 +53,7 @@ describe 'Rack::Attack.Allow2Ban' do
         end
 
         it 'increases fail count' do
-          key = "rack::attack:#{Time.now.to_i/@findtime}:allow2ban:count:1.2.3.4"
+          key = "rack::attack:#{Time.now.to_i / @findtime}:allow2ban:count:1.2.3.4"
           @cache.store.read(key).must_equal 2
         end
 
@@ -58,7 +61,6 @@ describe 'Rack::Attack.Allow2Ban' do
           key = "rack::attack:allow2ban:ban:1.2.3.4"
           @cache.store.read(key).must_equal 1
         end
-
       end
     end
   end
@@ -87,7 +89,7 @@ describe 'Rack::Attack.Allow2Ban' do
       end
 
       it 'does not increase fail count' do
-        key = "rack::attack:#{Time.now.to_i/@findtime}:allow2ban:count:1.2.3.4"
+        key = "rack::attack:#{Time.now.to_i / @findtime}:allow2ban:count:1.2.3.4"
         @cache.store.read(key).must_equal 2
       end
 
@@ -107,7 +109,7 @@ describe 'Rack::Attack.Allow2Ban' do
       end
 
       it 'does not increase fail count' do
-        key = "rack::attack:#{Time.now.to_i/@findtime}:allow2ban:count:1.2.3.4"
+        key = "rack::attack:#{Time.now.to_i / @findtime}:allow2ban:count:1.2.3.4"
         @cache.store.read(key).must_equal 2
       end
 
@@ -116,6 +118,5 @@ describe 'Rack::Attack.Allow2Ban' do
         @cache.store.read(key).must_equal 1
       end
     end
-
   end
 end