rack-attack 5.0.1 → 5.4.2

data/spec/acceptance/stores/redis_spec.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require_relative "../../spec_helper"
+
+if defined?(::Redis)
+  require_relative "../../support/cache_store_helper"
+  require "timecop"
+
+  describe "Plain redis as a cache backend" do
+    before do
+      Rack::Attack.cache.store = Redis.new
+    end
+
+    after do
+      Rack::Attack.cache.store.flushdb
+    end
+
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.get(key) })
+  end
+end

data/spec/acceptance/stores/redis_store_spec.rb

@@ -0,0 +1,18 @@
+require_relative "../../spec_helper"
+require_relative "../../support/cache_store_helper"
+
+if defined?(::Redis::Store)
+  require "timecop"
+
+  describe "ActiveSupport::Cache::RedisStore as a cache backend" do
+    before do
+      Rack::Attack.cache.store = ::Redis::Store.new
+    end
+
+    after do
+      Rack::Attack.cache.store.flushdb
+    end
+
+    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.read(key) })
+  end
+end

data/spec/acceptance/throttling_spec.rb

@@ -0,0 +1,159 @@
+require_relative "../spec_helper"
+require "timecop"
+
+describe "#throttle" do
+  before do
+    Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+  end
+
+  it "allows one request per minute by IP" do
+    Rack::Attack.throttle("by ip", limit: 1, period: 60) do |request|
+      request.ip
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 200, last_response.status
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 429, last_response.status
+    assert_equal "60", last_response.headers["Retry-After"]
+    assert_equal "Retry later\n", last_response.body
+
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    assert_equal 200, last_response.status
+
+    Timecop.travel(60) do
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+      assert_equal 200, last_response.status
+    end
+  end
+
+  it "supports limit to be dynamic" do
+    # Could be used to have different rate limits for authorized
+    # vs general requests
+    limit_proc = lambda do |request|
+      if request.env["X-APIKey"] == "private-secret"
+        2
+      else
+        1
+      end
+    end
+
+    Rack::Attack.throttle("by ip", limit: limit_proc, period: 60) do |request|
+      request.ip
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal 200, last_response.status
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal 429, last_response.status
+
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8", "X-APIKey" => "private-secret"
+    assert_equal 200, last_response.status
+
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8", "X-APIKey" => "private-secret"
+    assert_equal 200, last_response.status
+
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8", "X-APIKey" => "private-secret"
+    assert_equal 429, last_response.status
+  end
+
+  it "supports period to be dynamic" do
+    # Could be used to have different rate limits for authorized
+    # vs general requests
+    period_proc = lambda do |request|
+      if request.env["X-APIKey"] == "private-secret"
+        10
+      else
+        30
+      end
+    end
+
+    Rack::Attack.throttle("by ip", limit: 1, period: period_proc) do |request|
+      request.ip
+    end
+
+    # Using Time#at to align to start/end of periods exactly
+    # to achieve consistenty in different test runs
+
+    Timecop.travel(Time.at(0)) do
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+      assert_equal 200, last_response.status
+
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+      assert_equal 429, last_response.status
+    end
+
+    Timecop.travel(Time.at(10)) do
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+      assert_equal 429, last_response.status
+    end
+
+    Timecop.travel(Time.at(30)) do
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+      assert_equal 200, last_response.status
+    end
+
+    Timecop.travel(Time.at(0)) do
+      get "/", {}, "REMOTE_ADDR" => "5.6.7.8", "X-APIKey" => "private-secret"
+      assert_equal 200, last_response.status
+
+      get "/", {}, "REMOTE_ADDR" => "5.6.7.8", "X-APIKey" => "private-secret"
+      assert_equal 429, last_response.status
+    end
+
+    Timecop.travel(Time.at(10)) do
+      get "/", {}, "REMOTE_ADDR" => "5.6.7.8", "X-APIKey" => "private-secret"
+      assert_equal 200, last_response.status
+    end
+  end
+
+  it "notifies when the request is throttled" do
+    Rack::Attack.throttle("by ip", limit: 1, period: 60) do |request|
+      request.ip
+    end
+
+    notification_matched = nil
+    notification_type = nil
+    notification_data = nil
+    notification_discriminator = nil
+
+    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, request|
+      notification_matched = request.env["rack.attack.matched"]
+      notification_type = request.env["rack.attack.match_type"]
+      notification_data = request.env['rack.attack.match_data']
+      notification_discriminator = request.env['rack.attack.match_discriminator']
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    assert_equal 200, last_response.status
+    assert_nil notification_matched
+    assert_nil notification_type
+    assert_nil notification_data
+    assert_nil notification_discriminator
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 200, last_response.status
+    assert_nil notification_matched
+    assert_nil notification_type
+    assert_nil notification_data
+    assert_nil notification_discriminator
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 429, last_response.status
+    assert_equal "by ip", notification_matched
+    assert_equal :throttle, notification_type
+    assert_equal 60, notification_data[:period]
+    assert_equal 1, notification_data[:limit]
+    assert_equal 2, notification_data[:count]
+    assert_equal "1.2.3.4", notification_discriminator
+  end
+end

data/spec/acceptance/track_spec.rb

@@ -0,0 +1,27 @@
+require_relative "../spec_helper"
+
+describe "#track" do
+  it "notifies when track block returns true" do
+    Rack::Attack.track("ip 1.2.3.4") do |request|
+      request.ip == "1.2.3.4"
+    end
+
+    notification_matched = nil
+    notification_type = nil
+
+    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, request|
+      notification_matched = request.env["rack.attack.matched"]
+      notification_type = request.env["rack.attack.match_type"]
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    assert_nil notification_matched
+    assert_nil notification_type
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal "ip 1.2.3.4", notification_matched
+    assert_equal :track, notification_type
+  end
+end

data/spec/acceptance/track_throttle_spec.rb

@@ -0,0 +1,53 @@
+require_relative "../spec_helper"
+require "timecop"
+
+describe "#track with throttle-ish options" do
+  it "notifies when throttle goes over the limit without actually throttling requests" do
+    Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+
+    Rack::Attack.track("by ip", limit: 1, period: 60) do |request|
+      request.ip
+    end
+
+    notification_matched = nil
+    notification_type = nil
+
+    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, request|
+      notification_matched = request.env["rack.attack.matched"]
+      notification_type = request.env["rack.attack.match_type"]
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_nil notification_matched
+    assert_nil notification_type
+
+    assert_equal 200, last_response.status
+
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    assert_nil notification_matched
+    assert_nil notification_type
+
+    assert_equal 200, last_response.status
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal "by ip", notification_matched
+    assert_equal :track, notification_type
+
+    assert_equal 200, last_response.status
+
+    Timecop.travel(60) do
+      notification_matched = nil
+      notification_type = nil
+
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+      assert_nil notification_matched
+      assert_nil notification_type
+
+      assert_equal 200, last_response.status
+    end
+  end
+end

data/spec/allow2ban_spec.rb

@@ -1,4 +1,5 @@
 require_relative 'spec_helper'
+
 describe 'Rack::Attack.Allow2Ban' do
   before do
     # Use a long findtime; failures due to cache key rotation less likely
@@ -6,9 +7,10 @@ describe 'Rack::Attack.Allow2Ban' do
     @findtime = 60
     @bantime  = 60
     Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
-    @f2b_options = {:bantime => @bantime, :findtime => @findtime, :maxretry => 2}
+    @f2b_options = { :bantime => @bantime, :findtime => @findtime, :maxretry => 2 }
+
     Rack::Attack.blocklist('pentest') do |req|
-      Rack::Attack::Allow2Ban.filter(req.ip, @f2b_options){req.query_string =~ /OMGHAX/}
+      Rack::Attack::Allow2Ban.filter(req.ip, @f2b_options) { req.query_string =~ /OMGHAX/ }
     end
   end
 
@@ -23,12 +25,13 @@ describe 'Rack::Attack.Allow2Ban' do
     describe 'making qualifying request' do
       describe 'when not at maxretry' do
         before { get '/?foo=OMGHAX', {}, 'REMOTE_ADDR' => '1.2.3.4' }
+
         it 'succeeds' do
           last_response.status.must_equal 200
         end
 
         it 'increases fail count' do
-          key = "rack::attack:#{Time.now.to_i/@findtime}:allow2ban:count:1.2.3.4"
+          key = "rack::attack:#{Time.now.to_i / @findtime}:allow2ban:count:1.2.3.4"
           @cache.store.read(key).must_equal 1
         end
 
@@ -50,7 +53,7 @@ describe 'Rack::Attack.Allow2Ban' do
         end
 
         it 'increases fail count' do
-          key = "rack::attack:#{Time.now.to_i/@findtime}:allow2ban:count:1.2.3.4"
+          key = "rack::attack:#{Time.now.to_i / @findtime}:allow2ban:count:1.2.3.4"
           @cache.store.read(key).must_equal 2
         end
 
@@ -58,7 +61,6 @@ describe 'Rack::Attack.Allow2Ban' do
           key = "rack::attack:allow2ban:ban:1.2.3.4"
           @cache.store.read(key).must_equal 1
         end
-
       end
     end
   end
@@ -87,7 +89,7 @@ describe 'Rack::Attack.Allow2Ban' do
       end
 
       it 'does not increase fail count' do
-        key = "rack::attack:#{Time.now.to_i/@findtime}:allow2ban:count:1.2.3.4"
+        key = "rack::attack:#{Time.now.to_i / @findtime}:allow2ban:count:1.2.3.4"
         @cache.store.read(key).must_equal 2
       end
 
@@ -107,7 +109,7 @@ describe 'Rack::Attack.Allow2Ban' do
       end
 
       it 'does not increase fail count' do
-        key = "rack::attack:#{Time.now.to_i/@findtime}:allow2ban:count:1.2.3.4"
+        key = "rack::attack:#{Time.now.to_i / @findtime}:allow2ban:count:1.2.3.4"
         @cache.store.read(key).must_equal 2
       end
 
@@ -116,6 +118,5 @@ describe 'Rack::Attack.Allow2Ban' do
         @cache.store.read(key).must_equal 1
       end
     end
-
   end
 end

data/spec/fail2ban_spec.rb

@@ -1,4 +1,5 @@
 require_relative 'spec_helper'
+
 describe 'Rack::Attack.Fail2Ban' do
   before do
     # Use a long findtime; failures due to cache key rotation less likely
@@ -6,9 +7,10 @@ describe 'Rack::Attack.Fail2Ban' do
     @findtime = 60
     @bantime  = 60
     Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
-    @f2b_options = {:bantime => @bantime, :findtime => @findtime, :maxretry => 2}
+    @f2b_options = { :bantime => @bantime, :findtime => @findtime, :maxretry => 2 }
+
     Rack::Attack.blocklist('pentest') do |req|
-      Rack::Attack::Fail2Ban.filter(req.ip, @f2b_options){req.query_string =~ /OMGHAX/}
+      Rack::Attack::Fail2Ban.filter(req.ip, @f2b_options) { req.query_string =~ /OMGHAX/ }
     end
   end
 
@@ -23,12 +25,13 @@ describe 'Rack::Attack.Fail2Ban' do
     describe 'making failing request' do
       describe 'when not at maxretry' do
         before { get '/?foo=OMGHAX', {}, 'REMOTE_ADDR' => '1.2.3.4' }
+
         it 'fails' do
           last_response.status.must_equal 403
         end
 
         it 'increases fail count' do
-          key = "rack::attack:#{Time.now.to_i/@findtime}:fail2ban:count:1.2.3.4"
+          key = "rack::attack:#{Time.now.to_i / @findtime}:fail2ban:count:1.2.3.4"
           @cache.store.read(key).must_equal 1
         end
 
@@ -50,7 +53,7 @@ describe 'Rack::Attack.Fail2Ban' do
         end
 
         it 'increases fail count' do
-          key = "rack::attack:#{Time.now.to_i/@findtime}:fail2ban:count:1.2.3.4"
+          key = "rack::attack:#{Time.now.to_i / @findtime}:fail2ban:count:1.2.3.4"
           @cache.store.read(key).must_equal 2
         end
 
@@ -72,8 +75,8 @@ describe 'Rack::Attack.Fail2Ban' do
         end
 
         it 'resets fail count' do
-          key = "rack::attack:#{Time.now.to_i/@findtime}:fail2ban:count:1.2.3.4"
-          @cache.store.read(key).must_equal nil
+          key = "rack::attack:#{Time.now.to_i / @findtime}:fail2ban:count:1.2.3.4"
+          assert_nil @cache.store.read(key)
         end
 
         it 'IP is not banned' do
@@ -107,7 +110,7 @@ describe 'Rack::Attack.Fail2Ban' do
       end
 
       it 'does not increase fail count' do
-        key = "rack::attack:#{Time.now.to_i/@findtime}:fail2ban:count:1.2.3.4"
+        key = "rack::attack:#{Time.now.to_i / @findtime}:fail2ban:count:1.2.3.4"
         @cache.store.read(key).must_equal 2
       end
 
@@ -127,7 +130,7 @@ describe 'Rack::Attack.Fail2Ban' do
       end
 
       it 'does not increase fail count' do
-        key = "rack::attack:#{Time.now.to_i/@findtime}:fail2ban:count:1.2.3.4"
+        key = "rack::attack:#{Time.now.to_i / @findtime}:fail2ban:count:1.2.3.4"
         @cache.store.read(key).must_equal 2
       end
 
@@ -136,6 +139,5 @@ describe 'Rack::Attack.Fail2Ban' do
         @cache.store.read(key).must_equal 1
       end
     end
-
   end
 end

data/spec/integration/offline_spec.rb

@@ -1,10 +1,7 @@
 require 'active_support/cache'
-require 'redis-activesupport'
-require 'dalli'
 require_relative '../spec_helper'
 
 OfflineExamples = Minitest::SharedExamples.new do
-
   it 'should write' do
     @cache.write('cache-test-key', 'foobar', 1)
   end
@@ -16,32 +13,33 @@ OfflineExamples = Minitest::SharedExamples.new do
   it 'should count' do
     @cache.send(:do_count, 'rack::attack::cache-test-key', 1)
   end
-
 end
 
-describe 'when Redis is offline' do
-  include OfflineExamples
-
-  before {
-    @cache = Rack::Attack::Cache.new
-    # Use presumably unused port for Redis client
-    @cache.store = ActiveSupport::Cache::RedisStore.new(:host => '127.0.0.1', :port => 3333)
-  }
+if defined?(::ActiveSupport::Cache::RedisStore)
+  describe 'when Redis is offline' do
+    include OfflineExamples
 
+    before do
+      @cache = Rack::Attack::Cache.new
+      # Use presumably unused port for Redis client
+      @cache.store = ActiveSupport::Cache::RedisStore.new(:host => '127.0.0.1', :port => 3333)
+    end
+  end
 end
 
-describe 'when Memcached is offline' do
-  include OfflineExamples
-
-  before {
-    Dalli.logger.level = Logger::FATAL
+if defined?(::Dalli)
+  describe 'when Memcached is offline' do
+    include OfflineExamples
 
-    @cache = Rack::Attack::Cache.new
-    @cache.store = Dalli::Client.new('127.0.0.1:22122')
-  }
+    before do
+      Dalli.logger.level = Logger::FATAL
 
-  after {
-    Dalli.logger.level = Logger::INFO
-  }
+      @cache = Rack::Attack::Cache.new
+      @cache.store = Dalli::Client.new('127.0.0.1:22122')
+    end
 
+    after do
+      Dalli.logger.level = Logger::INFO
+    end
+  end
 end