rack-attack 5.1.0 → 5.2.0

data/spec/acceptance/cache_store_config_for_throttle_spec.rb

@@ -0,0 +1,48 @@
+require_relative "../spec_helper"
+
+describe "Cache store config when throttling without Rails" do
+  before do
+    Rack::Attack.throttle("by ip", limit: 1, period: 60) do |request|
+      request.ip
+    end
+  end
+
+  it "gives semantic error if no store was configured" do
+    assert_raises(Rack::Attack::MissingStoreError) do
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    end
+  end
+
+  it "gives semantic error if incompatible store was configured" do
+    Rack::Attack.cache.store = Object.new
+
+    assert_raises(Rack::Attack::MisconfiguredStoreError) do
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    end
+  end
+
+  it "works with any object that responds to #increment" do
+    basic_store_class = Class.new do
+      attr_accessor :counts
+
+      def initialize
+        @counts = {}
+      end
+
+      def increment(key, count, options)
+        @counts[key] ||= 0
+        @counts[key] += 1
+      end
+    end
+
+    Rack::Attack.cache.store = basic_store_class.new
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 200, last_response.status
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 429, last_response.status
+  end
+end

data/spec/acceptance/cache_store_config_with_rails_spec.rb

@@ -0,0 +1,31 @@
+require_relative "../spec_helper"
+require "minitest/stub_const"
+require "ostruct"
+
+describe "Cache store config with Rails" do
+  before do
+    Rack::Attack.throttle("by ip", limit: 1, period: 60) do |request|
+      request.ip
+    end
+  end
+
+  it "fails when Rails.cache is not set" do
+    Object.stub_const(:Rails, OpenStruct.new(cache: nil)) do
+      assert_raises(Rack::Attack::MissingStoreError) do
+        get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+      end
+    end
+  end
+
+  it "works when Rails.cache is set" do
+    Object.stub_const(:Rails, OpenStruct.new(cache: ActiveSupport::Cache::MemoryStore.new)) do
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+      assert_equal 200, last_response.status
+
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+      assert_equal 429, last_response.status
+    end
+  end
+end

data/spec/acceptance/customizing_blocked_response_spec.rb

@@ -0,0 +1,41 @@
+require_relative "../spec_helper"
+
+describe "Customizing block responses" do
+  before do
+    Rack::Attack.blocklist("block 1.2.3.4") do |request|
+      request.ip == "1.2.3.4"
+    end
+  end
+
+  it "can be customized" do
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 403, last_response.status
+
+    Rack::Attack.blocklisted_response = lambda do |env|
+      [503, {}, ["Blocked"]]
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 503, last_response.status
+    assert_equal "Blocked", last_response.body
+  end
+
+  it "exposes match data" do
+    matched = nil
+    match_type = nil
+
+    Rack::Attack.blocklisted_response = lambda do |env|
+      matched = env['rack.attack.matched']
+      match_type = env['rack.attack.match_type']
+
+      [503, {}, ["Blocked"]]
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal "block 1.2.3.4", matched
+    assert_equal :blocklist, match_type
+  end
+end

data/spec/acceptance/customizing_throttled_response_spec.rb

@@ -0,0 +1,59 @@
+require_relative "../spec_helper"
+
+describe "Customizing throttled response" do
+  before do
+    Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+
+    Rack::Attack.throttle("by ip", limit: 1, period: 60) do |request|
+      request.ip
+    end
+  end
+
+  it "can be customized" do
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 200, last_response.status
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 429, last_response.status
+
+    Rack::Attack.throttled_response = lambda do |env|
+      [503, {}, ["Throttled"]]
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 503, last_response.status
+    assert_equal "Throttled", last_response.body
+  end
+
+  it "exposes match data" do
+    matched = nil
+    match_type = nil
+    match_data = nil
+    match_discriminator = nil
+
+    Rack::Attack.throttled_response = lambda do |env|
+      matched = env['rack.attack.matched']
+      match_type = env['rack.attack.match_type']
+      match_data = env['rack.attack.match_data']
+      match_discriminator = env['rack.attack.match_discriminator']
+
+      [429, {}, ["Throttled"]]
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal "by ip", matched
+    assert_equal :throttle, match_type
+    assert_equal 60, match_data[:period]
+    assert_equal 1, match_data[:limit]
+    assert_equal 2, match_data[:count]
+    assert_equal "1.2.3.4", match_discriminator
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal 3, match_data[:count]
+  end
+end

data/spec/acceptance/extending_request_object_spec.rb

@@ -0,0 +1,34 @@
+require_relative "../spec_helper"
+
+describe "Extending the request object" do
+  before do
+    class Rack::Attack::Request
+      def authorized?
+        env["APIKey"] == "private-secret"
+      end
+    end
+
+    Rack::Attack.blocklist("unauthorized requests") do |request|
+      !request.authorized?
+    end
+  end
+
+  # We don't want the extension to leak to other test cases
+  after do
+    class Rack::Attack::Request
+      remove_method :authorized?
+    end
+  end
+
+  it "forbids request if blocklist condition is true" do
+    get "/"
+
+    assert_equal 403, last_response.status
+  end
+
+  it "succeeds if blocklist condition is false" do
+    get "/", {}, "APIKey" => "private-secret"
+
+    assert_equal 200, last_response.status
+  end
+end

data/spec/acceptance/fail2ban_spec.rb

@@ -0,0 +1,76 @@
+require_relative "../spec_helper"
+require "timecop"
+
+describe "fail2ban" do
+  before do
+    Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+
+    Rack::Attack.blocklist("fail2ban pentesters") do |request|
+      Rack::Attack::Fail2Ban.filter(request.ip, maxretry: 2, findtime: 30, bantime: 60) do
+        request.path.include?("private-place")
+      end
+    end
+  end
+
+  it "returns OK for many requests to non filtered path" do
+    get "/"
+    assert_equal 200, last_response.status
+
+    get "/"
+    assert_equal 200, last_response.status
+  end
+
+  it "forbids access to private path" do
+    get "/private-place"
+    assert_equal 403, last_response.status
+  end
+
+  it "returns OK for non filtered path if yet not reached maxretry limit" do
+    get "/private-place"
+    assert_equal 403, last_response.status
+
+    get "/"
+    assert_equal 200, last_response.status
+  end
+
+  it "forbids all access after reaching maxretry limit" do
+    get "/private-place"
+    assert_equal 403, last_response.status
+
+    get "/private-place"
+    assert_equal 403, last_response.status
+
+    get "/"
+    assert_equal 403, last_response.status
+  end
+
+  it "restores access after bantime elapsed" do
+    get "/private-place"
+    assert_equal 403, last_response.status
+
+    get "/private-place"
+    assert_equal 403, last_response.status
+
+    get "/"
+    assert_equal 403, last_response.status
+
+    Timecop.travel(60) do
+      get "/"
+
+      assert_equal 200, last_response.status
+    end
+  end
+
+  it "does not forbid all access if maxrety condition is met but not within the findtime timespan" do
+    get "/private-place"
+    assert_equal 403, last_response.status
+
+    Timecop.travel(31) do
+      get "/private-place"
+      assert_equal 403, last_response.status
+
+      get "/"
+      assert_equal 200, last_response.status
+    end
+  end
+end

data/spec/acceptance/safelisting_ip_spec.rb

@@ -0,0 +1,49 @@
+require_relative "../spec_helper"
+
+describe "Safelist an IP" do
+  before do
+    Rack::Attack.blocklist("admin") do |request|
+      request.path == "/admin"
+    end
+
+    Rack::Attack.safelist_ip("5.6.7.8")
+  end
+
+  it "forbids request if blocklist condition is true and safelist is false" do
+    get "/admin", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 403, last_response.status
+  end
+
+  it "succeeds if blocklist condition is false and safelist is false" do
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 200, last_response.status
+  end
+
+  it "succeeds request if blocklist condition is false and safelist is true" do
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    assert_equal 200, last_response.status
+  end
+
+  it "succeeds request if both blocklist and safelist conditions are true" do
+    get "/admin", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    assert_equal 200, last_response.status
+  end
+
+  it "notifies when the request is safe" do
+    notification_type = nil
+
+    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, request|
+      notification_type = request.env["rack.attack.match_type"]
+    end
+
+    get "/admin", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    assert_equal 200, last_response.status
+    assert_equal :safelist, notification_type
+  end
+end
+

data/spec/acceptance/safelisting_spec.rb

@@ -34,4 +34,20 @@ describe "#safelist" do
 
     assert_equal 200, last_response.status
   end
+
+  it "notifies when the request is safe" do
+    notification_matched = nil
+    notification_type = nil
+
+    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, request|
+      notification_matched = request.env["rack.attack.matched"]
+      notification_type = request.env["rack.attack.match_type"]
+    end
+
+    get "/safe_space", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 200, last_response.status
+    assert_equal "safe path", notification_matched
+    assert_equal :safelist, notification_type
+  end
 end

data/spec/acceptance/safelisting_subnet_spec.rb

@@ -0,0 +1,48 @@
+require_relative "../spec_helper"
+
+describe "Safelisting an IP subnet" do
+  before do
+    Rack::Attack.blocklist("admin") do |request|
+      request.path == "/admin"
+    end
+
+    Rack::Attack.safelist_ip("5.6.0.0/16")
+  end
+
+  it "forbids request if blocklist condition is true and safelist is false" do
+    get "/admin", {}, "REMOTE_ADDR" => "5.7.0.0"
+
+    assert_equal 403, last_response.status
+  end
+
+  it "succeeds if blocklist condition is false and safelist is false" do
+    get "/", {}, "REMOTE_ADDR" => "5.7.0.0"
+
+    assert_equal 200, last_response.status
+  end
+
+  it "succeeds request if blocklist condition is false and safelist is true" do
+    get "/", {}, "REMOTE_ADDR" => "5.6.0.0"
+
+    assert_equal 200, last_response.status
+  end
+
+  it "succeeds request if both blocklist and safelist conditions are true" do
+    get "/admin", {}, "REMOTE_ADDR" => "5.6.255.255"
+
+    assert_equal 200, last_response.status
+  end
+
+  it "notifies when the request is safe" do
+    notification_type = nil
+
+    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, request|
+      notification_type = request.env["rack.attack.match_type"]
+    end
+
+    get "/admin", {}, "REMOTE_ADDR" => "5.6.0.0"
+
+    assert_equal 200, last_response.status
+    assert_equal :safelist, notification_type
+  end
+end

data/spec/acceptance/throttling_spec.rb

@@ -2,9 +2,11 @@ require_relative "../spec_helper"
 require "timecop"
 
 describe "#throttle" do
-  it "allows one request per minute by IP" do
+  before do
     Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+  end
 
+  it "allows one request per minute by IP" do
     Rack::Attack.throttle("by ip", limit: 1, period: 60) do |request|
       request.ip
     end
@@ -16,6 +18,8 @@ describe "#throttle" do
     get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
 
     assert_equal 429, last_response.status
+    assert_equal "60", last_response.headers["Retry-After"]
+    assert_equal "Retry later\n", last_response.body
 
     get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
 
@@ -27,4 +31,129 @@ describe "#throttle" do
       assert_equal 200, last_response.status
     end
   end
+
+  it "supports limit to be dynamic" do
+    # Could be used to have different rate limits for authorized
+    # vs general requests
+    limit_proc = lambda do |request|
+      if request.env["X-APIKey"] == "private-secret"
+        2
+      else
+        1
+      end
+    end
+
+    Rack::Attack.throttle("by ip", limit: limit_proc, period: 60) do |request|
+      request.ip
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal 200, last_response.status
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+    assert_equal 429, last_response.status
+
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8", "X-APIKey" => "private-secret"
+    assert_equal 200, last_response.status
+
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8", "X-APIKey" => "private-secret"
+    assert_equal 200, last_response.status
+
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8", "X-APIKey" => "private-secret"
+    assert_equal 429, last_response.status
+  end
+
+  it "supports period to be dynamic" do
+    # Could be used to have different rate limits for authorized
+    # vs general requests
+    period_proc = lambda do |request|
+      if request.env["X-APIKey"] == "private-secret"
+        10
+      else
+        30
+      end
+    end
+
+    Rack::Attack.throttle("by ip", limit: 1, period: period_proc) do |request|
+      request.ip
+    end
+
+    # Using Time#at to align to start/end of periods exactly
+    # to achieve consistenty in different test runs
+
+    Timecop.travel(Time.at(0)) do
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+      assert_equal 200, last_response.status
+
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+      assert_equal 429, last_response.status
+    end
+
+    Timecop.travel(Time.at(10)) do
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+      assert_equal 429, last_response.status
+    end
+
+    Timecop.travel(Time.at(30)) do
+      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+      assert_equal 200, last_response.status
+    end
+
+    Timecop.travel(Time.at(0)) do
+      get "/", {}, "REMOTE_ADDR" => "5.6.7.8", "X-APIKey" => "private-secret"
+      assert_equal 200, last_response.status
+
+      get "/", {}, "REMOTE_ADDR" => "5.6.7.8", "X-APIKey" => "private-secret"
+      assert_equal 429, last_response.status
+    end
+
+    Timecop.travel(Time.at(10)) do
+      get "/", {}, "REMOTE_ADDR" => "5.6.7.8", "X-APIKey" => "private-secret"
+      assert_equal 200, last_response.status
+    end
+  end
+
+  it "notifies when the request is throttled" do
+    Rack::Attack.throttle("by ip", limit: 1, period: 60) do |request|
+      request.ip
+    end
+
+    notification_matched = nil
+    notification_type = nil
+    notification_data = nil
+    notification_discriminator = nil
+
+    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, request|
+      notification_matched = request.env["rack.attack.matched"]
+      notification_type = request.env["rack.attack.match_type"]
+      notification_data = request.env['rack.attack.match_data']
+      notification_discriminator = request.env['rack.attack.match_discriminator']
+    end
+
+    get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
+
+    assert_equal 200, last_response.status
+    assert_nil notification_matched
+    assert_nil notification_type
+    assert_nil notification_data
+    assert_nil notification_discriminator
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 200, last_response.status
+    assert_nil notification_matched
+    assert_nil notification_type
+    assert_nil notification_data
+    assert_nil notification_discriminator
+
+    get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+
+    assert_equal 429, last_response.status
+    assert_equal "by ip", notification_matched
+    assert_equal :throttle, notification_type
+    assert_equal 60, notification_data[:period]
+    assert_equal 1, notification_data[:limit]
+    assert_equal 2, notification_data[:count]
+    assert_equal "1.2.3.4", notification_discriminator
+  end
 end