rack-attack 5.4.2 → 6.2.2

data/spec/rack_attack_dalli_proxy_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'spec_helper'
 
 describe Rack::Attack::StoreProxy::DalliProxy do

data/spec/rack_attack_instrumentation_spec.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require_relative "spec_helper"
+
+# ActiveSupport::Subscribers added in ~> 4.0.2.0
+if ActiveSupport::VERSION::MAJOR > 3
+  require_relative 'spec_helper'
+  require 'active_support/subscriber'
+  class CustomSubscriber < ActiveSupport::Subscriber
+    @notification_count = 0
+
+    class << self
+      attr_accessor :notification_count
+    end
+
+    def throttle(_event)
+      self.class.notification_count += 1
+    end
+  end
+
+  describe 'Rack::Attack.instrument' do
+    before do
+      @period = 60 # Use a long period; failures due to cache key rotation less likely
+      Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+      Rack::Attack.throttle('ip/sec', limit: 1, period: @period) { |req| req.ip }
+    end
+
+    describe "with throttling" do
+      before do
+        ActiveSupport::Notifications.stub(:notifier, ActiveSupport::Notifications::Fanout.new) do
+          CustomSubscriber.attach_to("rack_attack")
+          2.times { get '/', {}, 'REMOTE_ADDR' => '1.2.3.4' }
+        end
+      end
+
+      it 'should instrument without error' do
+        _(last_response.status).must_equal 429
+        assert_equal 1, CustomSubscriber.notification_count
+      end
+    end
+  end
+end

data/spec/rack_attack_path_normalizer_spec.rb

@@ -1,17 +1,19 @@
+# frozen_string_literal: true
+
 require_relative 'spec_helper'
 
 describe Rack::Attack::PathNormalizer do
   subject { Rack::Attack::PathNormalizer }
 
   it 'should have a normalize_path method' do
-    subject.normalize_path('/foo').must_equal '/foo'
+    _(subject.normalize_path('/foo')).must_equal '/foo'
   end
 
   describe 'FallbackNormalizer' do
     subject { Rack::Attack::FallbackPathNormalizer }
 
     it '#normalize_path does not change the path' do
-      subject.normalize_path('').must_equal ''
+      _(subject.normalize_path('')).must_equal ''
     end
   end
 end

data/spec/rack_attack_request_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'spec_helper'
 
 describe 'Rack::Attack' do

data/spec/rack_attack_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'spec_helper'
 
 describe 'Rack::Attack' do
@@ -10,7 +12,7 @@ describe 'Rack::Attack' do
 
     it 'blocks requests with trailing slash' do
       get '/foo/'
-      last_response.status.must_equal 403
+      _(last_response.status).must_equal 403
     end
   end
 
@@ -20,28 +22,21 @@ describe 'Rack::Attack' do
       Rack::Attack.blocklist("ip #{@bad_ip}") { |req| req.ip == @bad_ip }
     end
 
-    it('has a blocklist') {
-      Rack::Attack.blocklists.key?("ip #{@bad_ip}").must_equal true
-    }
-
-    it('has a blacklist with a deprication warning') {
-      _, stderror = capture_io do
-        Rack::Attack.blacklists.key?("ip #{@bad_ip}").must_equal true
-      end
-      assert_match "[DEPRECATION] 'Rack::Attack.blacklists' is deprecated.  Please use 'blocklists' instead.", stderror
-    }
+    it 'has a blocklist' do
+      _(Rack::Attack.blocklists.key?("ip #{@bad_ip}")).must_equal true
+    end
 
     describe "a bad request" do
       before { get '/', {}, 'REMOTE_ADDR' => @bad_ip }
 
       it "should return a blocklist response" do
-        last_response.status.must_equal 403
-        last_response.body.must_equal "Forbidden\n"
+        _(last_response.status).must_equal 403
+        _(last_response.body).must_equal "Forbidden\n"
       end
 
       it "should tag the env" do
-        last_request.env['rack.attack.matched'].must_equal "ip #{@bad_ip}"
-        last_request.env['rack.attack.match_type'].must_equal :blocklist
+        _(last_request.env['rack.attack.matched']).must_equal "ip #{@bad_ip}"
+        _(last_request.env['rack.attack.match_type']).must_equal :blocklist
       end
 
       it_allows_ok_requests
@@ -55,43 +50,52 @@ describe 'Rack::Attack' do
 
       it('has a safelist') { Rack::Attack.safelists.key?("good ua") }
 
-      it('has a whitelist with a deprication warning') {
-        _, stderror = capture_io do
-          Rack::Attack.whitelists.key?("good ua")
-        end
-        assert_match "[DEPRECATION] 'Rack::Attack.whitelists' is deprecated.  Please use 'safelists' instead.", stderror
-      }
-
       describe "with a request match both safelist & blocklist" do
         before { get '/', {}, 'REMOTE_ADDR' => @bad_ip, 'HTTP_USER_AGENT' => @good_ua }
 
         it "should allow safelists before blocklists" do
-          last_response.status.must_equal 200
+          _(last_response.status).must_equal 200
         end
 
         it "should tag the env" do
-          last_request.env['rack.attack.matched'].must_equal 'good ua'
-          last_request.env['rack.attack.match_type'].must_equal :safelist
+          _(last_request.env['rack.attack.matched']).must_equal 'good ua'
+          _(last_request.env['rack.attack.match_type']).must_equal :safelist
         end
       end
     end
 
     describe '#blocklisted_response' do
       it 'should exist' do
-        Rack::Attack.blocklisted_response.must_respond_to :call
-      end
-
-      it 'should give a deprication warning for blacklisted_response' do
-        _, stderror = capture_io do
-          Rack::Attack.blacklisted_response
-        end
-        assert_match "[DEPRECATION] 'Rack::Attack.blacklisted_response' is deprecated.  Please use 'blocklisted_response' instead.", stderror
+        _(Rack::Attack.blocklisted_response).must_respond_to :call
       end
     end
 
     describe '#throttled_response' do
       it 'should exist' do
-        Rack::Attack.throttled_response.must_respond_to :call
+        _(Rack::Attack.throttled_response).must_respond_to :call
+      end
+    end
+  end
+
+  describe 'enabled' do
+    it 'should be enabled by default' do
+      _(Rack::Attack.enabled).must_equal true
+    end
+
+    it 'should directly pass request when disabled' do
+      bad_ip = '1.2.3.4'
+      Rack::Attack.blocklist("ip #{bad_ip}") { |req| req.ip == bad_ip }
+
+      get '/', {}, 'REMOTE_ADDR' => bad_ip
+      _(last_response.status).must_equal 403
+
+      prev_enabled = Rack::Attack.enabled
+      begin
+        Rack::Attack.enabled = false
+        get '/', {}, 'REMOTE_ADDR' => bad_ip
+        _(last_response.status).must_equal 200
+      ensure
+        Rack::Attack.enabled = prev_enabled
       end
     end
   end

data/spec/rack_attack_throttle_spec.rb

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
+
 require_relative 'spec_helper'
 
 describe 'Rack::Attack.throttle' do
   before do
     @period = 60 # Use a long period; failures due to cache key rotation less likely
     Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
-    Rack::Attack.throttle('ip/sec', :limit => 1, :period => @period) { |req| req.ip }
+    Rack::Attack.throttle('ip/sec', limit: 1, period: @period) { |req| req.ip }
   end
 
   it('should have a throttle') { Rack::Attack.throttles.key?('ip/sec') }
@@ -16,12 +18,19 @@ describe 'Rack::Attack.throttle' do
 
     it 'should set the counter for one request' do
       key = "rack::attack:#{Time.now.to_i / @period}:ip/sec:1.2.3.4"
-      Rack::Attack.cache.store.read(key).must_equal 1
+      _(Rack::Attack.cache.store.read(key)).must_equal 1
     end
 
     it 'should populate throttle data' do
-      data = { :count => 1, :limit => 1, :period => @period, epoch_time: Rack::Attack.cache.last_epoch_time.to_i }
-      last_request.env['rack.attack.throttle_data']['ip/sec'].must_equal data
+      data = {
+        count: 1,
+        limit: 1,
+        period: @period,
+        epoch_time: Rack::Attack.cache.last_epoch_time.to_i,
+        discriminator: "1.2.3.4"
+      }
+
+      _(last_request.env['rack.attack.throttle_data']['ip/sec']).must_equal data
     end
   end
 
@@ -31,18 +40,26 @@ describe 'Rack::Attack.throttle' do
     end
 
     it 'should block the last request' do
-      last_response.status.must_equal 429
+      _(last_response.status).must_equal 429
     end
 
     it 'should tag the env' do
-      last_request.env['rack.attack.matched'].must_equal 'ip/sec'
-      last_request.env['rack.attack.match_type'].must_equal :throttle
-      last_request.env['rack.attack.match_data'].must_equal(:count => 2, :limit => 1, :period => @period, epoch_time: Rack::Attack.cache.last_epoch_time.to_i)
-      last_request.env['rack.attack.match_discriminator'].must_equal('1.2.3.4')
+      _(last_request.env['rack.attack.matched']).must_equal 'ip/sec'
+      _(last_request.env['rack.attack.match_type']).must_equal :throttle
+
+      _(last_request.env['rack.attack.match_data']).must_equal(
+        count: 2,
+        limit: 1,
+        period: @period,
+        epoch_time: Rack::Attack.cache.last_epoch_time.to_i,
+        discriminator: "1.2.3.4"
+      )
+
+      _(last_request.env['rack.attack.match_discriminator']).must_equal('1.2.3.4')
     end
 
     it 'should set a Retry-After header' do
-      last_response.headers['Retry-After'].must_equal @period.to_s
+      _(last_response.headers['Retry-After']).must_equal @period.to_s
     end
   end
 end
@@ -51,7 +68,7 @@ describe 'Rack::Attack.throttle with limit as proc' do
   before do
     @period = 60 # Use a long period; failures due to cache key rotation less likely
     Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
-    Rack::Attack.throttle('ip/sec', :limit => lambda { |_req| 1 }, :period => @period) { |req| req.ip }
+    Rack::Attack.throttle('ip/sec', limit: lambda { |_req| 1 }, period: @period) { |req| req.ip }
   end
 
   it_allows_ok_requests
@@ -61,12 +78,19 @@ describe 'Rack::Attack.throttle with limit as proc' do
 
     it 'should set the counter for one request' do
       key = "rack::attack:#{Time.now.to_i / @period}:ip/sec:1.2.3.4"
-      Rack::Attack.cache.store.read(key).must_equal 1
+      _(Rack::Attack.cache.store.read(key)).must_equal 1
     end
 
     it 'should populate throttle data' do
-      data = { :count => 1, :limit => 1, :period => @period, epoch_time: Rack::Attack.cache.last_epoch_time.to_i }
-      last_request.env['rack.attack.throttle_data']['ip/sec'].must_equal data
+      data = {
+        count: 1,
+        limit: 1,
+        period: @period,
+        epoch_time: Rack::Attack.cache.last_epoch_time.to_i,
+        discriminator: "1.2.3.4"
+      }
+
+      _(last_request.env['rack.attack.throttle_data']['ip/sec']).must_equal data
     end
   end
 end
@@ -75,7 +99,7 @@ describe 'Rack::Attack.throttle with period as proc' do
   before do
     @period = 60 # Use a long period; failures due to cache key rotation less likely
     Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
-    Rack::Attack.throttle('ip/sec', :limit => lambda { |_req| 1 }, :period => lambda { |_req| @period }) { |req| req.ip }
+    Rack::Attack.throttle('ip/sec', limit: lambda { |_req| 1 }, period: lambda { |_req| @period }) { |req| req.ip }
   end
 
   it_allows_ok_requests
@@ -85,12 +109,19 @@ describe 'Rack::Attack.throttle with period as proc' do
 
     it 'should set the counter for one request' do
       key = "rack::attack:#{Time.now.to_i / @period}:ip/sec:1.2.3.4"
-      Rack::Attack.cache.store.read(key).must_equal 1
+      _(Rack::Attack.cache.store.read(key)).must_equal 1
     end
 
     it 'should populate throttle data' do
-      data = { :count => 1, :limit => 1, :period => @period, epoch_time: Rack::Attack.cache.last_epoch_time.to_i }
-      last_request.env['rack.attack.throttle_data']['ip/sec'].must_equal data
+      data = {
+        count: 1,
+        limit: 1,
+        period: @period,
+        epoch_time: Rack::Attack.cache.last_epoch_time.to_i,
+        discriminator: "1.2.3.4"
+      }
+
+      _(last_request.env['rack.attack.throttle_data']['ip/sec']).must_equal data
     end
   end
 end
@@ -99,7 +130,7 @@ describe 'Rack::Attack.throttle with block retuning nil' do
   before do
     @period = 60
     Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
-    Rack::Attack.throttle('ip/sec', :limit => 1, :period => @period) { |_| nil }
+    Rack::Attack.throttle('ip/sec', limit: 1, period: @period) { |_| nil }
   end
 
   it_allows_ok_requests

data/spec/rack_attack_track_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'spec_helper'
 
 describe 'Rack::Attack.track' do
@@ -23,8 +25,9 @@ describe 'Rack::Attack.track' do
 
   it "should tag the env" do
     get '/'
-    last_request.env['rack.attack.matched'].must_equal 'everything'
-    last_request.env['rack.attack.match_type'].must_equal :track
+
+    _(last_request.env['rack.attack.matched']).must_equal 'everything'
+    _(last_request.env['rack.attack.match_type']).must_equal :track
   end
 
   describe "with a notification subscriber and two tracks" do
@@ -33,7 +36,7 @@ describe 'Rack::Attack.track' do
       # A second track
       Rack::Attack.track("homepage") { |req| req.path == "/" }
 
-      ActiveSupport::Notifications.subscribe("rack.attack") do |*_args|
+      ActiveSupport::Notifications.subscribe("track.rack_attack") do |*_args|
         Counter.incr
       end
 
@@ -41,21 +44,23 @@ describe 'Rack::Attack.track' do
     end
 
     it "should notify twice" do
-      Counter.check.must_equal 2
+      _(Counter.check).must_equal 2
     end
   end
 
   describe "without limit and period options" do
     it "should assign the track filter to a Check instance" do
       track = Rack::Attack.track("homepage") { |req| req.path == "/" }
-      track.filter.class.must_equal Rack::Attack::Check
+
+      _(track.filter.class).must_equal Rack::Attack::Check
     end
   end
 
   describe "with limit and period options" do
     it "should assign the track filter to a Throttle instance" do
-      track = Rack::Attack.track("homepage", :limit => 10, :period => 10) { |req| req.path == "/" }
-      track.filter.class.must_equal Rack::Attack::Throttle
+      track = Rack::Attack.track("homepage", limit: 10, period: 10) { |req| req.path == "/" }
+
+      _(track.filter.class).must_equal Rack::Attack::Throttle
     end
   end
 end

data/spec/spec_helper.rb

@@ -1,10 +1,11 @@
+# frozen_string_literal: true
+
 require "bundler/setup"
 
 require "minitest/autorun"
 require "minitest/pride"
 require "rack/test"
-require 'active_support'
-require 'action_dispatch'
+require "rails"
 
 require "rack/attack"
 
@@ -13,10 +14,9 @@ if RUBY_ENGINE == "ruby"
 end
 
 def safe_require(name)
-  begin
-    require name
-  rescue LoadError
-  end
+  require name
+rescue LoadError
+  nil
 end
 
 safe_require "connection_pool"
@@ -29,6 +29,7 @@ class MiniTest::Spec
   include Rack::Test::Methods
 
   before do
+    Rails.cache = nil
     @_original_throttled_response = Rack::Attack.throttled_response
     @_original_blocklisted_response = Rack::Attack.blocklisted_response
   end
@@ -45,6 +46,8 @@ class MiniTest::Spec
     Rack::Builder.new do
       # Use Rack::Lint to test that rack-attack is complying with the rack spec
       use Rack::Lint
+      # Intentionally added twice to test idempotence property
+      use Rack::Attack
       use Rack::Attack
       use Rack::Lint
 
@@ -55,8 +58,9 @@ class MiniTest::Spec
   def self.it_allows_ok_requests
     it "must allow ok requests" do
       get '/', {}, 'REMOTE_ADDR' => '127.0.0.1'
-      last_response.status.must_equal 200
-      last_response.body.must_equal 'Hello World'
+
+      _(last_response.status).must_equal 200
+      _(last_response.body).must_equal 'Hello World'
     end
   end
 end