rack-attack 6.7.0 → 6.8.0

data/spec/rack_attack_throttle_spec.rb

@@ -1,10 +1,11 @@
 # frozen_string_literal: true
 
 require_relative 'spec_helper'
+require_relative 'support/freeze_time_helper'
 
 describe 'Rack::Attack.throttle' do
   before do
-    @period = 60 # Use a long period; failures due to cache key rotation less likely
+    @period = 60
     Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
     Rack::Attack.throttle('ip/sec', limit: 1, period: @period) { |req| req.ip }
   end
@@ -14,14 +15,18 @@ describe 'Rack::Attack.throttle' do
   it_allows_ok_requests
 
   describe 'a single request' do
-    before { get '/', {}, 'REMOTE_ADDR' => '1.2.3.4' }
-
     it 'should set the counter for one request' do
-      key = "rack::attack:#{Time.now.to_i / @period}:ip/sec:1.2.3.4"
-      _(Rack::Attack.cache.store.read(key)).must_equal 1
+      within_same_period do
+        get '/', {}, 'REMOTE_ADDR' => '1.2.3.4'
+
+        key = "rack::attack:#{Time.now.to_i / @period}:ip/sec:1.2.3.4"
+        _(Rack::Attack.cache.store.read(key)).must_equal 1
+      end
     end
 
     it 'should populate throttle data' do
+      get '/', {}, 'REMOTE_ADDR' => '1.2.3.4'
+
       data = {
         count: 1,
         limit: 1,
@@ -36,7 +41,9 @@ describe 'Rack::Attack.throttle' do
 
   describe "with 2 requests" do
     before do
-      2.times { get '/', {}, 'REMOTE_ADDR' => '1.2.3.4' }
+      within_same_period do
+        2.times { get '/', {}, 'REMOTE_ADDR' => '1.2.3.4' }
+      end
     end
 
     it 'should block the last request' do
@@ -62,7 +69,7 @@ end
 
 describe 'Rack::Attack.throttle with limit as proc' do
   before do
-    @period = 60 # Use a long period; failures due to cache key rotation less likely
+    @period = 60
     Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
     Rack::Attack.throttle('ip/sec', limit: lambda { |_req| 1 }, period: @period) { |req| req.ip }
   end
@@ -70,14 +77,17 @@ describe 'Rack::Attack.throttle with limit as proc' do
   it_allows_ok_requests
 
   describe 'a single request' do
-    before { get '/', {}, 'REMOTE_ADDR' => '1.2.3.4' }
-
     it 'should set the counter for one request' do
-      key = "rack::attack:#{Time.now.to_i / @period}:ip/sec:1.2.3.4"
-      _(Rack::Attack.cache.store.read(key)).must_equal 1
+      within_same_period do
+        get '/', {}, 'REMOTE_ADDR' => '1.2.3.4'
+
+        key = "rack::attack:#{Time.now.to_i / @period}:ip/sec:1.2.3.4"
+        _(Rack::Attack.cache.store.read(key)).must_equal 1
+      end
     end
 
     it 'should populate throttle data' do
+      get '/', {}, 'REMOTE_ADDR' => '1.2.3.4'
       data = {
         count: 1,
         limit: 1,
@@ -93,7 +103,7 @@ end
 
 describe 'Rack::Attack.throttle with period as proc' do
   before do
-    @period = 60 # Use a long period; failures due to cache key rotation less likely
+    @period = 60
     Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
     Rack::Attack.throttle('ip/sec', limit: lambda { |_req| 1 }, period: lambda { |_req| @period }) { |req| req.ip }
   end
@@ -101,14 +111,18 @@ describe 'Rack::Attack.throttle with period as proc' do
   it_allows_ok_requests
 
   describe 'a single request' do
-    before { get '/', {}, 'REMOTE_ADDR' => '1.2.3.4' }
-
     it 'should set the counter for one request' do
-      key = "rack::attack:#{Time.now.to_i / @period}:ip/sec:1.2.3.4"
-      _(Rack::Attack.cache.store.read(key)).must_equal 1
+      within_same_period do
+        get '/', {}, 'REMOTE_ADDR' => '1.2.3.4'
+
+        key = "rack::attack:#{Time.now.to_i / @period}:ip/sec:1.2.3.4"
+        _(Rack::Attack.cache.store.read(key)).must_equal 1
+      end
     end
 
     it 'should populate throttle data' do
+      get '/', {}, 'REMOTE_ADDR' => '1.2.3.4'
+
       data = {
         count: 1,
         limit: 1,
@@ -122,7 +136,7 @@ describe 'Rack::Attack.throttle with period as proc' do
   end
 end
 
-describe 'Rack::Attack.throttle with block retuning nil' do
+describe 'Rack::Attack.throttle with block returning nil' do
   before do
     @period = 60
     Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
@@ -132,14 +146,17 @@ describe 'Rack::Attack.throttle with block retuning nil' do
   it_allows_ok_requests
 
   describe 'a single request' do
-    before { get '/', {}, 'REMOTE_ADDR' => '1.2.3.4' }
-
     it 'should not set the counter' do
-      key = "rack::attack:#{Time.now.to_i / @period}:ip/sec:1.2.3.4"
-      assert_nil Rack::Attack.cache.store.read(key)
+      within_same_period do
+        get '/', {}, 'REMOTE_ADDR' => '1.2.3.4'
+
+        key = "rack::attack:#{Time.now.to_i / @period}:ip/sec:1.2.3.4"
+        assert_nil Rack::Attack.cache.store.read(key)
+      end
     end
 
     it 'should not populate throttle data' do
+      get '/', {}, 'REMOTE_ADDR' => '1.2.3.4'
       assert_nil last_request.env['rack.attack.throttle_data']
     end
   end
@@ -162,9 +179,11 @@ describe 'Rack::Attack.throttle with throttle_discriminator_normalizer' do
   end
 
   it 'should not differentiate requests when throttle_discriminator_normalizer is enabled' do
-    post_logins
-    key = "rack::attack:#{Time.now.to_i / @period}:logins/email:person@example.com"
-    _(Rack::Attack.cache.store.read(key)).must_equal 3
+    within_same_period do
+      post_logins
+      key = "rack::attack:#{Time.now.to_i / @period}:logins/email:person@example.com"
+      _(Rack::Attack.cache.store.read(key)).must_equal 3
+    end
   end
 
   it 'should differentiate requests when throttle_discriminator_normalizer is disabled' do
@@ -172,10 +191,12 @@ describe 'Rack::Attack.throttle with throttle_discriminator_normalizer' do
       prev = Rack::Attack.throttle_discriminator_normalizer
       Rack::Attack.throttle_discriminator_normalizer = nil
 
-      post_logins
-      @emails.each do |email|
-        key = "rack::attack:#{Time.now.to_i / @period}:logins/email:#{email}"
-        _(Rack::Attack.cache.store.read(key)).must_equal 1
+      within_same_period do
+        post_logins
+        @emails.each do |email|
+          key = "rack::attack:#{Time.now.to_i / @period}:logins/email:#{email}"
+          _(Rack::Attack.cache.store.read(key)).must_equal 1
+        end
       end
     ensure
       Rack::Attack.throttle_discriminator_normalizer = prev

data/spec/rack_attack_track_spec.rb

@@ -3,19 +3,7 @@
 require_relative 'spec_helper'
 
 describe 'Rack::Attack.track' do
-  class Counter
-    def self.incr
-      @counter += 1
-    end
-
-    def self.reset
-      @counter = 0
-    end
-
-    def self.check
-      @counter
-    end
-  end
+  let(:notifications) { [] }
 
   before do
     Rack::Attack.track("everything") { |_req| true }
@@ -32,19 +20,18 @@ describe 'Rack::Attack.track' do
 
   describe "with a notification subscriber and two tracks" do
     before do
-      Counter.reset
       # A second track
       Rack::Attack.track("homepage") { |req| req.path == "/" }
 
-      ActiveSupport::Notifications.subscribe("track.rack_attack") do |*_args|
-        Counter.incr
+      ActiveSupport::Notifications.subscribe("track.rack_attack") do |_name, _start, _finish, _id, payload|
+        notifications.push(payload)
       end
 
       get "/"
     end
 
     it "should notify twice" do
-      _(Counter.check).must_equal 2
+      _(notifications.size).must_equal 2
     end
   end
 

data/spec/spec_helper.rb

@@ -2,6 +2,7 @@
 
 require "bundler/setup"
 
+require "logger"
 require "minitest/autorun"
 require "minitest/pride"
 require "rack/test"
@@ -20,15 +21,15 @@ end
 
 safe_require "connection_pool"
 safe_require "dalli"
+safe_require "rails"
 safe_require "redis"
-safe_require "redis-activesupport"
 safe_require "redis-store"
 
-class MiniTest::Spec
+class Minitest::Spec
   include Rack::Test::Methods
 
   before do
-    if Object.const_defined?(:Rails) && Rails.respond_to?(:cache)
+    if Object.const_defined?(:Rails) && Rails.respond_to?(:cache) && Rails.cache.respond_to?(:clear)
       Rails.cache.clear
     end
   end

data/spec/support/cache_store_helper.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require_relative 'freeze_time_helper'
+
 class Minitest::Spec
   def self.it_works_for_cache_backed_features(options)
     fetch_from_store = options.fetch(:fetch_from_store)
@@ -9,11 +11,13 @@ class Minitest::Spec
         request.ip
       end
 
-      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
-      assert_equal 200, last_response.status
+      within_same_period do
+        get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+        assert_equal 200, last_response.status
 
-      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
-      assert_equal 429, last_response.status
+        get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+        assert_equal 429, last_response.status
+      end
     end
 
     it "works for fail2ban" do
@@ -23,17 +27,19 @@ class Minitest::Spec
         end
       end
 
-      get "/"
-      assert_equal 200, last_response.status
+      within_same_period do
+        get "/"
+        assert_equal 200, last_response.status
 
-      get "/private-place"
-      assert_equal 403, last_response.status
+        get "/private-place"
+        assert_equal 403, last_response.status
 
-      get "/private-place"
-      assert_equal 403, last_response.status
+        get "/private-place"
+        assert_equal 403, last_response.status
 
-      get "/"
-      assert_equal 403, last_response.status
+        get "/"
+        assert_equal 403, last_response.status
+      end
     end
 
     it "works for allow2ban" do
@@ -43,20 +49,22 @@ class Minitest::Spec
         end
       end
 
-      get "/"
-      assert_equal 200, last_response.status
+      within_same_period do
+        get "/"
+        assert_equal 200, last_response.status
 
-      get "/scarce-resource"
-      assert_equal 200, last_response.status
+        get "/scarce-resource"
+        assert_equal 200, last_response.status
 
-      get "/scarce-resource"
-      assert_equal 200, last_response.status
+        get "/scarce-resource"
+        assert_equal 200, last_response.status
 
-      get "/scarce-resource"
-      assert_equal 403, last_response.status
+        get "/scarce-resource"
+        assert_equal 403, last_response.status
 
-      get "/"
-      assert_equal 403, last_response.status
+        get "/"
+        assert_equal 403, last_response.status
+      end
     end
 
     it "doesn't leak keys" do
@@ -66,9 +74,7 @@ class Minitest::Spec
 
       key = nil
 
-      # Freeze time during these statement to be sure that the key used by rack attack is the same
-      # we pre-calculate in local variable `key`
-      Timecop.freeze do
+      within_same_period do
         key = "rack::attack:#{Time.now.to_i}:by ip:1.2.3.4"
 
         get "/", {}, "REMOTE_ADDR" => "1.2.3.4"

data/spec/support/freeze_time_helper.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require "timecop"
+
+class Minitest::Spec
+  def within_same_period(&block)
+    Timecop.freeze(&block)
+  end
+end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rack-attack
 version: !ruby/object:Gem::Version
-  version: 6.7.0
+  version: 6.8.0
 platform: ruby
 authors:
 - Aaron Suggs
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-07-26 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -126,28 +125,56 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.89.1
+        version: 1.12.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.89.1
+        version: 1.12.1
+- !ruby/object:Gem::Dependency
+  name: rubocop-minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.11.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.11.1
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.5.0
+        version: 1.10.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.10.2
+- !ruby/object:Gem::Dependency
+  name: rubocop-rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.5.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.5.0
+        version: 0.5.1
 - !ruby/object:Gem::Dependency
   name: timecop
   requirement: !ruby/object:Gem::Requirement
@@ -211,7 +238,6 @@ files:
 - lib/rack/attack/railtie.rb
 - lib/rack/attack/request.rb
 - lib/rack/attack/safelist.rb
-- lib/rack/attack/store_proxy/active_support_redis_store_proxy.rb
 - lib/rack/attack/store_proxy/dalli_proxy.rb
 - lib/rack/attack/store_proxy/mem_cache_store_proxy.rb
 - lib/rack/attack/store_proxy/redis_cache_store_proxy.rb
@@ -236,13 +262,11 @@ files:
 - spec/acceptance/safelisting_ip_spec.rb
 - spec/acceptance/safelisting_spec.rb
 - spec/acceptance/safelisting_subnet_spec.rb
-- spec/acceptance/stores/active_support_dalli_store_spec.rb
 - spec/acceptance/stores/active_support_mem_cache_store_pooled_spec.rb
 - spec/acceptance/stores/active_support_mem_cache_store_spec.rb
 - spec/acceptance/stores/active_support_memory_store_spec.rb
 - spec/acceptance/stores/active_support_redis_cache_store_pooled_spec.rb
 - spec/acceptance/stores/active_support_redis_cache_store_spec.rb
-- spec/acceptance/stores/active_support_redis_store_spec.rb
 - spec/acceptance/stores/connection_pool_dalli_client_spec.rb
 - spec/acceptance/stores/dalli_client_spec.rb
 - spec/acceptance/stores/redis_spec.rb
@@ -251,17 +275,20 @@ files:
 - spec/acceptance/track_spec.rb
 - spec/acceptance/track_throttle_spec.rb
 - spec/allow2ban_spec.rb
+- spec/configuration_spec.rb
 - spec/fail2ban_spec.rb
 - spec/integration/offline_spec.rb
 - spec/rack_attack_dalli_proxy_spec.rb
 - spec/rack_attack_instrumentation_spec.rb
 - spec/rack_attack_path_normalizer_spec.rb
 - spec/rack_attack_request_spec.rb
+- spec/rack_attack_reset_spec.rb
 - spec/rack_attack_spec.rb
 - spec/rack_attack_throttle_spec.rb
 - spec/rack_attack_track_spec.rb
 - spec/spec_helper.rb
 - spec/support/cache_store_helper.rb
+- spec/support/freeze_time_helper.rb
 homepage: https://github.com/rack/rack-attack
 licenses:
 - MIT
@@ -269,7 +296,6 @@ metadata:
   bug_tracker_uri: https://github.com/rack/rack-attack/issues
   changelog_uri: https://github.com/rack/rack-attack/blob/main/CHANGELOG.md
   source_code_uri: https://github.com/rack/rack-attack
-post_install_message:
 rdoc_options:
 - "--charset=UTF-8"
 require_paths:
@@ -285,8 +311,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Block & throttle abusive requests
 test_files:
@@ -306,13 +331,11 @@ test_files:
 - spec/acceptance/safelisting_ip_spec.rb
 - spec/acceptance/safelisting_spec.rb
 - spec/acceptance/safelisting_subnet_spec.rb
-- spec/acceptance/stores/active_support_dalli_store_spec.rb
 - spec/acceptance/stores/active_support_mem_cache_store_pooled_spec.rb
 - spec/acceptance/stores/active_support_mem_cache_store_spec.rb
 - spec/acceptance/stores/active_support_memory_store_spec.rb
 - spec/acceptance/stores/active_support_redis_cache_store_pooled_spec.rb
 - spec/acceptance/stores/active_support_redis_cache_store_spec.rb
-- spec/acceptance/stores/active_support_redis_store_spec.rb
 - spec/acceptance/stores/connection_pool_dalli_client_spec.rb
 - spec/acceptance/stores/dalli_client_spec.rb
 - spec/acceptance/stores/redis_spec.rb
@@ -321,14 +344,17 @@ test_files:
 - spec/acceptance/track_spec.rb
 - spec/acceptance/track_throttle_spec.rb
 - spec/allow2ban_spec.rb
+- spec/configuration_spec.rb
 - spec/fail2ban_spec.rb
 - spec/integration/offline_spec.rb
 - spec/rack_attack_dalli_proxy_spec.rb
 - spec/rack_attack_instrumentation_spec.rb
 - spec/rack_attack_path_normalizer_spec.rb
 - spec/rack_attack_request_spec.rb
+- spec/rack_attack_reset_spec.rb
 - spec/rack_attack_spec.rb
 - spec/rack_attack_throttle_spec.rb
 - spec/rack_attack_track_spec.rb
 - spec/spec_helper.rb
 - spec/support/cache_store_helper.rb
+- spec/support/freeze_time_helper.rb

data/lib/rack/attack/store_proxy/active_support_redis_store_proxy.rb

@@ -1,39 +0,0 @@
-# frozen_string_literal: true
-
-require 'rack/attack/base_proxy'
-
-module Rack
-  class Attack
-    module StoreProxy
-      class ActiveSupportRedisStoreProxy < BaseProxy
-        def self.handle?(store)
-          defined?(::Redis) &&
-            defined?(::ActiveSupport::Cache::RedisStore) &&
-            store.is_a?(::ActiveSupport::Cache::RedisStore)
-        end
-
-        def increment(name, amount = 1, options = {})
-          # #increment ignores options[:expires_in].
-          #
-          # So in order to workaround this we use #write (which sets expiration) to initialize
-          # the counter. After that we continue using the original #increment.
-          if options[:expires_in] && !read(name)
-            write(name, amount, options)
-
-            amount
-          else
-            super
-          end
-        end
-
-        def read(name, options = {})
-          super(name, options.merge!(raw: true))
-        end
-
-        def write(name, value, options = {})
-          super(name, value, options.merge!(raw: true))
-        end
-      end
-    end
-  end
-end

data/spec/acceptance/stores/active_support_dalli_store_spec.rb

@@ -1,25 +0,0 @@
-# frozen_string_literal: true
-
-require_relative "../../spec_helper"
-
-should_run =
-  defined?(::Dalli) &&
-  Gem::Version.new(::Dalli::VERSION) < Gem::Version.new("3")
-
-if should_run
-  require_relative "../../support/cache_store_helper"
-  require "active_support/cache/dalli_store"
-  require "timecop"
-
-  describe "ActiveSupport::Cache::DalliStore as a cache backend" do
-    before do
-      Rack::Attack.cache.store = ActiveSupport::Cache::DalliStore.new
-    end
-
-    after do
-      Rack::Attack.cache.store.clear
-    end
-
-    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.fetch(key) })
-  end
-end

data/spec/acceptance/stores/active_support_redis_store_spec.rb

@@ -1,20 +0,0 @@
-# frozen_string_literal: true
-
-require_relative "../../spec_helper"
-
-if defined?(::ActiveSupport::Cache::RedisStore)
-  require_relative "../../support/cache_store_helper"
-  require "timecop"
-
-  describe "ActiveSupport::Cache::RedisStore as a cache backend" do
-    before do
-      Rack::Attack.cache.store = ActiveSupport::Cache::RedisStore.new
-    end
-
-    after do
-      Rack::Attack.cache.store.clear
-    end
-
-    it_works_for_cache_backed_features(fetch_from_store: ->(key) { Rack::Attack.cache.store.read(key) })
-  end
-end