rack-defense 0.2.0 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0c50757c35cc2da91b683042c9e3b756ec83512c
-  data.tar.gz: a491f2c431c5ccb04f5fd75b20314f6fc0e7a543
+  metadata.gz: e7bada9c179abe1e025f6c215e373df5cb17927c
+  data.tar.gz: 04be29b5ea39a050be5d75fe6e03b1c4383a9681
 SHA512:
-  metadata.gz: bc05d56c2f0cfa059aee32d9d2a0158ae8f53f74eed2f8abdf69f051dc6cd3d3268ed4f7d260fc55bbd0744dc22c6cb0fd1d5b6228a66363f3ad5c97a7ab3d78
-  data.tar.gz: d99193f5823229cc5f155bf7b1f5cb1e7eab49af9aa7bf7aa733890a6fdafc35735a92ccab916dcafa2f4be6642235d8c9deac8212b43b148198c30eb545645e
+  metadata.gz: 3cc00287d01a0a63ae7b9864a27e7266dcb023cf1fe3fc2eef5b9bced4ed203606f0b477f846f5431b5136ee76b934a259e99a39eacebe6f1424386a4d9e71a6
+  data.tar.gz: f957e905c4ed10a0228550d082bc7919bf035081e4775d952151aff170ca6124c289d40ab9db2df97a9d09bbf3340dd3b934ee34d82798fd016a48d3b84d6e82

data/README.md

@@ -4,6 +4,7 @@ Rack::Defense
 A Rack middleware for throttling and filtering requests.
 
 [![Build Status](https://travis-ci.org/Sinbadsoft/rack-defense.svg)](https://travis-ci.org/Sinbadsoft/rack-defense)
+[![Security](https://hakiri.io/github/Sinbadsoft/rack-defense/master.svg)](https://hakiri.io/github/Sinbadsoft/rack-defense/master)
 [![Code Climate](https://codeclimate.com/github/Sinbadsoft/rack-defense/badges/gpa.svg)](https://codeclimate.com/github/Sinbadsoft/rack-defense)
 [![Dependency Status](https://gemnasium.com/Sinbadsoft/rack-defense.svg)](https://gemnasium.com/Sinbadsoft/rack-defense)
 [![Gem Version](https://badge.fury.io/rb/rack-defense.svg)](http://badge.fury.io/rb/rack-defense)
@@ -111,7 +112,7 @@ end
 
 ## Filtering
 
-Rack::Defense can reject requests based on arbitrary properties of the request. Matching requests are filtered.
+Rack::Defense can reject requests based on arbitrary properties of the request. Matching requests are filtered out.
 
 ### Examples
 
@@ -172,7 +173,7 @@ as values is passed.
 ```ruby
 Rack::Defense.setup do |config|
   config.after_throttle do |req, rules|
-    logger.info rules.map { |e| "rule name: #{e[0]} - rule throttle key: #{e[1]}" }.join ', '
+    logger.info rules.map { |e| "[Throttled] rule name: #{e[0]} - rule throttle key: #{e[1]}" }.join ', '
   end
 end
 ```

data/lib/rack/defense/throttle_counter.rb

@@ -23,11 +23,10 @@ module Rack
       SCRIPT = <<-LUA_SCRIPT
       local key = KEYS[1]
       local timestamp, max_requests, time_period = tonumber(ARGV[1]), tonumber(ARGV[2]), tonumber(ARGV[3])
-      if redis.call('rpush', key, timestamp) <= max_requests then
-        return false
-      else
-        return (timestamp - tonumber(redis.call('lpop', key))) <= time_period
-      end
+      local throttle = (redis.call('rpush', key, timestamp) > max_requests) and
+                       (timestamp - time_period) <= tonumber(redis.call('lpop', key))
+      redis.call('pexpire', key, time_period)
+      return throttle
       LUA_SCRIPT
 
       private_constant :SCRIPT

data/lib/rack/defense/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class Defense
-    VERSION = '0.2.0'
+    VERSION = '0.2.1'
   end
 end

data/spec/defense_ban_spec.rb

@@ -8,7 +8,7 @@ describe 'Rack::Defense::ban' do
     Rack::Defense.setup do |config|
       # allow only given ips on path
       config.ban('allow_only_ip_list') do |req|
-        req.path == '/protected' && !['192.168.0.1', '127.0.0.1'].include?(req.ip)
+        req.path == '/protected' && !%w(192.168.0.1 127.0.0.1).include?(req.ip)
       end
     end
   end
@@ -27,7 +27,7 @@ describe 'Rack::Defense::ban' do
 
   def check_request(verb, path, ip)
     send verb, path, {}, 'REMOTE_ADDR' => ip
-    expected_status = path == '/protected' && !['192.168.0.1', '127.0.0.1'].include?(ip) ?
+    expected_status = path == '/protected' && !%w(192.168.0.1 127.0.0.1).include?(ip) ?
       status_banned : status_ok
     assert_equal expected_status, last_response.status
   end

data/spec/defense_callbacks_spec.rb

@@ -50,7 +50,6 @@ describe 'Rack::Defense::callbacks' do
   end
 
   def check_callback_data(trace, matching_request_count, rule_data, req_path)
-    puts
     assert_equal matching_request_count, trace.length
     data = trace[-1]
     # check callback data

data/spec/defense_throttle_expire_keys_spec.rb

@@ -0,0 +1,39 @@
+require_relative 'spec_helper'
+
+describe 'Rack::Defense::throttle_expire_keys' do
+  def window
+    10 * 1000 # in milliseconds
+  end
+
+  before do
+    Rack::Defense.setup do |config|
+      # allow 1 requests per #window per ip
+      config.throttle('rule', 3, window) { |req| req.ip if req.path == '/path' }
+    end
+  end
+
+  it 'expire throttle key' do
+    ip = '192.168.169.244'
+    throttle_key = "#{Rack::Defense::ThrottleCounter::KEY_PREFIX}:rule:#{ip}"
+    redis = Rack::Defense.config.store
+    start = Time.now.to_i
+    3.times do
+      get '/path', {}, 'REMOTE_ADDR' => ip
+      assert status_ok, last_response.status
+    end
+
+    get '/path', {}, 'REMOTE_ADDR' => ip
+    elapsed = Time.now.to_i - start
+    if elapsed < window
+      assert status_throttled, last_response.status
+      assert redis.exists throttle_key
+    else
+      puts "Warning: test too slow elapsed:#{elapsed}s expected < #{window}"
+    end
+
+    # Since Redis 2.6 the expire error is from 0 to 1 milliseconds. See http://redis.io/commands/expire
+    sleep (window / 1000) + 0.002
+
+    refute redis.exists throttle_key
+  end
+end

data/spec/defense_throttle_spec.rb

@@ -1,28 +1,30 @@
 require_relative 'spec_helper'
 
 describe 'Rack::Defense::throttle' do
-  PERIOD = 60 * 1000 # in milliseconds
+  def window
+    60 * 1000 # in milliseconds
+  end
 
   before do
     @start_time = Time.utc(2015, 10, 30, 21, 0, 0)
 
     #
-    # configure the Rack::Defense middleware with two throttling
+    # configure the Rack::Defense middleware with throttling
     # strategies.
     #
     Rack::Defense.setup do |config|
-      # allow only 3 post requests on path '/login' per PERIOD per ip
-      config.throttle('login', 3, PERIOD) do |req|
+      # allow only 3 post requests on path '/login' per #window per ip
+      config.throttle('login', 3, window) do |req|
         req.ip if req.path == '/login' && req.post?
       end
 
-      # allow only 50 get requests on path '/search' per PERIOD per ip
-      config.throttle('res', 30, PERIOD) do |req|
+      # allow only 30 get requests on path '/search' per #window per ip
+      config.throttle('res', 30, window) do |req|
         req.ip if req.path == '/search' && req.get?
       end
 
-      # allow only 5 get requests on path /api/* per PERIOD per authorization token
-      config.throttle('api', 5, PERIOD) do |req|
+      # allow only 5 get requests on path /api/* per #window per authorization token
+      config.throttle('api', 5, window) do |req|
         req.env['HTTP_AUTHORIZATION'] if %r{^/api/} =~ req.path
       end
     end
@@ -35,27 +37,27 @@ describe 'Rack::Defense::throttle' do
   end
   it 'ban get requests higher than acceptable rate' do
     10.times do |period|
-      50.times { |offset| check_get_request(offset + period*PERIOD) }
+      50.times { |offset| check_get_request(offset + period*window) }
     end
   end
   it 'ban post requests higher than acceptable rate' do
     10.times do |period|
-      7.times { |offset| check_post_request(offset + period*PERIOD) }
+      7.times { |offset| check_post_request(offset + period*window) }
     end
   end
-  it 'not have side effects between differrent throttle rules with mixed requests' do
+  it 'not have side effects between different throttle rules with mixed requests' do
     10.times do |period|
       50.times do |offset|
-        check_get_request(offset + period*PERIOD)
-        check_post_request(offset + period*PERIOD)
+        check_get_request(offset + period*window)
+        check_post_request(offset + period*window)
       end
     end
   end
   it 'not have side effects between request filtered by the same rule but with different keys' do
     10.times do |period|
       50.times do |offset|
-        check_get_request(offset + period*PERIOD, ip='192.168.0.1')
-        check_get_request(offset + period*PERIOD, ip='192.168.0.2')
+        check_get_request(offset + period*window, ip='192.168.0.1')
+        check_get_request(offset + period*window, ip='192.168.0.2')
       end
     end
   end
@@ -111,7 +113,7 @@ describe 'Rack::Defense::throttle' do
   def check_request(verb, path, time_offset, max_requests, ip, headers={})
     Timecop.freeze(@start_time + time_offset) do
       send verb, path, {}, headers.merge('REMOTE_ADDR' => ip)
-      expected_status = (time_offset % PERIOD) >= max_requests ? status_throttled : status_ok
+      expected_status = (time_offset % window) >= max_requests ? status_throttled : status_ok
       assert_equal expected_status, last_response.status, "offset #{time_offset}"
     end
   end

data/spec/throttle_counter_spec.rb

@@ -2,41 +2,68 @@ require_relative 'spec_helper'
 
 describe Rack::Defense::ThrottleCounter do
   before do
-    @counter = Rack::Defense::ThrottleCounter.new('upload_photo', 5, 10, Redis.current)
     @key = '192.168.0.1'
   end
-
   describe '.throttle?' do
+    window = 60 * 1000
+    before { @counter = Rack::Defense::ThrottleCounter.new('upload_photo', 5, window, Redis.current) }
     it 'allow request number max_requests if after period' do
       do_max_requests_minus_one
-      refute @counter.throttle? @key, 11
+      refute @counter.throttle? @key, window + 1
     end
     it 'block request number max_requests if in period' do
       do_max_requests_minus_one
-      assert @counter.throttle? @key, 10
+      assert @counter.throttle? @key, window
     end
     it 'allow consecutive valid periods' do
-      (0..20).each { |i| do_max_requests_minus_one(11 * i) }
+      (0..20).each { |i| do_max_requests_minus_one((window + 1) * i) }
     end
     it 'block consecutive invalid requests' do
       do_max_requests_minus_one
-      (0..20).each { |i| assert @counter.throttle?(@key, 10 + i) }
+      (0..20).each { |i| assert @counter.throttle?(@key, window + i) }
     end
     it 'use a sliding window and not reset count after each full period' do
-      [5, 6, 7, 8, 9].each { |t| refute @counter.throttle?(@key, t), "timestamp #{t}" }
-      [12, 13, 14, 15].each { |t| assert @counter.throttle?(@key, t), "timestamp #{t}"}
+      [5, 4, 3, 2, 1].map { |e| window - e }.each { |t| refute @counter.throttle?(@key, t), "timestamp #{t}" }
+      [1, 2, 3, 4].map { |e| window + e }.each { |t| assert @counter.throttle?(@key, t), "timestamp #{t}"}
     end
     it 'should unblock after blocking requests' do
       do_max_requests_minus_one
-      assert @counter.throttle? @key, 10
-      assert @counter.throttle? @key, 11
-      refute @counter.throttle? @key, 16
+      assert @counter.throttle? @key, window
+      assert @counter.throttle? @key, window + 1
+      refute @counter.throttle? @key, window + 6
     end
     it 'should include throttled(blocked) request into the request count' do
       [0, 1, 2, 3, 4].each { |t| refute @counter.throttle?(@key, t), "timestamp #{t}" }
-      assert @counter.throttle? @key, 10
-      [16, 17, 18, 19].each { |t| refute @counter.throttle?(@key, t), "timestamp #{t}" }
-      assert @counter.throttle? @key, 20
+      assert @counter.throttle? @key, window
+      [16, 17, 18, 19].map { |e| window + e }.each { |t| refute @counter.throttle?(@key, t), "timestamp #{t}" }
+      assert @counter.throttle? @key, window + 20
+    end
+  end
+  describe 'expire keys' do
+    before do
+      @redis = Redis.current
+      @counter = Rack::Defense::ThrottleCounter.new('rule_name', 3, 10 * 1000, @redis)
+      @throttle_key = "#{Rack::Defense::ThrottleCounter::KEY_PREFIX}:rule_name:#{@key}"
+    end
+    it 'expire throttle key' do
+      start = Time.now.to_i
+
+      3.times do
+        refute @counter.throttle? @key
+      end
+
+      elapsed = Time.now.to_i - start
+      if elapsed < 10
+        assert @counter.throttle? @key
+        assert @redis.exists @throttle_key
+      else
+        puts "Warning: test too slow elapsed:#{elapsed}s expected < #{10}"
+      end
+
+      # Since Redis 2.6 the expire error is from 0 to 1 milliseconds. See http://redis.io/commands/expire
+      sleep 10 + 0.002
+
+      refute @redis.exists @throttle_key
     end
   end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-defense
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.2.1
 platform: ruby
 authors:
 - Chaker Nakhli
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-10-20 00:00:00.000000000 Z
+date: 2014-10-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -109,6 +109,7 @@ files:
 - spec/defense_ban_spec.rb
 - spec/defense_callbacks_spec.rb
 - spec/defense_config_spec.rb
+- spec/defense_throttle_expire_keys_spec.rb
 - spec/defense_throttle_spec.rb
 - spec/spec_helper.rb
 - spec/throttle_counter_spec.rb
@@ -141,6 +142,7 @@ test_files:
 - spec/defense_ban_spec.rb
 - spec/defense_callbacks_spec.rb
 - spec/defense_config_spec.rb
+- spec/defense_throttle_expire_keys_spec.rb
 - spec/defense_throttle_spec.rb
 - spec/spec_helper.rb
 - spec/throttle_counter_spec.rb