rack_attack_admin 0.1.1 → 0.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9ecd6ce1a1b78254993c7d6b6e72b23c7e0aeea62268282666ff3f9c55177f35
-  data.tar.gz: fb1449910735e43bff061886f9d362c0358b8f37b8de2332701864b3d123f859
+  metadata.gz: 56573b4e1953af195a40c77e4ff7a43dc0092ab28752985ff3f21d92ae4b27ce
+  data.tar.gz: 2c224cb40e27bbabac363ba02ed2b37259595d1c4342be2ab2884167d85cb5c3
 SHA512:
-  metadata.gz: d5cb6070210f2b5ba29f3d2c219d9ec3574df58e3e56f0f87294cc60be6c20f719b94379079e3736093a4411584c171445ef2f435e0958d519fee76808ff84c1
-  data.tar.gz: eb24534ef311d712d43647d0804f04ddf193d8f3b623e54bafa80be491e353d83897a05138add8106e0a859f9be8eecc7885d42c0e1318f34c70fde94fe2ff11
+  metadata.gz: 6fd53b0f1e13e09370292b1e3121c1135096d0f4e4f211d11be87dcf588fa4e3a0fadcf8b5f2fab4f666d1600ebf35566022f3d5430833da801d76cde1816ae0
+  data.tar.gz: ca371334c028fcf6e1eb632ca0f8371e58e9cd02c3cf1126e522a430babc30cc953c5e67606d67ee0f73b25f167e7887d005f351cfdc892f9cf41bf8249524b0

data/Changelog.md

@@ -0,0 +1,11 @@
+# Changelog
+
+## 0.1.2 (2019-06-17)
+
+- Various fixes and improvements to the dashboard templates
+- Make it work also when Rack::Attack.cache.store is set to an instance of ActiveSupport::Cache::RedisCacheStore (from rails)
+- Let current_request respond to .html as well as .json
+
+## 0.1.1 (2019-04-02)
+
+Initial release

data/Readme.md

@@ -1,4 +1,8 @@
-# Rack::Attack Admin Dashboard
+# [Rack::Attack](https://github.com/kickstarter/rack-attack) Admin Dashboard  [![Gem Version](https://badge.fury.io/rb/rack_attack_admin.svg)](https://badge.fury.io/rb/rack_attack_admin)
+
+Lets you see the current state of all throttles and bans. Delete existing keys/bans. Manually add bans.
+
+![Screenshot](Screenshot.png)
 
 Inspired by: https://www.backerkit.com/blog/building-a-rackattack-dashboard/
 
@@ -10,11 +14,6 @@ Add this line to your application's `Gemfile`:
 gem 'rack_attack_admin'
 ```
 
-And then execute:
-
-    $ bundle
-
-
 Add this line to your application's `config/routes.rb`:
 
 ```ruby
@@ -23,13 +22,97 @@ mount RackAttackAdmin::Engine, at: '/admin/rack_attack'
 
 ## Usage
 
-TODO: Write usage instructions here
+Go to http://localhost:3000/admin/rack_attack in your browser!
+
+You can also use the provided read-only command-line command, `rake rack_attack_admin:watch` instead of the web interface:
+```
++-------------------------------+--------------------+
+| Banned IP                     | Previous (5 s ago) |
++-------------------------------+--------------------+
+| allow2ban:ban:login-127.0.0.1 |                    |
++-------------------------------+--------------------+
++----------------------------------------------------------------------------------+---------------+--------------------+
+| Key                                                                              | Current Count | Previous (5 s ago) |
++----------------------------------------------------------------------------------+---------------+--------------------+
+| ('allow2ban:count'):login-127.0.0.1                                              | 2             | 1                  |
+| throttle('logins/ip'):127.0.0.1                                                  | 1             |                    |
+| throttle('logins/email'):me@example.com                                          | 1             |                    |
+| throttle('req/ip'):127.0.0.1                                                     | 2             | 1                  |
++----------------------------------------------------------------------------------+---------------+--------------------+
+```
+
 
-## Development
+## Fail2Ban/Allow2Ban
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+In order to allow your Fail2Ban/Allow2Ban rules to be introspected by this app, you must define them
+slightly differently than the upstream [Rack::Attack
+documentation](https://github.com/kickstarter/rack-attack#fail2ban) tells you
+to define them:
+
+If you have an Allow2Ban filter in a blocklist like this:
+
+```ruby
+  blocklist('login:allow2ban') do |req|
+    Rack::Attack::Allow2Ban.filter("login-#{req.ip}", maxretry: 5, findtime: 1.minute, bantime: 10.minutes) do
+      # The count for the IP is incremented if this return value is truthy.
+      is_login.(req)
+    end
+  end
+```
+
+, you can change it to this equivalent definition:
+
+```ruby
+  blocklist('login:allow2ban') do |req|
+    def_allow2ban('login', limit: 5, period: 1.minute, bantime: 10.minutes)
+    allow2ban(    'login', req.ip) do
+      is_login.(req)
+    end
+  end
+```
 
-To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+`def_fail2ban`/`def_allow2ban` save your configuration in a hash (by name, _without_ discriminator in it), much the same as
+`throttle` does.
+
+`fail2ban`/`allow2ban` methods are simply wrappers for `Rack::Attack::Allow2Ban.filter` that look up and use the options from the definition (that matches the given name).
+
+This has the following advantages:
+- It actually stores your Fail2Ban rule so that we can look it up later
+- It provides an API and options that are more similar to and consistent with regular `throttle`
+    commands:
+    ```ruby
+    # Compare:
+    def_allow2ban('login', limit: 5, period: 1.minute, bantime: …)
+    allow2ban('login', discriminator) do
+      # Return truthy value to increment counter
+    end
+    # allow2ban returns true if counter reaches limit
+
+    throttle('logins/email', limit: 5, period: 1.minute) do |req|
+      discriminator.(req)
+    end
+    ```
+- You can use the familiar `limit` and `period` options instead of `maxretry` and `findtime`
+  options, respectively.
+- You don't have to interpolate the discriminator into a string like you do with the standard
+  `Fail2Ban.filter` syntax.
+
+
+This is completely optional. If you choose not to define them this way, it will still show your
+fail2ban counter keys and value; it just won't be able to find the matching rule, and therefore
+won't be able to show what the limit or time bucket is for that counter key. So instead of showing
+the limit for `allow2ban('login')` like it shows in the screenshot above, it will fall back to
+just showing what little it can show about that key:
+
+![Screenshot](Screenshot-not_find_allow2ban_rule.png)
+
+## Redis cache store compatibility
+
+This has been tested with `Rack::Attack.cache.store` set to an instance of:
+- `Redis::Store` from the fantastic [redis-store](https://github.com/redis-store/redis-store) gem.
+  (Which is used by the `ActiveSupport::Cache::RedisStore` (from redis-activesupport/redis-rails
+  gems))
+- `ActiveSupport::Cache::RedisCacheStore` (provided by Rails 5.2+)
 
 ## Contributing
 

data/app/controllers/rack_attack_admin/application_controller.rb

@@ -13,7 +13,21 @@ module RackAttackAdmin
 
     helper_method \
     def is_redis?
-      Rack::Attack.cache.respond.store.respond_to? :ttl
+      Rack::Attack.cache.respond.store.to_s.match?(/Redis/)
+    end
+
+    helper_method \
+    def redis
+      return unless is_redis?
+      store = Rack::Attack.cache.store
+      store = store.redis if store.respond_to?(:redis)
+      store = store.data  if store.respond_to?(:data)
+      store
+    end
+
+    helper_method \
+    def has_ttl?
+      !!redis
     end
 
     helper_method \

data/app/controllers/rack_attack_admin/rack_attack_controller.rb

@@ -5,14 +5,18 @@ module RackAttackAdmin
     # Web version of lib/tasks/rack_attack_admin_tasks.rake
     def index
       @default_banned_ip = Rack::Attack::BannedIp.new(bantime: '60 m')
-      @banned_ip_keys = Rack::Attack::Fail2Ban.banned_ip_keys
       @counters_h     = Rack::Attack.counters_h.
         without(*Rack::Attack::BannedIps.keys)
       render
     end
 
     def current_request
-      render json: current_request_rack_attack_stats
+      respond_to do |format|
+        format.json do
+          render json: current_request_rack_attack_stats
+        end
+        format.html
+      end
     end
   end
 end

data/app/views/rack_attack_admin/banned_ips/_banned_ip.html.haml

@@ -1,3 +1,4 @@
+- expires_column = local_assigns.key?(:expires_column) ? local_assigns[:expires_column] : has_ttl?
 %tr
   %td= key
 
@@ -6,9 +7,10 @@
     = ip
     (#{link_to 'Look up', "http://ip-lookup.net/?ip=#{ip}", target:'_blank'})
 
-  - if is_redis?
+  - if expires_column
     %td
-      - interval = Rack::Attack.cache.store.ttl("#{Rack::Attack.cache.prefix}:#{key}")
+      - if has_ttl?
+        - interval = redis.ttl("#{Rack::Attack.prefix_with_namespace}:#{key}")
       - if interval
         =# distance_of_time_in_words(interval)
         in #{ActiveSupport::Duration.build(interval)&.human_str}

data/app/views/rack_attack_admin/rack_attack/current_request.html.haml

@@ -0,0 +1,10 @@
+%h1 Current Request
+%table.table.table-striped
+  %thead
+    %tr
+      %th Key
+      %th Value
+  - current_request_rack_attack_stats.each do |key, value|
+    %tr
+      %td= key
+      %td= value

data/app/views/rack_attack_admin/rack_attack/index.html.haml

@@ -4,14 +4,14 @@
     %tr
       %th Key
       %th Banned IP
-      - if is_redis?
-        %th Expires
+      %th Expires
       %th Actions
 
   = render partial: 'rack_attack_admin/banned_ips/banned_ip',
     collection: Rack::Attack::BannedIps.keys, as: 'key',
     locals: { _:nil,
       full_key_prefix: Rack::Attack::BannedIps.full_key_prefix,
+      expires_column: true,
     }
 
   = form_for @default_banned_ip, url: [rack_attack_admin, :banned_ips] do |f|
@@ -27,18 +27,17 @@
     %tr
       %th Key
       %th Banned IP
-      - if is_redis?
+      - if has_ttl?
         %th Expires
       %th Actions
 
--#
-  = render partial: 'admin/rack_attack/banned_ips/banned_ip',
-    collection: @banned_ip_keys, as: 'key',
+  = render partial: 'rack_attack_admin/banned_ips/banned_ip',
+    collection: Rack::Attack::Fail2Ban.banned_ip_keys, as: 'key',
     locals: { _:nil,
       full_key_prefix: Rack::Attack::Fail2Ban.full_key_prefix,
     }
 
-%h1 Throttle/Fail2Ban Count Keys
+%h1 Throttle/Fail2Ban Counters
 %table.table.table-striped.mb-0
   %thead
     %tr
@@ -52,11 +51,25 @@
         (Time bucket)
       %th Actions
   - @counters_h.each do |key, value|
+    :ruby
+      parsed = Rack::Attack.parse_key(key)
+      value = value.to_i
+      name = Rack::Attack.humanize_key(key).sub(":#{parsed[:discriminator]}", '')
+
+      # We can get expires_in from redis or directly from the matched throttle rule
+      interval =
+        if has_ttl?
+          redis.ttl("#{Rack::Attack.prefix_with_namespace}:#{key}")
+        elsif parsed and time_range = parsed[:time_range]
+          (time_range.end - Time.now)
+        end
+      if parsed
+        time_range = parsed[:time_range]
+      end
+      if time_range
+        human_duration = time_range.duration&.human_str
+      end
     %tr
-      :ruby
-        parsed = Rack::Attack.parse_key(key)
-        value = value.to_i
-        name = Rack::Attack.humanize_key(key).sub(":#{parsed[:discriminator]}", '')
       %td
         = name
         -# if parsed and rule = parsed[:rule]
@@ -65,52 +78,33 @@
       %td= parsed[:discriminator]
 
       - limit = parsed && (rule = parsed[:rule]) && rule.limit.to_i
-      - over_limit = value >= limit
+      - over_limit = limit && value >= limit
       %td{class: ('over_limit' if over_limit), style: ('color: red' if over_limit)}
         = value
+        <br/>
         - if limit
-          = "/#{limit}"
+          Limit:
+          = "#{limit}"
+          = "/#{human_duration}" if human_duration
+          <br/>
+          - if time_range
+            %small
+              (#{(limit / (time_range.duration/60.0)).round(0)}/min)
 
       %td
-        -# We can get expires_in from redis or directly from the mached throttle rule
-        :ruby
-          interval =
-            if is_redis?
-              Rack::Attack.cache.store.ttl("#{Rack::Attack.cache.prefix}:#{key}")
-            elsif parsed and time_range = parsed[:time_range]
-              (time_range.end - Time.now)
-            end
         - if interval
-          in #{ActiveSupport::Duration.build(interval)&.human_str}<br/>
+          - if interval < 0
+            expired<br/>
+          - elsif interval
+            in #{ActiveSupport::Duration.build(interval)&.human_str}<br/>
 
-        - if parsed and time_range = parsed[:time_range]
-          %small
-            (#{  time_range.begin.to_s(:time_with_s)}
-            %span><
-              \-
-            #{time_range.end  .to_s(:time_with_s)}
-            \= #{time_range.duration&.human_str})
+          - if time_range
+            %small
+              (#{  time_range.begin.to_s(:time_with_s)}
+              %span><
+                \-
+              #{time_range.end  .to_s(:time_with_s)}
+              \= #{human_duration})
 
       %td= link_to 'Delete', rack_attack_admin.key_path(key), method: :delete, class: 'btn'
 .current_time.mb-2 (Current time: #{Time.now.to_s(:time_with_s)})
-
-%h1 Flags
-%table.table.table-striped
-  %thead
-    %tr
-      %th Key
-      %th Value
-  %tr
-    %td cookies[:skip_safelist]
-    %td= cookies[:skip_safelist]
-
-%h1 Current Request
-%table.table.table-striped
-  %thead
-    %tr
-      %th Key
-      %th Value
-  - current_request_rack_attack_stats.each do |key, value|
-    %tr
-      %td= key
-      %td= value

data/lib/rack/attack_extensions.rb

@@ -6,8 +6,65 @@ class Rack::Attack
   class << self
     extend Memoist
 
+    def all_keys
+      store, namespace = cache_store_and_namespace_to_strip
+      keys = store.keys
+      if namespace
+        keys.map {|key| key.to_s.sub(/^#{namespace}:/, '') }
+      else
+        keys
+      end
+    end
+
+    # The same as cache.prefix but prefixed with "{namespace}:" if namespace option is set and needs
+    # to be stripped from keys returned from store.keys.
+    # Like cache.prefix, this does not include the trailing ':'.
+    def prefix_with_namespace_to_strip
+      prefix = cache.prefix
+      store, namespace = cache_store_and_namespace_to_strip
+      if namespace
+        prefix = "#{namespace}:#{prefix}"
+      end
+      prefix
+    end
+
+    # The same as cache.prefix but prefixed with "{namespace}:" if namespace option is set.
+    # Needed when passing a key directly to a Redis command, like Redis#ttl, since Redis class
+    # doesn't know about namespacing.
+    def prefix_with_namespace
+      prefix = cache.prefix
+      if namespace = cache_namespace
+        prefix = "#{namespace}:#{prefix}"
+      end
+      prefix
+    end
+
+    def cache_namespace
+      cache.store&.options&.[](:namespace)
+    end
+
+    # Returns an array of [cache_store, namespace_to_strip]
+    # This will either be [a Redis::Store, nil] or
+    #                     [a Redis       , namespace_to_strip]
+    def cache_store_and_namespace_to_strip
+      store = cache.store
+      # Store can be a ActiveSupport::Cache::RedisCacheStore, a Redis::Store object, or a Redis object.
+      # If it is a ActiveSupport::Cache::RedisCacheStore, then we need to get the redis object in
+      # order to get keys from it.
+      store = store.redis if store.respond_to?(:redis)
+      if store.respond_to?(:data)  # Redis::Store already stripped namespaced
+        store = store.data
+        [store, nil]
+      else
+        # Redis object (which is all we have available in the case of a
+        # ActiveSupport::Cache::RedisCacheStore) unfortunately returns keys with namespace prefix in
+        # each key, so we need to strip this out (Redis::Store does this already; see store.data.keys above)
+        [store, cache_namespace]
+      end
+    end
+
     def prefixed_keys
-      cache.store.keys.grep(/^rack::attack:/)
+      all_keys.grep(/^#{cache.prefix}:/)
     end
 
     # AKA unprefixed_keys
@@ -56,9 +113,6 @@ class Rack::Attack
       )
     end
 
-    class ParsedKey
-    end
-
     # Reverse Cache#key_and_expiry:
     #   … "#{prefix}:#{(@last_epoch_time / period).to_i}:#{unprefixed_key}" …
     # @return [Hash]
@@ -231,7 +285,7 @@ class Rack::Attack
 
     class << self
       def prefixed_keys
-        cache.store.keys.grep(/^#{cache.prefix}:(allow|fail)2ban:/)
+        Rack::Attack.all_keys.grep(/^#{cache.prefix}:(allow|fail)2ban:/)
       end
 
       # AKA unprefixed_keys
@@ -273,7 +327,7 @@ class Rack::Attack
   class BannedIps
     class << self
       def prefixed_keys
-        cache.store.keys.grep(/^#{full_key_prefix}:/)
+        Rack::Attack.all_keys.grep(/^#{full_key_prefix}:/)
       end
 
       # Removes only the Rack::Attack.cache.prefix

data/lib/rack_attack_admin/version.rb

@@ -1,5 +1,5 @@
 module RackAttackAdmin
     def self.version
-      "0.1.1"
+      "0.1.2"
     end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack_attack_admin
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.2
 platform: ruby
 authors:
 - Tyler Rick
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-04-02 00:00:00.000000000 Z
+date: 2019-06-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -164,11 +164,14 @@ files:
 - License
 - Rakefile
 - Readme.md
+- Screenshot-not_find_allow2ban_rule.png
+- Screenshot.png
 - app/controllers/rack_attack_admin/application_controller.rb
 - app/controllers/rack_attack_admin/banned_ips_controller.rb
 - app/controllers/rack_attack_admin/keys_controller.rb
 - app/controllers/rack_attack_admin/rack_attack_controller.rb
 - app/views/rack_attack_admin/banned_ips/_banned_ip.html.haml
+- app/views/rack_attack_admin/rack_attack/current_request.html.haml
 - app/views/rack_attack_admin/rack_attack/index.html.haml
 - bin/console
 - bin/setup
@@ -201,7 +204,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.1
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: A Rack::Attack admin dashboard