wkimeria-rack-attack 4.1.2

data/spec/fail2ban_spec.rb

@@ -0,0 +1,121 @@
+require_relative 'spec_helper'
+describe 'Rack::Attack.Fail2Ban' do
+  before do
+    # Use a long findtime; failures due to cache key rotation less likely
+    @cache = Rack::Attack.cache
+    @findtime = 60
+    @bantime  = 60
+    Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+    @f2b_options = {:bantime => @bantime, :findtime => @findtime, :maxretry => 2}
+    Rack::Attack.blacklist('pentest') do |req|
+      Rack::Attack::Fail2Ban.filter(req.ip, @f2b_options){req.query_string =~ /OMGHAX/}
+    end
+  end
+
+  describe 'discriminator has not been banned' do
+    describe 'making ok request' do
+      it 'succeeds' do
+        get '/', {}, 'REMOTE_ADDR' => '1.2.3.4'
+        last_response.status.must_equal 200
+      end
+    end
+
+    describe 'making failing request' do
+      describe 'when not at maxretry' do
+        before { get '/?foo=OMGHAX', {}, 'REMOTE_ADDR' => '1.2.3.4' }
+        it 'fails' do
+          last_response.status.must_equal 403
+        end
+
+        it 'increases fail count' do
+          key = "rack::attack:#{Time.now.to_i/@findtime}:fail2ban:count:1.2.3.4"
+          @cache.store.read(key).must_equal 1
+        end
+
+        it 'is not banned' do
+          key = "rack::attack:fail2ban:1.2.3.4"
+          @cache.store.read(key).must_be_nil
+        end
+      end
+
+      describe 'when at maxretry' do
+        before do
+          # maxretry is 2 - so hit with an extra failed request first
+          get '/?test=OMGHAX', {}, 'REMOTE_ADDR' => '1.2.3.4'
+          get '/?foo=OMGHAX', {}, 'REMOTE_ADDR' => '1.2.3.4'
+        end
+
+        it 'fails' do
+          last_response.status.must_equal 403
+        end
+
+        it 'increases fail count' do
+          key = "rack::attack:#{Time.now.to_i/@findtime}:fail2ban:count:1.2.3.4"
+          @cache.store.read(key).must_equal 2
+        end
+
+        it 'is banned' do
+          key = "rack::attack:fail2ban:ban:1.2.3.4"
+          @cache.store.read(key).must_equal 1
+        end
+
+      end
+    end
+  end
+
+  describe 'discriminator has been banned' do
+    before do
+      # maxretry is 2 - so hit enough times to get banned
+      get '/?test=OMGHAX', {}, 'REMOTE_ADDR' => '1.2.3.4'
+      get '/?foo=OMGHAX', {}, 'REMOTE_ADDR' => '1.2.3.4'
+    end
+
+    describe 'making request for other discriminator' do
+      it 'succeeds' do
+        get '/', {}, 'REMOTE_ADDR' => '2.2.3.4'
+        last_response.status.must_equal 200
+      end
+    end
+
+    describe 'making ok request' do
+      before do
+        get '/', {}, 'REMOTE_ADDR' => '1.2.3.4'
+      end
+
+      it 'fails' do
+        last_response.status.must_equal 403
+      end
+
+      it 'does not increase fail count' do
+        key = "rack::attack:#{Time.now.to_i/@findtime}:fail2ban:count:1.2.3.4"
+        @cache.store.read(key).must_equal 2
+      end
+
+      it 'is still banned' do
+        key = "rack::attack:fail2ban:ban:1.2.3.4"
+        @cache.store.read(key).must_equal 1
+      end
+    end
+
+    describe 'making failing request' do
+      before do
+        get '/?foo=OMGHAX', {}, 'REMOTE_ADDR' => '1.2.3.4'
+      end
+
+      it 'fails' do
+        last_response.status.must_equal 403
+      end
+
+      it 'does not increase fail count' do
+        key = "rack::attack:#{Time.now.to_i/@findtime}:fail2ban:count:1.2.3.4"
+        @cache.store.read(key).must_equal 2
+      end
+
+      it 'is still banned' do
+        key = "rack::attack:fail2ban:ban:1.2.3.4"
+        @cache.store.read(key).must_equal 1
+      end
+    end
+
+  end
+end

data/spec/integration/offline_spec.rb

@@ -0,0 +1,47 @@
+require 'active_support/cache'
+require 'active_support/cache/redis_store'
+require 'dalli'
+require_relative '../spec_helper'
+
+OfflineExamples = Minitest::SharedExamples.new do
+
+  it 'should write' do
+    @cache.write('cache-test-key', 'foobar', 1)
+  end
+
+  it 'should read' do
+    @cache.read('cache-test-key')
+  end
+
+  it 'should count' do
+    @cache.send(:do_count, 'rack::attack::cache-test-key', 1)
+  end
+
+end
+
+describe 'when Redis is offline' do
+  include OfflineExamples
+
+  before {
+    @cache = Rack::Attack::Cache.new
+    # Use presumably unused port for Redis client
+    @cache.store = ActiveSupport::Cache::RedisStore.new(:host => '127.0.0.1', :port => 3333)
+  }
+
+end
+
+describe 'when Memcached is offline' do
+  include OfflineExamples
+
+  before {
+    Dalli.logger.level = Logger::FATAL
+
+    @cache = Rack::Attack::Cache.new
+    @cache.store = Dalli::Client.new('127.0.0.1:22122')
+  }
+
+  after {
+    Dalli.logger.level = Logger::INFO
+  }
+
+end

data/spec/integration/rack_attack_cache_spec.rb

@@ -0,0 +1,86 @@
+require_relative '../spec_helper'
+
+describe Rack::Attack::Cache do
+  def delete(key)
+    if @cache.store.respond_to?(:delete)
+      @cache.store.delete(key)
+    else
+      @cache.store.del(key)
+    end
+  end
+
+  def sleep_until_expired
+    sleep(@expires_in * 1.1) # Add 10% to reduce errors
+  end
+
+  require 'active_support/cache/dalli_store'
+  require 'active_support/cache/redis_store'
+  require 'connection_pool'
+  cache_stores = [
+    ActiveSupport::Cache::MemoryStore.new,
+    ActiveSupport::Cache::DalliStore.new("127.0.0.1"),
+    ActiveSupport::Cache::RedisStore.new("127.0.0.1"),
+    Dalli::Client.new,
+    ConnectionPool.new { Dalli::Client.new },
+    Redis::Store.new
+  ]
+
+  cache_stores.each do |store|
+    store = Rack::Attack::StoreProxy.build(store)
+    describe "with #{store.class}" do
+
+      before {
+        @cache = Rack::Attack::Cache.new
+        @key = "rack::attack:cache-test-key"
+        @expires_in = 1
+        @cache.store = store
+        delete(@key)
+      }
+
+      after { delete(@key) }
+
+      describe "do_count once" do
+        it "should be 1" do
+          @cache.send(:do_count, @key, @expires_in).must_equal 1
+        end
+      end
+
+      describe "do_count twice" do
+        it "must be 2" do
+          @cache.send(:do_count, @key, @expires_in)
+          @cache.send(:do_count, @key, @expires_in).must_equal 2
+        end
+      end
+      describe "do_count after expires_in" do
+        it "must be 1" do
+          @cache.send(:do_count, @key, @expires_in)
+          sleep_until_expired
+          @cache.send(:do_count, @key, @expires_in).must_equal 1
+        end
+      end
+
+      describe "write" do
+        it "should write a value to the store with prefix" do
+          @cache.write("cache-test-key", "foobar", 1)
+          store.read(@key).must_equal "foobar"
+        end
+      end
+
+      describe "write after expiry" do
+        it "must not have a value" do
+          @cache.write("cache-test-key", "foobar", @expires_in)
+          sleep_until_expired
+          store.read(@key).must_be :nil?
+        end
+      end
+
+      describe "read" do
+        it "must read the value with a prefix" do
+          store.write(@key, "foobar", :expires_in => @expires_in)
+          @cache.read("cache-test-key").must_equal "foobar"
+        end
+      end
+    end
+
+  end
+end

data/spec/rack_attack_conditional_throttle_spec.rb

@@ -0,0 +1,53 @@
+require_relative 'spec_helper'
+describe 'Rack::Attack.conditional_throttle' do
+  before do
+    @period = 60 # Use a long period; failures due to cache key rotation less likely
+    Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+    Rack::Attack.conditional_throttle('login', :limit => 1, :period => @period) { |req| req.ip }
+  end
+
+  it('should have a throttle'){ Rack::Attack.throttles.key?('login') }
+  allow_ok_requests
+
+  describe 'a single successful request' do
+    before { get '/', {}, 'REMOTE_ADDR' => '1.2.3.4' }
+    it 'should not set the counter for one request' do
+      key = "rack::attack:#{Time.now.to_i/@period}:login:1.2.3.4"
+      Rack::Attack.cache.store.read(key).must_equal nil
+    end
+  end
+  describe "with 2 requests" do
+    before do
+      2.times { get '/', {}, 'REMOTE_ADDR' => '1.2.3.4' }
+    end
+    it 'should not block the last request' do
+      last_response.status.must_equal 200
+    end
+  end
+
+  describe 'a successful request followed by failed request' do
+    before { get '/', {}, 'REMOTE_ADDR' => '1.2.3.4' }
+    it 'should increment counter for failed request' do
+      key = "rack::attack:#{Time.now.to_i/@period}:login:1.2.3.4"
+      Rack::Attack.increment_throttle_counter('login', '1.2.3.4')
+      Rack::Attack.cache.store.read(key).must_equal 1
+    end
+  end
+
+  describe 'a successful request followed by two failed request followed by successful request' do
+    before {
+      get '/', {}, 'REMOTE_ADDR' => '1.2.3.4'
+      @key = "rack::attack:#{Time.now.to_i/@period}:login:1.2.3.4"
+      Rack::Attack.increment_throttle_counter('login', '1.2.3.4')
+      Rack::Attack.increment_throttle_counter('login', '1.2.3.4')
+    }
+    it 'should increment counter for failed request' do
+
+      Rack::Attack.cache.store.read(@key).must_equal 2
+      get '/', {}, 'REMOTE_ADDR' => '1.2.3.4'
+      Rack::Attack.cache.store.read(@key).must_equal 2
+      last_response.status.must_equal 429
+    end
+  end
+end
+

data/spec/rack_attack_dalli_proxy_spec.rb

@@ -0,0 +1,10 @@
+require_relative 'spec_helper'
+
+describe Rack::Attack::StoreProxy::DalliProxy do
+
+  it 'should stub Dalli::Client#with on older clients' do
+    proxy = Rack::Attack::StoreProxy::DalliProxy.new(Class.new)
+    proxy.with {} # will not raise an error
+  end
+
+end

data/spec/rack_attack_request_spec.rb

@@ -0,0 +1,19 @@
+require_relative 'spec_helper'
+
+describe 'Rack::Attack' do
+  describe 'helpers' do
+    before do
+      class Rack::Attack::Request
+        def remote_ip
+          ip
+        end
+      end
+
+      Rack::Attack.whitelist('valid IP') do |req|
+        req.remote_ip == "127.0.0.1"
+      end
+    end
+
+    allow_ok_requests
+  end
+end

data/spec/rack_attack_spec.rb

@@ -0,0 +1,50 @@
+require_relative 'spec_helper'
+
+describe 'Rack::Attack' do
+  allow_ok_requests
+
+  describe 'blacklist' do
+    before do
+      @bad_ip = '1.2.3.4'
+      Rack::Attack.blacklist("ip #{@bad_ip}") {|req| req.ip == @bad_ip }
+    end
+
+    it('has a blacklist') { Rack::Attack.blacklists.key?("ip #{@bad_ip}") }
+
+    describe "a bad request" do
+      before { get '/', {}, 'REMOTE_ADDR' => @bad_ip }
+      it "should return a blacklist response" do
+        get '/', {}, 'REMOTE_ADDR' => @bad_ip
+        last_response.status.must_equal 403
+        last_response.body.must_equal "Forbidden\n"
+      end
+      it "should tag the env" do
+        last_request.env['rack.attack.matched'].must_equal "ip #{@bad_ip}"
+        last_request.env['rack.attack.match_type'].must_equal :blacklist
+      end
+
+      allow_ok_requests
+    end
+
+    describe "and whitelist" do
+      before do
+        @good_ua = 'GoodUA'
+        Rack::Attack.whitelist("good ua") {|req| req.user_agent == @good_ua }
+      end
+
+      it('has a whitelist'){ Rack::Attack.whitelists.key?("good ua") }
+      describe "with a request match both whitelist & blacklist" do
+        before { get '/', {}, 'REMOTE_ADDR' => @bad_ip, 'HTTP_USER_AGENT' => @good_ua }
+        it "should allow whitelists before blacklists" do
+          get '/', {}, 'REMOTE_ADDR' => @bad_ip, 'HTTP_USER_AGENT' => @good_ua
+          last_response.status.must_equal 200
+        end
+        it "should tag the env" do
+          last_request.env['rack.attack.matched'].must_equal 'good ua'
+          last_request.env['rack.attack.match_type'].must_equal :whitelist
+        end
+      end
+    end
+  end
+
+end

data/spec/rack_attack_throttle_spec.rb

@@ -0,0 +1,64 @@
+require_relative 'spec_helper'
+describe 'Rack::Attack.throttle' do
+  before do
+    @period = 60 # Use a long period; failures due to cache key rotation less likely
+    Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+    Rack::Attack.throttle('ip/sec', :limit => 1, :period => @period) { |req| req.ip }
+  end
+
+  it('should have a throttle'){ Rack::Attack.throttles.key?('ip/sec') }
+  allow_ok_requests
+
+  describe 'a single request' do
+    before { get '/', {}, 'REMOTE_ADDR' => '1.2.3.4' }
+    it 'should set the counter for one request' do
+      key = "rack::attack:#{Time.now.to_i/@period}:ip/sec:1.2.3.4"
+      Rack::Attack.cache.store.read(key).must_equal 1
+    end
+
+    it 'should populate throttle data' do
+      data = { :count => 1, :limit => 1, :period => @period }
+      last_request.env['rack.attack.throttle_data']['ip/sec'].must_equal data
+    end
+  end
+  describe "with 2 requests" do
+    before do
+      2.times { get '/', {}, 'REMOTE_ADDR' => '1.2.3.4' }
+    end
+    it 'should block the last request' do
+      last_response.status.must_equal 429
+    end
+    it 'should tag the env' do
+      last_request.env['rack.attack.matched'].must_equal 'ip/sec'
+      last_request.env['rack.attack.match_type'].must_equal :throttle
+      last_request.env['rack.attack.match_data'].must_equal({:count => 2, :limit => 1, :period => @period})
+      last_request.env['rack.attack.match_discriminator'].must_equal('1.2.3.4')
+    end
+    it 'should set a Retry-After header' do
+      last_response.headers['Retry-After'].must_equal @period.to_s
+    end
+  end
+end
+
+describe 'Rack::Attack.throttle with limit as proc' do
+  before do
+    @period = 60 # Use a long period; failures due to cache key rotation less likely
+    Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+    Rack::Attack.throttle('ip/sec', :limit => lambda {|req| 1}, :period => @period) { |req| req.ip }
+  end
+
+  allow_ok_requests
+
+  describe 'a single request' do
+    before { get '/', {}, 'REMOTE_ADDR' => '1.2.3.4' }
+    it 'should set the counter for one request' do
+      key = "rack::attack:#{Time.now.to_i/@period}:ip/sec:1.2.3.4"
+      Rack::Attack.cache.store.read(key).must_equal 1
+    end
+
+    it 'should populate throttle data' do
+      data = { :count => 1, :limit => 1, :period => @period }
+      last_request.env['rack.attack.throttle_data']['ip/sec'].must_equal data
+    end
+  end
+end