|
62 | 62 | end |
63 | 63 | end |
64 | 64 |
|
65 | | - describe "#apply_configuration" do |
| 65 | + describe "#enable_rack_attack!" do |
| 66 | + before do |
| 67 | + described_class.enable_rack_attack! |
| 68 | + end |
| 69 | + |
| 70 | + it "enables Rack::Attack" do |
| 71 | + expect(Rack::Attack.enabled).to be_truthy |
| 72 | + end |
| 73 | + end |
| 74 | + |
| 75 | + describe "#disable_rack_attack!" do |
66 | 76 | before do |
67 | | - described_class.apply_configuration |
68 | | - Rack::Attack.reset! |
| 77 | + described_class.disable_rack_attack! |
69 | 78 | end |
70 | 79 |
|
| 80 | + it "enables Rack::Attack" do |
| 81 | + expect(Rack::Attack.enabled).to be_falsey |
| 82 | + end |
| 83 | + end |
| 84 | + |
| 85 | + describe "#deactivate_decidim_throttling!" do |
| 86 | + before do |
| 87 | + # Decidim throttling is deactivated by default in rails env test |
| 88 | + # https://github.com/decidim/decidim/blob/release/0.27-stable/decidim-core/config/initializers/rack_attack.rb#L19 |
| 89 | + # so we add some keys to test the method |
| 90 | + Rack::Attack.throttle("limit confirmations attempts per code", limit: 5, period: 60.seconds) # added by module friendly_signup in decidim_app |
| 91 | + Rack::Attack.throttle("requests by ip", limit: 5, period: 60.seconds) |
| 92 | + described_class.deactivate_decidim_throttling! |
| 93 | + end |
| 94 | + |
| 95 | + after do |
| 96 | + # delete the added keys |
| 97 | + Rack::Attack.throttles.delete("requests by ip") |
| 98 | + Rack::Attack.throttles.delete("limit confirmations attempts per code") |
| 99 | + end |
| 100 | + |
| 101 | + it "deactivates Decidim throttling" do |
| 102 | + expect(Rack::Attack.throttles.keys.join).to include("limit confirmations attempts per code") |
| 103 | + expect(Rack::Attack.throttles.keys.join).not_to include("requests by ip") |
| 104 | + end |
| 105 | + end |
| 106 | + |
| 107 | + describe "#apply_configuration" do |
71 | 108 | describe "Throttling" do |
72 | 109 | let(:headers) { { "REMOTE_ADDR" => "1.2.3.4", "decidim.current_organization" => organization } } |
| 110 | + let(:rack_max_requests) { 15 } |
73 | 111 |
|
74 | | - it "successful for 100 requests, then blocks the user" do |
75 | | - 100.times do |
76 | | - get decidim.root_path, params: {}, headers: headers |
77 | | - expect(response).to have_http_status(:ok) |
78 | | - end |
79 | | - |
80 | | - get decidim.root_path, params: {}, headers: headers |
81 | | - expect(response).to have_http_status(:too_many_requests) |
82 | | - expect(response.body).to include("Your connection has been slowed because server received too many requests.") |
| 112 | + before do |
| 113 | + allow(Rails.application.secrets).to receive(:dig).with(any_args).and_call_original |
| 114 | + allow(Rails.application.secrets).to receive(:dig).with(:decidim, :rack_attack, :throttle, :max_requests).and_return(rack_max_requests) |
| 115 | + described_class.apply_configuration |
| 116 | + Rack::Attack.reset! |
| 117 | + described_class.enable_rack_attack! |
| 118 | + end |
83 | 119 |
|
84 | | - travel_to(1.minute.from_now) do |
85 | | - get decidim.root_path, params: {}, headers: headers |
86 | | - expect(response).to have_http_status(:ok) |
87 | | - end |
| 120 | + it "defines default period and max_requests" do |
| 121 | + expect(DecidimApp::RackAttack::Throttling.max_requests).to eq(rack_max_requests) |
| 122 | + expect(DecidimApp::RackAttack::Throttling.period).to eq(60) |
88 | 123 | end |
89 | 124 |
|
90 | | - it "successful for 99 requests" do |
91 | | - 99.times do |
| 125 | + it "successful for 15 requests, then blocks the user" do |
| 126 | + rack_max_requests.times do |
92 | 127 | get decidim.root_path, params: {}, headers: headers |
93 | 128 | expect(response).to have_http_status(:ok) |
| 129 | + expect(response.body).not_to include("Your connection has been slowed because server received too many requests.") |
94 | 130 | end |
95 | 131 |
|
96 | 132 | get decidim.root_path, params: {}, headers: headers |
97 | | - expect(response.body).not_to include("Your connection has been slowed because server received too many requests.") |
98 | | - expect(response).not_to have_http_status(:too_many_requests) |
| 133 | + expect(response).to have_http_status(:too_many_requests) |
| 134 | + expect(response.body).to include("Your connection has been slowed because server received too many requests.") |
99 | 135 |
|
100 | 136 | travel_to(1.minute.from_now) do |
101 | 137 | get decidim.root_path, params: {}, headers: headers |
|
107 | 143 | describe "Fail2Ban" do |
108 | 144 | let(:headers) { { "REMOTE_ADDR" => "1.2.3.4", "decidim.current_organization" => organization } } |
109 | 145 |
|
| 146 | + before do |
| 147 | + described_class.apply_configuration |
| 148 | + Rack::Attack.reset! |
| 149 | + described_class.enable_rack_attack! |
| 150 | + end |
| 151 | + |
110 | 152 | %w(/etc/passwd /wp-admin/index.php /wp-login/index.php SELECT CONCAT /.git/config).each do |path| |
111 | 153 | it "blocks user for specific request : '#{path}'" do |
112 | 154 | get "#{decidim.root_path}#{path}", params: {}, headers: headers |
|