Merge pull request #431 from fatkodima/use-middleware

Auto plug middleware for simpler installation

Author: grzuy

Appraisals

@@ -17,24 +17,20 @@ appraise "rack_1_6" do
   gem "rack-test", ">= 0.6"
 end
 
-appraise 'rails_6_0' do
-  gem 'actionpack', '~> 6.0.0'
-  gem 'activesupport', '~> 6.0.0'
+appraise 'rails_6-0' do
+  gem 'railties', '~> 6.0.0'
 end
 
 appraise 'rails_5-2' do
-  gem 'actionpack', '~> 5.2.0'
-  gem 'activesupport', '~> 5.2.0'
+  gem 'railties', '~> 5.2.0'
 end
 
 appraise 'rails_5-1' do
-  gem 'actionpack', '~> 5.1.0'
-  gem 'activesupport', '~> 5.1.0'
+  gem 'railties', '~> 5.1.0'
 end
 
 appraise 'rails_4-2' do
-  gem 'actionpack', '~> 4.2.0'
-  gem 'activesupport', '~> 4.2.0'
+  gem 'railties', '~> 4.2.0'
 
   # Override rack-test version constraint by making it more loose
   # so it's compatible with actionpack 4.2.x

README.md

@@ -68,14 +68,19 @@ Or install it yourself as:
 
 Then tell your ruby web application to use rack-attack as a middleware.
 
-a) For __rails__ applications:
-
+a) For __rails__ applications with versions >= 5 it is used by default. For older rails versions you should enable it explicitly:
 ```ruby
 # In config/application.rb
 
 config.middleware.use Rack::Attack
 ```
 
+You can disable it permanently (like for specific environment) or temporarily (can be useful for specific test cases) by writing:
+
+```ruby
+Rack::Attack.enabled = false
+```
+
 b) For __rack__ applications:
 
 ```ruby

gemfiles/rails_4_2.gemfile

@@ -2,8 +2,7 @@
 
 source "https://rubygems.org"
 
-gem "actionpack", "~> 4.2.0"
-gem "activesupport", "~> 4.2.0"
+gem "railties", "~> 4.2.0"
 gem "rack-test", ">= 0.6"
 
 gemspec path: "../"

gemfiles/rails_5_1.gemfile

@@ -2,7 +2,6 @@
 
 source "https://rubygems.org"
 
-gem "actionpack", "~> 5.1.0"
-gem "activesupport", "~> 5.1.0"
+gem "railties", "~> 5.1.0"
 
 gemspec path: "../"

gemfiles/rails_5_2.gemfile

@@ -2,7 +2,6 @@
 
 source "https://rubygems.org"
 
-gem "actionpack", "~> 5.2.0"
-gem "activesupport", "~> 5.2.0"
+gem "railties", "~> 5.2.0"
 
 gemspec path: "../"

gemfiles/rails_6_0.gemfile

@@ -2,7 +2,6 @@
 
 source "https://rubygems.org"
 
-gem "actionpack", "~> 6.0.0"
-gem "activesupport", "~> 6.0.0"
+gem "railties", "~> 6.0.0"
 
 gemspec path: "../"

lib/rack/attack.rb

@@ -6,6 +6,8 @@
 require 'rack/attack/request'
 require "ipaddr"
 
+require 'rack/attack/railtie' if defined?(::Rails)
+
 module Rack
   class Attack
     class MisconfiguredStoreError < StandardError; end
@@ -28,7 +30,8 @@ class MissingStoreError < StandardError; end
     autoload :Allow2Ban,            'rack/attack/allow2ban'
 
     class << self
-      attr_accessor :notifier, :blocklisted_response, :throttled_response, :anonymous_blocklists, :anonymous_safelists
+      attr_accessor :enabled, :notifier, :blocklisted_response, :throttled_response,
+                    :anonymous_blocklists, :anonymous_safelists
 
       def safelist(name = nil, &block)
         safelist = Safelist.new(name, &block)
@@ -134,6 +137,7 @@ def clear!
     end
 
     # Set defaults
+    @enabled = true
     @anonymous_blocklists = []
     @anonymous_safelists = []
     @notifier = ActiveSupport::Notifications if defined?(ActiveSupport::Notifications)
@@ -148,6 +152,8 @@ def initialize(app)
     end
 
     def call(env)
+      return @app.call(env) unless self.class.enabled
+
       env['PATH_INFO'] = PathNormalizer.normalize_path(env['PATH_INFO'])
       request = Rack::Attack::Request.new(env)
 

lib/rack/attack/railtie.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Rack
+  class Attack
+    class Railtie < ::Rails::Railtie
+      initializer 'rack.attack.middleware', after: :load_config_initializers, before: :build_middleware_stack do |app|
+        if Gem::Version.new(::Rails::VERSION::STRING) >= Gem::Version.new("5")
+          middlewares = app.config.middleware
+          operations = middlewares.send(:operations) + middlewares.send(:delete_operations)
+
+          use_middleware = operations.none? do |operation|
+            middleware = operation[1]
+            middleware.include?(Rack::Attack)
+          end
+
+          middlewares.use(Rack::Attack) if use_middleware
+        end
+      end
+    end
+  end
+end

rack-attack.gemspec

@@ -46,8 +46,5 @@ Gem::Specification.new do |s|
     s.add_development_dependency 'byebug', '~> 11.0'
   end
 
-  # The following are potential runtime dependencies users may have,
-  # which rack-attack uses only for testing compatibility in test suite.
-  s.add_development_dependency 'actionpack', '~> 5.2'
-  s.add_development_dependency 'activesupport', '~> 5.2'
+  s.add_development_dependency 'railties', '>= 4.2'
 end

spec/acceptance/rails_middleware_spec.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require_relative "../spec_helper"
+
+if defined?(Rails)
+  describe "Middleware for Rails" do
+    before do
+      @app = Class.new(Rails::Application) do
+        config.eager_load = false
+        config.logger = Logger.new(nil) # avoid creating the log/ directory automatically
+        config.cache_store = :null_store # avoid creating tmp/ directory for cache
+      end
+    end
+
+    if Gem::Version.new(Rails::VERSION::STRING) >= Gem::Version.new("5")
+      it "is used by default" do
+        @app.initialize!
+        assert_equal 1, @app.middleware.count(Rack::Attack)
+      end
+
+      it "is not added when it was added explicitly" do
+        @app.config.middleware.use(Rack::Attack)
+        @app.initialize!
+        assert_equal 1, @app.middleware.count(Rack::Attack)
+      end
+
+      it "is not added when it was explicitly deleted" do
+        @app.config.middleware.delete(Rack::Attack)
+        @app.initialize!
+        refute @app.middleware.include?(Rack::Attack)
+      end
+    end
+
+    if Gem::Version.new(Rails::VERSION::STRING) < Gem::Version.new("5")
+      it "is not used by default" do
+        @app.initialize!
+        assert_equal 0, @app.middleware.count(Rack::Attack)
+      end
+    end
+  end
+end