From 77e400aa0cf13c333f0e7b2b8bffcc8460cec83d Mon Sep 17 00:00:00 2001
From: moustachu
Date: Tue, 19 Nov 2024 16:22:42 +0100
Subject: [PATCH] fix: rack attack tests

---
 spec/lib/decidim_app/rack_attack_spec.rb | 72 +++++++++++++++++-------
 spec/system/confirmation_spec.rb | 3 +-
 2 files changed, 54 insertions(+), 21 deletions(-)

diff --git a/spec/lib/decidim_app/rack_attack_spec.rb b/spec/lib/decidim_app/rack_attack_spec.rb
index 0aca1063..608a7ce3 100644
--- a/spec/lib/decidim_app/rack_attack_spec.rb
+++ b/spec/lib/decidim_app/rack_attack_spec.rb
@@ -62,40 +62,66 @@ end end - describe "#apply_configuration" do + describe "#enable_rack_attack!" do + before do + described_class.enable_rack_attack! + end + + it "enables Rack::Attack" do + expect(Rack::Attack.enabled).to be_truthy + end + end + + describe "#disable_rack_attack!" do + before do + described_class.disable_rack_attack! + end + + it "enables Rack::Attack" do + expect(Rack::Attack.enabled).to be_falsey + end + end + + describe "#deactivate_decidim_throttling!" do before do - described_class.apply_configuration - Rack::Attack.reset! + described_class.deactivate_decidim_throttling! end + it "deactivates Decidim throttling" do + # Decidim throttling is deactivated by default in rails env test + # https://github.com/decidim/decidim/blob/release/0.27-stable/decidim-core/config/initializers/rack_attack.rb#L19 + expect(Rack::Attack.throttles.keys.join).to include("limit confirmations attempts per code") + end + end + + describe "#apply_configuration" do describe "Throttling" do let(:headers) { { "REMOTE_ADDR" => "1.2.3.4", "decidim.current_organization" => organization } } + let(:rack_max_requests) { 15 } - it "successful for 100 requests, then blocks the user" do - 100.times do - get decidim.root_path, params: {}, headers: headers - expect(response).to have_http_status(:ok) - end - - get decidim.root_path, params: {}, headers: headers - expect(response).to have_http_status(:too_many_requests) - expect(response.body).to include("Your connection has been slowed because server received too many requests.") + before do + allow(Rails.application.secrets).to receive(:dig).with(any_args).and_call_original + allow(Rails.application.secrets).to receive(:dig).with(:decidim, :rack_attack, :throttle, :max_requests).and_return(rack_max_requests) + described_class.apply_configuration + Rack::Attack.reset! + described_class.enable_rack_attack! 
+ end - travel_to(1.minute.from_now) do - get decidim.root_path, params: {}, headers: headers - expect(response).to have_http_status(:ok) - end + it "defines default period and max_requests" do + expect(DecidimApp::RackAttack::Throttling.max_requests).to eq(rack_max_requests) + expect(DecidimApp::RackAttack::Throttling.period).to eq(60) end - it "successful for 99 requests" do - 99.times do + it "successful for 15 requests, then blocks the user" do + rack_max_requests.times do get decidim.root_path, params: {}, headers: headers expect(response).to have_http_status(:ok) + expect(response.body).not_to include("Your connection has been slowed because server received too many requests.") end get decidim.root_path, params: {}, headers: headers - expect(response.body).not_to include("Your connection has been slowed because server received too many requests.") - expect(response).not_to have_http_status(:too_many_requests) + expect(response).to have_http_status(:too_many_requests) + expect(response.body).to include("Your connection has been slowed because server received too many requests.") travel_to(1.minute.from_now) do get decidim.root_path, params: {}, headers: headers @@ -107,6 +133,12 @@ describe "Fail2Ban" do let(:headers) { { "REMOTE_ADDR" => "1.2.3.4", "decidim.current_organization" => organization } } + before do + described_class.apply_configuration + Rack::Attack.reset! + described_class.enable_rack_attack! + end + %w(/etc/passwd /wp-admin/index.php /wp-login/index.php SELECT CONCAT /.git/config).each do |path| it "blocks user for specific request : '#{path}'" do get "#{decidim.root_path}#{path}", params: {}, headers: headers diff --git a/spec/system/confirmation_spec.rb b/spec/system/confirmation_spec.rb index 3542bbba..b1294c5d 100644 --- a/spec/system/confirmation_spec.rb +++ b/spec/system/confirmation_spec.rb 
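Review bot: The example under `describe "#disable_rack_attack!"` is titled `it "enables Rack::Attack" do` but asserts `be_falsey`; rename it to `it "disables Rack::Attack" do` so a failure message reads correctly. The `enable_rack_attack!` and Throttling `before` hooks set `Rack::Attack.enabled` globally and nothing in this hunk restores it, so unless an outer `after` outside the hunk does, later examples in the suite run with throttling on — add `after { described_class.disable_rack_attack! }` to those describes (the Fail2Ban block in the next hunk has the same gap). The `#deactivate_decidim_throttling!` example passes whether or not the method removes anything, since, as its own comment says, Decidim registers no throttle in the test environment; it only shows the app's "limit confirmations attempts per code" throttle survives, so the description should say that, or the example should first register a throttle the method is meant to remove and assert it is gone. The `describe "#apply_configuration"` block and the "successful for 15 requests" example both continue past the end of this hunk.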
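Review bot: The `before` added to `describe "Fail2Ban"` repeats the `apply_configuration` / `Rack::Attack.reset!` / `enable_rack_attack!` sequence of the Throttling `before` in the previous hunk and, like it, has no `after`, so Rack::Attack stays enabled after these examples finish; add `after { described_class.disable_rack_attack! }` here as well. The shared three lines cannot simply move up to the enclosing `describe "#apply_configuration"` (which starts and ends outside this hunk) because the Throttling block's `secrets.dig` stubs must be in place before `apply_configuration` runs and an outer `before` executes first, so if they are deduplicated the stubs have to move with them. A short comment above the hook, `# apply_configuration reads secrets, so any stub must precede it`, would explain why the sequence is repeated per describe.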
@@ -76,6 +76,7 @@ def code_for(str) before do allow(Rails).to receive(:cache).and_return(memory_store) + DecidimApp::RackAttack.enable_rack_attack! DecidimApp::RackAttack.apply_configuration Rack::Attack.reset! @@ -88,7 +89,7 @@ def code_for(str) end after do - Rack::Attack.enabled = false + DecidimApp::RackAttack.disable_rack_attack! end it "throttles after 5 attempts per minute" do
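Review bot: The `after` hook now calls `DecidimApp::RackAttack.disable_rack_attack!` unconditionally, so whatever value `Rack::Attack.enabled` had before the `before` hook in the preceding hunk turned it on is lost rather than restored, and this spec's cleanup depends on how `disable_rack_attack!` is implemented. Record the prior state in `before`, `@rack_attack_was_enabled = Rack::Attack.enabled`, and restore it in `after`, `Rack::Attack.enabled = @rack_attack_was_enabled`, which keeps the spec self-contained. The `before` here also enables Rack::Attack before `apply_configuration` and `reset!`, whereas rack_attack_spec.rb enables it after them; if the order is irrelevant it would be worth making both files match so readers do not infer a dependency. Both hooks belong to a block that starts before and ends after these hunks.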