
Maintenance: Stabilize rack attack throttling tests.

Martin Gruner 2 years ago
parent
commit
3762a44dc1

+ 5 - 5
spec/requests/form_spec.rb

@@ -133,7 +133,7 @@ RSpec.describe 'Form', type: :request do
 
     end
 
-    it 'does limits' do
+    it 'does limits', :rack_attack do
       Setting.set('form_ticket_create_by_ip_per_hour', 2)
       Setting.set('form_ticket_create', true)
       fingerprint = SecureRandom.hex(40)
@@ -145,8 +145,8 @@ RSpec.describe 'Form', type: :request do
 
       post '/api/v1/form_submit', params: { fingerprint: fingerprint, token: token, name: 'Bob Smith', email: 'discard@zammad.com', title: 'test', body: 'hello' }, as: :json
       expect(response).to have_http_status(:ok)
-      # Trigger rate limiting with a few more requests to be reliable in slow CI
-      5.times do |count|
+
+      3.times do |count|
         post '/api/v1/form_submit', params: { fingerprint: fingerprint, token: token, name: 'Bob Smith', email: 'discard@zammad.com', title: "test#{count}", body: 'hello' }, as: :json
       end
       expect(response).to have_http_status(:too_many_requests)
@@ -155,7 +155,7 @@ RSpec.describe 'Form', type: :request do
       post '/api/v1/form_submit', params: { fingerprint: fingerprint, token: token, name: 'Bob Smith', email: 'discard@zammad.com', title: 'test-2', body: 'hello' }, as: :json
       expect(response).to have_http_status(:ok)
 
-      5.times do |count|
+      3.times do |count|
         post '/api/v1/form_submit', params: { fingerprint: fingerprint, token: token, name: 'Bob Smith', email: 'discard@zammad.com', title: "test-2-#{count}", body: 'hello' }, as: :json
       end
       expect(response).to have_http_status(:too_many_requests)
@@ -163,7 +163,7 @@ RSpec.describe 'Form', type: :request do
       @headers = { 'ACCEPT' => 'application/json', 'CONTENT_TYPE' => 'application/json', 'REMOTE_ADDR' => '::1' }
       post '/api/v1/form_submit', params: { fingerprint: fingerprint, token: token, name: 'Bob Smith', email: 'discard@zammad.com', title: 'test-3', body: 'hello' }, as: :json
 
-      5.times do |count|
+      3.times do |count|
         post '/api/v1/form_submit', params: { fingerprint: fingerprint, token: token, name: 'Bob Smith', email: 'discard@zammad.com', title: "test-3-#{count}", body: 'hello' }, as: :json
       end
       expect(response).to have_http_status(:too_many_requests)
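Review bot: Each `3.times` loop only asserts the response after the loop, so the example proves the throttle is eventually hit but not where it fires; with `form_ticket_create_by_ip_per_hour` set to 2, the first loop iteration is presumably still allowed and the second rejected, and a throttle that fired one request early or late would pass unchanged. Moving the check into the loop pins the boundary, e.g. `expect(response).to have_http_status(count.zero? ? :ok : :too_many_requests)`, with the exact cut-off confirmed against the throttle definition in config/initializers/rack_attack.rb. The comment that explained the old request count was dropped together with `5.times`, leaving 3 as a bare number; a line such as `# Limit is 2/hour and :rack_attack freezes the clock, so the request after the limit must be rejected` keeps the intent readable. The example body continues outside the hunk.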

+ 3 - 4
spec/requests/user/admin_password_auth_spec.rb

@@ -48,14 +48,13 @@ RSpec.describe 'User endpoint', authenticated_as: false, type: :request do
     end
 
     # For the throttling, see config/initializers/rack_attack.rb.
-    context 'when user requests admin auth more than throttle allows' do
+    context 'when user requests admin auth more than throttle allows', :rack_attack do
 
       let(:static_username) { create(:admin).login }
       let(:static_ipv4)     { Faker::Internet.ip_v4_address }
 
       it 'blocks due to username throttling (multiple IPs)' do
-        # Throttle should happen after 5 requests, but that is not reliable enough due to CI slowness.
-        15.times do
+        4.times do
           post api_v1_users_admin_password_auth_path, params: { username: static_username }, headers: { 'X-Forwarded-For': Faker::Internet.ip_v4_address }
         end
 
@@ -63,7 +62,7 @@ RSpec.describe 'User endpoint', authenticated_as: false, type: :request do
       end
 
       it 'blocks due to source IP address throttling (multiple usernames)' do
-        15.times do
+        4.times do
           # Ensure throttling even on modified path.
           post "#{api_v1_users_admin_password_auth_path}.json", params: { username: create(:admin).login }, headers: { 'X-Forwarded-For': static_ipv4 }
         end
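Review bot: The new `4.times` count in both examples replaces the comment that stated where the throttle was expected to fire, so the number is now unexplained, and because the only expectation sits after the loop (outside the hunk) the examples cannot distinguish a limit of 3 from a limit of 1. Restoring the rationale next to the loop, e.g. `# With the clock frozen by :rack_attack all 4 requests share one period; the one after the configured limit must be throttled`, documents the dependency on the `:rack_attack` tag added at the context line. If the throttle's limit is known, an in-loop expectation on the status before the limit would also catch a throttle that fires too early.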

+ 3 - 4
spec/requests/user/password_reset_spec.rb

@@ -18,14 +18,13 @@ RSpec.describe 'User endpoint', authenticated_as: false, type: :request do
   end
 
   # For the throttling, see config/initializers/rack_attack.rb.
-  context 'when user resets password more than throttle allows' do
+  context 'when user resets password more than throttle allows', :rack_attack do
 
     let(:static_username) { create(:user).login }
     let(:static_ipv4)     { Faker::Internet.ip_v4_address }
 
     it 'blocks due to username throttling (multiple IPs)' do
-      # Throttle should happen after 5 requests, but that is not reliable enough due to CI slowness.
-      15.times do
+      4.times do
         post api_v1_users_password_reset_path, params: { username: static_username }, headers: { 'X-Forwarded-For': Faker::Internet.ip_v4_address }
       end
 
@@ -33,7 +32,7 @@ RSpec.describe 'User endpoint', authenticated_as: false, type: :request do
     end
 
     it 'blocks due to source IP address throttling (multiple usernames)' do
-      15.times do
+      4.times do
         # Ensure throttling even on modified path.
         post "#{api_v1_users_password_reset_path}.json", params: { username: create(:user).login }, headers: { 'X-Forwarded-For': static_ipv4 }
       end
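Review bot: Both examples steer the throttle discriminator purely through the `X-Forwarded-For` header, so the source-IP example at the `.json` post line only passes if the throttle keys on the proxy-supplied IP rather than `REMOTE_ADDR`; that is the right thing behind a trusted reverse proxy but is exactly the value a direct client can forge, and nothing in the spec records that assumption. A comment on the header use would make it explicit, e.g. `# X-Forwarded-For is what the throttle presumably sees as the client IP; rack_attack.rb must only trust it behind the configured proxy`, hedged until the initializer confirms how the IP is resolved. The expectation that follows the loop is outside the hunk.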

+ 13 - 0
spec/support/rack_attack.rb

@@ -0,0 +1,13 @@
+# Copyright (C) 2012-2023 Zammad Foundation, https://zammad-foundation.org/
+
+RSpec.configure do |config|
+
+  # Rack attack has no rolling time periods. Make sure it works consistently
+  #   also in slow CI situations.
+  # See https://github.com/rack/rack-attack/issues/601
+  config.around(:each, :rack_attack) do |example|
+    freeze_time
+
+    example.run
+  end
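Review bot: `freeze_time` in the around hook is never paired with `travel_back`, so if the teardown that normally unfreezes the clock is not wired for this example group the frozen time leaks into later examples; the block form `freeze_time { example.run }` restores the clock on exit, including when the example raises. A second consequence of freezing worth a comment: rack-attack buckets counters by the current period, so every `:rack_attack` example now writes to the same cache key for a given discriminator (the default `REMOTE_ADDR`, a reused fingerprint), and leftover counts will bleed between examples unless `Rack::Attack.cache.store` is cleared per example — presumably it is, but confirm and note it, e.g. `# Frozen clock => identical bucket key across examples; the cache store must be reset per example`. The hook body is fully visible in the hunk.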
+end