madfordmac / netban

Brute force login detection/prevention across managed public nodes using redis and Elastic for analytics
MIT License

Address expiry for IPs never banned #21

Open madfordmac opened 1 month ago

madfordmac commented 1 month ago

Background

When we add an IP to redis, we set an expiry time. That expiry serves two purposes:

  1. The amount of time during which we count repeat attempts, watching for the threshold to be exceeded.
  2. The length of time that an IP gets banned.

We listen for expiry events from redis to un-ban an IP, but we receive those events for IPs that only tried once or twice and never got banned as well.

Issue

Currently, we log an attempt to unban an IP that's not in the list of blocked IPs as a warning. But that's really only valid as a warning if they had been banned. Maybe it's an info-level alert that their count was reset??

Possible resolutions

  1. When a key expires, can we get its value along with the key? We could then check the value against the threshold and log something special for under-threshold keys and not even pass it to banmanager.
  2. We could maintain an in-program list of banned keys like we do for netban. Expiring keys could then be checked against the local list and handled differently.

Of these, I'd prefer the first as I'd rather not keep separate state.

madfordmac commented 1 month ago

It seems that Redis will not give you the value when a key expires. This StackOverflow question has a method for doing this kind of operation at the cost of an additional key in the Redis database, but we don't really store that many keys.
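The additional-key approach mentioned in the last comment, as an added example that is not the project's code: the counter key carries the counting-window expiry and a separate ban key carries the ban expiry, so an expiry event can be classified by the key name alone, without needing the expired value. THRESHOLD and the two timeouts are assumed values, and FakeRedis is an in-memory stand-in for the redis-py commands so the snippet runs offline; in a deployment the key names arrive as messages on the `__keyevent@<db>__:expired` channel once `notify-keyspace-events` includes `Ex`.

```python
THRESHOLD = 5          # failed attempts inside the window before a ban (assumed)
WINDOW_SECONDS = 600   # how long attempts are counted (assumed)
BAN_SECONDS = 3600     # how long a ban lasts (assumed)


class FakeRedis:
    """In-memory stand-in for the redis-py calls used below (incr, expire, set,
    exists). It does not expire keys itself; expiry events are fed to
    handle_expired() by name, exactly as the keyevent channel delivers them."""

    def __init__(self):
        self.data = {}

    def incr(self, name, amount=1):
        self.data[name] = int(self.data.get(name, 0)) + amount
        return self.data[name]

    def expire(self, name, time):
        return name in self.data  # TTL bookkeeping omitted in the stand-in

    def set(self, name, value, ex=None):
        self.data[name] = value
        return True

    def exists(self, *names):
        return sum(1 for n in names if n in self.data)


def record_attempt(r, ip):
    """Count a failed login. The window starts at the first attempt; reaching
    the threshold creates a shadow ban:<ip> key with its own, longer expiry."""
    count = r.incr(f"attempt:{ip}")
    if count == 1:
        r.expire(f"attempt:{ip}", WINDOW_SECONDS)
    if count >= THRESHOLD and not r.exists(f"ban:{ip}"):
        r.set(f"ban:{ip}", count, ex=BAN_SECONDS)
        return "banned"
    return "counted"


def handle_expired(key):
    """Classify one 'expired' keyevent by prefix: only ban:* expiries are real
    un-bans for the ban manager; attempt:* expiries are the under-threshold
    count resets from the issue and can be logged at info level."""
    kind, _, ip = key.partition(":")
    if kind == "ban":
        return ("unban", ip)
    if kind == "attempt":
        return ("count_reset", ip)
    return ("ignore", key)
```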