[thirdparty/squid.git] / src / auth / AclMaxUserIp.cc

/*
 * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/* DEBUG: section 28    Access Control */

#include "squid.h"
#include "acl/FilledChecklist.h"
#include "auth/Acl.h"
#include "auth/AclMaxUserIp.h"
#include "auth/UserRequest.h"
#include "ConfigParser.h"
#include "Debug.h"
#include "Parsing.h"
#include "wordlist.h"

ACLFlag ACLMaxUserIP::SupportedFlags[] = {ACL_F_STRICT, ACL_F_END};

ACLMaxUserIP::ACLMaxUserIP(char const *theClass) :
    ACL(SupportedFlags),
    class_(theClass),
    maximum(0)
{}

ACLMaxUserIP::ACLMaxUserIP(ACLMaxUserIP const &old) :
    class_(old.class_),
    maximum(old.maximum)
{
    flags = old.flags;
}

ACLMaxUserIP::~ACLMaxUserIP()
{}

ACL *
ACLMaxUserIP::clone() const
{
    return new ACLMaxUserIP(*this);
}

char const *
ACLMaxUserIP::typeString() const
{
    return class_;
}

bool
ACLMaxUserIP::empty() const
{
    return false;
}

bool
ACLMaxUserIP::valid() const
{
    return maximum > 0;
}

void
ACLMaxUserIP::parse()
{
    if (maximum) {
        debugs(28, DBG_IMPORTANT, "Attempting to alter already set User max IP acl");
        return;
    }

    char *t = ConfigParser::strtokFile();

    if (!t)
        return;

    debugs(28, 5, "aclParseUserMaxIP: First token is " << t);

    maximum = xatoi(t);

    debugs(28, 5, "aclParseUserMaxIP: Max IP address's " << maximum);

    return;
}

/*
 * aclMatchUserMaxIP - check for users logging in from multiple IP's
 * 0 : No match
 * 1 : Match
 */
int
ACLMaxUserIP::match(Auth::UserRequest::Pointer auth_user_request, Ip::Address const &src_addr)
{
    /*
     * the logic for flush the ip list when the limit is hit vs keep
     * it sorted in most recent access order and just drop the oldest
     * one off is currently undecided (RBC)
     */

    if (authenticateAuthUserRequestIPCount(auth_user_request) <= maximum)
        return 0;

    debugs(28, DBG_IMPORTANT, "aclMatchUserMaxIP: user '" << auth_user_request->username() << "' tries to use too many IP addresses (max " << maximum << " allowed)!");

    /* this is a match */
    if (flags.isSet(ACL_F_STRICT)) {
        /*
         * simply deny access - the user name is already associated with
         * the request
         */
        /* remove _this_ ip, as it is the culprit for going over the limit */
        authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr);
        debugs(28, 4, "aclMatchUserMaxIP: Denying access in strict mode");
    } else {
        /*
         * non-strict - remove some/all of the cached entries
         * ie to allow the user to move machines easily
         */
        authenticateAuthUserRequestClearIp(auth_user_request);
        debugs(28, 4, "aclMatchUserMaxIP: Denying access in non-strict mode - flushing the user ip cache");
    }

    return 1;
}

int
ACLMaxUserIP::match(ACLChecklist *cl)
{
    ACLFilledChecklist *checklist = Filled(cl);
    allow_t answer = AuthenticateAcl(checklist);
    int ti;

    // convert to tri-state ACL match 1,0,-1
    switch (answer) {
    case ACCESS_ALLOWED:
        // check for a match
        ti = match(checklist->auth_user_request, checklist->src_addr);
        checklist->auth_user_request = NULL;
        return ti;

    case ACCESS_DENIED:
        return 0; // non-match

    case ACCESS_DUNNO:
    case ACCESS_AUTH_REQUIRED:
    default:
        // If the answer is not allowed or denied (matches/not matches) and
        // async authentication is not in progress, then we are done.
        if (checklist->keepMatching())
            checklist->markFinished(answer, "AuthenticateAcl exception");
        return -1; // other
    }
}

SBufList
ACLMaxUserIP::dump() const
{
    SBufList sl;
    if (!maximum)
        return sl;
    SBuf s;
    s.Printf("%d", maximum);
    sl.push_back(s);
    return sl;
}
Commit	Line	Data
48071869	1	/*
4ac4a490	2	* Copyright (C) 1996-2017 The Squid Software Foundation and contributors
bbc27441 AJ	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
48071869	7	*/
48071869	8
bbc27441 AJ	9	/* DEBUG: section 28 Access Control */
bbc27441 AJ	10
582c2af2	11	#include "squid.h"
c0941a6a AR	12	#include "acl/FilledChecklist.h"
	13	#include "auth/Acl.h"
	14	#include "auth/AclMaxUserIp.h"
2d2b0bb7	15	#include "auth/UserRequest.h"
d295d770	16	#include "ConfigParser.h"
602d9612	17	#include "Debug.h"
8a01b99e	18	#include "Parsing.h"
602d9612	19	#include "wordlist.h"
48071869	20
d6d0eb11	21	ACLFlag ACLMaxUserIP::SupportedFlags[] = {ACL_F_STRICT, ACL_F_END};
0e1815c0	22
d6d0eb11	23	ACLMaxUserIP::ACLMaxUserIP(char const *theClass) :
f53969cc SM	24	ACL(SupportedFlags),
	25	class_(theClass),
	26	maximum(0)
48071869	27	{}
48071869	28
d6d0eb11	29	ACLMaxUserIP::ACLMaxUserIP(ACLMaxUserIP const &old) :
f53969cc SM	30	class_(old.class_),
f53969cc SM	31	maximum(old.maximum)
0e1815c0	32	{
86c63190	33	flags = old.flags;
0e1815c0	34	}
48071869	35
48071869	36	ACLMaxUserIP::~ACLMaxUserIP()
	37	{}
	38
d6d0eb11 AJ	39	ACL *
	40	ACLMaxUserIP::clone() const
	41	{
	42	return new ACLMaxUserIP(*this);
	43	}
	44
48071869	45	char const *
	46	ACLMaxUserIP::typeString() const
	47	{
	48	return class_;
	49	}
	50
4b0f5de8	51	bool
d6d0eb11	52	ACLMaxUserIP::empty() const
4b0f5de8	53	{
	54	return false;
	55	}
	56
48071869	57	bool
d6d0eb11	58	ACLMaxUserIP::valid() const
48071869	59	{
4b0f5de8	60	return maximum > 0;
48071869	61	}
	62
	63	void
	64	ACLMaxUserIP::parse()
	65	{
a748a390	66	if (maximum) {
e0236918	67	debugs(28, DBG_IMPORTANT, "Attempting to alter already set User max IP acl");
48071869	68	return;
	69	}
	70
d295d770	71	char *t = ConfigParser::strtokFile();
48071869	72
48071869	73	if (!t)
4b0f5de8	74	return;
48071869	75
bf8fe701	76	debugs(28, 5, "aclParseUserMaxIP: First token is " << t);
48071869	77
0e656b69	78	maximum = xatoi(t);
48071869	79
4a7a3d56	80	debugs(28, 5, "aclParseUserMaxIP: Max IP address's " << maximum);
48071869	81
	82	return;
	83	}
	84
	85	/*
26ac0430	86	* aclMatchUserMaxIP - check for users logging in from multiple IP's
48071869	87	* 0 : No match
26ac0430	88	* 1 : Match
48071869	89	*/
48071869	90	int
c7baff40	91	ACLMaxUserIP::match(Auth::UserRequest::Pointer auth_user_request, Ip::Address const &src_addr)
48071869	92	{
	93	/*
	94	* the logic for flush the ip list when the limit is hit vs keep
	95	* it sorted in most recent access order and just drop the oldest
	96	* one off is currently undecided (RBC)
	97	*/
	98
a748a390	99	if (authenticateAuthUserRequestIPCount(auth_user_request) <= maximum)
48071869	100	return 0;
48071869	101
e0236918	102	debugs(28, DBG_IMPORTANT, "aclMatchUserMaxIP: user '" << auth_user_request->username() << "' tries to use too many IP addresses (max " << maximum << " allowed)!");
3b2fd4ec	103
48071869	104	/* this is a match */
0e1815c0	105	if (flags.isSet(ACL_F_STRICT)) {
48071869	106	/*
48071869	107	* simply deny access - the user name is already associated with
26ac0430	108	* the request
48071869	109	*/
	110	/* remove _this_ ip, as it is the culprit for going over the limit */
	111	authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr);
bf8fe701	112	debugs(28, 4, "aclMatchUserMaxIP: Denying access in strict mode");
26ac0430	113	} else {
48071869	114	/*
26ac0430	115	* non-strict - remove some/all of the cached entries
48071869	116	* ie to allow the user to move machines easily
	117	*/
	118	authenticateAuthUserRequestClearIp(auth_user_request);
bf8fe701	119	debugs(28, 4, "aclMatchUserMaxIP: Denying access in non-strict mode - flushing the user ip cache");
48071869	120	}
	121
	122	return 1;
	123	}
	124
	125	int
c0941a6a	126	ACLMaxUserIP::match(ACLChecklist *cl)
48071869	127	{
c0941a6a	128	ACLFilledChecklist *checklist = Filled(cl);
ccec22f9	129	allow_t answer = AuthenticateAcl(checklist);
48071869	130	int ti;
48071869	131
ccec22f9	132	// convert to tri-state ACL match 1,0,-1
9b831d57	133	switch (answer) {
ccec22f9	134	case ACCESS_ALLOWED:
ccec22f9 AJ	135	// check for a match
	136	ti = match(checklist->auth_user_request, checklist->src_addr);
	137	checklist->auth_user_request = NULL;
48071869	138	return ti;
48071869	139
ccec22f9	140	case ACCESS_DENIED:
ccec22f9	141	return 0; // non-match
48071869	142
ccec22f9 AJ	143	case ACCESS_DUNNO:
	144	case ACCESS_AUTH_REQUIRED:
	145	default:
e0f7153c	146	// If the answer is not allowed or denied (matches/not matches) and
6f58d7d7 AR	147	// async authentication is not in progress, then we are done.
6f58d7d7 AR	148	if (checklist->keepMatching())
e0f7153c	149	checklist->markFinished(answer, "AuthenticateAcl exception");
ccec22f9 AJ	150	return -1; // other
ccec22f9 AJ	151	}
48071869	152	}
48071869	153
9b859d6f	154	SBufList
48071869	155	ACLMaxUserIP::dump() const
48071869	156	{
9b859d6f	157	SBufList sl;
a748a390	158	if (!maximum)
9b859d6f FC	159	return sl;
9b859d6f FC	160	SBuf s;
fbe0f952	161	s.Printf("%d", maximum);
9b859d6f FC	162	sl.push_back(s);
9b859d6f FC	163	return sl;
48071869	164	}
f53969cc	165