]>
Commit | Line | Data |
---|---|---|
48071869 | 1 | /* |
4ac4a490 | 2 | * Copyright (C) 1996-2017 The Squid Software Foundation and contributors |
bbc27441 AJ |
3 | * |
4 | * Squid software is distributed under GPLv2+ license and includes | |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
48071869 | 7 | */ |
8 | ||
bbc27441 AJ |
9 | /* DEBUG: section 28 Access Control */ |
10 | ||
582c2af2 | 11 | #include "squid.h" |
c0941a6a AR |
12 | #include "acl/FilledChecklist.h" |
13 | #include "auth/Acl.h" | |
14 | #include "auth/AclMaxUserIp.h" | |
2d2b0bb7 | 15 | #include "auth/UserRequest.h" |
d295d770 | 16 | #include "ConfigParser.h" |
602d9612 | 17 | #include "Debug.h" |
8a01b99e | 18 | #include "Parsing.h" |
602d9612 | 19 | #include "wordlist.h" |
48071869 | 20 | |
d6d0eb11 | 21 | ACLFlag ACLMaxUserIP::SupportedFlags[] = {ACL_F_STRICT, ACL_F_END}; |
0e1815c0 | 22 | |
d6d0eb11 | 23 | ACLMaxUserIP::ACLMaxUserIP(char const *theClass) : |
f53969cc SM |
24 | ACL(SupportedFlags), |
25 | class_(theClass), | |
26 | maximum(0) | |
48071869 | 27 | {} |
28 | ||
d6d0eb11 | 29 | ACLMaxUserIP::ACLMaxUserIP(ACLMaxUserIP const &old) : |
f53969cc SM |
30 | class_(old.class_), |
31 | maximum(old.maximum) | |
0e1815c0 | 32 | { |
86c63190 | 33 | flags = old.flags; |
0e1815c0 | 34 | } |
48071869 | 35 | |
48071869 | 36 | ACLMaxUserIP::~ACLMaxUserIP() |
37 | {} | |
38 | ||
d6d0eb11 AJ |
39 | ACL * |
40 | ACLMaxUserIP::clone() const | |
41 | { | |
42 | return new ACLMaxUserIP(*this); | |
43 | } | |
44 | ||
48071869 | 45 | char const * |
46 | ACLMaxUserIP::typeString() const | |
47 | { | |
48 | return class_; | |
49 | } | |
50 | ||
4b0f5de8 | 51 | bool |
d6d0eb11 | 52 | ACLMaxUserIP::empty() const |
4b0f5de8 | 53 | { |
54 | return false; | |
55 | } | |
56 | ||
48071869 | 57 | bool |
d6d0eb11 | 58 | ACLMaxUserIP::valid() const |
48071869 | 59 | { |
4b0f5de8 | 60 | return maximum > 0; |
48071869 | 61 | } |
62 | ||
63 | void | |
64 | ACLMaxUserIP::parse() | |
65 | { | |
a748a390 | 66 | if (maximum) { |
e0236918 | 67 | debugs(28, DBG_IMPORTANT, "Attempting to alter already set User max IP acl"); |
48071869 | 68 | return; |
69 | } | |
70 | ||
d295d770 | 71 | char *t = ConfigParser::strtokFile(); |
48071869 | 72 | |
73 | if (!t) | |
4b0f5de8 | 74 | return; |
48071869 | 75 | |
bf8fe701 | 76 | debugs(28, 5, "aclParseUserMaxIP: First token is " << t); |
48071869 | 77 | |
0e656b69 | 78 | maximum = xatoi(t); |
48071869 | 79 | |
4a7a3d56 | 80 | debugs(28, 5, "aclParseUserMaxIP: Max IP address's " << maximum); |
48071869 | 81 | |
82 | return; | |
83 | } | |
84 | ||
85 | /* | |
26ac0430 | 86 | * aclMatchUserMaxIP - check for users logging in from multiple IP's |
48071869 | 87 | * 0 : No match |
26ac0430 | 88 | * 1 : Match |
48071869 | 89 | */ |
90 | int | |
c7baff40 | 91 | ACLMaxUserIP::match(Auth::UserRequest::Pointer auth_user_request, Ip::Address const &src_addr) |
48071869 | 92 | { |
93 | /* | |
94 | * the logic for flush the ip list when the limit is hit vs keep | |
95 | * it sorted in most recent access order and just drop the oldest | |
96 | * one off is currently undecided (RBC) | |
97 | */ | |
98 | ||
a748a390 | 99 | if (authenticateAuthUserRequestIPCount(auth_user_request) <= maximum) |
48071869 | 100 | return 0; |
101 | ||
e0236918 | 102 | debugs(28, DBG_IMPORTANT, "aclMatchUserMaxIP: user '" << auth_user_request->username() << "' tries to use too many IP addresses (max " << maximum << " allowed)!"); |
3b2fd4ec | 103 | |
48071869 | 104 | /* this is a match */ |
0e1815c0 | 105 | if (flags.isSet(ACL_F_STRICT)) { |
48071869 | 106 | /* |
107 | * simply deny access - the user name is already associated with | |
26ac0430 | 108 | * the request |
48071869 | 109 | */ |
110 | /* remove _this_ ip, as it is the culprit for going over the limit */ | |
111 | authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr); | |
bf8fe701 | 112 | debugs(28, 4, "aclMatchUserMaxIP: Denying access in strict mode"); |
26ac0430 | 113 | } else { |
48071869 | 114 | /* |
26ac0430 | 115 | * non-strict - remove some/all of the cached entries |
48071869 | 116 | * ie to allow the user to move machines easily |
117 | */ | |
118 | authenticateAuthUserRequestClearIp(auth_user_request); | |
bf8fe701 | 119 | debugs(28, 4, "aclMatchUserMaxIP: Denying access in non-strict mode - flushing the user ip cache"); |
48071869 | 120 | } |
121 | ||
122 | return 1; | |
123 | } | |
124 | ||
125 | int | |
c0941a6a | 126 | ACLMaxUserIP::match(ACLChecklist *cl) |
48071869 | 127 | { |
c0941a6a | 128 | ACLFilledChecklist *checklist = Filled(cl); |
ccec22f9 | 129 | allow_t answer = AuthenticateAcl(checklist); |
48071869 | 130 | int ti; |
131 | ||
ccec22f9 | 132 | // convert to tri-state ACL match 1,0,-1 |
9b831d57 | 133 | switch (answer) { |
ccec22f9 | 134 | case ACCESS_ALLOWED: |
ccec22f9 AJ |
135 | // check for a match |
136 | ti = match(checklist->auth_user_request, checklist->src_addr); | |
137 | checklist->auth_user_request = NULL; | |
48071869 | 138 | return ti; |
139 | ||
ccec22f9 | 140 | case ACCESS_DENIED: |
ccec22f9 | 141 | return 0; // non-match |
48071869 | 142 | |
ccec22f9 AJ |
143 | case ACCESS_DUNNO: |
144 | case ACCESS_AUTH_REQUIRED: | |
145 | default: | |
e0f7153c | 146 | // If the answer is not allowed or denied (matches/not matches) and |
6f58d7d7 AR |
147 | // async authentication is not in progress, then we are done. |
148 | if (checklist->keepMatching()) | |
e0f7153c | 149 | checklist->markFinished(answer, "AuthenticateAcl exception"); |
ccec22f9 AJ |
150 | return -1; // other |
151 | } | |
48071869 | 152 | } |
153 | ||
9b859d6f | 154 | SBufList |
48071869 | 155 | ACLMaxUserIP::dump() const |
156 | { | |
9b859d6f | 157 | SBufList sl; |
a748a390 | 158 | if (!maximum) |
9b859d6f FC |
159 | return sl; |
160 | SBuf s; | |
fbe0f952 | 161 | s.Printf("%d", maximum); |
9b859d6f FC |
162 | sl.push_back(s); |
163 | return sl; | |
48071869 | 164 | } |
f53969cc | 165 |