]>
Commit | Line | Data |
---|---|---|
48071869 | 1 | /* |
5b74111a | 2 | * Copyright (C) 1996-2018 The Squid Software Foundation and contributors |
bbc27441 AJ |
3 | * |
4 | * Squid software is distributed under GPLv2+ license and includes | |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
48071869 | 7 | */ |
8 | ||
bbc27441 AJ |
9 | /* DEBUG: section 28 Access Control */ |
10 | ||
582c2af2 | 11 | #include "squid.h" |
c0941a6a AR |
12 | #include "acl/FilledChecklist.h" |
13 | #include "auth/Acl.h" | |
14 | #include "auth/AclMaxUserIp.h" | |
2d2b0bb7 | 15 | #include "auth/UserRequest.h" |
d295d770 | 16 | #include "ConfigParser.h" |
602d9612 | 17 | #include "Debug.h" |
8a01b99e | 18 | #include "Parsing.h" |
602d9612 | 19 | #include "wordlist.h" |
48071869 | 20 | |
d6d0eb11 | 21 | ACLMaxUserIP::ACLMaxUserIP(char const *theClass) : |
f53969cc SM |
22 | class_(theClass), |
23 | maximum(0) | |
48071869 | 24 | {} |
25 | ||
d6d0eb11 AJ |
26 | ACL * |
27 | ACLMaxUserIP::clone() const | |
28 | { | |
29 | return new ACLMaxUserIP(*this); | |
30 | } | |
31 | ||
48071869 | 32 | char const * |
33 | ACLMaxUserIP::typeString() const | |
34 | { | |
35 | return class_; | |
36 | } | |
37 | ||
4b0f5de8 | 38 | bool |
d6d0eb11 | 39 | ACLMaxUserIP::empty() const |
4b0f5de8 | 40 | { |
41 | return false; | |
42 | } | |
43 | ||
48071869 | 44 | bool |
d6d0eb11 | 45 | ACLMaxUserIP::valid() const |
48071869 | 46 | { |
4b0f5de8 | 47 | return maximum > 0; |
48071869 | 48 | } |
49 | ||
4eac3407 CT |
50 | const Acl::Options & |
51 | ACLMaxUserIP::options() | |
52 | { | |
53 | static const Acl::BooleanOption BeStrict; | |
54 | static const Acl::Options MyOptions = { { "-s", &BeStrict } }; | |
55 | BeStrict.linkWith(&beStrict); | |
56 | return MyOptions; | |
57 | } | |
58 | ||
48071869 | 59 | void |
60 | ACLMaxUserIP::parse() | |
61 | { | |
a748a390 | 62 | if (maximum) { |
e0236918 | 63 | debugs(28, DBG_IMPORTANT, "Attempting to alter already set User max IP acl"); |
48071869 | 64 | return; |
65 | } | |
66 | ||
d295d770 | 67 | char *t = ConfigParser::strtokFile(); |
48071869 | 68 | |
69 | if (!t) | |
4b0f5de8 | 70 | return; |
48071869 | 71 | |
bf8fe701 | 72 | debugs(28, 5, "aclParseUserMaxIP: First token is " << t); |
48071869 | 73 | |
0e656b69 | 74 | maximum = xatoi(t); |
48071869 | 75 | |
4a7a3d56 | 76 | debugs(28, 5, "aclParseUserMaxIP: Max IP address's " << maximum); |
48071869 | 77 | |
78 | return; | |
79 | } | |
80 | ||
81 | /* | |
26ac0430 | 82 | * aclMatchUserMaxIP - check for users logging in from multiple IP's |
48071869 | 83 | * 0 : No match |
26ac0430 | 84 | * 1 : Match |
48071869 | 85 | */ |
86 | int | |
c7baff40 | 87 | ACLMaxUserIP::match(Auth::UserRequest::Pointer auth_user_request, Ip::Address const &src_addr) |
48071869 | 88 | { |
89 | /* | |
90 | * the logic for flush the ip list when the limit is hit vs keep | |
91 | * it sorted in most recent access order and just drop the oldest | |
92 | * one off is currently undecided (RBC) | |
93 | */ | |
94 | ||
a748a390 | 95 | if (authenticateAuthUserRequestIPCount(auth_user_request) <= maximum) |
48071869 | 96 | return 0; |
97 | ||
e0236918 | 98 | debugs(28, DBG_IMPORTANT, "aclMatchUserMaxIP: user '" << auth_user_request->username() << "' tries to use too many IP addresses (max " << maximum << " allowed)!"); |
3b2fd4ec | 99 | |
48071869 | 100 | /* this is a match */ |
4eac3407 | 101 | if (beStrict) { |
48071869 | 102 | /* |
103 | * simply deny access - the user name is already associated with | |
26ac0430 | 104 | * the request |
48071869 | 105 | */ |
106 | /* remove _this_ ip, as it is the culprit for going over the limit */ | |
107 | authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr); | |
bf8fe701 | 108 | debugs(28, 4, "aclMatchUserMaxIP: Denying access in strict mode"); |
26ac0430 | 109 | } else { |
48071869 | 110 | /* |
26ac0430 | 111 | * non-strict - remove some/all of the cached entries |
48071869 | 112 | * ie to allow the user to move machines easily |
113 | */ | |
114 | authenticateAuthUserRequestClearIp(auth_user_request); | |
bf8fe701 | 115 | debugs(28, 4, "aclMatchUserMaxIP: Denying access in non-strict mode - flushing the user ip cache"); |
48071869 | 116 | } |
117 | ||
118 | return 1; | |
119 | } | |
120 | ||
121 | int | |
c0941a6a | 122 | ACLMaxUserIP::match(ACLChecklist *cl) |
48071869 | 123 | { |
c0941a6a | 124 | ACLFilledChecklist *checklist = Filled(cl); |
ccec22f9 | 125 | allow_t answer = AuthenticateAcl(checklist); |
48071869 | 126 | int ti; |
127 | ||
ccec22f9 | 128 | // convert to tri-state ACL match 1,0,-1 |
9b831d57 | 129 | switch (answer) { |
ccec22f9 | 130 | case ACCESS_ALLOWED: |
ccec22f9 AJ |
131 | // check for a match |
132 | ti = match(checklist->auth_user_request, checklist->src_addr); | |
133 | checklist->auth_user_request = NULL; | |
48071869 | 134 | return ti; |
135 | ||
ccec22f9 | 136 | case ACCESS_DENIED: |
ccec22f9 | 137 | return 0; // non-match |
48071869 | 138 | |
ccec22f9 AJ |
139 | case ACCESS_DUNNO: |
140 | case ACCESS_AUTH_REQUIRED: | |
141 | default: | |
e0f7153c | 142 | // If the answer is not allowed or denied (matches/not matches) and |
6f58d7d7 AR |
143 | // async authentication is not in progress, then we are done. |
144 | if (checklist->keepMatching()) | |
e0f7153c | 145 | checklist->markFinished(answer, "AuthenticateAcl exception"); |
ccec22f9 AJ |
146 | return -1; // other |
147 | } | |
48071869 | 148 | } |
149 | ||
9b859d6f | 150 | SBufList |
48071869 | 151 | ACLMaxUserIP::dump() const |
152 | { | |
9b859d6f | 153 | SBufList sl; |
a748a390 | 154 | if (!maximum) |
9b859d6f FC |
155 | return sl; |
156 | SBuf s; | |
fbe0f952 | 157 | s.Printf("%d", maximum); |
9b859d6f FC |
158 | sl.push_back(s); |
159 | return sl; | |
48071869 | 160 | } |
f53969cc | 161 |