src/ACLMaxUserIP.cc

   1 /*
   2  * $Id: ACLMaxUserIP.cc,v 1.10 2006/04/23 11:10:31 robertc Exp $
   3  *
   4  * DEBUG: section 28    Access Control
   5  * AUTHOR: Duane Wessels
   6  *
   7  * SQUID Web Proxy Cache          http://www.squid-cache.org/
   8  * ----------------------------------------------------------
   9  *
  10  *  Squid is the result of efforts by numerous individuals from
  11  *  the Internet community; see the CONTRIBUTORS file for full
  12  *  details.   Many organizations have provided support for Squid's
  13  *  development; see the SPONSORS file for full details.  Squid is
  14  *  Copyrighted (C) 2001 by the Regents of the University of
  15  *  California; see the COPYRIGHT file for full details.  Squid
  16  *  incorporates software developed and/or copyrighted by other
  17  *  sources; see the CREDITS file for full details.
  18  *
  19  *  This program is free software; you can redistribute it and/or modify
  20  *  it under the terms of the GNU General Public License as published by
  21  *  the Free Software Foundation; either version 2 of the License, or
  22  *  (at your option) any later version.
  23  *
  24  *  This program is distributed in the hope that it will be useful,
  25  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  26  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  27  *  GNU General Public License for more details.
  28  *
  29  *  You should have received a copy of the GNU General Public License
  30  *  along with this program; if not, write to the Free Software
  31  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
  32  *
  33  *
  34  * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org>
  35  */
  36
  37 #include "squid.h"
  38 #include "ACLMaxUserIP.h"
  39 #include "AuthUserRequest.h"
  40 #include "authenticate.h"
  41 #include "wordlist.h"
  42 #include "ConfigParser.h"
  43
  44 ACL::Prototype ACLMaxUserIP::RegistryProtoype(&ACLMaxUserIP::RegistryEntry_, "max_user_ip");
  45
  46 ACLMaxUserIP ACLMaxUserIP::RegistryEntry_("max_user_ip");
  47
  48 ACL *
  49 ACLMaxUserIP::clone() const
  50 {
  51     return new ACLMaxUserIP(*this);
  52 }
  53
  54 ACLMaxUserIP::ACLMaxUserIP (char const *theClass) : class_ (theClass), maximum(0)
  55 {}
  56
  57 ACLMaxUserIP::ACLMaxUserIP (ACLMaxUserIP const & old) :class_ (old.class_), maximum (old.maximum), flags (old.flags)
  58 {}
  59
  60 ACLMaxUserIP::~ACLMaxUserIP()
  61 {}
  62
  63 char const *
  64 ACLMaxUserIP::typeString() const
  65 {
  66     return class_;
  67 }
  68
  69 bool
  70 ACLMaxUserIP::empty () const
  71 {
  72     return false;
  73 }
  74
  75 bool
  76 ACLMaxUserIP::valid () const
  77 {
  78     return maximum > 0;
  79 }
  80
  81 void
  82 ACLMaxUserIP::parse()
  83 {
  84     if (maximum) {
  85         debug(28, 1) ("Attempting to alter already set User max IP acl\n");
  86         return;
  87     }
  88
  89     char *t = ConfigParser::strtokFile();
  90
  91     if (!t)
  92         return;
  93
  94     debug(28, 5) ("aclParseUserMaxIP: First token is %s\n", t);
  95
  96     if (strcmp("-s", t) == 0) {
  97         debug(28, 5) ("aclParseUserMaxIP: Going strict\n");
  98         flags.strict = 1;
  99         t = ConfigParser::strtokFile();
 100     }
 101
 102     if (!t)
 103         return;
 104
 105     maximum = atoi(t);
 106
 107     debug(28, 5) ("aclParseUserMaxIP: Max IP address's %d\n", (int) maximum);
 108
 109     return;
 110 }
 111
 112 /*
 113  * aclMatchUserMaxIP - check for users logging in from multiple IP's
 114  * 0 : No match
 115  * 1 : Match
 116  */
 117 int
 118 ACLMaxUserIP::match(auth_user_request_t * auth_user_request,
 119
 120                     struct IN_ADDR const &src_addr)
 121 {
 122     /*
 123      * the logic for flush the ip list when the limit is hit vs keep
 124      * it sorted in most recent access order and just drop the oldest
 125      * one off is currently undecided (RBC)
 126      */
 127
 128     if (authenticateAuthUserRequestIPCount(auth_user_request) <= maximum)
 129         return 0;
 130
 131     debug(28, 1) ("aclMatchUserMaxIP: user '%s' tries to use too many IP addresses (max %d allowed)!\n", auth_user_request->username(), maximum);
 132
 133     /* this is a match */
 134     if (flags.strict)
 135     {
 136         /*
 137          * simply deny access - the user name is already associated with
 138          * the request
 139          */
 140         /* remove _this_ ip, as it is the culprit for going over the limit */
 141         authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr);
 142         debug(28, 4) ("aclMatchUserMaxIP: Denying access in strict mode\n");
 143     } else
 144     {
 145         /*
 146          * non-strict - remove some/all of the cached entries
 147          * ie to allow the user to move machines easily
 148          */
 149         authenticateAuthUserRequestClearIp(auth_user_request);
 150         debug(28, 4) ("aclMatchUserMaxIP: Denying access in non-strict mode - flushing the user ip cache\n");
 151     }
 152
 153     return 1;
 154 }
 155
 156 int
 157 ACLMaxUserIP::match(ACLChecklist *checklist)
 158 {
 159     int ti;
 160
 161     if ((ti = checklist->authenticated()) != 1)
 162         return ti;
 163
 164     ti = match(checklist->auth_user_request, checklist->src_addr);
 165
 166     checklist->auth_user_request = NULL;
 167
 168     return ti;
 169 }
 170
 171 wordlist *
 172 ACLMaxUserIP::dump() const
 173 {
 174     if (!maximum)
 175         return NULL;
 176
 177     wordlist *W = NULL;
 178
 179     if (flags.strict)
 180         wordlistAdd(&W, "-s");
 181
 182     char buf[128];
 183
 184     snprintf(buf, sizeof(buf), "%lu", (unsigned long int) maximum);
 185
 186     wordlistAdd(&W, buf);
 187
 188     return W;
 189 }