48071869 | 1 | /* |
262a0e14 | 2 | * $Id$ |
48071869 | 3 | * |
4 | * DEBUG: section 28 Access Control | |
5 | * AUTHOR: Duane Wessels | |
6 | * | |
7 | * SQUID Web Proxy Cache http://www.squid-cache.org/ | |
8 | * ---------------------------------------------------------- | |
9 | * | |
10 | * Squid is the result of efforts by numerous individuals from | |
11 | * the Internet community; see the CONTRIBUTORS file for full | |
12 | * details. Many organizations have provided support for Squid's | |
13 | * development; see the SPONSORS file for full details. Squid is | |
14 | * Copyrighted (C) 2001 by the Regents of the University of | |
15 | * California; see the COPYRIGHT file for full details. Squid | |
16 | * incorporates software developed and/or copyrighted by other | |
17 | * sources; see the CREDITS file for full details. | |
18 | * | |
19 | * This program is free software; you can redistribute it and/or modify | |
20 | * it under the terms of the GNU General Public License as published by | |
21 | * the Free Software Foundation; either version 2 of the License, or | |
22 | * (at your option) any later version. | |
26ac0430 | 23 | * |
48071869 | 24 | * This program is distributed in the hope that it will be useful, |
25 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
26 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
27 | * GNU General Public License for more details. | |
26ac0430 | 28 | * |
48071869 | 29 | * You should have received a copy of the GNU General Public License |
30 | * along with this program; if not, write to the Free Software | |
31 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. | |
32 | * | |
33 | * | |
34 | * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org> | |
35 | */ | |
36 | ||
37 | #include "squid.h" | |
38 | #include "ACLMaxUserIP.h" | |
2d2b0bb7 | 39 | #include "auth/UserRequest.h" |
48071869 | 40 | #include "authenticate.h" |
d295d770 | 41 | #include "wordlist.h" |
42 | #include "ConfigParser.h" | |
48071869 | 43 | |
/*
 * Registers this ACL type under the config keyword "max_user_ip". The
 * Prototype receives the address of RegistryEntry_, which is defined just
 * below in the same translation unit; only its address is taken here, so
 * the later construction order of the two statics is what the code relies
 * on — NOTE(review): do not reorder these two definitions.
 */
ACL::Prototype ACLMaxUserIP::RegistryProtoype(&ACLMaxUserIP::RegistryEntry_, "max_user_ip");

/* The template instance that clone() copies for each configured max_user_ip ACL. */
ACLMaxUserIP ACLMaxUserIP::RegistryEntry_("max_user_ip");
47 | ||
/*
 * Produce a heap-allocated copy of this ACL (presumably used to turn the
 * registry entry into a per-configuration instance). The caller owns the
 * returned object.
 */
ACL *
ACLMaxUserIP::clone() const
{
    ACLMaxUserIP *copy = new ACLMaxUserIP(*this);
    return copy;
}
53 | ||
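/*
 * Construct an unconfigured instance: no maximum yet (valid() is false until
 * parse() sets one) and no flags. `flags` is value-initialised here
 * explicitly — parse() only ever sets flags.strict, never clears it, and
 * dump() reads it, so leaving it out of the initialiser list would make a
 * directly constructed (rather than cloned) instance read an indeterminate
 * bit. `theClass` is stored as-is; the text must outlive this object.
 */
ACLMaxUserIP::ACLMaxUserIP (char const *theClass) : class_ (theClass), maximum(0), flags()
{}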
56 | ||
/*
 * Copy the configured state (type name, IP limit, strict flag) from `old`.
 * NOTE(review): the ACL base subobject is default-constructed rather than
 * copied, so any base-class state of `old` is not carried over — confirm
 * that is intended for the clone() path.
 */
ACLMaxUserIP::ACLMaxUserIP (ACLMaxUserIP const & old) :class_ (old.class_), maximum (old.maximum), flags (old.flags)
{}
59 | ||
/* Nothing to release: class_ is a borrowed pointer (never freed here) and the other members are plain values. */
ACLMaxUserIP::~ACLMaxUserIP()
{}
62 | ||
/// The ACL type keyword this instance was constructed with (class_).
char const *ACLMaxUserIP::typeString() const { return class_; }
68 | ||
/// A max_user_ip ACL carries no value list, so it is never reported as empty;
/// whether it is usable is decided by valid() instead.
bool ACLMaxUserIP::empty () const { return false; }
74 | ||
/// Usable only once parse() has stored a positive IP limit; zero (unparsed)
/// and any non-positive value a bad token produced are rejected.
bool ACLMaxUserIP::valid () const { return maximum > 0; }
80 | ||
/*
 * Read the configuration tokens for one max_user_ip line:
 *   [-s] <maximum>
 * "-s" selects strict mode (see match()); <maximum> is the number of
 * distinct IP addresses a single user may be seen from. A line with no
 * tokens, or "-s" with nothing after it, leaves `maximum` at 0 so the ACL
 * stays invalid. A second parse() on an already configured instance is
 * ignored with a warning.
 */
void
ACLMaxUserIP::parse()
{
    if (maximum) {
        debugs(28, 1, "Attempting to alter already set User max IP acl");
        return;
    }

    char *token = ConfigParser::strtokFile();

    if (token == NULL)
        return;

    debugs(28, 5, "aclParseUserMaxIP: First token is " << token);

    /* optional leading switch; if present the limit is the next token */
    if (strcmp("-s", token) == 0) {
        debugs(28, 5, "aclParseUserMaxIP: Going strict");
        flags.strict = 1;
        token = ConfigParser::strtokFile();

        if (token == NULL)
            return;
    }

    /* No range check here: anything xatoi() turns into a value <= 0 is
     * caught later by valid(), which requires maximum > 0. */
    maximum = xatoi(token);

    debugs(28, 5, "aclParseUserMaxIP: Max IP address's " << maximum);
}
111 | ||
/*
 * aclMatchUserMaxIP - check for users logging in from multiple IP's
 * 0 : No match (the user is within the configured IP limit)
 * 1 : Match   (limit exceeded; the user's cached IP state has been pruned
 *              as described below before returning)
 */
int
ACLMaxUserIP::match(AuthUserRequest * auth_user_request,
                    IpAddress const &src_addr)
{
    /*
     * the logic for flush the ip list when the limit is hit vs keep
     * it sorted in most recent access order and just drop the oldest
     * one off is currently undecided (RBC)
     */
    if (authenticateAuthUserRequestIPCount(auth_user_request) > maximum) {
        debugs(28, 1, "aclMatchUserMaxIP: user '" << auth_user_request->username() << "' tries to use too many IP addresses (max " << maximum << " allowed)!");

        if (flags.strict) {
            /*
             * strict: the user name stays associated with the request; only
             * _this_ source IP (the one that pushed the user over the limit)
             * is dropped, so the previously seen addresses presumably keep
             * counting against the limit.
             */
            authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr);
            debugs(28, 4, "aclMatchUserMaxIP: Denying access in strict mode");
        } else {
            /*
             * non-strict: flush the user's cached IP list so they can move
             * machines easily. Note the side effect: the count restarts, so
             * a shared credential is matched once per overflow rather than
             * persistently — strict mode is the tighter choice.
             */
            authenticateAuthUserRequestClearIp(auth_user_request);
            debugs(28, 4, "aclMatchUserMaxIP: Denying access in non-strict mode - flushing the user ip cache");
        }

        return 1;
    }

    return 0;
}
153 | ||
/*
 * Checklist entry point. Only a fully authenticated request (authenticated()
 * == 1) is evaluated; any other state code is returned to the caller
 * unchanged so the ACL machinery can act on it (e.g. challenge or defer).
 */
int
ACLMaxUserIP::match(ACLChecklist *checklist)
{
    const int authState = checklist->authenticated();

    if (authState != 1)
        return authState;

    const int result = match(checklist->auth_user_request, checklist->src_addr);

    /* presumably balances a reference taken on auth_user_request by
     * authenticated() above — confirm against ACLChecklist */
    AUTHUSERREQUESTUNLOCK(checklist->auth_user_request, "ACLChecklist via ACLMaxUserIP");

    return result;
}
168 | ||
/*
 * Render the configured options back in the form parse() accepts:
 * an optional "-s" followed by the maximum. Returns NULL for an
 * unconfigured instance (maximum == 0). The caller owns the list.
 */
wordlist *
ACLMaxUserIP::dump() const
{
    if (maximum == 0)
        return NULL;

    wordlist *words = NULL;

    /* the switch comes first so the dumped line re-parses identically */
    if (flags.strict)
        wordlistAdd(&words, "-s");

    char number[128];
    snprintf(number, sizeof(number), "%lu", (unsigned long int) maximum);
    wordlistAdd(&words, number);

    return words;
}