Commit | Line | Data |
---|---|---|
48071869 | 1 | /* |
ddfcbc22 | 2 | * $Id: ACLMaxUserIP.cc,v 1.7 2005/04/18 21:52:41 hno Exp $ |
48071869 | 3 | * |
4 | * DEBUG: section 28 Access Control | |
5 | * AUTHOR: Duane Wessels | |
6 | * | |
7 | * SQUID Web Proxy Cache http://www.squid-cache.org/ | |
8 | * ---------------------------------------------------------- | |
9 | * | |
10 | * Squid is the result of efforts by numerous individuals from | |
11 | * the Internet community; see the CONTRIBUTORS file for full | |
12 | * details. Many organizations have provided support for Squid's | |
13 | * development; see the SPONSORS file for full details. Squid is | |
14 | * Copyrighted (C) 2001 by the Regents of the University of | |
15 | * California; see the COPYRIGHT file for full details. Squid | |
16 | * incorporates software developed and/or copyrighted by other | |
17 | * sources; see the CREDITS file for full details. | |
18 | * | |
19 | * This program is free software; you can redistribute it and/or modify | |
20 | * it under the terms of the GNU General Public License as published by | |
21 | * the Free Software Foundation; either version 2 of the License, or | |
22 | * (at your option) any later version. | |
23 | * | |
24 | * This program is distributed in the hope that it will be useful, | |
25 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
26 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
27 | * GNU General Public License for more details. | |
28 | * | |
29 | * You should have received a copy of the GNU General Public License | |
30 | * along with this program; if not, write to the Free Software | |
31 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. | |
32 | * | |
33 | * | |
34 | * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org> | |
35 | */ | |
36 | ||
#include "squid.h"
#include "ACLMaxUserIP.h"
#include "AuthUserRequest.h"
#include "authenticate.h"

#include <errno.h>
#include <limits.h>
#include <stdlib.h>
41 | ||
/* Prototype registered under the type name "max_user_ip"; it is handed the address of RegistryEntry_. */
ACL::Prototype ACLMaxUserIP::RegistryProtoype(&ACLMaxUserIP::RegistryEntry_, "max_user_ip");

/* Instance constructed with the class name "max_user_ip" (its limit starts at 0, see the constructor). */
ACLMaxUserIP ACLMaxUserIP::RegistryEntry_("max_user_ip");
45 | ||
/*
 * Return a heap-allocated copy of this ACL, built with the copy constructor.
 * The caller receives a raw pointer obtained from new.
 */
ACL *
ACLMaxUserIP::clone() const
{
    ACLMaxUserIP *duplicate = new ACLMaxUserIP(*this);
    return duplicate;
}
51 | ||
/*
 * Construct an ACL with the given class name and no limit configured yet
 * (maximum == 0, which valid() treats as "not usable").
 * flags is not named in the initializer list, so it gets whatever default
 * initialization its own type provides.
 */
ACLMaxUserIP::ACLMaxUserIP (char const *theClass) :
        class_ (theClass),
        maximum (0)
{}
54 | ||
/* Copy constructor: duplicates the class name pointer, the limit and the flags of old. */
ACLMaxUserIP::ACLMaxUserIP (ACLMaxUserIP const & old) :
        class_ (old.class_),
        maximum (old.maximum),
        flags (old.flags)
{}
57 | ||
/* Nothing to release here: the destructor body is empty. */
ACLMaxUserIP::~ACLMaxUserIP()
{
}
60 | ||
/* Return the class name this ACL was constructed with (the stored pointer, not a copy). */
char const *
ACLMaxUserIP::typeString() const
{
    char const *const name = class_;
    return name;
}
66 | ||
/*
 * An ACL is usable only once a non-zero limit has been stored in maximum;
 * a freshly constructed object (maximum == 0) reports false.
 */
bool
ACLMaxUserIP::valid () const
{
    if (maximum == 0)
        return false;

    return true;
}
72 | ||
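/*
 * Parse the arguments of a max_user_ip ACL line: an optional "-s" (strict)
 * flag followed by the maximum number of IP addresses.
 *
 * - If a limit is already set, the new definition is ignored and a level-1
 *   debug message is written.
 * - A missing token is reported through fatal().
 * - The limit must be a plain positive decimal number that fits an int.
 *   Anything else (non-numeric text, trailing characters, zero, a negative
 *   or out-of-range value) is logged at level 1 and rejected; maximum then
 *   stays 0, so valid() reports the ACL as unusable.
 */
void
ACLMaxUserIP::parse()
{
    if (maximum) {
        debug(28, 1) ("Attempting to alter already set User max IP acl\n");
        return;
    }

    char *t = strtokFile();

    if (!t)
        fatal("aclParseUserMaxIP: Malformed ACL\n");

    debug(28, 5) ("aclParseUserMaxIP: First token is %s\n", t);

    if (strcmp("-s", t) == 0) {
        debug(28, 5) ("aclParseUserMaxIP: Going strict\n");
        flags.strict = 1;
        t = strtokFile();
    }

    if (!t)
        fatal("aclParseUserMaxIP: Malformed ACL\n");

    /*
     * atoi() gave no way to tell bad input from a real number: garbage became
     * 0, "12abc" became 12, and negative or overflowing values were stored
     * as-is. For an access-control limit that is a fail-open/fail-closed
     * hazard: depending on how maximum is declared (not visible in this
     * file), a negative value would make match() either always or never
     * trigger. strtol() with an end pointer and errno lets us refuse those.
     */
    char *end = NULL;
    errno = 0;
    const long limit = strtol(t, &end, 10);

    const bool notANumber = (end == t) || (*end != '\0');
    const bool outOfRange = (errno == ERANGE) || (limit <= 0) || (limit > INT_MAX);

    if (notANumber || outOfRange) {
        debug(28, 1) ("aclParseUserMaxIP: Invalid maximum IP count '%s'\n", t);
        /* maximum is still 0 here, so valid() will reject this ACL */
        return;
    }

    /* same int-valued assignment the atoi() version performed */
    maximum = static_cast<int>(limit);

    debug(28, 5) ("aclParseUserMaxIP: Max IP address's %d\n", (int) maximum);

    return;
}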
103 | ||
/*
 * aclMatchUserMaxIP - check for users logging in from multiple IP's
 *
 * Compares the IP count recorded for auth_user_request with maximum.
 *   0 : No match (count is at or below the limit; nothing is modified)
 *   1 : Match    (count is above the limit)
 *
 * On a match the recorded addresses are changed as a side effect:
 *   strict mode     - only src_addr is removed from the user's list
 *   non-strict mode - the user's whole IP list is cleared
 *
 * NOTE(review): because non-strict mode empties the list on every match,
 * the count presumably starts again from later requests, so the limit acts
 * as a soft one there - confirm this is the intended policy.
 */
int
ACLMaxUserIP::match(auth_user_request_t * auth_user_request,
                    struct IN_ADDR const &src_addr)
{
    /*
     * the logic for flush the ip list when the limit is hit vs keep
     * it sorted in most recent access order and just drop the oldest
     * one off is currently undecided (RBC)
     */

    if (authenticateAuthUserRequestIPCount(auth_user_request) > maximum) {
        /* over the limit: this is a match */

        if (!flags.strict) {
            /*
             * non-strict - remove some/all of the cached entries
             * ie to allow the user to move machines easily
             */
            authenticateAuthUserRequestClearIp(auth_user_request);
            debug(28, 4) ("aclMatchUserMaxIP: Denying access in non-strict mode - flushing the user ip cache\n");
        } else {
            /*
             * simply deny access - the user name is already associated with
             * the request; remove _this_ ip, as it is the culprit for going
             * over the limit
             */
            authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr);
            debug(28, 4) ("aclMatchUserMaxIP: Denying access in strict mode\n");
        }

        return 1;
    }

    return 0;
}
145 | ||
/*
 * Checklist entry point. If checklist->authenticated() returns anything
 * other than 1, that value is passed straight back and no IP check is done.
 * Otherwise the result of the per-user IP count check is returned, and the
 * checklist's auth_user_request pointer is reset to NULL afterwards.
 *
 * NOTE(review): the pointer is dropped without any release call visible in
 * this function - confirm that ownership of the request is handled elsewhere.
 */
int
ACLMaxUserIP::match(ACLChecklist *checklist)
{
    int answer = checklist->authenticated();

    if (answer != 1)
        return answer;

    answer = match(checklist->auth_user_request, checklist->src_addr);

    checklist->auth_user_request = NULL;

    return answer;
}
160 | ||
/*
 * Produce the configured arguments as a wordlist: "-s" first when the strict
 * flag is set, then the limit printed as an unsigned decimal number.
 * Returns NULL when no limit is configured (maximum == 0).
 */
wordlist *
ACLMaxUserIP::dump() const
{
    wordlist *result = NULL;

    if (maximum) {
        if (flags.strict)
            wordlistAdd(&result, "-s");

        /* snprintf is bounded by the buffer size, so the text cannot overrun it */
        char text[128];
        snprintf(text, sizeof(text), "%lu", (unsigned long int) maximum);

        wordlistAdd(&result, text);
    }

    return result;
}