]> git.ipfire.org Git - thirdparty/squid.git/blame - src/ACLMaxUserIP.cc
Summary: Merge in 6th set of windows changes from Guido
48071869 1/*
a748a390 2 * $Id: ACLMaxUserIP.cc,v 1.2 2003/03/10 20:12:43 robertc Exp $
48071869 3 *
4 * DEBUG: section 28 Access Control
5 * AUTHOR: Duane Wessels
6 *
7 * SQUID Web Proxy Cache http://www.squid-cache.org/
8 * ----------------------------------------------------------
9 *
10 * Squid is the result of efforts by numerous individuals from
11 * the Internet community; see the CONTRIBUTORS file for full
12 * details. Many organizations have provided support for Squid's
13 * development; see the SPONSORS file for full details. Squid is
14 * Copyrighted (C) 2001 by the Regents of the University of
15 * California; see the COPYRIGHT file for full details. Squid
16 * incorporates software developed and/or copyrighted by other
17 * sources; see the CREDITS file for full details.
18 *
19 * This program is free software; you can redistribute it and/or modify
20 * it under the terms of the GNU General Public License as published by
21 * the Free Software Foundation; either version 2 of the License, or
22 * (at your option) any later version.
23 *
24 * This program is distributed in the hope that it will be useful,
25 * but WITHOUT ANY WARRANTY; without even the implied warranty of
26 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27 * GNU General Public License for more details.
28 *
29 * You should have received a copy of the GNU General Public License
30 * along with this program; if not, write to the Free Software
31 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
32 *
33 *
34 * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org>
35 */
36
37#include "squid.h"
38#include "ACLMaxUserIP.h"
39#include "authenticate.h"
40
/*
 * Static registration objects for the "max_user_ip" ACL type.
 * RegistryProtoype is constructed with the address of RegistryEntry_ and the
 * type name; presumably this is how the ACL parser looks the type up --
 * confirm against ACL::Prototype. The two definitions are order-sensitive
 * static initialisers, so their order is left as is.
 */
ACL::Prototype ACLMaxUserIP::RegistryProtoype(&ACLMaxUserIP::RegistryEntry_, "max_user_ip");

ACLMaxUserIP ACLMaxUserIP::RegistryEntry_("max_user_ip");
44
/*
 * Return a heap-allocated copy of this ACL, built with the copy constructor.
 * The caller receives the only pointer to the new object.
 */
ACL *
ACLMaxUserIP::clone() const
{
    ACLMaxUserIP *copy = new ACLMaxUserIP(*this);
    return copy;
}
50
/*
 * Build an unconfigured ACL of the given type name. maximum starts at 0,
 * which valid() treats as "not configured".
 * NOTE(review): flags is not named in the initialiser list; confirm that its
 * type default-initialises strict to 0.
 */
ACLMaxUserIP::ACLMaxUserIP (char const *theClass) :
    class_ (theClass),
    maximum (0)
{
}
53
/*
 * Copy constructor: duplicates the type name pointer, the configured
 * maximum and the flags of the source ACL.
 */
ACLMaxUserIP::ACLMaxUserIP (ACLMaxUserIP const & old) :
    class_ (old.class_),
    maximum (old.maximum),
    flags (old.flags)
{
}
56
/* Memory pool backing every ACLMaxUserIP; created on first allocation. */
MemPool *ACLMaxUserIP::Pool = NULL;

/*
 * Allocate storage for one ACLMaxUserIP from the class pool.
 * The pool is created with sizeof (ACLMaxUserIP), so a request for any other
 * size is rejected by the assert below.
 */
void *
ACLMaxUserIP::operator new (size_t byteCount)
{
    /* derived classes with different sizes must implement their own new */
    assert (byteCount == sizeof (ACLMaxUserIP));

    if (Pool == NULL) {
        Pool = memPoolCreate("ACLMaxUserIP", sizeof (ACLMaxUserIP));
    }

    void *chunk = memPoolAlloc(Pool);
    return chunk;
}
69
/*
 * Release storage obtained from operator new by handing the address back to
 * the class pool through memPoolFree().
 */
void
ACLMaxUserIP::operator delete (void *address)
{
    memPoolFree(Pool, address);
}
75
/*
 * Destroy this object. The object must not be touched after the call; the
 * storage goes back through the class operator delete.
 */
void
ACLMaxUserIP::deleteSelf() const
{
    delete this;
}
81
/* Nothing to release here: the destructor body is empty. */
ACLMaxUserIP::~ACLMaxUserIP()
{
}
84
/* Return the type name this ACL was constructed with (class_). */
char const *
ACLMaxUserIP::typeString() const
{
    char const *typeName = class_;
    return typeName;
}
90
/*
 * An ACL is valid once a non-zero maximum has been parsed; a maximum of 0
 * means parse() has not stored a limit.
 */
bool
ACLMaxUserIP::valid () const
{
    if (maximum == 0)
        return false;

    return true;
}
96
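/*
 * Parse the arguments of a max_user_ip ACL line: an optional "-s" (strict)
 * flag followed by the maximum number of addresses.
 *
 * A limit that has already been set is never overwritten. A missing token is
 * fatal. The limit token must be a positive decimal integer that fits in an
 * int; anything else is logged and leaves maximum at 0, so valid() reports
 * the ACL as unusable. Rejecting such tokens matters because atoi() would
 * turn garbage into 0 and accept a negative number, and a negative limit
 * stored in an unsigned member would become a limit no user can exceed.
 */
void
ACLMaxUserIP::parse()
{
    if (maximum) {
        debug(28, 1) ("Attempting to alter already set User max IP acl\n");
        return;
    }

    char *t = strtokFile();

    if (!t)
        fatal("aclParseUserMaxIP: Malformed ACL\n");

    debug(28, 5) ("aclParseUserMaxIP: First token is %s\n", t);

    if (strcmp("-s", t) == 0) {
        debug(28, 5) ("aclParseUserMaxIP: Going strict\n");
        flags.strict = 1;
        t = strtokFile();
    }

    if (!t)
        fatal("aclParseUserMaxIP: Malformed ACL\n");

    /* strtol reports where parsing stopped, which atoi cannot do */
    char *end = NULL;
    const long value = strtol(t, &end, 10);

    const bool notANumber = (end == t) || (*end != '\0');
    /* the round trip through int rejects values atoi's return type cannot hold */
    const bool outOfRange = (value <= 0) || (value != static_cast<long>(static_cast<int>(value)));

    if (notANumber || outOfRange) {
        debug(28, 1) ("aclParseUserMaxIP: Invalid maximum '%s', expected a positive integer\n", t);
        return;
    }

    maximum = static_cast<int>(value);

    debug(28, 5) ("aclParseUserMaxIP: Max IP address's %d\n", (int) maximum);
}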
127
/*
 * aclMatchUserMaxIP - check for users logging in from multiple IP's
 * 0 : No match (the user's address count is within the limit)
 * 1 : Match (the count is above the limit)
 *
 * The comparison is "count <= maximum", so a user may hold exactly
 * `maximum` addresses without matching.
 */
int
ACLMaxUserIP::match(auth_user_request_t * auth_user_request,
                    struct in_addr const &src_addr)
{
    /*
     * the logic for flush the ip list when the limit is hit vs keep
     * it sorted in most recent access order and just drop the oldest
     * one off is currently undecided (RBC)
     */
    const bool overLimit = authenticateAuthUserRequestIPCount(auth_user_request) > maximum;

    if (!overLimit)
        return 0;

    /* this is a match */
    if (!flags.strict) {
        /*
         * non-strict - remove some/all of the cached entries
         * ie to allow the user to move machines easily
         *
         * NOTE(review): if the helper empties the whole list, the count
         * starts again after every match, so the limit only bounds how many
         * addresses are seen between two flushes -- confirm that this is
         * the intended policy for shared credentials.
         */
        authenticateAuthUserRequestClearIp(auth_user_request);
        debug(28, 4) ("aclMatchUserMaxIP: Denying access in non-strict mode - flushing the user ip cache\n");
        return 1;
    }

    /*
     * simply deny access - the user name is already associated with
     * the request
     */
    /* remove _this_ ip, as it is the culprit for going over the limit */
    authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr);
    debug(28, 4) ("aclMatchUserMaxIP: Denying access in strict mode\n");

    return 1;
}
169
/*
 * Checklist entry point. Any authenticated() result other than 1 is returned
 * to the caller unchanged; only an authenticated request is compared against
 * the address limit.
 */
int
ACLMaxUserIP::match(ACLChecklist *checklist)
{
    const int authState = checklist->authenticated();

    if (authState != 1)
        return authState;

    const int verdict = match(checklist->auth_user_request, checklist->src_addr);

    /*
     * The checklist's pointer is cleared once the limit has been checked.
     * NOTE(review): whether a reference has to be released before the
     * pointer is dropped cannot be seen from this file -- confirm.
     */
    checklist->auth_user_request = NULL;

    return verdict;
}
184
/*
 * Render the configured ACL back into words: "-s" when strict mode is set,
 * then the maximum as a decimal number. Returns NULL when no maximum has
 * been configured.
 */
wordlist *
ACLMaxUserIP::dump() const
{
    wordlist *words = NULL;

    if (maximum) {
        if (flags.strict)
            wordlistAdd(&words, "-s");

        /* bounded formatting: snprintf cannot write past the 128-byte buffer */
        char text[128];
        snprintf(text, sizeof(text), "%lu", (unsigned long int) maximum);

        wordlistAdd(&words, text);
    }

    return words;
}