Commit | Line | Data |
---|---|---|
48071869 | 1 | /* |
a748a390 | 2 | * $Id: ACLMaxUserIP.cc,v 1.2 2003/03/10 20:12:43 robertc Exp $ |
48071869 | 3 | * |
4 | * DEBUG: section 28 Access Control | |
5 | * AUTHOR: Duane Wessels | |
6 | * | |
7 | * SQUID Web Proxy Cache http://www.squid-cache.org/ | |
8 | * ---------------------------------------------------------- | |
9 | * | |
10 | * Squid is the result of efforts by numerous individuals from | |
11 | * the Internet community; see the CONTRIBUTORS file for full | |
12 | * details. Many organizations have provided support for Squid's | |
13 | * development; see the SPONSORS file for full details. Squid is | |
14 | * Copyrighted (C) 2001 by the Regents of the University of | |
15 | * California; see the COPYRIGHT file for full details. Squid | |
16 | * incorporates software developed and/or copyrighted by other | |
17 | * sources; see the CREDITS file for full details. | |
18 | * | |
19 | * This program is free software; you can redistribute it and/or modify | |
20 | * it under the terms of the GNU General Public License as published by | |
21 | * the Free Software Foundation; either version 2 of the License, or | |
22 | * (at your option) any later version. | |
23 | * | |
24 | * This program is distributed in the hope that it will be useful, | |
25 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
26 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
27 | * GNU General Public License for more details. | |
28 | * | |
29 | * You should have received a copy of the GNU General Public License | |
30 | * along with this program; if not, write to the Free Software | |
31 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. | |
32 | * | |
33 | * | |
34 | * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org> | |
35 | */ | |
36 | ||
37 | #include "squid.h" | |
38 | #include "ACLMaxUserIP.h" | |
39 | #include "authenticate.h" | |
40 | ||
/*
 * Registration of the "max_user_ip" ACL type. The prototype is constructed
 * from the address of RegistryEntry_ and the type name; RegistryEntry_ is the
 * instance that address refers to.
 * NOTE(review): the prototype is defined before the object it points at.
 * Only the address is taken here; whether ACL::Prototype's constructor
 * dereferences it during static initialisation is not visible in this file.
 */
ACL::Prototype ACLMaxUserIP::RegistryProtoype(&ACLMaxUserIP::RegistryEntry_, "max_user_ip");

ACLMaxUserIP ACLMaxUserIP::RegistryEntry_("max_user_ip");
44 | ||
/*
 * Returns a heap-allocated copy of this ACL, built with the copy
 * constructor. The caller receives ownership of the new object.
 */
ACL *
ACLMaxUserIP::clone() const
{
    ACL *copy = new ACLMaxUserIP(*this);
    return copy;
}
50 | ||
/*
 * Creates an ACL of the given type name with no limit configured
 * (maximum == 0, which valid() reports as not valid).
 * NOTE(review): 'flags' is not named in this initialiser list although the
 * copy constructor copies it; unless its type initialises itself (not visible
 * here), flags.strict starts out indeterminate for objects that are not
 * zero-initialised statics - confirm against the header.
 */
ACLMaxUserIP::ACLMaxUserIP (char const *theClass)
        : class_ (theClass),
        maximum (0)
{}
53 | ||
/*
 * Copy constructor: takes over the type name pointer, the configured limit
 * and the flags (including the strict setting) of 'old'. class_ is copied as
 * a pointer, not as a duplicate of the string it points at.
 */
ACLMaxUserIP::ACLMaxUserIP (ACLMaxUserIP const & old)
        : class_ (old.class_),
        maximum (old.maximum),
        flags (old.flags)
{}
56 | ||
/* Memory pool backing operator new/delete; created on first allocation. */
MemPool *ACLMaxUserIP::Pool(NULL);
/*
 * Class-specific allocator: takes storage from a memory pool that is created
 * on first use for objects of exactly sizeof(ACLMaxUserIP) bytes.
 */
void *
ACLMaxUserIP::operator new (size_t byteCount)
{
    /*
     * The pool is sized for this class only, so a derived class with a
     * different size must provide its own operator new. This assertion is
     * the only check that keeps a larger object out of a smaller chunk.
     */
    assert (byteCount == sizeof (ACLMaxUserIP));

    if (Pool == NULL)
        Pool = memPoolCreate("ACLMaxUserIP", sizeof (ACLMaxUserIP));

    void *chunk = memPoolAlloc(Pool);

    return chunk;
}
69 | ||
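/*
 * Class-specific deallocator: returns the storage to the pool used by
 * operator new.
 */
void
ACLMaxUserIP::operator delete (void *address)
{
    /*
     * A deallocation function may legally be called with a null pointer;
     * do not hand one to the pool.
     */
    if (!address)
        return;

    memPoolFree (Pool, address);
}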
75 | ||
/*
 * Destroys this object through the class's own operator delete. The object
 * must not be used after this call.
 */
void
ACLMaxUserIP::deleteSelf() const
{
    ACLMaxUserIP const *self = this;
    delete self;
}
81 | ||
/* Nothing to release: the destructor body is empty. */
ACLMaxUserIP::~ACLMaxUserIP()
{
}
84 | ||
/* Returns the ACL type name this object was constructed with. */
char const *
ACLMaxUserIP::typeString() const
{
    char const *name = class_;
    return name;
}
90 | ||
/*
 * An ACL of this type is usable only once a non-zero limit has been
 * configured; a limit of 0 is treated as "not set".
 */
bool
ACLMaxUserIP::valid () const
{
    if (maximum == 0)
        return false;

    return true;
}
96 | ||
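/*
 * Parses the ACL arguments: an optional "-s" (strict mode) followed by the
 * maximum number of IP addresses.
 *
 * A limit that is already set is never altered. A missing token is fatal.
 * A limit that is not a complete positive decimal number is logged and left
 * unset, so valid() reports the ACL as not valid instead of the ACL running
 * with a limit nobody intended.
 */
void
ACLMaxUserIP::parse()
{
    if (maximum) {
        debug(28, 1) ("Attempting to alter already set User max IP acl\n");
        return;
    }

    char *t = strtokFile();

    if (!t)
        fatal("aclParseUserMaxIP: Malformed ACL\n");

    debug(28, 5) ("aclParseUserMaxIP: First token is %s\n", t);

    if (strcmp("-s", t) == 0) {
        debug(28, 5) ("aclParseUserMaxIP: Going strict\n");
        flags.strict = 1;
        t = strtokFile();
    }

    if (!t)
        fatal("aclParseUserMaxIP: Malformed ACL\n");

    /*
     * atoi() gives no way to tell "0" from garbage, accepts a numeric prefix
     * of a longer token ("5abc"), passes negative values through and has
     * undefined behaviour on overflow. An access limit must not be derived
     * from such input, so the whole token is checked here.
     */
    char *end = NULL;

    long const limit = strtol(t, &end, 10);

    /*
     * The (int) round trip rejects values that do not fit an int where long
     * is wider; where long and int have the same width an out-of-range value
     * is clamped by strtol() to the largest long.
     */
    if (end == t || *end != '\0' || limit <= 0 || (long) (int) limit != limit) {
        debug(28, 1) ("aclParseUserMaxIP: Invalid maximum '%s', limit not set\n", t);
        return;
    }

    maximum = (int) limit;

    debug(28, 5) ("aclParseUserMaxIP: Max IP address's %d\n", (int) maximum);

    return;
}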
127 | ||
/*
 * aclMatchUserMaxIP - check for users logging in from multiple IP's
 *
 * Returns 0 (no match) while the IP count reported for the user by
 * authenticateAuthUserRequestIPCount() is at or below 'maximum', and
 * 1 (match) once it is above it.
 *
 * A match also changes the IP records kept for the user:
 *   strict     - only src_addr, the address that exceeded the limit, is
 *                removed
 *   non-strict - the user's IP records are cleared, so the count starts
 *                again from the next request
 */
int
ACLMaxUserIP::match(auth_user_request_t * auth_user_request,
                    struct in_addr const &src_addr)
{
    /*
     * the logic for flush the ip list when the limit is hit vs keep
     * it sorted in most recent access order and just drop the oldest
     * one off is currently undecided (RBC)
     */

    if (authenticateAuthUserRequestIPCount(auth_user_request) <= maximum)
        return 0;

    /* over the limit: this is a match */
    if (!flags.strict) {
        /*
         * non-strict - remove some/all of the cached entries
         * ie to allow the user to move machines easily
         */
        authenticateAuthUserRequestClearIp(auth_user_request);
        debug(28, 4) ("aclMatchUserMaxIP: Denying access in non-strict mode - flushing the user ip cache\n");
        return 1;
    }

    /*
     * strict - simply deny access; the user name is already associated
     * with the request. Remove _this_ ip, as it is the culprit for going
     * over the limit.
     */
    authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr);

    debug(28, 4) ("aclMatchUserMaxIP: Denying access in strict mode\n");

    return 1;
}
169 | ||
/*
 * Checklist entry point. The limit is only evaluated when
 * checklist->authenticated() returns 1; any other value is returned to the
 * caller unchanged. Otherwise the result of the two-argument match() is
 * returned.
 * NOTE(review): the checklist's auth_user_request pointer is set to NULL
 * after the check; whether a reference has to be released at that point is
 * not visible in this file - confirm.
 */
int
ACLMaxUserIP::match(ACLChecklist *checklist)
{
    int const authState = checklist->authenticated();

    if (authState != 1)
        return authState;

    int const verdict = match(checklist->auth_user_request, checklist->src_addr);

    checklist->auth_user_request = NULL;

    return verdict;
}
184 | ||
/*
 * Returns the configured arguments as a word list: "-s" when strict mode is
 * set, followed by the limit printed as a decimal number. Returns NULL when
 * no limit is configured.
 */
wordlist *
ACLMaxUserIP::dump() const
{
    wordlist *result = NULL;

    if (maximum) {
        if (flags.strict)
            wordlistAdd(&result, "-s");

        /* snprintf is bounded by the buffer size */
        char text[128];

        snprintf(text, sizeof(text), "%lu", (unsigned long int) maximum);

        wordlistAdd(&result, text);
    }

    return result;
}