48071869 | 1 | /* |
262a0e14 | 2 | * $Id$ |
48071869 | 3 | * |
4 | * DEBUG: section 28 Access Control | |
5 | * AUTHOR: Duane Wessels | |
6 | * | |
7 | * SQUID Web Proxy Cache http://www.squid-cache.org/ | |
8 | * ---------------------------------------------------------- | |
9 | * | |
10 | * Squid is the result of efforts by numerous individuals from | |
11 | * the Internet community; see the CONTRIBUTORS file for full | |
12 | * details. Many organizations have provided support for Squid's | |
13 | * development; see the SPONSORS file for full details. Squid is | |
14 | * Copyrighted (C) 2001 by the Regents of the University of | |
15 | * California; see the COPYRIGHT file for full details. Squid | |
16 | * incorporates software developed and/or copyrighted by other | |
17 | * sources; see the CREDITS file for full details. | |
18 | * | |
19 | * This program is free software; you can redistribute it and/or modify | |
20 | * it under the terms of the GNU General Public License as published by | |
21 | * the Free Software Foundation; either version 2 of the License, or | |
22 | * (at your option) any later version. | |
26ac0430 | 23 | * |
48071869 | 24 | * This program is distributed in the hope that it will be useful, |
25 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
26 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
27 | * GNU General Public License for more details. | |
26ac0430 | 28 | * |
48071869 | 29 | * You should have received a copy of the GNU General Public License |
30 | * along with this program; if not, write to the Free Software | |
31 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. | |
32 | * | |
33 | * | |
34 | * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org> | |
35 | */ | |
36 | ||
37 | #include "squid.h" | |
c0941a6a AR |
38 | #include "acl/FilledChecklist.h" |
39 | #include "auth/Acl.h" | |
40 | #include "auth/AclMaxUserIp.h" | |
2d2b0bb7 | 41 | #include "auth/UserRequest.h" |
d295d770 | 42 | #include "wordlist.h" |
43 | #include "ConfigParser.h" | |
48071869 | 44 | |
/*
 * Produce a heap-allocated duplicate of this ACL through the copy
 * constructor. The raw pointer is handed to the caller, which becomes
 * responsible for it.
 */
ACL *
ACLMaxUserIP::clone() const
{
    ACLMaxUserIP *duplicate = new ACLMaxUserIP(*this);
    return duplicate;
}
50 | ||
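/*
 * Construct an unconfigured max_user_ip ACL.
 * theClass: the ACL type name later reported by typeString(); the pointer
 *           is stored, not copied.
 * maximum starts at 0 so valid() fails until parse() has read a limit, and
 * strict mode is explicitly off: parse() switches it on only for "-s".
 * Setting flags.strict here makes the default independent of whatever the
 * flags type's own construction does, which is not visible from this file
 * (if it already zeroes strict, this assignment is a harmless no-op).
 */
ACLMaxUserIP::ACLMaxUserIP (char const *theClass) : class_ (theClass), maximum(0)
{
    flags.strict = 0;
}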
53 | ||
/*
 * Copy constructor: takes over the type-name pointer, the configured
 * limit and the strict flag of 'old'. This is what clone() relies on.
 */
ACLMaxUserIP::ACLMaxUserIP (ACLMaxUserIP const & old)
        : class_ (old.class_),
        maximum (old.maximum),
        flags (old.flags)
{}
56 | ||
48071869 | 57 | ACLMaxUserIP::~ACLMaxUserIP() |
58 | {} | |
59 | ||
/* The ACL type name this instance was constructed with. */
char const *
ACLMaxUserIP::typeString() const
{
    char const *typeName = class_;
    return typeName;
}
65 | ||
/*
 * A max_user_ip ACL never reports itself as empty: it holds a single
 * limit rather than a list of values, so there is nothing to be empty.
 */
bool
ACLMaxUserIP::empty () const
{
    const bool hasNoEntries = false;
    return hasNoEntries;
}
71 | ||
/*
 * The ACL is usable only once parse() has stored a positive limit.
 * An unparsed ACL (maximum still 0) and a non-positive count are both
 * rejected.
 */
bool
ACLMaxUserIP::valid () const
{
    if (maximum <= 0)
        return false;

    return true;
}
77 | ||
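/*
 * Parse the configuration tokens of a max_user_ip ACL line:
 *     [-s] <max-addresses>
 * "-s" selects strict mode (see match()); the next token is the number of
 * distinct client addresses a single user may be seen from.
 * The limit can be set only once: a later line for an already configured
 * ACL is reported at debug level 1 and otherwise ignored. A line with no
 * count leaves maximum at 0, which valid() rejects.
 */
void
ACLMaxUserIP::parse()
{
    if (maximum) {
        debugs(28, 1, "Attempting to alter already set User max IP acl");
        return;
    }

    char *t = ConfigParser::strtokFile();

    if (!t)
        return;

    debugs(28, 5, "aclParseUserMaxIP: First token is " << t);

    if (strcmp("-s", t) == 0) {
        debugs(28, 5, "aclParseUserMaxIP: Going strict");
        flags.strict = 1;
        t = ConfigParser::strtokFile();
    }

    /* "-s" with nothing after it: strict stays set, maximum stays 0 */
    if (!t)
        return;

    maximum = xatoi(t);

    debugs(28, 5, "aclParseUserMaxIP: Max IP address's " << maximum);

    /*
     * A zero or negative count is not a usable limit. valid() will refuse
     * the ACL anyway, but say why at parse time so the operator can find
     * the offending line. (How xatoi treats a non-numeric token is not
     * visible from this file.)
     */
    if (maximum <= 0)
        debugs(28, 1, "aclParseUserMaxIP: max_user_ip count must be greater than 0, got '" << t << "'");

    return;
}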
108 | ||
/*
 * aclMatchUserMaxIP - check whether a user is active from more IP addresses than allowed
 * 0 : No match (the user's address count is within the limit)
 * 1 : Match (the user is over the limit)
 */
/*
 * Decide whether 'auth_user_request' has been seen from more client
 * addresses than this ACL allows.
 *
 * Returns 0 (no match) while the user's recorded address count is within
 * 'maximum'. Otherwise the result is 1 (match), after trimming the user's
 * address list according to the configured mode:
 *   strict (-s) : only src_addr - the address that pushed the count over
 *                 the limit - is removed, presumably leaving the earlier
 *                 addresses in place so the limit keeps applying to any
 *                 further address (the helper's exact semantics live in
 *                 the auth code, not here).
 *   non-strict  : the user's whole address list is cleared so that a user
 *                 who changed machines recovers on the next request. The
 *                 flip side is that for a credential shared between too
 *                 many hosts the limit is only a one-request speed bump:
 *                 after the flush the count starts again from empty and
 *                 the next request from any of those hosts is within the
 *                 limit.
 * Every over-limit hit logs the user name at debug level 1, i.e. one log
 * line per request for a widely shared credential.
 *
 * Whether src_addr has already been counted against the user when this
 * runs is decided by the caller and the auth code; the strict branch
 * assumes it has ("remove _this_ ip").
 */
int
ACLMaxUserIP::match(AuthUserRequest::Pointer auth_user_request, Ip::Address const &src_addr)
{
    /*
     * RBC: still undecided whether hitting the limit should flush the whole
     * list, or keep it in most-recently-used order and evict the oldest.
     */
    const bool overLimit = authenticateAuthUserRequestIPCount(auth_user_request) > maximum;

    if (!overLimit)
        return 0;

    debugs(28, 1, "aclMatchUserMaxIP: user '" << auth_user_request->username() << "' tries to use too many IP addresses (max " << maximum << " allowed)!");

    /* over the limit: this is a match; now decide what the user forgets */
    if (!flags.strict) {
        /* lenient: drop every address so a user moving machines recovers */
        authenticateAuthUserRequestClearIp(auth_user_request);
        debugs(28, 4, "aclMatchUserMaxIP: Denying access in non-strict mode - flushing the user ip cache");
        return 1;
    }

    /* strict: only the address that broke the limit is removed */
    authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr);
    debugs(28, 4, "aclMatchUserMaxIP: Denying access in strict mode");
    return 1;
}
148 | ||
/*
 * ACL entry point. Runs the generic authentication check first and, only
 * when it reports 1, compares the authenticated user's address count
 * against the limit. Any other AuthenticateAcl result is passed through
 * unchanged. The checklist's auth_user_request is set to NULL once the
 * IP check has used it; why the reference is dropped here rather than
 * left to the checklist is not explained in this file.
 */
int
ACLMaxUserIP::match(ACLChecklist *cl)
{
    ACLFilledChecklist *checklist = Filled(cl);

    const int authResult = AuthenticateAcl(checklist);

    if (authResult != 1)
        return authResult;

    const int ipResult = match(checklist->auth_user_request, checklist->src_addr);

    /* the IP check has consumed the auth request; release the checklist's reference */
    checklist->auth_user_request = NULL;

    return ipResult;
}
164 | ||
/*
 * Reproduce the configuration tokens for this ACL in the order parse()
 * accepts them: "-s" when strict mode is on, then the limit. An ACL whose
 * limit was never set (maximum == 0) dumps nothing and returns NULL.
 */
wordlist *
ACLMaxUserIP::dump() const
{
    if (maximum == 0)
        return NULL;

    wordlist *tokens = NULL;

    if (flags.strict)
        wordlistAdd(&tokens, "-s");

    char countText[128];
    snprintf(countText, sizeof(countText), "%lu", (unsigned long int) maximum);
    wordlistAdd(&tokens, countText);

    return tokens;
}