[thirdparty/squid.git] / src / auth / AclMaxUserIp.cc

/*
 * $Id$
 *
 * DEBUG: section 28    Access Control
 * AUTHOR: Duane Wessels
 *
 * SQUID Web Proxy Cache          http://www.squid-cache.org/
 * ----------------------------------------------------------
 *
 *  Squid is the result of efforts by numerous individuals from
 *  the Internet community; see the CONTRIBUTORS file for full
 *  details.   Many organizations have provided support for Squid's
 *  development; see the SPONSORS file for full details.  Squid is
 *  Copyrighted (C) 2001 by the Regents of the University of
 *  California; see the COPYRIGHT file for full details.  Squid
 *  incorporates software developed and/or copyrighted by other
 *  sources; see the CREDITS file for full details.
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
 *
 *
 * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org>
 */

#include "squid.h"
#include "acl/FilledChecklist.h"
#include "auth/Acl.h"
#include "auth/AclMaxUserIp.h"
#include "auth/UserRequest.h"
#include "wordlist.h"
#include "ConfigParser.h"

ACL *
ACLMaxUserIP::clone() const
{
    return new ACLMaxUserIP(*this);
}

ACLMaxUserIP::ACLMaxUserIP (char const *theClass) : class_ (theClass), maximum(0)
{}

ACLMaxUserIP::ACLMaxUserIP (ACLMaxUserIP const & old) :class_ (old.class_), maximum (old.maximum), flags (old.flags)
{}

ACLMaxUserIP::~ACLMaxUserIP()
{}

char const *
ACLMaxUserIP::typeString() const
{
    return class_;
}

bool
ACLMaxUserIP::empty () const
{
    return false;
}

bool
ACLMaxUserIP::valid () const
{
    return maximum > 0;
}

void
ACLMaxUserIP::parse()
{
    if (maximum) {
        debugs(28, 1, "Attempting to alter already set User max IP acl");
        return;
    }

    char *t = ConfigParser::strtokFile();

    if (!t)
        return;

    debugs(28, 5, "aclParseUserMaxIP: First token is " << t);

    if (strcmp("-s", t) == 0) {
        debugs(28, 5, "aclParseUserMaxIP: Going strict");
        flags.strict = 1;
        t = ConfigParser::strtokFile();
    }

    if (!t)
        return;

    maximum = xatoi(t);

    debugs(28, 5, "aclParseUserMaxIP: Max IP address's " << maximum);

    return;
}

/*
 * aclMatchUserMaxIP - check for users logging in from multiple IP's
 * 0 : No match
 * 1 : Match
 */
int
ACLMaxUserIP::match(AuthUserRequest::Pointer auth_user_request, Ip::Address const &src_addr)
{
    /*
     * the logic for flush the ip list when the limit is hit vs keep
     * it sorted in most recent access order and just drop the oldest
     * one off is currently undecided (RBC)
     */

    if (authenticateAuthUserRequestIPCount(auth_user_request) <= maximum)
        return 0;

    debugs(28, 1, "aclMatchUserMaxIP: user '" << auth_user_request->username() << "' tries to use too many IP addresses (max " << maximum << " allowed)!");

    /* this is a match */
    if (flags.strict) {
        /*
         * simply deny access - the user name is already associated with
         * the request
         */
        /* remove _this_ ip, as it is the culprit for going over the limit */
        authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr);
        debugs(28, 4, "aclMatchUserMaxIP: Denying access in strict mode");
    } else {
        /*
         * non-strict - remove some/all of the cached entries
         * ie to allow the user to move machines easily
         */
        authenticateAuthUserRequestClearIp(auth_user_request);
        debugs(28, 4, "aclMatchUserMaxIP: Denying access in non-strict mode - flushing the user ip cache");
    }

    return 1;
}

int
ACLMaxUserIP::match(ACLChecklist *cl)
{
    ACLFilledChecklist *checklist = Filled(cl);
    int ti;

    if ((ti = AuthenticateAcl(checklist)) != 1)
        return ti;

    ti = match(checklist->auth_user_request, checklist->src_addr);

    checklist->auth_user_request = NULL;

    return ti;
}

wordlist *
ACLMaxUserIP::dump() const
{
    if (!maximum)
        return NULL;

    wordlist *W = NULL;

    if (flags.strict)
        wordlistAdd(&W, "-s");

    char buf[128];

    snprintf(buf, sizeof(buf), "%lu", (unsigned long int) maximum);

    wordlistAdd(&W, buf);

    return W;
}
Commit	Line	Data
48071869	1	/*
262a0e14	2	* $Id$
48071869	3	*
	4	* DEBUG: section 28 Access Control
	5	* AUTHOR: Duane Wessels
	6	*
	7	* SQUID Web Proxy Cache http://www.squid-cache.org/
	8	* ----------------------------------------------------------
	9	*
	10	* Squid is the result of efforts by numerous individuals from
	11	* the Internet community; see the CONTRIBUTORS file for full
	12	* details. Many organizations have provided support for Squid's
	13	* development; see the SPONSORS file for full details. Squid is
	14	* Copyrighted (C) 2001 by the Regents of the University of
	15	* California; see the COPYRIGHT file for full details. Squid
	16	* incorporates software developed and/or copyrighted by other
	17	* sources; see the CREDITS file for full details.
	18	*
	19	* This program is free software; you can redistribute it and/or modify
	20	* it under the terms of the GNU General Public License as published by
	21	* the Free Software Foundation; either version 2 of the License, or
	22	* (at your option) any later version.
26ac0430	23	*
48071869	24	* This program is distributed in the hope that it will be useful,
	25	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	26	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	27	* GNU General Public License for more details.
26ac0430	28	*
48071869	29	* You should have received a copy of the GNU General Public License
	30	* along with this program; if not, write to the Free Software
	31	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
	32	*
	33	*
	34	* Copyright (c) 2003, Robert Collins <robertc@squid-cache.org>
	35	*/
	36
	37	#include "squid.h"
c0941a6a AR	38	#include "acl/FilledChecklist.h"
	39	#include "auth/Acl.h"
	40	#include "auth/AclMaxUserIp.h"
2d2b0bb7	41	#include "auth/UserRequest.h"
d295d770	42	#include "wordlist.h"
d295d770	43	#include "ConfigParser.h"
48071869	44
48071869	45	ACL *
	46	ACLMaxUserIP::clone() const
	47	{
	48	return new ACLMaxUserIP(*this);
	49	}
	50
d295d770	51	ACLMaxUserIP::ACLMaxUserIP (char const *theClass) : class_ (theClass), maximum(0)
48071869	52	{}
48071869	53
a748a390	54	ACLMaxUserIP::ACLMaxUserIP (ACLMaxUserIP const & old) :class_ (old.class_), maximum (old.maximum), flags (old.flags)
48071869	55	{}
48071869	56
48071869	57	ACLMaxUserIP::~ACLMaxUserIP()
	58	{}
	59
	60	char const *
	61	ACLMaxUserIP::typeString() const
	62	{
	63	return class_;
	64	}
	65
4b0f5de8	66	bool
	67	ACLMaxUserIP::empty () const
	68	{
	69	return false;
	70	}
	71
48071869	72	bool
	73	ACLMaxUserIP::valid () const
	74	{
4b0f5de8	75	return maximum > 0;
48071869	76	}
	77
	78	void
	79	ACLMaxUserIP::parse()
	80	{
a748a390	81	if (maximum) {
bf8fe701	82	debugs(28, 1, "Attempting to alter already set User max IP acl");
48071869	83	return;
	84	}
	85
d295d770	86	char *t = ConfigParser::strtokFile();
48071869	87
48071869	88	if (!t)
4b0f5de8	89	return;
48071869	90
bf8fe701	91	debugs(28, 5, "aclParseUserMaxIP: First token is " << t);
48071869	92
48071869	93	if (strcmp("-s", t) == 0) {
bf8fe701	94	debugs(28, 5, "aclParseUserMaxIP: Going strict");
48071869	95	flags.strict = 1;
d295d770	96	t = ConfigParser::strtokFile();
48071869	97	}
	98
	99	if (!t)
4b0f5de8	100	return;
48071869	101
0e656b69	102	maximum = xatoi(t);
48071869	103
4a7a3d56	104	debugs(28, 5, "aclParseUserMaxIP: Max IP address's " << maximum);
48071869	105
	106	return;
	107	}
	108
	109	/*
26ac0430	110	* aclMatchUserMaxIP - check for users logging in from multiple IP's
48071869	111	* 0 : No match
26ac0430	112	* 1 : Match
48071869	113	*/
48071869	114	int
74d45fa5	115	ACLMaxUserIP::match(AuthUserRequest::Pointer auth_user_request, Ip::Address const &src_addr)
48071869	116	{
	117	/*
	118	* the logic for flush the ip list when the limit is hit vs keep
	119	* it sorted in most recent access order and just drop the oldest
	120	* one off is currently undecided (RBC)
	121	*/
	122
a748a390	123	if (authenticateAuthUserRequestIPCount(auth_user_request) <= maximum)
48071869	124	return 0;
48071869	125
bf8fe701	126	debugs(28, 1, "aclMatchUserMaxIP: user '" << auth_user_request->username() << "' tries to use too many IP addresses (max " << maximum << " allowed)!");
3b2fd4ec	127
48071869	128	/* this is a match */
26ac0430	129	if (flags.strict) {
48071869	130	/*
48071869	131	* simply deny access - the user name is already associated with
26ac0430	132	* the request
48071869	133	*/
	134	/* remove _this_ ip, as it is the culprit for going over the limit */
	135	authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr);
bf8fe701	136	debugs(28, 4, "aclMatchUserMaxIP: Denying access in strict mode");
26ac0430	137	} else {
48071869	138	/*
26ac0430	139	* non-strict - remove some/all of the cached entries
48071869	140	* ie to allow the user to move machines easily
	141	*/
	142	authenticateAuthUserRequestClearIp(auth_user_request);
bf8fe701	143	debugs(28, 4, "aclMatchUserMaxIP: Denying access in non-strict mode - flushing the user ip cache");
48071869	144	}
	145
	146	return 1;
	147	}
	148
	149	int
c0941a6a	150	ACLMaxUserIP::match(ACLChecklist *cl)
48071869	151	{
c0941a6a	152	ACLFilledChecklist *checklist = Filled(cl);
48071869	153	int ti;
48071869	154
c0941a6a	155	if ((ti = AuthenticateAcl(checklist)) != 1)
48071869	156	return ti;
	157
	158	ti = match(checklist->auth_user_request, checklist->src_addr);
	159
a33a428a	160	checklist->auth_user_request = NULL;
48071869	161
	162	return ti;
	163	}
	164
	165	wordlist *
	166	ACLMaxUserIP::dump() const
	167	{
a748a390	168	if (!maximum)
48071869	169	return NULL;
	170
	171	wordlist *W = NULL;
	172
	173	if (flags.strict)
	174	wordlistAdd(&W, "-s");
	175
	176	char buf[128];
	177
a748a390	178	snprintf(buf, sizeof(buf), "%lu", (unsigned long int) maximum);
48071869	179
	180	wordlistAdd(&W, buf);
	181
	182	return W;
	183	}