2 * Copyright (C) 1996-2022 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 /* DEBUG: section 28 Access Control */
12 #include "acl/FilledChecklist.h"
14 #include "auth/AclMaxUserIp.h"
15 #include "auth/UserRequest.h"
16 #include "ConfigParser.h"
17 #include "debug/Stream.h"
21 ACLMaxUserIP::ACLMaxUserIP(char const *theClass
) :
27 ACLMaxUserIP::typeString() const
33 ACLMaxUserIP::empty() const
39 ACLMaxUserIP::valid() const
45 ACLMaxUserIP::options()
47 static const Acl::BooleanOption
BeStrict("-s");
48 static const Acl::Options MyOptions
= { &BeStrict
};
49 BeStrict
.linkWith(&beStrict
);
57 debugs(28, DBG_IMPORTANT
, "Attempting to alter already set User max IP acl");
61 char *t
= ConfigParser::strtokFile();
66 debugs(28, 5, "aclParseUserMaxIP: First token is " << t
);
70 debugs(28, 5, "aclParseUserMaxIP: Max IP address's " << maximum
);
76 * aclMatchUserMaxIP - check for users logging in from multiple IP's
81 ACLMaxUserIP::match(Auth::UserRequest::Pointer auth_user_request
, Ip::Address
const &src_addr
)
84 * the logic for flush the ip list when the limit is hit vs keep
85 * it sorted in most recent access order and just drop the oldest
86 * one off is currently undecided (RBC)
89 if (authenticateAuthUserRequestIPCount(auth_user_request
) <= maximum
)
92 debugs(28, DBG_IMPORTANT
, "aclMatchUserMaxIP: user '" << auth_user_request
->username() << "' tries to use too many IP addresses (max " << maximum
<< " allowed)!");
97 * simply deny access - the user name is already associated with
100 /* remove _this_ ip, as it is the culprit for going over the limit */
101 authenticateAuthUserRequestRemoveIp(auth_user_request
, src_addr
);
102 debugs(28, 4, "aclMatchUserMaxIP: Denying access in strict mode");
105 * non-strict - remove some/all of the cached entries
106 * ie to allow the user to move machines easily
108 authenticateAuthUserRequestClearIp(auth_user_request
);
109 debugs(28, 4, "aclMatchUserMaxIP: Denying access in non-strict mode - flushing the user ip cache");
116 ACLMaxUserIP::match(ACLChecklist
*cl
)
118 ACLFilledChecklist
*checklist
= Filled(cl
);
119 auto answer
= AuthenticateAcl(checklist
);
122 // convert to tri-state ACL match 1,0,-1
126 ti
= match(checklist
->auth_user_request
, checklist
->src_addr
);
127 checklist
->auth_user_request
= nullptr;
131 return 0; // non-match
134 case ACCESS_AUTH_REQUIRED
:
136 // If the answer is not allowed or denied (matches/not matches) and
137 // async authentication is not in progress, then we are done.
138 if (checklist
->keepMatching())
139 checklist
->markFinished(answer
, "AuthenticateAcl exception");
145 ACLMaxUserIP::dump() const
151 s
.Printf("%d", maximum
);