src/auth/AclMaxUserIp.cc

   1 /*
   2  * $Id$
   3  *
   4  * DEBUG: section 28    Access Control
   5  * AUTHOR: Duane Wessels
   6  *
   7  * SQUID Web Proxy Cache          http://www.squid-cache.org/
   8  * ----------------------------------------------------------
   9  *
  10  *  Squid is the result of efforts by numerous individuals from
  11  *  the Internet community; see the CONTRIBUTORS file for full
  12  *  details.   Many organizations have provided support for Squid's
  13  *  development; see the SPONSORS file for full details.  Squid is
  14  *  Copyrighted (C) 2001 by the Regents of the University of
  15  *  California; see the COPYRIGHT file for full details.  Squid
  16  *  incorporates software developed and/or copyrighted by other
  17  *  sources; see the CREDITS file for full details.
  18  *
  19  *  This program is free software; you can redistribute it and/or modify
  20  *  it under the terms of the GNU General Public License as published by
  21  *  the Free Software Foundation; either version 2 of the License, or
  22  *  (at your option) any later version.
  23  *
  24  *  This program is distributed in the hope that it will be useful,
  25  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  26  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  27  *  GNU General Public License for more details.
  28  *
  29  *  You should have received a copy of the GNU General Public License
  30  *  along with this program; if not, write to the Free Software
  31  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
  32  *
  33  *
  34  * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org>
  35  */
  36
  37 #include "squid-old.h"
  38 #include "acl/FilledChecklist.h"
  39 #include "auth/Acl.h"
  40 #include "auth/AclMaxUserIp.h"
  41 #include "auth/UserRequest.h"
  42 #include "wordlist.h"
  43 #include "ConfigParser.h"
  44
  45 ACL *
  46 ACLMaxUserIP::clone() const
  47 {
  48     return new ACLMaxUserIP(*this);
  49 }
  50
  51 ACLMaxUserIP::ACLMaxUserIP (char const *theClass) : class_ (theClass), maximum(0)
  52 {}
  53
  54 ACLMaxUserIP::ACLMaxUserIP (ACLMaxUserIP const & old) :class_ (old.class_), maximum (old.maximum), flags (old.flags)
  55 {}
  56
  57 ACLMaxUserIP::~ACLMaxUserIP()
  58 {}
  59
  60 char const *
  61 ACLMaxUserIP::typeString() const
  62 {
  63     return class_;
  64 }
  65
  66 bool
  67 ACLMaxUserIP::empty () const
  68 {
  69     return false;
  70 }
  71
  72 bool
  73 ACLMaxUserIP::valid () const
  74 {
  75     return maximum > 0;
  76 }
  77
  78 void
  79 ACLMaxUserIP::parse()
  80 {
  81     if (maximum) {
  82         debugs(28, 1, "Attempting to alter already set User max IP acl");
  83         return;
  84     }
  85
  86     char *t = ConfigParser::strtokFile();
  87
  88     if (!t)
  89         return;
  90
  91     debugs(28, 5, "aclParseUserMaxIP: First token is " << t);
  92
  93     if (strcmp("-s", t) == 0) {
  94         debugs(28, 5, "aclParseUserMaxIP: Going strict");
  95         flags.strict = 1;
  96         t = ConfigParser::strtokFile();
  97     }
  98
  99     if (!t)
 100         return;
 101
 102     maximum = xatoi(t);
 103
 104     debugs(28, 5, "aclParseUserMaxIP: Max IP address's " << maximum);
 105
 106     return;
 107 }
 108
 109 /*
 110  * aclMatchUserMaxIP - check for users logging in from multiple IP's
 111  * 0 : No match
 112  * 1 : Match
 113  */
 114 int
 115 ACLMaxUserIP::match(Auth::UserRequest::Pointer auth_user_request, Ip::Address const &src_addr)
 116 {
 117     /*
 118      * the logic for flush the ip list when the limit is hit vs keep
 119      * it sorted in most recent access order and just drop the oldest
 120      * one off is currently undecided (RBC)
 121      */
 122
 123     if (authenticateAuthUserRequestIPCount(auth_user_request) <= maximum)
 124         return 0;
 125
 126     debugs(28, 1, "aclMatchUserMaxIP: user '" << auth_user_request->username() << "' tries to use too many IP addresses (max " << maximum << " allowed)!");
 127
 128     /* this is a match */
 129     if (flags.strict) {
 130         /*
 131          * simply deny access - the user name is already associated with
 132          * the request
 133          */
 134         /* remove _this_ ip, as it is the culprit for going over the limit */
 135         authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr);
 136         debugs(28, 4, "aclMatchUserMaxIP: Denying access in strict mode");
 137     } else {
 138         /*
 139          * non-strict - remove some/all of the cached entries
 140          * ie to allow the user to move machines easily
 141          */
 142         authenticateAuthUserRequestClearIp(auth_user_request);
 143         debugs(28, 4, "aclMatchUserMaxIP: Denying access in non-strict mode - flushing the user ip cache");
 144     }
 145
 146     return 1;
 147 }
 148
 149 int
 150 ACLMaxUserIP::match(ACLChecklist *cl)
 151 {
 152     ACLFilledChecklist *checklist = Filled(cl);
 153     allow_t answer = AuthenticateAcl(checklist);
 154     checklist->currentAnswer(answer);
 155     int ti;
 156
 157     // convert to tri-state ACL match 1,0,-1
 158     switch (answer) {
 159     case ACCESS_ALLOWED:
 160     case ACCESS_AUTH_EXPIRED_OK:
 161         // check for a match
 162         ti = match(checklist->auth_user_request, checklist->src_addr);
 163         checklist->auth_user_request = NULL;
 164         return ti;
 165
 166     case ACCESS_DENIED:
 167     case ACCESS_AUTH_EXPIRED_BAD:
 168         return 0; // non-match
 169
 170     case ACCESS_DUNNO:
 171     case ACCESS_AUTH_REQUIRED:
 172     default:
 173         return -1; // other
 174     }
 175 }
 176
 177 wordlist *
 178 ACLMaxUserIP::dump() const
 179 {
 180     if (!maximum)
 181         return NULL;
 182
 183     wordlist *W = NULL;
 184
 185     if (flags.strict)
 186         wordlistAdd(&W, "-s");
 187
 188     char buf[128];
 189
 190     snprintf(buf, sizeof(buf), "%lu", (unsigned long int) maximum);
 191
 192     wordlistAdd(&W, buf);
 193
 194     return W;
 195 }