2 * DEBUG: section 28 Access Control
3 * AUTHOR: Duane Wessels
7 #include "acl/FilledChecklist.h"
9 #include "auth/AclMaxUserIp.h"
10 #include "auth/UserRequest.h"
11 #include "ConfigParser.h"
16 ACLFlag
ACLMaxUserIP::SupportedFlags
[] = {ACL_F_STRICT
, ACL_F_END
};
18 ACLMaxUserIP::ACLMaxUserIP(char const *theClass
) :
24 ACLMaxUserIP::ACLMaxUserIP(ACLMaxUserIP
const &old
) :
31 ACLMaxUserIP::~ACLMaxUserIP()
35 ACLMaxUserIP::clone() const
37 return new ACLMaxUserIP(*this);
41 ACLMaxUserIP::typeString() const
47 ACLMaxUserIP::empty() const
53 ACLMaxUserIP::valid() const
62 debugs(28, DBG_IMPORTANT
, "Attempting to alter already set User max IP acl");
66 char *t
= ConfigParser::strtokFile();
71 debugs(28, 5, "aclParseUserMaxIP: First token is " << t
);
75 debugs(28, 5, "aclParseUserMaxIP: Max IP address's " << maximum
);
81 * aclMatchUserMaxIP - check for users logging in from multiple IP's
86 ACLMaxUserIP::match(Auth::UserRequest::Pointer auth_user_request
, Ip::Address
const &src_addr
)
89 * the logic for flush the ip list when the limit is hit vs keep
90 * it sorted in most recent access order and just drop the oldest
91 * one off is currently undecided (RBC)
94 if (authenticateAuthUserRequestIPCount(auth_user_request
) <= maximum
)
97 debugs(28, DBG_IMPORTANT
, "aclMatchUserMaxIP: user '" << auth_user_request
->username() << "' tries to use too many IP addresses (max " << maximum
<< " allowed)!");
100 if (flags
.isSet(ACL_F_STRICT
)) {
102 * simply deny access - the user name is already associated with
105 /* remove _this_ ip, as it is the culprit for going over the limit */
106 authenticateAuthUserRequestRemoveIp(auth_user_request
, src_addr
);
107 debugs(28, 4, "aclMatchUserMaxIP: Denying access in strict mode");
110 * non-strict - remove some/all of the cached entries
111 * ie to allow the user to move machines easily
113 authenticateAuthUserRequestClearIp(auth_user_request
);
114 debugs(28, 4, "aclMatchUserMaxIP: Denying access in non-strict mode - flushing the user ip cache");
121 ACLMaxUserIP::match(ACLChecklist
*cl
)
123 ACLFilledChecklist
*checklist
= Filled(cl
);
124 allow_t answer
= AuthenticateAcl(checklist
);
127 // convert to tri-state ACL match 1,0,-1
131 ti
= match(checklist
->auth_user_request
, checklist
->src_addr
);
132 checklist
->auth_user_request
= NULL
;
136 return 0; // non-match
139 case ACCESS_AUTH_REQUIRED
:
141 // If the answer is not allowed or denied (matches/not matches) and
142 // async authentication is not in progress, then we are done.
143 if (checklist
->keepMatching())
144 checklist
->markFinished(answer
, "AuthenticateAcl exception");
150 ACLMaxUserIP::dump() const
156 s
.Printf("%lu", (unsigned long int) maximum
);