src/auth/AclMaxUserIp.cc

   1 /*
   2  * $Id$
   3  *
   4  * DEBUG: section 28    Access Control
   5  * AUTHOR: Duane Wessels
   6  *
   7  * SQUID Web Proxy Cache          http://www.squid-cache.org/
   8  * ----------------------------------------------------------
   9  *
  10  *  Squid is the result of efforts by numerous individuals from
  11  *  the Internet community; see the CONTRIBUTORS file for full
  12  *  details.   Many organizations have provided support for Squid's
  13  *  development; see the SPONSORS file for full details.  Squid is
  14  *  Copyrighted (C) 2001 by the Regents of the University of
  15  *  California; see the COPYRIGHT file for full details.  Squid
  16  *  incorporates software developed and/or copyrighted by other
  17  *  sources; see the CREDITS file for full details.
  18  *
  19  *  This program is free software; you can redistribute it and/or modify
  20  *  it under the terms of the GNU General Public License as published by
  21  *  the Free Software Foundation; either version 2 of the License, or
  22  *  (at your option) any later version.
  23  *
  24  *  This program is distributed in the hope that it will be useful,
  25  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  26  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  27  *  GNU General Public License for more details.
  28  *
  29  *  You should have received a copy of the GNU General Public License
  30  *  along with this program; if not, write to the Free Software
  31  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
  32  *
  33  *
  34  * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org>
  35  */
  36
  37 #include "squid.h"
  38 #include "acl/FilledChecklist.h"
  39 #include "auth/Acl.h"
  40 #include "auth/AclMaxUserIp.h"
  41 #include "auth/UserRequest.h"
  42 #include "wordlist.h"
  43 #include "ConfigParser.h"
  44
  45 ACL::Prototype ACLMaxUserIP::RegistryProtoype(&ACLMaxUserIP::RegistryEntry_, "max_user_ip");
  46
  47 ACLMaxUserIP ACLMaxUserIP::RegistryEntry_("max_user_ip");
  48
  49 ACL *
  50 ACLMaxUserIP::clone() const
  51 {
  52     return new ACLMaxUserIP(*this);
  53 }
  54
  55 ACLMaxUserIP::ACLMaxUserIP (char const *theClass) : class_ (theClass), maximum(0)
  56 {}
  57
  58 ACLMaxUserIP::ACLMaxUserIP (ACLMaxUserIP const & old) :class_ (old.class_), maximum (old.maximum), flags (old.flags)
  59 {}
  60
  61 ACLMaxUserIP::~ACLMaxUserIP()
  62 {}
  63
  64 char const *
  65 ACLMaxUserIP::typeString() const
  66 {
  67     return class_;
  68 }
  69
  70 bool
  71 ACLMaxUserIP::empty () const
  72 {
  73     return false;
  74 }
  75
  76 bool
  77 ACLMaxUserIP::valid () const
  78 {
  79     return maximum > 0;
  80 }
  81
  82 void
  83 ACLMaxUserIP::parse()
  84 {
  85     if (maximum) {
  86         debugs(28, 1, "Attempting to alter already set User max IP acl");
  87         return;
  88     }
  89
  90     char *t = ConfigParser::strtokFile();
  91
  92     if (!t)
  93         return;
  94
  95     debugs(28, 5, "aclParseUserMaxIP: First token is " << t);
  96
  97     if (strcmp("-s", t) == 0) {
  98         debugs(28, 5, "aclParseUserMaxIP: Going strict");
  99         flags.strict = 1;
 100         t = ConfigParser::strtokFile();
 101     }
 102
 103     if (!t)
 104         return;
 105
 106     maximum = xatoi(t);
 107
 108     debugs(28, 5, "aclParseUserMaxIP: Max IP address's " << maximum);
 109
 110     return;
 111 }
 112
 113 /*
 114  * aclMatchUserMaxIP - check for users logging in from multiple IP's
 115  * 0 : No match
 116  * 1 : Match
 117  */
 118 int
 119 ACLMaxUserIP::match(AuthUserRequest * auth_user_request,
 120
 121                     IpAddress const &src_addr)
 122 {
 123     /*
 124      * the logic for flush the ip list when the limit is hit vs keep
 125      * it sorted in most recent access order and just drop the oldest
 126      * one off is currently undecided (RBC)
 127      */
 128
 129     if (authenticateAuthUserRequestIPCount(auth_user_request) <= maximum)
 130         return 0;
 131
 132     debugs(28, 1, "aclMatchUserMaxIP: user '" << auth_user_request->username() << "' tries to use too many IP addresses (max " << maximum << " allowed)!");
 133
 134     /* this is a match */
 135     if (flags.strict) {
 136         /*
 137          * simply deny access - the user name is already associated with
 138          * the request
 139          */
 140         /* remove _this_ ip, as it is the culprit for going over the limit */
 141         authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr);
 142         debugs(28, 4, "aclMatchUserMaxIP: Denying access in strict mode");
 143     } else {
 144         /*
 145          * non-strict - remove some/all of the cached entries
 146          * ie to allow the user to move machines easily
 147          */
 148         authenticateAuthUserRequestClearIp(auth_user_request);
 149         debugs(28, 4, "aclMatchUserMaxIP: Denying access in non-strict mode - flushing the user ip cache");
 150     }
 151
 152     return 1;
 153 }
 154
 155 int
 156 ACLMaxUserIP::match(ACLChecklist *cl)
 157 {
 158     ACLFilledChecklist *checklist = Filled(cl);
 159     int ti;
 160
 161     if ((ti = AuthenticateAcl(checklist)) != 1)
 162         return ti;
 163
 164     ti = match(checklist->auth_user_request, checklist->src_addr);
 165
 166     AUTHUSERREQUESTUNLOCK(checklist->auth_user_request, "ACLChecklist via ACLMaxUserIP");
 167
 168     return ti;
 169 }
 170
 171 wordlist *
 172 ACLMaxUserIP::dump() const
 173 {
 174     if (!maximum)
 175         return NULL;
 176
 177     wordlist *W = NULL;
 178
 179     if (flags.strict)
 180         wordlistAdd(&W, "-s");
 181
 182     char buf[128];
 183
 184     snprintf(buf, sizeof(buf), "%lu", (unsigned long int) maximum);
 185
 186     wordlistAdd(&W, buf);
 187
 188     return W;
 189 }