src/auth/AclMaxUserIp.cc

   1 /*
   2  * $Id$
   3  *
   4  * DEBUG: section 28    Access Control
   5  * AUTHOR: Duane Wessels
   6  *
   7  * SQUID Web Proxy Cache          http://www.squid-cache.org/
   8  * ----------------------------------------------------------
   9  *
  10  *  Squid is the result of efforts by numerous individuals from
  11  *  the Internet community; see the CONTRIBUTORS file for full
  12  *  details.   Many organizations have provided support for Squid's
  13  *  development; see the SPONSORS file for full details.  Squid is
  14  *  Copyrighted (C) 2001 by the Regents of the University of
  15  *  California; see the COPYRIGHT file for full details.  Squid
  16  *  incorporates software developed and/or copyrighted by other
  17  *  sources; see the CREDITS file for full details.
  18  *
  19  *  This program is free software; you can redistribute it and/or modify
  20  *  it under the terms of the GNU General Public License as published by
  21  *  the Free Software Foundation; either version 2 of the License, or
  22  *  (at your option) any later version.
  23  *
  24  *  This program is distributed in the hope that it will be useful,
  25  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  26  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  27  *  GNU General Public License for more details.
  28  *
  29  *  You should have received a copy of the GNU General Public License
  30  *  along with this program; if not, write to the Free Software
  31  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
  32  *
  33  *
  34  * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org>
  35  */
  36
  37 #include "squid.h"
  38 #include "acl/FilledChecklist.h"
  39 #include "auth/Acl.h"
  40 #include "auth/AclMaxUserIp.h"
  41 #include "auth/UserRequest.h"
  42 #include "wordlist.h"
  43 #include "ConfigParser.h"
  44
  45 ACL *
  46 ACLMaxUserIP::clone() const
  47 {
  48     return new ACLMaxUserIP(*this);
  49 }
  50
  51 ACLMaxUserIP::ACLMaxUserIP (char const *theClass) : class_ (theClass), maximum(0)
  52 {}
  53
  54 ACLMaxUserIP::ACLMaxUserIP (ACLMaxUserIP const & old) :class_ (old.class_), maximum (old.maximum), flags (old.flags)
  55 {}
  56
  57 ACLMaxUserIP::~ACLMaxUserIP()
  58 {}
  59
  60 char const *
  61 ACLMaxUserIP::typeString() const
  62 {
  63     return class_;
  64 }
  65
  66 bool
  67 ACLMaxUserIP::empty () const
  68 {
  69     return false;
  70 }
  71
  72 bool
  73 ACLMaxUserIP::valid () const
  74 {
  75     return maximum > 0;
  76 }
  77
  78 void
  79 ACLMaxUserIP::parse()
  80 {
  81     if (maximum) {
  82         debugs(28, 1, "Attempting to alter already set User max IP acl");
  83         return;
  84     }
  85
  86     char *t = ConfigParser::strtokFile();
  87
  88     if (!t)
  89         return;
  90
  91     debugs(28, 5, "aclParseUserMaxIP: First token is " << t);
  92
  93     if (strcmp("-s", t) == 0) {
  94         debugs(28, 5, "aclParseUserMaxIP: Going strict");
  95         flags.strict = 1;
  96         t = ConfigParser::strtokFile();
  97     }
  98
  99     if (!t)
 100         return;
 101
 102     maximum = xatoi(t);
 103
 104     debugs(28, 5, "aclParseUserMaxIP: Max IP address's " << maximum);
 105
 106     return;
 107 }
 108
 109 /*
 110  * aclMatchUserMaxIP - check for users logging in from multiple IP's
 111  * 0 : No match
 112  * 1 : Match
 113  */
 114 int
 115 ACLMaxUserIP::match(AuthUserRequest * auth_user_request,
 116
 117                     IpAddress const &src_addr)
 118 {
 119     /*
 120      * the logic for flush the ip list when the limit is hit vs keep
 121      * it sorted in most recent access order and just drop the oldest
 122      * one off is currently undecided (RBC)
 123      */
 124
 125     if (authenticateAuthUserRequestIPCount(auth_user_request) <= maximum)
 126         return 0;
 127
 128     debugs(28, 1, "aclMatchUserMaxIP: user '" << auth_user_request->username() << "' tries to use too many IP addresses (max " << maximum << " allowed)!");
 129
 130     /* this is a match */
 131     if (flags.strict) {
 132         /*
 133          * simply deny access - the user name is already associated with
 134          * the request
 135          */
 136         /* remove _this_ ip, as it is the culprit for going over the limit */
 137         authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr);
 138         debugs(28, 4, "aclMatchUserMaxIP: Denying access in strict mode");
 139     } else {
 140         /*
 141          * non-strict - remove some/all of the cached entries
 142          * ie to allow the user to move machines easily
 143          */
 144         authenticateAuthUserRequestClearIp(auth_user_request);
 145         debugs(28, 4, "aclMatchUserMaxIP: Denying access in non-strict mode - flushing the user ip cache");
 146     }
 147
 148     return 1;
 149 }
 150
 151 int
 152 ACLMaxUserIP::match(ACLChecklist *cl)
 153 {
 154     ACLFilledChecklist *checklist = Filled(cl);
 155     int ti;
 156
 157     if ((ti = AuthenticateAcl(checklist)) != 1)
 158         return ti;
 159
 160     ti = match(checklist->auth_user_request, checklist->src_addr);
 161
 162     AUTHUSERREQUESTUNLOCK(checklist->auth_user_request, "ACLChecklist via ACLMaxUserIP");
 163
 164     return ti;
 165 }
 166
 167 wordlist *
 168 ACLMaxUserIP::dump() const
 169 {
 170     if (!maximum)
 171         return NULL;
 172
 173     wordlist *W = NULL;
 174
 175     if (flags.strict)
 176         wordlistAdd(&W, "-s");
 177
 178     char buf[128];
 179
 180     snprintf(buf, sizeof(buf), "%lu", (unsigned long int) maximum);
 181
 182     wordlistAdd(&W, buf);
 183
 184     return W;
 185 }