2 * DEBUG: section 28 Access Control
3 * AUTHOR: Duane Wessels
7 #include "acl/FilledChecklist.h"
9 #include "auth/AclMaxUserIp.h"
10 #include "auth/UserRequest.h"
14 #include "ConfigParser.h"
18 ACLMaxUserIP::clone() const
20 return new ACLMaxUserIP(*this);
23 ACLMaxUserIP::ACLMaxUserIP (char const *theClass
) : class_ (theClass
), maximum(0)
26 ACLMaxUserIP::ACLMaxUserIP (ACLMaxUserIP
const & old
) :class_ (old
.class_
), maximum (old
.maximum
), flags (old
.flags
)
29 ACLMaxUserIP::~ACLMaxUserIP()
33 ACLMaxUserIP::typeString() const
39 ACLMaxUserIP::empty () const
45 ACLMaxUserIP::valid () const
54 debugs(28, DBG_IMPORTANT
, "Attempting to alter already set User max IP acl");
58 char *t
= ConfigParser::strtokFile();
63 debugs(28, 5, "aclParseUserMaxIP: First token is " << t
);
65 if (strcmp("-s", t
) == 0) {
66 debugs(28, 5, "aclParseUserMaxIP: Going strict");
68 t
= ConfigParser::strtokFile();
76 debugs(28, 5, "aclParseUserMaxIP: Max IP address's " << maximum
);
82 * aclMatchUserMaxIP - check for users logging in from multiple IP's
87 ACLMaxUserIP::match(Auth::UserRequest::Pointer auth_user_request
, Ip::Address
const &src_addr
)
90 * the logic for flush the ip list when the limit is hit vs keep
91 * it sorted in most recent access order and just drop the oldest
92 * one off is currently undecided (RBC)
95 if (authenticateAuthUserRequestIPCount(auth_user_request
) <= maximum
)
98 debugs(28, DBG_IMPORTANT
, "aclMatchUserMaxIP: user '" << auth_user_request
->username() << "' tries to use too many IP addresses (max " << maximum
<< " allowed)!");
100 /* this is a match */
103 * simply deny access - the user name is already associated with
106 /* remove _this_ ip, as it is the culprit for going over the limit */
107 authenticateAuthUserRequestRemoveIp(auth_user_request
, src_addr
);
108 debugs(28, 4, "aclMatchUserMaxIP: Denying access in strict mode");
111 * non-strict - remove some/all of the cached entries
112 * ie to allow the user to move machines easily
114 authenticateAuthUserRequestClearIp(auth_user_request
);
115 debugs(28, 4, "aclMatchUserMaxIP: Denying access in non-strict mode - flushing the user ip cache");
122 ACLMaxUserIP::match(ACLChecklist
*cl
)
124 ACLFilledChecklist
*checklist
= Filled(cl
);
125 allow_t answer
= AuthenticateAcl(checklist
);
128 // convert to tri-state ACL match 1,0,-1
132 ti
= match(checklist
->auth_user_request
, checklist
->src_addr
);
133 checklist
->auth_user_request
= NULL
;
137 return 0; // non-match
140 case ACCESS_AUTH_REQUIRED
:
142 // If the answer is not allowed or denied (matches/not matches) and
143 // async authentication is not needed (asyncNeeded), then we are done.
144 if (!checklist
->asyncNeeded())
145 checklist
->markFinished(answer
, "AuthenticateAcl exception");
151 ACLMaxUserIP::dump() const
159 wordlistAdd(&W
, "-s");
163 snprintf(buf
, sizeof(buf
), "%lu", (unsigned long int) maximum
);
165 wordlistAdd(&W
, buf
);