/*
- * $Id$
+ * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
*
- * DEBUG: section 28 Access Control
- * AUTHOR: Duane Wessels
- *
- * SQUID Web Proxy Cache http://www.squid-cache.org/
- * ----------------------------------------------------------
- *
- * Squid is the result of efforts by numerous individuals from
- * the Internet community; see the CONTRIBUTORS file for full
- * details. Many organizations have provided support for Squid's
- * development; see the SPONSORS file for full details. Squid is
- * Copyrighted (C) 2001 by the Regents of the University of
- * California; see the COPYRIGHT file for full details. Squid
- * incorporates software developed and/or copyrighted by other
- * sources; see the CREDITS file for full details.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
- *
- *
- * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org>
+ * Squid software is distributed under GPLv2+ license and includes
+ * contributions from numerous individuals and organizations.
+ * Please see the COPYING and CONTRIBUTORS files for details.
*/
+/* DEBUG: section 28 Access Control */
+
#include "squid.h"
#include "acl/FilledChecklist.h"
#include "auth/Acl.h"
#include "auth/AclMaxUserIp.h"
#include "auth/UserRequest.h"
-#include "wordlist.h"
#include "ConfigParser.h"
+#include "Debug.h"
+#include "Parsing.h"
+#include "wordlist.h"
-ACL *
-ACLMaxUserIP::clone() const
-{
- return new ACLMaxUserIP(*this);
-}
+ACLFlag ACLMaxUserIP::SupportedFlags[] = {ACL_F_STRICT, ACL_F_END};
-ACLMaxUserIP::ACLMaxUserIP (char const *theClass) : class_ (theClass), maximum(0)
+ACLMaxUserIP::ACLMaxUserIP(char const *theClass) :
+ ACL(SupportedFlags),
+ class_(theClass),
+ maximum(0)
{}
-ACLMaxUserIP::ACLMaxUserIP (ACLMaxUserIP const & old) :class_ (old.class_), maximum (old.maximum), flags (old.flags)
-{}
+ACLMaxUserIP::ACLMaxUserIP(ACLMaxUserIP const &old) :
+ class_(old.class_),
+ maximum(old.maximum)
+{
+ flags = old.flags;
+}
ACLMaxUserIP::~ACLMaxUserIP()
{}
+ACL *
+ACLMaxUserIP::clone() const
+{
+ return new ACLMaxUserIP(*this);
+}
+
char const *
ACLMaxUserIP::typeString() const
{
}
bool
-ACLMaxUserIP::empty () const
+ACLMaxUserIP::empty() const
{
return false;
}
bool
-ACLMaxUserIP::valid () const
+ACLMaxUserIP::valid() const
{
return maximum > 0;
}
ACLMaxUserIP::parse()
{
if (maximum) {
- debugs(28, 1, "Attempting to alter already set User max IP acl");
+ debugs(28, DBG_IMPORTANT, "Attempting to alter already set User max IP acl");
return;
}
debugs(28, 5, "aclParseUserMaxIP: First token is " << t);
- if (strcmp("-s", t) == 0) {
- debugs(28, 5, "aclParseUserMaxIP: Going strict");
- flags.strict = 1;
- t = ConfigParser::strtokFile();
- }
-
- if (!t)
- return;
-
maximum = xatoi(t);
debugs(28, 5, "aclParseUserMaxIP: Max IP address's " << maximum);
* 1 : Match
*/
int
-ACLMaxUserIP::match(AuthUserRequest::Pointer auth_user_request, IpAddress const &src_addr)
+ACLMaxUserIP::match(Auth::UserRequest::Pointer auth_user_request, Ip::Address const &src_addr)
{
/*
* the logic for flush the ip list when the limit is hit vs keep
if (authenticateAuthUserRequestIPCount(auth_user_request) <= maximum)
return 0;
- debugs(28, 1, "aclMatchUserMaxIP: user '" << auth_user_request->username() << "' tries to use too many IP addresses (max " << maximum << " allowed)!");
+ debugs(28, DBG_IMPORTANT, "aclMatchUserMaxIP: user '" << auth_user_request->username() << "' tries to use too many IP addresses (max " << maximum << " allowed)!");
/* this is a match */
- if (flags.strict) {
+ if (flags.isSet(ACL_F_STRICT)) {
/*
* simply deny access - the user name is already associated with
* the request
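Review bot: The `DBG_IMPORTANT` message in this hunk streams `auth_user_request->username()` into the log verbatim, and it is emitted for every request that exceeds the limit. The username comes from the client's credentials, so unless `debugs()` or the auth layer already neutralises control characters (not visible in this diff), an embedded CR/LF could split or forge log lines. A single over-limit account can also drive important-level log volume. I would add a comment above the call, e.g. `// username is client-supplied: confirm it is sanitised before it reaches the log`, and consider moving repeat occurrences to a higher debug level. The body of this `match()` overload starts and ends outside the hunk.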
ACLMaxUserIP::match(ACLChecklist *cl)
{
ACLFilledChecklist *checklist = Filled(cl);
+ allow_t answer = AuthenticateAcl(checklist);
int ti;
- if ((ti = AuthenticateAcl(checklist)) != 1)
+ // convert to tri-state ACL match 1,0,-1
+ switch (answer) {
+ case ACCESS_ALLOWED:
+ // check for a match
+ ti = match(checklist->auth_user_request, checklist->src_addr);
+ checklist->auth_user_request = NULL;
return ti;
- ti = match(checklist->auth_user_request, checklist->src_addr);
-
- checklist->auth_user_request = NULL;
-
- return ti;
+ case ACCESS_DENIED:
+ return 0; // non-match
+
+ case ACCESS_DUNNO:
+ case ACCESS_AUTH_REQUIRED:
+ default:
+ // If the answer is not allowed or denied (matches/not matches) and
+ // async authentication is not in progress, then we are done.
+ if (checklist->keepMatching())
+ checklist->markFinished(answer, "AuthenticateAcl exception");
+ return -1; // other
+ }
}
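Review bot: `int ti;` is declared uninitialized at function scope, but it is only assigned and read inside the `ACCESS_ALLOWED` case. Scoping it there removes the uninitialized local: `case ACCESS_ALLOWED: { const int ti = match(checklist->auth_user_request, checklist->src_addr); checklist->auth_user_request = NULL; return ti; }`. Note also that `checklist->auth_user_request` is released only on that path; the `ACCESS_DENIED` and default returns leave it attached to the checklist. That appears to match the removed code, but a one-line comment saying whether it is intentional would help the next reader of this authentication path. The function's return-type line is outside the hunk.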
-wordlist *
+SBufList
ACLMaxUserIP::dump() const
{
+ SBufList sl;
if (!maximum)
- return NULL;
-
- wordlist *W = NULL;
-
- if (flags.strict)
- wordlistAdd(&W, "-s");
-
- char buf[128];
-
- snprintf(buf, sizeof(buf), "%lu", (unsigned long int) maximum);
-
- wordlistAdd(&W, buf);
-
- return W;
+ return sl;
+ SBuf s;
+ s.Printf("%d", maximum);
+ sl.push_back(s);
+ return sl;
}
+
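Review bot: `s.Printf("%d", maximum);` assumes `maximum` is an `int`, but its declaration is not part of this diff and the removed code cast it to `unsigned long` for `%lu`. If the member is wider or unsigned, this is a format/argument mismatch; either confirm the type in the header or make the conversion explicit, e.g. `s.Printf("%d", static_cast<int>(maximum));`. Separately, the new `dump()` no longer emits `-s`. Presumably the ACL base class now dumps flags registered through `SupportedFlags`, but if it does not, a dumped configuration silently loses strict mode and the reloaded ACL enforces a weaker policy. A comment in `dump()` stating where the strict flag is serialised, once confirmed, would close that question.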