AclMaxUserIp.cc
Go to the documentation of this file.
1/*
2 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9/* DEBUG: section 28 Access Control */
10
11#include "squid.h"
12#include "acl/FilledChecklist.h"
13#include "auth/Acl.h"
14#include "auth/AclMaxUserIp.h"
15#include "auth/UserRequest.h"
16#include "ConfigParser.h"
17#include "debug/Stream.h"
18#include "Parsing.h"
19#include "wordlist.h"
20
21ACLMaxUserIP::ACLMaxUserIP(char const *theClass) :
22 class_(theClass),
23 maximum(0)
24{}
25
26char const *
28{
29 return class_;
30}
31
32bool
34{
35 return false;
36}
37
38bool
40{
41 return maximum > 0;
42}
43
44const Acl::Options &
46{
47 static const Acl::BooleanOption BeStrict("-s");
48 static const Acl::Options MyOptions = { &BeStrict };
49 BeStrict.linkWith(&beStrict);
50 return MyOptions;
51}
52
53void
55{
56 if (maximum) {
57 debugs(28, DBG_IMPORTANT, "Attempting to alter already set User max IP acl");
58 return;
59 }
60
61 char *t = ConfigParser::strtokFile();
62
63 if (!t)
64 return;
65
66 debugs(28, 5, "aclParseUserMaxIP: First token is " << t);
67
68 maximum = xatoi(t);
69
70 debugs(28, 5, "aclParseUserMaxIP: Max IP address's " << maximum);
71
72 return;
73}
74
75/*
76 * aclMatchUserMaxIP - check for users logging in from multiple IP's
77 * 0 : No match
78 * 1 : Match
79 */
80int
82{
83 /*
84 * the logic for flush the ip list when the limit is hit vs keep
85 * it sorted in most recent access order and just drop the oldest
86 * one off is currently undecided (RBC)
87 */
88
89 if (authenticateAuthUserRequestIPCount(auth_user_request) <= maximum)
90 return 0;
91
92 debugs(28, DBG_IMPORTANT, "aclMatchUserMaxIP: user '" << auth_user_request->username() << "' tries to use too many IP addresses (max " << maximum << " allowed)!");
93
94 /* this is a match */
95 if (beStrict) {
96 /*
97 * simply deny access - the user name is already associated with
98 * the request
99 */
100 /* remove _this_ ip, as it is the culprit for going over the limit */
101 authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr);
102 debugs(28, 4, "aclMatchUserMaxIP: Denying access in strict mode");
103 } else {
104 /*
105 * non-strict - remove some/all of the cached entries
106 * ie to allow the user to move machines easily
107 */
108 authenticateAuthUserRequestClearIp(auth_user_request);
109 debugs(28, 4, "aclMatchUserMaxIP: Denying access in non-strict mode - flushing the user ip cache");
110 }
111
112 return 1;
113}
114
115int
117{
118 ACLFilledChecklist *checklist = Filled(cl);
119 auto answer = AuthenticateAcl(checklist);
120 int ti;
121
122 // convert to tri-state ACL match 1,0,-1
123 switch (answer) {
124 case ACCESS_ALLOWED:
125 // check for a match
126 ti = match(checklist->auth_user_request, checklist->src_addr);
127 checklist->auth_user_request = nullptr;
128 return ti;
129
130 case ACCESS_DENIED:
131 return 0; // non-match
132
133 case ACCESS_DUNNO:
135 default:
136 // If the answer is not allowed or denied (matches/not matches) and
137 // async authentication is not in progress, then we are done.
138 if (checklist->keepMatching())
139 checklist->markFinished(answer, "AuthenticateAcl exception");
140 return -1; // other
141 }
142}
143
146{
147 SBufList sl;
148 if (!maximum)
149 return sl;
150 SBuf s;
151 s.Printf("%d", maximum);
152 sl.push_back(s);
153 return sl;
154}
155
ACLFilledChecklist * Filled(ACLChecklist *checklist)
convenience and safety wrapper for dynamic_cast<ACLFilledChecklist*>
int xatoi(const char *token)
Definition: Parsing.cc:44
void authenticateAuthUserRequestClearIp(Auth::UserRequest::Pointer auth_user_request)
Definition: UserRequest.cc:158
void authenticateAuthUserRequestRemoveIp(Auth::UserRequest::Pointer auth_user_request, Ip::Address const &ipaddr)
Definition: UserRequest.cc:147
int authenticateAuthUserRequestIPCount(Auth::UserRequest::Pointer auth_user_request)
Definition: UserRequest.cc:165
Acl::Answer AuthenticateAcl(ACLChecklist *ch)
Definition: Acl.cc:28
void markFinished(const Acl::Answer &newAnswer, const char *reason)
Definition: Checklist.cc:57
bool keepMatching() const
Whether we should continue to match tree nodes or stop/pause.
Definition: Checklist.h:146
Ip::Address src_addr
Auth::UserRequest::Pointer auth_user_request
void parse() override
parses node representation in squid.conf; dies on failures
Definition: AclMaxUserIp.cc:54
bool valid() const override
Definition: AclMaxUserIp.cc:39
Acl::BooleanOptionValue beStrict
Enforce "one user, one device" policy?
Definition: AclMaxUserIp.h:39
bool empty() const override
Definition: AclMaxUserIp.cc:33
int match(ACLChecklist *cl) override
Matches the actual data in checklist against this ACL.
char const * class_
Definition: AclMaxUserIp.h:42
ACLMaxUserIP(char const *theClass)
Definition: AclMaxUserIp.cc:21
const Acl::Options & options() override
Definition: AclMaxUserIp.cc:45
char const * typeString() const override
Definition: AclMaxUserIp.cc:27
SBufList dump() const override
a type-specific Option (e.g., a boolean –toggle or -m=SBuf)
Definition: Options.h:130
void linkWith(Recipient *recipient) const
who to tell when this option is enabled
Definition: Options.h:137
char const * username() const
Definition: UserRequest.cc:32
static char * strtokFile()
Definition: ConfigParser.cc:65
Definition: SBuf.h:94
SBuf & Printf(const char *fmt,...) PRINTF_FORMAT_ARG2
Definition: SBuf.cc:214
#define DBG_IMPORTANT
Definition: Stream.h:38
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Stream.h:194
@ ACCESS_AUTH_REQUIRED
Definition: Acl.h:120
@ ACCESS_DENIED
Definition: Acl.h:115
@ ACCESS_ALLOWED
Definition: Acl.h:116
@ ACCESS_DUNNO
Definition: Acl.h:117
std::vector< const Option * > Options
Definition: Options.h:214
std::list< SBuf > SBufList
Definition: forward.h:23

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors