AclMaxUserIp.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2022 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /* DEBUG: section 28 Access Control */
10 
11 #include "squid.h"
12 #include "acl/FilledChecklist.h"
13 #include "auth/Acl.h"
14 #include "auth/AclMaxUserIp.h"
15 #include "auth/UserRequest.h"
16 #include "ConfigParser.h"
17 #include "debug/Stream.h"
18 #include "Parsing.h"
19 #include "wordlist.h"
20 
21 ACLMaxUserIP::ACLMaxUserIP(char const *theClass) :
22  class_(theClass),
23  maximum(0)
24 {}
25 
26 char const *
28 {
29  return class_;
30 }
31 
32 bool
34 {
35  return false;
36 }
37 
38 bool
40 {
41  return maximum > 0;
42 }
43 
44 const Acl::Options &
46 {
47  static const Acl::BooleanOption BeStrict("-s");
48  static const Acl::Options MyOptions = { &BeStrict };
49  BeStrict.linkWith(&beStrict);
50  return MyOptions;
51 }
52 
53 void
55 {
56  if (maximum) {
57  debugs(28, DBG_IMPORTANT, "Attempting to alter already set User max IP acl");
58  return;
59  }
60 
61  char *t = ConfigParser::strtokFile();
62 
63  if (!t)
64  return;
65 
66  debugs(28, 5, "aclParseUserMaxIP: First token is " << t);
67 
68  maximum = xatoi(t);
69 
70  debugs(28, 5, "aclParseUserMaxIP: Max IP address's " << maximum);
71 
72  return;
73 }
74 
75 /*
76  * aclMatchUserMaxIP - check for users logging in from multiple IP's
77  * 0 : No match
78  * 1 : Match
79  */
80 int
81 ACLMaxUserIP::match(Auth::UserRequest::Pointer auth_user_request, Ip::Address const &src_addr)
82 {
83  /*
84  * the logic for flush the ip list when the limit is hit vs keep
85  * it sorted in most recent access order and just drop the oldest
86  * one off is currently undecided (RBC)
87  */
88 
89  if (authenticateAuthUserRequestIPCount(auth_user_request) <= maximum)
90  return 0;
91 
92  debugs(28, DBG_IMPORTANT, "aclMatchUserMaxIP: user '" << auth_user_request->username() << "' tries to use too many IP addresses (max " << maximum << " allowed)!");
93 
94  /* this is a match */
95  if (beStrict) {
96  /*
97  * simply deny access - the user name is already associated with
98  * the request
99  */
100  /* remove _this_ ip, as it is the culprit for going over the limit */
101  authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr);
102  debugs(28, 4, "aclMatchUserMaxIP: Denying access in strict mode");
103  } else {
104  /*
105  * non-strict - remove some/all of the cached entries
106  * ie to allow the user to move machines easily
107  */
108  authenticateAuthUserRequestClearIp(auth_user_request);
109  debugs(28, 4, "aclMatchUserMaxIP: Denying access in non-strict mode - flushing the user ip cache");
110  }
111 
112  return 1;
113 }
114 
115 int
117 {
118  ACLFilledChecklist *checklist = Filled(cl);
119  auto answer = AuthenticateAcl(checklist);
120  int ti;
121 
122  // convert to tri-state ACL match 1,0,-1
123  switch (answer) {
124  case ACCESS_ALLOWED:
125  // check for a match
126  ti = match(checklist->auth_user_request, checklist->src_addr);
127  checklist->auth_user_request = NULL;
128  return ti;
129 
130  case ACCESS_DENIED:
131  return 0; // non-match
132 
133  case ACCESS_DUNNO:
135  default:
136  // If the answer is not allowed or denied (matches/not matches) and
137  // async authentication is not in progress, then we are done.
138  if (checklist->keepMatching())
139  checklist->markFinished(answer, "AuthenticateAcl exception");
140  return -1; // other
141  }
142 }
143 
144 SBufList
146 {
147  SBufList sl;
148  if (!maximum)
149  return sl;
150  SBuf s;
151  s.Printf("%d", maximum);
152  sl.push_back(s);
153  return sl;
154 }
155 
virtual const Acl::Options & options()
Definition: AclMaxUserIp.cc:45
virtual char const * typeString() const
Definition: AclMaxUserIp.cc:27
a type-specific Option (e.g., a boolean –toggle or -m=SBuf)
Definition: Options.h:130
Ip::Address src_addr
std::vector< const Option * > Options
Definition: Options.h:214
static char * strtokFile()
Definition: ConfigParser.cc:64
virtual bool valid() const
Definition: AclMaxUserIp.cc:39
std::list< SBuf > SBufList
Definition: forward.h:22
bool keepMatching() const
Whether we should continue to match tree nodes or stop/pause.
Definition: Checklist.h:146
Definition: SBuf.h:94
void linkWith(Recipient *recipient) const
who to tell when this option is enabled
Definition: Options.h:137
virtual SBufList dump() const
SBuf & Printf(const char *fmt,...)
Definition: SBuf.cc:214
virtual bool empty() const
Definition: AclMaxUserIp.cc:33
virtual int match(ACLChecklist *cl)
Matches the actual data in checklist against this ACL.
@ ACCESS_AUTH_REQUIRED
Definition: Acl.h:114
void authenticateAuthUserRequestRemoveIp(Auth::UserRequest::Pointer auth_user_request, Ip::Address const &ipaddr)
Definition: UserRequest.cc:147
#define NULL
Definition: types.h:166
ACLMaxUserIP(char const *theClass)
Definition: AclMaxUserIp.cc:21
ACLFilledChecklist * Filled(ACLChecklist *checklist)
convenience and safety wrapper for dynamic_cast<ACLFilledChecklist*>
void markFinished(const Acl::Answer &newAnswer, const char *reason)
Definition: Checklist.cc:57
int xatoi(const char *token)
Definition: Parsing.cc:44
Acl::BooleanOptionValue beStrict
Enforce "one user, one device" policy?
Definition: AclMaxUserIp.h:39
int authenticateAuthUserRequestIPCount(Auth::UserRequest::Pointer auth_user_request)
Definition: UserRequest.cc:165
Acl::Answer AuthenticateAcl(ACLChecklist *ch)
Definition: Acl.cc:28
char const * username() const
Definition: UserRequest.cc:32
@ ACCESS_ALLOWED
Definition: Acl.h:110
@ ACCESS_DENIED
Definition: Acl.h:109
#define DBG_IMPORTANT
Definition: Stream.h:41
virtual void parse()
parses node representation in squid.conf; dies on failures
Definition: AclMaxUserIp.cc:54
@ ACCESS_DUNNO
Definition: Acl.h:111
char const * class_
Definition: AclMaxUserIp.h:42
void authenticateAuthUserRequestClearIp(Auth::UserRequest::Pointer auth_user_request)
Definition: UserRequest.cc:158
Auth::UserRequest::Pointer auth_user_request
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Stream.h:196

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors