|
|
|
@ -50,35 +50,35 @@ route[AUTHORIZATION] |
|
|
|
route[AUTHORIZATION_CHECK] |
|
|
|
{ |
|
|
|
|
|
|
|
route(AUTHORIZATION_CHECK_TRUSTED); |
|
|
|
route(AUTHORIZATION_CHECK_REGISTERED); |
|
|
|
route(AUTHORIZATION_CHECK_TRUSTED); |
|
|
|
route(AUTHORIZATION_CHECK_REGISTERED); |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
route[AUTHORIZATION_CHECK_TRUSTED] |
|
|
|
{ |
|
|
|
if (isflagset(FLAG_AUTHORIZED)) return; |
|
|
|
if (isflagset(FLAG_AUTHORIZED)) return; |
|
|
|
|
|
|
|
if (isflagset(FLAG_TRUSTED_SOURCE)) { |
|
|
|
route(SETUP_AUTH_ORIGIN); |
|
|
|
route(SETUP_AUTH_TRUSTED); |
|
|
|
setflag(FLAG_AUTHORIZED); |
|
|
|
} |
|
|
|
if (isflagset(FLAG_TRUSTED_SOURCE)) { |
|
|
|
route(SETUP_AUTH_ORIGIN); |
|
|
|
route(SETUP_AUTH_TRUSTED); |
|
|
|
setflag(FLAG_AUTHORIZED); |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
route[AUTHORIZATION_CHECK_REGISTERED] |
|
|
|
{ |
|
|
|
if (isflagset(FLAG_AUTHORIZED)) return; |
|
|
|
if (isflagset(FLAG_AUTHORIZED)) return; |
|
|
|
|
|
|
|
#!ifdef REGISTRAR_ROLE |
|
|
|
#!ifdef REGISTRAR_ROLE |
|
|
|
$xavp(regcfg=>match_received) = $su; |
|
|
|
if (registered("location","sip:$Au", 2, 1) == 1) { |
|
|
|
route(SETUP_AUTH_ORIGIN); |
|
|
|
$xavp(hf[0]=>X-AUTH-Token) = $xavp(ulattrs=>token); |
|
|
|
setflag(FLAG_AUTHORIZED); |
|
|
|
setflag(FLAG_REGISTERED_ENDPOINT); |
|
|
|
route(SETUP_AUTH_ORIGIN); |
|
|
|
$xavp(hf[0]=>X-AUTH-Token) = $xavp(ulattrs=>token); |
|
|
|
setflag(FLAG_AUTHORIZED); |
|
|
|
setflag(FLAG_REGISTERED_ENDPOINT); |
|
|
|
} |
|
|
|
#!endif |
|
|
|
#!endif |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
@ -86,10 +86,10 @@ route[AUTHORIZATION_CHECK_REGISTERED] |
|
|
|
route[HANDLE_AUTHORIZATION] |
|
|
|
{ |
|
|
|
|
|
|
|
if(!is_present_hf("Proxy-Authorization")) { |
|
|
|
route(MAIN); |
|
|
|
exit; |
|
|
|
} |
|
|
|
if(!is_present_hf("Proxy-Authorization")) { |
|
|
|
route(MAIN); |
|
|
|
exit; |
|
|
|
} |
|
|
|
|
|
|
|
if (!is_method("INVITE|REFER|MESSAGE|NOTIFY|SUBSCRIBE|PUBLISH")) { |
|
|
|
consume_credentials(); |
|
|
|
@ -138,31 +138,42 @@ onreply_route[KZ_AUTHORIZATION_CHECK_REPLY] |
|
|
|
xlog("L_INFO", "$ci|auth|received $(kzR{kz.json,Event-Category}) $(kzR{kz.json,Event-Name}) reply from $(kzR{kz.json,App-Name})-$(kzR{kz.json,App-Version}) (Δ1 $(kzR{kz.json,AMQP-Elapsed-Micro}) μs , Δ2 $var(delta_to_start) μs, Δ3 $var(delta_from_query) μs)\n"); |
|
|
|
$var(password) = $(kzR{kz.json,Auth-Password}); |
|
|
|
if( $(kzR{kz.json,Event-Name}) == "authn_err" ) { |
|
|
|
update_stat("auth:authn_err", "+1"); |
|
|
|
update_stat("auth:authn_err", "+1"); |
|
|
|
t_reply("403", "Forbidden"); |
|
|
|
exit; |
|
|
|
} else if( $(kzR{kz.json,Event-Name}) == "authn_resp" ) { |
|
|
|
update_stat("auth:authn_resp", "+1"); |
|
|
|
route(KZ_AUTHORIZATION_CHECK_RESPONSE); |
|
|
|
} else { |
|
|
|
update_stat("auth:authn_unknown", "+1"); |
|
|
|
xlog("L_INFO", "$ci|auth|unhandle response from directory $Au via $(kzR{kz.json,App-Name})-$(kzR{kz.json,App-Version})\n"); |
|
|
|
t_reply("403", "Forbidden"); |
|
|
|
exit; |
|
|
|
update_stat("auth:authn_unknown", "+1"); |
|
|
|
xlog("L_INFO", "$ci|auth|unhandle response from directory $Au via $(kzR{kz.json,App-Name})-$(kzR{kz.json,App-Version})\n"); |
|
|
|
t_reply("403", "Forbidden"); |
|
|
|
exit; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
route[KZ_AUTHORIZATION_CHECK_RESPONSE] |
|
|
|
{ |
|
|
|
if (!pv_auth_check("$fd", "$var(password)", "0", "0")) { |
|
|
|
#!ifdef ANTIFLOOD_ROLE |
|
|
|
route(ANITFLOOD_FAILED_AUTH); |
|
|
|
#!endif |
|
|
|
|
|
|
|
xlog("L_WARNING", "$ci|end|auth|$mbu\n"); |
|
|
|
send_reply("403", "Forbidden"); |
|
|
|
exit; |
|
|
|
} |
|
|
|
$var(retcode) = pv_auth_check("$fd", "$var(password)", "0", "0"); |
|
|
|
|
|
|
|
if (!$var(retcode)) { |
|
|
|
xlog("L_WARNING", "$ci|end|auth failed $var(retcode)\n$mbu\n"); |
|
|
|
switch($var(retcode)) { |
|
|
|
case -4: |
|
|
|
case -5: |
|
|
|
case -6: |
|
|
|
xlog("L_INFO", "$ci|end|auth check failed due to nonce or missing creds, challenging\n"); |
|
|
|
auth_challenge("$fd", "1"); |
|
|
|
exit; |
|
|
|
break; |
|
|
|
default: |
|
|
|
#!ifdef ANTIFLOOD_ROLE |
|
|
|
route(ANITFLOOD_FAILED_AUTH); |
|
|
|
#!endif |
|
|
|
send_reply("403", "Forbidden"); |
|
|
|
exit; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
consume_credentials(); |
|
|
|
route(SETUP_AUTH_ORIGIN); |
|
|
|
@ -175,31 +186,30 @@ route[KZ_AUTHORIZATION_CHECK_RESPONSE] |
|
|
|
|
|
|
|
route[SETUP_AUTH_ORIGIN] |
|
|
|
{ |
|
|
|
$xavp(hf=>X-AUTH-IP) = $si; |
|
|
|
$xavp(hf=>X-AUTH-IP) = $si; |
|
|
|
$xavp(hf[0]=>X-AUTH-PORT) = $sp; |
|
|
|
} |
|
|
|
|
|
|
|
route[SETUP_AUTH_AOR] |
|
|
|
{ |
|
|
|
if ($avp(is_registered) == "true") return; |
|
|
|
if ($avp(is_registered) == "true") return; |
|
|
|
|
|
|
|
#!ifdef REGISTRAR_ROLE |
|
|
|
#!ifdef REGISTRAR_ROLE |
|
|
|
$xavp(regcfg=>match_received) = $su; |
|
|
|
if (registered("location","sip:$Au", 2, 1) == 1) { |
|
|
|
$avp(is_registered) = "true"; |
|
|
|
$avp(is_registered) = "true"; |
|
|
|
} |
|
|
|
#!endif |
|
|
|
} |
|
|
|
|
|
|
|
route[SETUP_AUTH_TRUSTED] |
|
|
|
{ |
|
|
|
|
|
|
|
if (isflagset(FLAG_TRUSTED_SOURCE)) { |
|
|
|
$xavp(hf[0]=>X-AUTH-Token) = $avp(trusted_x_header); |
|
|
|
$xavp(hf[0]=>X-AUTH-URI-User) = $rU; |
|
|
|
if (isflagset(FLAG_TRUSTED_SOURCE)) { |
|
|
|
$xavp(hf[0]=>X-AUTH-Token) = $avp(trusted_x_header); |
|
|
|
$xavp(hf[0]=>X-AUTH-URI-User) = $rU; |
|
|
|
$xavp(hf[0]=>X-AUTH-URI-Realm) = $rd; |
|
|
|
if(is_present_hf("P-Asserted-Identity") && $(ai{uri.user}) != "") { |
|
|
|
$xavp(hf[0]=>X-AUTH-From-User) = $(ai{uri.user}); |
|
|
|
$xavp(hf[0]=>X-AUTH-From-User) = $(ai{uri.user}); |
|
|
|
} else if(is_present_hf("P-Preferred-Identity") && $pU != "") { |
|
|
|
$xavp(hf[0]=>X-AUTH-From-User) = $pU; |
|
|
|
} else if(is_present_hf("Remote-Party-ID") && $(re{uri.user}) != "") { |
|
|
|
@ -216,7 +226,6 @@ route[SETUP_AUTH_TRUSTED] |
|
|
|
} |
|
|
|
setflag(FLAG_AUTHORIZED); |
|
|
|
} |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
route[AUTH_HEADERS_JSON] |
|
|
|
|
bitbashing
5 years ago
Luis Azedo