
start with strict auth

* all AOR requests must be previously authorized
* carrier traffic is admitted via allow_trusted() (permissions module trusted table)
master
lazedo 6 years ago
parent
commit
3ed7c9b62c
2 changed files with 32 additions and 52 deletions
  1. +19
    -47
      kamailio/auth.cfg
  2. +13
    -5
      kamailio/default.cfg

+ 19
- 47
kamailio/auth.cfg

@ -1,4 +1,5 @@
#!trydef KZ_STRICT_AUTH 1
kazoo.strict_auth = KZ_STRICT_AUTH descr "only allow requests from registered or trusted sources"
route[AUTH] route[AUTH]
{ {
@ -52,23 +53,31 @@ route[AUTH_HEADERS_JSON]
route[SETUP_AUTH_HEADERS] route[SETUP_AUTH_HEADERS]
{ {
$avp(auth_allowed) = "false";
$xavp(hf=>X-AUTH-IP) = $si; $xavp(hf=>X-AUTH-IP) = $si;
$xavp(hf[0]=>X-AUTH-PORT) = $sp; $xavp(hf[0]=>X-AUTH-PORT) = $sp;
#!ifdef REGISTRAR_ROLE #!ifdef REGISTRAR_ROLE
$avp(is_registered) = "false"; $avp(is_registered) = "false";
$xavp(regcfg=>match_received) = $su; $xavp(regcfg=>match_received) = $su;
if (registered("location","$fu", 2, 1) != 1) return;
$avp(is_registered) = "true";
#!ifdef WITH_AUTH_TOKEN
route(AUTH_TOKEN);
#!else
route(AUTH_CCVS);
if (registered("location","$fu", 2, 1) == 1) {
$avp(is_registered) = "true";
$avp(auth_allowed) = "true";
route(AUTH_TOKEN);
return;
}
#!endif #!endif
#!endif
if (allow_trusted()) {
$avp(auth_allowed) = "true";
$xavp(hf[0]=>X-AUTH-Token) = $avp(trusted_x_header);
$xavp(hf[0]=>X-AUTH-URI-User) = $rU;
$xavp(hf[0]=>X-AUTH-URI-Realm) = $rd;
$xavp(hf[0]=>X-AUTH-To-IP) = $RAi;
$xavp(hf[0]=>X-AUTH-To-Port) = $RAp;
$xavp(hf[0]=>X-AUTH-Source) = "trusted";
return;
}
} }
@ -85,41 +94,4 @@ route[AUTH_TOKEN]
} }
} }
route[AUTH_CCVS]
{
if($(xavp(ulattrs=>custom_channel_vars){kz.json,Account-ID}{s.len}) > 0)
$xavp(hf[0]=>X-ecallmgr_Account-ID) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Account-ID});
if($(xavp(ulattrs=>custom_channel_vars){kz.json,Authorizing-Type}{s.len}) > 0)
$xavp(hf[0]=>X-ecallmgr_Authorizing-Type) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Authorizing-Type});
if($(xavp(ulattrs=>custom_channel_vars){kz.json,Account-ID}{s.len}) > 0 && $(xavp(ulattrs=>custom_channel_vars){kz.json,Authorizing-Type}{s.len}) > 0)
$xavp(hf[0]=>X-AUTH-Token) = $_s($(xavp(ulattrs=>custom_channel_vars){kz.json,Authorizing-ID})@$(xavp(ulattrs=>custom_channel_vars){kz.json,Account-ID}));
if($(xavp(ulattrs=>custom_channel_vars){kz.json,Authorizing-ID}{s.len}) > 0)
$xavp(hf[0]=>X-ecallmgr_Authorizing-ID) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Authorizing-ID});
if($(xavp(ulattrs=>custom_channel_vars){kz.json,Username}{s.len}) > 0)
$xavp(hf[0]=>X-ecallmgr_Username) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Username});
if($(xavp(ulattrs=>custom_channel_vars){kz.json,Realm}{s.len}) > 0)
$xavp(hf[0]=>X-ecallmgr_Realm) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Realm});
if($(xavp(ulattrs=>custom_channel_vars){kz.json,Account-Realm}{s.len}) > 0)
$xavp(hf[0]=>X-ecallmgr_Account-Realm) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Account-Realm});
if($(xavp(ulattrs=>custom_channel_vars){kz.json,Account-Name}{s.len}) > 0)
$xavp(hf[0]=>X-ecallmgr_Account-Name) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Account-Name}{s.escape.param});
if($(xavp(ulattrs=>custom_channel_vars){kz.json,Presence-ID}{s.len}) > 0)
$xavp(hf[0]=>X-ecallmgr_Presence-ID) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Presence-ID});
if($(xavp(ulattrs=>custom_channel_vars){kz.json,Owner-ID}{s.len}) > 0)
$xavp(hf[0]=>X-ecallmgr_Owner-ID) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Owner-ID});
if($(xavp(ulattrs=>custom_channel_vars){kz.json,Hotdesk-Current-ID}{s.len}) > 0)
$xavp(hf[0]=>X-ecallmgr_Hotdesk-Current-ID) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Hotdesk-Current-ID});
}
#!endif #!endif
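Review bot: The carrier branch at `if (allow_trusted())` admits a request on a source address/protocol match alone and then copies `$avp(trusted_x_header)` into X-AUTH-Token without confirming the permissions lookup actually returned a tag, so a trusted row with an empty tag would appear to mark the request allowed while emitting a null token downstream. Tightening the condition to `if (allow_trusted() && $avp(trusted_x_header) != $null)` keeps a misconfigured carrier row fail-closed, or at minimum log the missing tag before setting `$avp(auth_allowed)`. Because this check is IP-based, UDP source spoofing is the residual risk; a comment on the branch such as `# carriers: matched by $si/$proto against the permissions 'trusted' table; the token is the row's peer tag` would make that trust boundary explicit. The enclosing `#!ifdef` nest and route[AUTH_TOKEN] continue outside the visible lines.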

+ 13
- 5
kamailio/default.cfg

@ -210,6 +210,12 @@ modparam("debugger", "mod_level", "core=1")
####### STATISTICS ###### ####### STATISTICS ######
loadmodule "statistics.so" loadmodule "statistics.so"
####### Permissions module ##########
loadmodule "permissions.so"
modparam("permissions", "db_url", "KAZOO_DB_URL")
modparam("permissions", "db_mode", KZ_PERMISSIONS_CACHE)
modparam("permissions", "peer_tag_avp", "$avp(trusted_x_header)")
####### DATABASE module ########## ####### DATABASE module ##########
include_file "db_KAMAILIO_DBMS.cfg" include_file "db_KAMAILIO_DBMS.cfg"
@ -281,11 +287,6 @@ include_file "sanity.cfg"
## auth ## ## auth ##
include_file "auth.cfg" include_file "auth.cfg"
####### Permissions module ##########
loadmodule "permissions.so"
modparam("permissions", "db_url", "KAZOO_DB_URL")
modparam("permissions", "db_mode", 1)
###### local route ###### ###### local route ######
tcp_children = 5 tcp_children = 5
listen=tcp:127.0.0.1:5090 listen=tcp:127.0.0.1:5090
@ -633,6 +634,13 @@ route[PREPARE_INITIAL_REQUESTS]
route[SETUP] route[SETUP]
{ {
if($sel(cfg_get.kazoo.strict_auth) == 1 && $avp(auth_allowed) != "true") {
xlog("L_WARN", "$ci|auth|request denied\n");
sl_reply("403", "Please Register");
exit;
}
#!ifdef DISPATCHER_ROLE #!ifdef DISPATCHER_ROLE
if (!isflagset(FLAG_INTERNALLY_SOURCED)) { if (!isflagset(FLAG_INTERNALLY_SOURCED)) {
route(DISPATCHER_FIND_ROUTES); route(DISPATCHER_FIND_ROUTES);
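Review bot: The denial log at `xlog("L_WARN", "$ci|auth|request denied\n")` records only the Call-ID, which leaves no source address or From URI to correlate or block an offending peer; `xlog("L_WARN", "$ci|auth|request denied from $si:$sp ($proto) fu=$fu ru=$ru\n");` gives responders what they need. The gate itself fails closed, since an unset `$avp(auth_allowed)` also satisfies `!= "true"`, which is worth a one-line comment such as `# unset AVP (SETUP_AUTH_HEADERS not run) is also denied on purpose` so nobody "fixes" it later. I cannot see from this hunk whether REGISTER and OPTIONS are diverted before `route(SETUP)`; if they are not, strict mode would reject the very REGISTER that establishes the registration it requires. `KZ_PERMISSIONS_CACHE` has no `#!trydef` default in view, so if it is not defined elsewhere the config will fail to load.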

