add trusted

kamailio/auth.cfg

@@ -3,14 +3,18 @@ kazoo.strict_auth = KZ_STRICT_AUTH descr "only allow requests from registered or
 
 route[AUTH]
 {
-   if (!is_method("INVITE|MESSAGE|REFER")) {
-      return;
+    if (isflagset(FLAG_INTERNALLY_SOURCED)) {
+        $avp(auth_allowed) = "true";
+        return;
+    }
+
+   if (!is_method("INVITE|MESSAGE|REFER")) {   
+        $avp(auth_allowed) = "true";
+        return;
    }
 
    #!ifdef DISPATCHER_ROLE
-   if (!isflagset(FLAG_INTERNALLY_SOURCED)) {
-       route(SETUP_AUTH_HEADERS);
-   }
+   route(SETUP_AUTH_HEADERS);
    #!endif
 }
 
@@ -68,7 +72,7 @@ route[SETUP_AUTH_HEADERS]
    }
    #!endif
 
-   if (allow_trusted()) {
+   if (allow_source_address()) {
        $avp(auth_allowed) = "true";
        $xavp(hf[0]=>X-AUTH-Token) = $avp(trusted_x_header);
        $xavp(hf[0]=>X-AUTH-URI-User) = $rU;

kamailio/default.cfg

@@ -206,16 +206,11 @@ loadmodule "debugger.so"
 modparam("debugger", "mod_hash_size", 5)
 modparam("debugger", "mod_level_mode", 1)
 modparam("debugger", "mod_level", "core=1")
+modparam("debugger", "mod_level", "tm=0")
 
 ####### STATISTICS ######
 loadmodule "statistics.so"
 
-####### Permissions module ##########
-loadmodule "permissions.so"
-modparam("permissions", "db_url", "KAZOO_DB_URL")
-modparam("permissions", "db_mode", KZ_PERMISSIONS_CACHE)
-modparam("permissions", "peer_tag_avp", "$avp(trusted_x_header)")
-
 ####### DATABASE module ##########
 include_file "db_KAMAILIO_DBMS.cfg"
 
@@ -285,6 +280,7 @@ include_file "blocker-role.cfg"
 include_file "sanity.cfg"
 
 ## auth ##
+include_file "trusted.cfg"
 include_file "auth.cfg"
 
 ###### local route ######

kamailio/defs.cfg

@@ -85,6 +85,7 @@ kazoo.to_external_no_response_timer = INTERNAL_TO_EXTERNAL_NO_RESPONSE_TIMER des
 
 #!trydef KZ_MULTI_HOMED 0
 
+#!trydef KZ_PERMISSIONS_CACHE 0
 
 #!endif
 

kamailio/kazoo-bindings.cfg

@@ -69,6 +69,8 @@ event_route[kazoo:mod-init]
     #!ifdef ACL_ROLE
     route(ACL_BINDINGS);
     #!endif
+    
+    route(TRUSTED_BINDINGS);
 
     #!import_file  "kazoo-custom-bindings.cfg"
 

kamailio/trusted.cfg

@@ -0,0 +1,123 @@
+####### Permissions module ##########
+loadmodule "permissions.so"
+modparam("permissions", "db_url", "KAZOO_DB_URL")
+modparam("permissions", "db_mode", KZ_PERMISSIONS_CACHE)
+modparam("permissions", "peer_tag_avp", "$avp(trusted_x_header)")
+
+modparam("rtimer", "timer", "name=trusted_reload;interval=5;mode=1;")
+modparam("rtimer", "exec", "timer=trusted_reload;route=TRUSTED_RELOAD")
+modparam("rtimer", "exec", "timer=trusted_reload;route=TRUSTED_QUERY")
+
+modparam("pv", "shvset", "trusted_query=i:1")
+
+#!trydef TRUSTED_AMQP_FLAGS 4096
+
+route[TRUSTED_LOAD]
+{
+    if (!t_newtran()) {
+        xlog("L_ERROR", "trusted|log|failed to create transaction to query for acl\n");
+        return;
+    }
+
+    $shv(trusted_query) = 0;
+
+    $var(amqp_payload_request) = $_s({"Event-Category" : "trusted" , "Event-Name" : "query"});
+    $var(amqp_routing_key) = "trusted.query";
+
+    xlog("L_DEBUG", "$ci|amqp|publishing to acl => $var(amqp_routing_key) : $var(amqp_payload_request)\n");
+    if(kazoo_async_query("trusted", $var(amqp_routing_key), $var(amqp_payload_request), "KZ_ACL_REPLY", "KZ_ACL_TIMEOUT", "$def(TRUSTED_AMQP_FLAGS)") != 1) {
+        xlog("L_WARNING", "$ci|log|failed to send trusted query\n");
+        $shv(trusted_query) = 1;
+    }
+}
+
+failure_route[KZ_ACL_TIMEOUT]
+{
+    if($(kzR{kz.json,Event-Name}) == "message_returned" ) {
+        xlog("L_WARNING", "$ci|amqp|message was returned by broker $(kzR{kz.json,Error-Code}) $(kzR{kz.json,Error-Reason})\n");
+    } else {
+        xlog("L_WARNING", "$ci|end|failed $T_reply_code $T_reply_reason [$T(id_index):$T(id_label)] querying trusted\n");
+    }
+    $shv(trusted_query) = 1;
+    # this is needed because of async query that creates a transaction
+    t_drop();
+}
+
+onreply_route[KZ_ACL_REPLY]
+{
+    xlog("L_DEBUG", "trusted|query|got reply\n");
+    avp_delete("$avp(TrustedKeys)/g");
+    if(kazoo_json_keys($kzR, "Trusted", "$avp(TrustedKeys)") != 1) {
+        xlog("L_WARNING", "trusted|reply|no keys for Trusted\n");
+        # this is needed because of async query that creates a transaction
+        t_drop();
+        return;
+    }
+    sql_query("exec", "delete from address");
+    $var(total) = 0;
+    $var(Count) = $cnt($avp(TrustedKeys));
+    $var(Idx) = 0;
+    while($var(Idx) < $var(Count)) {
+         $var(KeyName) = $(avp(TrustedKeys)[$var(Idx)]);
+         $var(Key) = $(var(KeyName){s.replace,.,%});
+         $var(token) = $(kzR{kz.json,Trusted.$var(Key).token});
+         $var(cidr_count) = $(kzR{kz.json.count, Trusted.$var(Key).cidrs});
+         $var(cidr_idx) = 0;
+         while($var(cidr_idx) < $var(cidr_count)) {
+            $var(cidr) = $(kzR{kz.json,Trusted.$var(Key).cidrs[$var(cidr_idx)]});
+            $var(ip) = $(var(cidr){s.select,0,/});
+            $var(mask) = $(var(cidr){s.select,1,/});
+            $var(sql) = $_s(insert into address(ip_addr, mask, tag) values("$var(ip)", $var(mask), "$var(token)"));
+            sql_query("exec", "$var(sql)");
+            $var(cidr_idx) = $var(cidr_idx) + 1;
+            $var(total) = $var(total) + 1;
+         }
+         $var(Idx) = $var(Idx) + 1;
+    }
+    
+    xlog("L_NOTICE", "trusted|query|loaded $var(total) entries into address table\n");
+    $shv(trusted_reload) = 1;
+
+    # this is needed because of async query that creates a transaction
+    t_drop();    
+}
+
+route[RELOAD_TRUSTED]
+{
+    jsonrpc_exec('{"jsonrpc": "2.0", "method": "permissions.addressReload"}');
+    xlog("L_INFO", "trusted|reload|$(jsonrpl(body){kz.json,result})\n");
+}
+
+route[TRUSTED_RELOAD]
+{
+   if($shv(trusted_reload) == 1) {
+      route(RELOAD_TRUSTED);
+   };
+   $shv(trusted_reload) = 0;
+}
+
+route[TRUSTED_QUERY]
+{
+   if($shv(trusted_query) == 1) {
+      route(TRUSTED_LOAD);
+   };
+}
+
+route[TRUSTED_BINDINGS]
+{
+    #!import_file "trusted-custom-bindings.cfg"
+
+    #!ifndef TRUSTED_CUSTOM_BINDINGS
+
+    $var(payload) = $_s({"name": "trusted-reload", "exchange": "trusted", "type": "topic", "queue": "trusted-reload-MY_HOSTNAME", "routing": "trusted.reload", "federate": 1 });
+    kazoo_subscribe("$var(payload)");
+
+    #!endif
+
+}
+
+event_route[kazoo:consumer-event-trusted-reload]
+{
+    xlog("L_NOTICE", "received trusted reload\n");
+    $shv(trusted_query) = 1;
+}