
rework default for handling auth

master
lazedo 6 years ago
parent
commit
dba2a3cc26
1 changed files with 58 additions and 69 deletions
  1. +58
    -69
      kamailio/default.cfg

+ 58
- 69
kamailio/default.cfg

@ -52,6 +52,7 @@ loadmodule "rr.so"
modparam("rr", "enable_full_lr", RR_FULL_LR)
modparam("rr", "enable_double_rr", RR_DOUBLE_RR)
modparam("rr", "force_send_socket", RR_FORCE_SOCKET)
modparam("rr", "ignore_sips", 1)
######## Max-Forward processor module ########
loadmodule "maxfwd.so"
@ -116,9 +117,6 @@ include_file "db_KAMAILIO_DBMS.cfg"
include_file "kazoo-bindings.cfg"
####### Role Configurations ##########
#!ifdef AUTHORIZATION_ROLE
include_file "authorization-role.cfg"
#!endif
#!ifdef DISPATCHER_ROLE
include_file "dispatcher-role-MAJOR.cfg"
#!endif
@ -167,8 +165,8 @@ include_file "nodes-role.cfg"
#!ifdef SIP_TRACE_ROLE
include_file "sip_trace-role.cfg"
#!endif
#!ifdef KEEPALIVE_ROLE
include_file "keepalive-role.cfg"
#!ifdef SIP_TRACE_ALL_ROLE
include_file "sip_trace_all-role.cfg"
#!endif
#!ifdef BLOCKER_ROLE
include_file "blocker-role.cfg"
@ -179,7 +177,7 @@ include_file "sanity.cfg"
## auth ##
include_file "trusted.cfg"
include_file "auth.cfg"
include_file "authorization.cfg"
###### local route ######
tcp_children = 5
@ -224,14 +222,34 @@ route
route(SIP_TRACE);
#!endif
route_if_exists("CUSTOM_START_ROUTES");
route(HANDLE_NOTIFY);
#!ifdef AUTHORIZATION_ROLE
route(AUTHORIZATION_CHECK);
#!ifdef REGISTRAR_ROLE
route(HANDLE_REGISTER);
#!endif
route_if_exists("CUSTOM_START_ROUTES");
#!ifdef RESPONDER_ROLE
if (isflagset(FLAG_INTERNALLY_SOURCED)) {
route(HANDLE_RESPOND);
}
#!endif
if (!t_newtran()) {
xlog("L_ERROR", "$ci|log|failed to create transaction\n");
drop;
exit;
}
route(HANDLE_AUTHORIZATION);
}
route[MAIN]
{
route(AUTHORIZATION);
#!ifdef MESSAGE_ROLE
route(HANDLE_MESSAGE);
#!else
@ -246,10 +264,6 @@ route
route(HANDLE_PUBLISH);
#!endif
#!ifdef REGISTRAR_ROLE
route(HANDLE_REGISTER);
#!endif
route(HANDLE_REFER);
route(HANDLE_IN_DIALOG_REQUESTS);
@ -260,16 +274,7 @@ route
route(PUSHER_ROUTE);
#!endif
#!ifdef RESPONDER_ROLE
if (isflagset(FLAG_INTERNALLY_SOURCED)) {
route(HANDLE_RESPOND);
}
#!endif
route(AUTH);
route(SETUP);
}
#!trydef KZ_LOG_REQUEST_OPTIONS 0
@ -304,18 +309,15 @@ route[CHECK_RETRANS]
route[CLASSIFY_SOURCE]
{
#!ifdef DISPATCHER_ROLE
route(DISPATCHER_CLASSIFY_SOURCE);
#!endif
if (allow_source_address(TRUSTED_ADR_GROUP)) {
if (allow_source_address()) {
xlog("$var(log_request_level)", "$ci|log|request from trusted IP\n");
setflag(FLAG_TRUSTED_SOURCE);
return;
}
if (isflagset(FLAG_INTERNALLY_SOURCED) || is_myself($si)) {
setflag(FLAG_TRUSTED_SOURCE);
}
#!ifdef DISPATCHER_ROLE
route(DISPATCHER_CLASSIFY_SOURCE);
#!endif
}
@ -384,10 +386,6 @@ route[HANDLE_NOTIFY]
sl_send_reply("200", "Rawr!!");
}
#!ifdef KEEPALIVE_ROLE
route(KEEPALIVE_ON_NOTIFY);
#!endif
}
exit;
}
@ -403,9 +401,13 @@ route[HANDLE_REFER]
} else {
$var(referred_by) = $_s(<sip:$Au>;created=true);
}
$xavp(regcfg=>match_received) = $su;
if(registered("location", "$rz:$Au", 2, 1) == 1) {
$var(referred_by) = $_s($var(referred_by);endpoint_id=$(xavp(ulattrs=>token){re.subst,/(.*)@(.*)/\1/});account_id=$(xavp(ulattrs=>token){re.subst,/(.*)@(.*)/\2/}));
if(!isflagset(FLAG_INTERNALLY_SOURCED)) {
if(isflagset(FLAG_AUTHORIZED)) {
$var(referred_by) = $_s($var(referred_by);endpoint_id=$(xavp(ulattrs=>token){re.subst,/(.*)@(.*)/\1/});account_id=$(xavp(ulattrs=>token){re.subst,/(.*)@(.*)/\2/}));
}
} else {
record_route();
}
remove_hf_re("^Referred-By");
@ -522,30 +524,19 @@ route[PREPARE_INITIAL_REQUESTS]
#!endif
}
record_route();
if(!isflagset(FLAG_INTERNALLY_SOURCED)) {
record_route();
}
}
route[SETUP]
{
if($sel(cfg_get.kazoo.strict_auth) == 1 && $avp(auth_allowed) != "true") {
if(is_present_hf("Proxy-Authorization")) {
xlog("L_WARN", "$ci|auth|request denied\n");
} else {
xlog("L_INFO", "$ci|auth|challenging invite\n");
proxy_challenge("$td", "4");
}
exit;
}
#!ifdef DISPATCHER_ROLE
if (!isflagset(FLAG_INTERNALLY_SOURCED)) {
route(DISPATCHER_FIND_ROUTES);
}
#!endif
#!ifdef REGISTRAR_ROLE
if (isflagset(FLAG_INTERNALLY_SOURCED)) {
} else {
route(ROUTE_TO_AOR);
}
#!endif
@ -560,12 +551,11 @@ route[BRANCH_HEADERS]
} else {
remove_hf_re("^X-");
}
}
# Manage outgoing branches
branch_route[MANAGE_BRANCH] {
xlog("L_DEBUG", "$ci|branch|new branch [$T_branch_idx] to $ru => $du\n");
xlog("L_INFO", "$ci|branch|new branch [$T_branch_idx] to $ru\n");
#!ifdef NAT_TRAVERSAL_ROLE
route(NAT_MANAGE);
#!endif
@ -576,13 +566,19 @@ branch_route[MANAGE_BRANCH] {
route[RELAY]
{
if (is_method("INVITE|BYE|SUBSCRIBE|UPDATE|NOTIFY")) {
if (is_method("INVITE|BYE|SUBSCRIBE|UPDATE|NOTIFY|CANCEL")) {
if(!t_is_set("branch_route")) t_on_branch("MANAGE_BRANCH");
}
if (isflagset(FLAG_INTERNALLY_SOURCED)) {
xlog("L_DEBUG", "$ci|relay|internal to external\n");
if(!isflagset(FLAG_RECORD_ROUTE_ADDED) && !has_totag()) {
xlog("L_DEBUG", "$ci|relay|adding record route\n");
record_route();
}
route(INTERNAL_TO_EXTERNAL_RELAY);
} else {
xlog("L_DEBUG", "$ci|relay|external to internal\n");
route(EXTERNAL_TO_INTERNAL_RELAY);
}
@ -653,9 +649,7 @@ onreply_route[EXTERNAL_REPLY]
}
#!ifdef NAT_TRAVERSAL_ROLE
if(status=~"[12][0-9][0-9]") {
route(NAT_MANAGE);
}
route(NAT_MANAGE);
#!endif
#!ifdef ACL_ROLE
@ -705,9 +699,7 @@ onreply_route[INTERNAL_REPLY]
}
#!ifdef NAT_TRAVERSAL_ROLE
if(status=~"[12][0-9][0-9]") {
route(NAT_MANAGE);
}
route(NAT_MANAGE);
#!endif
#!ifdef ACL_ROLE
@ -720,10 +712,7 @@ onreply_route[INTERNAL_REPLY]
route(DOS_PREVENTION);
#!endif
if (is_method("INVITE") &&
!isflagset(FLAG_SESSION_PROGRESS) &&
t_check_status("(180)|(183)|(200)")
) {
if (is_method("INVITE") && t_check_status("(180)|(183)|(200)")) {
xlog("L_INFO", "$ci|log|call setup, now ignoring abnormal termination\n");
setflag(FLAG_SESSION_PROGRESS);
}
@ -768,7 +757,7 @@ failure_route[INTERNAL_FAULT]
xlog("L_INFO", "$ci|failure|ignoring failure after session progress\n");
} else if (t_check_status("403") && $T_reply_reason=="Forbidden") {
xlog("L_WARNING", "$ci|failure|Failed auth from IP $si\n");
} else if (t_check_status("(401)|(407)|(486)")) {
} else if (t_check_status("(401)|(486)")) {
xlog("L_INFO", "$ci|failure|auth reply $T_reply_code $T_reply_reason\n");
} else if (t_check_status("402")) {
xlog("L_INFO", "$ci|failure|overriding reply code 402 with 486\n");
@ -825,11 +814,11 @@ onsend_route {
route[ROUTE_TO_AOR]
{
if ($hdr(X-KAZOO-AOR) == $null) {
xlog("L_DEBUG", "$ci|aor|not aor\n");
return;
}
xlog("L_INFO", "$ci|log|using AOR $hdr(X-KAZOO-AOR)\n");
set_forward_no_connect();
if ($hdr(X-KAZOO-INVITE-FORMAT) == "contact") {
if(lookup("location", "$hdr(X-KAZOO-AOR)") > 0){
xlog("L_INFO", "$ci|end|routing to contact $ru\n");
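Review bot: In route[CLASSIFY_SOURCE] the trusted-source test appears to become `allow_source_address()` with no group argument, and without an argument the permissions module checks its default address group rather than `TRUSTED_ADR_GROUP`. The rendered page has lost its +/- markers, so this reading rests on the hunk shrinking from 18 to 15 lines. Since that branch sets `FLAG_TRUSTED_SOURCE`, which presumably feeds the reworked authorization path, any address kept in the default group for another purpose would be classified as trusted, and entries stored only under `TRUSTED_ADR_GROUP` would stop matching. Keeping the group explicit, `if (allow_source_address(TRUSTED_ADR_GROUP)) {`, makes the trust boundary independent of the module default; if the switch is intentional, a comment above the check such as `# trusted peers live in the permissions default group` would record it. The same hunk also seems to drop the `isflagset(FLAG_INTERNALLY_SOURCED) || is_myself($si)` fallback, so it is worth confirming that locally generated requests are still flagged by DISPATCHER_CLASSIFY_SOURCE, whose body is not on this page.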

