From e9eb219a92662d7e21761976a1dae30aadc4a387 Mon Sep 17 00:00:00 2001 From: lazedo Date: Thu, 7 Mar 2019 22:24:58 +0000 Subject: [PATCH] some tweaks move param failure_exec_mode from pusher role to default move handling of FLAG_LOCAL_ROUTE add optional require for authn on subscribe trace local route requests --- kamailio/default.cfg | 26 ++++++++++++++++++-------- kamailio/presence-nat.cfg | 1 - kamailio/presence-role.cfg | 18 ++++++++++++++++++ kamailio/pusher-role.cfg | 2 -- kamailio/sip_trace-role.cfg | 22 +++++++++++++++------- 5 files changed, 51 insertions(+), 18 deletions(-) diff --git a/kamailio/default.cfg b/kamailio/default.cfg index e8dd78c..61ad856 100644 --- a/kamailio/default.cfg +++ b/kamailio/default.cfg @@ -130,6 +130,8 @@ modparam("tm", "auto_inv_100_reason", "Attempting to connect your call") modparam("tm", "cancel_b_method", 2) modparam("tm", "ruri_matching", 0) modparam("tm", "failure_reply_mode", 3) +modparam("tm", "failure_exec_mode", 1) + # modparam("tm", "fr_timer", 30000) # modparam("tm", "fr_inv_timer", 120000) @@ -968,14 +970,22 @@ event_route[evrexec:DEFERRED_INIT] route[LOCAL_REQUEST] { - if(src_ip != myself || $hdr(X-TM-Local) == $null) { - return; - } - xlog("L_DEBUG", "internal route $hdr(X-TM-Local)\n"); - $var(LocalRoute) = $hdr(X-TM-Local); - remove_hf_re("^X-TM-Local"); - route_if_exists("$var(LocalRoute)"); - exit; + if(src_ip != myself || $hdr(X-TM-Local) == $null) { + return; + } + + xlog("L_DEBUG", "internal route $hdr(X-TM-Local)\n"); + + setflag(FLAG_LOCAL_ROUTE); + + #!ifdef SIP_TRACE_ROLE + route(SIP_TRACE); + #!endif + + $var(LocalRoute) = $hdr(X-TM-Local); + remove_hf_re("^X-TM-Local"); + route_if_exists("$var(LocalRoute)"); + exit; } diff --git a/kamailio/presence-nat.cfg b/kamailio/presence-nat.cfg index 7932c2a..a78ddfd 100644 --- a/kamailio/presence-nat.cfg +++ b/kamailio/presence-nat.cfg 
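Review bot: route[LOCAL_REQUEST] lets the `X-TM-Local` header name the route that `route_if_exists()` runs, and the only gate is `src_ip != myself`; a request from any other source returns early with the header still on the message. If nothing earlier in the config strips it (not visible in this patch), I would split the guard so the header is dropped on the untrusted path: `if($hdr(X-TM-Local) == $null) { return; }` followed by `if(src_ip != myself) { remove_hf_re("^X-TM-Local"); return; }`. A comment above the route would make the trust assumption explicit, stating that `X-TM-Local` is an internal control header honoured only for our own addresses. It should also note that `route(SIP_TRACE)` is called before the header is removed, presumably so the trace still carries it.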
@@ -118,7 +118,6 @@ route[PRESENCE_ROUTE_NAT_PING] handle_ruri_alias(); record_route(); xlog("L_DEBUG", "$ci|local|sending nat keepalive from $fu to $ru => $du => $tu\n"); - setflag(FLAG_LOCAL_ROUTE); t_on_reply("PRESENCE_NAT_REPLY"); t_on_failure("PRESENCE_NAT_FAULT"); diff --git a/kamailio/presence-role.cfg b/kamailio/presence-role.cfg index 5f88ede..83c6a01 100644 --- a/kamailio/presence-role.cfg +++ b/kamailio/presence-role.cfg @@ -11,6 +11,7 @@ #!trydef KZ_PRESENCE_REQUEST_RESUBSCRIBE_PROBE 0 #!trydef KZ_PRESENCE_REQUEST_PROBE 1 #!trydef KZ_PRESENCE_NO_TARGETS_LOG_LEVEL L_DBG +#!trydef KZ_PRESENCE_REQUIRE_AUTHN 0 modparam("htable", "htable", "first=>size=32;autoexpire=3600;initval=0;") @@ -58,6 +59,7 @@ kazoo.presence_request_resubscribe_probe = KZ_PRESENCE_REQUEST_RESUBSCRIBE_PROBE kazoo.presence_ignore_status_probe_resp = KZ_PRESENCE_IGNORE_STATUS_PROBE_RESP descr "ignore online/offline probe replies" kazoo.presence_max_call_per_presentity = KZ_PRESENCE_MAX_CALL_PER_PRESENTITY descr "max number of calls per presentity" kazoo.presence_no_targets_log_level = KZ_PRESENCE_NO_TARGETS_LOG_LEVEL descr "when a presence event is received and there no targets we can log at another level" +kazoo.presence_require_authn = KZ_PRESENCE_REQUIRE_AUTHN descr "require authenticated devices for presence" #!include_file "presence-query.cfg" #!include_file "presence-notify.cfg" @@ -80,6 +82,8 @@ route[HANDLE_SUBSCRIBE] send_reply(489, "Bad Event"); exit(); } + + route(PRESENCE_AUTHN); if (!t_newtran()) { sl_reply_error(); @@ -225,6 +229,8 @@ route[HANDLE_PUBLISH] exit(); } + route(PRESENCE_AUTHN); + if (!t_newtran()) { sl_reply_error(); exit; 
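Review bot: `route(PRESENCE_AUTHN);` in HANDLE_SUBSCRIBE is also added to HANDLE_PUBLISH in the `@@ -225,6 +229,8` hunk, although the commit message only mentions subscribe. With `KZ_PRESENCE_REQUIRE_AUTHN` set to 1, any SUBSCRIBE or PUBLISH whose sender has no matching location binding gets a 403. That would presumably include senders that never register, such as internally sourced requests if those reach these routes, which cannot be confirmed from the hunks. I would add a comment at both call sites, e.g. `# may reply 403 and exit when kazoo.presence_require_authn is 1`, and say in the commit description that PUBLISH is covered too. Both route bodies start and end outside their hunks.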
@@ -526,4 +532,16 @@ route[PRESENCE_ON_REGISTRATION] route(PRESENCE_NAT_ON_REGISTRATION); } +route[PRESENCE_AUTHN] +{ + if($sel(cfg_get.kazoo.presence_require_authn) == 1) { + $xavp(regcfg=>match_received) = $su; + if(registered("location", "$rz:$Au", 2, 1) != 1) { + xlog("L_WARNING", "$ci|stop|$rm from unregistered ($rz:$Au) user agent $ua => $su\n"); + send_reply(403, "Forbidden"); + exit; + } + } +} + # vim: tabstop=4 softtabstop=4 shiftwidth=4 expandtab diff --git a/kamailio/pusher-role.cfg b/kamailio/pusher-role.cfg index d969eb7..8925ac3 100644 --- a/kamailio/pusher-role.cfg +++ b/kamailio/pusher-role.cfg @@ -3,8 +3,6 @@ ######## Generic Hash Table container in shared memory ######## modparam("htable", "htable", "push_cache=>autoexpire=60;") -modparam("tm", "failure_exec_mode", 1) - route[PUSHER_ROUTE] { if ( (!is_method("INVITE")) || (!isflagset(FLAG_INTERNALLY_SOURCED)) || $hdr(X-KAZOO-PUSHER-Token-ID) == $null) diff --git a/kamailio/sip_trace-role.cfg b/kamailio/sip_trace-role.cfg index 89af0f0..afae3c7 100644 --- a/kamailio/sip_trace-role.cfg +++ b/kamailio/sip_trace-role.cfg @@ -70,19 +70,27 @@ route[SIP_TRACE_LOCAL] if($sel(cfg_get.kazoo.trace_local) == 0) { return; } + + if($hdr(X-TM-Local) != $null) { + return; + } + sip_trace(); } -route[SIP_TRACE] +route[SIP_TRACE_LOCAL_ROUTE] { - if(src_ip == 127.0.0.1 || dst_ip == 127.0.0.1) { - return; - } + setflag(FLAG_SIP_TRACE); +} - if (isflagset(FLAG_INTERNALLY_SOURCED)) { - route(SIP_TRACE_INTERNAL); +route[SIP_TRACE] +{ + if (isflagset(FLAG_LOCAL_ROUTE)) { + route(SIP_TRACE_LOCAL_ROUTE); } else if (isflagset(FLAG_LOCAL_REQUEST)) { - route(SIP_TRACE_LOCAL); + route(SIP_TRACE_LOCAL); + } else if (isflagset(FLAG_INTERNALLY_SOURCED)) { + route(SIP_TRACE_INTERNAL); } else { route(SIP_TRACE_EXTERNAL); }
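Review bot: route[PRESENCE_AUTHN] does not verify credentials; it only asks `registered("location", "$rz:$Au", 2, 1)` whether the claimed identity has a location binding, and the `match_received` value set from `$su` appears to restrict that to bindings received from the same source address. As I read the pseudo-variable documentation, `$Au` falls back to the From identity when the request carries no credentials, so the identity being checked is chosen by the sender. This is a registration and source-address check, weaker over UDP than the `descr` text "require authenticated devices for presence" suggests. I would document that above the route, e.g. `# not digest authn: accept only if $rz:$Au has a location binding received from $su`, and reword the `descr` to match. The log line also prints `$ua`, which is sender-supplied text and should be read as such.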
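Review bot: The new route[SIP_TRACE_LOCAL_ROUTE] sets `FLAG_SIP_TRACE` unconditionally, whereas the sibling route[SIP_TRACE_LOCAL] first checks `kazoo.trace_local`, so requests flagged `FLAG_LOCAL_ROUTE` appear to have no runtime switch once SIP_TRACE_ROLE is compiled in. The same hunk drops the `src_ip == 127.0.0.1 || dst_ip == 127.0.0.1` early return from route[SIP_TRACE], so loopback traffic now reaches the flag branches as well. If that is intended, a comment should say so; otherwise gate the new route the way its sibling is gated, e.g. `if($sel(cfg_get.kazoo.trace_local) == 0) { return; }` before the `setflag`. The added `$hdr(X-TM-Local) != $null` return in SIP_TRACE_LOCAL also deserves a one-line comment on why such requests are skipped there (presumably they are traced later through LOCAL_REQUEST). route[SIP_TRACE_LOCAL] starts above the hunk and route[SIP_TRACE] ends below it.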