#!trydef KZ_STRICT_AUTH 1
kazoo.strict_auth = KZ_STRICT_AUTH descr "only allow requests from registered or trusted sources"

route[AUTH]
{
    if (isflagset(FLAG_INTERNALLY_SOURCED)) {
        $avp(auth_allowed) = "true";
        return;
    }

   if (!is_method("INVITE|MESSAGE|REFER")) {   
        $avp(auth_allowed) = "true";
        return;
   }

   #!ifdef DISPATCHER_ROLE
   route(SETUP_AUTH_HEADERS);
   #!endif
}

route[AUTH_HEADERS]
{
   remove_hf_re("^X-");

   xavp_params_implode("hf", "$var(outx)");
   $var(out) = $(var(outx){re.subst,/^(.*);$$/\1/});
   $var(c) = $(var(out){param.count});
   xlog("L_DEBUG", "$ci|auth|headers $var(c) => $var(out) => $var(outx)\n");
   while($var(c) > 0) {
      $var(idx) = $var(c) - 1;
      xlog("L_DEBUG", "$ci|auth|adding $(var(out){param.name,$var(idx)}): $(var(out){param.valueat,$var(idx)}{s.unescape.param})\n");
      append_hf("$(var(out){param.name,$var(idx)}): $(var(out){param.valueat,$var(idx)}{s.unescape.param})\r\n");
      $var(c) = $var(c) - 1;
   }

}

route[AUTH_HEADERS_JSON]
{
   xavp_params_implode("hf", "$var(outx)");
   $var(out) = $(var(outx){re.subst,/^(.*);$$/\1/});
   $var(c) = $(var(out){param.count});
   $var(headers_json) = "";
   $var(sep) = "";
   xlog("L_DEBUG", "$ci|auth|headers $var(c) => $var(out) => $var(outx)\n");
   while($var(c) > 0) {
      $var(idx) = $var(c) - 1;
      xlog("L_DEBUG", "$ci|auth|adding $(var(out){param.name,$var(idx)}): $(var(out){param.valueat,$var(idx)}{s.unescape.param})\n");
      append_hf("$(var(out){param.name,$var(idx)}): $(var(out){param.valueat,$var(idx)}{s.unescape.param})\r\n");
      $var(headers_json) = $_s($var(headers_json)$var(sep)"$(var(out){param.name,$var(idx)})" : "$(var(out){param.valueat,$var(idx)}{s.unescape.param})");
      $var(c) = $var(c) - 1;
      $var(sep) = " , ";
   }
   $var(headers_json) = $_s({ $var(headers_json) });
}

route[SETUP_AUTH_HEADERS]
{

   $avp(auth_allowed) = "false";
   $xavp(hf=>X-AUTH-IP) = $si;
   $xavp(hf[0]=>X-AUTH-PORT) = $sp;

   #!ifdef REGISTRAR_ROLE
   $avp(is_registered) = "false";
   $xavp(regcfg=>match_received) = $su;
   if (registered("location","$fu", 2, 1) == 1) {
        $avp(is_registered) = "true";
        $avp(auth_allowed) = "true";
        #!ifdef WITH_AUTH_TOKEN
        route(AUTH_TOKEN);
        #!else
        route(AUTH_CCVS)
        #!endif
        return;
   }
   #!endif

   if (allow_source_address()) {
       $avp(auth_allowed) = "true";
       $xavp(hf[0]=>X-AUTH-Token) = $avp(trusted_x_header);
       $xavp(hf[0]=>X-AUTH-URI-User) = $rU;
       $xavp(hf[0]=>X-AUTH-URI-Realm) = $rd;
       if($ai != $null) {
            $xavp(hf[0]=>X-AUTH-From-User) = $(ai{uri.user});
       } else {
            $xavp(hf[0]=>X-AUTH-From-User) = $fU;
       }
       return;
   }

}

#!ifdef REGISTRAR_ROLE

route[AUTH_TOKEN]
{
   if($(xavp(ulattrs=>token){s.len}) > 0) {
        $xavp(hf[0]=>X-AUTH-Token) = $xavp(ulattrs=>token);
   } else {
        if($(xavp(ulattrs=>Authorizing-ID){s.len}) > 0 && $(xavp(ulattrs=>Account-ID){s.len})) {
             $xavp(hf[0]=>X-AUTH-Token) = $_s($(xavp(ulattrs=>custom_channel_vars){kz.json,Authorizing-ID})@$(xavp(ulattrs=>custom_channel_vars){kz.json,Account-ID}));
        }
   }
}

route[AUTH_CCVS]
{
    if($(xavp(ulattrs=>custom_channel_vars){kz.json,Account-ID}{s.len}) > 0)
        $xavp(hf[0]=>X-ecallmgr_Account-ID) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Account-ID});

    if($(xavp(ulattrs=>custom_channel_vars){kz.json,Authorizing-Type}{s.len}) > 0)
        $xavp(hf[0]=>X-ecallmgr_Authorizing-Type) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Authorizing-Type});

    if($(xavp(ulattrs=>custom_channel_vars){kz.json,Account-ID}{s.len}) > 0 && $(xavp(ulattrs=>custom_channel_vars){kz.json,Authorizing-Type}{s.len}) > 0)
        $xavp(hf[0]=>X-AUTH-Token) = $_s($(xavp(ulattrs=>custom_channel_vars){kz.json,Authorizing-ID})@$(xavp(ulattrs=>custom_channel_vars){kz.json,Account-ID}));

    if($(xavp(ulattrs=>custom_channel_vars){kz.json,Authorizing-ID}{s.len}) > 0)
        $xavp(hf[0]=>X-ecallmgr_Authorizing-ID) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Authorizing-ID});

    if($(xavp(ulattrs=>custom_channel_vars){kz.json,Username}{s.len}) > 0)
        $xavp(hf[0]=>X-ecallmgr_Username) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Username});

    if($(xavp(ulattrs=>custom_channel_vars){kz.json,Realm}{s.len}) > 0)
        $xavp(hf[0]=>X-ecallmgr_Realm) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Realm});

    if($(xavp(ulattrs=>custom_channel_vars){kz.json,Account-Realm}{s.len}) > 0)
        $xavp(hf[0]=>X-ecallmgr_Account-Realm) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Account-Realm});

    if($(xavp(ulattrs=>custom_channel_vars){kz.json,Account-Name}{s.len}) > 0)
        $xavp(hf[0]=>X-ecallmgr_Account-Name) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Account-Name}{s.escape.param});

    if($(xavp(ulattrs=>custom_channel_vars){kz.json,Presence-ID}{s.len}) > 0)
        $xavp(hf[0]=>X-ecallmgr_Presence-ID) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Presence-ID});

    if($(xavp(ulattrs=>custom_channel_vars){kz.json,Owner-ID}{s.len}) > 0)
        $xavp(hf[0]=>X-ecallmgr_Owner-ID) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Owner-ID});

    if($(xavp(ulattrs=>custom_channel_vars){kz.json,Hotdesk-Current-ID}{s.len}) > 0)
        $xavp(hf[0]=>X-ecallmgr_Hotdesk-Current-ID) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Hotdesk-Current-ID});

}

#!endif