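########################################################################
# Kazoo registrar role
#
# Loads the auth/usrloc/registrar (and optionally nathelper) modules and
# defines the REGISTER handling routes: NAT fix-up, credential lookup via
# AMQP (kazoo module), digest check, location save and the
# "registration.success" / "reg_flush" event exchange with Kazoo.
#
# Every tunable below is a #!trydef so a role file or the command line
# can override it before this file is included.
########################################################################

#!trydef REGISTRAR_NAT_PING_INTERVAL 30
#!trydef REGISTRAR_NAT_PING_NAT_ONLY 0
#!trydef REGISTRAR_NAT_PING_WORKERS 5
#!trydef REGISTRAR_MIN_EXPIRES 300
#!trydef REGISTRAR_MAX_EXPIRES 3600
#!trydef REGISTRAR_DEFAULT_EXPIRES 600
#!trydef REGISTRAR_ERROR_MIN_EXPIRES 1
#!trydef REGISTRAR_ERROR_MISSING_EXPIRES 1
#!trydef REGISTRAR_CONTACT_MAX_SIZE 2048
#!trydef REGISTRAR_QUERY_TIMEOUT_MS 2500
#!trydef REGISTRAR_HANDLE_LOST_TCP 1
#!trydef REGISTRAR_CLOSE_EXPIRED_TCP 1
#!trydef REGISTRAR_HANDLE_EXPIRED_TCP 1
#!trydef REGISTRAR_HANDLE_EXPIRED_UDP 0
#!trydef REGISTRAR_HANDLE_EXPIRED_TLS 1
#!trydef REGISTRAR_HANDLE_EXPIRED_WS 1
#!trydef REGISTRAR_FORCE_QUERY 0
#!trydef REGISTRAR_FORCE_FAILOVER 0
#!trydef REGISTRAR_CHECK_AMQP_AVAILABILITY 1

######## Generic Hash Table container in shared memory ########
# auth_cache holds the per-user password returned by Kazoo (keyed by $Au,
# see SAVE_LOCATION) so that registration refreshes do not need a new
# AMQP round trip.  Entries age out after 7200 s; a directory reg_flush
# event removes them earlier (see the kazoo:consumer-event route below).
modparam("htable", "htable", "auth_cache=>size=16;autoexpire=7200;")

####### Authentication Interface module ##########
loadmodule "auth.so"
modparam("auth", "auth_checks_register", 11)
modparam("auth", "qop", "auth")
modparam("auth", "nonce_expire", 90)

####### User Location Implementation module ##########
loadmodule "usrloc.so"
modparam("usrloc", "db_update_as_insert", 0)
modparam("usrloc", "use_domain", 1)
modparam("usrloc", "nat_bflag", FLB_NATB)
modparam("usrloc", "db_url", "KAZOO_DB_URL")
modparam("usrloc", "db_mode", 1)
modparam("usrloc", "xavp_contact", "ulattrs")
modparam("usrloc", "db_check_update", 1)
modparam("usrloc", "timer_interval", 30)
modparam("usrloc", "timer_procs", 1)
modparam("usrloc", "db_timer_clean", 1)
modparam("usrloc", "fetch_rows", 400)
# handle_lost_tcp was previously set twice (a hard-coded 1 followed by the
# define); only the overridable define is kept.
modparam("usrloc", "handle_lost_tcp", REGISTRAR_HANDLE_LOST_TCP)
modparam("usrloc", "close_expired_tcp", REGISTRAR_CLOSE_EXPIRED_TCP)

######## NAT Traversal module - signaling functions ########
# NOTE(review): HANDLE_REGISTER below calls fix_nated_register() unconditionally;
# when NAT_TRAVERSAL_ROLE is not defined, nathelper must be loaded by another
# role file (NATHELPER_LOADED suggests that convention) - confirm.
#!ifdef NAT_TRAVERSAL_ROLE
#!trydef NATHELPER_LOADED
loadmodule "nathelper.so"
modparam("nathelper", "natping_interval", REGISTRAR_NAT_PING_INTERVAL)
modparam("nathelper", "ping_nated_only", REGISTRAR_NAT_PING_NAT_ONLY)
modparam("nathelper", "natping_processes", REGISTRAR_NAT_PING_WORKERS)
modparam("nathelper", "sipping_bflag", FLB_NATSIPPING)
#!endif

####### SIP Registrar implementation module ##########
loadmodule "registrar.so"
modparam("registrar", "received_avp", "$avp(AVP_RECV_PARAM)")
modparam("registrar", "min_expires", REGISTRAR_MIN_EXPIRES)
modparam("registrar", "max_expires", REGISTRAR_MAX_EXPIRES)
modparam("registrar", "default_expires", REGISTRAR_DEFAULT_EXPIRES)
modparam("registrar", "xavp_cfg", "regcfg")
modparam("registrar", "gruu_enabled", 1)
modparam("registrar", "outbound_mode", 1)
modparam("registrar", "regid_mode", 1)
modparam("registrar", "path_mode", 1)
modparam("registrar", "use_path", 1)
modparam("registrar", "received_param", "")
modparam("registrar", "xavp_rcd", "ulrcd")
modparam("registrar", "contact_max_size", REGISTRAR_CONTACT_MAX_SIZE)

####### Runtime (cfg_get) tunables ##########
kazoo.registrar_error_min_expires = REGISTRAR_ERROR_MIN_EXPIRES descr "send error when UAS sends expires < min-expires"
kazoo.registrar_error_missing_expires = REGISTRAR_ERROR_MISSING_EXPIRES descr "send error when UAS do not send expires header"

##### handle expired registrations realtime params #####
kazoo.registrar_handle_expired_tcp = REGISTRAR_HANDLE_EXPIRED_TCP descr "handles expired tcp registrations"
kazoo.registrar_handle_expired_udp = REGISTRAR_HANDLE_EXPIRED_UDP descr "handles expired udp registrations"
kazoo.registrar_handle_expired_tls = REGISTRAR_HANDLE_EXPIRED_TLS descr "handles expired tls registrations"
kazoo.registrar_handle_expired_ws = REGISTRAR_HANDLE_EXPIRED_WS descr "handles expired ws registrations"

kazoo.registrar_query_timeout_ms = REGISTRAR_QUERY_TIMEOUT_MS descr "timeout waiting for reply from registrar"
kazoo.registrar_failover = REGISTRAR_FORCE_FAILOVER descr "force failover if 1"
kazoo.registrar_force_query = REGISTRAR_FORCE_QUERY descr "force query if 1"
kazoo.registrar_check_amqp_availability = REGISTRAR_CHECK_AMQP_AVAILABILITY descr "checks if amqp connection is available before querying registrar"

####### Registrar Logic ########

# Entry point for REGISTER requests.
# For NATed sources (FLT_NATS) it marks the branch, rewrites the Contact to
# the received address and enables SIP pings except for user agents that
# misbehave on OPTIONS; otherwise it records the source address in
# AVP_RECV_PARAM (the registrar's received_avp).  Then hands over to
# ATTEMPT_AUTHORIZATION.
route[HANDLE_REGISTER] {
    if (!is_method("REGISTER")) {
        return;
    }

    if (isflagset(FLT_NATS)) {
        setbflag(FLB_NATB);
        fix_nated_register();
        ## KAZOO-1846: Cisco SPA8000 freaks out on options pings
        if (!($ua =~ "Linksys/SPA8000" || $ua =~ "SIPp" || (af==INET6) )) {
            setbflag(FLB_NATSIPPING);
        }
    } else {
        $avp(AVP_RECV_PARAM) = $su;
    }

    route(ATTEMPT_AUTHORIZATION);
}

# Authorization gate for out-of-dialog MESSAGE/NOTIFY/SUBSCRIBE/PUBLISH.
# Requests that are in-dialog, internally sourced or from a trusted source
# pass through.  Everyone else must have a location record for $fu that was
# registered from the same source address ($su, via regcfg=>match_received)
# and carries custom channel vars; otherwise 503 "Not Registered".
route[AUTHORIZATION_CHECK] {
    if (!is_method("MESSAGE|NOTIFY|SUBSCRIBE|PUBLISH")) return;
    if(has_totag()) return;
    if (isflagset(FLAG_INTERNALLY_SOURCED)) return;
    if (isflagset(FLAG_TRUSTED_SOURCE)) return;

    $xavp(regcfg=>match_received) = $su;
    if(!(registered("location", "$fu", 2, 1) == 1 && $(xavp(ulattrs=>custom_channel_vars){s.len}) > 1)) {
        xlog("L_INFO", "$ci|log|not authorized $fu from $si:$sp\n");
        send_reply("503", "Not Registered");
        exit;
    }
}

# Decides how to authenticate a REGISTER.
#  1. Fast path (registrar_force_query == 0 and registrar_failover == 0):
#     a cached password exists for $Au and the AoR is already registered
#     from this source address -> save the location directly.
#     NOTE(review): this path does not run pv_auth_check(); it relies on
#     the existing registration matching $su - confirm this is intended.
#  2. Otherwise create a transaction, validate bounds (REGISTRAR_BOUNDS),
#     challenge if no credentials are present, and finally ask Kazoo for
#     the password over AMQP; the reply is handled in KZ_AUTHORIZATION_REPLY
#     and a timeout in KZ_AUTHORIZATION_TIMEOUT.
route[ATTEMPT_AUTHORIZATION] {
#!ifdef PUSHER_ROLE
    route(PUSHER_ATTEMPT_REGISTRATION);
#!endif

    if($sel(cfg_get.kazoo.registrar_force_query) == 0) {
        $xavp(regcfg=>match_received) = $su;
        # Condition was previously mis-parenthesised (the failover test fell
        # outside the if(...)); all four terms now belong to one condition.
        if($sht(auth_cache=>$Au) != $null
           && registered("location", "$rz:$Au", 2, 1) == 1
           && $(xavp(ulattrs=>custom_channel_vars){s.len}) > 1
           && $sel(cfg_get.kazoo.registrar_failover) == 0) {
            $var(password) = $sht(auth_cache=>$Au);
            route(SAVE_LOCATION);
            exit;
        }
    }

    # Reject registrations whose To/From domain looks like a dotted-quad IP
    # rather than a realm.  The middle dot is now escaped so it matches only
    # a literal "." (it previously matched any character).  The pattern is
    # not anchored, so it also matches domains that merely contain a
    # dotted-quad substring.
    if($td =~ "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" || $fd =~ "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}") {
        xlog("L_INFO", "$ci|log|register|invalid domain\n");
        drop;
    }

    if (!t_newtran()) {
        xlog("L_ERROR", "$ci|log|failed to create transaction to query for authentication credentials for $Au $si:$sp\n");
        drop;
    }

    if($sel(cfg_get.kazoo.registrar_check_amqp_availability) == 1) {
        if($xavp(amqpc=>default::MY_AMQP_ZONE) == 0) {
            xlog("L_INFO", "$ci|log|register|no amqp connection available for default worker in zone MY_AMQP_ZONE\n");
            t_drop();
        }
    }

    if($sel(cfg_get.kazoo.registrar_failover) == 1) {
        xlog("L_INFO", "$ci|log|register|forcing failover\n");
        t_drop();
    }

    route(REGISTRAR_BOUNDS);

    # pv_auth_check with a random password: -2 means credentials are present
    # (just wrong, as expected); any other result means no credentials yet,
    # so send a challenge.
    $var(auth) = pv_auth_check("$fd", "$uuid(g)", "0", "0");
    if($var(auth) != -2) {
        xlog("L_INFO", "$ci|end|challenging $Au $si:$sp\n");
        $var(auth) = auth_challenge("$fd", "21");
        if($var(auth) != 1) {
            xlog("L_ERROR", "$ci|register|error creating or sending challenge to registration attempt for $fu from $si:$sp\n");
            t_drop();
        }
        exit;
    }

    sl_send_reply("100", "checking your credentials");

    # Ask Kazoo for the credentials; User-Agent and Contact are escaped
    # before being embedded in the JSON payload.
    $var(amqp_payload_request) = $_s({"Event-Category" : "directory" , "Event-Name" : "authn_req", "Method" : "REGISTER", "Auth-Nonce" : "$adn", "Auth-Realm" : "$fd", "Auth-User" : "$fU", "From" : "$fu", "To" : "$tu", "Orig-IP" : "$si", "Orig-Port" : "$sp", "User-Agent" : "$(ua{s.escape.common}{s.replace,\','}{s.replace,$$,})", "Contact" : "$(ct{s.escape.common}{s.replace,\','}{s.replace,$$,})", "Call-ID" : "$ci" });
    $var(amqp_routing_key) = "authn.req." + $(fd{kz.encode});
    $avp(kz_timeout) = $sel(cfg_get.kazoo.registrar_query_timeout_ms);
    # timestamp used for the latency figures logged in KZ_AUTHORIZATION_REPLY
    $xavp(deltas=>query) = $(TV(Sn){s.replace,.,});
    if(kazoo_async_query("callmgr", $var(amqp_routing_key), $var(amqp_payload_request), "KZ_AUTHORIZATION_REPLY", "KZ_AUTHORIZATION_TIMEOUT") != 1) {
        xlog("L_INFO", "$ci|log|failed to send registrar query for authentication credentials for $Au $si:$sp\n");
        t_drop();
    }
}

# Kazoo did not answer the authn_req in time: log and drop the transaction.
failure_route[KZ_AUTHORIZATION_TIMEOUT] {
    xlog("L_INFO", "$ci|log|failed $T_reply_code to query Kazoo for authentication credentials for $Au $si:$sp\n");
    t_drop();
}

# Handles the authn reply from Kazoo ($kzR).  Logs round-trip timings, then
# either re-challenges on authn_err or verifies the digest against the
# returned password in CHECK_AUTHORIZATION.
onreply_route[KZ_AUTHORIZATION_REPLY] {
    $var(StartRoute) = $(TV(Sn){s.replace,.,});
    $var(delta_to_start) = $var(StartRoute) - $(kzR{kz.json,AMQP-Received});
    $var(delta_from_query) = $(kzR{kz.json,AMQP-Received}) - $xavp(deltas=>query);
    xlog("L_INFO", "$ci|log|received $(kzR{kz.json,Event-Category}) $(kzR{kz.json,Event-Name}) reply from $(kzR{kz.json,App-Name})-$(kzR{kz.json,App-Version}) (Δ1 $(kzR{kz.json,AMQP-Elapsed-Micro}) μs , Δ2 $var(delta_to_start) μs, Δ3 $var(delta_from_query) μs)\n");

    $var(password) = $(kzR{kz.json,Auth-Password});
    $var(nonce) = $adn;

    if( $(kzR{kz.json,Event-Name}) == "authn_err" ) {
#!ifdef ANTIFLOOD_ROLE
        # NOTE(review): route name is spelled ANITFLOOD here and in
        # CHECK_AUTHORIZATION; it must match the antiflood role file - confirm.
        route(ANITFLOOD_FAILED_AUTH);
#!endif
        auth_challenge("$fd", "5");
        xlog("L_INFO", "$ci|end|challenging $Au $si:$sp via $(kzR{kz.json,App-Name})-$(kzR{kz.json,App-Version}) response\n");
        exit;
    } else {
        xlog("L_INFO", "$ci|log|authenticating $Au via $(kzR{kz.json,App-Name})-$(kzR{kz.json,App-Version}) response\n");
        route(CHECK_AUTHORIZATION);
    }
}

# Verifies the digest in the request against $var(password) (from Kazoo).
# On failure: antiflood hook, warning log, new challenge.  On success the
# credentials header is consumed, the Custom-Channel-Vars from the reply are
# attached to the contact (ulattrs) and the location is saved.
route[CHECK_AUTHORIZATION] {
    if (!pv_auth_check("$fd", "$var(password)", "0", "0")) {
#!ifdef ANTIFLOOD_ROLE
        route(ANITFLOOD_FAILED_AUTH);
#!endif
        xlog("L_WARNING", "$ci|end|issuing auth challenge to failed registration attempt for $Au from IP $si:$sp\n");
        auth_challenge("$fd", "5");
        exit;
    }

#!ifdef ANTIFLOOD_ROLE
    route(ANTIFLOOD_SUCCESSFUL_AUTH);
#!endif

    # user authenticated - remove auth header
    consume_credentials();

    $xavp(ulattrs=>custom_channel_vars) = $(kzR{kz.json,Custom-Channel-Vars});
    $xavp(ulattrs[0]=>token) = $_s($(kzR{kz.json,Custom-Channel-Vars.Authorizing-ID})@$(kzR{kz.json,Custom-Channel-Vars.Account-ID}));

    route(SAVE_LOCATION);
}

# Caches the password for $Au, saves the contact with save("location",
# "0x04") and publishes a directory reg_success event to Kazoo describing
# the (un)registration, including the advertised proxy address/port.
# save() result: <0 error, 1 new contact, 3 contact removed (expires 0).
route[SAVE_LOCATION] {
    if ($sht(auth_cache=>$Au) == $null && $var(password) != $null) {
        xlog("L_INFO", "$ci|log|caching sip credentials for $Au\n");
    }
    $sht(auth_cache=>$Au) = $var(password);

    $var(save_result) = save("location", "0x04");
    if($var(save_result) < 0) {
        exit;
    } else {
        if($var(save_result) == 1) {
            $var(new_reg) = "true";
        } else {
            $var(new_reg) = "false";
        }
    }

    if($var(save_result) == 3) {
        $var(expires) = 0;
    } else {
        $var(expires) = $xavp(ulrcd=>expires);
    }

    if($var(expires) == 0) {
        xlog("L_INFO", "$ci|end|unregister request from $Au $si:$sp\n");
        $var(Status) = "Unregistered";
    } else {
        $var(Status) = "Registered";
    }

    # bracket IPv6 literals
    $var(ip) = $Ri;
    if(af==INET6) {
        $var(ip) = "[" + $Ri + "]";
    }

    # allow port redirection on registration
    switch($proto) {
#!ifdef KZ_WEBSOCKETS_REGISTRAR_PORT
        case "ws":
        case "wss":
            $var(port) = KZ_WEBSOCKETS_REGISTRAR_PORT;
            break;
#!endif
#!ifdef KZ_TLS_REGISTRAR_PORT
        case "tls":
            $var(port) = KZ_TLS_REGISTRAR_PORT;
            break;
#!endif
#!ifdef KZ_UDP_REGISTRAR_PORT
        case "udp":
            $var(port) = KZ_UDP_REGISTRAR_PORT;
            break;
#!endif
#!ifdef KZ_TCP_REGISTRAR_PORT
        case "tcp":
            $var(port) = KZ_TCP_REGISTRAR_PORT;
            break;
#!endif
        default:
            $var(port) = $Rp;
    }

    $var(AdvIP) = $RAi;
    if(af==INET6) {
        $var(AdvIP) = "[" + $RAi + "]";
    }

    $var(amqp_payload_request) = $_s({"Event-Category" : "directory", "Event-Name" : "reg_success", "Status" : "$var(Status)", "Event-Timestamp" : $TS, "Expires" : $(var(expires){s.int}), "First-Registration" : $var(new_reg), "Contact" : "$(ct{s.escape.common}{s.replace,\','}{s.replace,$$,})", "Call-ID" : "$ci", "Realm" : "$fd", "Username" : "$fU", "From-User" : "$fU", "From-Host" : "$fd", "To-User" : "$tU", "To-Host" : "$td", "User-Agent" : "$(ua{s.escape.common}{s.replace,\','}{s.replace,$$,})" , "Custom-Channel-Vars" : $xavp(ulattrs=>custom_channel_vars), "Proxy-Path" : "sip:MY_IP_ADDRESS:$var(port)", "Proxy-Protocol" : "$proto", "Proxy-IP" : "$var(AdvIP)", "Proxy-Port" : "$RAp", "Source-IP": "$si", "Source-Port": "$sp" });
    $var(amqp_routing_key) = "registration.success." + $(fd{kz.encode}) + "." + $(fU{kz.encode});
    kazoo_publish("registrar", $var(amqp_routing_key), $var(amqp_payload_request));
    xlog("L_INFO", "$ci|end|successful $(var(Status){s.tolower}) with contact : $ct : $var(expires)\n");

#!ifdef PUSHER_ROLE
    route(PUSHER_ON_REGISTRATION);
#!endif
    exit;
}

## kazoo event route, {"directory", "reg_flush"} => reg-flush; by kamailio limitations,
## when an Event-Category or Event-Name has an underscore (_) we need to declare it with a dash (-)
# Drops the cached password for Username@Realm and, unless Cache-Only is
# "true", unregisters every contact of that AoR from "location".
event_route[kazoo:consumer-event-directory-reg-flush] {
    $var(user) = $(kzE{kz.json,Username}) + "@" + $(kzE{kz.json,Realm});
    xlog("L_INFO", "$(kzE{kz.json,Msg-ID})|log|received directory flush for $var(user)\n");

    if ($sht(auth_cache=>$var(user)) != $null) {
        $sht(auth_cache=>$var(user)) = $null;
    }

    if( $(kzE{kz.json,Cache-Only}) == "true") {
        return;
    }

    if(reg_fetch_contacts("location", "sip:$var(user)", "caller")) {
        $var(i) = 0;
        while($var(i) < $(ulc(caller=>count))) {
            unregister("location", "sip:$(ulc(caller=>aor))", "$(ulc(caller=>ruid)[$var(i)])");
            $var(i) = $var(i) + 1;
        }
        reg_free_contacts("caller");
    }

#!ifdef ANTIFLOOD_ROLE
    route(ANTIFLOOD_RESET_AUTH);
#!endif
}

# Subscribes this node to the registrar exchange for registration.flush.*
# unless a custom bindings file defines REGISTRAR_CUSTOM_BINDINGS.
route[REGISTRAR_BINDINGS] {
#!import_file "registrar-custom-bindings.cfg"
#!ifndef REGISTRAR_CUSTOM_BINDINGS
    $var(payload) = $_s({"name": "registrar-api", "exchange": "registrar", "type": "topic", "queue": "registrar-flush-MY_HOSTNAME", "routing": "registration.flush.*", "federate": 1 });
    kazoo_subscribe("$var(payload)");
#!endif
#!ifdef REGISTRAR_SYNC_ROLE
    route(REGISTRAR_SYNC_BINDINGS);
#!endif
}

# Determines the requested expiry (Contact expires param, Expires header,
# or the contact's expires parameter as parsed from the header body) and
# enforces the configured policy: 400 when it is missing and
# registrar_error_missing_expires is set, 423 with Min-Expires when it is
# non-zero but below REGISTRAR_MIN_EXPIRES and registrar_error_min_expires is set.
route[REGISTRAR_BOUNDS] {
    if((int)@contact.expires) {
        $var(expires) = @contact.expires;
    } else if(is_present_hf("Expires")) {
        $var(expires) = $hdr(Expires);
    } else if($(sel(contact){tobody.params}{param.value,expires}) != "") {
        $var(expires) = $(sel(contact){tobody.params}{param.value,expires}{s.int});
    } else {
        if($sel(cfg_get.kazoo.registrar_error_missing_expires) == 1) {
            xlog("L_WARNING", "$ci|end|missing expires registering $Au from IP $si:$sp\n");
            send_reply("400", "Missing Expires");
            exit;
        } else {
            xlog("L_WARNING", "$ci|end|allowing missing expires registering $Au from IP $si:$sp\n");
        }
    }

    if($var(expires) != 0) {
        if($sel(cfg_get.kazoo.registrar_error_min_expires) == 1) {
            if($var(expires) < REGISTRAR_MIN_EXPIRES) {
                xlog("L_WARNING", "$ci|end|expires $var(expires) too brief (configured $def(REGISTRAR_MIN_EXPIRES)) registering $Au from IP $si:$sp\n");
                append_to_reply("Min-Expires: $def(REGISTRAR_MIN_EXPIRES)\r\n");
                send_reply("423", "Interval Too Brief");
                exit;
            }
        }
    }
}

##
## this needs handling logic in ecallmgr
## because we will fire the unregister from this server
## after device registers in another proxy
## causing ecallmgr to delete the registration
## from the other server
##
# Fires when usrloc expires a contact.  Currently disabled by the early
# return (see above); the remaining body would publish an "Unregistered"
# reg_success event for transports enabled via registrar_handle_expired_*.
event_route[usrloc:contact-expired] {
    ## return until we handle this in ecallmgr
    return;

    $var(transport) = $(ulc(exp=>received){uri.transport});
    $var(proto) = $(ulc(exp=>socket){re.subst,/^([^:]*):(.*)/\1/});
    if($var(proto) == "tls" && $var(transport) == "ws") {
        $var(proto) = "wss";
    }

    $var(handle) = 0;
    switch($var(proto)) {
        case "ws":
        case "wss":
            if($sel(cfg_get.kazoo.registrar_handle_expired_ws) == 1) {
                $var(handle) = 1;
            }
            break;
        case "tls":
            if($sel(cfg_get.kazoo.registrar_handle_expired_tls) == 1) {
                $var(handle) = 1;
            }
            break;
        case "tcp":
            if($sel(cfg_get.kazoo.registrar_handle_expired_tcp) == 1) {
                $var(handle) = 1;
            }
            break;
        case "udp":
            if($sel(cfg_get.kazoo.registrar_handle_expired_udp) == 1) {
                $var(handle) = 1;
            }
            break;
        default:
            break;
    }

    if($var(handle) == 1) {
        $var(aor) = $_s(sip:$ulc(exp=>aor));
        $var(username) = $(var(aor){uri.user});
        $var(domain) = $(var(aor){uri.host});
        $var(amqp_payload_request) = $_s({"Event-Category" : "directory", "Event-Name" : "reg_success", "Status" : "Unregistered", "Event-Timestamp" : $TS, "Expires" : 0, "First-Registration" : false, "Contact" : "$(ulc(exp=>addr){s.escape.common}{s.replace,\','}{s.replace,$$,})", "Call-ID" : "$ulc(exp=>callid)", "Realm" : "$var(domain)", "Username" : "$var(username)", "From-User" : "$var(username)", "From-Host" : "$var(domain)", "To-User" : "$var(username)", "To-Host" : "$var(domain)", "Proxy-Path" : "$ulc(exp=>socket)", "User-Agent" : "$(ulc(exp=>user_agent){s.escape.common}{s.replace,\','}{s.replace,$$,})"});
        $var(amqp_routing_key) = "registration.success." + $(var(domain){kz.encode}) + "." + $(var(username){kz.encode});
        kazoo_publish("registrar", $var(amqp_routing_key), $var(amqp_payload_request));
        xlog("L_INFO", "$ulc(exp=>callid)|expired|notified registration removal with contact : $ulc(exp=>addr)\n");
    }
    xlog("L_INFO", "$ulc(exp=>callid)|expired|removed registration with contact : $ulc(exp=>addr)\n");
}

#!ifdef REGISTRAR_SYNC_ROLE
#!include_file "registrar-sync-role.cfg"
#!endif

# vim: tabstop=4 softtabstop=4 shiftwidth=4 expandtab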