sysmocom
/
asterisk
11
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

res_pjsip: Split type=identify to IP address and SIP header matching priorities 

The type=identify endpoint identification method can match by IP address
and by SIP header.  However, the SIP header matching has limited
usefulness because you cannot specify the SIP header matching priority
relative to the IP address matching.  All the matching happens at the same
priority and the order of evaluating the identify sections is
indeterminate.  e.g., If you had two type=identify sections where one
matches by IP address for endpoint alice and the other matches by SIP
header for endpoint bob then you couldn't predict which endpoint is
matched when a request comes in that matches both.

* Extract the SIP header matching criteria into its own "header" endpoint
identification method so the user can specify the relative priority of the
SIP header and the IP address matching criteria in the global
endpoint_identifier_order option.  The "ip" endpoint identification method
now only matches by IP address.

ASTERISK-27491

Change-Id: I9df142a575b7e1e3471b7cda5d3ea156cef08095
This commit is contained in:
Richard Mudgett 2017-12-22 19:50:34 -06:00
parent 2f392bedb3
commit 8494e78010
9 changed files with 170 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
CHANGES
View File

@ -56,6 +56,31 @@ cdr_syslog
* The cdr_syslog module is now deprecated and by default it is no longer
built.
------------------------------------------------------------------------------
--- Functionality changes from Asterisk 15.2.0 to Asterisk 15.3.0 ------------
------------------------------------------------------------------------------
res_pjsip
------------------
* Users who are matching endpoints by SIP header need to reevaluate their
global "endpoint_identifier_order" option in light of the "ip" endpoint
identifier method split into the "ip" and "header" endpoint identifier
methods.
res_pjsip_endpoint_identifier_ip
------------------
* The endpoint identifier "ip" method previously recognized endpoints either
by IP address or a matching SIP header. The "ip" endpoint identifier method
is now split into the "ip" and "header" endpoint identifier methods. The
"ip" endpoint identifier method only matches by IP address and the "header"
endpoint identifier method only matches by SIP header. The split allows the
user to control the relative priority of the IP address and the SIP header
identification methods in the global "endpoint_identifier_order" option.
e.g., If you have two type=identify sections where one matches by IP address
for endpoint alice and the other matches by SIP header for endpoint bob then
you can now predict which endpoint is matched when a request comes in that
matches both.
------------------------------------------------------------------------------
--- Functionality changes from Asterisk 15.1.0 to Asterisk 15.2.0 ------------
------------------------------------------------------------------------------

23
UPGRADE-15.txt
View File

@ -23,6 +23,29 @@
=== UPGRADE-14.txt -- Upgrade info for 13 to 14
===========================================================
From 15.2.0 to 15.3.0:
res_pjsip
------------------
* Users who are matching endpoints by SIP header need to reevaluate their
global "endpoint_identifier_order" option in light of the "ip" endpoint
identifier method split into the "ip" and "header" endpoint identifier
methods.
res_pjsip_endpoint_identifier_ip
------------------
* The endpoint identifier "ip" method previously recognized endpoints either
by IP address or a matching SIP header. The "ip" endpoint identifier method
is now split into the "ip" and "header" endpoint identifier methods. The
"ip" endpoint identifier method only matches by IP address and the "header"
endpoint identifier method only matches by SIP header. The split allows the
user to control the relative priority of the IP address and the SIP header
identification methods in the global "endpoint_identifier_order" option.
e.g., If you have two type=identify sections where one matches by IP address
for endpoint alice and the other matches by SIP header for endpoint bob then
you can now predict which endpoint is matched when a request comes in that
matches both.
New in 15.0.0:
Build System:

16
UPGRADE.txt
View File

@ -43,19 +43,3 @@ ARI:
cdr_syslog:
- The cdr_syslog module is now deprecated and by default it is no longer
built.
New in 15.0.0:
Build System:
- '--with-pjproject-bundled' is now the default when running ./configure
It can be disabled with '--without-pjproject-bundled'.
Core:
- Multi-stream support has been added so a channel can have multiple
streams of the same type such as audio and video.
- The 'Data Retrieval API' has been removed. This API was not actively
maintained, was not added to new modules (such as res_pjsip), and there
exist better alternatives to acquire the same information, such as the
ARI. As a result, the 'DataGet' AMI action as well as the 'data get'
CLI command have been removed.

11
configs/samples/pjsip.conf.sample
View File

@ -635,6 +635,7 @@
; "username": Identify by the From or To username and domain
; "auth_username": Identify by the Authorization username and realm
; "ip": Identify by the source IP address
; "header": Identify by a configured SIP header value.
; In the username and auth_username cases, if an exact match
; on both username and domain/realm fails, the match is
; retried with just the username.
@ -993,11 +994,11 @@
; (default: "no")
;endpoint_identifier_order=ip,username,anonymous
; The order by which endpoint identifiers are given priority.
; Currently, "ip", "username", "auth_username" and "anonymous" are valid
; identifiers as registered by the res_pjsip_endpoint_identifier_* modules.
; Some modules like res_pjsip_endpoint_identifier_user register more than
; one identifier. Use the CLI command "pjsip show identifiers" to see the
; identifiers currently available.
; Currently, "ip", "header", "username", "auth_username" and "anonymous"
; are valid identifiers as registered by the res_pjsip_endpoint_identifier_*
; modules. Some modules like res_pjsip_endpoint_identifier_user register
; more than one identifier. Use the CLI command "pjsip show identifiers"
; to see the identifiers currently available.
; (default: ip,username,anonymous)
;max_initial_qualify_time=4 ; The maximum amount of time (in seconds) from
; startup that qualifies should be attempted on all

57
contrib/ast-db-manage/config/versions/52798ad97bdf_add_pjsip_identify_by_header.py Normal file
View File

@ -0,0 +1,57 @@
"""add pjsip identify by header
Revision ID: 52798ad97bdf
Revises: e2f04d309071
Create Date: 2018-01-08 12:16:02.782277
"""
# revision identifiers, used by Alembic.
revision = '52798ad97bdf'
down_revision = 'e2f04d309071'
from alembic import op
import sqlalchemy as sa
def column_upgrade(table_name, column_name, enum_name):
if op.get_context().bind.dialect.name != 'postgresql':
if op.get_context().bind.dialect.name == 'mssql':
op.drop_constraint('ck_ps_endpoints_identify_by_pjsip_identify_by_values',
table_name)
op.alter_column(table_name, column_name, type_=sa.String(80))
return
# Postgres requires a few more steps
op.execute('ALTER TABLE ' + table_name + ' ALTER COLUMN ' + column_name +
' TYPE varchar(80) USING identify_by::text::' + enum_name)
op.execute('DROP TYPE ' + enum_name)
def column_downgrade(table_name, column_name, enum_name, enum_values):
if op.get_context().bind.dialect.name != 'postgresql':
op.alter_column(table_name, column_name,
type_=sa.Enum(*enum_values, name=enum_name))
return
# Postgres requires a few more steps
updated = sa.Enum(*enum_values, name=enum_name)
updated.create(op.get_bind(), checkfirst=False)
op.execute('ALTER TABLE ' + table_name + ' ALTER COLUMN ' + column_name +
' TYPE ' + enum_name + ' USING identify_by::text::' + enum_name)
def upgrade():
# The ps_endpoints identify_by column has always been a comma separated
# list of enum values. This is better represented as a string anyway to
# avoid database compatibility issues. Also future changes are likely
# to allow loadable endpoint identifier names and negating fixed enum
# benefits.
column_upgrade('ps_endpoints', 'identify_by', 'pjsip_identify_by_values')
def downgrade():
column_downgrade('ps_endpoints', 'identify_by', 'pjsip_identify_by_values',
['username', 'auth_username', 'ip'])

2
include/asterisk/res_pjsip.h
View File

@ -443,6 +443,8 @@ enum ast_sip_endpoint_identifier_type {
AST_SIP_ENDPOINT_IDENTIFY_BY_AUTH_USERNAME = (1 << 1),
/*! Identify based on source IP address */
AST_SIP_ENDPOINT_IDENTIFY_BY_IP = (1 << 2),
/*! Identify based on arbitrary headers */
AST_SIP_ENDPOINT_IDENTIFY_BY_HEADER = (1 << 3),
};
AST_VECTOR(ast_sip_identify_by_vector, enum ast_sip_endpoint_identifier_type);

11
res/res_pjsip.c
View File

@ -323,6 +323,17 @@
endpoint identification.
</para>
</enum>
<enum name="header">
<para>Matches the endpoint based on a configured SIP header
value.
</para>
<para>This method of identification is not configured here
but simply allowed by this configuration option. See the
documentation for the <literal>identify</literal>
configuration section for more details on this method of
endpoint identification.
</para>
</enum>
</enumlist>
</description>
</configOption>

5
res/res_pjsip/pjsip_configuration.c
View File

@ -594,6 +594,9 @@ static const char *sip_endpoint_identifier_type2str(enum ast_sip_endpoint_identi
case AST_SIP_ENDPOINT_IDENTIFY_BY_IP:
str = "ip";
break;
case AST_SIP_ENDPOINT_IDENTIFY_BY_HEADER:
str = "header";
break;
}
return str;
}
@ -617,6 +620,8 @@ static int sip_endpoint_identifier_str2type(const char *str)
method = AST_SIP_ENDPOINT_IDENTIFY_BY_AUTH_USERNAME;
} else if (!strcasecmp(str, "ip")) {
method = AST_SIP_ENDPOINT_IDENTIFY_BY_IP;
} else if (!strcasecmp(str, "header")) {
method = AST_SIP_ENDPOINT_IDENTIFY_BY_HEADER;
} else {
method = -1;
}

67
res/res_pjsip_endpoint_identifier_ip.c
View File

@ -186,7 +186,7 @@ static int header_identify_match_check(void *obj, void *arg, int flags)
return 0;
}
return CMP_MATCH | CMP_STOP;
return CMP_MATCH;
}
/*! \brief Comparator function for matching an object by IP address */
@ -201,7 +201,7 @@ static int ip_identify_match_check(void *obj, void *arg, int flags)
ast_debug(3, "Source address %s matches identify '%s'\n",
ast_sockaddr_stringify(addr),
ast_sorcery_object_get_id(identify));
return CMP_MATCH | CMP_STOP;
return CMP_MATCH;
} else {
ast_debug(3, "Source address %s does not match identify '%s'\n",
ast_sockaddr_stringify(addr),
@ -210,48 +210,62 @@ static int ip_identify_match_check(void *obj, void *arg, int flags)
}
}
static struct ast_sip_endpoint *ip_identify(pjsip_rx_data *rdata)
static struct ast_sip_endpoint *common_identify(ao2_callback_fn *identify_match_cb, void *arg)
{
struct ast_sockaddr addr = { { 0, } };
RAII_VAR(struct ao2_container *, candidates, NULL, ao2_cleanup);
RAII_VAR(struct ip_identify_match *, match, NULL, ao2_cleanup);
struct ip_identify_match *match;
struct ast_sip_endpoint *endpoint;
/* If no possibilities exist return early to save some time */
if (!(candidates = ast_sorcery_retrieve_by_fields(ast_sip_get_sorcery(), "identify", AST_RETRIEVE_FLAG_MULTIPLE | AST_RETRIEVE_FLAG_ALL, NULL)) ||
!ao2_container_count(candidates)) {
candidates = ast_sorcery_retrieve_by_fields(ast_sip_get_sorcery(), "identify",
AST_RETRIEVE_FLAG_MULTIPLE | AST_RETRIEVE_FLAG_ALL, NULL);
if (!candidates || !ao2_container_count(candidates)) {
ast_debug(3, "No identify sections to match against\n");
return NULL;
}
match = ao2_callback(candidates, 0, identify_match_cb, arg);
if (!match) {
return NULL;
}
endpoint = ast_sorcery_retrieve_by_id(ast_sip_get_sorcery(), "endpoint",
match->endpoint_name);
if (endpoint) {
ast_debug(3, "Identify '%s' SIP message matched to endpoint %s\n",
ast_sorcery_object_get_id(match), match->endpoint_name);
} else {
ast_log(LOG_WARNING, "Identify '%s' points to endpoint '%s' but endpoint could not be found\n",
ast_sorcery_object_get_id(match), match->endpoint_name);
}
ao2_ref(match, -1);
return endpoint;
}
static struct ast_sip_endpoint *ip_identify(pjsip_rx_data *rdata)
{
struct ast_sockaddr addr = { { 0, } };
ast_sockaddr_parse(&addr, rdata->pkt_info.src_name, PARSE_PORT_FORBID);
ast_sockaddr_set_port(&addr, rdata->pkt_info.src_port);
match = ao2_callback(candidates, 0, ip_identify_match_check, &addr);
if (!match) {
ast_debug(3, "Identify checks by IP address failed to find match: '%s' did not match any identify section rules\n",
ast_sockaddr_stringify(&addr));
match = ao2_callback(candidates, 0, header_identify_match_check, rdata);
if (!match) {
return NULL;
}
}
endpoint = ast_sorcery_retrieve_by_id(ast_sip_get_sorcery(), "endpoint", match->endpoint_name);
if (endpoint) {
ast_debug(3, "Retrieved endpoint %s\n", ast_sorcery_object_get_id(endpoint));
} else {
ast_log(LOG_WARNING, "Identify section '%s' points to endpoint '%s' but endpoint could not be looked up\n",
ast_sorcery_object_get_id(match), match->endpoint_name);
}
return endpoint;
return common_identify(ip_identify_match_check, &addr);
}
static struct ast_sip_endpoint_identifier ip_identifier = {
.identify_endpoint = ip_identify,
};
static struct ast_sip_endpoint *header_identify(pjsip_rx_data *rdata)
{
return common_identify(header_identify_match_check, rdata);
}
static struct ast_sip_endpoint_identifier header_identifier = {
.identify_endpoint = header_identify,
};
/*! \brief Helper function which performs a host lookup and adds result to identify match */
static int ip_identify_match_host_lookup(struct ip_identify_match *identify, const char *host)
{
@ -720,6 +734,7 @@ static int load_module(void)
ast_sorcery_load_object(ast_sip_get_sorcery(), "identify");
ast_sip_register_endpoint_identifier_with_name(&ip_identifier, "ip");
ast_sip_register_endpoint_identifier_with_name(&header_identifier, "header");
ast_sip_register_endpoint_formatter(&endpoint_identify_formatter);
cli_formatter = ao2_alloc(sizeof(struct ast_sip_cli_formatter_entry), NULL);