[sr-dev] [tracker] Comment added: add support to auth_db to validate source IP address

[sip-router]

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

The following task has a new comment added:

FS#499 - add support to auth_db to validate source IP address
User who did this - Emmanuel Schmidbauer (eschmidbauer)

----------
I will go down the list and reply to each one:

1. The module and function are for verifying digest authentication, i don't think IP checking should be part of it. It is illogical and confusing.
>From the module overview: "This module contains _all_ authentication related functions that need the access to the database."
I don't see anything about the module only being used to verify digest authentication.

2. The functionality is enable by overloading the configuration of a table column name. Not very in intuitive.
The functionality is enabled by ADDING the column name to the configuration, if it is not added, then the functionality is disabled.
I designed it that way to allow people to upgrade their code and not ADD the functionality unless they wanted it.

3.  The function is limited to only a single ip(-range) per username; not very flexible. The already existing method of achieving the very same functionality is already present in the ipops and, in a more flexible way, the permissions module.
I fail to see how it can easily be done using ipops and permissions. Permissions does not do dynamic SQL queries (you must load/reload your IP addresses). That being said, it cannot be achieved using ipops and permissions. If I am mistaken about this, please provide an example.

4. The functionality is so very trivial to implement in the config script using the ipops module (only taking 2 lines of script), i don't think the additional maintenance burden for the C code is worth it.
Again, I do not see how to implement this in ipops. And there is not much maintenance burden unless another version of IP becomes prevalent.

5. The added functionality is undocumented.
I would be happy to document the functionality.

6. There is no return code to recognize the reason why "authentication" failed.
The return code is same as if authentication failed. Would you prefer a different return code? If so, let me know what return code should be used.


Please understand, I wrote this patch from the standpoint of a VoIP system administrator. IP Authentication coupled with password authentication is almost a necessity in most VoIP systems. Of course there are certainly ways to achieve this goal using what I would call "workarounds", like a perl script or messing with loading SQL data and running it against an ipops functions, but these methods are not documented nor a straightforward approach. Adding the IP restriction capability to the auth_db database makes the entire process straightforward and easy to maintain. I would be happy to re-write any of my code to meet the requirements for it to be pushed into auth_db. I will use my patch whether it is pushed into auth_db codebase or not, I would prefer not to run my own branch of kamailio though. I also think many other people could benefit from this patch.
----------

More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=499#comment1722

You are receiving this message because you have requested it from the Flyspray bugtracking system.  If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.