[Serusers] PATCH: ip auth for each account

Jan Janak jan at iptel.org
Sun Aug 8 10:54:01 CEST 2004


Hello,

sorry for the late reply. The idea is good, but imho it should be
implemented differently -- in the auth module only; there is no need to
touch the SER core.

  Jan.

On 30-07 14:03, zolia at z1sys.com wrote:
> hello,
> 
> wrote some small path, which adds authorization with source ip.
> to patch:
> cd ./ser-0.8.14
> patch -p1 < ser-0.8.14_ip_auth.patch
> 
> add additional string column to subscribers: acc_ip
> 
> ex. usage:
> www_authorize_ip("your_realm", "subscriber", "0.0.0.0") )
> 
> where "0.0.0.0" means that the source ip will be taken from the msg
> structure. If you specify an IP instead of "0.0.0.0" then it will be checked
> instead of the one taken from the msg structure. It would be equivalent to write
> 
> src_ip != "source_ip_to_check" && !www_authorize("your_realm",
> "subscriber")
> 
> and
> 
> !www_authorize_ip("213.226.186.195", "subscriber", "source_ip_to_check")
> 
> 
> Antanas

> diff -r -C 2 ser-0.8.14/action.c ser-0.8.14.new/action.c
> *** ser-0.8.14/action.c	Fri Oct  3 09:19:41 2003
> --- ser-0.8.14.new/action.c	Fri Jul 30 10:00:20 2004
> ***************
> *** 600,605 ****
>   			if ( ((a->p1_type==CMDF_ST)&&a->p1.data)/*&&
>   					((a->p2_type==STRING_ST)&&a->p2.data)*/ ){
> ! 				ret=((cmd_function)(a->p1.data))(msg, (char*)a->p2.data,
> ! 													  (char*)a->p3.data);
>   			}else{
>   				LOG(L_CRIT,"BUG: do_action: bad module call\n");
> --- 600,610 ----
>   			if ( ((a->p1_type==CMDF_ST)&&a->p1.data)/*&&
>   					((a->p2_type==STRING_ST)&&a->p2.data)*/ ){
> ! 				if(a->p4.data != NULL){
> ! 					ret=((cmd_function3)(a->p1.data))(msg, (char*)a->p2.data,
> ! 								  (char*)a->p3.data, (char*)a->p4.data);
> ! 				}else{
> ! 					ret=((cmd_function)(a->p1.data))(msg, (char*)a->p2.data,
> ! 								  (char*)a->p3.data);
> ! 				}
>   			}else{
>   				LOG(L_CRIT,"BUG: do_action: bad module call\n");
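Review bot: The new dispatch keys on `a->p4.data != NULL`, but nothing in this patch assigns p4 for actions built through mk_action or mk_action3 — only mk_action4 in route_struct.c sets it — so unless mk_action zero-fills the struct (not visible here) a two-parameter module call reads an unset field and may be invoked through the four-argument `cmd_function3` cast. The cheapest fix is to make the field always defined: have mk_action (outside the patch) store `a->p4.data=NULL;` and `a->p4_type=0;` for every action, or give the route.c branch guarded by `cmd->param_no>2` an else that does the same on `t->p4`. Dispatching on a value the parser sets deliberately, rather than on a pointer that is merely "not yet written", is what keeps this from becoming a call through a mismatched function type. do_action's body continues outside the hunk.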
> Only in ser-0.8.14.new: cfg.tab.h
> diff -r -C 2 ser-0.8.14/cfg.y ser-0.8.14.new/cfg.y
> *** ser-0.8.14/cfg.y	Tue Jul 27 01:18:35 2004
> --- ser-0.8.14.new/cfg.y	Thu Jul 29 20:25:11 2004
> ***************
> *** 1538,1541 ****
> --- 1538,1565 ----
>   									}
>   								  }
> +                 | ID LPAREN STRING  COMMA STRING  COMMA STRING RPAREN
> +                                                                   { f_tmp=(void*)find_export($1, 3, rt);
> +                                                                         if (f_tmp==0){
> +                                                                                 if (find_export($1, 3, 0)) {
> +                                                                                         yyerror("Command cannot be used in the block\n");
> +                                                                                 } else {
> +                                                                                         yyerror("unknown command, missing"
> +                                                                                                 " loadmodule?\n");
> +                                                                                 }
> +                                                                                 $$=0;
> +                                                                         }else{
> +                                                                                 $$=mk_action4(  MODULE_T,
> +                                                                                                                 CMDF_ST,
> +                                                                                                                 STRING_ST,
> +                                                                                                                 STRING_ST,
> +                                                                                                                 STRING_ST,
> +                                                                                                                 f_tmp,
> +                                                                                                                 $3,
> +                                                                                                                 $5,
> + 														$7
> +                                                                                                         );
> +                                                                         }
> +                                                                   }
> + 
>   		| ID LPAREN error RPAREN { $$=0; yyerror("bad arguments"); }
>   	;
> diff -r -C 2 ser-0.8.14/modules/auth_db/authdb_mod.c ser-0.8.14.new/modules/auth_db/authdb_mod.c
> *** ser-0.8.14/modules/auth_db/authdb_mod.c	Mon Sep 15 21:47:02 2003
> --- ser-0.8.14.new/modules/auth_db/authdb_mod.c	Fri Jul 30 15:42:49 2004
> ***************
> *** 87,90 ****
> --- 87,91 ----
>   char* pass_column      = "ha1";
>   char* pass_column_2    = "ha1b";
> + char* acc_ip_column    = "acc_ip";
>   int   calc_ha1         = 0;
>   int   use_domain       = 1;    /* Use also domain when looking up a table row */
> ***************
> *** 99,102 ****
> --- 100,104 ----
>   static cmd_export_t cmds[] = {
>   	{"www_authorize",   www_authorize,   2, str_fixup, REQUEST_ROUTE},
> + 	{"www_authorize_ip",   www_authorize_ip,   3, str_fixup, REQUEST_ROUTE},
>   	{"proxy_authorize", proxy_authorize, 2, str_fixup, REQUEST_ROUTE},
>   	{0, 0, 0, 0, 0}
> ***************
> *** 114,117 ****
> --- 116,120 ----
>   	{"password_column",   STR_PARAM, &pass_column  },
>   	{"password_column_2", STR_PARAM, &pass_column_2},
> + 	{"source_ip_column",  STR_PARAM, &acc_ip_column},
>   	{"calculate_ha1",     INT_PARAM, &calc_ha1     },
>   	{"use_domain",        INT_PARAM, &use_domain   },
> ***************
> *** 190,194 ****
>   	str* s;
>   
> ! 	if (param_no == 1) {
>   		s = (str*)pkg_malloc(sizeof(str));
>   		if (!s) {
> --- 193,197 ----
>   	str* s;
>   
> ! 	if (param_no == 1 || param_no == 3) {
>   		s = (str*)pkg_malloc(sizeof(str));
>   		if (!s) {
> Only in ser-0.8.14.new/modules/auth_db: authdb_mod.d
> diff -r -C 2 ser-0.8.14/modules/auth_db/authdb_mod.h ser-0.8.14.new/modules/auth_db/authdb_mod.h
> *** ser-0.8.14/modules/auth_db/authdb_mod.h	Mon Sep 15 21:47:02 2003
> --- ser-0.8.14.new/modules/auth_db/authdb_mod.h	Wed Jul 28 19:45:23 2004
> ***************
> *** 47,52 ****
>   extern char* pass_column;     /* 'password' column name */
>   extern char* pass_column_2;   /* Column containg HA1 string constructed
> ! 			       * of user at domain username
> ! 			       */
>   
>   extern int calc_ha1;          /* if set to 1, ha1 is calculated by the server */
> --- 47,52 ----
>   extern char* pass_column;     /* 'password' column name */
>   extern char* pass_column_2;   /* Column containg HA1 string constructed
> ! 			       * of user at domain username */
> ! extern char* acc_ip_column;   /* account source ip*/
>   
>   extern int calc_ha1;          /* if set to 1, ha1 is calculated by the server */
> diff -r -C 2 ser-0.8.14/modules/auth_db/authorize.c ser-0.8.14.new/modules/auth_db/authorize.c
> *** ser-0.8.14/modules/auth_db/authorize.c	Wed Nov  5 05:55:30 2003
> --- ser-0.8.14.new/modules/auth_db/authorize.c	Fri Jul 30 15:43:12 2004
> ***************
> *** 35,42 ****
> --- 35,44 ----
>   
>   #include <string.h>
> + #include <stdio.h>
>   #include "../../ut.h"
>   #include "../../str.h"
>   #include "../../db/db.h"
>   #include "../../dprint.h"
> + #include "../../ip_addr.h"
>   #include "../../parser/digest/digest.h"
>   #include "../../parser/hf.h"
> ***************
> *** 50,64 ****
>   static str rpid = {rpid_buffer, 0};
>   
> ! static inline int get_ha1(struct username* _username, str* _domain, char* _table, char* _ha1, str* _rpid)
>   {
> ! 	db_key_t keys[2];
> ! 	db_val_t vals[2];
>   	db_key_t col[2];
>   	db_res_t* res;
>   	str result;
> ! 	int n, nc;
>   
>   	keys[0] = user_column;
>   	keys[1] = domain_column;
>   	col[0] = (_username->domain.len && !calc_ha1) ? (pass_column_2) : (pass_column);	
>   	col[1] = rpid_column;
> --- 52,67 ----
>   static str rpid = {rpid_buffer, 0};
>   
> ! static inline int get_ha1(struct username* _username, str* _domain, char* _table, char* _ha1, str* _rpid, str* _accip)
>   {
> ! 	db_key_t keys[3];
> ! 	db_val_t vals[3];
>   	db_key_t col[2];
>   	db_res_t* res;
>   	str result;
> ! 	int n, nn, nc;
>   
>   	keys[0] = user_column;
>   	keys[1] = domain_column;
> + 	keys[2] = (_accip != NULL) ? acc_ip_column : NULL;
>   	col[0] = (_username->domain.len && !calc_ha1) ? (pass_column_2) : (pass_column);	
>   	col[1] = rpid_column;
> ***************
> *** 73,77 ****
>   	VAL_STR(vals + 1).len = _domain->len;
>   
> ! 	n = (use_domain ? 2 : 1);
>   	nc = (use_rpid ? 2 : 1);
>   	db_use_table(db_handle, _table);
> --- 76,85 ----
>   	VAL_STR(vals + 1).len = _domain->len;
>   
> !         vals[2].type = DB_STR;
> !         vals[2].nul  = 0;
> !         vals[2].val.str_val = *_accip;
> ! 
> ! 	nn = (_accip != NULL) ? 3 : 2;
> ! 	n = (use_domain ? nn : 1);
>   	nc = (use_rpid ? 2 : 1);
>   	db_use_table(db_handle, _table);
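Review bot: The source-address key is dropped whenever `use_domain` is 0: `n = (use_domain ? nn : 1)` keeps only the user column, so www_authorize_ip silently stops checking the address on such deployments — a fail-open in the new authorisation step. The hunk also copies `*_accip` into vals[2] unconditionally while `keys[2]` (previous hunk) and `nn` treat `_accip` as optional, so a NULL caller would crash before the query is built. Appending the address key at index n, after whichever user/domain keys are in use, keeps keys and vals contiguous for both settings of use_domain; the `keys[2] = ...` assignment in the previous hunk and the `nn` variable then go away. get_ha1's body continues outside the hunk.
```c
	n = (use_domain ? 2 : 1);
	if (_accip != NULL) {
		/* the address key always follows the user/domain keys, so the
		 * query keeps it whether or not use_domain is set */
		keys[n] = acc_ip_column;
		vals[n].type = DB_STR;
		vals[n].nul  = 0;
		vals[n].val.str_val = *_accip;
		n++;
	}
	nc = (use_rpid ? 2 : 1);
	/* ... unchanged: db_use_table and the query ... */
```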
> ***************
> *** 156,160 ****
>    * Authorize digest credentials
>    */
> ! static inline int authorize(struct sip_msg* _m, str* _realm, char* _table, int _hftype)
>   {
>   	char ha1[256];
> --- 164,168 ----
>    * Authorize digest credentials
>    */
> ! static inline int authorize(struct sip_msg* _m, str* _realm, char* _table, int _hftype, str* _accip)
>   {
>   	char ha1[256];
> ***************
> *** 164,169 ****
> --- 172,184 ----
>   	auth_result_t ret;
>   	str domain;
> + 	str accip;
>   
>   	domain = *_realm;
> + 	accip = *_accip;
> + 
> + 	if(strcmp(accip.s, "0.0.0.0") == 0){
> + 		accip.s = ip_addr2a(&_m->rcv.src_ip);
> + 		accip.len = strlen(accip.s);
> + 	}
>   
>   	ret = pre_auth_func(_m, &domain, _hftype, &h);
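Review bot: `accip = *_accip;` dereferences a null pointer for the two existing callers, because proxy_authorize and www_authorize now pass NULL in the last hunk of this file, so every non-IP authorisation crashes. The sentinel test `strcmp(accip.s, "0.0.0.0")` additionally assumes the fixed-up str is NUL-terminated, which str_fixup is not shown to guarantee; a length-bounded compare avoids that. ip_addr2a presumably returns a static buffer — confirm it is not reused before get_ha1 consumes it. Guard the parameter and hand get_ha1 a pointer that is NULL when no address check was requested, so the call in the following hunk becomes `get_ha1(&cred->digest.username, &domain, _table, ha1, &rpid, accip_p)`; authorize's body continues outside the hunk.
```c
	str accip;
	str* accip_p = NULL;	/* non-NULL only when an address check was requested */

	domain = *_realm;
	if (_accip != NULL) {
		accip = *_accip;
		if (accip.len == 7 && memcmp(accip.s, "0.0.0.0", 7) == 0) {
			/* sentinel: compare against the address the request arrived from */
			accip.s = ip_addr2a(&_m->rcv.src_ip);
			accip.len = strlen(accip.s);
		}
		accip_p = &accip;
	}
	/* ... unchanged: pre_auth_func and credential handling ... */
	res = get_ha1(&cred->digest.username, &domain, _table, ha1, &rpid, accip_p);
```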
> ***************
> *** 181,185 ****
>   	rpid.len = 0;
>   	
> ! 	res = get_ha1(&cred->digest.username, &domain, _table, ha1, &rpid);
>           if (res < 0) {
>   		     /* Error while accessing the database */
> --- 196,200 ----
>   	rpid.len = 0;
>   	
> ! 	res = get_ha1(&cred->digest.username, &domain, _table, ha1, &rpid, &accip);
>           if (res < 0) {
>   		     /* Error while accessing the database */
> ***************
> *** 214,226 ****
>   {
>   	     /* realm parameter is converted to str* in str_fixup */
> ! 	return authorize(_m, (str*)_realm, _table, HDR_PROXYAUTH);
>   }
>   
>   
>   /*
>    * Authorize using WWW-Authorize header field
>    */
>   int www_authorize(struct sip_msg* _m, char* _realm, char* _table)
>   {
> ! 	return authorize(_m, (str*)_realm, _table, HDR_AUTHORIZATION);
>   }
> --- 229,250 ----
>   {
>   	     /* realm parameter is converted to str* in str_fixup */
> ! 	return authorize(_m, (str*)_realm, _table, HDR_PROXYAUTH, NULL);
>   }
>   
>   
>   /*
> +  * Authorize using WWW-Authorize header field with ip source address
> +  */
> + int www_authorize_ip(struct sip_msg* _m, char* _realm, char* _table, char* _accip)
> + {
> + 	return authorize(_m, (str*)_realm, _table, HDR_AUTHORIZATION, (str*)_accip);
> + }
> + 
> + /*
>    * Authorize using WWW-Authorize header field
>    */
>   int www_authorize(struct sip_msg* _m, char* _realm, char* _table)
>   {
> !         return authorize(_m, (str*)_realm, _table, HDR_AUTHORIZATION, NULL);
>   }
> + 
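Review bot: The header comment on www_authorize_ip does not say what the third parameter is compared against, nor that `"0.0.0.0"` is a sentinel selecting the request's source address, which is the one fact a config author needs; suggest `/* Authorize using WWW-Authorize header field and additionally require that the request's source address equal the account's acc_ip column; "0.0.0.0" means the address the request arrived from */` (wrapped to the file's width). It is also worth stating next to the declaration that `_accip` arrives as a str* converted by str_fixup, the same way the realm comment does for `_realm`. As a point of style, the re-indented `return` in www_authorize uses spaces where the rest of the file uses tabs.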
> Only in ser-0.8.14.new/modules/auth_db: authorize.d
> diff -r -C 2 ser-0.8.14/modules/auth_db/authorize.h ser-0.8.14.new/modules/auth_db/authorize.h
> *** ser-0.8.14/modules/auth_db/authorize.h	Thu Mar  6 17:39:33 2003
> --- ser-0.8.14.new/modules/auth_db/authorize.h	Wed Jul 28 18:59:51 2004
> ***************
> *** 47,50 ****
> --- 47,56 ----
>   int www_authorize(struct sip_msg* _msg, char* _realm, char* _table);
>   
> + /*
> +  * Authorize using WWW-Authorization header field with source ip
> +  */
> + int www_authorize_ip(struct sip_msg* _msg, char* _realm, char* _table, char* _accip);
> + 
> + 
>   
>   #endif /* AUTHORIZE_H */
> Only in ser-0.8.14.new/modules/auth_db: rfc2617.d
> diff -r -C 2 ser-0.8.14/route.c ser-0.8.14.new/route.c
> *** ser-0.8.14/route.c	Sun Oct 12 17:09:08 2003
> --- ser-0.8.14.new/route.c	Thu Jul 29 20:05:55 2004
> ***************
> *** 224,228 ****
>   				}
>   				break;
> ! 			case MODULE_T:
>   				if ((mod=find_module(t->p1.data, &cmd))!=0){
>   					DBG("fixing %s %s\n", mod->path, cmd->name);
> --- 224,228 ----
>   				}
>   				break;
> ! 			case MODULE_T:{
>   				if ((mod=find_module(t->p1.data, &cmd))!=0){
>   					DBG("fixing %s %s\n", mod->path, cmd->name);
> ***************
> *** 238,243 ****
> --- 238,249 ----
>   							if (ret<0) return ret;
>   						}
> +                                                 if (cmd->param_no>2){
> +                                                         ret=cmd->fixup(&t->p4.data, 3);
> +                                                         t->p4_type=MODFIXUP_ST;
> +                                                         if (ret<0) return ret;
> +                                                 }
>   					}
>   				}
> + 			}
>   			
>   		}
> diff -r -C 2 ser-0.8.14/route_struct.c ser-0.8.14.new/route_struct.c
> *** ser-0.8.14/route_struct.c	Fri Oct  3 09:19:41 2003
> --- ser-0.8.14.new/route_struct.c	Thu Jul 29 16:49:56 2004
> ***************
> *** 117,120 ****
> --- 117,135 ----
>   }
>   
> + struct action* mk_action4(int type, int p1_type, int p2_type, int p3_type, int p4_type,
> +                                                         void* p1, void* p2, void* p3, void* p4)
> + {
> +         struct action* a;
> + 
> +         a=mk_action(type, p1_type, p2_type, p1, p2);
> +         if (a){
> +                         a->p3_type=p3_type;
> +                         a->p3.data=p3;
> +                         a->p4_type=p4_type;
> +                         a->p4.data=p4;
> +         }
> +         return a;
> + }
> + 
>   
>   
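Review bot: mk_action4 is indented with 8-space runs and a doubled indent inside `if (a)`, while the surrounding route_struct.c and the header declaration added later in this patch use tabs; please re-indent to match the file. A short comment explaining why p4 is filled here would help readers of do_action, which dispatches on p4.data, e.g. `/* p4 is set only for three-argument module calls; see do_action */`.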
> diff -r -C 2 ser-0.8.14/route_struct.h ser-0.8.14.new/route_struct.h
> *** ser-0.8.14/route_struct.h	Sun Oct 12 17:09:08 2003
> --- ser-0.8.14.new/route_struct.h	Thu Jul 29 16:53:46 2004
> ***************
> *** 99,107 ****
>   	int p2_type;
>   	int p3_type;
>   	union {
>   		long number;
>   		char* string;
>   		void* data;
> ! 	}p1, p2, p3;
>   	struct action* next;
>   };
> --- 99,108 ----
>   	int p2_type;
>   	int p3_type;
> + 	int p4_type;
>   	union {
>   		long number;
>   		char* string;
>   		void* data;
> ! 	}p1, p2, p3, p4;
>   	struct action* next;
>   };
> ***************
> *** 115,118 ****
> --- 116,121 ----
>   struct action* mk_action3(int type, int p1_type, int p2_type, int p3_type, 
>   							void* p1, void* p2, void* p3);
> + struct action* mk_action4(int type, int p1_type, int p2_type, int p3_type, int p4_type,  
> + 							void* p1, void* p2, void* p3, void* p4);
>   struct action* append_action(struct action* a, struct action* b);
>   
> Only in ser-0.8.14.new: ser_ip.cfg
> diff -r -C 2 ser-0.8.14/sr_module.h ser-0.8.14.new/sr_module.h
> *** ser-0.8.14/sr_module.h	Sun Apr 27 20:17:23 2003
> --- ser-0.8.14.new/sr_module.h	Fri Jul 30 09:51:52 2004
> ***************
> *** 44,47 ****
> --- 44,48 ----
>   typedef  struct module_exports* (*module_register)();
>   typedef  int (*cmd_function)(struct sip_msg*, char*, char*);
> + typedef  int (*cmd_function3)(struct sip_msg*, char*, char*, char*);
>   typedef  int (*fixup_function)(void** param, int param_no);
>   typedef  int (*response_function)(struct sip_msg*);




