[Asterisk-code-review] res pjsip: Add ability to identify by Authorization username (asterisk[master])

Mark Michelson asteriskteam at digium.com
Wed Mar 9 17:50:20 CST 2016


Mark Michelson has posted comments on this change.

Change subject: res_pjsip: Add ability to identify by Authorization username
......................................................................


Patch Set 3:

This might have some unexpected side effects that aren't covered here. Reading the initial issue, the problem here is that the From header is not necessarily going to match the name of an endpoint.

I expect the flow to be something like:
1. Endpoint sends a request to Asterisk.
2. Asterisk does not recognize the endpoint because the name in the From header does not match the name of any endpoint, and there is no Authorization header.
3. Asterisk generates a fake 401 using the artificial endpoint as its basis for authentication.
4. The endpoint now re-sends the request with an Authorization header.
5. Asterisk recognizes the endpoint based on Authorization header username and realm.
6. Asterisk authenticates the endpoint properly (I guess?) and processes the request.

If the above is the correct flow, this is going to cause some curious entries to get logged around step 2. First, you'll see a "Request from 'blah' failed... no matching endpoint found". Second, you will see a security event sent because we think we have received a request from an invalid endpoint.

Essentially what it boils down to is that this attempts to recognize endpoints based on a header that is not going to be present half the time. It happens to work based on the habit Asterisk has of sending fake authentication to unknown endpoints.

What's not clear is why this is being made in the first place. The issue claims that it's because the From header sometimes contains caller ID. If the endpoints are local to the Asterisk system, then why aren't the endpoints just named the same as the endpoints' caller ID? And if you're accepting requests from a SIP provider, then the preferred methods of identifying that provider are either to identify by IP address/domain or to use the line option for an outbound registration.

-- 
To view, visit https://gerrit.asterisk.org/2368
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I30ba62d208e6f63439600916fcd1c08a365ed69d
Gerrit-PatchSet: 3
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Owner: George Joseph <george.joseph at fairview5.com>
Gerrit-Reviewer: Anonymous Coward #1000019
Gerrit-Reviewer: Kevin Harwell <kharwell at digium.com>
Gerrit-Reviewer: Mark Michelson <mmichelson at digium.com>
Gerrit-HasComments: No
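The six-step flow described in the comment above, as an added example that is not part of the review thread or of Asterisk's res_pjsip code. It is a simplified Python model: the endpoint table, realm, sample INVITEs and log strings are all constructed for illustration, and the header parsers are toy versions rather than the PJSIP ones. It shows that the first request (From user is caller ID, no Authorization header) falls through to the "no matching endpoint" path and raises a security event, while the re-sent request is identified by the Authorization username and realm.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed endpoint table (hypothetical names, not from the patch or any config).
ENDPOINTS = {"6001", "6002"}


def parse_sip_request(raw: str):
    """Split a raw SIP request into (request line, {lowercased header name: value})."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():      # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def from_user(headers: Dict[str, str]) -> Optional[str]:
    """User part of the From URI, e.g. 'Alice' <sip:1555...@pbx>;tag=x -> '1555...'."""
    m = re.search(r"sips?:([^@>;]+)@", headers.get("from", ""))
    return m.group(1) if m else None


def digest_params(headers: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Parse the parameters of a Digest Authorization header into a dict (None if absent)."""
    auth = headers.get("authorization")
    if not auth:
        return None
    scheme, _, rest = auth.partition(" ")
    if scheme.lower() != "digest":
        return None
    params: Dict[str, str] = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


@dataclass
class Outcome:
    endpoint: Optional[str]
    action: str                       # "process" or "challenge-401"
    log: List[str] = field(default_factory=list)


def identify_endpoint(raw: str, endpoints=ENDPOINTS, realm: str = "asterisk") -> Outcome:
    """Model of the identification order: From user first, then Authorization username."""
    _, h = parse_sip_request(raw)
    user = from_user(h)
    # Existing behaviour: the From user must equal an endpoint name.
    if user in endpoints:
        return Outcome(user, "process")
    # Fallback the change under review adds: Authorization username in our realm.
    p = digest_params(h)
    if p and p.get("realm") == realm and p.get("username") in endpoints:
        return Outcome(p["username"], "process",
                       [f"identified '{p['username']}' by Authorization header, not by From"])
    # Step 2 of the flow: nothing matched, so the request is logged as coming from an
    # unknown endpoint and a security event is raised, before the artificial endpoint
    # challenges with a 401. (Log text is a constructed approximation, not Asterisk's.)
    return Outcome(None, "challenge-401", [
        f"Request from '{user}' failed - No matching endpoint found",
        f"security event: request from unknown endpoint '{user}'",
    ])


# Constructed sample traffic: the same INVITE before and after the 401 challenge.
FIRST_INVITE = (
    "INVITE sip:2000@pbx.example SIP/2.0\r\n"
    'From: "Alice Smith" <sip:15551234567@pbx.example>;tag=a1\r\n'
    "To: <sip:2000@pbx.example>\r\n"
    "Call-ID: c1@phone.example\r\n"
    "\r\n"
)
SECOND_INVITE = (
    "INVITE sip:2000@pbx.example SIP/2.0\r\n"
    'From: "Alice Smith" <sip:15551234567@pbx.example>;tag=a1\r\n'
    "To: <sip:2000@pbx.example>\r\n"
    "Call-ID: c1@phone.example\r\n"
    'Authorization: Digest username="6001", realm="asterisk", nonce="n0nce", '
    'uri="sip:2000@pbx.example", response="0123456789abcdef", algorithm=MD5\r\n'
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("first request", FIRST_INVITE), ("re-sent request", SECOND_INVITE)):
        out = identify_endpoint(req)
        print(f"{label}: endpoint={out.endpoint} action={out.action}")
        for entry in out.log:
            print("   ", entry)
```

Running it prints the spurious "No matching endpoint found" line and security event for the first INVITE, then a successful match on 6001 for the re-send; a wrong realm in the Authorization header falls back to the same unknown-endpoint path.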