<p>Joshua Colp <strong>merged</strong> this change.</p><p><a href="https://gerrit.asterisk.org/6907">View Change</a></p><div style="white-space:pre-wrap">Approvals:
George Joseph: Looks good to me, but someone else must approve
Kevin Harwell: Looks good to me, approved
Joshua Colp: Approved for Submit
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">res_pjsip: Add 'ip' as a valid option to 'identify_by' on endpoint.<br><br>When the identify_by option on an endpoint is set to ip it will<br>only be identified using the res_pjsip_endpoint_identifier_ip module.<br>This ensures that it is not mistakenly matched using the username of<br>the From header. To ensure behavior has not changed the default has<br>been changed to "username,ip" for the identify_by option.<br><br>ASTERISK-27206<br><br>Change-Id: I2170b86a7f7e221b4f00bf14aa1ef1ac5b050bbd<br>---<br>M CHANGES<br>M configs/samples/pjsip.conf.sample<br>A contrib/ast-db-manage/config/versions/20abce6d1e3c_add_pjsip_identify_by_ip.py<br>M include/asterisk/res_pjsip.h<br>M res/res_pjsip.c<br>M res/res_pjsip/pjsip_configuration.c<br>M res/res_pjsip_endpoint_identifier_ip.c<br>7 files changed, 93 insertions(+), 14 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">diff --git a/CHANGES b/CHANGES<br>index 68617a4..683a164 100644<br>--- a/CHANGES<br>+++ b/CHANGES<br>@@ -27,6 +27,16 @@<br> dialplan in the hash TRANSFER_DATA.<br> <br> ------------------------------------------------------------------------------<br>+--- Functionality changes from Asterisk 15.1.0 to Asterisk 15.2.0 ------------<br>+------------------------------------------------------------------------------<br>+<br>+res_pjsip<br>+------------------<br>+ * The "identify_by" on endpoints can now be set to "ip" to restrict an endpoint<br>+ being matched based only on IP address. To ensure no behavior change the<br>+ default has been changed to "username,ip".<br>+<br>+------------------------------------------------------------------------------<br> --- Functionality changes from Asterisk 15.0.0 to Asterisk 15.1.0 ------------<br> ------------------------------------------------------------------------------<br> <br>diff --git a/configs/samples/pjsip.conf.sample b/configs/samples/pjsip.conf.sample<br>index c535aaf..800ff0f 100644<br>--- a/configs/samples/pjsip.conf.sample<br>+++ b/configs/samples/pjsip.conf.sample<br>@@ -634,9 +634,11 @@<br> ; identified.<br> ; "username": Identify by the From or To username and domain<br> ; "auth_username": Identify by the Authorization username and realm<br>- ; In all cases, if an exact match on username and domain/realm fails,<br>- ; the match will be retried with just the username.<br>- ; (default: "username")<br>+ ; "ip": Identify by the source IP address<br>+ ; In username and auth_username cases, if an exact match on<br>+ ; username and domain/realm fails, the match will be retried<br>+ ; with just the username.<br>+ ; (default: "username,ip")<br> ;redirect_method=user ; How redirects received from an endpoint are handled<br> ; (default: "user")<br> ;mailboxes= ; NOTIFY the endpoint when state changes for any of the specified mailboxes.<br>diff --git a/contrib/ast-db-manage/config/versions/20abce6d1e3c_add_pjsip_identify_by_ip.py b/contrib/ast-db-manage/config/versions/20abce6d1e3c_add_pjsip_identify_by_ip.py<br>new file mode 100644<br>index 0000000..d457c92<br>--- /dev/null<br>+++ b/contrib/ast-db-manage/config/versions/20abce6d1e3c_add_pjsip_identify_by_ip.py<br>@@ -0,0 +1,46 @@<br>+"""add pjsip identify by ip<br>+<br>+Revision ID: 20abce6d1e3c<br>+Revises: a1698e8bb9c5<br>+Create Date: 2017-10-24 15:44:06.404774<br>+<br>+"""<br>+<br>+# revision identifiers, used by Alembic.<br>+revision = '20abce6d1e3c'<br>+down_revision = 'a1698e8bb9c5'<br>+<br>+from alembic import op<br>+import sqlalchemy as sa<br>+<br>+<br>+def enum_update(table_name, column_name, enum_name, enum_values):<br>+ if op.get_context().bind.dialect.name != 'postgresql':<br>+ if op.get_context().bind.dialect.name == 'mssql':<br>+ op.drop_constraint('ck_ps_endpoints_identify_by_pjsip_identify_by_values', 'ps_endpoints')<br>+ op.alter_column(table_name, column_name,<br>+ type_=sa.Enum(*enum_values, name=enum_name))<br>+ return<br>+<br>+ # Postgres requires a few more steps<br>+ tmp = enum_name + '_tmp'<br>+<br>+ op.execute('ALTER TYPE ' + enum_name + ' RENAME TO ' + tmp)<br>+<br>+ updated = sa.Enum(*enum_values, name=enum_name)<br>+ updated.create(op.get_bind(), checkfirst=False)<br>+<br>+ op.execute('ALTER TABLE ' + table_name + ' ALTER COLUMN ' + column_name +<br>+ ' TYPE ' + enum_name + ' USING identify_by::text::' + enum_name)<br>+<br>+ op.execute('DROP TYPE ' + tmp)<br>+<br>+<br>+def upgrade():<br>+ enum_update('ps_endpoints', 'identify_by', 'pjsip_identify_by_values',<br>+ ['username', 'auth_username', 'ip'])<br>+<br>+<br>+def downgrade():<br>+ enum_update('ps_endpoints', 'identify_by', 'pjsip_identify_by_values',<br>+ ['username', 'auth_username'])<br>diff --git a/include/asterisk/res_pjsip.h b/include/asterisk/res_pjsip.h<br>index e6ccf0a..e71eb98 100644<br>--- a/include/asterisk/res_pjsip.h<br>+++ b/include/asterisk/res_pjsip.h<br>@@ -437,6 +437,8 @@<br> AST_SIP_ENDPOINT_IDENTIFY_BY_USERNAME = (1 << 0),<br> /*! Identify based on user name in Auth header first, then From header */<br> AST_SIP_ENDPOINT_IDENTIFY_BY_AUTH_USERNAME = (1 << 1),<br>+ /*! Identify based on source IP address */<br>+ AST_SIP_ENDPOINT_IDENTIFY_BY_IP = (1 << 2),<br> };<br> AST_VECTOR(ast_sip_identify_by_vector, enum ast_sip_endpoint_identifier_type);<br> <br>diff --git a/res/res_pjsip.c b/res/res_pjsip.c<br>index f81d34c..7499ded 100644<br>--- a/res/res_pjsip.c<br>+++ b/res/res_pjsip.c<br>@@ -268,15 +268,17 @@<br> <configOption name="ice_support" default="no"><br> <synopsis>Enable the ICE mechanism to help traverse NAT</synopsis><br> </configOption><br>- <configOption name="identify_by" default="username,location"><br>+ <configOption name="identify_by" default="username,ip"><br> <synopsis>Way(s) for Endpoint to be identified</synopsis><br> <description><para><br> Endpoints and aors can be identified in multiple ways. Currently, the supported<br> options are <literal>username</literal>, which matches the endpoint or aor id based on<br>- the username and domain in the From header (or To header for aors), and<br>+ the username and domain in the From header (or To header for aors),<br> <literal>auth_username</literal>, which matches the endpoint or aor id based on the<br>- username and realm in the Authentication header. In all cases, if an exact match<br>- on both username and domain/realm fails, the match will be retried with just the username.<br>+ username and realm in the Authentication header, and <literal>ip</literal> which matches<br>+ an endpoint based on the source IP address. In the <literal>username</literal> and<br>+ <literal>auth_username</literal> cases, if an exact match on both username and<br>+ domain/realm fails, the match will be retried with just the username.<br> </para><br> <note><para><br> Identification by auth_username has some security considerations because an<br>@@ -292,14 +294,19 @@<br> configuration object.<br> </para></note><br> <note><para>Endpoints can also be identified by IP address; however, that method<br>- of identification is not handled by this configuration option. See the documentation<br>- for the <literal>identify</literal> configuration section for more details on that<br>- method of endpoint identification. If this option is set and an <literal>identify</literal><br>- configuration section exists for the endpoint, then the endpoint can be identified in<br>- multiple ways.</para></note><br>+ of identification is not configured but simply allowed by this configuration option.<br>+ See the documentation for the <literal>identify</literal> configuration section for<br>+ more details on that method of endpoint identification.</para></note><br>+ <note><para><br>+ This option controls both how an endpoint is matched for incoming traffic and also how<br>+ an AoR is determined if a registration occurs. If <literal>ip</literal> is set alone<br>+ then incoming registration will not find an AoR and the registration attempt will fail.<br>+ If you want to allow incoming registrations to succeed you must set a second identify<br>+ method such as <literal>username</literal> in this case.</para></note><br> <enumlist><br> <enum name="username" /><br> <enum name="auth_username" /><br>+ <enum name="ip" /><br> </enumlist><br> </description><br> </configOption><br>diff --git a/res/res_pjsip/pjsip_configuration.c b/res/res_pjsip/pjsip_configuration.c<br>index 653cb98..6db5b38 100644<br>--- a/res/res_pjsip/pjsip_configuration.c<br>+++ b/res/res_pjsip/pjsip_configuration.c<br>@@ -582,8 +582,10 @@<br> <br> if (!strcasecmp(val, "username")) {<br> method = AST_SIP_ENDPOINT_IDENTIFY_BY_USERNAME;<br>- } else if (!strcasecmp(val, "auth_username")) {<br>+ } else if (!strcasecmp(val, "auth_username")) {<br> method = AST_SIP_ENDPOINT_IDENTIFY_BY_AUTH_USERNAME;<br>+ } else if (!strcasecmp(val, "ip")) {<br>+ method = AST_SIP_ENDPOINT_IDENTIFY_BY_IP;<br> } else {<br> ast_log(LOG_ERROR, "Unrecognized identification method %s specified for endpoint %s\n",<br> val, ast_sorcery_object_get_id(endpoint));<br>@@ -627,6 +629,9 @@<br> break;<br> case AST_SIP_ENDPOINT_IDENTIFY_BY_AUTH_USERNAME :<br> method = "auth_username";<br>+ break;<br>+ case AST_SIP_ENDPOINT_IDENTIFY_BY_IP :<br>+ method = "ip";<br> break;<br> default:<br> continue;<br>@@ -1901,7 +1906,7 @@<br> ast_sorcery_object_field_register(sip_sorcery, "endpoint", "aors", "", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_endpoint, aors));<br> ast_sorcery_object_field_register(sip_sorcery, "endpoint", "media_address", "", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_endpoint, media.address));<br> ast_sorcery_object_field_register(sip_sorcery, "endpoint", "bind_rtp_to_media_address", "no", OPT_BOOL_T, 1, STRFLDSET(struct ast_sip_endpoint, media.bind_rtp_to_media_address));<br>- ast_sorcery_object_field_register_custom(sip_sorcery, "endpoint", "identify_by", "username", ident_handler, ident_to_str, NULL, 0, 0);<br>+ ast_sorcery_object_field_register_custom(sip_sorcery, "endpoint", "identify_by", "username,ip", ident_handler, ident_to_str, NULL, 0, 0);<br> ast_sorcery_object_field_register(sip_sorcery, "endpoint", "direct_media", "yes", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, media.direct_media.enabled));<br> ast_sorcery_object_field_register_custom(sip_sorcery, "endpoint", "direct_media_method", "invite", direct_media_method_handler, direct_media_method_to_str, NULL, 0, 0);<br> ast_sorcery_object_field_register_custom(sip_sorcery, "endpoint", "connected_line_method", "invite", connected_line_method_handler, connected_line_method_to_str, NULL, 0, 0);<br>diff --git a/res/res_pjsip_endpoint_identifier_ip.c b/res/res_pjsip_endpoint_identifier_ip.c<br>index 30bfc26..8b92cef 100644<br>--- a/res/res_pjsip_endpoint_identifier_ip.c<br>+++ b/res/res_pjsip_endpoint_identifier_ip.c<br>@@ -227,7 +227,14 @@<br> }<br> <br> endpoint = ast_sorcery_retrieve_by_id(ast_sip_get_sorcery(), "endpoint", match->endpoint_name);<br>+<br> if (endpoint) {<br>+ if (!(endpoint->ident_method & AST_SIP_ENDPOINT_IDENTIFY_BY_IP)) {<br>+ ast_debug(3, "Endpoint '%s' found for '%s' but 'ip' method not supported'\n", match->endpoint_name,<br>+ ast_sockaddr_stringify(&addr));<br>+ ao2_cleanup(endpoint);<br>+ return NULL;<br>+ }<br> ast_debug(3, "Retrieved endpoint %s\n", ast_sorcery_object_get_id(endpoint));<br> } else {<br> ast_log(LOG_WARNING, "Identify section '%s' points to endpoint '%s' but endpoint could not be looked up\n",<br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/6907">change 6907</a>. To unsubscribe, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/6907"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: merged </div>
<div style="display:none"> Gerrit-Change-Id: I2170b86a7f7e221b4f00bf14aa1ef1ac5b050bbd </div>
<div style="display:none"> Gerrit-Change-Number: 6907 </div>
<div style="display:none"> Gerrit-PatchSet: 3 </div>
<div style="display:none"> Gerrit-Owner: Joshua Colp <jcolp@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins2 </div>
<div style="display:none"> Gerrit-Reviewer: Joshua Colp <jcolp@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Kevin Harwell <kharwell@digium.com> </div>