<p>Sean Bright has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/15803">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">res_pjsip.c: OPTIONS processing can now optionally skip authentication<br><br>ASTERISK-27477 #close<br><br>Change-Id: I68f6715bba92a525149e35d142a49377a34a1193<br>---<br>A contrib/ast-db-manage/config/versions/c20d6e3992f4_add_allow_unauthenticated_options.py<br>A doc/CHANGES-staging/pjsip_endpoint_unauthenticated_options.txt<br>M include/asterisk/res_pjsip.h<br>M res/res_pjsip.c<br>M res/res_pjsip/pjsip_configuration.c<br>5 files changed, 54 insertions(+), 0 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/03/15803/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/contrib/ast-db-manage/config/versions/c20d6e3992f4_add_allow_unauthenticated_options.py b/contrib/ast-db-manage/config/versions/c20d6e3992f4_add_allow_unauthenticated_options.py</span><br><span>new file mode 100644</span><br><span>index 0000000..fd2be50</span><br><span>--- /dev/null</span><br><span>+++ b/contrib/ast-db-manage/config/versions/c20d6e3992f4_add_allow_unauthenticated_options.py</span><br><span>@@ -0,0 +1,28 @@</span><br><span style="color: hsl(120, 100%, 40%);">+"""add allow_unauthenticated_options</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Revision ID: c20d6e3992f4</span><br><span style="color: hsl(120, 100%, 40%);">+Revises: 8915fcc5766f</span><br><span style="color: hsl(120, 100%, 40%);">+Create Date: 2021-04-23 13:44:38.296558</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+"""</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+# revision 
identifiers, used by Alembic.</span><br><span style="color: hsl(120, 100%, 40%);">+revision = 'c20d6e3992f4'</span><br><span style="color: hsl(120, 100%, 40%);">+down_revision = '8915fcc5766f'</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+from alembic import op</span><br><span style="color: hsl(120, 100%, 40%);">+import sqlalchemy as sa</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+AST_BOOL_NAME = 'ast_bool_values'</span><br><span style="color: hsl(120, 100%, 40%);">+AST_BOOL_VALUES = [ '0', '1',</span><br><span style="color: hsl(120, 100%, 40%);">+ 'off', 'on',</span><br><span style="color: hsl(120, 100%, 40%);">+ 'false', 'true',</span><br><span style="color: hsl(120, 100%, 40%);">+ 'no', 'yes' ]</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+def upgrade():</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_bool_values = ENUM(*AST_BOOL_VALUES, name=AST_BOOL_NAME, create_type=False)</span><br><span style="color: hsl(120, 100%, 40%);">+ op.add_column('ps_endpoints', sa.Column('allow_unauthenticated_options', ast_bool_values))</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+def downgrade():</span><br><span style="color: hsl(120, 100%, 40%);">+ op.drop_column('ps_endpoints', 'allow_unauthenticated_options')</span><br><span style="color: hsl(120, 100%, 40%);">+ pass</span><br><span>diff --git a/doc/CHANGES-staging/pjsip_endpoint_unauthenticated_options.txt b/doc/CHANGES-staging/pjsip_endpoint_unauthenticated_options.txt</span><br><span>new file mode 100644</span><br><span>index 0000000..9c8d32c</span><br><span>--- /dev/null</span><br><span>+++ b/doc/CHANGES-staging/pjsip_endpoint_unauthenticated_options.txt</span><br><span>@@ -0,0 +1,5 @@</span><br><span style="color: hsl(120, 100%, 40%);">+Subject: res_pjsip</span><br><span 
style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+PJSIP endpoints can now be configured to skip authentication when</span><br><span style="color: hsl(120, 100%, 40%);">+handling OPTIONS requests by setting the allow_unauthenticated_options</span><br><span style="color: hsl(120, 100%, 40%);">+configuration property to 'yes.'</span><br><span>diff --git a/include/asterisk/res_pjsip.h b/include/asterisk/res_pjsip.h</span><br><span>index 81161f3..a094205 100644</span><br><span>--- a/include/asterisk/res_pjsip.h</span><br><span>+++ b/include/asterisk/res_pjsip.h</span><br><span>@@ -839,6 +839,8 @@</span><br><span> unsigned int ignore_183_without_sdp;</span><br><span> /*! Enable STIR/SHAKEN support on this endpoint */</span><br><span> unsigned int stir_shaken;</span><br><span style="color: hsl(120, 100%, 40%);">+ /*! Should we authenticate OPTIONS requests per RFC 3261? */</span><br><span style="color: hsl(120, 100%, 40%);">+ unsigned int allow_unauthenticated_options;</span><br><span> };</span><br><span> </span><br><span> /*! 
URI parameter for symmetric transport */</span><br><span>diff --git a/res/res_pjsip.c b/res/res_pjsip.c</span><br><span>index 4978a24..b70763f 100644</span><br><span>--- a/res/res_pjsip.c</span><br><span>+++ b/res/res_pjsip.c</span><br><span>@@ -1166,6 +1166,18 @@</span><br><span> INVITEs, an Identity header will be added.</para></span><br><span> </description></span><br><span> </configOption></span><br><span style="color: hsl(120, 100%, 40%);">+ <configOption name="allow_unauthenticated_options" default="no"></span><br><span style="color: hsl(120, 100%, 40%);">+ <synopsis>Skip authentication when receiving OPTIONS requests</synopsis></span><br><span style="color: hsl(120, 100%, 40%);">+ <description><para></span><br><span style="color: hsl(120, 100%, 40%);">+ RFC 3261 says that the response to an OPTIONS request MUST be the</span><br><span style="color: hsl(120, 100%, 40%);">+ same had the request been an INVITE. Some UAs use OPTIONS requests</span><br><span style="color: hsl(120, 100%, 40%);">+ like a 'ping' and the expectation is that they will return a</span><br><span style="color: hsl(120, 100%, 40%);">+ 200 OK.</para></span><br><span style="color: hsl(120, 100%, 40%);">+ <para>Enabling <literal>allow_unauthenticated_options</literal></span><br><span style="color: hsl(120, 100%, 40%);">+ will skip authentication of OPTIONS requests for the given</span><br><span style="color: hsl(120, 100%, 40%);">+ endpoint.</para></span><br><span style="color: hsl(120, 100%, 40%);">+ </description></span><br><span style="color: hsl(120, 100%, 40%);">+ </configOption></span><br><span> </configObject></span><br><span> <configObject name="auth"></span><br><span> <synopsis>Authentication type</synopsis></span><br><span>@@ -2990,6 +3002,12 @@</span><br><span> </span><br><span> int ast_sip_requires_authentication(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata)</span><br><span> {</span><br><span style="color: hsl(120, 100%, 40%);">+ if 
(endpoint->allow_unauthenticated_options</span><br><span style="color: hsl(120, 100%, 40%);">+ && !pjsip_method_cmp(&rdata->msg_info.msg->line.req.method, &pjsip_options_method)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_debug(3, "Skipping OPTIONS authentication due to endpoint configuration\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> if (!registered_authenticator) {</span><br><span> ast_log(LOG_WARNING, "No SIP authenticator registered. Assuming authentication is not required\n");</span><br><span> return 0;</span><br><span>diff --git a/res/res_pjsip/pjsip_configuration.c b/res/res_pjsip/pjsip_configuration.c</span><br><span>index a496843..5bf65eb 100644</span><br><span>--- a/res/res_pjsip/pjsip_configuration.c</span><br><span>+++ b/res/res_pjsip/pjsip_configuration.c</span><br><span>@@ -1968,6 +1968,7 @@</span><br><span> ast_sorcery_object_field_register(sip_sorcery, "endpoint", "suppress_q850_reason_headers", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, suppress_q850_reason_headers));</span><br><span> ast_sorcery_object_field_register(sip_sorcery, "endpoint", "ignore_183_without_sdp", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, ignore_183_without_sdp));</span><br><span> ast_sorcery_object_field_register(sip_sorcery, "endpoint", "stir_shaken", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, stir_shaken));</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sorcery_object_field_register(sip_sorcery, "endpoint", "allow_unauthenticated_options", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, allow_unauthenticated_options));</span><br><span> </span><br><span> if (ast_sip_initialize_sorcery_transport()) {</span><br><span> ast_log(LOG_ERROR, "Failed to register SIP transport support with sorcery\n");</span><br><span></span><br></pre><p>To view, visit <a 
href="https://gerrit.asterisk.org/c/asterisk/+/15803">change 15803</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/15803"/><meta itemprop="name" content="View Change"/></div></div>
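<p>Review bot: in contrib/ast-db-manage/config/versions/c20d6e3992f4_add_allow_unauthenticated_options.py, upgrade() calls ENUM(*AST_BOOL_VALUES, name=AST_BOOL_NAME, create_type=False), but the file only imports op from alembic and sqlalchemy as sa, so ENUM is undefined and the migration fails with a NameError as soon as it runs. Add "from sqlalchemy.dialects.postgresql import ENUM" next to the other imports. The trailing "pass" after op.drop_column() in downgrade() is dead code and can be dropped.</p>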
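<p>Review bot: in doc/CHANGES-staging/pjsip_endpoint_unauthenticated_options.txt, the last line ends with 'yes.' with the period inside the quotes, which reads as if the value to configure were "yes." including the dot. Move the period outside the closing quote so the literal value is unambiguous.</p>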
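<p>Review bot: in include/asterisk/res_pjsip.h, the comment on the new struct member asks "Should we authenticate OPTIONS requests per RFC 3261?", which has the opposite polarity to the field it documents: a non-zero allow_unauthenticated_options means authentication is skipped, not performed. Reword the comment to match the name, for example "Skip authentication of OPTIONS requests for this endpoint", so a reader of the header cannot take a true value to mean "authenticate".</p>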
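<p>Review bot: in the configOption documentation added to res/res_pjsip.c, the description explains why an operator might want the option (UAs that use OPTIONS as a 'ping' and expect 200 OK) but never states what is given up by enabling it. Add a sentence saying that with allow_unauthenticated_options set, OPTIONS requests matched to this endpoint are answered without being challenged, and that this departs from the RFC 3261 behaviour quoted in the first paragraph. "They will return a 200 OK" is also ambiguous about who "they" is; it should say that the UA expects to receive a 200 OK.</p>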
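<p>Review bot: in ast_sip_requires_authentication() in res/res_pjsip.c, the new ast_debug(3, ...) message does not say which endpoint had authentication skipped, so the log line cannot be tied back to a configuration entry when auditing who is being answered without credentials. Include the endpoint name in the message, for example with ast_sorcery_object_get_id(endpoint). A short comment noting that this early return is deliberately placed ahead of the registered_authenticator check would also help the next reader.</p>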
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 16 </div>
<div style="display:none"> Gerrit-Change-Id: I68f6715bba92a525149e35d142a49377a34a1193 </div>
<div style="display:none"> Gerrit-Change-Number: 15803 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Sean Bright <sean@seanbright.com> </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>