[asterisk-dev] [Code Review] 2649: ARI authentication

David Lee reviewboard at asterisk.org
Fri Jun 28 14:28:00 CDT 2013



> On June 28, 2013, 10:51 a.m., Joshua Colp wrote:
> > /trunk/res/stasis_http/config.c, line 210
> > <https://reviewboard.asterisk.org/r/2649/diff/1/?file=40563#file40563line210>
> >
> >     I'd elaborate a bit more in this error message - perhaps incorporate the filename?

Agreed.


> On June 28, 2013, 10:51 a.m., Joshua Colp wrote:
> > /trunk/res/stasis_http/config.c, lines 261-264
> > <https://reviewboard.asterisk.org/r/2649/diff/1/?file=40563#file40563line261>
> >
> >     Should this be a fatal error for the configuration file? (does this deem it broken) If so then use a prelink callback.

Nah; the remainder of the file is fine. The behavior that a user without a password cannot log in is well defined.

Given that, though, the log should be a warning instead of an error. That I will change.


- David


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/2649/#review9012
-----------------------------------------------------------


On June 28, 2013, 9:56 a.m., David Lee wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/2649/
> -----------------------------------------------------------
> 
> (Updated June 28, 2013, 9:56 a.m.)
> 
> 
> Review request for Asterisk Developers.
> 
> 
> Bugs: ASTERISK-21277
>     https://issues.asterisk.org/jira/browse/ASTERISK-21277
> 
> 
> Repository: Asterisk
> 
> 
> Description
> -------
> 
> This patch adds authentication support to ARI.
> 
> Two authentication methods are supported. The first is HTTP Basic
> authentication, as specified in RFC 2617[1]. The second is by simply
> passing the username and password as an ?api_key query parameter
> (which allows swagger-ui[2] to authenticate more easily).
> 
> ARI usernames and passwords are configured in the stasis_http.conf
> file. The user may be set to `read_only`, which will prohibit the user
> from issuing POST, DELETE, etc. The user's password may be specified
> in either plaintext, or encrypted using the crypt() function.
> 
> Several other notes about the patch.
> 
>  * A few command line commands for seeing ARI config and status were
>    also added.
>  * The configuration parsing grew big enough that I extracted it to
>    its own file.
> 
>  [1]: http://www.ietf.org/rfc/rfc2617.txt
>  [2]: https://github.com/wordnik/swagger-ui
> 
> 
> Diffs
> -----
> 
>   /trunk/configs/stasis_http.conf.sample 393125 
>   /trunk/configure UNKNOWN 
>   /trunk/configure.ac 393125 
>   /trunk/include/asterisk/autoconfig.h.in 393125 
>   /trunk/include/asterisk/http.h 393125 
>   /trunk/include/asterisk/utils.h 393125 
>   /trunk/main/Makefile 393125 
>   /trunk/main/http.c 393125 
>   /trunk/main/utils.c 393125 
>   /trunk/makeopts.in 393125 
>   /trunk/res/Makefile 393125 
>   /trunk/res/res_stasis_http.c 393125 
>   /trunk/res/stasis_http/cli.c PRE-CREATION 
>   /trunk/res/stasis_http/config.c PRE-CREATION 
>   /trunk/res/stasis_http/internal.h PRE-CREATION 
>   /trunk/tests/test_utils.c 393125 
> 
> Diff: https://reviewboard.asterisk.org/r/2649/diff/
> 
> 
> Testing
> -------
> 
> Unit tests for crypt wrapper.
> 
> Testsuite tests for authn testing. See https://reviewboard.asterisk.org/r/2650/
> 
> 
> Thanks,
> 
> David Lee
> 
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20130628/414e194d/attachment-0001.htm>


More information about the asterisk-dev mailing list