[OpenSIPS-Users] uac_auth to uac_registrant module

Igor Olhovskiy igorolhovskiy at gmail.com
Wed Jul 30 10:42:02 CEST 2014


Code to get realm from failure_route is now looks like

                        $var(hdr) = $(<reply>hdr(Proxy-Authenticate));
                        if ( $var(hdr) != NULL ) {
                                $var(raw_auth) = $var(hdr);
                                xlog("L_INFO", "Proxy-Auth is present");
                        }
                        #WWW is an Asterisk flavour
                        $var(hdr) = $(<reply>hdr(WWW-Authenticate));
                        if ( $var(hdr) != NULL ) {
                                $var(raw_auth) = $var(hdr);
                                xlog("L_INFO", "WWW-Auth is present");
                        }
                        $var(reg_start) = "/(.*?)realm=\"//g";
                        $var(reg_end) = "/\"(.*)//g";
                        xlog("L_INFO", "Raw data $var(raw_auth)");
                        $var(raw_auth) =
$(var(raw_auth){re.subst,$var(reg_start)});
                        $var(raw_auth) =
$(var(raw_auth){re.subst,$var(reg_end)});
                        xlog("L_INFO", "Got realm data $var(raw_auth)");

One little problem is I have not found analog of is_set function, so I get
WARNING:core:do_assign: no value in right expression on line
in console.

29.07.14 12:44, Bogdan-Andrei Iancu написав(ла):
> Hi,
>
> If you try it from a failure route, you need to do :
>     $(<reply>hdr(Proxy-Authenticate))
>
> (see http://www.opensips.org/Documentation/Script-CoreVar-1-11)
>
> In failure route, the context is of the request message, so if you
> want to access the reply, you need to switch to its context.
>
> Regards,
> Bogdan-Andrei Iancu
> OpenSIPS Founder and Developer
> http://www.opensips-solutions.com
> On 29.07.2014 12:41, Igor Olhovskiy wrote:
>> Hi again.
>> Seems to be,  $hdr(Proxy-Authenticate) is NULL at 401 response.
>>
>> failure_route[1] {
>>     ...
>>     if ( t_check_status("40[17]") ) {
>>     ...
>>     xlog("L_INFO", "Asterisk flavour $hdr(WWW-Authenticate), Proxy
>> flavour $hdr(Proxy-Authenticate)");
>>     }
>> }
>>
>> becomes
>>
>> /usr/sbin/opensips[18983]: Asterisk flavour <null>, Proxy flavour <null>
>>
>> It's logic, cause in failure_route we work with initial INVITE, but
>> not 401 reply. Cause, if we working with reply directly, we can't
>> apply uac_auth function to it.
>>
>> 28.07.14 21:10, Игорь Ольховский написав(ла):
>>> Hi,
>>>
>>> Many thanks on your answer, will wait for a new feature and look at $hdr var more close.
>>> Anyway, I have a little trouble with CSeq change (means it is need to do accurate), but for now it’s a solution. 
>>> Many thanks again.
>>> 28 июля 2014, в 20:46, Bogdan-Andrei Iancu <bogdan at opensips.org> написал(а):
>>>
>>>> Hi,
>>>>
>>>> 1) on changing cseq as a simple text - this is not wise as you break the sequence of cseq number in the dialog; we are working on a feature to allow you do that in sip-wise way.
>>>>
>>>> 2) about realm, the proxy/www -Authenticate header (in the 401/407 reply) has the realm parameter; you can grab it by transformations; on $hdr(Proxy-Authenticate) apply a regexp transformation (see http://www.opensips.org/Documentation/Script-Tran-1-11#toc72) to get the realm param from there.
>>>>
>>>> Regards,
>>>>
>>>> Bogdan-Andrei Iancu
>>>> OpenSIPS Founder and Developer
>>>> http://www.opensips-solutions.com
>>>>
>>>> On 21.07.2014 20:15, Igor Olkhovskii wrote:
>>>>> Made it work via modification of CSeq (remove_hf -> append_hf) and now is a question, how to get correct realm from response. OpenSIPs is very limitated to text processing....
>>>>>
>>>>> 21.07.2014 18:39, Igor Olhovskiy пишет:
>>>>>> Found this tread, but seems to be no luck in to work with INVITE on
>>>>>> Asterisk.
>>>>>> Is there any luck to get Asterisk auth (without touching Asterisk)
>>>>>>
>>>>>> https://www.mail-archive.com/users@lists.opensips.org/msg25236.html
>>>>>> On 21.07.2014 16:14, Igor Olhovskiy wrote:
>>>>>>> Hi!
>>>>>>> I'm trying to get OpenSIPS 1.11 act as registrar proxy. Means it's not
>>>>>>> only register on external servers, but take care of INVITE's and so.
>>>>>>> I've configured modules as:
>>>>>>>
>>>>>>> loadmodule "uac_auth.so"
>>>>>>> loadmodule "uac.so"
>>>>>>> loadmodule "uac_registrant.so"
>>>>>>> modparam("uac","restore_mode","auto")
>>>>>>> modparam("uac_auth","auth_realm_avp","$avp(uac_realm)")
>>>>>>> modparam("uac_auth","auth_username_avp","$avp(uac_username)")
>>>>>>> modparam("uac_auth","auth_password_avp","$avp(uac_password)")
>>>>>>> modparam("uac_registrant", "timer_interval", 120)
>>>>>>> modparam("uac_registrant", "hash_size", 2)
>>>>>>> modparam("uac_registrant", "db_url",
>>>>>>> "mysql://opensips:opensips@localhost/opensips")
>>>>>>>
>>>>>>> ....
>>>>>>> failure_route[1] {
>>>>>>>                 ......
>>>>>>>                 # have we already tried to authenticate?
>>>>>>>                 if (isflagset(8)) {
>>>>>>>                         xlog("L_INFO", "FAILUREROUTE_STATUS40X_SETFLAG8:
>>>>>>> [F=$fu R=$ru D=$du M=$rm IP=($si:$sp $Ri:$Rp) ID=$ci]");
>>>>>>>                         t_reply("503","Authentication failed");
>>>>>>>                         exit;
>>>>>>>                 }
>>>>>>>                 if (is_method("INVITE")) {
>>>>>>>                         # mark that auth was performed
>>>>>>>                         setflag(8);
>>>>>>>                         # trigger again the failure route
>>>>>>>                         t_on_failure("1");
>>>>>>>                         # repeat the request with auth response this time
>>>>>>>                         $avp(uac_realm) = $td;
>>>>>>>                         $avp(uac_username) = $fU;
>>>>>>>                         avp_db_query("SELECT password FROM registrant
>>>>>>> WHERE (registrar = 'sip:$avp(uac_realm)') AND ( username =
>>>>>>> '$avp(uac_username)')","$avp(uac_password)");
>>>>>>>                         xlog("L_INFO",
>>>>>>> "FAILUREROUTE_STATUS40X_UACAUTHINVITE_DEBUG_VARIABLES: AVP_UAC_REALM:
>>>>>>> $avp(uac_realm) AVP_UAC_USERNAME: $avp(uac_username) AVP_UAC_PASSWORD
>>>>>>> :$avp(uac_password)");
>>>>>>>                         uac_auth();
>>>>>>>                         t_relay();
>>>>>>>                 }
>>>>>>>         }
>>>>>>> .....
>>>>>>> }
>>>>>>>
>>>>>>>
>>>>>>> I see correct vars in debug message, but uac_auth() not to append branch
>>>>>>> to reply INVITE.
>>>>>>>
>>>>>>> For example, I have  such string
>>>>>>> AVP_UAC_REALM: some-dns.example.net.ua AVP_UAC_USERNAME: 2225678
>>>>>>> AVP_UAC_PASSWORD :SuperStrongPassword
>>>>>>>
>>>>>>> What is wrong in this config/AVP's?
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.opensips.org
>>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20140730/cc783b80/attachment-0001.htm>


More information about the Users mailing list