23 Nov
2009
23 Nov
'09
6:41 a.m.
Hi,
I quickly tried to replace the From HF and add the auth header and it
works for two providers. Please check the attached config and rewrite it
as you need.
Miklos
On 11/21/2009 02:56 AM, Andres Moya wrote:
Hi,
I made branch route and changing From there, i decided not to restore from.
ok, i doing calls two times and getting:
first time it set ok:
From: <sip:andres.moya4@sipdiscount.com>;tag=572ac509.
second time i am getting
From:
<sip:andres.moya4@sipdiscount.comsip:21100036838@terrasip.net>;tag=572ac509.
ok
trying
subst('/^From:(.*)sip:[^@]*@[a-zA-Z0-9\.]+(.*)$/From:\1sip:$avp(i:21)@$avp(i:24)\2/i');
first time it substitute ok, on next branch i got result:
From:
<sip:andres.moya4@sipdiscount.com;transport=UDP>;tag=ee12f132.sip:andres.moya4@sipdiscount.com
Looks like both methods are broken.
ok, uac_replace is here:
LM_DBG("uri to replace [%.*s]\n",from->uri.len, from->uri.s);
LM_DBG("replacement uri is [%.*s]\n",from_uri->len, from_uri->s);
# ----------- global configuration parameters ------------------------
debug=2
memdbg=3
fork=yes
log_stderror=yes
children=1
disable_tcp=1
disable_tls=1
disable_sctp=1
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
port=5070
listen=udp:10.38.2.177:5070
flags
AUTH_ADDED;
# ------------------ module loading ----------------------------------
loadpath "/home/mtirpak/SER/git/sip-router/"
loadmodule "modules_k/sl/sl.so"
loadmodule "modules/tm/tm.so"
loadmodule "modules_k/rr/rr.so"
loadmodule "modules_k/uac/uac.so"
loadmodule "modules_k/pv/pv.so"
modparam("uac","credential","username:domain:password")
modparam("uac","auth_realm_avp","$avp(s:realm)")
modparam("uac","auth_username_avp","$avp(s:user)")
modparam("uac","auth_password_avp","$avp(s:password)")
# ------------- routing logic --------------------------------------
route {
route("first-provider");
}
route["first-provider"] {
log(0, "FIRST PROVIDER #1\n");
$avp(s:realm) = "foo.com";
$avp(s:user) = "Alice";
$avp(s:password) = "1234";
rewritehostport("10.38.2.177:5080");
resetflag(AUTH_ADDED);
t_on_failure("first-provider-failure");
t_on_branch("first-provider-prepare");
t_relay();
}
# rewrite the From header from branch route so that it is done
# separately for each branch
branch_route["first-provider-prepare"] {
uac_replace_from("sip:Alice@foo.com");
}
failure_route["first-provider-failure"] {
if (!isflagset(AUTH_ADDED) && t_check_status("401|407")) {
log(0, "FIRST PROVIDER #2\n");
t_on_failure("first-provider-failure");
t_on_branch("first-provider-prepare");
if (!uac_auth()) {
route("second-provider");
return;
}
setflag(AUTH_ADDED);
append_branch();
t_drop_replies();
if (!t_relay()) {
route("second-provider");
return;
}
} else {
# Either the authentication did not work
# or there was another failure
log(0, "FIRST PROVIDER FAILED\n");
t_drop_replies();
route("second-provider");
}
}
route["second-provider"] {
log(0, "SECOND PROVIDER #1\n");
$avp(s:realm) = "bar.com";
$avp(s:user) = "Bob";
$avp(s:password) = "5678";
rewritehostport("10.38.2.177:5090");
resetflag(AUTH_ADDED);
t_on_failure("second-provider-failure");
t_on_branch("second-provider-prepare");
append_branch();
t_relay();
}
branch_route["second-provider-prepare"] {
uac_replace_from("sip:Bob@bar.com");
}
failure_route["second-provider-failure"] {
if (!isflagset(AUTH_ADDED) && t_check_status("401|407")) {
log(0, "SECOND PROVIDER #2\n");
t_on_failure("second-provider-failure");
t_on_branch("second-provider-prepare");
if (!uac_auth()) {
route("auth-error");
return;
}
setflag(AUTH_ADDED);
append_branch();
t_drop_replies();
if (!t_relay()) {
route("auth-error");
return;
}
} else {
log(0, "SECOND PROVIDER FAILED\n");
if (t_check_status("401|407")) {
# Does not let the 401/407 forwarded.
route("auth-error");
}
}
}
route["auth-error"] {
t_reply("500", "failed to authenticate");
drop;
}
>>Nov 21 01:22:35 v
/usr/local/sbin/kamailio[32582]: DEBUG: uac
[from.c:305]: uri to replace
[sip:mangust@riki.ru;transport=UDP]
>>Nov 21 01:22:35 v
/usr/local/sbin/kamailio[32582]: DEBUG: uac
[from.c:306]: replacement uri is
[sip:andres.moya4@sipdiscount.com]
sip:mangust@riki.ru is original from. It is same all sequence of calls.
This is actually second call, before sending authenticated INVITE.
Actually i am calling two times uac_replace_from, for first INVITE and
for second authenticated. If doing only on first invite is ok with first
authentiation, but crashes with results described in the beginning of a
mail on second one sip provider. In any case second replace always
problem.
/* build del/add lumps */
if ((l=del_lump( msg, from->uri.s-msg->buf, from->uri.len, 0))==0)
{
LM_ERR("del lump failed\n");
goto error;
}
p = pkg_malloc( from_uri->len);
if (p==0)
{
LM_ERR("no more pkg mem\n");
goto error;
}
memcpy( p, from_uri->s, from_uri->len);
if (insert_new_lump_after( l, p, from_uri->len, 0)==0)
{
LM_ERR("insert new lump failed\n");
pkg_free(p);
goto error;
}
if (from_restore_mode==FROM_NO_RESTORE)
return 0;
Result is:
From:
<sip:andres.moya4@sipdiscount.comsip:andres.moya4@sipdiscount.com>;tag=1307d94b.
if repeat with next step, try to insert sip:21100036838@terrasip.net, we
get:
From:
<sip:andres.moya4@sipdiscount.comsip:21100036838@terrasip.net>;tag=87272c59.
I am sure i am doing something wrong, but Kamailio doing strange things
too ...
Miklos Tirpak wrote:
> [please keep the list CC-d because others may also be interested in
> the solution or may know the answer better.]
>
> On 11/20/2009 07:06 PM, Andres Moya wrote:
>> Can i ask one more question here. It is complicated, i am using
>> uac_replace_from and uac_auth.
>> I am using failure route to process authentication if necessary and
>> redirect on next carrier.
>>
>> If i authenticated with one provider, then fot let say 415 ( i set
>> only speex in UAC to get it ;) ). Ok SER send request to second
>> provider, i use
>> uac_replace_from once again in my LOAD_AUTH route
>> then uac_auth again.
>>
>> Ok. now i see from ngrep that uac_replace_from did nothing in from
>> field and use user@domain for first provider, authentication failed :(
>
> Which authentication fails? The first or the second one?
> The first should work, at least the from header should be rewritten by
> the function.
>
> The second authentication will not work this way (if it requires a
> different from header) because the proxy "remembers" for the header
> changes done before the first t_relay() function call and applies the
> same header modifications also for any other branch added from failure
> route. Hence, the outgoing SIP request to the second provider will
> contain the same from HF as the request to the first provider.
>
> The easiest way is to apply the header modifications in branch route
> if you do not need to reuse them later from failure route.
> Modifications done in branch routes are valid only within that branch.
>
>>
>> I moved uac_replace_from to my failure route to call once again
>> before uac_auth, but got config error as i can't use uac_replace_from
>> in failure_route.
>
> I think you already use this function from failure route because it is
> in a route block that is included from failure route. The only
> difference is that the syntax checker does not recognize the issue. I
> am not familiar with uac_replace_from() but after having a quick look
> at the function I think it is safe to use it from here.
>
>> Ok i will use textops to rewrite, but it is ugly?
>
> The main difference is that uac_replace_from() restores the original
> From HF when the response if forwarded. If you use textops module then
> you need to restore the header manually.
>
>> no. Maybe i should call uac_replace_from in branch route?
>
> I would suggest this way. Both for the first and for the second provider.
>
> Miklos
>
>>
>> Thanks