Hello,
sorry for the late reply. The idea is good, but imho it should be
implemented differently -- in the auth module only, there is no need to
touch the SER core.
Jan.
On 30-07 14:03, zolia(a)z1sys.com wrote:
hello,
wrote a small patch which adds authorization by source IP.
to patch:
cd ./ser-0.8.14
patch -p1 < ser-0.8.14_ip_auth.patch
add an additional string column, acc_ip, to subscribers
ex. usage:
www_authorize_ip("your_realm", "subscriber", "0.0.0.0")
where "0.0.0.0" means that the source IP will be taken from the msg
structure. If you specify an IP instead of "0.0.0.0" then it will be checked
instead of the one taken from the msg structure. It would be equivalent to writing
src_ip != "source_ip_to_check" &&
!www_authorize("your_realm",
"subscriber")
and
!www_authorize_ip("213.226.186.195", "subscriber",
"source_ip_to_check")
Antanas
diff -r -C 2 ser-0.8.14/action.c
ser-0.8.14.new/action.c
*** ser-0.8.14/action.c Fri Oct 3 09:19:41 2003
--- ser-0.8.14.new/action.c Fri Jul 30 10:00:20 2004
***************
*** 600,605 ****
if ( ((a->p1_type==CMDF_ST)&&a->p1.data)/*&&
((a->p2_type==STRING_ST)&&a->p2.data)*/ ){
! ret=((cmd_function)(a->p1.data))(msg, (char*)a->p2.data,
! (char*)a->p3.data);
}else{
LOG(L_CRIT,"BUG: do_action: bad module call\n");
--- 600,610 ----
if ( ((a->p1_type==CMDF_ST)&&a->p1.data)/*&&
((a->p2_type==STRING_ST)&&a->p2.data)*/ ){
! if(a->p4.data != NULL){
! ret=((cmd_function3)(a->p1.data))(msg, (char*)a->p2.data,
! (char*)a->p3.data, (char*)a->p4.data);
! }else{
! ret=((cmd_function)(a->p1.data))(msg, (char*)a->p2.data,
! (char*)a->p3.data);
! }
}else{
LOG(L_CRIT,"BUG: do_action: bad module call\n");
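Review bot: The dispatch on `a->p4.data != NULL` in this hunk is only safe if every action built through `mk_action`/`mk_action3` leaves `p4.data` as NULL, and nothing in this patch initialises it — `mk_action4` (route_struct.c hunk) stores it, but the two- and three-parameter constructors are not touched. If `mk_action` does not zero-fill the struct, a stale non-NULL value would route an ordinary two-parameter module call through `cmd_function3`, which is undefined behaviour even where the extra argument happens to be ignored. Dispatch on a tag that every constructor writes instead, e.g. `if (a->p4_type == MODFIXUP_ST && a->p4.data != NULL)` together with having `mk_action` clear `p4_type` and `p4.data`, or test the export's declared parameter count. do_action's body continues outside the hunk.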
Only in ser-0.8.14.new: cfg.tab.h
diff -r -C 2 ser-0.8.14/cfg.y ser-0.8.14.new/cfg.y
*** ser-0.8.14/cfg.y Tue Jul 27 01:18:35 2004
--- ser-0.8.14.new/cfg.y Thu Jul 29 20:25:11 2004
***************
*** 1538,1541 ****
--- 1538,1565 ----
}
}
+ | ID LPAREN STRING COMMA STRING COMMA STRING RPAREN
+ {
f_tmp=(void*)find_export($1, 3, rt);
+ if (f_tmp==0){
+ if
(find_export($1, 3, 0)) {
+
yyerror("Command cannot be used in the block\n");
+ } else
{
+
yyerror("unknown command, missing"
+
" loadmodule?\n");
+ }
+ $$=0;
+ }else{
+
$$=mk_action4( MODULE_T,
+
CMDF_ST,
+
STRING_ST,
+
STRING_ST,
+
STRING_ST,
+
f_tmp,
+
$3,
+
$5,
+ $7
+
);
+ }
+ }
+
| ID LPAREN error RPAREN { $$=0; yyerror("bad arguments"); }
;
diff -r -C 2 ser-0.8.14/modules/auth_db/authdb_mod.c
ser-0.8.14.new/modules/auth_db/authdb_mod.c
*** ser-0.8.14/modules/auth_db/authdb_mod.c Mon Sep 15 21:47:02 2003
--- ser-0.8.14.new/modules/auth_db/authdb_mod.c Fri Jul 30 15:42:49 2004
***************
*** 87,90 ****
--- 87,91 ----
char* pass_column = "ha1";
char* pass_column_2 = "ha1b";
+ char* acc_ip_column = "acc_ip";
int calc_ha1 = 0;
int use_domain = 1; /* Use also domain when looking up a table row */
***************
*** 99,102 ****
--- 100,104 ----
static cmd_export_t cmds[] = {
{"www_authorize", www_authorize, 2, str_fixup, REQUEST_ROUTE},
+ {"www_authorize_ip", www_authorize_ip, 3, str_fixup, REQUEST_ROUTE},
{"proxy_authorize", proxy_authorize, 2, str_fixup, REQUEST_ROUTE},
{0, 0, 0, 0, 0}
***************
*** 114,117 ****
--- 116,120 ----
{"password_column", STR_PARAM, &pass_column },
{"password_column_2", STR_PARAM, &pass_column_2},
+ {"source_ip_column", STR_PARAM, &acc_ip_column},
{"calculate_ha1", INT_PARAM, &calc_ha1 },
{"use_domain", INT_PARAM, &use_domain },
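Review bot: The module parameter is exported as `source_ip_column` while the variable, its default value and the header comment all say `acc_ip`; pick one name so the cfg option, the schema note in the mail (`acc_ip`) and the code agree. Since the lookup in authorize.c compares the stored value textually against what `ip_addr2a` returns for the receiving socket, the parameter should say so, e.g. `/* column holding the permitted source address, in the textual form produced by ip_addr2a() */`, so that operators store addresses in a form that can actually match.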
***************
*** 190,194 ****
str* s;
! if (param_no == 1) {
s = (str*)pkg_malloc(sizeof(str));
if (!s) {
--- 193,197 ----
str* s;
! if (param_no == 1 || param_no == 3) {
s = (str*)pkg_malloc(sizeof(str));
if (!s) {
Only in ser-0.8.14.new/modules/auth_db: authdb_mod.d
diff -r -C 2 ser-0.8.14/modules/auth_db/authdb_mod.h
ser-0.8.14.new/modules/auth_db/authdb_mod.h
*** ser-0.8.14/modules/auth_db/authdb_mod.h Mon Sep 15 21:47:02 2003
--- ser-0.8.14.new/modules/auth_db/authdb_mod.h Wed Jul 28 19:45:23 2004
***************
*** 47,52 ****
extern char* pass_column; /* 'password' column name */
extern char* pass_column_2; /* Column containg HA1 string constructed
! * of user@domain username
! */
extern int calc_ha1; /* if set to 1, ha1 is calculated by the server */
--- 47,52 ----
extern char* pass_column; /* 'password' column name */
extern char* pass_column_2; /* Column containg HA1 string constructed
! * of user@domain username */
! extern char* acc_ip_column; /* account source ip*/
extern int calc_ha1; /* if set to 1, ha1 is calculated by the server */
diff -r -C 2 ser-0.8.14/modules/auth_db/authorize.c
ser-0.8.14.new/modules/auth_db/authorize.c
*** ser-0.8.14/modules/auth_db/authorize.c Wed Nov 5 05:55:30 2003
--- ser-0.8.14.new/modules/auth_db/authorize.c Fri Jul 30 15:43:12 2004
***************
*** 35,42 ****
--- 35,44 ----
#include <string.h>
+ #include <stdio.h>
#include "../../ut.h"
#include "../../str.h"
#include "../../db/db.h"
#include "../../dprint.h"
+ #include "../../ip_addr.h"
#include "../../parser/digest/digest.h"
#include "../../parser/hf.h"
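Review bot: `<stdio.h>` is added here although nothing in the visible hunks uses a stdio function (`strcmp`/`strlen` come from `<string.h>`, `ip_addr2a` from `ip_addr.h`); drop it unless a use elsewhere in the file depends on it. Keeping the include list to what the file needs also makes the new dependency on `ip_addr.h` stand out as the real change.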
***************
*** 50,64 ****
static str rpid = {rpid_buffer, 0};
! static inline int get_ha1(struct username* _username, str* _domain, char* _table, char*
_ha1, str* _rpid)
{
! db_key_t keys[2];
! db_val_t vals[2];
db_key_t col[2];
db_res_t* res;
str result;
! int n, nc;
keys[0] = user_column;
keys[1] = domain_column;
col[0] = (_username->domain.len && !calc_ha1) ? (pass_column_2) :
(pass_column);
col[1] = rpid_column;
--- 52,67 ----
static str rpid = {rpid_buffer, 0};
! static inline int get_ha1(struct username* _username, str* _domain, char* _table, char*
_ha1, str* _rpid, str* _accip)
{
! db_key_t keys[3];
! db_val_t vals[3];
db_key_t col[2];
db_res_t* res;
str result;
! int n, nn, nc;
keys[0] = user_column;
keys[1] = domain_column;
+ keys[2] = (_accip != NULL) ? acc_ip_column : NULL;
col[0] = (_username->domain.len && !calc_ha1) ? (pass_column_2) :
(pass_column);
col[1] = rpid_column;
***************
*** 73,77 ****
VAL_STR(vals + 1).len = _domain->len;
! n = (use_domain ? 2 : 1);
nc = (use_rpid ? 2 : 1);
db_use_table(db_handle, _table);
--- 76,85 ----
VAL_STR(vals + 1).len = _domain->len;
! vals[2].type = DB_STR;
! vals[2].nul = 0;
! vals[2].val.str_val = *_accip;
!
! nn = (_accip != NULL) ? 3 : 2;
! n = (use_domain ? nn : 1);
nc = (use_rpid ? 2 : 1);
db_use_table(db_handle, _table);
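Review bot: `vals[2].val.str_val = *_accip;` dereferences `_accip` unconditionally, while `keys[2]` in the previous hunk and `nn` two lines later are guarded by `_accip != NULL`, so a NULL caller would crash on this line. The `n = (use_domain ? nn : 1)` line has a security consequence: with `use_domain` set to 0 only `keys[0]` is passed to the query, the acc_ip key is silently dropped, and `www_authorize_ip` degrades to a plain digest check in that configuration. Build the key list incrementally so the ip key is always included when one is given; the `keys[2] = …` assignment in the previous hunk and the `nn` variable then become unnecessary. get_ha1's body continues past this hunk.
```c
    /* … unchanged: vals[0] / vals[1] (user, domain) … */
    n = (use_domain ? 2 : 1);
    if (_accip != NULL) {
        /* append the ip key after the keys actually in use so that
         * it is not lost when use_domain == 0 */
        keys[n] = acc_ip_column;
        vals[n].type = DB_STR;
        vals[n].nul = 0;
        vals[n].val.str_val = *_accip;
        n++;
    }
    nc = (use_rpid ? 2 : 1);
```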
***************
*** 156,160 ****
* Authorize digest credentials
*/
! static inline int authorize(struct sip_msg* _m, str* _realm, char* _table, int
_hftype)
{
char ha1[256];
--- 164,168 ----
* Authorize digest credentials
*/
! static inline int authorize(struct sip_msg* _m, str* _realm, char* _table, int _hftype,
str* _accip)
{
char ha1[256];
***************
*** 164,169 ****
--- 172,184 ----
auth_result_t ret;
str domain;
+ str accip;
domain = *_realm;
+ accip = *_accip;
+
+ if(strcmp(accip.s, "0.0.0.0") == 0){
+ accip.s = ip_addr2a(&_m->rcv.src_ip);
+ accip.len = strlen(accip.s);
+ }
ret = pre_auth_func(_m, &domain, _hftype, &h);
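Review bot: `accip = *_accip;` dereferences `_accip` without a NULL check, yet the `proxy_authorize` and `www_authorize` hunks later in this file pass NULL, so every existing digest authorization call would crash on this line. Wrap the new code in `if (_accip != NULL) { … }` and hand get_ha1 `_accip ? &accip : NULL` instead of `&accip` in the later call hunk; as written, `&accip` is never NULL, so get_ha1's `_accip != NULL` tests can never be false and the ip key is added to every lookup. Two further assumptions deserve a comment: `strcmp(accip.s, "0.0.0.0")` relies on str_fixup leaving the config string NUL-terminated, and `ip_addr2a` appears to return a buffer the caller does not own — if it is static, `accip.s` must be consumed before the next call to it. authorize's body continues outside the hunk.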
***************
*** 181,185 ****
rpid.len = 0;
! res = get_ha1(&cred->digest.username, &domain, _table, ha1, &rpid);
if (res < 0) {
/* Error while accessing the database */
--- 196,200 ----
rpid.len = 0;
! res = get_ha1(&cred->digest.username, &domain, _table, ha1, &rpid,
&accip);
if (res < 0) {
/* Error while accessing the database */
***************
*** 214,226 ****
{
/* realm parameter is converted to str* in str_fixup */
! return authorize(_m, (str*)_realm, _table, HDR_PROXYAUTH);
}
/*
* Authorize using WWW-Authorize header field
*/
int www_authorize(struct sip_msg* _m, char* _realm, char* _table)
{
! return authorize(_m, (str*)_realm, _table, HDR_AUTHORIZATION);
}
--- 229,250 ----
{
/* realm parameter is converted to str* in str_fixup */
! return authorize(_m, (str*)_realm, _table, HDR_PROXYAUTH, NULL);
}
/*
+ * Authorize using WWW-Authorize header field with ip source address
+ */
+ int www_authorize_ip(struct sip_msg* _m, char* _realm, char* _table, char* _accip)
+ {
+ return authorize(_m, (str*)_realm, _table, HDR_AUTHORIZATION, (str*)_accip);
+ }
+
+ /*
* Authorize using WWW-Authorize header field
*/
int www_authorize(struct sip_msg* _m, char* _realm, char* _table)
{
! return authorize(_m, (str*)_realm, _table, HDR_AUTHORIZATION, NULL);
}
+
Only in ser-0.8.14.new/modules/auth_db: authorize.d
diff -r -C 2 ser-0.8.14/modules/auth_db/authorize.h
ser-0.8.14.new/modules/auth_db/authorize.h
*** ser-0.8.14/modules/auth_db/authorize.h Thu Mar 6 17:39:33 2003
--- ser-0.8.14.new/modules/auth_db/authorize.h Wed Jul 28 18:59:51 2004
***************
*** 47,50 ****
--- 47,56 ----
int www_authorize(struct sip_msg* _msg, char* _realm, char* _table);
+ /*
+ * Authorize using WWW-Authorization header field with source ip
+ */
+ int www_authorize_ip(struct sip_msg* _msg, char* _realm, char* _table, char* _accip);
+
+
#endif /* AUTHORIZE_H */
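Review bot: The header comment on `www_authorize_ip` is the only place a module user sees the contract of `_accip`, and it does not mention the special value that selects the message's own source address. Suggest `/* Authorize using the WWW-Authorization header field and additionally require the subscriber's acc_ip column to match _accip; "0.0.0.0" means the receive source address of the message */` in place of the current one-liner.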
Only in ser-0.8.14.new/modules/auth_db: rfc2617.d
diff -r -C 2 ser-0.8.14/route.c ser-0.8.14.new/route.c
*** ser-0.8.14/route.c Sun Oct 12 17:09:08 2003
--- ser-0.8.14.new/route.c Thu Jul 29 20:05:55 2004
***************
*** 224,228 ****
}
break;
! case MODULE_T:
if ((mod=find_module(t->p1.data, &cmd))!=0){
DBG("fixing %s %s\n", mod->path, cmd->name);
--- 224,228 ----
}
break;
! case MODULE_T:{
if ((mod=find_module(t->p1.data, &cmd))!=0){
DBG("fixing %s %s\n", mod->path, cmd->name);
***************
*** 238,243 ****
--- 238,249 ----
if (ret<0) return ret;
}
+ if (cmd->param_no>2){
+
ret=cmd->fixup(&t->p4.data, 3);
+ t->p4_type=MODFIXUP_ST;
+ if (ret<0) return ret;
+ }
}
}
+ }
}
diff -r -C 2 ser-0.8.14/route_struct.c ser-0.8.14.new/route_struct.c
*** ser-0.8.14/route_struct.c Fri Oct 3 09:19:41 2003
--- ser-0.8.14.new/route_struct.c Thu Jul 29 16:49:56 2004
***************
*** 117,120 ****
--- 117,135 ----
}
+ struct action* mk_action4(int type, int p1_type, int p2_type, int p3_type, int
p4_type,
+ void* p1, void* p2, void* p3,
void* p4)
+ {
+ struct action* a;
+
+ a=mk_action(type, p1_type, p2_type, p1, p2);
+ if (a){
+ a->p3_type=p3_type;
+ a->p3.data=p3;
+ a->p4_type=p4_type;
+ a->p4.data=p4;
+ }
+ return a;
+ }
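Review bot: `mk_action4` has no comment, and because it delegates to `mk_action` for `p1`/`p2` a reader cannot tell from this hunk whether `p4` is ever reset for actions that never reach this constructor. Suggest `/* Like mk_action3 but also stores a fourth parameter; returns NULL when mk_action fails */` above the definition, matching whatever style the neighbouring constructors use.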
+
diff -r -C 2 ser-0.8.14/route_struct.h ser-0.8.14.new/route_struct.h
*** ser-0.8.14/route_struct.h Sun Oct 12 17:09:08 2003
--- ser-0.8.14.new/route_struct.h Thu Jul 29 16:53:46 2004
***************
*** 99,107 ****
int p2_type;
int p3_type;
union {
long number;
char* string;
void* data;
! }p1, p2, p3;
struct action* next;
};
--- 99,108 ----
int p2_type;
int p3_type;
+ int p4_type;
union {
long number;
char* string;
void* data;
! }p1, p2, p3, p4;
struct action* next;
};
***************
*** 115,118 ****
--- 116,121 ----
struct action* mk_action3(int type, int p1_type, int p2_type, int p3_type,
void* p1, void* p2, void* p3);
+ struct action* mk_action4(int type, int p1_type, int p2_type, int p3_type, int p4_type,
+ void* p1, void* p2, void* p3, void* p4);
struct action* append_action(struct action* a, struct action* b);
Only in ser-0.8.14.new: ser_ip.cfg
diff -r -C 2 ser-0.8.14/sr_module.h ser-0.8.14.new/sr_module.h
*** ser-0.8.14/sr_module.h Sun Apr 27 20:17:23 2003
--- ser-0.8.14.new/sr_module.h Fri Jul 30 09:51:52 2004
***************
*** 44,47 ****
--- 44,48 ----
typedef struct module_exports* (*module_register)();
typedef int (*cmd_function)(struct sip_msg*, char*, char*);
+ typedef int (*cmd_function3)(struct sip_msg*, char*, char*, char*);
typedef int (*fixup_function)(void** param, int param_no);
typedef int (*response_function)(struct sip_msg*);
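Review bot: `cmd_function3` is uncommented, and its name counts string parameters while the existing `cmd_function` carries no count, so the pair reads inconsistently next to each other. A one-line comment on each, e.g. `/* module command with two string parameters */` and `/* module command with three string parameters */`, would make the relationship to an export's `param_no` explicit for whoever adds the next variant.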