auth_db(k): new function auth_check()

- the function offers www/proxy_authenticate() behaviour by using first
  for REGISTER and the second for the other requests
- it can check auth user against from/to user
- should simplify the config file for the common user authentication
  scenario

modules_k/auth_db/Makefile

@@ -13,5 +13,5 @@ LIBS=
 DEFS+=-DOPENSER_MOD_INTERFACE
 
 SERLIBPATH=../../lib
-SER_LIBS+=$(SERLIBPATH)/srdb1/srdb1
+SER_LIBS+=$(SERLIBPATH)/kcore/kcore $(SERLIBPATH)/srdb1/srdb1
 include ../../Makefile.modules

modules_k/auth_db/README

@@ -24,9 +24,9 @@ Jan Janak
 
    <[email protected]>
 
-   Copyright © 2002, 2003 FhG FOKUS
+   Copyright © 2002, 2003 FhG FOKUS
 
-   Copyright © 2005 Voice Sistem SRL
+   Copyright © 2005 Voice Sistem SRL
      __________________________________________________________________
 
    Table of Contents
@@ -57,6 +57,7 @@ Jan Janak
               4.2. www_authorize(realm, table)
               4.3. proxy_authenticate(realm, table)
               4.4. proxy_authorize(realm, table)
+              4.5. auth_check(realm, table, flags)
 
    List of Examples
 
@@ -71,6 +72,7 @@ Jan Janak
    1.9. version_table parameter usage
    1.10. www_authorize usage
    1.11. proxy_authorize usage
+   1.12. auth_check usage
 
 Chapter 1. Admin Guide
 
@@ -100,6 +102,7 @@ Chapter 1. Admin Guide
         4.2. www_authorize(realm, table)
         4.3. proxy_authenticate(realm, table)
         4.4. proxy_authorize(realm, table)
+        4.5. auth_check(realm, table, flags)
 
 1. Overview
 
@@ -148,7 +151,7 @@ Chapter 1. Admin Guide
    For dbtext module (which stores data in plaintext files) it is
    directory in which the database resides.
 
-   Default value is “mysql://openserro:openserro@localhost/openser�.
+   Default value is "mysql://openserro:openserro@localhost/openser".
 
    Example 1.1. db_url parameter usage
 ...
@@ -160,7 +163,7 @@ modparam("auth_db", "db_url", "dbdriver://username:password@dbhost/dbname")
    This is the name of the column holding usernames. Default value is fine
    for most people. Use the parameter if you really need to change it.
 
-   Default value is “username�.
+   Default value is "username".
 
    Example 1.2. user_column parameter usage
 ...
@@ -173,7 +176,7 @@ modparam("auth_db", "user_column", "user")
    is fine for most people. Use the parameter if you really need to change
    it.
 
-   Default value is “domain�.
+   Default value is "domain".
 
    Example 1.3. domain_column parameter usage
 ...
@@ -188,7 +191,7 @@ modparam("auth_db", "domain_column", "domain")
    safe because the server doesn't need to know plaintext passwords and
    they cannot be obtained from HA1 strings.
 
-   Default value is “ha1�.
+   Default value is "ha1".
 
    Example 1.4. password_column parameter usage
 ...
@@ -216,16 +219,16 @@ modparam("auth_db", "password_column_2", "ha1_2")
    HA1 string or plaintext passwords for authentification.
 
    If the parameter is set to 0 and the username parameter of credentials
-   contains also “@domain� (some user agents append the domain to the
+   contains also "@domain" (some user agents append the domain to the
    username parameter), then the server will use the HA1 values from the
-   column specified in the “password_column_2� parameter. If the username
+   column specified in the "password_column_2" parameter. If the username
    parameter doesn't contain a domain, the server will use the HA1 values
-   from the column given in the “password_column�parameter.
+   from the column given in the "password_column"parameter.
 
    If the parameter is set to 1 then the HA1 value will be calculated from
-   the column specified in the “password_column� parameter.
+   the column specified in the "password_column" parameter.
 
-   The “password_column_2�column contain also HA1 strings but they should
+   The "password_column_2"column contain also HA1 strings but they should
    be calculated including the domain in the username parameter (as
    opposed to password_column which (when containing HA1 strings) should
    always contains HA1 strings calculated without domain in username.
@@ -251,7 +254,7 @@ modparam("auth_db", "calculate_ha1", 1)
    IMPORTANT: before turning on this parameter, be sure that the domain
    column in subscriber table is properly populated.
 
-   Default value is “0 (false)�.
+   Default value is "0 (false)".
 
    Example 1.7. use_domain parameter usage
 ...
@@ -270,7 +273,7 @@ modparam("auth_db", "use_domain", 1)
      * credential = (avp_specification '=' column_name) | (column_name)
      * avp_specification = '$avp(' + 'i:'ID | 's:'NAME | alias + ')'
 
-   Default value of this parameter is “rpid�.
+   Default value of this parameter is "rpid".
 
    Example 1.8. load_credentials parameter usage
 ...
@@ -284,7 +287,7 @@ modparam("auth_db", "load_credentials", "$avp(i:123)=rpid;email_address")
    If set to 0, the module will skip checking the version for subscriber
    table.
 
-   Default value is “1 (check for table version)�.
+   Default value is "1 (check for table version)".
 
    Example 1.9. version_table parameter usage
 ...
@@ -297,8 +300,9 @@ modparam("auth_db", "version_table", 0)
    4.2. www_authorize(realm, table)
    4.3. proxy_authenticate(realm, table)
    4.4. proxy_authorize(realm, table)
+   4.5. auth_check(realm, table, flags)
 
-4.1.  www_authenticate(realm, table)
+4.1. www_authenticate(realm, table)
 
    Name alias: www_authorize(realm, table)
 
@@ -319,7 +323,7 @@ modparam("auth_db", "version_table", 0)
      * realm - Realm is a opaque string that the user agent should present
        to the user so he can decide what username and password to use.
        Usually this is domain of the host the server is running on.
-       It must not be empty string “�. In case of REGISTER requests To
+       It must not be empty string "". In case of REGISTER requests To
        header field domain (e.g., variable $td) can be used (because this
        header field represents the user being registered), for all other
        messages From header field domain can be used (e.g., variable $fd).
@@ -336,13 +340,13 @@ if (!www_authorize("kamailio.org", "subscriber")) {
 };
 ...
 
-4.2.  www_authorize(realm, table)
+4.2. www_authorize(realm, table)
 
    It is same function as www_authenticate(realm, table). This name is
    kept for backward compatibility, since it was named this way first time
    by it actually does user authentication.
 
-4.3.  proxy_authenticate(realm, table)
+4.3. proxy_authenticate(realm, table)
 
    Name alias: proxy_authorize(realm, table)
 
@@ -359,9 +363,9 @@ if (!www_authorize("kamailio.org", "subscriber")) {
      * realm - Realm is a opaque string that the user agent should present
        to the user so he can decide what username and password to use.
        Usually this is domain of the host the server is running on.
-       It must not be empty string “�. Apart of a static strinh, typical
+       It must not be empty string "". Apart of a static string, typical
        value is From header field domain (e.g., variable $fd).
-       If an empty string “� is used then the server will generate it from
+       If an empty string "" is used then the server will generate it from
        the request. From header field domain will be used as realm.
        The string may contain pseudo variables.
      * table - Table to be used to lookup usernames and passwords (usually
@@ -376,8 +380,43 @@ if (!proxy_authorize("$fd", "subscriber)) {
 };
 ...
 
-4.4.  proxy_authorize(realm, table)
+4.4. proxy_authorize(realm, table)
 
    It is same function as proxy_authenticate(realm, table). This name is
    kept for backward compatibility, since it was named this way first time
    but it actually does user authentication.
+
+4.5. auth_check(realm, table, flags)
+
+   The function combines the functionalities of www_authenticate and
+   proxy_authenticate, first being exectuted if the SIP request is a
+   REGISTER, the second for the rest.
+
+   In addition, a matter of flags parameter value, the function checks if
+   authentication username matches From/To header username.
+
+   Meaning of the parameters is as follows:
+     * realm - Realm is a opaque string that the user agent should present
+       to the user so he can decide what username and password to use.
+       Usually this is domain of the host the server is running on.
+       It must not be empty string "". Apart of a static string, typical
+       value is From header field domain (e.g., variable $fd).
+       The string may contain pseudo variables.
+     * table - Table to be used to lookup usernames and passwords (usually
+       subscribers table).
+       The string may contain pseudo variables.
+     * flags - set of flags to control the behaviour of the function. If
+       it is 1, then the function will check to see if the authentication
+       username matches either To or From header username, a matter of
+       whether it is for a REGISTER request or not..
+       The string may contain pseudo variables.
+
+   This function can be used from REQUEST_ROUTE.
+
+   Example 1.12. auth_check usage
+...
+if (!auth_check("$fd", "subscriber", "1")) {
+    auth_challenge("$fd", "1");
+    exit;
+}
+...

modules_k/auth_db/authdb_mod.c

@@ -69,6 +69,7 @@ static int mod_init(void);
 
 
 static int auth_fixup(void** param, int param_no);
+static int auth_check_fixup(void** param, int param_no);
 int parse_aaa_pvs(char *definition, pv_elem_t **pv_def, int *cnt);
 
 #define USER_COL "username"
@@ -119,6 +120,8 @@ static cmd_export_t cmds[] = {
 		REQUEST_ROUTE},
 	{"proxy_authenticate", (cmd_function)proxy_authenticate, 2, auth_fixup, 0,
 		REQUEST_ROUTE},
+	{"auth_check",         (cmd_function)auth_check,         3, auth_check_fixup, 0,
+		REQUEST_ROUTE},
 	{"bind_auth_db",       (cmd_function)bind_auth_db,       0, 0, 0,
 		0},
 	{0, 0, 0, 0, 0, 0}
@@ -265,6 +268,27 @@ static int auth_fixup(void** param, int param_no)
 	return 0;
 }
 
+/*
+ * Convert cfg parameters to run-time structures
+ */
+static int auth_check_fixup(void** param, int param_no)
+{
+	if(strlen((char*)*param)<=0) {
+		LM_ERR("empty parameter %d not allowed\n", param_no);
+		return -1;
+	}
+	if (param_no == 1) {
+		return fixup_var_str_12(param, 1);
+	}
+	if (param_no == 2) {
+		return fixup_var_str_12(param, 2);
+	}
+	if (param_no == 3) {
+		return fixup_igp_null(param, 1);
+	}
+	return 0;
+}
+
 /*
  * Parse extra credentials list
  */

modules_k/auth_db/authorize.c

@@ -45,6 +45,7 @@
 #include "../../usr_avp.h"
 #include "../../mod_fix.h"
 #include "../../mem/mem.h"
+#include "../../lib/kcore/parser_helpers.h"
 #include "api.h"
 #include "authdb_mod.h"
 
@@ -305,6 +306,83 @@ int www_authenticate(struct sip_msg* _m, char* _realm, char* _table)
 	return digest_authenticate(_m, &srealm, &stable, HDR_AUTHORIZATION_T);
 }
 
+/*
+ * Authenticate using WWW/Proxy-Authorize header field
+ */
+#define AUTH_CHECK_ID_F 1<<0
+
+int auth_check(struct sip_msg* _m, char* _realm, char* _table, char *_flags)
+{
+	str srealm;
+	str stable;
+	int iflags;
+	int ret;
+	hdr_field_t *hdr;
+	sip_uri_t *uri;
+
+	if ((_m->REQ_METHOD == METHOD_ACK) || (_m->REQ_METHOD == METHOD_CANCEL)) {
+		return AUTH_OK;
+	}
+
+	if(_m==NULL || _realm==NULL || _table==NULL || _flags==NULL) {
+		LM_ERR("invalid parameters\n");
+		return AUTH_ERROR;
+	}
+
+	if (get_str_fparam(&srealm, _m, (fparam_t*)_realm) < 0) {
+		LM_ERR("failed to get realm value\n");
+		return AUTH_ERROR;
+	}
+
+	if (srealm.len==0) {
+		LM_ERR("invalid realm parameter - empty value\n");
+		return AUTH_ERROR;
+	}
+
+	if (get_str_fparam(&stable, _m, (fparam_t*)_table) < 0) {
+		LM_ERR("failed to get realm value\n");
+		return AUTH_ERROR;
+	}
+
+	if (stable.len==0) {
+		LM_ERR("invalid table parameter - empty value\n");
+		return AUTH_ERROR;
+	}
+
+	if(fixup_get_ivalue(_m, (gparam_p)_flags, &iflags)!=0)
+	{
+		LM_ERR("invalid flags parameter\n");
+		return -1;
+	}
+
+	LM_DBG("realm [%.*s] table [%.*s] flags [%d]\n", srealm.len, srealm.s,
+			stable.len,  stable.s, iflags);
+
+	if(_m->REQ_METHOD==METHOD_REGISTER)
+		ret = digest_authenticate(_m, &srealm, &stable, HDR_AUTHORIZATION_T);
+	else
+		ret = digest_authenticate(_m, &srealm, &stable, HDR_PROXYAUTH_T);
+
+	if(ret==AUTH_OK && (iflags&AUTH_CHECK_ID_F)) {
+		hdr = (_m->proxy_auth==0)?_m->authorization:_m->proxy_auth;
+		srealm = ((auth_body_t*)(hdr->parsed))->digest.username.user;
+		if(_m->REQ_METHOD==METHOD_REGISTER) {
+			if((uri=parse_to_uri(_m))==NULL)
+				return AUTH_ERROR;
+		} else {
+			if((uri=parse_from_uri(_m))==NULL)
+				return AUTH_ERROR;
+		}
+		if(srealm.len==uri->user.len
+					&& strncmp(srealm.s, uri->user.s, srealm.len)==0)
+			return ret;
+		return AUTH_USER_MISMATCH;
+	}
+
+	return ret;
+}
+
+
 /**
  * @brief bind functions to AUTH_DB API structure
  */

modules_k/auth_db/authorize.h

@@ -46,6 +46,11 @@ int proxy_authenticate(struct sip_msg* _msg, char* _realm, char* _table);
 int www_authenticate(struct sip_msg* _msg, char* _realm, char* _table);
 
 
+/*
+ * Authenticate using WWW/Proxy-Authorize header field
+ */
+int auth_check(struct sip_msg* _m, char* _realm, char* _table, char *_flags);
+
 /*
  * Bind to AUTH_DB API
  */

modules_k/auth_db/doc/auth_db_admin.xml

@@ -416,7 +416,7 @@ if (!www_authorize("kamailio.org", "subscriber")) {
 			</para>
 			<para>
 			It must not be empty string <quote></quote>. Apart of a static
-			strinh, typical value is From header field domain
+			string, typical value is From header field domain
 			(e.g., variable $fd).
 			</para>
 			<para>
@@ -460,6 +460,74 @@ if (!proxy_authorize("$fd", "subscriber)) {
 		</para>
 	</section>
 
+	<section>
+		<title>
+			<function moreinfo="none">auth_check(realm, table, flags)</function>
+		</title>
+		<para>The function combines the functionalities of
+		<function moreinfo="none">www_authenticate</function> and
+		<function moreinfo="none">proxy_authenticate</function>, first being
+		exectuted if the SIP request is a REGISTER, the second for the rest.
+		</para>
+		<para>
+		In addition, a matter of <emphasis>flags</emphasis> parameter value,
+		the function checks if authentication username matches From/To header
+		username.
+		</para>
+		<para>Meaning of the parameters is as follows:</para>
+		<itemizedlist>
+		<listitem>
+			<para><emphasis>realm</emphasis> - Realm is a opaque string that
+			the user agent should present to the user so he can decide what
+			username and password to use. Usually this is domain of the host
+			the server is running on.
+			</para>
+			<para>
+			It must not be empty string <quote></quote>. Apart of a static
+			string, typical value is From header field domain
+			(e.g., variable $fd).
+			</para>
+			<para>
+			The string may contain pseudo variables.
+			</para>
+		</listitem>
+		<listitem>
+			<para><emphasis>table</emphasis> - Table to be used to lookup
+			usernames and passwords (usually subscribers table).
+			</para>
+			<para>
+			The string may contain pseudo variables.
+			</para>
+		</listitem>
+		<listitem>
+			<para><emphasis>flags</emphasis> - set of flags to control the
+			behaviour of the function. If it is 1, then the function will
+			check to see if the authentication username matches either To or
+			From header username, a matter of whether it is for a REGISTER
+			request or not..
+			</para>
+			<para>
+			The string may contain pseudo variables.
+			</para>
+		</listitem>
+		</itemizedlist>
+		<para>
+		This function can be used from REQUEST_ROUTE.
+		</para>
+		<example>
+		<title>auth_check usage</title>
+		<programlisting format="linespecific">
+...
+if (!auth_check("$fd", "subscriber", "1")) {
+    auth_challenge("$fd", "1");
+    exit;
+}
+...
+</programlisting>
+		</example>
+	</section>
+
+
 	</section>
 </chapter>