kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-09-05 04:11:08 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
4ebf9a938daed520ba627dd0f17f4f3c65245ab2
asterisk/contrib/ast-db-manage
History
George Joseph 4ebf9a938d res_pjsip: Add ability to identify by Authorization username 
A feature of chan_sip that service providers relied upon was the ability to
identify by the Authorization username.  This is most often used when customers
have a PBX that needs to register rather than identify by IP address.  From my
own experiance, this is pretty common with small businesses who otherwise
don't need a static IP.

In this scenario, a register from the customer's PBX may succeed because From
will usually contain the PBXs account id but an INVITE will contain the caller
id.  With nothing recognizable in From, the service provider's Asterisk can
never match to an endpoint and the INVITE just stays unauthorized.

The fixes:

A new value "auth_username" has been added to endpoint/identify_by that
will use the username and digest fields in the Authorization header
instead of username and domain in the the From header to match an endpoint,
or the To header to match an aor.  This code as added to
res_pjsip_endpoint_identifier_user rather than creating a new module.

Although identify_by was always a comma-separated list, there was only
1 choice so order wasn't preserved.  So to keep the order, a vector was added
to the end of ast_sip_endpoint.  This is only used by res_pjsip_registrar
to find the aor.  The res_pjsip_endpoint_identifier_* modules are called in
globals/endpoint_identifier_order.

Along the way, the logic in res_pjsip_registrar was corrected to match
most-specific to least-specific as res_pjsip_endpoint_identifier_user does.

The order is:

username@domain
username@domain_alias
username

Auth by username does present 1 problem however, the first INVITE won't have
an Authorization header so the distributor, not finding a match on anything,
sends a securty_alert.  It still sends a 401 with a challenge so the next
INVITE will have the Authorization header and presumably succeed.  As a result
though, that first security alert is actually a false alarm.

To address this, a new feature has been added to pjsip_distributor that keeps
track of unidentified requests and only sends the security alert if a
configurable number of unidentified requests come from the same IP in a
configurable amout of time.  Those configuration options have been added to
the global config object.  This feature is only used when auth_username
is enabled.

Finally, default_realm was added to the globals object to replace the hard
coded "asterisk" used when an endpoint is not yet identified.

The testsuite tests all pass but new tests are forthcoming for this new
feature.

ASTERISK-25835 #close
Reported-by: Ross Beer

Change-Id: I30ba62d208e6f63439600916fcd1c08a365ed69d
2016-04-27 16:33:51 -05:00
..
cdr
Increase account code maximum length to 80.
2015-11-05 10:20:34 -05:00
config
res_pjsip: Add ability to identify by Authorization username
2016-04-27 16:33:51 -05:00
voicemail
alembic: Adjust sippeers, queue_members, and voicemail_messages tables.
2014-08-06 17:04:08 +00:00
cdr.ini.sample
alembic: Adjust sippeers, queue_members, and voicemail_messages tables.
2014-08-06 17:04:08 +00:00
config.ini.sample
alembic: Adjust sippeers, queue_members, and voicemail_messages tables.
2014-08-06 17:04:08 +00:00
README.md
voicemail.ini.sample
alembic: Adjust sippeers, queue_members, and voicemail_messages tables.
2014-08-06 17:04:08 +00:00

README.md

Asterisk Database Manager

Asterisk includes optional database integration for a variety of features. The purpose of this effort is to assist in managing the database schema for Asterisk database integration.

This is implemented as a set of repositories that contain database schema migrations, using Alembic. The existing repositories include:

  • config - Tables used for Asterisk realtime configuration
  • voicemail - Tables used for ODBC_STOARGE of voicemail messages

Alembic uses SQLAlchemy, which has support for many databases.

IMPORTANT NOTE: This is brand new and the initial migrations are still subject to change. Only use this for testing purposes for now.

Example Usage

First, create an ini file that contains database connection details. For help with connection string details, see the SQLAlchemy docs.

$ cp config.ini.sample config.ini
... edit config.ini and change sqlalchemy.url ...

Next, bring the database up to date with the current schema.

$ alembic -c config.ini upgrade head

In the future, as additional database migrations are added, you can run alembic again to migrate the existing tables to the latest schema.

$ alembic -c config.ini upgrade head

The migrations support both upgrading and downgrading. You could go all the way back to where you started with no tables by downgrading back to the base revision.

$ alembic -c config.ini downgrade base

base and head are special revisions. You can refer to specific revisions to upgrade or downgrade to, as well.

$ alembic -c config.ini upgrade 4da0c5f79a9c

Offline Mode

If you would like to just generate the SQL statements that would have been executed, you can use alembic's offline mode.

$ alembic -c config.ini upgrade head --sql

Adding Database Migrations

The best way to learn about how to add additional database migrations is to refer to the Alembic documentation.