628f8d7a43
Why do we need a refactor?
The original stir/shaken implementation was started over 3 years ago
when little was understood about practical implementation. The
result was an implementation that wouldn't actually interoperate
with any other stir-shaken implementations.
There were also a number of stir-shaken features and RFC
requirements that were never implemented such as TNAuthList
certificate validation, sending Reason headers in SIP responses
when verification failed but we wished to continue the call, and
the ability to send Media Key(mky) grants in the Identity header
when the call involved DTLS.
Finally, there were some performance concerns around outgoing
calls and selection of the correct certificate and private key.
The configuration was keyed by an arbitrary name which meant that
for every outgoing call, we had to scan the entire list of
configured TNs to find the correct cert to use. With only a few
TNs configured, this wasn't an issue but if you have a thousand,
it could be.
What's changed?
* Configuration objects have been refactored to be clearer about
their uses and to fix issues.
* The "general" object was renamed to "verification" since it
contains parameters specific to the incoming verification
process. It also never handled ca_path and crl_path
correctly.
* A new "attestation" object was added that controls the
outgoing attestation process. It sets default certificates,
keys, etc.
* The "certificate" object was renamed to "tn" and had it's key
change to telephone number since outgoing call attestation
needs to look up certificates by telephone number.
* The "profile" object had more parameters added to it that can
override default parameters specified in the "attestation"
and "verification" objects.
* The "store" object was removed altogther as it was never
implemented.
* We now use libjwt to create outgoing Identity headers and to
parse and validate signatures on incoming Identiy headers. Our
previous custom implementation was much of the source of the
interoperability issues.
* General code cleanup and refactor.
* Moved things to better places.
* Separated some of the complex functions to smaller ones.
* Using context objects rather than passing tons of parameters
in function calls.
* Removed some complexity and unneeded encapsuation from the
config objects.
Resolves: #351
Resolves: #46
UserNote: Asterisk's stir-shaken feature has been refactored to
correct interoperability, RFC compliance, and performance issues.
See https://docs.asterisk.org/Deployment/STIR-SHAKEN for more
information.
UpgradeNote: The stir-shaken refactor is a breaking change but since
it's not working now we don't think it matters. The
stir_shaken.conf file has changed significantly which means that
existing ones WILL need to be changed. The stir_shaken.conf.sample
file in configs/samples/ has quite a bit more information. This is
also an ABI breaking change since some of the existing objects
needed to be changed or removed, and new ones added. Additionally,
if res_stir_shaken is enabled in menuselect, you'll need to either
have the development package for libjwt v1.15.3 installed or use
the --with-libjwt-bundled option with ./configure.
Asterisk Database Manager
Asterisk includes optional database integration for a variety of features. The purpose of this effort is to assist in managing the database schema for Asterisk database integration.
This is implemented as a set of repositories that contain database schema migrations, using Alembic. The existing repositories include:
cdr- Table used for Asterisk to store CDR recordsconfig- Tables used for Asterisk realtime configurationqueue_log- Table used for Asterisk to store Queue Log recordsvoicemail- Tables used forODBC_STORAGEof voicemail messages
Alembic uses SQLAlchemy, which has support for many databases.
IMPORTANT NOTE: This is brand new and the initial migrations are still subject to change. Only use this for testing purposes for now.
Example Usage
First, create an ini file that contains database connection details. For help with connection string details, see the SQLAlchemy docs.
$ cp config.ini.sample config.ini
... edit config.ini and change sqlalchemy.url ...
Next, bring the database up to date with the current schema.
$ alembic -c config.ini upgrade head
In the future, as additional database migrations are added, you can run alembic again to migrate the existing tables to the latest schema.
$ alembic -c config.ini upgrade head
The migrations support both upgrading and downgrading. You could go all the way back to where you started with no tables by downgrading back to the base revision.
$ alembic -c config.ini downgrade base
base and head are special revisions. You can refer to specific revisions
to upgrade or downgrade to, as well.
$ alembic -c config.ini upgrade 4da0c5f79a9c
Offline Mode
If you would like to just generate the SQL statements that would have been executed, you can use alembic's offline mode.
$ alembic -c config.ini upgrade head --sql
Adding Database Migrations
The best way to learn about how to add additional database migrations is to refer to the Alembic documentation.