res_pjsip: Add ability to identify by Authorization username

A feature of chan_sip that service providers relied upon was the ability to
identify by the Authorization username.  This is most often used when customers
have a PBX that needs to register rather than identify by IP address.  From my
own experiance, this is pretty common with small businesses who otherwise
don't need a static IP.

In this scenario, a register from the customer's PBX may succeed because From
will usually contain the PBXs account id but an INVITE will contain the caller
id.  With nothing recognizable in From, the service provider's Asterisk can
never match to an endpoint and the INVITE just stays unauthorized.

The fixes:

A new value "auth_username" has been added to endpoint/identify_by that
will use the username and digest fields in the Authorization header
instead of username and domain in the the From header to match an endpoint,
or the To header to match an aor.  This code as added to
res_pjsip_endpoint_identifier_user rather than creating a new module.

Although identify_by was always a comma-separated list, there was only
1 choice so order wasn't preserved.  So to keep the order, a vector was added
to the end of ast_sip_endpoint.  This is only used by res_pjsip_registrar
to find the aor.  The res_pjsip_endpoint_identifier_* modules are called in
globals/endpoint_identifier_order.

Along the way, the logic in res_pjsip_registrar was corrected to match
most-specific to least-specific as res_pjsip_endpoint_identifier_user does.

The order is:

username@domain
username@domain_alias
username

Auth by username does present 1 problem however, the first INVITE won't have
an Authorization header so the distributor, not finding a match on anything,
sends a securty_alert.  It still sends a 401 with a challenge so the next
INVITE will have the Authorization header and presumably succeed.  As a result
though, that first security alert is actually a false alarm.

To address this, a new feature has been added to pjsip_distributor that keeps
track of unidentified requests and only sends the security alert if a
configurable number of unidentified requests come from the same IP in a
configurable amout of time.  Those configuration options have been added to
the global config object.  This feature is only used when auth_username
is enabled.

Finally, default_realm was added to the globals object to replace the hard
coded "asterisk" used when an endpoint is not yet identified.

The testsuite tests all pass but new tests are forthcoming for this new
feature.

ASTERISK-25835 #close
Reported-by: Ross Beer

Change-Id: I30ba62d208e6f63439600916fcd1c08a365ed69d

1 files changed, 35 insertions, 5 deletions

diff --git a/configs/samples/pjsip.conf.sample b/configs/samples/pjsip.conf.sample
index 32282e39b..a17dab7a7 100644
--- a/configs/samples/pjsip.conf.sample
+++ b/configs/samples/pjsip.conf.sample
@@ -620,8 +620,13 @@
                                 ; the specified address. (default: "no")
 ;force_rport=yes        ; Force use of return port (default: "yes")
 ;ice_support=no ; Enable the ICE mechanism to help traverse NAT (default: "no")
-;identify_by=username   ; Way s for Endpoint to be identified (default:
-                        ; "username")
+;identify_by=username   ; A comma-separated list of ways the Endpoint or AoR can be
+                        ; identified.
+                        ; "username": Identify by the From or To username and domain
+                        ; "auth_username": Identify by the Authorization username and realm
+                        : In all cases, if an exact match on username and domain/realm fails,
+                        ; the match will be retried with just the username.
+                        ; (default: "username")
 ;redirect_method=user   ; How redirects received from an endpoint are handled
                         ; (default: "user")
 ;mailboxes=     ; NOTIFY the endpoint when state changes for any of the specified mailboxes.
@@ -906,8 +911,12 @@
 			; (default: "no")
 ;endpoint_identifier_order=ip,username,anonymous
             ; The order by which endpoint identifiers are given priority.
-            ; Identifier names are derived from res_pjsip_endpoint_identifier_*
-            ; modules. (default: ip,username,anonymous)
+            ; Currently, "ip", "username", "auth_username" and "anonymous" are valid
+            ; identifiers as registered by the res_pjsip_endpoint_identifier_* modules.
+            ; Some modules like res_pjsip_endpoint_identifier_user register more than
+            ; one identifier. Use the CLI command "pjsip show identifiers" to see the
+            ; identifiers currently available.
+            ; (default: ip,username,anonymous)
 ;max_initial_qualify_time=4 ; The maximum amount of time (in seconds) from
                             ; startup that qualifies should be attempted on all
                             ; contacts.  If greater than the qualify_frequency
@@ -920,7 +929,28 @@
                    ; The voicemail extension to send in the NOTIFY Message-Account header
                    ; if not set on endpoint or aor.
                    ; (default: "")
-
+;
+; The following unidentified_request options are only used when "auth_username"
+; matching is enabled in "endpoint_identifier_order".
+;
+;unidentified_request_count=5   ; The number of unidentified requests that can be
+                                ; received from a single IP address in
+                                ; unidentified_request_period seconds before a security
+                                ; event is generated. (default: 5)
+;unidentified_request_period=5  ; See above.  (default: 5 seconds)
+;unidentified_request_prune_interval=30
+                                ; The interval at which unidentified requests
+                                ; are check to see if they can be pruned.  If they're
+                                ; older than twice the unidentified_request_period,
+                                ; they're pruned.
+;
+;default_from_user=asterisk     ; When Asterisk generates an outgoing SIP request, the
+                                ; From header username will be set to this value if
+                                ; there is no better option (such as CallerID or
+                                ; endpoint/from_user) to be used
+;default_realm=asterisk         ; When Asterisk generates a challenge, the realm will be
+                                ; set to this value if there is no better option (such as
+                                ; auth/realm) to be used
 
 ; MODULE PROVIDING BELOW SECTION(S): res_pjsip_acl
 ;==========================ACL SECTION OPTIONS=========================