Merge "res_pjsip: Add 'ip' as a valid option to 'identify_by' on endpoint."

3 files changed, 30 insertions, 11 deletions

diff --git a/res/res_pjsip.c b/res/res_pjsip.c
index f81d34ca4..7499ded3e 100644
--- a/res/res_pjsip.c
+++ b/res/res_pjsip.c
@@ -268,15 +268,17 @@
 				<configOption name="ice_support" default="no">
 					<synopsis>Enable the ICE mechanism to help traverse NAT</synopsis>
 				</configOption>
-				<configOption name="identify_by" default="username,location">
+				<configOption name="identify_by" default="username,ip">
 					<synopsis>Way(s) for Endpoint to be identified</synopsis>
 					<description><para>
 						Endpoints and aors can be identified in multiple ways. Currently, the supported
 						options are <literal>username</literal>, which matches the endpoint or aor id based on
-						the username and domain in the From header (or To header for aors), and
+						the username and domain in the From header (or To header for aors),
 						<literal>auth_username</literal>, which matches the endpoint or aor id based on the
-						username and realm in the Authentication header.  In all cases, if an exact match
-						on both username and domain/realm fails, the match will be retried with just the username.
+						username and realm in the Authentication header, and <literal>ip</literal> which matches
+						an endpoint based on the source IP address.  In the <literal>username</literal> and
+						<literal>auth_username</literal> cases, if an exact match on both username and
+						domain/realm fails, the match will be retried with just the username.
 						</para>
 						<note><para>
 						Identification by auth_username has some security considerations because an
@@ -292,14 +294,19 @@
 						configuration object.
 						</para></note>
 						<note><para>Endpoints can also be identified by IP address; however, that method
-						of identification is not handled by this configuration option. See the documentation
-						for the <literal>identify</literal> configuration section for more details on that
-						method of endpoint identification. If this option is set and an <literal>identify</literal>
-						configuration section exists for the endpoint, then the endpoint can be identified in
-						multiple ways.</para></note>
+						of identification is not configured but simply allowed by this configuration option.
+						See the documentation for the <literal>identify</literal> configuration section for
+						more details on that method of endpoint identification.</para></note>
+						<note><para>
+						This option controls both how an endpoint is matched for incoming traffic and also how
+						an AoR is determined if a registration occurs. If <literal>ip</literal> is set alone
+						then incoming registration will not find an AoR and the registration attempt will fail.
+						If you want to allow incoming registrations to succeed you must set a second identify
+						method such as <literal>username</literal> in this case.</para></note>
 						<enumlist>
 							<enum name="username" />
 							<enum name="auth_username" />
+							<enum name="ip" />
 						</enumlist>
 					</description>
 				</configOption>
diff --git a/res/res_pjsip/pjsip_configuration.c b/res/res_pjsip/pjsip_configuration.c
index 653cb98ac..6db5b3898 100644
--- a/res/res_pjsip/pjsip_configuration.c
+++ b/res/res_pjsip/pjsip_configuration.c
@@ -582,8 +582,10 @@ static int ident_handler(const struct aco_option *opt, struct ast_variable *var,
 
 		if (!strcasecmp(val, "username")) {
 			method = AST_SIP_ENDPOINT_IDENTIFY_BY_USERNAME;
-		} else	if (!strcasecmp(val, "auth_username")) {
+		} else if (!strcasecmp(val, "auth_username")) {
 			method = AST_SIP_ENDPOINT_IDENTIFY_BY_AUTH_USERNAME;
+		} else if (!strcasecmp(val, "ip")) {
+			method = AST_SIP_ENDPOINT_IDENTIFY_BY_IP;
 		} else {
 			ast_log(LOG_ERROR, "Unrecognized identification method %s specified for endpoint %s\n",
 					val, ast_sorcery_object_get_id(endpoint));
@@ -628,6 +630,9 @@ static int ident_to_str(const void *obj, const intptr_t *args, char **buf)
 		case AST_SIP_ENDPOINT_IDENTIFY_BY_AUTH_USERNAME :
 			method = "auth_username";
 			break;
+		case AST_SIP_ENDPOINT_IDENTIFY_BY_IP :
+			method = "ip";
+			break;
 		default:
 			continue;
 		}
@@ -1901,7 +1906,7 @@ int ast_res_pjsip_initialize_configuration(void)
 	ast_sorcery_object_field_register(sip_sorcery, "endpoint", "aors", "", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_endpoint, aors));
 	ast_sorcery_object_field_register(sip_sorcery, "endpoint", "media_address", "", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_endpoint, media.address));
 	ast_sorcery_object_field_register(sip_sorcery, "endpoint", "bind_rtp_to_media_address", "no", OPT_BOOL_T, 1, STRFLDSET(struct ast_sip_endpoint, media.bind_rtp_to_media_address));
-	ast_sorcery_object_field_register_custom(sip_sorcery, "endpoint", "identify_by", "username", ident_handler, ident_to_str, NULL, 0, 0);
+	ast_sorcery_object_field_register_custom(sip_sorcery, "endpoint", "identify_by", "username,ip", ident_handler, ident_to_str, NULL, 0, 0);
 	ast_sorcery_object_field_register(sip_sorcery, "endpoint", "direct_media", "yes", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, media.direct_media.enabled));
 	ast_sorcery_object_field_register_custom(sip_sorcery, "endpoint", "direct_media_method", "invite", direct_media_method_handler, direct_media_method_to_str, NULL, 0, 0);
 	ast_sorcery_object_field_register_custom(sip_sorcery, "endpoint", "connected_line_method", "invite", connected_line_method_handler, connected_line_method_to_str, NULL, 0, 0);
diff --git a/res/res_pjsip_endpoint_identifier_ip.c b/res/res_pjsip_endpoint_identifier_ip.c
index 30bfc2618..8b92cef27 100644
--- a/res/res_pjsip_endpoint_identifier_ip.c
+++ b/res/res_pjsip_endpoint_identifier_ip.c
@@ -227,7 +227,14 @@ static struct ast_sip_endpoint *ip_identify(pjsip_rx_data *rdata)
 	}
 
 	endpoint = ast_sorcery_retrieve_by_id(ast_sip_get_sorcery(), "endpoint", match->endpoint_name);
+
 	if (endpoint) {
+		if (!(endpoint->ident_method & AST_SIP_ENDPOINT_IDENTIFY_BY_IP)) {
+			ast_debug(3, "Endpoint '%s' found for '%s' but 'ip' method not supported'\n", match->endpoint_name,
+				ast_sockaddr_stringify(&addr));
+			ao2_cleanup(endpoint);
+			return NULL;
+		}
 		ast_debug(3, "Retrieved endpoint %s\n", ast_sorcery_object_get_id(endpoint));
 	} else {
 		ast_log(LOG_WARNING, "Identify section '%s' points to endpoint '%s' but endpoint could not be looked up\n",