From 5caa938be22340202b114ec929207bbb89550a0b Mon Sep 17 00:00:00 2001
From: Mark Michelson
Date: Tue, 20 Aug 2013 21:01:59 +0000
Subject: Localize and rename ACL configuration. This is more-or-less a reversion of previous ACL behavior so that it is more self-contained. ACL sections are now only parsed if res_pjsip_acl.so is loaded. Moreover, the configuration section is now "type=acl" instead of "type=security". The original reason for having ACLs configured in a "type=security" section was to lump ACLs and other security-related items into the same section. The problem is that ACLs really should be in their own sections and there are no other security-related options implemented anyways.
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@397193 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
res/res_pjsip/config_security.c | 88 -------------------------------------
res/res_pjsip/pjsip_configuration.c | 7 ---
res/res_pjsip_acl.c | 69 ++++++++++++++++++++++++++---
3 files changed, 64 insertions(+), 100 deletions(-)
delete mode 100644 res/res_pjsip/config_security.c
(limited to 'res')
diff --git a/res/res_pjsip/config_security.c b/res/res_pjsip/config_security.c
deleted file mode 100644
index 3caff2b56..000000000
--- a/res/res_pjsip/config_security.c
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * Asterisk -- An open source telephony toolkit.
- *
- * Copyright (C) 2013, Digium, Inc.
- *
- * Mark Michelson
- * Kevin Harwell
- *
- * See http://www.asterisk.org for more information about
- * the Asterisk project. Please do not directly contact
- * any of the maintainers of this project for assistance;
- * the project provides a web site, mailing lists and IRC
- * channels for your use.
- *
- * This program is free software, distributed under the terms of
- * the GNU General Public License Version 2. See the LICENSE file
- * at the top of the source tree.
- */
-
-/*** MODULEINFO
- pjproject
- res_pjsip
- core
- ***/
-#include "asterisk.h"
-
-#include
-
-#include "asterisk/res_pjsip.h"
-#include "asterisk/logger.h"
-#include "asterisk/sorcery.h"
-#include "asterisk/acl.h"
-
-static int acl_handler(const struct aco_option *opt, struct ast_variable *var, void *obj)
-{
- struct ast_sip_security *security = obj;
- int error = 0;
- int ignore;
- if (!strncmp(var->name, "contact", 7)) {
- ast_append_acl(var->name + 7, var->value, &security->contact_acl, &error, &ignore);
- } else {
- ast_append_acl(var->name, var->value, &security->acl, &error, &ignore);
- }
-
- return error;
-}
-
-static void security_destroy(void *obj)
-{
- struct ast_sip_security *security = obj;
- security->acl = ast_free_acl_list(security->acl);
- security->contact_acl = ast_free_acl_list(security->contact_acl);
-}
-
-static void *security_alloc(const char *name)
-{
- struct ast_sip_security *security =
- ast_sorcery_generic_alloc(sizeof(*security), security_destroy);
-
- if (!security) {
- return NULL;
- }
-
- return security;
-}
-
-int ast_sip_initialize_sorcery_security(struct ast_sorcery *sorcery)
-{
- ast_sorcery_apply_default(sorcery, SIP_SORCERY_SECURITY_TYPE,
- "config", "pjsip.conf,criteria=type=security");
-
- if (ast_sorcery_object_register(sorcery, SIP_SORCERY_SECURITY_TYPE,
- security_alloc, NULL, NULL)) {
-
- ast_log(LOG_ERROR, "Failed to register SIP %s
object with sorcery\n",
- SIP_SORCERY_SECURITY_TYPE);
- return -1;
- }
-
- ast_sorcery_object_field_register(sorcery, SIP_SORCERY_SECURITY_TYPE, "type", "", OPT_NOOP_T, 0, 0);
- ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_SECURITY_TYPE, "permit", "", acl_handler, NULL, 0, 0);
- ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_SECURITY_TYPE, "deny", "", acl_handler, NULL, 0, 0);
- ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_SECURITY_TYPE, "acl", "", acl_handler, NULL, 0, 0);
- ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_SECURITY_TYPE, "contactpermit", "", acl_handler, NULL, 0, 0);
- ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_SECURITY_TYPE, "contactdeny", "", acl_handler, NULL, 0, 0);
- ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_SECURITY_TYPE, "contactacl", "", acl_handler, NULL, 0, 0);
- return 0;
-}
diff --git a/res/res_pjsip/pjsip_configuration.c b/res/res_pjsip/pjsip_configuration.c
index 4d703e54b..527df5da3 100644
--- a/res/res_pjsip/pjsip_configuration.c
+++ b/res/res_pjsip/pjsip_configuration.c
@@ -740,13 +740,6 @@ int ast_res_pjsip_initialize_configuration(void)
 return -1;
 }
- if (ast_sip_initialize_sorcery_security(sip_sorcery)) {
- ast_log(LOG_ERROR, "Failed to register SIP security support\n");
- ast_sorcery_unref(sip_sorcery);
- sip_sorcery = NULL;
- return -1;
- }
-
 if (ast_sip_initialize_sorcery_global(sip_sorcery)) {
 ast_log(LOG_ERROR, "Failed to register SIP Global support\n");
 ast_sorcery_unref(sip_sorcery);
diff --git a/res/res_pjsip_acl.c b/res/res_pjsip_acl.c
index 7cb498a96..c44704cf5 100644
--- a/res/res_pjsip_acl.c
+++ b/res/res_pjsip_acl.c
@@ -153,13 +153,24 @@ static int apply_contact_acl(pjsip_rx_data *rdata, struct ast_acl_list *contact_
 return forbidden;
 }
+#define SIP_SORCERY_ACL_TYPE "acl"
+
+/*!
+ * \brief SIP ACL details and configuration.
+ */
+struct ast_sip_acl {
+ SORCERY_OBJECT(details);
+ struct ast_acl_list *acl;
+ struct ast_acl_list *contact_acl;
+};
+
 static int check_acls(void *obj, void *arg, int flags)
 {
- struct ast_sip_security *security = obj;
+ struct ast_sip_acl *sip_acl = obj;
 pjsip_rx_data *rdata = arg;
- if (apply_acl(rdata, security->acl) ||
- apply_contact_acl(rdata, security->contact_acl)) {
+ if (apply_acl(rdata, sip_acl->acl) ||
+ apply_contact_acl(rdata, sip_acl->contact_acl)) {
 return CMP_MATCH | CMP_STOP;
 }
 return 0;
@@ -168,9 +179,9 @@ static int check_acls(void *obj, void *arg, int flags)
 static pj_bool_t acl_on_rx_msg(pjsip_rx_data *rdata)
 {
 RAII_VAR(struct ao2_container *, acls, ast_sorcery_retrieve_by_fields(
- ast_sip_get_sorcery(), SIP_SORCERY_SECURITY_TYPE,
+ ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE,
 AST_RETRIEVE_FLAG_MULTIPLE | AST_RETRIEVE_FLAG_ALL, NULL), ao2_cleanup);
- RAII_VAR(struct ast_sip_security *, matched_acl, NULL, ao2_cleanup);
+ RAII_VAR(struct ast_sip_acl *, matched_acl, NULL, ao2_cleanup);
 if (!acls) {
 ast_log(LOG_ERROR, "Unable to retrieve ACL sorcery data\n");
@@ -187,6 +198,20 @@ static pj_bool_t acl_on_rx_msg(pjsip_rx_data *rdata)
 return PJ_FALSE;
 }
+static int acl_handler(const struct aco_option *opt, struct ast_variable *var, void *obj)
+{
+ struct ast_sip_acl *sip_acl = obj;
+ int error = 0;
+ int ignore;
+ if (!strncmp(var->name, "contact", 7)) {
+ ast_append_acl(var->name + 7, var->value, &sip_acl->contact_acl, &error, &ignore);
+ } else {
+ ast_append_acl(var->name, var->value, &sip_acl->acl, &error, &ignore);
+ }
+
+ return error;
+}
+
 static pjsip_module acl_module = {
 .name = { "ACL Module", 14 },
 /* This should run after a logger but before anything else */
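Review bot: The lookup in acl_on_rx_msg (hunk at -168) now retrieves only objects of `SIP_SORCERY_ACL_TYPE`, so permit/deny rules that an existing pjsip.conf still keeps under `type=security` are no longer consulted, and nothing in this hunk reports that. For an access-control module that is a quiet loss of filtering on upgrade; whether leftover sections are warned about elsewhere is not visible in this diff. I would record the rename next to the lookup, e.g. `/* Only type=acl sections are consulted; older type=security sections are not read by this module. */`, and add an upgrade note for operators. The body of acl_on_rx_msg continues outside the hunk.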
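Review bot: acl_handler (hunk at -187) is undocumented and hard-codes the prefix length twice, in `strncmp(var->name, "contact", 7)` and in `var->name + 7`, so the literal and the offset can drift apart if the prefix is ever changed. I would tie both to the string, for example `static const char contact_prefix[] = "contact";` with `sizeof(contact_prefix) - 1` as the length. A header comment would also help, such as `/* Options prefixed with "contact" are appended to contact_acl with the prefix stripped; all others go to acl. Returns the error flag set by ast_append_acl(). */`. The `ignore` out-parameter is never read afterwards; a short comment saying that is deliberate would save the next reader a lookup.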
@@ -194,8 +219,42 @@ static pjsip_module acl_module = {
 .on_rx_request = acl_on_rx_msg,
 };
+static void acl_destroy(void *obj)
+{
+ struct ast_sip_acl *sip_acl = obj;
+ sip_acl->acl = ast_free_acl_list(sip_acl->acl);
+ sip_acl->contact_acl = ast_free_acl_list(sip_acl->contact_acl);
+}
+
+static void *acl_alloc(const char *name)
+{
+ struct ast_sip_acl *sip_acl =
+ ast_sorcery_generic_alloc(sizeof(*sip_acl), acl_destroy);
+
+ return sip_acl;
+}
+
 static int load_module(void)
 {
+ ast_sorcery_apply_default(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE,
+ "config", "pjsip.conf,criteria=type=acl");
+
+ if (ast_sorcery_object_register(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE,
+ acl_alloc, NULL, NULL)) {
+
+ ast_log(LOG_ERROR, "Failed to register SIP %s object with sorcery\n",
+ SIP_SORCERY_ACL_TYPE);
+ return AST_MODULE_LOAD_DECLINE;
+ }
+
+ ast_sorcery_object_field_register(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "type", "", OPT_NOOP_T, 0, 0);
+ ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "permit", "", acl_handler, NULL, 0, 0);
+ ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "deny", "", acl_handler, NULL, 0, 0);
+ ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "acl", "", acl_handler, NULL, 0, 0);
+ ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "contactpermit", "", acl_handler, NULL, 0, 0);
+ ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "contactdeny", "", acl_handler, NULL, 0, 0);
+ ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "contactacl", "", acl_handler, NULL, 0, 0);
+
 ast_sip_register_service(&acl_module);
 return AST_MODULE_LOAD_SUCCESS;
 }
-- cgit v1.2.3
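Review bot: The seven field registrations added to load_module discard their results, so if registering `deny` or `contactdeny` failed the module would still reach `AST_MODULE_LOAD_SUCCESS` and register the service with an incomplete option set. Assuming the registration macros yield a status the way `ast_sorcery_object_register` does just above (their definitions are not in this diff), I would collect the results and decline the load on any failure, as sketched below. The result of `ast_sip_register_service` on the unchanged line is ignored in the same way and deserves the same check.

```c
static int load_module(void)
{
	int failed = 0;

	/* … unchanged: ast_sorcery_apply_default() and ast_sorcery_object_register() … */

	failed |= ast_sorcery_object_field_register(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "type", "", OPT_NOOP_T, 0, 0);
	failed |= ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "permit", "", acl_handler, NULL, 0, 0);
	failed |= ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "deny", "", acl_handler, NULL, 0, 0);
	/* … same pattern for "acl", "contactpermit", "contactdeny", "contactacl" … */

	if (failed) {
		/* Refuse to run with a partial option set rather than parse ACL sections incompletely. */
		ast_log(LOG_ERROR, "Failed to register SIP %s fields with sorcery\n",
			SIP_SORCERY_ACL_TYPE);
		return AST_MODULE_LOAD_DECLINE;
	}

	/* … unchanged: ast_sip_register_service() and return … */
```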