Localize and rename ACL configuration.

This is more-or-less a reversion of previous ACL behavior so that it is more self-contained. ACL sections are now only parsed if res_pjsip_acl.so is loaded. Moreover, the configuration section is now "type=acl" instead of "type=security". The original reason for having ACLs configured in a "type=security" section was to lump ACLs and other security-related items into the same section. The problem is that ACLs really should be in their own sections and there are no other security-related options implemented anyways. git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@397193 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2025-10-12 15:45:18 +00:00 · 2013-08-20 21:01:59 +00:00
parent b6faaf85e3
commit 5caa938be2
4 changed files with 64 additions and 121 deletions
--- a/include/asterisk/res_pjsip.h
+++ b/include/asterisk/res_pjsip.h
@@ -665,17 +665,6 @@ struct ast_sip_endpoint_identifier {
    struct ast_sip_endpoint *(*identify_endpoint)(pjsip_rx_data *rdata);
 };
 #define SIP_SORCERY_SECURITY_TYPE "security"
 /*!
 * \brief SIP security details and configuration.
 */
 struct ast_sip_security {
 	SORCERY_OBJECT(details);
 	struct ast_acl_list *acl;
 	struct ast_acl_list *contact_acl;
 };
 /*!
 * \brief Register a SIP service in Asterisk.
 *
@@ -972,16 +961,6 @@ int ast_sip_initialize_sorcery_domain_alias(struct ast_sorcery *sorcery);
 */
 int ast_sip_initialize_sorcery_auth(struct ast_sorcery *sorcery);
 /*!
 * \brief Initialize security support on a sorcery instance
 *
 * \param sorcery The sorcery instance
 *
 * \retval -1 failure
 * \retval 0 success
 */
 int ast_sip_initialize_sorcery_security(struct ast_sorcery *sorcery);
 /*!
 * \brief Callback called when an outbound request with authentication credentials is to be sent in dialog
 *
--- a/res/res_pjsip/config_security.c
+++ b/res/res_pjsip/config_security.c
@@ -1,88 +0,0 @@
 /*
 * Asterisk -- An open source telephony toolkit.
 *
 * Copyright (C) 2013, Digium, Inc.
 *
 * Mark Michelson <mmichelson@digium.com>
 * Kevin Harwell <kharwell@digium.com>
 *
 * See http://www.asterisk.org for more information about
 * the Asterisk project. Please do not directly contact
 * any of the maintainers of this project for assistance;
 * the project provides a web site, mailing lists and IRC
 * channels for your use.
 *
 * This program is free software, distributed under the terms of
 * the GNU General Public License Version 2. See the LICENSE file
 * at the top of the source tree.
 */
 /*** MODULEINFO
 	<depend>pjproject</depend>
 	<depend>res_pjsip</depend>
 	<support_level>core</support_level>
 ***/
 #include "asterisk.h"
 #include <pjsip.h>
 #include "asterisk/res_pjsip.h"
 #include "asterisk/logger.h"
 #include "asterisk/sorcery.h"
 #include "asterisk/acl.h"
 static int acl_handler(const struct aco_option *opt, struct ast_variable *var, void *obj)
 {
 	struct ast_sip_security *security = obj;
 	int error = 0;
 	int ignore;
 	if (!strncmp(var->name, "contact", 7)) {
 		ast_append_acl(var->name + 7, var->value, &security->contact_acl, &error, &ignore);
 	} else {
 		ast_append_acl(var->name, var->value, &security->acl, &error, &ignore);
 	}
 	return error;
 }
 static void security_destroy(void *obj)
 {
 	struct ast_sip_security *security = obj;
 	security->acl = ast_free_acl_list(security->acl);
 	security->contact_acl = ast_free_acl_list(security->contact_acl);
 }
 static void *security_alloc(const char *name)
 {
 	struct ast_sip_security *security =
 		ast_sorcery_generic_alloc(sizeof(*security), security_destroy);
 	if (!security) {
 		return NULL;
 	}
 	return security;
 }
 int ast_sip_initialize_sorcery_security(struct ast_sorcery *sorcery)
 {
 	ast_sorcery_apply_default(sorcery, SIP_SORCERY_SECURITY_TYPE,
 				  "config", "pjsip.conf,criteria=type=security");
 	if (ast_sorcery_object_register(sorcery, SIP_SORCERY_SECURITY_TYPE,
 					security_alloc, NULL, NULL)) {
 		ast_log(LOG_ERROR, "Failed to register SIP %s object with sorcery\n",
 			SIP_SORCERY_SECURITY_TYPE);
 		return -1;
 	}
 	ast_sorcery_object_field_register(sorcery, SIP_SORCERY_SECURITY_TYPE, "type", "", OPT_NOOP_T, 0, 0);
 	ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_SECURITY_TYPE, "permit", "", acl_handler, NULL, 0, 0);
 	ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_SECURITY_TYPE, "deny", "", acl_handler, NULL, 0, 0);
 	ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_SECURITY_TYPE, "acl", "", acl_handler, NULL, 0, 0);
 	ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_SECURITY_TYPE, "contactpermit", "", acl_handler, NULL, 0, 0);
 	ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_SECURITY_TYPE, "contactdeny", "", acl_handler, NULL, 0, 0);
 	ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_SECURITY_TYPE, "contactacl", "", acl_handler, NULL, 0, 0);
 	return 0;
 }
--- a/res/res_pjsip/pjsip_configuration.c
+++ b/res/res_pjsip/pjsip_configuration.c
@@ -740,13 +740,6 @@ int ast_res_pjsip_initialize_configuration(void)
 		return -1;
 	}
 	if (ast_sip_initialize_sorcery_security(sip_sorcery)) {
 		ast_log(LOG_ERROR, "Failed to register SIP security support\n");
 		ast_sorcery_unref(sip_sorcery);
 		sip_sorcery = NULL;
 		return -1;
 	}
 	if (ast_sip_initialize_sorcery_global(sip_sorcery)) {
 		ast_log(LOG_ERROR, "Failed to register SIP Global support\n");
 		ast_sorcery_unref(sip_sorcery);
--- a/res/res_pjsip_acl.c
+++ b/res/res_pjsip_acl.c
@@ -153,13 +153,24 @@ static int apply_contact_acl(pjsip_rx_data *rdata, struct ast_acl_list *contact_
 	return forbidden;
 }
 #define SIP_SORCERY_ACL_TYPE "acl"
 /*!
 * \brief SIP ACL details and configuration.
 */
 struct ast_sip_acl {
 	SORCERY_OBJECT(details);
 	struct ast_acl_list *acl;
 	struct ast_acl_list *contact_acl;
 };
 static int check_acls(void *obj, void *arg, int flags)
 {
-	struct ast_sip_security *security = obj;
+	struct ast_sip_acl *sip_acl = obj;
 	pjsip_rx_data *rdata = arg;
-	if (apply_acl(rdata, security->acl) ||
+	if (apply_acl(rdata, sip_acl->acl) ||
-	    apply_contact_acl(rdata, security->contact_acl)) {
+	    apply_contact_acl(rdata, sip_acl->contact_acl)) {
 		return CMP_MATCH | CMP_STOP;
 	}
 	return 0;
@@ -168,9 +179,9 @@ static int check_acls(void *obj, void *arg, int flags)
 static pj_bool_t acl_on_rx_msg(pjsip_rx_data *rdata)
 {
 	RAII_VAR(struct ao2_container *, acls, ast_sorcery_retrieve_by_fields(
-			 ast_sip_get_sorcery(), SIP_SORCERY_SECURITY_TYPE,
+			 ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE,
 			 AST_RETRIEVE_FLAG_MULTIPLE | AST_RETRIEVE_FLAG_ALL, NULL), ao2_cleanup);
-	RAII_VAR(struct ast_sip_security *, matched_acl, NULL, ao2_cleanup);
+	RAII_VAR(struct ast_sip_acl *, matched_acl, NULL, ao2_cleanup);
 	if (!acls) {
 		ast_log(LOG_ERROR, "Unable to retrieve ACL sorcery data\n");
@@ -187,6 +198,20 @@ static pj_bool_t acl_on_rx_msg(pjsip_rx_data *rdata)
 	return PJ_FALSE;
 }
 static int acl_handler(const struct aco_option *opt, struct ast_variable *var, void *obj)
 {
 	struct ast_sip_acl *sip_acl = obj;
 	int error = 0;
 	int ignore;
 	if (!strncmp(var->name, "contact", 7)) {
 		ast_append_acl(var->name + 7, var->value, &sip_acl->contact_acl, &error, &ignore);
 	} else {
 		ast_append_acl(var->name, var->value, &sip_acl->acl, &error, &ignore);
 	}
 	return error;
 }
 static pjsip_module acl_module = {
 	.name = { "ACL Module", 14 },
 	/* This should run after a logger but before anything else */
@@ -194,8 +219,42 @@ static pjsip_module acl_module = {
 	.on_rx_request = acl_on_rx_msg,
 };
 static void acl_destroy(void *obj)
 {
 	struct ast_sip_acl *sip_acl = obj;
 	sip_acl->acl = ast_free_acl_list(sip_acl->acl);
 	sip_acl->contact_acl = ast_free_acl_list(sip_acl->contact_acl);
 }
 static void *acl_alloc(const char *name)
 {
 	struct ast_sip_acl *sip_acl =
 		ast_sorcery_generic_alloc(sizeof(*sip_acl), acl_destroy);
 	return sip_acl;
 }
 static int load_module(void)
 {
 	ast_sorcery_apply_default(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE,
 				  "config", "pjsip.conf,criteria=type=acl");
 	if (ast_sorcery_object_register(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE,
 					acl_alloc, NULL, NULL)) {
 		ast_log(LOG_ERROR, "Failed to register SIP %s object with sorcery\n",
 			SIP_SORCERY_ACL_TYPE);
 		return AST_MODULE_LOAD_DECLINE;
 	}
 	ast_sorcery_object_field_register(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "type", "", OPT_NOOP_T, 0, 0);
 	ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "permit", "", acl_handler, NULL, 0, 0);
 	ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "deny", "", acl_handler, NULL, 0, 0);
 	ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "acl", "", acl_handler, NULL, 0, 0);
 	ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "contactpermit", "", acl_handler, NULL, 0, 0);
 	ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "contactdeny", "", acl_handler, NULL, 0, 0);
 	ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "contactacl", "", acl_handler, NULL, 0, 0);
 	ast_sip_register_service(&acl_module);
 	return AST_MODULE_LOAD_SUCCESS;
 }