using avops for authentication

Gabriel Bermudez
Hi,

I need to authenticate and register users that are stored on the opensips db AND a different database.  For that I have the following code

    if (is_method("REGISTER") && $fu=~"^sip:[0-9]{10}@")
    {
        # authenticate the REGISTER based on a different DB
        xlog("getting valid credentials for calling card $fu");
        avp_db_query("select userpass from anothertable where username='$au'", "$avp(s:password)", "1");
        $var(username)=$au; # line 392
        xlog("credentials for user $var(username) : $avp(s:password)");
        if(!pv_www_authorize(""))
        {
            www_challenge("", "0");
            xlog("registration from $fu has been challenged");
            exit;
        }
        xlog("$fu authorized!!!");
        if (!db_check_to())
        {
            sl_send_reply("403","Forbidden auth ID");
            exit;
        }

        if (!save("location"))
            sl_reply_error();

        xlog("location saved for $fu");
        exit;
    }
    if (is_method("REGISTER") && $fu=~"^sip:[0-9]{9}@")
    {
        # authenticate the REGISTER requests (uncomment to enable auth)
        if (!www_authorize("", "subscriber"))
        {
            www_challenge("", "0");
            xlog("registration from $fu has been challenged");
            exit;
        }
       
        if (!db_check_to())
        {
            sl_send_reply("403","Forbidden auth ID");
            exit;
        }

        if (!save("location"))
            sl_reply_error();

        xlog("location saved for $fu");
        exit;
    }

If the username part of the From header has 10 digits, the script will try to authenticate against the other DB, but it won't go further than the pv_www_authorize line because in the logs I get the following.

Jul 13 21:28:00 opensips /usr/sbin/opensips[3139]: getting valid credentials for user sip:[hidden email]
Jul 13 21:28:00 opensips /usr/sbin/opensips[3139]: ERROR:core:do_assign: no value in right expression
Jul 13 21:28:00 opensips /usr/sbin/opensips[3139]: ERROR:core:do_assign: error at line: 397
Jul 13 21:28:00 opensips /usr/sbin/opensips[3139]: credentials for user 0 : <null>
Jul 13 21:28:01 opensips /usr/sbin/opensips[3141]: getting valid credentials for user sip:[hidden email]
Jul 13 21:28:01 opensips /usr/sbin/opensips[3141]: credentials for user 9999999999 : 9999999999

I don't know if I'm doing something really wrong or maybe the ERROR message has something to do with this auth failure.  Please can someone clarify this issue.
Thanks,


Kind regards,


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: using avops for authentication

Gabriel Bermudez
I'm forgetting about something: the userpassword field is a plain-text password.

Regards,


Re: using avops for authentication

Bogdan-Andrei Iancu
In reply to this post by Gabriel Bermudez
Hi Gabriel,

I guess the problem is at:
    $var(username)=$au;

as without doing auth, $au is not defined (parsed) yet.
Better try:
    $var(username)=$fU;

Regards,
Bogdan



--
Bogdan-Andrei Iancu
OpenSIPS Bootcamp
20 - 24 September 2010, Frankfurt, Germany
www.voice-system.ro



Re: using avops for authentication

Gabriel Bermudez
Hi Bogdan,

Thanks for your answer. Is there a way to know if $au is set or check
for the WWW-Authenticate header? If it isn't, I can www_challenge the
user for credentials.  After some trial and error I managed to
authenticate my users; I set the calculate_ha1 param to 1

modparam("auth", "calculate_ha1", 1)

Again, thanks for your help.

Regards,

2010/7/14 Bogdan-Andrei Iancu <[hidden email]>

>
> Hi Gabriel,
>
> I guess the problem is at:
>    $var(username)=$au;
>
> as without doing auth, $au is not defined (parsed) yet.
> better try:
>    $var(username)=$fU;
>
> Regards,
> Bogdan
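
The calculate_ha1 change reported in the last message, worked through as an added example (not code from the thread or from OpenSIPS): a simplified model of the digest check showing why a plain-text password column only verifies when the server hashes it into HA1 first. The realm, nonce and request URI are constructed values, and `server_verify` is a hypothetical helper, not the auth module's implementation.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def ha1(username, realm, password):
    # HA1 = MD5(username:realm:password), the value a credentials table can store
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1_hex, nonce, method, uri):
    # RFC 2617 response without qop, matching www_challenge("", "0") in the thread
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")

def server_verify(stored, calculate_ha1, username, realm, nonce, method, uri, response):
    # Simplified model: 'stored' is what the password pseudo-variable holds.
    # calculate_ha1=1 -> treat it as plaintext and hash it into HA1 first;
    # calculate_ha1=0 -> use it directly as a ready-made HA1 string.
    ha1_hex = ha1(username, realm, stored) if calculate_ha1 else stored
    expected = digest_response(ha1_hex, nonce, method, uri)
    return hmac.compare_digest(expected, response)

# Constructed sample values (realm, nonce and URI are assumptions).
USER, PASSWORD = "9999999999", "9999999999"
REALM, NONCE = "sip.example.test", "4c3df0a1b2constructednonce"
METHOD, URI = "REGISTER", "sip:sip.example.test"

def demo():
    # What a correctly configured phone sends after being challenged.
    response = digest_response(ha1(USER, REALM, PASSWORD), NONCE, METHOD, URI)
    args = (USER, REALM, NONCE, METHOD, URI, response)
    return {
        "plaintext, calculate_ha1=0": server_verify(PASSWORD, 0, *args),
        "plaintext, calculate_ha1=1": server_verify(PASSWORD, 1, *args),
        "stored HA1, calculate_ha1=0": server_verify(ha1(USER, REALM, PASSWORD), 0, *args),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'authorized' if ok else 'rejected'}")
```

Storing the HA1 string in the second table instead of the plain-text password would let calculate_ha1 stay at 0 and keeps recoverable passwords out of the database.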