[OpenSIPS-Users] learning the realm from authentication challenges

johan johan at democon.be
Fri Sep 25 08:15:57 EST 2020


Do this in failure_route:


     if (is_method("INVITE"))
     {
         # mark that auth was performed
         setflag(8);
         # trigger again the failure route
         t_on_failure("missed_call_registrations");
         if ($(<reply>hdr(Proxy-Authenticate)))
         {
             $var(raw_auth) = $(<reply>hdr(Proxy-Authenticate));
         }
         if ($(<reply>hdr(WWW-Authenticate)))
         {
             $var(raw_auth) = $(<reply>hdr(WWW-Authenticate));
         }
         $var(reg_start) = "/(.*?)realm=\"//g";
         $var(reg_end) = "/\"(.*)//g";
         xlog("callid=$ci: Failure_route[missed_call_registrations]: Raw data $var(raw_auth)");
         $var(raw_auth) = $(var(raw_auth){re.subst,$var(reg_start)});
         $var(raw_auth) = $(var(raw_auth){re.subst,$var(reg_end)});
         xlog("callid=$ci: Failure_route[missed_call_registrations]: Got realm data $var(raw_auth)");
         $avp(uac_realm)=$var(raw_auth);
         # repeat the request with auth response this time
         xlog("callid=$ci: Failure_route[missed_call_registrations]:let us send authentication");
         # debug only: the next line writes the UAC password to the log in clear text
         xlog("callid=$ci: Failure_route[missed_call_registrations]:FAILUREROUTE_STATUS40X_UACAUTHINVITE_DEBUG_VARIABLES: AVP_UAC_REALM:$avp(uac_realm) AVP_UAC_USERNAME: $avp(uac_username) AVP_UAC_PASSWORD:$avp(uac_password)");
         uac_auth();
     }

On 25/09/2020 05:13, Jeff Pyle wrote:
> Good catch on Proxy-Authorization vs Proxy-Authenticate.  I think I've 
> been looking at this too long.  I checked the module and that's 
> exactly what it is.
>
> My hope was to load the uac_auth user/pass AVPs ahead of time from a 
> DB based on where I knew I was sending the call, load the realm one in 
> the failure route based on what comes back in the header, and then 
> fire the uac_auth() function.  It looks like I may have to manually 
> extract the realm from whichever header comes in.  Not ideal, but 
> probably workable.
>
>
> - Jeff
>
>
> On Thu, Sep 24, 2020 at 9:58 PM Ben Newlin <Ben.Newlin at genesys.com> wrote:
>
>     This does not appear to be documented, but I believe uac_auth()
>     looks through the AVPs configured in the UAC_AUTH module and uses
>     the first one whose realm matches the challenge realm. So in order
>     to authenticate any challenge, you must load all of the possible
>     credentials into those AVPs.
>
>     Ben Newlin
>
>     *From: *Users <users-bounces at lists.opensips.org>
>     *Date: *Thursday, September 24, 2020 at 9:53 PM
>     *To: *OpenSIPS users mailling list <users at lists.opensips.org>
>     *Subject: *Re: [OpenSIPS-Users] learning the realm from
>     authentication challenges
>
>     According to the docs, $ar provides the realm from the
>     “Authorization” or “Proxy-Authorization” headers. Not from the
>     “Proxy-Authenticate” header, which is what you have.
>
>     https://www.opensips.org/Documentation/Script-CoreVar-3-1#toc6
>
>     Ben Newlin
>
>     *From: *Users <users-bounces at lists.opensips.org>
>     *Date: *Thursday, September 24, 2020 at 9:31 PM
>     *To: *OpenSIPS users mailling list <users at lists.opensips.org>
>     *Subject: *[OpenSIPS-Users] learning the realm from authentication
>     challenges
>
>     I'm trying to recover the realm of an auth challenge to OpenSIPS
>     so I can respond to it with the uac_auth() function, and that
>     requires knowing the realm.  The docs say that $ar
>     <https://www.opensips.org/Documentation/Script-CoreVar-3-1#toc6>
>     should provide that, perhaps written like $(<reply>ar) to get it
>     in the right context. I'm having some trouble getting the data.
>
>     failure_route[relay_failure] {
>     ...
>
>             if (t_check_status("407")) {
>                     xlog("L_NOTICE", "[1] Proxy-Authenticate: $(<reply>hdr(Proxy-Authenticate))\n");
>                     xlog("L_NOTICE", "[2] Auth Realm: $(<reply>ar)\n");
>
>                     xlog("L_NOTICE", "[3] Auth Realm: $ar\n");
>             }
>
>     ...
>
>     }
>
>     The logs show:
>
>     /usr/sbin/opensips[33044]: [1] Proxy-Authenticate: Digest realm="asterisk", nonce="5f6d42140000936ad820dbcd452e6bcd145777e458dd46dd", qop="auth"
>     /usr/sbin/opensips[33044]: [2] Auth Realm reply: <null>
>     /usr/sbin/opensips[33044]: [3] Auth Realm: <null>
>
>     Is it possible to get the realm? Is it possible to build a
>     response with uac_auth() for an arbitrary authentication challenge?
>
>     This is on 3.1.0~20200923~88f89e941.
>
>     - Jeff
>
>     _______________________________________________
>     Users mailing list
>     Users at lists.opensips.org <mailto:Users at lists.opensips.org>
>     http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
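Added example, not part of the thread and not OpenSIPS code: a Python parser for the realm-learning step discussed above, which reads a Proxy-Authenticate / WWW-Authenticate value parameter by parameter, so the realm is found wherever it appears and quoted values containing commas or escaped quotes are handled. It goes beyond the thread by only returning credentials for a realm that is already in a known table; the function names, the `KNOWN` table and the second header are assumptions constructed for illustration.

```python
import re

# One auth-param: name "=" (quoted-string | token), then "," or end of value.
_PARAM = re.compile(r'\s*([\w.-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)')

def parse_challenge(header_value):
    """Split one Proxy-Authenticate / WWW-Authenticate value into (scheme, params)."""
    scheme, _, rest = header_value.strip().partition(" ")
    params, pos = {}, 0
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if m is None:
            raise ValueError("malformed challenge at offset %d" % pos)
        name, quoted, token = m.group(1).lower(), m.group(2), m.group(3)
        # Undo backslash escapes inside a quoted-string; tokens are used as-is.
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else token
        params.setdefault(name, value)  # first occurrence of a parameter wins
        pos = m.end()
    return scheme.lower(), params

def challenge_realm(header_value):
    """Return the Digest realm, or None if the value is not a usable Digest challenge."""
    try:
        scheme, params = parse_challenge(header_value)
    except ValueError:
        return None
    return params.get("realm") if scheme == "digest" else None

def credentials_for(header_value, known):
    """Look up (username, password) by learned realm; None means do not answer."""
    realm = challenge_realm(header_value)
    return known.get(realm) if realm is not None else None

# Header value as logged in the thread, on one line.
PAGE_CHALLENGE = ('Digest realm="asterisk", '
                  'nonce="5f6d42140000936ad820dbcd452e6bcd145777e458dd46dd", qop="auth"')
# Constructed: realm is not first, and an earlier quoted value contains 'realm='.
TRICKY_CHALLENGE = r'Digest nonce="abc", opaque="x, realm=\"fake\"", realm="pbx.example.net", algorithm=MD5'
# Constructed credential table keyed by the realms this proxy expects to see.
KNOWN = {"asterisk": ("alice", "constructed-secret")}

if __name__ == "__main__":
    for hdr in (PAGE_CHALLENGE, TRICKY_CHALLENGE):
        print(challenge_realm(hdr), credentials_for(hdr, KNOWN))
```

A challenge whose realm is not in the table yields no credentials, so a digest response is never computed for a realm the operator did not provision.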