// Test that an out-of-dialog request gets an authentication challenge when
// the auth rules require it.
void testForbidden()
{
const char* message =
"INVITE sip:user@forbidden SIP/2.0\r\n"
"Via: SIP/2.0/TCP 10.1.1.3:33855\r\n"
"To: sip:user@forbidden\r\n"
"From: Caller <sip:[email protected]>; tag=30543f3483e1cb11ecb40866edd3295b\r\n"
"Call-Id: f88dfabce84b6a2787ef024a7dbe8749\r\n"
"Cseq: 2 INVITE\r\n"
"Max-Forwards: 20\r\n"
"Contact: [email protected]\r\n"
"Content-Length: 0\r\n"
"\r\n";
SipMessage testMsg(message, strlen(message));
UtlString identity; // no authenticated identity
Url requestUri("sip:somewhere@forbidden");
UtlSList noRemovedRoutes;
UtlString routeName("example.com");
RouteState routeState( testMsg, noRemovedRoutes, routeName );
UtlString rejectReason;
UtlString method("INVITE");
const bool bSpiralingRequest = false;
AuthPlugin::AuthResult priorResult = AuthPlugin::CONTINUE;
CPPUNIT_ASSERT(AuthPlugin::DENY
== enforcer->authorizeAndModify(identity,
requestUri,
routeState,
method,
priorResult,
testMsg,
bSpiralingRequest,
rejectReason
));
ASSERT_STR_EQUAL("", rejectReason.data());
// now try the same request, but with an authenticated identity
// so this time it should provide a reject reason
identity = "*****@*****.**";
CPPUNIT_ASSERT(AuthPlugin::DENY
== enforcer->authorizeAndModify(identity,
requestUri,
routeState,
method,
priorResult,
testMsg,
bSpiralingRequest,
rejectReason
));
ASSERT_STR_EQUAL("Requires NoAccess", rejectReason.data());
}
void testMultiplePAIs_Mixed()
{
const char* message =
"INVITE sip:[email protected]:5060;x-sipX-pubcontact=47.135.162.145%3A29544 SIP/2.0\r\n"
"Record-Route: <sip:192.168.0.2:5060;lr>\r\n"
"From: caller <sip:[email protected]>;tag=94bc25b8-c0a80165-13c4-3e635-37aa1989-3e635\r\n"
"To: <sip:[email protected]>\r\n"
"Call-Id: 94bb2520-c0a80165-13c4-3e635-3ccd2971-3e635@rjolyscs2.ca.nortel.com\r\n"
"Cseq: 1 INVITE\r\n"
"Max-Forwards: 19\r\n"
"Supported: replaces\r\n"
"Contact: <sip:[email protected]:5060;x-sipX-pubcontact=47.135.162.145%3A14956>\r\n"
"P-Asserted-Identity: \"Some guy\" <sip:[email protected]>\r\n"
"P-Asserted-Identity: \"foreigner1\" <sip:[email protected]>\r\n"
"P-Asserted-Identity: \"Some other guy\" <sip:[email protected]>\r\n"
"P-Asserted-Identity: \"foreigner2\" <sip:[email protected]>\r\n"
"P-Asserted-Identity: \"foreigner3\" <sip:[email protected]>\r\n"
"P-Asserted-Identity: \"yet another guy\" <sip:[email protected]>\r\n"
"P-Asserted-Identity: \"foreigner4\" <sip:[email protected]>\r\n"
"P-Asserted-Identity: \"you again\" <sip:[email protected]>\r\n"
"Content-Length: 0\r\n"
"\r\n";
SipMessage testMsg(message, strlen(message));
UtlSList noRemovedRoutes;
UtlString routeName("mydomain.com");
RouteState routeState( testMsg, noRemovedRoutes, routeName );
UtlString rejectReason;
CPPUNIT_ASSERT(AuthPlugin::CONTINUE
== spLinter->authorizeAndModify(identity,
requestUri,
routeState,
"INVITE",
AuthPlugin::CONTINUE,
testMsg,
false,
rejectReason
));
// verify that foreign PAIs are still there.
const char* pPAI;
CPPUNIT_ASSERT( ( pPAI = testMsg.getHeaderValue( 0, SipXauthIdentity::PAssertedIdentityHeaderName ) ) );
ASSERT_STR_EQUAL( "\"foreigner1\" <sip:[email protected]>", pPAI );
CPPUNIT_ASSERT( ( pPAI = testMsg.getHeaderValue( 1, SipXauthIdentity::PAssertedIdentityHeaderName ) ) );
ASSERT_STR_EQUAL( "\"foreigner2\" <sip:[email protected]>", pPAI );
CPPUNIT_ASSERT( ( pPAI = testMsg.getHeaderValue( 2, SipXauthIdentity::PAssertedIdentityHeaderName ) ) );
ASSERT_STR_EQUAL( "\"foreigner3\" <sip:[email protected]>", pPAI );
CPPUNIT_ASSERT( ( pPAI = testMsg.getHeaderValue( 3, SipXauthIdentity::PAssertedIdentityHeaderName ) ) );
ASSERT_STR_EQUAL( "\"foreigner4\" <sip:[email protected]>", pPAI );
}
// Test that a response message is allowed and is not modified
void testNoPermResponse()
{
OsConfigDb configuration;
configuration.set("RULES", TEST_DATA_DIR "/enforcerules.xml");
enforcer->readConfig(configuration);
UtlString identity; // no authenticated identity
Url requestUri("sip:somewhere@forbidden");
const char* message =
"SIP/2.0 200 Ok\r\n"
"Via: SIP/2.0/TCP 10.1.1.3:33855\r\n"
"To: sip:somewhere@forbidden\r\n"
"From: Caller <sip:[email protected]>; tag=99911983748\r\n"
"Call-Id: b1373e736d7d359ead76fa5cd467d999\r\n"
"Cseq: 2 ACK\r\n"
"Max-Forwards: 20\r\n"
"Contact: [email protected]\r\n"
"Content-Length: 0\r\n"
"Record-Route: <sip:example.com;lr;sipXecs-rs=enforce%2Aauth%7E%21d1e296555015a54cb746fa7ac5695cf7>\r\n"
"\r\n";
SipMessage testMsg(message, strlen(message));
UtlSList noRemovedRoutes;
UtlString routeName("example.com");
RouteState routeState( testMsg, noRemovedRoutes, routeName );
const char unmodifiedRejectReason[] = "unmodified";
UtlString rejectReason(unmodifiedRejectReason);
UtlString method("INVITE");
const bool bSpiralingRequest = false;
AuthPlugin::AuthResult priorResult = AuthPlugin::ALLOW; // SipRouter passes this for responses
CPPUNIT_ASSERT(AuthPlugin::CONTINUE
== enforcer->authorizeAndModify(identity,
requestUri,
routeState,
method,
priorResult,
testMsg,
bSpiralingRequest,
rejectReason
));
ASSERT_STR_EQUAL(unmodifiedRejectReason, rejectReason.data());
UtlString recordRoute;
CPPUNIT_ASSERT(testMsg.getRecordRouteField(0, &recordRoute));
ASSERT_STR_EQUAL( "<sip:example.com;lr;sipXecs-rs=enforce%2Aauth%7E%21d1e296555015a54cb746fa7ac5695cf7>", recordRoute );
}
// Test that an in-dialog message with an authorized route is not challenged.
void testNoChallengeAuth()
{
// first, simulate the initial invite to generate the route
UtlString identity("*****@*****.**"); // has only 'fishing' permission
Url okRequestUri("sip:user@boat");
UtlSList noRemovedRoutes;
UtlString rejectReason;
const char* okMessage =
"INVITE sip:user@boat SIP/2.0\r\n" // 'lodge' requires 'hunting' permission
"Via: SIP/2.0/TCP 10.1.1.3:33855\r\n"
"To: sip:user@boat\r\n"
"From: Caller <sip:[email protected]>; tag=30543f3483e1cb11ecb40866edd3295b\r\n"
"Call-Id: authorized-1\r\n"
"Cseq: 2 INVITE\r\n"
"Max-Forwards: 20\r\n"
"Contact: [email protected]\r\n"
"Content-Length: 0\r\n"
"\r\n";
SipMessage okMsg(okMessage, strlen(okMessage));
UtlString routeName("example.com");
RouteState okRouteState( okMsg, noRemovedRoutes, routeName );
UtlString method("INVITE");
const bool bSpiralingRequest = false;
AuthPlugin::AuthResult priorResult = AuthPlugin::CONTINUE;
// confirm that supercaster can call boat
CPPUNIT_ASSERT(AuthPlugin::ALLOW
== enforcer->authorizeAndModify(identity,
okRequestUri,
okRouteState,
method,
priorResult,
okMsg,
bSpiralingRequest,
rejectReason
));
CPPUNIT_ASSERT(rejectReason.isNull());
// No record-route
okRouteState.update(&okMsg);
UtlString recordRoute;
CPPUNIT_ASSERT(!okMsg.getRecordRouteField(0, &recordRoute));
}
void testMultiplePAIs_NoMatch()
{
const char* message =
"INVITE sip:[email protected]:5060;x-sipX-pubcontact=47.135.162.145%3A29544 SIP/2.0\r\n"
"Record-Route: <sip:192.168.0.2:5060;lr>\r\n"
"From: caller <sip:[email protected]>;tag=94bc25b8-c0a80165-13c4-3e635-37aa1989-3e635\r\n"
"To: <sip:[email protected]>\r\n"
"Call-Id: 94bb2520-c0a80165-13c4-3e635-3ccd2971-3e635@rjolyscs2.ca.nortel.com\r\n"
"Cseq: 1 INVITE\r\n"
"Max-Forwards: 19\r\n"
"Supported: replaces\r\n"
"Contact: <sip:[email protected]:5060;x-sipX-pubcontact=47.135.162.145%3A14956>\r\n"
"P-Asserted-Identity: \"foreigner1\" <sip:[email protected]>\r\n"
"P-Asserted-Identity: \"foreigner2\" <sip:[email protected]>\r\n"
"P-Asserted-Identity: \"foreigner3\" <sip:[email protected]>\r\n"
"P-Asserted-Identity: \"foreigner4\" <sip:[email protected]>\r\n"
"Content-Length: 0\r\n"
"\r\n";
SipMessage testMsg(message, strlen(message));
UtlSList noRemovedRoutes;
UtlString routeName("mydomain.com");
RouteState routeState( testMsg, noRemovedRoutes, routeName );
UtlString rejectReason;
CPPUNIT_ASSERT(AuthPlugin::CONTINUE
== spLinter->authorizeAndModify(identity,
requestUri,
routeState,
"INVITE",
AuthPlugin::CONTINUE,
testMsg,
false,
rejectReason
));
ssize_t size;
UtlString modifiedMessageText;
testMsg.getBytes( &modifiedMessageText, &size );
ASSERT_STR_EQUAL( message, modifiedMessageText.data() );
}
void testPAIForMatchingDomain_StillSpiraling()
{
const char* message =
"INVITE sip:[email protected]:5060;x-sipX-pubcontact=47.135.162.145%3A29544 SIP/2.0\r\n"
"Record-Route: <sip:192.168.0.2:5060;lr>\r\n"
"From: caller <sip:[email protected]>;tag=94bc25b8-c0a80165-13c4-3e635-37aa1989-3e635\r\n"
"To: <sip:[email protected]>\r\n"
"Call-Id: 94bb2520-c0a80165-13c4-3e635-3ccd2971-3e635@rjolyscs2.ca.nortel.com\r\n"
"Cseq: 1 INVITE\r\n"
"Max-Forwards: 19\r\n"
"Supported: replaces\r\n"
"Contact: <sip:[email protected]:5060;x-sipX-pubcontact=47.135.162.145%3A14956>\r\n"
"P-Asserted-Identity: \"Some guy\" <sip:[email protected]>\r\n"
"Content-Length: 0\r\n"
"\r\n";
SipMessage testMsg(message, strlen(message));
CPPUNIT_ASSERT( testMsg.getHeaderValue( 0, SipXauthIdentity::PAssertedIdentityHeaderName ) );
UtlSList noRemovedRoutes;
UtlString routeName("mydomain.com");
RouteState routeState( testMsg, noRemovedRoutes, routeName );
UtlString rejectReason;
CPPUNIT_ASSERT(AuthPlugin::CONTINUE
== spLinter->authorizeAndModify(identity,
requestUri,
routeState,
"INVITE",
AuthPlugin::CONTINUE,
testMsg,
true, // request still spiraling
rejectReason
));
// verify that PAI is still there because request is still spiraling.
const char* pPAI;
CPPUNIT_ASSERT( ( pPAI = testMsg.getHeaderValue( 0, SipXauthIdentity::PAssertedIdentityHeaderName ) ) );
ASSERT_STR_EQUAL( "\"Some guy\" <sip:[email protected]>", pPAI );
}
// Test that an out-of-dialog request gets a Record-Route, even if it does not
// require authorization/authentication, and test that the Record-Route has no
// extraneous parameters applied.
void testNoPermNeededOut()
{
OsConfigDb configuration;
configuration.set("RULES", TEST_DATA_DIR "/enforcerules.xml");
enforcer->readConfig(configuration);
UtlString identity; // no authenticated identity
Url requestUri("sip:911@emergency-gw");
const char* message =
"INVITE sip:911@emergency-gw SIP/2.0\r\n"
"Via: SIP/2.0/TCP 10.1.1.3:33855\r\n"
"To: sip:911@emergency-gw\r\n"
"From: Caller <sip:[email protected]>; tag=30543f3483e1cb11ecb40866edd3295b\r\n"
"Call-Id: f88dfabce84b6a2787ef024a7dbe8749\r\n"
"Cseq: 2 INVITE\r\n"
"Max-Forwards: 20\r\n"
"Contact: [email protected]\r\n"
"Content-Length: 0\r\n"
"\r\n";
SipMessage testMsg(message, strlen(message));
UtlSList noRemovedRoutes;
UtlString routeName("example.com");
RouteState routeState( testMsg, noRemovedRoutes, routeName );
const char unmodifiedRejectReason[] = "unmodified";
UtlString rejectReason(unmodifiedRejectReason);
UtlString method("INVITE");
const bool bSpiralingRequest = false;
AuthPlugin::AuthResult priorResult = AuthPlugin::CONTINUE;
CPPUNIT_ASSERT(AuthPlugin::ALLOW
== enforcer->authorizeAndModify(identity,
requestUri,
routeState,
method,
priorResult,
testMsg,
bSpiralingRequest,
rejectReason
));
ASSERT_STR_EQUAL(unmodifiedRejectReason, rejectReason.data());
// No Record-Route header.
routeState.update(&testMsg);
UtlString recordRoute;
CPPUNIT_ASSERT(!testMsg.getRecordRouteField(0, &recordRoute));
RouteState spiraledRouteState(testMsg, noRemovedRoutes, routeName);
// now simulate a spiral with the same message
CPPUNIT_ASSERT(AuthPlugin::ALLOW
== enforcer->authorizeAndModify(identity,
requestUri,
spiraledRouteState,
method,
priorResult,
testMsg,
bSpiralingRequest,
rejectReason
));
ASSERT_STR_EQUAL(unmodifiedRejectReason, rejectReason.data());
// No Record-Route header.
spiraledRouteState.update(&testMsg);
CPPUNIT_ASSERT(!testMsg.getRecordRouteField(0, &recordRoute));
}
// Test that a dialog forming request with an authorized route is challenged.
void testChallengeAuthSpiral()
{
// first, simulate the initial invite to generate the route
UtlString identity("*****@*****.**"); // has only 'fishing' permission
Url okRequestUri("sip:user@boat");
UtlSList noRemovedRoutes;
UtlString rejectReason;
const char* okMessage =
"INVITE sip:user@boat SIP/2.0\r\n"
"Via: SIP/2.0/TCP 10.1.1.3:33855\r\n"
"To: sip:user@boat\r\n"
"From: Caller <sip:[email protected]>; tag=30543f3483e1cb11ecb40866edd3295b\r\n"
"Call-Id: authorized-1\r\n"
"Cseq: 2 INVITE\r\n"
"Max-Forwards: 20\r\n"
"Contact: [email protected]\r\n"
"Content-Length: 0\r\n"
"\r\n";
SipMessage okMsg(okMessage, strlen(okMessage));
UtlString routeName("example.com");
RouteState okRouteState( okMsg, noRemovedRoutes, routeName );
UtlString method("INVITE");
const bool bSpiralingRequest = false;
AuthPlugin::AuthResult priorResult = AuthPlugin::CONTINUE;
// confirm that supercaster can call boat
CPPUNIT_ASSERT(AuthPlugin::ALLOW
== enforcer->authorizeAndModify(identity,
okRequestUri,
okRouteState,
method,
priorResult,
okMsg,
bSpiralingRequest,
rejectReason
));
CPPUNIT_ASSERT(rejectReason.isNull());
// No record-route
okRouteState.update(&okMsg);
UtlString recordRoute;
CPPUNIT_ASSERT(!okMsg.getRecordRouteField(0, &recordRoute));
/*
* Note that the request uri for this message is now 'lodge', simulating a
* spiral where boat became lodge (perhaps due to forwarding). Since 'supercaster'
* cannot call lodge, this should be rejected even though it has an approved
* route header based on the earlier spiral that approved the call to 'boat'.
*/
const char* newdialogForwardMessage =
"INFO sip:user@lodge SIP/2.0\r\n" // 'lodge' requires 'hunting' permission
"Via: SIP/2.0/TCP 10.1.1.3:33855\r\n"
"Via: SIP/2.0/TCP 10.1.1.3:33855\r\n"
"To: sip:user@boat\r\n"
"From: Caller <sip:[email protected]>; tag=30543f3483e1cb11ecb40866edd3295b\r\n"
"Call-Id: authorized-1\r\n"
"Cseq: 2 INFO\r\n"
"Record-Route: <sip:example.com;lr;sipXecs-rs=enforce%2Aauth%7E%21c2ce876a02a4f62e6a4ba3069bfb75b5>\r\n"
"Max-Forwards: 19\r\n"
"Contact: [email protected]\r\n"
"Content-Length: 0\r\n"
"\r\n";
SipMessage newdialogForwardMsg(newdialogForwardMessage, strlen(newdialogForwardMessage));
UtlSList noApprovedRouteList; // empty
RouteState newdialogRouteState( newdialogForwardMsg, noApprovedRouteList, routeName );
Url newdialogRequestUri("sip:user@lodge");
// verify that it is still mutable (has no To tag or signed Route header)
CPPUNIT_ASSERT(newdialogRouteState.isMutable());
// confirm that the spiraled new dialog message with that route is
// not allowed even though it is not authenticated.
UtlString noIdentity;
CPPUNIT_ASSERT(AuthPlugin::DENY
== enforcer->authorizeAndModify(noIdentity,
newdialogRequestUri,
newdialogRouteState,
method,
priorResult,
newdialogForwardMsg,
bSpiralingRequest,
rejectReason
));
CPPUNIT_ASSERT(rejectReason.isNull());
}
// Test that permissions of authIdentity are taken into consideration
void testAuthIdentity()
{
UtlString identity("*****@*****.**"); // has only 'fishing' permission
Url okRequestUri("sip:user@boat");
UtlSList noRemovedRoutes;
UtlString rejectReason;
const char* okMessage =
"INVITE sip:user@boat SIP/2.0\r\n" // 'lodge' requires 'hunting' permission
"Via: SIP/2.0/TCP 10.1.1.3:33855\r\n"
"To: sip:user@boat\r\n"
"From: Caller <sip:[email protected]>; tag=30543f3483e1cb11ecb40866edd3295b\r\n"
"Call-Id: exception-1\r\n"
"Cseq: 2 INVITE\r\n"
"Max-Forwards: 20\r\n"
"Contact: [email protected]\r\n"
"Content-Length: 0\r\n"
"\r\n";
SipMessage okMsg(okMessage, strlen(okMessage));
UtlString routeName("example.com");
RouteState okRouteState( okMsg, noRemovedRoutes, routeName );
UtlString method("INVITE");
const bool bSpiralingRequest = false;
AuthPlugin::AuthResult priorResult = AuthPlugin::CONTINUE;
// confirm that supercaster can call boat
CPPUNIT_ASSERT(AuthPlugin::ALLOW
== enforcer->authorizeAndModify(identity,
okRequestUri,
okRouteState,
method,
priorResult,
okMsg,
bSpiralingRequest,
rejectReason
));
CPPUNIT_ASSERT(rejectReason.isNull());
okRouteState.update(&okMsg);
UtlString recordRoute;
CPPUNIT_ASSERT(okMsg.getRecordRouteField(0, &recordRoute));
ASSERT_STR_EQUAL( "<sip:example.com;lr;sipXecs-rs=enforce%2Aauth%7E%210083f7f42bdf4998911a18d41fb3aa01>", recordRoute );
// now try the same request, but mightyhunter as authIdentity
// so this time it should NOT work
// Modify the identity to mightyhunter and verify that he can't call boat
const char* notOkMessage =
"INVITE sip:user@boat SIP/2.0\r\n" // 'lodge' requires 'hunting' permission
"Via: SIP/2.0/TCP 10.1.1.3:33855\r\n"
"To: sip:user@boat\r\n"
"From: Caller <sip:[email protected]>; tag=30543f3483e1cb11ecb40866edd3295b\r\n"
"Call-Id: exception-1\r\n"
"Cseq: 2 INVITE\r\n"
"Max-Forwards: 20\r\n"
"Contact: [email protected]\r\n"
"Content-Length: 0\r\n"
"\r\n";
SipMessage notOkMsg( notOkMessage, strlen(notOkMessage));
SipXauthIdentity authIdentity;
authIdentity.setIdentity("*****@*****.**");
authIdentity.insert(notOkMsg, SipXauthIdentity::AuthIdentityHeaderName);
rejectReason.remove(0);
// confirm that mightyhunter can't call boat
CPPUNIT_ASSERT(AuthPlugin::DENY
== enforcer->authorizeAndModify(identity,
okRequestUri,
okRouteState,
method,
priorResult,
notOkMsg,
bSpiralingRequest,
rejectReason
));
CPPUNIT_ASSERT(!rejectReason.compareTo("Requires fishing"));
// check that the authidentity is still present
SipXauthIdentity testIdentity(notOkMsg, SipXauthIdentity::AuthIdentityHeaderName);
UtlString testIdentityString;
CPPUNIT_ASSERT(testIdentity.getIdentity(testIdentityString));
ASSERT_STR_EQUAL(testIdentityString,
"*****@*****.**");
const char* noprivMessage =
"INVITE sip:user@lodge SIP/2.0\r\n" // 'lodge' requires 'hunting' permission
"Via: SIP/2.0/TCP 10.1.1.3:33855\r\n"
"To: sip:user@lodge\r\n"
"From: Caller <sip:[email protected]>; tag=30543f3483e1cb11ecb40866edd3295b\r\n"
"Call-Id: exception-2\r\n"
"Cseq: 2 INVITE\r\n"
"Max-Forwards: 20\r\n"
"Contact: [email protected]\r\n"
"Content-Length: 0\r\n"
"\r\n";
SipMessage noprivMsg(noprivMessage, strlen(noprivMessage));
RouteState noprivRouteState( noprivMsg, noRemovedRoutes, routeName );
Url noprivRequestUri("sip:user@lodge");
rejectReason.remove(0);
// confirm that supercaster cannot call lodge
CPPUNIT_ASSERT(AuthPlugin::DENY
== enforcer->authorizeAndModify(identity,
noprivRequestUri,
noprivRouteState,
method,
priorResult,
noprivMsg,
bSpiralingRequest,
rejectReason
));
ASSERT_STR_EQUAL("Requires hunting", rejectReason.data());
// now try the same request, but mightyhunter as authIdentity
// so this time it should work
const char* allowedMessage =
"INVITE sip:allowed@lodge SIP/2.0\r\n" // 'lodge' requires 'hunting' permission
"Via: SIP/2.0/TCP 10.1.1.3:33855\r\n"
"To: sip:allowed@lodge\r\n"
"From: Caller <sip:[email protected]>; tag=30543f3483e1cb11ecb40866edd3295b\r\n"
"Call-Id: exception-3\r\n"
"Cseq: 2 INVITE\r\n"
"Max-Forwards: 20\r\n"
"Contact: [email protected]\r\n"
"Content-Length: 0\r\n"
"\r\n";
SipMessage allowedMsg(allowedMessage, strlen(allowedMessage));
RouteState allowedRouteState( allowedMsg, noRemovedRoutes, routeName );
rejectReason.remove(0);
authIdentity.insert(allowedMsg, SipXauthIdentity::AuthIdentityHeaderName);
CPPUNIT_ASSERT(AuthPlugin::ALLOW
== enforcer->authorizeAndModify(identity,
noprivRequestUri,
allowedRouteState,
method,
priorResult,
allowedMsg,
bSpiralingRequest,
rejectReason
));
CPPUNIT_ASSERT(rejectReason.isNull());
// check that the authidentity is still present
SipXauthIdentity testIdentity1(notOkMsg, SipXauthIdentity::AuthIdentityHeaderName);
CPPUNIT_ASSERT(testIdentity1.getIdentity(testIdentityString));
ASSERT_STR_EQUAL(testIdentityString,
"*****@*****.**");
allowedRouteState.update(&allowedMsg);
CPPUNIT_ASSERT(allowedMsg.getRecordRouteField(0, &recordRoute));
ASSERT_STR_EQUAL( "<sip:example.com;lr;sipXecs-rs=enforce%2Aauth%7E%2175da650843a06eee569f3c93b0f94ee5>", recordRoute );
// check that invalid authidentity can not help bypass permissions
rejectReason.remove(0);
// invalid authidentity - Call-ID does not match
allowedMsg.addHeaderField("X-Sipx-Authidentity", "<sip:[email protected];signature=46A66059%3Ab1b86dffc2e38191cdfad0500bf9a209>");
CPPUNIT_ASSERT(AuthPlugin::DENY
== enforcer->authorizeAndModify(identity,
noprivRequestUri,
allowedRouteState,
method,
priorResult,
allowedMsg,
bSpiralingRequest,
rejectReason
));
ASSERT_STR_EQUAL("Requires hunting", rejectReason.data());
}
// Test that an ACK is not challenged and not RecordRouted
void testNoPermAck()
{
OsConfigDb configuration;
configuration.set("RULES", TEST_DATA_DIR "/enforcerules.xml");
enforcer->readConfig(configuration);
UtlString identity; // no authenticated identity
Url requestUri("sip:somewhere@forbidden");
const char* message =
"ACK sip:somewhere@forbidden SIP/2.0\r\n"
"Via: SIP/2.0/TCP 10.1.1.3:33855\r\n"
"To: sip:somewhere@forbidden\r\n"
"From: Caller <sip:[email protected]>; tag=99911983748\r\n"
"Call-Id: b1373e736d7d359ead76fa5cd467d999\r\n"
"Cseq: 2 ACK\r\n"
"Max-Forwards: 20\r\n"
"Contact: [email protected]\r\n"
"Content-Length: 0\r\n"
"\r\n";
SipMessage testMsg(message, strlen(message));
UtlSList noRemovedRoutes;
UtlString routeName("example.com");
RouteState routeState( testMsg, noRemovedRoutes, routeName );
const char unmodifiedRejectReason[] = "unmodified";
UtlString rejectReason(unmodifiedRejectReason);
UtlString method("ACK");
const bool bSpiralingRequest = false;
AuthPlugin::AuthResult priorResult = AuthPlugin::ALLOW;
CPPUNIT_ASSERT(AuthPlugin::CONTINUE
== enforcer->authorizeAndModify(identity,
requestUri,
routeState,
method,
priorResult,
testMsg,
bSpiralingRequest,
rejectReason
));
ASSERT_STR_EQUAL(unmodifiedRejectReason, rejectReason.data());
routeState.update(&testMsg);
UtlString recordRoute;
CPPUNIT_ASSERT(!testMsg.getRecordRouteField(0, &recordRoute));
// now simulate a spiral with the same message
CPPUNIT_ASSERT(AuthPlugin::CONTINUE
== enforcer->authorizeAndModify(identity,
requestUri,
routeState,
method,
priorResult,
testMsg,
bSpiralingRequest,
rejectReason
));
ASSERT_STR_EQUAL(unmodifiedRejectReason, rejectReason.data());
routeState.update(&testMsg);
CPPUNIT_ASSERT(!testMsg.getRecordRouteField(0, &recordRoute));
}
