void CUsrGroupWt1::addUsrGroup()
{
QWidget* newUsrGroupWt=new CAddUsrGroup1();
((CAddUsrGroup1*)newUsrGroupWt)->isUsr=FALSE;
((CAddUsrGroup1*)newUsrGroupWt)->cbPrivilege->addItem(tr("超级管理员"));
((CAddUsrGroup1*)newUsrGroupWt)->cbPrivilege->addItem(tr("用户组管理员"));
CTitleDlg1 newUsrGroupDlg(0,newUsrGroupWt);
QObject::connect(newUsrGroupWt,SIGNAL(okMsg()),&newUsrGroupDlg,SLOT(accept()));
int ret=newUsrGroupDlg.exec();
}
void CTaskManage1::addXaclTask()
{
QWidget* newXACLTaskWt=new CNewXaclTask();
CTitleDlg1 newXACLTaskDlg(0,newXACLTaskWt);
QObject::connect(newXACLTaskWt,SIGNAL(okMsg()),&newXACLTaskDlg,SLOT(accept()));
int ret=newXACLTaskDlg.exec();
/*CNewXaclTask newXaclTask;
newXaclTask.exec();*/
}
void CTaskManage1::addTask()
{
//QWidget* newTaskWt=new CNewTask1();
QWidget* newTaskWt=new CNewTask2();
CTitleDlg1 newTaskDlg(0,newTaskWt);
newTaskDlg.setFixedSize(newTaskDlg.width(),newTaskDlg.height());
QObject::connect(newTaskWt,SIGNAL(okMsg()),&newTaskDlg,SLOT(accept()));
int ret=newTaskDlg.exec();
/*CNewTask1 newTask;
newTask.exec();*/
}
// Test that an in-dialog message with an authorized route is not challenged.
void testNoChallengeAuth()
{
// first, simulate the initial invite to generate the route
UtlString identity("*****@*****.**"); // has only 'fishing' permission
Url okRequestUri("sip:user@boat");
UtlSList noRemovedRoutes;
UtlString rejectReason;
const char* okMessage =
"INVITE sip:user@boat SIP/2.0\r\n" // 'lodge' requires 'hunting' permission
"Via: SIP/2.0/TCP 10.1.1.3:33855\r\n"
"To: sip:user@boat\r\n"
"From: Caller <sip:[email protected]>; tag=30543f3483e1cb11ecb40866edd3295b\r\n"
"Call-Id: authorized-1\r\n"
"Cseq: 2 INVITE\r\n"
"Max-Forwards: 20\r\n"
"Contact: [email protected]\r\n"
"Content-Length: 0\r\n"
"\r\n";
SipMessage okMsg(okMessage, strlen(okMessage));
UtlString routeName("example.com");
RouteState okRouteState( okMsg, noRemovedRoutes, routeName );
UtlString method("INVITE");
const bool bSpiralingRequest = false;
AuthPlugin::AuthResult priorResult = AuthPlugin::CONTINUE;
// confirm that supercaster can call boat
CPPUNIT_ASSERT(AuthPlugin::ALLOW
== enforcer->authorizeAndModify(identity,
okRequestUri,
okRouteState,
method,
priorResult,
okMsg,
bSpiralingRequest,
rejectReason
));
CPPUNIT_ASSERT(rejectReason.isNull());
// No record-route
okRouteState.update(&okMsg);
UtlString recordRoute;
CPPUNIT_ASSERT(!okMsg.getRecordRouteField(0, &recordRoute));
}
// Test that a dialog forming request with an authorized route is challenged.
void testChallengeAuthSpiral()
{
// first, simulate the initial invite to generate the route
UtlString identity("*****@*****.**"); // has only 'fishing' permission
Url okRequestUri("sip:user@boat");
UtlSList noRemovedRoutes;
UtlString rejectReason;
const char* okMessage =
"INVITE sip:user@boat SIP/2.0\r\n"
"Via: SIP/2.0/TCP 10.1.1.3:33855\r\n"
"To: sip:user@boat\r\n"
"From: Caller <sip:[email protected]>; tag=30543f3483e1cb11ecb40866edd3295b\r\n"
"Call-Id: authorized-1\r\n"
"Cseq: 2 INVITE\r\n"
"Max-Forwards: 20\r\n"
"Contact: [email protected]\r\n"
"Content-Length: 0\r\n"
"\r\n";
SipMessage okMsg(okMessage, strlen(okMessage));
UtlString routeName("example.com");
RouteState okRouteState( okMsg, noRemovedRoutes, routeName );
UtlString method("INVITE");
const bool bSpiralingRequest = false;
AuthPlugin::AuthResult priorResult = AuthPlugin::CONTINUE;
// confirm that supercaster can call boat
CPPUNIT_ASSERT(AuthPlugin::ALLOW
== enforcer->authorizeAndModify(identity,
okRequestUri,
okRouteState,
method,
priorResult,
okMsg,
bSpiralingRequest,
rejectReason
));
CPPUNIT_ASSERT(rejectReason.isNull());
// No record-route
okRouteState.update(&okMsg);
UtlString recordRoute;
CPPUNIT_ASSERT(!okMsg.getRecordRouteField(0, &recordRoute));
/*
* Note that the request uri for this message is now 'lodge', simulating a
* spiral where boat became lodge (perhaps due to forwarding). Since 'supercaster'
* cannot call lodge, this should be rejected even though it has an approved
* route header based on the earlier spiral that approved the call to 'boat'.
*/
const char* newdialogForwardMessage =
"INFO sip:user@lodge SIP/2.0\r\n" // 'lodge' requires 'hunting' permission
"Via: SIP/2.0/TCP 10.1.1.3:33855\r\n"
"Via: SIP/2.0/TCP 10.1.1.3:33855\r\n"
"To: sip:user@boat\r\n"
"From: Caller <sip:[email protected]>; tag=30543f3483e1cb11ecb40866edd3295b\r\n"
"Call-Id: authorized-1\r\n"
"Cseq: 2 INFO\r\n"
"Record-Route: <sip:example.com;lr;sipXecs-rs=enforce%2Aauth%7E%21c2ce876a02a4f62e6a4ba3069bfb75b5>\r\n"
"Max-Forwards: 19\r\n"
"Contact: [email protected]\r\n"
"Content-Length: 0\r\n"
"\r\n";
SipMessage newdialogForwardMsg(newdialogForwardMessage, strlen(newdialogForwardMessage));
UtlSList noApprovedRouteList; // empty
RouteState newdialogRouteState( newdialogForwardMsg, noApprovedRouteList, routeName );
Url newdialogRequestUri("sip:user@lodge");
// verify that it is still mutable (has no To tag or signed Route header)
CPPUNIT_ASSERT(newdialogRouteState.isMutable());
// confirm that the spiraled new dialog message with that route is
// not allowed even though it is not authenticated.
UtlString noIdentity;
CPPUNIT_ASSERT(AuthPlugin::DENY
== enforcer->authorizeAndModify(noIdentity,
newdialogRequestUri,
newdialogRouteState,
method,
priorResult,
newdialogForwardMsg,
bSpiralingRequest,
rejectReason
));
CPPUNIT_ASSERT(rejectReason.isNull());
}
// Test that permissions of authIdentity are taken into consideration
void testAuthIdentity()
{
UtlString identity("*****@*****.**"); // has only 'fishing' permission
Url okRequestUri("sip:user@boat");
UtlSList noRemovedRoutes;
UtlString rejectReason;
const char* okMessage =
"INVITE sip:user@boat SIP/2.0\r\n" // 'lodge' requires 'hunting' permission
"Via: SIP/2.0/TCP 10.1.1.3:33855\r\n"
"To: sip:user@boat\r\n"
"From: Caller <sip:[email protected]>; tag=30543f3483e1cb11ecb40866edd3295b\r\n"
"Call-Id: exception-1\r\n"
"Cseq: 2 INVITE\r\n"
"Max-Forwards: 20\r\n"
"Contact: [email protected]\r\n"
"Content-Length: 0\r\n"
"\r\n";
SipMessage okMsg(okMessage, strlen(okMessage));
UtlString routeName("example.com");
RouteState okRouteState( okMsg, noRemovedRoutes, routeName );
UtlString method("INVITE");
const bool bSpiralingRequest = false;
AuthPlugin::AuthResult priorResult = AuthPlugin::CONTINUE;
// confirm that supercaster can call boat
CPPUNIT_ASSERT(AuthPlugin::ALLOW
== enforcer->authorizeAndModify(identity,
okRequestUri,
okRouteState,
method,
priorResult,
okMsg,
bSpiralingRequest,
rejectReason
));
CPPUNIT_ASSERT(rejectReason.isNull());
okRouteState.update(&okMsg);
UtlString recordRoute;
CPPUNIT_ASSERT(okMsg.getRecordRouteField(0, &recordRoute));
ASSERT_STR_EQUAL( "<sip:example.com;lr;sipXecs-rs=enforce%2Aauth%7E%210083f7f42bdf4998911a18d41fb3aa01>", recordRoute );
// now try the same request, but mightyhunter as authIdentity
// so this time it should NOT work
// Modify the identity to mightyhunter and verify that he can't call boat
const char* notOkMessage =
"INVITE sip:user@boat SIP/2.0\r\n" // 'lodge' requires 'hunting' permission
"Via: SIP/2.0/TCP 10.1.1.3:33855\r\n"
"To: sip:user@boat\r\n"
"From: Caller <sip:[email protected]>; tag=30543f3483e1cb11ecb40866edd3295b\r\n"
"Call-Id: exception-1\r\n"
"Cseq: 2 INVITE\r\n"
"Max-Forwards: 20\r\n"
"Contact: [email protected]\r\n"
"Content-Length: 0\r\n"
"\r\n";
SipMessage notOkMsg( notOkMessage, strlen(notOkMessage));
SipXauthIdentity authIdentity;
authIdentity.setIdentity("*****@*****.**");
authIdentity.insert(notOkMsg, SipXauthIdentity::AuthIdentityHeaderName);
rejectReason.remove(0);
// confirm that mightyhunter can't call boat
CPPUNIT_ASSERT(AuthPlugin::DENY
== enforcer->authorizeAndModify(identity,
okRequestUri,
okRouteState,
method,
priorResult,
notOkMsg,
bSpiralingRequest,
rejectReason
));
CPPUNIT_ASSERT(!rejectReason.compareTo("Requires fishing"));
// check that the authidentity is still present
SipXauthIdentity testIdentity(notOkMsg, SipXauthIdentity::AuthIdentityHeaderName);
UtlString testIdentityString;
CPPUNIT_ASSERT(testIdentity.getIdentity(testIdentityString));
ASSERT_STR_EQUAL(testIdentityString,
"*****@*****.**");
const char* noprivMessage =
"INVITE sip:user@lodge SIP/2.0\r\n" // 'lodge' requires 'hunting' permission
"Via: SIP/2.0/TCP 10.1.1.3:33855\r\n"
"To: sip:user@lodge\r\n"
"From: Caller <sip:[email protected]>; tag=30543f3483e1cb11ecb40866edd3295b\r\n"
"Call-Id: exception-2\r\n"
"Cseq: 2 INVITE\r\n"
"Max-Forwards: 20\r\n"
"Contact: [email protected]\r\n"
"Content-Length: 0\r\n"
"\r\n";
SipMessage noprivMsg(noprivMessage, strlen(noprivMessage));
RouteState noprivRouteState( noprivMsg, noRemovedRoutes, routeName );
Url noprivRequestUri("sip:user@lodge");
rejectReason.remove(0);
// confirm that supercaster cannot call lodge
CPPUNIT_ASSERT(AuthPlugin::DENY
== enforcer->authorizeAndModify(identity,
noprivRequestUri,
noprivRouteState,
method,
priorResult,
noprivMsg,
bSpiralingRequest,
rejectReason
));
ASSERT_STR_EQUAL("Requires hunting", rejectReason.data());
// now try the same request, but mightyhunter as authIdentity
// so this time it should work
const char* allowedMessage =
"INVITE sip:allowed@lodge SIP/2.0\r\n" // 'lodge' requires 'hunting' permission
"Via: SIP/2.0/TCP 10.1.1.3:33855\r\n"
"To: sip:allowed@lodge\r\n"
"From: Caller <sip:[email protected]>; tag=30543f3483e1cb11ecb40866edd3295b\r\n"
"Call-Id: exception-3\r\n"
"Cseq: 2 INVITE\r\n"
"Max-Forwards: 20\r\n"
"Contact: [email protected]\r\n"
"Content-Length: 0\r\n"
"\r\n";
SipMessage allowedMsg(allowedMessage, strlen(allowedMessage));
RouteState allowedRouteState( allowedMsg, noRemovedRoutes, routeName );
rejectReason.remove(0);
authIdentity.insert(allowedMsg, SipXauthIdentity::AuthIdentityHeaderName);
CPPUNIT_ASSERT(AuthPlugin::ALLOW
== enforcer->authorizeAndModify(identity,
noprivRequestUri,
allowedRouteState,
method,
priorResult,
allowedMsg,
bSpiralingRequest,
rejectReason
));
CPPUNIT_ASSERT(rejectReason.isNull());
// check that the authidentity is still present
SipXauthIdentity testIdentity1(notOkMsg, SipXauthIdentity::AuthIdentityHeaderName);
CPPUNIT_ASSERT(testIdentity1.getIdentity(testIdentityString));
ASSERT_STR_EQUAL(testIdentityString,
"*****@*****.**");
allowedRouteState.update(&allowedMsg);
CPPUNIT_ASSERT(allowedMsg.getRecordRouteField(0, &recordRoute));
ASSERT_STR_EQUAL( "<sip:example.com;lr;sipXecs-rs=enforce%2Aauth%7E%2175da650843a06eee569f3c93b0f94ee5>", recordRoute );
// check that invalid authidentity can not help bypass permissions
rejectReason.remove(0);
// invalid authidentity - Call-ID does not match
allowedMsg.addHeaderField("X-Sipx-Authidentity", "<sip:[email protected];signature=46A66059%3Ab1b86dffc2e38191cdfad0500bf9a209>");
CPPUNIT_ASSERT(AuthPlugin::DENY
== enforcer->authorizeAndModify(identity,
noprivRequestUri,
allowedRouteState,
method,
priorResult,
allowedMsg,
bSpiralingRequest,
rejectReason
));
ASSERT_STR_EQUAL("Requires hunting", rejectReason.data());
}
