/[resiprocate]/main/resip/dum/WsCookieAuthManager.cxx
ViewVC logotype

Contents of /main/resip/dum/WsCookieAuthManager.cxx

Parent Directory Parent Directory | Revision Log Revision Log


Revision 10975 - (show annotations) (download)
Sun Feb 16 20:04:10 2014 UTC (5 years, 8 months ago) by sgodin
File size: 6846 byte(s)
-removed use of raw transport pointers in Tuple and SipMessage (finally!!)
 -required repro record route logic to be modified - no longer store transport specific
  record routes in the Transport class - the Proxy class now tracks these
 -removed SipMessage::getReceivedTransport and added isFromWire method that can be used in
  it's place in various locations

1 #include <cassert>
2
3 #include "resip/dum/DumFeature.hxx"
4 #include "resip/dum/DumFeatureChain.hxx"
5 #include "resip/dum/DialogUsageManager.hxx"
6 #include "resip/dum/TargetCommand.hxx"
7 #include "resip/dum/WsCookieAuthManager.hxx"
8 #include "resip/stack/Helper.hxx"
9 #include "rutil/Logger.hxx"
10 #include "rutil/WinLeakCheck.hxx"
11
12 #define RESIPROCATE_SUBSYSTEM Subsystem::DUM
13
14 using namespace resip;
15 using namespace std;
16
17 WsCookieAuthManager::WsCookieAuthManager(DialogUsageManager& dum, TargetCommand::Target& target) :
18 DumFeature(dum, target)
19 {
20 }
21
22 WsCookieAuthManager::~WsCookieAuthManager()
23 {
24 InfoLog(<< "~WsCookieAuthManager");
25 }
26
27 // !bwc! We absolutely, positively, MUST NOT throw here. This is because in
28 // DialogUsageManager::process(), we do not know if a DumFeature has taken
29 // ownership of msg until we get a return. If we throw, the ownership of msg
30 // is unknown. This is unacceptable.
31 DumFeature::ProcessingResult
32 WsCookieAuthManager::process(Message* msg)
33 {
34 SipMessage* sipMessage = dynamic_cast<SipMessage*>(msg);
35
36 if (sipMessage)
37 {
38 //!dcm! -- unecessary happens in handle
39 switch ( handle(sipMessage) )
40 {
41 case WsCookieAuthManager::Rejected:
42 InfoLog(<< "WsCookieAuth rejected request " << sipMessage->brief());
43 return DumFeature::ChainDoneAndEventDone;
44 default: // includes Authorized, Skipped
45 return DumFeature::FeatureDone;
46 }
47 }
48
49 // Catch-all (handles something that was not a SipMessage)
50 return FeatureDone;
51 }
52
53 bool
54 WsCookieAuthManager::cookieUriMatch(const resip::Uri &first, const resip::Uri &second)
55 {
56 return(
57 (isEqualNoCase(first.user(), second.user()) || first.user() == "*") &&
58 (isEqualNoCase(first.host(), second.host()) || first.host() == "*")
59 );
60 }
61
62 bool
63 WsCookieAuthManager::authorizedForThisIdentity(
64 const MethodTypes method,
65 const WsCookieContext &wsCookieContext,
66 const resip::Uri &fromUri,
67 const resip::Uri &toUri)
68 {
69 if(difftime(wsCookieContext.getExpiresTime(), time(NULL)) < 0)
70 {
71 WarningLog(<< "Received expired cookie");
72 return false;
73 }
74
75 Uri wsFromUri = wsCookieContext.getWsFromUri();
76 Uri wsDestUri = wsCookieContext.getWsDestUri();
77 if(cookieUriMatch(wsFromUri, fromUri))
78 {
79 DebugLog(<< "Matched cookie source URI field" << wsFromUri << " against request From header field URI " << fromUri);
80 // When registering, "From" URI == "To" URI, so we can ignore the
81 // "To" URI restriction from the cookie when processing REGISTER
82 if(method == REGISTER && isEqualNoCase(fromUri.user(), toUri.user()) && isEqualNoCase(fromUri.host(), toUri.host()))
83 {
84 return true;
85 }
86 if(cookieUriMatch(wsDestUri, toUri))
87 {
88 DebugLog(<< "Matched cookie destination URI field" << wsDestUri << " against request To header field URI " << toUri);
89 return true;
90 }
91 }
92
93 // catch-all: access denied
94 return false;
95 }
96
97 // return true if request has been consumed
98 WsCookieAuthManager::Result
99 WsCookieAuthManager::handle(SipMessage* sipMessage)
100 {
101 // Only check message coming over WebSockets
102 if(!isWebSocket(sipMessage->getReceivedTransportTuple().getType()))
103 {
104 return Skipped;
105 }
106 //InfoLog( << "trying to do auth" );
107 if (!sipMessage->isRequest() ||
108 sipMessage->header(h_RequestLine).method() == ACK ||
109 sipMessage->header(h_RequestLine).method() == CANCEL)
110 {
111 // Do not inspect ACKs or CANCELs
112 return Skipped;
113 }
114
115 if(!sipMessage->header(h_From).isWellFormed() ||
116 sipMessage->header(h_From).isAllContacts() )
117 {
118 InfoLog(<<"Malformed From header: cannot verify against cookie. Rejecting.");
119 SharedPtr<SipMessage> response(new SipMessage);
120 Helper::makeResponse(*response, *sipMessage, 400, "Malformed From header");
121 mDum.send(response);
122 return Rejected;
123 }
124
125 const WsCookieContext &wsCookieContext = *(sipMessage->getWsCookieContext());
126 if (mDum.isMyDomain(sipMessage->header(h_From).uri().host()))
127 {
128 if (requiresAuthorization(*sipMessage))
129 {
130 if(authorizedForThisIdentity(sipMessage->header(h_RequestLine).method(), wsCookieContext, sipMessage->header(h_From).uri(), sipMessage->header(h_To).uri()))
131 {
132 return Authorized;
133 }
134 SharedPtr<SipMessage> response(new SipMessage);
135 Helper::makeResponse(*response, *sipMessage, 403, "Cookie-based authorization failed");
136 mDum.send(response);
137 return Rejected;
138 }
139 else
140 {
141 return Skipped;
142 }
143 }
144 else
145 {
146 SharedPtr<SipMessage> response(new SipMessage);
147 Helper::makeResponse(*response, *sipMessage, 403, "Cookie-based authorization failed");
148 mDum.send(response);
149 return Rejected;
150 }
151
152 InfoLog(<< "Skipping some message that we didn't explicitly handle");
153 return Skipped;
154 }
155
156 bool
157 WsCookieAuthManager::requiresAuthorization(const SipMessage& msg)
158 {
159 // everything must be authorized, over-ride this method
160 // to implement some other policy
161 return true;
162 }
163
164
165 /* ====================================================================
166 * BSD License
167 *
168 * Copyright (c) 2013 Catalin Constantin Usurelu All rights reserved.
169 *
170 * Redistribution and use in source and binary forms, with or without
171 * modification, are permitted provided that the following conditions
172 * are met:
173 *
174 * 1. Redistributions of source code must retain the above copyright
175 * notice, this list of conditions and the following disclaimer.
176 *
177 * 2. Redistributions in binary form must reproduce the above copyright
178 * notice, this list of conditions and the following disclaimer in
179 * the documentation and/or other materials provided with the
180 * distribution.
181 *
182 * 3. Neither the name of the author(s) nor the names of any contributors
183 * may be used to endorse or promote products derived from this software
184 * without specific prior written permission.
185 *
186 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTORS "AS IS" AND
187 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
188 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
189 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTORS BE LIABLE
190 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
191 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
192 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
193 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
194 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
195 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
196 * SUCH DAMAGE.
197 *
198 * ====================================================================
199 *
200 */

webmaster AT resiprocate DOT org
ViewVC Help
Powered by ViewVC 1.1.27