Strict Standards: call_user_func() expects parameter 1 to be a valid callback, non-static method dokuwiki_TextFormatter::render() should not be called statically in /var/www/sip-router.kamailio.org/flyspray/includes/class.tpl.php on line 552 FS#499 : add support to auth_db to validate source IP address

sip-router

Strict Standards: call_user_func() expects parameter 1 to be a valid callback, non-static method dokuwiki_TextFormatter::render() should not be called statically in /var/www/sip-router.kamailio.org/flyspray/includes/class.tpl.php on line 552

SIP Router Project

Tasklist

FS#499 - add support to auth_db to validate source IP address

Attached to Project: sip-router
Opened by Emmanuel Schmidbauer (eschmidbauer) - Wednesday, 03 December 2014, 14:01 GMT
Last edited by Daniel-Constantin Mierla (miconda) - Monday, 22 December 2014, 21:49 GMT
Task Type Improvement
Category Modules kamailio
Status Closed
Assigned To No-one
Operating System All
Severity Low
Priority Normal
Reported Version 4.2
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

I’ve attached the git diff.
This improvement is only executed if the module parameter “ip_address_column” is defined
Example:
modparam(”auth_db”, “ip_address_column”, “ip_address”)

This way it will not affect those who do not wish to implement this feature and still upgrade.

This task depends upon

Closed by  Daniel-Constantin Mierla (miconda)
Monday, 22 December 2014, 21:49 GMT
Reason for closing:  Won't implement
Comment by Emmanuel Schmidbauer (eschmidbauer) - Wednesday, 03 December 2014, 14:54 GMT
Strict Standards: call_user_func() expects parameter 1 to be a valid callback, non-static method dokuwiki_TextFormatter::render() should not be called statically in /var/www/sip-router.kamailio.org/flyspray/includes/class.tpl.php on line 552

Attached updated patch for added crash protection to make sure ip_addr_t *ipa is not NULL

Comment by Daniel-Constantin Mierla (miconda) - Wednesday, 03 December 2014, 23:06 GMT
Strict Standards: call_user_func() expects parameter 1 to be a valid callback, non-static method dokuwiki_TextFormatter::render() should not be called statically in /var/www/sip-router.kamailio.org/flyspray/includes/class.tpl.php on line 552

The functionality can be achieved by loading the ip_address value using load_credentials and then use functions from ipops module inside config file.

That as a note, otherwise I don't have anything against accepting the patch if people find it useful and simplifying the config. Perhaps we should discuss this on the sr-dev mailing list, because we may want to think of some extra additions with this occasion (e.g., a column for account status: active/inactive). Also, it could be the opportunity to decide the removal of unused columns rpid and email address.

Back to you patch, I think that would be useful to have support for sub-network address match as well – a.b.c.d/nm – this can be added if the patch if found useful to be accepted by the community.

Comment by Emmanuel Schmidbauer (eschmidbauer) - Thursday, 04 December 2014, 15:29 GMT
Strict Standards: call_user_func() expects parameter 1 to be a valid callback, non-static method dokuwiki_TextFormatter::render() should not be called statically in /var/www/sip-router.kamailio.org/flyspray/includes/class.tpl.php on line 552

Thanks for your response. I've attached a new version of the patch to work with CIDR notation as you requested.
Please consider pushing my patch to auth_db as I think it's very useful to "bake in" this feature to auth_db.

Comment by Alex Hermann (axlh) - Friday, 05 December 2014, 11:03 GMT
Strict Standards: call_user_func() expects parameter 1 to be a valid callback, non-static method dokuwiki_TextFormatter::render() should not be called statically in /var/www/sip-router.kamailio.org/flyspray/includes/class.tpl.php on line 552

While i value contributions to Kamailio in general, i'm opposed to this one for several reasons, mainly because it is in the wrong place and completely redundant.

  1. The module and function are for verifying digest authentication, i don't think IP checking should be part of it. It is illogical and confusing.
  2. The functionality is enable by overloading the configuration of a table column name. Not very in intuitive.
  3. The function is limited to only a single ip(-range) per username; not very flexible. The already existing method of achieving the very same functionality is already present in the ipops and, in a more flexible way, the permissions module.
  4. The functionality is so very trivial to implement in the config script using the ipops module (only taking 2 lines of script), i don't think the additional maintenance burden for the C code is worth it.
  5. The added functionality is undocumented.
  6. There is no return code to recognize the reason why "authentication" failed.

I don't think this change should be accepted into Kamailio.

Comment by Emmanuel Schmidbauer (eschmidbauer) - Friday, 05 December 2014, 13:43 GMT
Strict Standards: call_user_func() expects parameter 1 to be a valid callback, non-static method dokuwiki_TextFormatter::render() should not be called statically in /var/www/sip-router.kamailio.org/flyspray/includes/class.tpl.php on line 552

I will go down the list and reply to each one:

1. The module and function are for verifying digest authentication, i don't think IP checking should be part of it. It is illogical and confusing.
From the module overview: "This module contains _all_ authentication related functions that need the access to the database."
I don't see anything about the module only being used to verify digest authentication.

2. The functionality is enable by overloading the configuration of a table column name. Not very in intuitive.
The functionality is enabled by ADDING the column name to the configuration, if it is not added, then the functionality is disabled.
I designed it that way to allow people to upgrade their code and not ADD the functionality unless they wanted it.

3. The function is limited to only a single ip(-range) per username; not very flexible. The already existing method of achieving the very same functionality is already present in the ipops and, in a more flexible way, the permissions module.
I fail to see how it can easily be done using ipops and permissions. Permissions does not do dynamic SQL queries (you must load/reload your IP addresses). That being said, it cannot be achieved using ipops and permissions. If I am mistaken about this, please provide an example.

4. The functionality is so very trivial to implement in the config script using the ipops module (only taking 2 lines of script), i don't think the additional maintenance burden for the C code is worth it.
Again, I do not see how to implement this in ipops. And there is not much maintenance burden unless another version of IP becomes prevalent.

5. The added functionality is undocumented.
I would be happy to document the functionality.

6. There is no return code to recognize the reason why "authentication" failed.
The return code is same as if authentication failed. Would you prefer a different return code? If so, let me know what return code should be used.

Please understand, I wrote this patch from the standpoint of a VoIP system administrator. IP Authentication coupled with password authentication is almost a necessity in most VoIP systems. Of course there are certainly ways to achieve this goal using what I would call "workarounds", like a perl script or messing with loading SQL data and running it against an ipops functions, but these methods are not documented nor a straightforward approach. Adding the IP restriction capability to the auth_db database makes the entire process straightforward and easy to maintain. I would be happy to re-write any of my code to meet the requirements for it to be pushed into auth_db. I will use my patch whether it is pushed into auth_db codebase or not, I would prefer not to run my own branch of kamailio though. I also think many other people could benefit from this patch.

Comment by Daniel-Constantin Mierla (miconda) - Friday, 05 December 2014, 14:14 GMT
Strict Standards: call_user_func() expects parameter 1 to be a valid callback, non-static method dokuwiki_TextFormatter::render() should not be called statically in /var/www/sip-router.kamailio.org/flyspray/includes/class.tpl.php on line 552

For clarification of "This module contains _all_ authentication related functions that need the access to the database."

Authentication is asserting the identity of user by username and password. IP check is more authorization – once user is authenticated, you come up with a restriction to authorize its traffic from a limited set of IP addresses. Thus it is not like you suggest that such feature belongs here.

From my point of view, I already expressed the opinion that the patch needs to be discussed, because from feature point of view all was there at an expense of a just 2-3 extra lines of config file. Therefore I suggested to discuss on sr-dev, but it is good that we have more opinions here as well.

Comment by Olle Johansson (oej) - Friday, 05 December 2014, 14:14 GMT
Strict Standards: call_user_func() expects parameter 1 to be a valid callback, non-static method dokuwiki_TextFormatter::render() should not be called statically in /var/www/sip-router.kamailio.org/flyspray/includes/class.tpl.php on line 552

I think this is not needed. I use the extra fields in auth_db to define a group that - if it exists - I use in the permissions module. If auth succeeds but permissions check fail, I challenge again.

Embedding it in the same module gives much less flexibility.

Comment by Emmanuel Schmidbauer (eschmidbauer) - Friday, 05 December 2014, 14:24 GMT
Strict Standards: call_user_func() expects parameter 1 to be a valid callback, non-static method dokuwiki_TextFormatter::render() should not be called statically in /var/www/sip-router.kamailio.org/flyspray/includes/class.tpl.php on line 552

@Daniel-Constantin
Who defines authentication? Their can be many variables to authentication, much more than just user/pass. As I said before, most VoIP systems will do IP authentication along with user/pass. This is important to prevent toll fraud.

@Olle
permissions does not dynamically do a database query, you need to load/reload the list. This is not the same behavior.

Comment by Alex Hermann (axlh) - Friday, 05 December 2014, 14:25 GMT
Strict Standards: call_user_func() expects parameter 1 to be a valid callback, non-static method dokuwiki_TextFormatter::render() should not be called statically in /var/www/sip-router.kamailio.org/flyspray/includes/class.tpl.php on line 552

1. The module and function are for verifying digest authentication, i don't think IP checking should be part of it. It is illogical and confusing.
From the module overview: "This module contains _all_ authentication related functions that need the access to the database."

I don't see anything about the module only being used to verify digest authentication.

The module and functions are about authentication. I think IP checks are more an authorization thing.

2. The functionality is enable by overloading the configuration of a table column name. Not very in intuitive.
The functionality is enabled by ADDING the column name to the configuration, if it is not added, then the functionality is disabled.

The configuration item is for specifying the column name. You overloaded it by using it to en-/disable functionality.

3. The function is limited to only a single ip(-range) per username; not very flexible. The already existing method of achieving the very same functionality is already present in the ipops and, in a more flexible way, the permissions module.
I fail to see how it can easily be done using ipops and permissions. Permissions does not do dynamic SQL queries (you must load/reload your IP addresses). That being said, it cannot be achieved using ipops and permissions. If I am mistaken about this, please provide an example.

Daniel already gave the answer, but i'll expand on it:

Add or change:
modparam("auth_db", "load_credentials", "$var(ip)=ip_address")

Change:
if (proxy_authenticate(realm, table)) {

to:
if (proxy_authenticate(realm, table) and is_in_subnet($si, $var(ip))) {

4. The functionality is so very trivial to implement in the config script using the ipops module (only taking 2 lines of script), i don't think the additional maintenance burden for the C code is worth it.

And there is not much maintenance burden unless another version of IP becomes prevalent.

The code base will become (more) bloated and eventually unmaintainable if everything but the kitchen sink will be coded into it. IMHO only functionality that is hard or impossible to do in the script should be coded in C. Kamailio is not my project, so it's not up to me to decide, but, as a contributor already having spent a lot of time digging through the existing code, i would appreciate it if the code would not be expanded by more trivial and/or (imho) misplaced functionality.

Comment by Emmanuel Schmidbauer (eschmidbauer) - Friday, 05 December 2014, 14:26 GMT
Strict Standards: call_user_func() expects parameter 1 to be a valid callback, non-static method dokuwiki_TextFormatter::render() should not be called statically in /var/www/sip-router.kamailio.org/flyspray/includes/class.tpl.php on line 552

Also @Olle, embedding this into the module does not provide less flexibility, you can continue to use your methods and completely ignore this patch.

Comment by Emmanuel Schmidbauer (eschmidbauer) - Friday, 05 December 2014, 15:00 GMT
Strict Standards: call_user_func() expects parameter 1 to be a valid callback, non-static method dokuwiki_TextFormatter::render() should not be called statically in /var/www/sip-router.kamailio.org/flyspray/includes/class.tpl.php on line 552

Thanks @Alex.
Your example worked:
modparam("auth_db", "load_credentials", "$var(ip)=ip_address")

if (!proxy_authenticate("$fd", "user_extension") || !is_in_subnet("$si", "$var(ip)")) {

  proxy_challenge("$fd", "1");
  exit;

}

Please disregard this patch, I would like to doc this example on auth_db if possible.

Comment by Emmanuel Schmidbauer (eschmidbauer) - Friday, 05 December 2014, 16:05 GMT
Strict Standards: call_user_func() expects parameter 1 to be a valid callback, non-static method dokuwiki_TextFormatter::render() should not be called statically in /var/www/sip-router.kamailio.org/flyspray/includes/class.tpl.php on line 552

After a bit of discussion on IRC, found this to be the best solution using ipops

modparam("auth_db", "load_credentials", "$var(ip)=ip_address")

                              if (!proxy_authenticate("$fd", "user_extension")) {
                                      proxy_challenge("$fd", "1");
                                      exit;
                              }
                              if (ip_type("$var(ip)") && !is_in_subnet("$si", "$var(ip)")) {
                                      sl_send_reply( "403", "IP forbidden" );
                                      exit;
                              }
Comment by Olle Johansson (oej) - Friday, 05 December 2014, 17:45 GMT
Strict Standards: call_user_func() expects parameter 1 to be a valid callback, non-static method dokuwiki_TextFormatter::render() should not be called statically in /var/www/sip-router.kamailio.org/flyspray/includes/class.tpl.php on line 552

So do we agree we don't need to change anything in auth_db?

I think adding something in the code will mean that users are less interested in going exploring all possible options we have to do this and think this is the only way.

Comment by Emmanuel Schmidbauer (eschmidbauer) - Friday, 05 December 2014, 18:20 GMT
Strict Standards: call_user_func() expects parameter 1 to be a valid callback, non-static method dokuwiki_TextFormatter::render() should not be called statically in /var/www/sip-router.kamailio.org/flyspray/includes/class.tpl.php on line 552

I do agree. I think this illustrates a problem with Kamailio though, the lack of documentation. Especially of common practices and techniques.
I just explored the wiki and I couldn't even find a place to doc this scenario.

Loading...