[Home]

Summary:ASTERISK-25339: res_pjsip: Empty "auth" sections from non-config backgrounds are interpreted as valid
Reporter:Matt Jordan (mjordan)Labels:
Date Opened:2015-08-23 18:39:05Date Closed:2015-08-24 14:01:39
Priority:MajorRegression?
Status:Closed/CompleteComponents:Resources/res_pjsip
Versions:Frequency of
Occurrence
Related
Issues:
Environment:Attachments:
Description:When using a non-static conf file backend, a non-existant {{auth}} parameter will be stored as an empty value. This causes {{res_pjsip}} to assume that an empty {{auth}} value was provided, which causes the endpoint to believe that it should authenticate inbound requests, even though no {{auth}} section exists for its empty {{auth}} value.

As an example, consider the following:

{code}
[res_pjsip]
endpoint=astdb,ps_endpoints
{code}

When an endpoint is created via ARI, it will be stored in the database on something like the following:

{code}
/ps_endpoints/endpoint/foo                        : {"send_diversion":"true","device_state_busy_at":"0","direct_media_method":"invite","sdp_owner":"foo","pickup_group":"","timers_sess_expires":"1800","message_context":"","accountcode":"","dtls_fingerprint":"SHA-256","rpid_immediate":"false","force_avp":"false","aors":"foo","trust_id_inbound":"false","ice_support":"false","fax_detect":"false","outbound_proxy":"","t38_udptl_maxdatagram":"0","direct_media_glare_mitigation":"none","dtls_rekey":"0","context":"from-external","media_encryption_optimistic":"false","named_pickup_group":"","from_domain":"","mailboxes":"","sdp_session":"foo","rtp_timeout":"30","identify_by":"username","t38_udptl":"false","send_rpid":"false","rtp_engine":"asterisk","t38_udptl_ec":"none","dtls_verify":"No","aggregate_mwi":"true","moh_suggest":"default","media_encryption":"no","callerid":"<unknown>","named_call_group":"","record_on_feature":"automixmon","dtls_setup":"active","inband_progress":"false","timers_min_se":"90","tos_video":"0","rtp_symmetric":"true","rtp_ipv6":"false","record_off_feature":"automixmon","rtp_keepalive":"30","transport":"","t38_udptl_nat":"false","connected_line_method":"invite","allow_transfer":"true","allow_subscribe":"true","srtp_tag_32":"false","g726_non_standard":"false","100rel":"yes","use_avpf":"false","call_group":"","user_eq_phone":"false","allow":"(ulaw|alaw)","sub_min_expiry":"0","force_rport":"true","direct_media":"true","tos_audio":"0","use_ptime":"false","rtp_timeout_hold":"0","dtmf_mode":"rfc4733","media_use_received_transport":"false","language":"","mwi_from_user":"","one_touch_recording":"false","cos_video":"0","rewrite_contact":"false","cos_audio":"0","t38_udptl_ipv6":"false","trust_id_outbound":"false","tone_zone":"","from_user":"","disable_direct_media_on_nat":"false","media_address":"","timers":"yes","send_pai":"false","callerid_privacy":"allowed_not_screened"}
{code}

Note that the {{auth}} value is blank. This will be interpreted by {{res_pjsip}} as being a valid auth object, which doesn't exist. The desired behaviour is that we just don't authenticate inbound requests.
Comments: