From 928c02b356c6d10c51b5a907125e2eba51c6939d Mon Sep 17 00:00:00 2001
From: Sean Bright
Date: Fri, 23 Apr 2021 13:37:20 -0400
Subject: [PATCH] res_pjsip.c: OPTIONS processing can now optionally skip authentication
ASTERISK-27477 #close
Change-Id: I68f6715bba92a525149e35d142a49377a34a1193
---
...992f4_add_allow_unauthenticated_options.py | 29 +++++++++++++++++++
...pjsip_endpoint_unauthenticated_options.txt | 5 ++++
include/asterisk/res_pjsip.h | 2 ++
res/res_pjsip.c | 18 ++++++++++++
res/res_pjsip/pjsip_configuration.c | 1 +
5 files changed, 55 insertions(+)
create mode 100644 contrib/ast-db-manage/config/versions/c20d6e3992f4_add_allow_unauthenticated_options.py
create mode 100644 doc/CHANGES-staging/pjsip_endpoint_unauthenticated_options.txt
diff --git a/contrib/ast-db-manage/config/versions/c20d6e3992f4_add_allow_unauthenticated_options.py b/contrib/ast-db-manage/config/versions/c20d6e3992f4_add_allow_unauthenticated_options.py
new file mode 100644
index 0000000000..deec5325d7
--- /dev/null
+++ b/contrib/ast-db-manage/config/versions/c20d6e3992f4_add_allow_unauthenticated_options.py
@@ -0,0 +1,29 @@
+"""add allow_unauthenticated_options
+
+Revision ID: c20d6e3992f4
+Revises: 8915fcc5766f
+Create Date: 2021-04-23 13:44:38.296558
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = 'c20d6e3992f4'
+down_revision = '8915fcc5766f'
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects.postgresql import ENUM
+
+AST_BOOL_NAME = 'ast_bool_values'
+AST_BOOL_VALUES = [ '0', '1',
+ 'off', 'on',
+ 'false', 'true',
+ 'no', 'yes' ]
+
+def upgrade():
+ ast_bool_values = ENUM(*AST_BOOL_VALUES, name=AST_BOOL_NAME, create_type=False)
+ op.add_column('ps_endpoints', sa.Column('allow_unauthenticated_options', ast_bool_values))
+
+def downgrade():
+ op.drop_column('ps_endpoints', 'allow_unauthenticated_options')
+ pass
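Review bot: The trailing `pass` in `downgrade()` follows a real statement and is dead code, so the function should end at `op.drop_column('ps_endpoints', 'allow_unauthenticated_options')`. `upgrade()` adds the column with no default, so existing rows presumably end up with NULL; a comment such as `# NULL leaves the endpoint on the module default ('no'), so OPTIONS is still authenticated` would record that assumption, which should be confirmed against how realtime treats a NULL value in this column. `create_type=False` also assumes the `ast_bool_values` enum was created by an earlier revision, which this file does not show.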
diff --git a/doc/CHANGES-staging/pjsip_endpoint_unauthenticated_options.txt b/doc/CHANGES-staging/pjsip_endpoint_unauthenticated_options.txt new file mode 100644 index 0000000000..9c8d32cb0e --- /dev/null +++ b/doc/CHANGES-staging/pjsip_endpoint_unauthenticated_options.txt @@ -0,0 +1,5 @@ +Subject: res_pjsip + +PJSIP endpoints can now be configured to skip authentication when +handling OPTIONS requests by setting the allow_unauthenticated_options +configuration property to 'yes.' diff --git a/include/asterisk/res_pjsip.h b/include/asterisk/res_pjsip.h index 81161f38a7..a094205acb 100644 --- a/include/asterisk/res_pjsip.h +++ b/include/asterisk/res_pjsip.h @@ -839,6 +839,8 @@ struct ast_sip_endpoint { unsigned int ignore_183_without_sdp; /*! Enable STIR/SHAKEN support on this endpoint */ unsigned int stir_shaken; + /*! Should we authenticate OPTIONS requests per RFC 3261? */ + unsigned int allow_unauthenticated_options; }; /*! URI parameter for symmetric transport */ diff --git a/res/res_pjsip.c b/res/res_pjsip.c index 4978a24f2a..b70763f904 100644 --- a/res/res_pjsip.c +++ b/res/res_pjsip.c @@ -1166,6 +1166,18 @@ INVITEs, an Identity header will be added. + + Skip authentication when receiving OPTIONS requests + + RFC 3261 says that the response to an OPTIONS request MUST be the + same had the request been an INVITE. Some UAs use OPTIONS requests + like a 'ping' and the expectation is that they will return a + 200 OK. + Enabling allow_unauthenticated_options + will skip authentication of OPTIONS requests for the given + endpoint. + + Authentication type 
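Review bot: The comment on the new `allow_unauthenticated_options` field in res_pjsip.h reads the wrong way round: it asks whether OPTIONS requests should be authenticated, while a non-zero value is what makes `ast_sip_requires_authentication()` skip authentication. Something like `/*! Non-zero to skip authentication of OPTIONS requests (default 0: authenticate, as RFC 3261 expects) */` matches the field name and the "no" default registered in pjsip_configuration.c. The struct starts above the hunk.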
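Review bot: The new description of `allow_unauthenticated_options` in res_pjsip.c says why an operator might enable it but not what is given up. With the option on, any request that is matched to this endpoint gets its OPTIONS answered without a challenge, so the reply goes to a sender that has not proven its identity. I would add a closing sentence along the lines of `Only OPTIONS is affected; every other method is still authenticated. Enable this only for endpoints whose peers are known to send unauthenticated OPTIONS keep-alives.` The first half follows from the method check in `ast_sip_requires_authentication()`; the markup of this hunk did not survive on the page, so placement inside the description element is left to the author.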
@@ -2990,6 +3002,12 @@ void ast_sip_unregister_authenticator(struct ast_sip_authenticator *auth) int ast_sip_requires_authentication(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata) { + if (endpoint->allow_unauthenticated_options + && !pjsip_method_cmp(&rdata->msg_info.msg->line.req.method, &pjsip_options_method)) { + ast_debug(3, "Skipping OPTIONS authentication due to endpoint configuration\n"); + return 0; + } + if (!registered_authenticator) { ast_log(LOG_WARNING, "No SIP authenticator registered. Assuming authentication is not required\n"); return 0; diff --git a/res/res_pjsip/pjsip_configuration.c b/res/res_pjsip/pjsip_configuration.c index a4968431c7..5bf65eb6e1 100644 --- a/res/res_pjsip/pjsip_configuration.c +++ b/res/res_pjsip/pjsip_configuration.c @@ -1968,6 +1968,7 @@ int ast_res_pjsip_initialize_configuration(void) ast_sorcery_object_field_register(sip_sorcery, "endpoint", "suppress_q850_reason_headers", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, suppress_q850_reason_headers)); ast_sorcery_object_field_register(sip_sorcery, "endpoint", "ignore_183_without_sdp", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, ignore_183_without_sdp)); ast_sorcery_object_field_register(sip_sorcery, "endpoint", "stir_shaken", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, stir_shaken)); + ast_sorcery_object_field_register(sip_sorcery, "endpoint", "allow_unauthenticated_options", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, allow_unauthenticated_options)); if (ast_sip_initialize_sorcery_transport()) { ast_log(LOG_ERROR, "Failed to register SIP transport support with sorcery\n"); -- 2.25.1
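Review bot: The debug message in the new early return of `ast_sip_requires_authentication()` does not say which endpoint had authentication skipped, so the only trace of the bypass cannot be tied back to a configuration entry. Naming it is a one-line change: `ast_debug(3, "Skipping OPTIONS authentication for endpoint '%s' due to endpoint configuration\n", ast_sorcery_object_get_id(endpoint));`. A short comment above the `if`, stating that only the OPTIONS method is exempted and every other method still reaches the registered authenticator, would help the next reader of this security decision. The function body continues past the hunk.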