1 /*
2  * Asterisk -- An open source telephony toolkit.
3  *
4  * Copyright (C) 2013, Digium, Inc.
5  *
6  * Mark Michelson <mmichelson@digium.com>
7  *
8  * See http://www.asterisk.org for more information about
9  * the Asterisk project. Please do not directly contact
10  * any of the maintainers of this project for assistance;
11  * the project provides a web site, mailing lists and IRC
12  * channels for your use.
13  *
14  * This program is free software, distributed under the terms of
15  * the GNU General Public License Version 2. See the LICENSE file
16  * at the top of the source tree.
17  */
18
19 /*** MODULEINFO
20         <depend>pjproject</depend>
21         <depend>res_pjsip</depend>
22         <support_level>core</support_level>
23  ***/
24
25 #include "asterisk.h"
26
27 #include <pjsip.h>
28
29 #include "asterisk/res_pjsip.h"
30 #include "asterisk/module.h"
31 #include "asterisk/logger.h"
32 #include "asterisk/sorcery.h"
33 #include "asterisk/acl.h"
34
35 /*** DOCUMENTATION
36         <configInfo name="res_pjsip_acl" language="en_US">
37                 <synopsis>SIP ACL module</synopsis>
38                 <description><para>
39                         <emphasis>ACL</emphasis>
40                         </para>
41                         <para>The ACL module used by <literal>res_pjsip</literal>. This module is
42                         independent of <literal>endpoints</literal> and operates on all inbound
43                         SIP communication using res_pjsip.
44                         </para><para>
45                         It should be noted that this module can also reference ACLs from
46                         <filename>acl.conf</filename>.
47                         </para><para>
                        There are two main ways of creating an access list: <literal>IP-Domain</literal>
                        and <literal>Contact Header</literal>. IP-Domain entries are matched against the
                        source address of the received packet; Contact Header entries are matched against
                        the address(es) that the host part of each <literal>Contact</literal> header resolves to.
                        It is possible to create a combined ACL using both IP and Contact.
51                 </para></description>
52                 <configFile name="pjsip.conf">
53                         <configObject name="acl">
54                                 <synopsis>Access Control List</synopsis>
55                                 <configOption name="acl">
56                                         <synopsis>Name of IP ACL</synopsis>
57                                         <description><para>
58                                                 This matches sections configured in <literal>acl.conf</literal>
59                                         </para></description>
60                                 </configOption>
61                                 <configOption name="contactacl">
62                                         <synopsis>Name of Contact ACL</synopsis>
63                                         <description><para>
64                                                 This matches sections configured in <literal>acl.conf</literal>
65                                         </para></description>
66                                 </configOption>
67                                 <configOption name="contactdeny">
68                                         <synopsis>List of Contact Header addresses to Deny</synopsis>
69                                 </configOption>
70                                 <configOption name="contactpermit">
71                                         <synopsis>List of Contact Header addresses to Permit</synopsis>
72                                 </configOption>
73                                 <configOption name="deny">
74                                         <synopsis>List of IP-domains to deny access from</synopsis>
75                                 </configOption>
76                                 <configOption name="permit">
77                                         <synopsis>List of IP-domains to allow access from</synopsis>
78                                 </configOption>
79                                 <configOption name="type">
                                        <synopsis>Must be of type 'acl'.</synopsis>
81                                 </configOption>
82                         </configObject>
83                 </configFile>
84         </configInfo>
85  ***/
86
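/*!
 * \brief Check the source address of a received SIP message against an IP ACL.
 *
 * \param rdata Received message; the source is taken from
 *              rdata->pkt_info.src_name / src_port as filled in by PJSIP.
 * \param acl   IP ACL to apply (built from the permit/deny/acl options).
 *
 * \retval 0 The ACL is empty or allows the source address.
 * \retval 1 The source address is denied, or could not be parsed.
 */
static int apply_acl(pjsip_rx_data *rdata, struct ast_acl_list *acl)
{
	struct ast_sockaddr addr;

	/* An empty list means "no restriction", not "deny everything". */
	if (ast_acl_list_is_empty(acl)) {
		return 0;
	}

	memset(&addr, 0, sizeof(addr));

	/*
	 * Fail closed. ast_sockaddr_parse() returns 0 when the string is not a
	 * valid address; applying the ACL to the still-zeroed addr would make
	 * the verdict depend on whether the list happens to match an all-zero
	 * address instead of on the real sender.
	 */
	if (!ast_sockaddr_parse(&addr, rdata->pkt_info.src_name, PARSE_PORT_FORBID)) {
		ast_log(LOG_WARNING, "Incoming SIP message with unparseable source address '%s' did not pass ACL test\n",
			rdata->pkt_info.src_name);
		return 1;
	}
	ast_sockaddr_set_port(&addr, rdata->pkt_info.src_port);

	if (ast_apply_acl(acl, &addr, "SIP ACL: ") != AST_SENSE_ALLOW) {
		ast_log(LOG_WARNING, "Incoming SIP message from %s did not pass ACL test\n", ast_sockaddr_stringify(&addr));
		return 1;
	}

	return 0;
}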
105
/*!
 * \brief Resolve the host part of a Contact header to a list of addresses.
 *
 * \param contact Contact header to inspect; may be NULL.
 * \param addrs   Output: array of resolved addresses, allocated on success
 *                and owned by the caller (freed with ast_free()).
 *
 * \return Number of addresses stored in *addrs; 0 when there is no header,
 *         the URI is not sip:/sips:, or the host does not resolve.
 *
 * \note The host string is attacker-controlled (it comes straight from an
 *       unauthenticated inbound message) and is capped at 255 characters by
 *       the copy below. NOTE(review): ast_sockaddr_resolve() presumably does a
 *       blocking name lookup when the host is not an IP literal, which means a
 *       remote sender can trigger DNS work on the receiving thread — confirm
 *       whether that is acceptable for this deployment.
 */
static int extract_contact_addr(pjsip_contact_hdr *contact, struct ast_sockaddr **addrs)
{
	char host[256];
	pjsip_sip_uri *sip_uri;
	int is_sip_uri;

	if (!contact) {
		return 0;
	}

	/* Only sip:/sips: URIs carry a host we can check; anything else is skipped. */
	is_sip_uri = PJSIP_URI_SCHEME_IS_SIP(contact->uri) || PJSIP_URI_SCHEME_IS_SIPS(contact->uri);
	if (!is_sip_uri) {
		return 0;
	}

	sip_uri = pjsip_uri_get_uri(contact->uri);
	ast_copy_pj_str(host, &sip_uri->host, sizeof(host));

	return ast_sockaddr_resolve(addrs, host, PARSE_PORT_FORBID, AST_AF_UNSPEC);
}
121
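/*!
 * \brief Check every Contact header of a received message against the Contact ACL.
 *
 * \param rdata       Received message.
 * \param contact_acl ACL built from the contactpermit/contactdeny/contactacl options.
 *
 * \retval 0 The ACL is empty, or every resolved Contact address is allowed.
 * \retval 1 At least one Contact address is denied.
 *
 * \note A Contact whose host cannot be resolved (or that is not a sip:/sips:
 *       URI) contributes no addresses and is therefore not denied by this
 *       check; only the IP ACL in apply_acl() covers such messages.
 */
static int apply_contact_acl(pjsip_rx_data *rdata, struct ast_acl_list *contact_acl)
{
	/* Start at the message header list so the first find_hdr() call begins with the first real header. */
	pjsip_contact_hdr *contact = (pjsip_contact_hdr *)&rdata->msg_info.msg->hdr;
	struct ast_sockaddr *contact_addrs;
	int num_contact_addrs;
	int forbidden = 0;
	int i;

	if (ast_acl_list_is_empty(contact_acl)) {
		return 0;
	}

	/* Stop at the first denial; there is no point resolving further Contacts. */
	while (!forbidden
		&& (contact = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_CONTACT, contact->next))) {
		num_contact_addrs = extract_contact_addr(contact, &contact_addrs);
		if (num_contact_addrs <= 0) {
			/* Nothing allocated, nothing to check or free for this header. */
			continue;
		}

		for (i = 0; i < num_contact_addrs; ++i) {
			if (ast_apply_acl(contact_acl, &contact_addrs[i], "SIP Contact ACL: ") != AST_SENSE_ALLOW) {
				/*
				 * Log both the offending Contact address and the actual packet
				 * source: the previous message attributed the denial to the
				 * Contact host as if it were the sender, which misleads anyone
				 * correlating these warnings with firewall or fail2ban data.
				 */
				ast_log(LOG_WARNING, "Contact header address %s in incoming SIP message from %s:%d did not pass ACL test\n",
					ast_sockaddr_stringify(&contact_addrs[i]),
					rdata->pkt_info.src_name, rdata->pkt_info.src_port);
				forbidden = 1;
				break;
			}
		}

		ast_free(contact_addrs);
	}

	return forbidden;
}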
155
156 #define SIP_SORCERY_ACL_TYPE "acl"
157
/*!
 * \brief SIP ACL details and configuration.
 *
 * One object per pjsip.conf section of type "acl". Both lists are filled in
 * by acl_handler() while the section is parsed and released by acl_destroy().
 */
struct ast_sip_acl {
	SORCERY_OBJECT(details);
	/*! ACL applied to the packet source address (permit/deny/acl options). */
	struct ast_acl_list *acl;
	/*! ACL applied to the resolved host of each Contact header (contact* options). */
	struct ast_acl_list *contact_acl;
};
166
/*!
 * \brief ao2_callback() helper: does this ACL object deny the message?
 *
 * \param obj   struct ast_sip_acl being examined.
 * \param arg   pjsip_rx_data of the received message.
 * \param flags Unused.
 *
 * \return CMP_MATCH | CMP_STOP when either the IP ACL or the Contact ACL
 *         denies the message (the container walk stops at the first denial);
 *         0 when the object allows it.
 */
static int check_acls(void *obj, void *arg, int flags)
{
	struct ast_sip_acl *sip_acl = obj;
	pjsip_rx_data *rdata = arg;
	int denied;

	/* The Contact ACL is only consulted if the IP ACL did not already deny. */
	denied = apply_acl(rdata, sip_acl->acl);
	if (!denied) {
		denied = apply_contact_acl(rdata, sip_acl->contact_acl);
	}

	return denied ? (CMP_MATCH | CMP_STOP) : 0;
}
178
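/*!
 * \internal
 * \brief Reject a request that failed, or could not be subjected to, an ACL check.
 *
 * ACK is never answered (it is dropped silently); every other request gets a
 * stateless 403 so the sender does not keep retransmitting.
 */
static void acl_reject_request(pjsip_rx_data *rdata)
{
	if (rdata->msg_info.msg->line.req.method.id != PJSIP_ACK_METHOD) {
		pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);
	}
}

/*!
 * \brief PJSIP on_rx_request hook: apply every configured ACL to the message.
 *
 * \param rdata Received request.
 *
 * \retval PJ_TRUE  The message was rejected and must not be processed further.
 * \retval PJ_FALSE The message passed all ACLs and continues down the module chain.
 */
static pj_bool_t acl_on_rx_msg(pjsip_rx_data *rdata)
{
	/* All ACL objects are fetched for every request; nothing is cached here. */
	RAII_VAR(struct ao2_container *, acls, ast_sorcery_retrieve_by_fields(
			 ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE,
			 AST_RETRIEVE_FLAG_MULTIPLE | AST_RETRIEVE_FLAG_ALL, NULL), ao2_cleanup);
	RAII_VAR(struct ast_sip_acl *, matched_acl, NULL, ao2_cleanup);

	if (!acls) {
		/*
		 * Fail closed. As far as this file shows, a NULL container is an
		 * error from the configuration backend, not "no ACLs configured".
		 * Letting the message through here (the previous behaviour) would
		 * silently bypass every ACL whenever that backend is unavailable,
		 * so the request is rejected instead.
		 */
		ast_log(LOG_ERROR, "Unable to retrieve ACL sorcery data; rejecting incoming SIP message from %s:%d\n",
			rdata->pkt_info.src_name, rdata->pkt_info.src_port);
		acl_reject_request(rdata);
		return PJ_TRUE;
	}

	/* check_acls() stops the walk at the first object that denies the message. */
	matched_acl = ao2_callback(acls, 0, check_acls, rdata);
	if (!matched_acl) {
		return PJ_FALSE;
	}

	acl_reject_request(rdata);
	return PJ_TRUE;
}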
200
/*!
 * \brief Sorcery option handler for the permit/deny/acl and contact* options.
 *
 * Options whose name starts with "contact" are appended (with that prefix
 * stripped, so "contactpermit" becomes "permit") to the Contact ACL; all
 * others go to the IP ACL.
 *
 * \param opt Option descriptor (unused).
 * \param var Option name/value pair from pjsip.conf.
 * \param obj struct ast_sip_acl being configured.
 *
 * \return The error flag set by ast_append_acl(): non-zero makes the section
 *         fail to load, so a malformed permit/deny does not silently result
 *         in a weaker list.
 */
static int acl_handler(const struct aco_option *opt, struct ast_variable *var, void *obj)
{
	struct ast_sip_acl *sip_acl = obj;
	const char *acl_option = var->name;
	struct ast_acl_list **target = &sip_acl->acl;
	int error = 0;
	int ignore;

	if (!strncmp(acl_option, "contact", 7)) {
		acl_option += 7;
		target = &sip_acl->contact_acl;
	}

	ast_append_acl(acl_option, var->value, target, &error, &ignore);

	return error;
}
214
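static pjsip_module acl_module = {
	/*
	 * pj_str_t carries an explicit length; it must match the literal exactly.
	 * The previous value (14) exceeded the 10-character name, so anything
	 * printing or comparing the module name read past the end of the literal.
	 */
	.name = { "ACL Module", sizeof("ACL Module") - 1 },
	/* This should run after a logger but before anything else */
	.priority = 1,
	.on_rx_request = acl_on_rx_msg,
};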
221
/*!
 * \brief Sorcery destructor for struct ast_sip_acl: release both ACL lists.
 *
 * \param obj struct ast_sip_acl being destroyed.
 */
static void acl_destroy(void *obj)
{
	struct ast_sip_acl *sip_acl = obj;

	/* Each field is reset to whatever ast_free_acl_list() returns (presumably NULL). */
	sip_acl->contact_acl = ast_free_acl_list(sip_acl->contact_acl);
	sip_acl->acl = ast_free_acl_list(sip_acl->acl);
}
228
/*!
 * \brief Sorcery allocator for struct ast_sip_acl.
 *
 * \param name Object id chosen by sorcery; not needed here.
 *
 * \return A zeroed object with acl_destroy() as destructor, or NULL if
 *         ast_sorcery_generic_alloc() fails.
 */
static void *acl_alloc(const char *name)
{
	return ast_sorcery_generic_alloc(sizeof(struct ast_sip_acl), acl_destroy);
}
236
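/*!
 * \brief Module entry point: register the ACL object type and hook PJSIP.
 *
 * \retval AST_MODULE_LOAD_SUCCESS ACL enforcement is active.
 * \retval AST_MODULE_LOAD_DECLINE The object type or the PJSIP service could
 *         not be registered; the module must not report success in that case,
 *         since it would appear loaded while enforcing nothing.
 */
static int load_module(void)
{
	struct ast_sorcery *sorcery = ast_sip_get_sorcery();

	/* Only pjsip.conf sections with type=acl become ACL objects. */
	ast_sorcery_apply_default(sorcery, SIP_SORCERY_ACL_TYPE,
				  "config", "pjsip.conf,criteria=type=acl");

	if (ast_sorcery_object_register(sorcery, SIP_SORCERY_ACL_TYPE, acl_alloc, NULL, NULL)) {
		ast_log(LOG_ERROR, "Failed to register SIP %s object with sorcery\n",
			SIP_SORCERY_ACL_TYPE);
		return AST_MODULE_LOAD_DECLINE;
	}

	/* "type" is consumed by the criteria above; every other option is routed through acl_handler(). */
	ast_sorcery_object_field_register(sorcery, SIP_SORCERY_ACL_TYPE, "type", "", OPT_NOOP_T, 0, 0);
	ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_ACL_TYPE, "permit", "", acl_handler, NULL, 0, 0);
	ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_ACL_TYPE, "deny", "", acl_handler, NULL, 0, 0);
	ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_ACL_TYPE, "acl", "", acl_handler, NULL, 0, 0);
	ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_ACL_TYPE, "contactpermit", "", acl_handler, NULL, 0, 0);
	ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_ACL_TYPE, "contactdeny", "", acl_handler, NULL, 0, 0);
	ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_ACL_TYPE, "contactacl", "", acl_handler, NULL, 0, 0);

	/*
	 * Without this hook no ACL is ever consulted, so a registration failure
	 * has to fail the load rather than be ignored as it was before.
	 */
	if (ast_sip_register_service(&acl_module)) {
		ast_log(LOG_ERROR, "Failed to register SIP ACL module with PJSIP; ACLs would not be enforced\n");
		return AST_MODULE_LOAD_DECLINE;
	}

	return AST_MODULE_LOAD_SUCCESS;
}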
261
/*!
 * \brief Module exit point: detach the ACL hook from PJSIP.
 *
 * \return Always 0.
 */
static int unload_module(void)
{
	/* Only the PJSIP service is torn down here; nothing else was registered that this file unregisters. */
	ast_sip_unregister_service(&acl_module);

	return 0;
}
267
/* Load-order flags and priority presumably ensure res_pjsip (a MODULEINFO dependency) is up before load_module() runs. */
AST_MODULE_INFO(ASTERISK_GPL_KEY, AST_MODFLAG_LOAD_ORDER, "PJSIP ACL Resource",
		.load = load_module,
		.unload = unload_module,
		.load_pri = AST_MODPRI_APP_DEPEND,
	       );