[mod_sofia] Deprecate the auth-subscriptions profile param by setting it to be enabled by default and introducing the new disable-auth-subscriptions param with a higher priority when set.

src/mod/endpoints/mod_sofia/conf/sofia.conf.xml

@@ -330,6 +330,14 @@
              disable-auth-messages param has higher priority than the deprecated auth-messages param. -->
         <!-- <param name="disable-auth-messages" value="true"/> -->
 
+        <!-- NOTICE: auth-subscriptions was deprecated and authentication is enabled by default now.
+             See disable-auth-subscriptions param for more details. -->
+        <!-- <param name="auth-subscriptions" value="false"/> -->
+        <!-- Uncomment to stop authentication on subscriptions packets.
+             By default authentication is enabled.
+             disable-auth-subscriptions param has higher priority than the deprecated auth-subscriptions param. -->
+        <!-- <param name="disable-auth-subscriptions" value="true"/> -->
+
         <!-- external_sip_ip
              Used as the public IP address for SDP.
              Can be an one of:

src/mod/endpoints/mod_sofia/sofia.c

@@ -4591,7 +4591,9 @@ switch_status_t config_sofia(sofia_config_t reload, char *profile_name)
 			} else {
 				switch_memory_pool_t *pool = NULL;
 				char *auth_messages_value = NULL;
-				uint8_t disable_auth_flag = 0;
+				char *auth_subscriptions_value = NULL;
+				uint8_t disable_message_auth_flag = 0;
+				uint8_t disable_subscription_auth_flag = 0;
 
 				if (!xprofilename) {
 					xprofilename = "unnamed";
@@ -5593,13 +5595,17 @@ switch_status_t config_sofia(sofia_config_t reload, char *profile_name)
 							sofia_set_pflag(profile, PFLAG_AUTH_MESSAGES);
 						}
 
-						disable_auth_flag = 1;
+						disable_message_auth_flag = 1;
 					} else if (!strcasecmp(var, "auth-subscriptions")) {
+						auth_subscriptions_value = switch_core_strdup(profile->pool, val);
+					} else if (!strcasecmp(var, "disable-auth-subscriptions")) {
 						if (switch_true(val)) {
-							sofia_set_pflag(profile, PFLAG_AUTH_SUBSCRIPTIONS);
-						} else {
 							sofia_clear_pflag(profile, PFLAG_AUTH_SUBSCRIPTIONS);
+						} else {
+							sofia_set_pflag(profile, PFLAG_AUTH_SUBSCRIPTIONS);
 						}
+
+						disable_subscription_auth_flag = 1;
 					} else if (!strcasecmp(var, "extended-info-parsing")) {
 						if (switch_true(val)) {
 							sofia_set_pflag(profile, PFLAG_EXTENDED_INFO_PARSING);
@@ -6104,7 +6110,7 @@ switch_status_t config_sofia(sofia_config_t reload, char *profile_name)
 					}
 				}
 
-				if (!disable_auth_flag) {
+				if (!disable_message_auth_flag) {
 					if (!auth_messages_value || switch_true(auth_messages_value)) {
 						sofia_set_pflag(profile, PFLAG_AUTH_MESSAGES);
 					} else {
@@ -6112,6 +6118,14 @@ switch_status_t config_sofia(sofia_config_t reload, char *profile_name)
 					}
 				}
 
+				if (!disable_subscription_auth_flag) {
+					if (!auth_subscriptions_value || switch_true(auth_subscriptions_value)) {
+						sofia_set_pflag(profile, PFLAG_AUTH_SUBSCRIPTIONS);
+					} else {
+						sofia_clear_pflag(profile, PFLAG_AUTH_SUBSCRIPTIONS);
+					}
+				}
+
 				if (sofia_test_flag(profile, TFLAG_ZRTP_PASSTHRU) && !sofia_test_flag(profile, TFLAG_LATE_NEGOTIATION)) {
 					switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "ZRTP passthrough implictly enables inbound-late-negotiation\n");
 					sofia_set_flag(profile, TFLAG_LATE_NEGOTIATION);

src/mod/endpoints/mod_sofia/test/conf-sipp/freeswitch.xml

@@ -424,7 +424,7 @@
         <param name="outbound-codec-prefs" value="PCMU"/>
         <param name="rtp-timer-name" value="soft"/>
         <param name="local-network-acl" value="localnet.auto"/>
-        <param name="manage-presence" value="false"/>
+        <param name="manage-presence" value="true"/>
         <param name="inbound-codec-negotiation" value="generous"/>
         <param name="nonce-ttl" value="60"/>
         <param name="inbound-late-negotiation" value="true"/>

src/mod/endpoints/mod_sofia/test/sipp-based-tests.c

@@ -96,6 +96,18 @@ static int start_sipp_uas(const char *ip, int listen_port, const char *scenario_
 
 	return sys_ret;
 }
+static int run_sipp(const char *ip, int remote_port, int listen_port, const char *dialed_number, const char *scenario_uac, const char *auth_password, const char *extra)
+{
+	char *cmd = switch_mprintf("sipp %s:%d -nr -p %d -m 1 -s %s -recv_timeout 10000 -timeout 10s -sf %s -au %s -ap %s -bg %s", ip, remote_port, listen_port, dialed_number, scenario_uac, dialed_number, auth_password, extra);
+	int sys_ret = switch_system(cmd, SWITCH_TRUE);
+
+	printf("%s\n", cmd);
+	switch_safe_free(cmd);
+	switch_sleep(1000 * 1000);
+
+	return sys_ret;
+}
+
 static void kill_sipp(void)
 {
 	switch_system("pkill -x sipp", SWITCH_TRUE);
@@ -382,7 +394,7 @@ skiptest:
 
 			switch_event_bind("sofia", SWITCH_EVENT_CUSTOM, NULL, event_handler_reg_fail, NULL);
 
-			sipp_ret = start_sipp_uas(local_ip_v4, 6080, "sipp-scenarios/uas_register_403.xml", "");
+			sipp_ret = start_sipp_uas(local_ip_v4, 6080, "sipp-scenarios/uac_407_subscriber.xml", "-inf data.csv");
 			if (sipp_ret < 0 || sipp_ret == 127) {
 				fst_requires(0); /* sipp not found */
 			}
@@ -401,6 +413,45 @@ skiptest:
 		}
 		FST_TEST_END()
 
+		FST_TEST_BEGIN(subscribe_auth_check)
+		{
+			const char *local_ip_v4 = switch_core_get_variable("local_ip_v4");
+			const char *auth_password = switch_core_get_variable("default_password");
+			switch_cache_db_handle_t *dbh = NULL;
+			char *dsn = "sofia_reg_internal";
+			char count[20]="";
+			char count1[20]="";
+			int sipp_ret;
+
+			/* check without 407 Proxy Authentication. If count not 0 fail case. */
+			sipp_ret = run_sipp(local_ip_v4, 5060, 6091, "1001", "sipp-scenarios/uac_subscriber.xml", auth_password, "");
+			if (sipp_ret < 0 || sipp_ret == 127) {
+				fst_requires(0); /* sipp not found */
+			}
+			switch_sleep(100 * 1000);
+
+			if (switch_cache_db_get_db_handle_dsn(&dbh, dsn) == SWITCH_STATUS_SUCCESS) {
+				switch_cache_db_execute_sql2str(dbh, "select count(*) from  sip_subscriptions where contact like \"%1001%6091%\";", (char *)&count1, 20, NULL);
+				switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_INFO, "Count : %s\n", count1);
+			}
+			fst_check_string_equals(count1, "0");
+
+			/* check with 407  Proxy Authentication Required. If count not 1 fail case. */
+			sipp_ret = run_sipp(local_ip_v4, 5060, 6090, "1001", "sipp-scenarios/uac_407_subscriber.xml", auth_password, "");
+			if (sipp_ret < 0 || sipp_ret == 127) {
+				fst_requires(0); /* sipp not found */
+			}
+			switch_sleep(100 * 1000);
+
+			switch_cache_db_execute_sql2str(dbh, "select count(*) from  sip_subscriptions where contact like \"%1001%6090%\";", (char *)&count, 20, NULL);
+			switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_INFO, "Count : %s\n", count);
+			fst_check_string_equals(count, "1");
+
+			/* sipp should timeout, attempt kill, just in case.*/
+			kill_sipp();
+		}
+		FST_TEST_END()
+
 		FST_TEST_BEGIN(register_no_challange)
 		{
 			const char *local_ip_v4 = switch_core_get_variable("local_ip_v4");

src/mod/endpoints/mod_sofia/test/sipp-scenarios/uac_407_subscriber.xml

@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="ISO-8859-1" ?>
+<scenario name="UAC with challenge subscribe">
+
+  <send retrans="500">
+    <![CDATA[
+
+      SUBSCRIBE sip:[service]@[remote_ip]:[remote_port] SIP/2.0
+      Via: SIP/2.0/[transport] [local_ip]:[local_port];branch=[branch]
+      From: [service] <sip:[service]@[local_ip]:[local_port]>;tag=[pid]SIPpTag00[call_number]
+      To: sut <sip:[service]@[remote_ip]:[remote_port]>
+      Call-ID: [call_id]
+      CSeq: 1 SUBSCRIBE
+      Contact: sip:[service]@[local_ip]:[local_port]
+      Max-Forwards: 70
+      Event: presence
+	  Allow: SUBSCRIBE
+	  Expires: 120
+      Accept: application/simple-message-summary
+      Allow-Events: presence, kpml
+      Content-Length: 0
+
+    ]]>
+  </send>
+
+  <recv response="407" rtd="true" auth="true"/>
+
+  <send retrans="500">
+    <![CDATA[
+
+      SUBSCRIBE sip:[service]@[remote_ip]:[remote_port] SIP/2.0
+      Via: SIP/2.0/[transport] [local_ip]:[local_port];branch=[branch]
+      From: [service] <sip:[service]@[local_ip]:[local_port]>;tag=[pid]SIPpTag00[call_number]
+      To: sut <sip:[service]@[remote_ip]:[remote_port]>
+      Call-ID: [call_id]
+      CSeq: 2 SUBSCRIBE
+      Contact: sip:[service]@[local_ip]:[local_port]
+      Max-Forwards: 70
+      Event: presence
+      Expires: 120
+      Allow: SUBSCRIBE
+      Accept: application/simple-message-summary
+      Allow-Events: presence, kpml
+      Content-Length: 0
+      [authentication]
+
+    ]]>
+  </send>
+
+</scenario>
+

src/mod/endpoints/mod_sofia/test/sipp-scenarios/uac_subscriber.xml

@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="ISO-8859-1" ?>
+<scenario name="UAC with subscribe only">
+
+  <send retrans="500">
+    <![CDATA[
+
+      SUBSCRIBE sip:[service]@[remote_ip]:[remote_port] SIP/2.0
+      Via: SIP/2.0/[transport] [local_ip]:[local_port];branch=[branch]
+      From: [service] <sip:[service]@[local_ip]:[local_port]>;tag=[pid]SIPpTag00[call_number]
+      To: sut <sip:[service]@[remote_ip]:[remote_port]>
+      Call-ID: [call_id]
+      CSeq: 1 SUBSCRIBE
+      Contact: sip:[service]@[local_ip]:[local_port]
+      Max-Forwards: 70
+      Event: presence
+	  Allow: SUBSCRIBE
+	  Expires: 120
+      Accept: application/simple-message-summary
+      Allow-Events: presence, kpml
+      Content-Length: 0
+
+    ]]>
+  </send>
+
+  <recv response="202" timeout="2000">
+  </recv>
+
+</scenario>