THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.
The following task has a new comment added:
FS#499 - add support to auth_db to validate source IP address
User who did this - Alex Hermann (axlh)
----------
1. The module and function are for verifying digest authentication, i don't think IP
checking should be part of it. It is illogical and confusing.
From the module overview: "This module contains
_all_ authentication related functions that need the access to the database."
I don't see anything about the module only being used to verify digest
authentication.
The module and functions are about __authentication__. I think IP checks are more an
__authorization__ thing.
2. The functionality is enable by overloading the configuration of a table column name.
Not very in intuitive.
The functionality is enabled by ADDING the column name to the configuration, if it is not
added, then the functionality is disabled.
The configuration item is for specifying the column name. You overloaded it by using it to
en-/disable functionality.
3. The function is limited to only a single ip(-range) per username; not very flexible.
The already existing method of achieving the very same functionality is already present in
the ipops and, in a more flexible way, the permissions module.
I fail to see how it can easily be done using ipops and permissions. Permissions does not
do dynamic SQL queries (you must load/reload your IP addresses). That being said, it
cannot be achieved using ipops and permissions. If I am mistaken about this, please
provide an example.
Daniel already gave the answer, but i'll expand on it:
Add or change:
modparam("auth_db", "load_credentials",
"$var(ip)=ip_address")
Change:
if (proxy_authenticate(realm, table)) {
to:
if (proxy_authenticate(realm, table) and is_in_subnet($si, $var(ip))) {
4. The functionality is so very trivial to implement in the config script using the ipops
module (only taking 2 lines of script), i don't think the additional maintenance
burden for the C code is worth it.
And there is not much maintenance burden unless another version of IP becomes prevalent.
The code base will become (more) bloated and eventually unmaintainable if everything but
the kitchen sink will be coded into it. IMHO only functionality that is hard or impossible
to do in the script should be coded in C. Kamailio is not my project, so it's not up
to me to decide, but, as a contributor already having spent a lot of time digging through
the existing code, i would appreciate it if the code would not be expanded by more trivial
and/or (imho) misplaced functionality.
----------
More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=499#comment1…
You are receiving this message because you have requested it from the Flyspray bugtracking
system. If you did not expect this message or don't want to receive mails in future,
you can change your notification settings at the URL shown above.