[SR-Users] executing python routine on demand

Walter Martín Villalba wvillalba at gmail.com
Wed Jul 18 18:06:58 CEST 2018


Hello,

TL;DR
How can I execute a routine in my Kamailio python module
(kamailio_python.py) on demand?  For example, using kamcmd from the command
line.  I know you can execute app_python.reload but I don't need to
reload the whole python module, and furthermore, docs for this call say
it's unstable and can even crash your kamailio instance.  So my goal is to
execute one single python routine on demand.
https://www.kamailio.org/docs/modules/5.1.x/modules/app_python.html#app_python.r.reload


Full explanation:
I'm currently implementing OIDC token authentication for Kamailio.  I have
a python routine that extracts the token from a custom SIP header, and
validates the token as per the OIDC spec (I'm using pyjwt plus other custom
checks for this). In order to do offline validation of the token, you need
the Identity Provider (IdP) Server's certificate, which I get in advance
and cache in a local file on my Kamailio server.  I also have an external
python script which I can run to get the latest certificate from the IdP
server and update it locally.

The part I'm missing is how to tell Kamailio to reload the value of the
certificate from the local cache, WITHOUT stopping kamailio or interrupting
any sessions.  This is needed in case the certificate is updated (e.g. due
to expiration or compromise) on the IdP server; if you don't update it so
that Kamailio can use the latest one, all token verification will fail
(tokens signed by IdP server using latest private key corresponding to
latest certificate, but Kamailio trying to validate the signature using the
public key extracted from previous certificate -- this results in a
signature error, as Kamailio needs to be using the public key corresponding
to the private one that was used to sign the token).

By being able to execute one single python routine on demand (e.g. using
kamcmd), I can tell Kamailio to reload the certificate value from the local
cache, which I just updated by running my other (external and unrelated to
Kamailio software) python script.

Hope this makes sense, and hopefully I can get some tips on how to achieve
this.

Thanks,
Martín.
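
One way to pick up a rotated certificate without any on-demand trigger, shown as an added example that is not part of the original post or of Kamailio: the validation routine asks a small cache for the PEM on each use, and the cache re-reads the file only when it has changed on disk. The class name `CertCache`, the check interval and the PEM sanity check are assumptions for illustration; the returned bytes would be passed to whatever public-key extraction the token validation already uses.

```python
import os
import time

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"


class CertCache:
    """Hypothetical helper: holds the IdP certificate PEM, reloads on file change."""

    def __init__(self, path, check_interval=5.0, clock=time.monotonic):
        self.path = path
        self.check_interval = check_interval  # seconds between file checks
        self.clock = clock                    # injectable so tests control time
        self._pem = None
        self._sig = None                      # (mtime_ns, size, inode) last loaded
        self._next_check = 0.0
        self.reloads = 0

    @staticmethod
    def _looks_like_cert(data):
        # Cheap sanity check so an empty or half-written file is never swapped in.
        body = data.strip()
        return body.startswith(PEM_BEGIN) and body.endswith(PEM_END)

    def get(self):
        """Return the current PEM bytes, reloading first if the file changed."""
        now = self.clock()
        if self._pem is not None and now < self._next_check:
            return self._pem
        self._next_check = now + self.check_interval
        try:
            with open(self.path, "rb") as fh:
                st = os.fstat(fh.fileno())    # stat the file actually opened
                sig = (st.st_mtime_ns, st.st_size, st.st_ino)
                if sig != self._sig:
                    data = fh.read()
                    if self._looks_like_cert(data):
                        self._pem, self._sig = data, sig
                        self.reloads += 1
        except OSError:
            pass  # file missing or unreadable: keep the last good certificate
        if self._pem is None:
            raise RuntimeError("no valid IdP certificate loaded from %s" % self.path)
        return self._pem
```

The external updater should write the new certificate to a temporary file and rename it over the cached one, so a reader never sees a partial file.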