Asterisk - The Open Source Telephony Project GIT-master-2070bb5
profile_config.c
Go to the documentation of this file.
1/*
2 * Asterisk -- An open source telephony toolkit.
3 *
4 * Copyright (C) 2022, Sangoma Technologies Corporation
5 *
6 * Ben Ford <bford@sangoma.com>
7 *
8 * See http://www.asterisk.org for more information about
9 * the Asterisk project. Please do not directly contact
10 * any of the maintainers of this project for assistance;
11 * the project provides a web site, mailing lists and IRC
12 * channels for your use.
13 *
14 * This program is free software, distributed under the terms of
15 * the GNU General Public License Version 2. See the LICENSE file
16 * at the top of the source tree.
17 */
18
19#include "asterisk.h"
20
21#include "asterisk/cli.h"
22#include "asterisk/sorcery.h"
23#include "asterisk/acl.h"
24#include "asterisk/stasis.h"
26
27#include "stir_shaken.h"
28
29#define CONFIG_TYPE "profile"
30
31#define DEFAULT_endpoint_behavior endpoint_behavior_OFF
32
33#define DEFAULT_ca_file NULL
34#define DEFAULT_ca_path NULL
35#define DEFAULT_crl_file NULL
36#define DEFAULT_crl_path NULL
37#define DEFAULT_untrusted_cert_file NULL
38#define DEFAULT_untrusted_cert_path NULL
39#define DEFAULT_cert_cache_dir NULL
40
41#define DEFAULT_curl_timeout 0
42#define DEFAULT_max_iat_age 0
43#define DEFAULT_max_date_header_age 0
44#define DEFAULT_max_cache_entry_age 0
45#define DEFAULT_max_cache_size 0
46
47#define DEFAULT_stir_shaken_failure_action stir_shaken_failure_action_NOT_SET
48#define DEFAULT_use_rfc9410_responses use_rfc9410_responses_NOT_SET
49#define DEFAULT_relax_x5u_port_scheme_restrictions relax_x5u_port_scheme_restrictions_NOT_SET
50#define DEFAULT_relax_x5u_path_restrictions relax_x5u_path_restrictions_NOT_SET
51#define DEFAULT_load_system_certs load_system_certs_NOT_SET
52
53#define DEFAULT_check_tn_cert_public_url check_tn_cert_public_url_NOT_SET
54#define DEFAULT_private_key_file NULL
55#define DEFAULT_public_cert_url NULL
56#define DEFAULT_attest_level attest_level_NOT_SET
57#define DEFAULT_send_mky send_mky_NOT_SET
58
59static void profile_destructor(void *obj)
60{
61 struct profile_cfg *cfg = obj;
63
66
68
69 return;
70}
71
72static void *profile_alloc(const char *name)
73{
74 struct profile_cfg *profile;
75
76 profile = ast_sorcery_generic_alloc(sizeof(*profile), profile_destructor);
77 if (!profile) {
78 return NULL;
79 }
80
81 if (ast_string_field_init(profile, 2048)) {
82 ao2_ref(profile, -1);
83 return NULL;
84 }
85
86 /*
87 * The memory for the commons actually comes from cfg
88 * due to the weirdness of the STRFLDSET macro used with
89 * sorcery. We just use a token amount of memory in
90 * this call so the initialize doesn't fail.
91 */
92 if (ast_string_field_init(&profile->acfg_common, 8)) {
93 ao2_ref(profile, -1);
94 return NULL;
95 }
96
97 if (ast_string_field_init(&profile->vcfg_common, 8)) {
98 ao2_ref(profile, -1);
99 return NULL;
100 }
101
102 return profile;
103}
104
106{
109}
110
111struct profile_cfg *profile_get_cfg(const char *id)
112{
113 if (ast_strlen_zero(id)) {
114 return NULL;
115 }
117}
118
120{
121 return ast_sorcery_retrieve_by_fields(get_sorcery(), "eprofile",
123}
124
125struct profile_cfg *eprofile_get_cfg(const char *id)
126{
127 if (ast_strlen_zero(id)) {
128 return NULL;
129 }
130 return ast_sorcery_retrieve_by_id(get_sorcery(), "eprofile", id);
131}
132
134 struct profile_cfg *base_profile)
135{
136 struct profile_cfg *eprofile;
137 struct profile_cfg *existing_eprofile;
140 const char *id = ast_sorcery_object_get_id(base_profile);
141 int rc = 0;
142
143 eprofile = ast_sorcery_alloc(get_sorcery(), "eprofile", id);
144 if (!eprofile) {
145 ast_log(LOG_ERROR, "%s: Unable to allocate memory for effective profile\n", id);
146 return NULL;
147 }
148
150 &vcfg->vcfg_common);
151 if (rc != 0) {
153 return NULL;
154 }
155
157 &base_profile->vcfg_common);
158 if (rc != 0) {
160 return NULL;
161 }
162
164 &acfg->acfg_common);
165 if (rc != 0) {
167 return NULL;
168 }
169
171 &base_profile->acfg_common);
172 if (rc != 0) {
174 return NULL;
175 }
176
178
179 if (eprofile->endpoint_behavior == endpoint_behavior_ON) {
180 if (acfg->global_disable && vcfg->global_disable) {
181 eprofile->endpoint_behavior = endpoint_behavior_OFF;
182 } else if (acfg->global_disable && !vcfg->global_disable) {
183 eprofile->endpoint_behavior = endpoint_behavior_VERIFY;
184 } else if (!acfg->global_disable && vcfg->global_disable) {
185 eprofile->endpoint_behavior = endpoint_behavior_ATTEST;
186 }
187 } else if (eprofile->endpoint_behavior == endpoint_behavior_ATTEST
188 && acfg->global_disable) {
189 eprofile->endpoint_behavior = endpoint_behavior_OFF;
190 } else if (eprofile->endpoint_behavior == endpoint_behavior_VERIFY
191 && vcfg->global_disable) {
192 eprofile->endpoint_behavior = endpoint_behavior_OFF;
193 }
194
195 existing_eprofile = ast_sorcery_retrieve_by_id(get_sorcery(), "eprofile", id);
196 if (existing_eprofile) {
197 ao2_cleanup(existing_eprofile);
199 } else {
201 }
202
203 /*
204 * This triggers eprofile_apply. We _could_ just call
205 * eprofile_apply directly but this seems more keeping
206 * with how sorcery works.
207 */
209
210 return eprofile;
211}
212
213static int profile_apply(const struct ast_sorcery *sorcery, void *obj)
214{
215 struct profile_cfg *cfg = obj;
216 const char *id = ast_sorcery_object_get_id(cfg);
217
218 if (PROFILE_ALLOW_ATTEST(cfg)
219 && as_check_common_config(id, &cfg->acfg_common) != 0) {
220 return -1;
221 }
222
223 if (PROFILE_ALLOW_VERIFY(cfg)
224 && vs_check_common_config(id, &cfg->vcfg_common) !=0) {
225 return -1;
226 }
227
229 if (!cfg->eprofile) {
230 return -1;
231 }
232
233 return 0;
234}
235
236static int eprofile_apply(const struct ast_sorcery *sorcery, void *obj)
237{
238 struct profile_cfg *cfg = obj;
239 const char *id = ast_sorcery_object_get_id(cfg);
240
241 if (PROFILE_ALLOW_VERIFY(cfg) && !cfg->vcfg_common.tcs) {
242 ast_log(LOG_ERROR, "%s: Neither this profile nor default"
243 " verification options specify ca_file or ca_path\n", id);
244 return -1;
245 }
246
247 return 0;
248}
251
254
255static char *cli_profile_show(struct ast_cli_entry *e, int cmd, struct ast_cli_args *a)
256{
257 struct profile_cfg *profile;
258 struct config_object_cli_data data = {
259 .title = "Profile",
260 .object_type = config_object_type_profile,
261 };
262
263 switch(cmd) {
264 case CLI_INIT:
265 e->command = "stir_shaken show profile";
266 e->usage =
267 "Usage: stir_shaken show profile <id>\n"
268 " Show the stir/shaken profile settings for a given id\n";
269 return NULL;
270 case CLI_GENERATE:
271 if (a->pos == 3) {
273 } else {
274 return NULL;
275 }
276 }
277
278 if (a->argc != 4) {
279 return CLI_SHOWUSAGE;
280 }
281
282 profile = profile_get_cfg(a->argv[3]);
283 if (!profile) {
284 ast_log(LOG_ERROR,"Profile %s doesn't exist\n", a->argv[3]);
285 return CLI_FAILURE;
286 }
287 config_object_cli_show(profile, a, &data, 0);
288
289 ao2_cleanup(profile);
290
291 return CLI_SUCCESS;
292}
293
294static char *cli_profile_show_all(struct ast_cli_entry *e, int cmd, struct ast_cli_args *a)
295{
296 struct ao2_container *container;
297 struct config_object_cli_data data = {
298 .title = "Profile",
299 .object_type = config_object_type_profile,
300 };
301
302 switch(cmd) {
303 case CLI_INIT:
304 e->command = "stir_shaken show profiles";
305 e->usage =
306 "Usage: stir_shaken show profiles\n"
307 " Show all profiles for stir/shaken\n";
308 return NULL;
309 case CLI_GENERATE:
310 return NULL;
311 }
312
313 if (a->argc != 3) {
314 return CLI_SHOWUSAGE;
315 }
316
319 ast_cli(a->fd, "No stir/shaken profiles found\n");
321 return CLI_SUCCESS;
322 }
323
325 ao2_ref(container, -1);
326
327 return CLI_SUCCESS;
328}
329
330static char *cli_eprofile_show(struct ast_cli_entry *e, int cmd, struct ast_cli_args *a)
331{
332 struct profile_cfg *profile;
333 struct config_object_cli_data data = {
334 .title = "Effective Profile",
335 .object_type = config_object_type_profile,
336 };
337
338 switch(cmd) {
339 case CLI_INIT:
340 e->command = "stir_shaken show eprofile";
341 e->usage =
342 "Usage: stir_shaken show eprofile <id>\n"
343 " Show the stir/shaken eprofile settings for a given id\n";
344 return NULL;
345 case CLI_GENERATE:
346 if (a->pos == 3) {
348 } else {
349 return NULL;
350 }
351 }
352
353 if (a->argc != 4) {
354 return CLI_SHOWUSAGE;
355 }
356
357 profile = eprofile_get_cfg(a->argv[3]);
358 if (!profile) {
359 ast_log(LOG_ERROR,"Effective Profile %s doesn't exist\n", a->argv[3]);
360 return CLI_FAILURE;
361 }
362 config_object_cli_show(profile, a, &data, 0);
363
364 ao2_cleanup(profile);
365
366 return CLI_SUCCESS;
367}
368
369static char *cli_eprofile_show_all(struct ast_cli_entry *e, int cmd, struct ast_cli_args *a)
370{
371 struct ao2_container *container;
372 struct config_object_cli_data data = {
373 .title = "Effective Profile",
374 .object_type = config_object_type_profile,
375 };
376
377 switch(cmd) {
378 case CLI_INIT:
379 e->command = "stir_shaken show eprofiles";
380 e->usage =
381 "Usage: stir_shaken show eprofiles\n"
382 " Show all eprofiles for stir/shaken\n";
383 return NULL;
384 case CLI_GENERATE:
385 return NULL;
386 }
387
388 if (a->argc != 3) {
389 return CLI_SHOWUSAGE;
390 }
391
394 ast_cli(a->fd, "No stir/shaken eprofiles found\n");
396 return CLI_SUCCESS;
397 }
398
400 ao2_ref(container, -1);
401
402 return CLI_SUCCESS;
403}
404
406 AST_CLI_DEFINE(cli_profile_show, "Show stir/shaken profile by id"),
407 AST_CLI_DEFINE(cli_profile_show_all, "Show all stir/shaken profiles"),
408 AST_CLI_DEFINE(cli_eprofile_show, "Show stir/shaken eprofile by id"),
409 AST_CLI_DEFINE(cli_eprofile_show_all, "Show all stir/shaken eprofiles"),
410};
411
413{
414 struct ast_sorcery *sorcery = get_sorcery();
417 return 0;
418}
419
421{
424
425 return 0;
426}
427
429{
430 struct ast_sorcery *sorcery = get_sorcery();
431 enum ast_sorcery_apply_result apply_rc;
432
433 /*
434 * eprofile MUST be registered first because profile needs it.
435 */
436 apply_rc = ast_sorcery_apply_default(sorcery, "eprofile", "memory", NULL);
437 if (apply_rc != AST_SORCERY_APPLY_SUCCESS) {
438 abort();
439 }
442 ast_log(LOG_ERROR, "stir/shaken - failed to register '%s' sorcery object\n", "eprofile");
443 return -1;
444 }
445
446 ast_sorcery_object_field_register_nodoc(sorcery, "eprofile", "type", "", OPT_NOOP_T, 0, 0);
447 enum_option_register(sorcery, "eprofile", endpoint_behavior, _nodoc);
450
451 /*
452 * Now we can do profile
453 */
454 ast_sorcery_apply_default(sorcery, CONFIG_TYPE, "config", "stir_shaken.conf,criteria=type=profile");
457 ast_log(LOG_ERROR, "stir/shaken - failed to register '%s' sorcery object\n", CONFIG_TYPE);
458 return -1;
459 }
460
462 enum_option_register(sorcery, CONFIG_TYPE, endpoint_behavior,);
465
467 ast_sorcery_load_object(sorcery, "eprofile");
468
471
472 return 0;
473}
Access Control of various sorts.
Asterisk main include file. File version handling, generic pbx functions.
#define ast_log
Definition: astobj2.c:42
int ao2_container_count(struct ao2_container *c)
Returns the number of elements in a container.
#define ao2_cleanup(obj)
Definition: astobj2.h:1934
#define ao2_callback_data(container, flags, cb_fn, arg, data)
Definition: astobj2.h:1723
#define ao2_ref(o, delta)
Reference/unreference an object and return the old refcount.
Definition: astobj2.h:459
@ OBJ_NODATA
Definition: astobj2.h:1044
struct attestation_cfg * as_get_cfg(void)
int as_check_common_config(const char *id, struct attestation_cfg_common *acfg_common)
void acfg_cleanup(struct attestation_cfg_common *acfg_common)
int as_copy_cfg_common(const char *id, struct attestation_cfg_common *cfg_dst, struct attestation_cfg_common *cfg_src)
Standard Command Line Interface.
#define CLI_SHOWUSAGE
Definition: cli.h:45
#define CLI_SUCCESS
Definition: cli.h:44
int ast_cli_unregister_multiple(struct ast_cli_entry *e, int len)
Unregister multiple commands.
Definition: clicompat.c:30
#define AST_CLI_DEFINE(fn, txt,...)
Definition: cli.h:197
void ast_cli(int fd, const char *fmt,...)
Definition: clicompat.c:6
@ CLI_INIT
Definition: cli.h:152
@ CLI_GENERATE
Definition: cli.h:153
#define CLI_FAILURE
Definition: cli.h:46
#define ast_cli_register_multiple(e, len)
Register multiple commands.
Definition: cli.h:265
int config_object_cli_show(void *obj, void *arg, void *data, int flags)
Output configuration settings to the Asterisk CLI.
char * config_object_tab_complete_name(const char *word, struct ao2_container *container)
Tab completion for name matching with STIR/SHAKEN CLI commands.
struct ast_sorcery * get_sorcery(void)
Retrieve the stir/shaken sorcery context.
Definition: common_config.c:34
@ config_object_type_profile
#define register_common_verification_fields(sorcery, object, CONFIG_TYPE, nodoc)
struct verification_cfg * vs_get_cfg(void)
#define register_common_attestation_fields(sorcery, object, CONFIG_TYPE, nodoc)
#define PROFILE_ALLOW_VERIFY(__profile)
#define enum_option_register(sorcery, CONFIG_TYPE, name, nodoc)
int vs_copy_cfg_common(const char *id, struct verification_cfg_common *cfg_dst, struct verification_cfg_common *cfg_src)
#define PROFILE_ALLOW_ATTEST(__profile)
int vs_check_common_config(const char *id, struct verification_cfg_common *vcfg_common)
void vcfg_cleanup(struct verification_cfg_common *cfg)
@ OPT_NOOP_T
Type for a default handler that should do nothing.
static const char name[]
Definition: format_mp3.c:68
#define LOG_ERROR
generate_sorcery_enum_from_str(profile_cfg,, endpoint_behavior, UNKNOWN)
static char * cli_profile_show_all(struct ast_cli_entry *e, int cmd, struct ast_cli_args *a)
static void profile_destructor(void *obj)
generate_vcfg_common_sorcery_handlers(profile_cfg)
static int eprofile_apply(const struct ast_sorcery *sorcery, void *obj)
int profile_unload(void)
static struct profile_cfg * create_effective_profile(struct profile_cfg *base_profile)
int profile_load(void)
static void * profile_alloc(const char *name)
static char * cli_eprofile_show(struct ast_cli_entry *e, int cmd, struct ast_cli_args *a)
generate_sorcery_enum_to_str(profile_cfg,, endpoint_behavior)
struct profile_cfg * eprofile_get_cfg(const char *id)
struct ao2_container * eprofile_get_all(void)
struct profile_cfg * profile_get_cfg(const char *id)
struct ao2_container * profile_get_all(void)
static struct ast_cli_entry stir_shaken_profile_cli[]
static int profile_apply(const struct ast_sorcery *sorcery, void *obj)
int profile_reload(void)
static char * cli_profile_show(struct ast_cli_entry *e, int cmd, struct ast_cli_args *a)
static char * cli_eprofile_show_all(struct ast_cli_entry *e, int cmd, struct ast_cli_args *a)
#define CONFIG_TYPE
generate_acfg_common_sorcery_handlers(profile_cfg)
struct ao2_container * container
Definition: res_fax.c:501
@ UNKNOWN
Definition: res_pjsip.h:440
static struct ast_sorcery * sorcery
#define NULL
Definition: resample.c:96
Security Event Reporting API.
Sorcery Data Access Layer API.
const char * ast_sorcery_object_get_id(const void *object)
Get the unique identifier of a sorcery object.
Definition: sorcery.c:2317
#define ast_sorcery_object_field_register_nodoc(sorcery, type, name, default_val, opt_type, flags,...)
Register a field within an object without documentation.
Definition: sorcery.h:987
@ AST_RETRIEVE_FLAG_MULTIPLE
Return all matching objects.
Definition: sorcery.h:120
@ AST_RETRIEVE_FLAG_ALL
Perform no matching, return all objects.
Definition: sorcery.h:123
int ast_sorcery_create(const struct ast_sorcery *sorcery, void *object)
Create and potentially persist an object using an available wizard.
Definition: sorcery.c:2062
void * ast_sorcery_retrieve_by_id(const struct ast_sorcery *sorcery, const char *type, const char *id)
Retrieve an object using its unique identifier.
Definition: sorcery.c:1853
#define ast_sorcery_object_register(sorcery, type, alloc, transform, apply)
Register an object type.
Definition: sorcery.h:837
void ast_sorcery_load_object(const struct ast_sorcery *sorcery, const char *type)
Inform any wizards of a specific object type to load persistent objects.
Definition: sorcery.c:1393
#define ast_sorcery_internal_object_register(sorcery, type, alloc, transform, apply)
Register an internal, hidden object type.
Definition: sorcery.h:867
void * ast_sorcery_generic_alloc(size_t size, ao2_destructor_fn destructor)
Allocate a generic sorcery capable object.
Definition: sorcery.c:1728
#define ast_sorcery_object_field_register(sorcery, type, name, default_val, opt_type, flags,...)
Register a field within an object.
Definition: sorcery.h:955
void * ast_sorcery_alloc(const struct ast_sorcery *sorcery, const char *type, const char *id)
Allocate an object.
Definition: sorcery.c:1744
int ast_sorcery_update(const struct ast_sorcery *sorcery, void *object)
Update an object.
Definition: sorcery.c:2150
int ast_sorcery_objectset_apply(const struct ast_sorcery *sorcery, void *object, struct ast_variable *objectset)
Apply an object set (KVP list) to an object.
Definition: sorcery.c:1632
void ast_sorcery_force_reload_object(const struct ast_sorcery *sorcery, const char *type)
Inform any wizards of a specific object type to reload persistent objects even if no changes determin...
Definition: sorcery.c:1457
#define ast_sorcery_apply_default(sorcery, type, name, data)
Definition: sorcery.h:476
void * ast_sorcery_retrieve_by_fields(const struct ast_sorcery *sorcery, const char *type, unsigned int flags, struct ast_variable *fields)
Retrieve an object or multiple objects using specific fields.
Definition: sorcery.c:1897
ast_sorcery_apply_result
Definition: sorcery.h:423
@ AST_SORCERY_APPLY_SUCCESS
Definition: sorcery.h:427
Stasis Message Bus API. See Stasis Message Bus API for detailed documentation.
#define ast_string_field_init(x, size)
Initialize a field pool and fields.
Definition: stringfields.h:359
#define ast_string_field_free_memory(x)
free all memory - to be called before destroying the object
Definition: stringfields.h:374
static force_inline int attribute_pure ast_strlen_zero(const char *s)
Definition: strings.h:65
Generic container type.
descriptor for a cli entry.
Definition: cli.h:171
char * command
Definition: cli.h:186
const char * usage
Definition: cli.h:177
Full structure for sorcery.
Definition: sorcery.c:230
Profile configuration for stir/shaken.
enum endpoint_behavior_enum endpoint_behavior
struct attestation_cfg_common acfg_common
struct profile_cfg * eprofile
struct verification_cfg_common vcfg_common
struct crypto_cert_store * tcs
static struct test_val a
#define RAII_VAR(vartype, varname, initval, dtor)
Declare a variable that will call a destructor function when it goes out of scope.
Definition: utils.h:941
#define ARRAY_LEN(a)
Definition: utils.h:666