Merge branch 'Mickaelh51-stir-and-shaken-acc'

README.md

@@ -448,17 +448,102 @@ but BYE is authenticated by the UAC.
 A basic stir and shaken authentication<br>
 It use a compatible Self-Signed STIR/SHAKEN Certificate [(info here)](https://blog.opensips.org/2022/10/31/how-to-generate-self-signed-stir-shaken-certificates)<br>
 :warning: This scenario use a specific version of [opensips-cli](https://hub.docker.com/r/allomediadocker/opensips-cli)
+(more explanations in scenario's README)
 
 #### 02.auth-diverted-cached
 Same as
-[01.auth-simple](#01auth-simple), but add processing of Diversion header, public key caching, store private key in separate file
+[01.auth-simple](#01auth-simple), but add processing of Diversion header, public key caching, store private key in separate file (more explanations in scenario's README)<br>
 :warning: Scenario for French regulations
 
 #### 03.auth-issue-bypass-token
 Same as
-[01.auth-simple](#01auth-simple), $var(cert) deleted to force stir_shaken_auth function in error and automatically add P-Identity-Bypass header. 
+[01.auth-simple](#01auth-simple), $var(cert) deleted to force stir_shaken_auth function in error and automatically add P-Identity-Bypass header. (more explanations in scenario's README)<br>
 :warning: Scenario for French regulations
 
+#### 04.verify-200
+Places a call with correct Identity header
+
+#### 05.verify-200-anonymous
+Places a call with correct Identity header but with `From` Anonymous
+
+#### 06.verify-error-400-wrong-from
+Places a call with wrong orig in conf (more explanations in scenario's README)
+
+#### 07.verify-error-400-wrong-from-no-kill-call
+Places a call with wrong orig in conf, but not kill call (more explanations in scenario's README)
+
+#### 08.verify-error-403-wrong-date
+Places a call with wrong Date header (more explanations in scenario's README)
+
+#### 09.verify-error-403-wrong-iat
+Places a call with wrong iat token (more explanations in scenario's README)
+
+#### 10.verify-error-428-no-identity
+Places a call without Identity header (more explanations in scenario's README)
+
+#### 11.verify-error-436-no-info
+Places a call without Identity's info param (more explanations in scenario's README)
+
+#### 12.verify-error-436-token-no-4-params
+Places a call without 4 params in Identity header (more explanations in scenario's README)
+
+#### 13.verify-error-436-x5u-diff-info
+Places a call with x5u and info are different (more explanations in scenario's README)
+
+#### 14.verify-error-437-no-alg
+Places a call without alg identity param (more explanations in scenario's README)
+
+#### 15.verify-error-437-wrong-alg
+Places a call with wrong alg identity param (more explanations in scenario's README)
+
+#### 16.verify-error-437-wrong-header-alg
+Places a call without alg token param (more explanations in scenario's README)
+
+#### 17.verify-error-437-wrong-header-typ
+Places a call without typ token param (more explanations in scenario's README)
+
+#### 18.verify-error-437-cert-expired
+Places a call with expired certificate (more explanations in scenario's README)
+
+#### 19.verify-error-437-cert-in-future
+Places a call with certificate starts in 2025 (more explanations in scenario's README)
+
+#### 20.verify-error-438-identity-more-4-params
+Places a call with 5 params in Identity header (more explanations in scenario's README)
+
+#### 21.verify-error-438-no-ppt
+Places a call without ppt identity param (more explanations in scenario's README)
+
+#### 22.verify-error-438-wrong-ppt
+Places a call with wrong ppt identity param (more explanations in scenario's README)
+
+#### 23.verify-error-438-wrong-header-ppt
+Places a call without ppt token param (more explanations in scenario's README)
+
+#### 24.verify-error-438-wrong-attest
+Places a call with wrong attest (more explanations in scenario's README)
+
+#### 25.verify-error-438-orig-diff-from
+Places a call with orig and from are different (more explanations in scenario's README)
+
+#### 26.verify-error-438-dest-diff-to
+Places a call with dest and To are different (more explanations in scenario's README)
+
+#### 27.acc-stats-200
+Places a call with correct Identity and push stats in ACC (more explanations in scenario's README)
+:warning: Scenario for French regulations<br>
+:warning: This scenario use a specific version of [opensips](https://hub.docker.com/r/allomediadocker/opensips)
+
+#### 28.acc-stats-error-403-wrong-iat
+Places a call with wrong iat token and push stats in ACC (more explanations in scenario's README)
+:warning: Scenario for French regulations<br>
+:warning: This scenario use a specific version of [opensips](https://hub.docker.com/r/allomediadocker/opensips)
+
+#### 29.acc-stats-error-403-no-kill-call
+Places a call with wrong iat token, but not kill call and push stats in ACC (more explanations in scenario's README)
+:warning: Scenario for French regulations<br>
+:warning: This scenario use a specific version of [opensips](https://hub.docker.com/r/allomediadocker/opensips)
+
 ## Execution
 
 Install the `sipssert` tool and run it in the main directory.

config.yml

@@ -22,6 +22,11 @@ defaults:
     port: {{ uas_port }}
     keys:
       domain: {{ opensips_ip }}
+  uac-sipp-stir-shaken:
+    port: {{ uac_port }}
+    proxy: {{ opensips_ip }}:{{ opensips_port }}
+    keys:
+      domain: {{ opensips_ip }}
   opensips-cli:
     mi_ip: {{ opensips_ip }}
   opensips:
@@ -37,4 +42,4 @@ defaults:
     ready:
       wait: {{ mysql_ready_timeout }}
   mysql-client:
-    host: {{ mysql_ip }}
+    host: {{ mysql_ip }}

stir-shaken/04.verify-200/README.md

@@ -0,0 +1,11 @@
+# Diagram
+```mermaid
+sequenceDiagram
+    uac-sipp-stir-shaken->>+opensips: With identity header
+    opensips->>+uas-sipp: Without identity header
+    uas-sipp-->>-opensips: 200 OK
+    opensips-->>-uac-sipp-stir-shaken: 200 OK
+```
+
+# Explanations:
+

stir-shaken/04.verify-200/opensips.cfg

@@ -0,0 +1,159 @@
+#
+# OpenSIPS residential configuration script
+#     by OpenSIPS Solutions <team@opensips-solutions.com>
+#
+# This script was generated via "make menuconfig", from
+#   the "Residential" scenario.
+# You can enable / disable more features / functionalities by
+#   re-generating the scenario with different options.#
+#
+# Please refer to the Core CookBook at:
+#      https://opensips.org/Resources/DocsCookbooks
+# for a explanation of possible statements, functions and parameters.
+#
+
+
+####### Global Parameters #########
+######################################################################
+/* uncomment the following lines to enable debugging */
+#debug_mode=yes
+
+log_level=4
+xlog_level=4
+log_stderror=yes
+
+udp_workers=4
+
+####### Modules Section ########
+
+#set module path
+mpath="/usr/lib/x86_64-linux-gnu/opensips/modules/"
+
+#### SIGNALING module
+loadmodule "signaling.so"
+
+#### StateLess module
+loadmodule "sl.so"
+
+#### Transaction Module
+loadmodule "tm.so"
+modparam("tm", "fr_timeout", 5)
+modparam("tm", "fr_inv_timeout", 30)
+modparam("tm", "restart_fr_on_each_reply", 0)
+modparam("tm", "onreply_avp_mode", 1)
+
+#### SIP MSG OPerationS module
+loadmodule "sipmsgops.so"
+
+#### MySQL module
+#loadmodule "db_mysql.so"
+
+#### Dialog module
+loadmodule "dialog.so"
+#modparam("dialog", "db_mode", 2)
+#modparam("dialog", "db_update_period", 2)
+#modparam("dialog", "db_url", "mysql://root@192.168.52.2/opensips")
+
+#### MAX ForWarD module
+loadmodule "maxfwd.so"
+
+#### Record Route Module
+loadmodule "rr.so"
+/* do not append from tag to the RR (no need for this script) */
+modparam("rr", "append_fromtag", 0)
+
+loadmodule "proto_udp.so"
+
+loadmodule "httpd.so"
+loadmodule "mi_http.so"
+
+#### Stir and Shaken
+loadmodule "stir_shaken.so"
+modparam("stir_shaken", "ca_list", "/etc/opensips/stir-shaken-ca/ca-cert.pem")
+modparam("stir_shaken", "require_date_hdr", 0)
+modparam("stir_shaken", "verify_date_freshness", 300) # => please change to 60 for French reglementation
+
+
+include_file "stir_shaken_verify.cfg"
+
+
+####### Routing Logic ########
+
+# main request routing logic
+
+route {
+
+	$var(cert) = "-----BEGIN CERTIFICATE-----
+MIIByzCCAXGgAwIBAgIUWfW2wiP6QMbm7OlahCyplooFTl0wCgYIKoZIzj0EAwIw
+RTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMzA1MDkwOTE2NThaFw0yNTA4MTEw
+OTE2NThaMGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJWQTESMBAGA1UEBwwJU29t
+ZXdoZXJlMRowGAYDVQQKDBFBY21lVGVsZWNvbSwgSW5jLjENMAsGA1UECwwEVk9J
+UDEPMA0GA1UEAwwGU0hBS0VOMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuyQP
+0hteN1oKDUxo/2zvTp+0ppJ2IntNSdu36QFsUPDsCWlr4iTUMsjPtD+XQ58xQEf6
+n/zTE9cwZhs46NJWdKMaMBgwFgYIKwYBBQUHARoECjAIoAYWBDEwMDEwCgYIKoZI
+zj0EAwIDSAAwRQIga2buNdRtI/56SZ0pBOUd21UxVNacFelmTpnda145zYICIQDz
+yWoJxs18OGdJL0sfcw2JKiWQ9i6AKQAgGh31oKxXHg==
+-----END CERTIFICATE-----";
+
+	if (!mf_process_maxfwd_header(10)) {
+		send_reply(483,"Too Many Hops");
+		exit;
+	}
+
+	if (has_totag()) {
+
+		# handle hop-by-hop ACK (no routing required)
+		if (is_method("ACK") && t_check_trans()) {
+			t_relay();
+			exit;
+		}
+
+		# sequential request within a dialog should
+		# take the path determined by record-routing
+		if (!loose_route() && !match_dialog()) {
+			# we do record-routing for all our traffic, so we should not
+			# receive any sequential requests without Route hdr.
+			send_reply(404,"Not here");
+			exit;
+		}
+
+		# route it out to whatever destination was set by loose_route()
+		# in $du (destination URI).
+
+		t_relay();
+		exit;
+	}
+
+	# CANCEL processing
+	if (is_method("CANCEL")) {
+		if (t_check_trans())
+			t_relay();
+		exit;
+	}
+
+	# accept just INVITE requests
+	if (!is_method("INVITE")) {
+		send_reply(503, "Service Unavailable");
+		exit;
+	}
+	else
+	{
+		$var(kill_calls) = false;
+		route(stir_shaken_verify);
+	}
+
+	if (!create_dialog()) {
+		send_reply(500, "Internal Server Error");
+		exit;
+	}
+	record_route();
+
+	if (!t_relay())
+		send_reply(500, "Internal Error");
+	exit;
+
+
+
+
+}

stir-shaken/04.verify-200/scenario.yml

@@ -0,0 +1,37 @@
+---
+# generate CA: https://blog.opensips.org/2022/10/31/how-to-generate-self-signed-stir-shaken-certificates/
+
+timeout: 30
+
+tasks:
+  - name: OpenSIPS
+    type: opensips
+
+  - name: SIPP UAS
+    type: uas-sipp
+    username: "+33987654321"
+    config_file: scripts/uas.xml
+    require: OpenSIPS
+
+  - name: SIPP UAC
+    type: uac-sipp-stir-shaken
+    service: "+33987654321"
+    config_file: scripts/uac.xml
+    remote: {{ uas_ip }}:{{ uas_port }}
+    caller: "+33612345678"
+    duration: 10000
+    stir_shaken_origid: "toto"
+    stir_shaken_private_key: |
+      -----BEGIN EC PRIVATE KEY-----
+      MHcCAQEEIIOvgr23lbJ5rIOhiF+LR/VU4piEc1EYLT1CF5SN5HtZoAoGCCqGSM49
+      AwEHoUQDQgAEuyQP0hteN1oKDUxo/2zvTp+0ppJ2IntNSdu36QFsUPDsCWlr4iTU
+      MsjPtD+XQ58xQEf6n/zTE9cwZhs46NJWdA==
+      -----END EC PRIVATE KEY-----
+    
+    require:
+      - started:
+          task: SIPP UAS
+          wait: 0.5
+      - after:
+          task: OpenSIPS
+          wait: 0.5