I have recently installed Opensips 3.1. I am able to add SIP phones and place local LAN calls. I am trying to setup a inbound gateway connection with SIP provider Skyetel using IP Authentication. Everything is setup on the Skyetel side. From Opensips Control Panel, routing has been setup with all of the Skyetel gateways. Skyetel sends OPTIONS request, but Opensips seems not be able to process the request. Opensips is sending a 403 Relay Forbidden response. I am using the default config file, and I see that the 403 response is processing at the below step -
if ( !(is_method("REGISTER") || is_from_gw() ) ) {
if (is_from_local()) {
# authenticate if from local subscriber
# authenticate all initial non-REGISTER request that pretend to be
# generated by local subscriber (domain from FROM URI is local)
if (!proxy_authorize("", "subscriber")) {
proxy_challenge("", "auth");
exit;
}
if ($au!=$fU) {
send_reply(403,"Forbidden auth ID");
exit;
}
consume_credentials();
# caller authenticated
} else {
# if caller is not local, then called number must be local
if (!is_uri_host_local()) {
send_reply(403,"Relay Forbidden");
exit;
Also, I have added the SKyetel gateways as aliases in the config file and no change.
alias="52.41.52.34"
alias="35.85.225.96"
alias="52.60.138.31"
alias= 3.99.65.224
alias="52.8.201.128"
Any help on this would be appreciated.
Related
I'm trying to use Cloud Tasks HTTP Requests to reach a Kubernetes endpoint behind an HTTPS Load Balancer protected by Cloud IAP.
The endpoint works using any Gsuite company account as it should be but when the Cloud Task executes this is the Cloud Audit - Data Access log (only important parts displayed)
authenticationInfo: {
}
authorizationInfo: [
0: {
permission: "iap.webServiceVersions.accessViaIAP"
resource: "projects/<PROJECT_NUMBER>/iap_web/compute/services/<SERVICE_NUMBER>/versions/bs_0"
resourceAttributes: {
service: "iap.googleapis.com"
type: "iap.googleapis.com/WebServiceVersion"
}
}
]
status: {
code: 7
message: "PERMISSION_DENIED"
}
I'm using the compute-engine service account to create the task so I've granted this account the appropriate permissions:
When I create the task I add the appropriate OIDC service account email to the http request
'oidc_token': {'service_account_email': <PROJECT_NUMBER>-compute#developer.gserviceaccount.com}}
I also checked the Cloud Tasks HTTP Request on another endpoint and the Authentication Bearer token is present.
I really don't have any idea at this point on how to make it work.
Thanks for the help
I found the problem, the OIDC needed a specific audience to work with Cloud IAP.
The audience needed is the IAP ClientID that could be found in API & Services > Credentials under the section OAuth 2.0 client IDs with a name starting with IAP.
Just as an example here is the python code to add a task that can be granted access by the Cloud IAP.
# This is the important part, the audience filed is very important!
oidc_token = {'service_account_email': <PROJECT_NUMBER>-compute#developer.gserviceaccount.com, 'audience': <PROJECT_NUMBER>-<NUMBER_GENERATED_AUTOMATICALLY_BY_IAP>.apps.googleusercontent.com}
http_request = {'http_method': 'POST', 'url': url, 'body': json.dumps(payload).encode(), 'headers': headers, 'oidc_token': oidc_token}
task['schedule_time'] = timestamp
created_task = client.create_task(parent, {'http_request': http_request})
I'm using Jhipster 4.13.3 with the Oauth2/OIDC option to generate a gateway connected keycloak.
When a service send a 401 status, redirection to /login doesn't executed.
An interceptor (auth-expired.interceptor.ts) is defined to handle the error, but it doesn't work correctly.
First question
In the if condition, error.json() doesn't contain path, so the condition is false and the redirection is never executed.
if (error.status === 401 && error.text() !== ''
&& error.json().path && !error.json().path.includes('/api/account')) {
const destination = this.stateStorageService.getDestinationState();
if (destination !== null) {
const to = destination.destination;
const toParams = destination.params;
if (to.name === 'accessdenied') {
this.stateStorageService.storePreviousState(to.name, toParams);
}
} else {
this.stateStorageService.storeUrl('/');
}
const loginService: LoginService = this.injector.get(LoginService);
loginService.login();
}
Somebody knows the correct condition ?
Second question
I disabled the check on "error.json().path...", the redirection is called but fails "often", it works sometimes, I didn't found a explanation. Even if I kill all sessions in the keycloak admin console, the browsers redirects to the home page, not the keycloak login form.
Does somebody have an explanation about this ?
Thanks,
Philippe
We kept getting HTTP 401 status code responses when the hostname stamped on the iss field of the bearer's/user's access token had a different case i.e. lowercase vs. uppercase than the hostname in the URL used to post an HTTP request to keycloak's token endpoint.
Any kind of hostname mismatch can cause 401 errors:
Short hostname alias vs. fully qualified hostname e.g. https://myhost:8080 vs. https://myhost.domain.com:8080
https://MYHOST:8080 vs. https://myhost:8080
https://Myhost:8080 vs. https://myhost:8080
etc.
This happened in a Microsoft Windows 10 version 1809 environment.
This one has me for a while now, I am trying to build a console app that can call a .net web/wcf service SP, the first leg is to get a token from the idP (ADFS4.0) the pasted code was working fine for a whole day, at some point it stopped working with the following error:
SOAP security negotiation with 'https://adfs.domain.in/adfs/services/trust/13/windowsmixed' for target 'https://adfs.domain.in/adfs/services/trust/13/windowsmixed' failed. See inner exception for more details.
The inner error is:
The Security Support Provider Interface (SSPI) negotiation failed.
NativeErrorCode: 0x80090350 -> SEC_E_DOWNGRADE_DETECTED
I have tried /13/windows and /windowstransport as well as the endpoint.
private static GenericXmlSecurityToken RequestSecurityToken()
{
// set up the ws-trust channel factory
var factory = new Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannelFactory(new WindowsWSTrustBinding(
SecurityMode.TransportWithMessageCredential), new EndpointAddress(new Uri("https://adfs.domain.in/adfs/services/trust/13/windowsmixed"), EndpointIdentity.CreateSpnIdentity("adfs#domain.in")));
factory.TrustVersion = TrustVersion.WSTrust13;
var rst = new RequestSecurityToken
{
RequestType = RequestTypes.Issue,
KeyType = KeyTypes.Bearer,
AppliesTo = new System.ServiceModel.EndpointAddress(endpoint_address)
};
// request token and return
return factory.CreateChannel().Issue(rst) as GenericXmlSecurityToken;
}
In my case, for some reason, the ADFS was available over VPN but the AD based authentication bits are not happening over VPN. That's why SEC_E_DOWNGRADE_DETECTED is coming. In a regular non VPN environment things are good.
Also, another observation is once SAML token is generated over a regular enterprise network. Subsequent calls to generate the SAML token are going through as expected even on VPN.
So, if you see this error just check if the network you are in is part of the domain (and not public or private network), for SSPI negotiation.
I am building a form in C#, .NET, and MVC. On the back end the form will send its contents over email. For testing, I am using a local install of hMailServer.
Initially I set HMS to run as localhost.localdomain; the SMTP setting for "local host name" is localhost. I attempted to connect to it on port 587, like so:
SmtpClient smtp = new SmtpClient
{
Host = WebConfigurationManager.AppSettings["emailServer"],
Port = 587,
EnableSsl = true,
DeliveryMethod = SmtpDeliveryMethod.Network,
UseDefaultCredentials = true,
Credentials = networkCredential
};
I have double- and triple-checked that the credentials are the mail server user and password that I set. Here they are, in case this helps:
<add key="emailUser" value="user#localhost.localdomain"/>
<add key="emailPassword" value="~~~"/>
<add key="emailServer" value="localhost.localdomain"/>
When using localhost.localdomain, sending mail throws an exception, with the outer message: "Failure sending mail", and the inner message: "The remote name could not be resolved: 'localhost.localdomain'."
So I tried using companyname.com. Sending mail throws an exception, with the outer message: "Failure sending mail", and the inner message: "Unable to connect to the remote server."
I expect either my HMS domain config is wrong or my protocol config is wrong. The HMS documentation didn't help me, but I may not have known what to look for.
ETA
hMail server status shows zero processed messages in a week, despite all my testing.
Here is how I configured it for development:
Created host file entry like following:
local.myname.com 127.0.0.1
Once done, I opened command prompt and make sure it is updated. I tested it by following:
tracert local.myname.com
It should return 127.0.0.1 if host file entry is updated.
Next, in hmail, we need to create a new domain: local.myname.com and add an email address with password. so your email address would be something like admin#local.myname.com.
Next is, in advance you need to double check the protocols configuration and IP range vs authentication configuration as well.
In my case I configured to block external incoming and outgoing emails and skipped authentication for internal emails. So basically that;s what you can do in advance - IP range configuration. Then with the development, you just need to make sure all your emails are *#local.myname.com and it should work.
Also enable logging in hmail to get detailed error that can help solve the problem because hmail's help documentation works directly with their error codes nicely.
hMail is actually good choice for real emails. For development, I would recommend using smtp4dev though.
I am working on braintree and I want to send custom email notifications to my customers as I am working with recurring billing, so every month these custom notifications should be send to all users. For this I have to use webhooks to retrieve currently ocuured event and then send email notification according to webhook's response. (I think this is only solution in this case, If anyone know another possible solution please suggest). I want to test webhooks at my localhost first, And I have tried to create a new webhook and specified the localhost path as destination to retrieve webhooks. But this shows a error "Destination is not verified"..........
My path is : "http://127.0.0.1:81/webhook/Accept"
These are some of the tools that can be used during development of webhooks :
1) PostCatcher,
2) RequestBin,
3) ngrok,
4) PageKite and
5) LocalTunnel
http://telerivet.com/help/api/webhook/testing
https://www.twilio.com/blog/2013/10/test-your-webhooks-locally-with-ngrok.html
Well Another way to test it is by creating a WebAPI and POSTing Data to your POST method via Postman. To do this, just create a WebAPI in Visual Studio. In the API controller, create a POST method.
/// <summary>
/// Web API POST method for Braintree Webhook request
/// The data is passed through HTTP POST request.
/// A sample data set is present in POSTMAN HTTP Body
/// /api/webhook
/// </summary>
/// <param name="BTRequest">Data from HTTP request body</param>
/// <returns>Webhook notification object</returns>
public WebhookNotification Post([FromBody]Dictionary<String, String> BTRequest)
{
WebhookNotification webhook = gateway.WebhookNotification.Parse(BTRequest["bt_signature"], BTRequest["bt_payload"]);
return webhook;
}
In Postman, Post the following data in the Body as raw JSON.
{
"bt_signature":"Generated Data",
"bt_payload":"Very long generated data"
}
The data for the above Json dictionary has been generated through the below code:
Dictionary<String, String> sampleNotification = gateway.WebhookTesting.SampleNotification(WebhookKind.DISPUTE_OPENED, "my_Test_id");
// Your Webhook kind and your test ID
Just pick the data from sample notification and place it above in the JSON. Run your WebAPI, place debuggers. Add the localhost URL in Postman, select POST, and click on Send.
Your POST method should be hit.
Also, don't forget to add your gateway details:
private BraintreeGateway gateway = new BraintreeGateway
{
Environment = Braintree.Environment.SANDBOX,
MerchantId = "Your Merchant Key",
PublicKey = "Your Public Key",
PrivateKey = "Your Private Key"
};
I hope this helps!
I work at Braintree. If you need more help, please get in touch with our support team.
In order to test webhooks, your app needs to be able to be reached by the Braintree Gateway. A localhost address isn't. Try using your external IP address and make sure the port on the correct computer can be reached from the internet.
Take a look at the Braintree webhook guide for more info on setting up webhooks.
You can use PutsReq to simulate the response you want and do your end-to-end test in development.
For quick 'n dirty testing:
http://requestb.in/
For more formal testing (e.g. continuous integration):
https://www.runscope.com/
If you have a online server you may forward port from your computer to that server.
ssh -nNT -R 9090:localhost:3000 root#yourvds.com
And then specify webhook as http://yourvds.com:9090/webhook
all requests will be forwarded to you machine, you will be able to see logs
I know this is an old question, but according to the docs, you can use this code to test your webhook code:
Dictionary<String, String> sampleNotification = gateway.WebhookTesting.SampleNotification(
WebhookKind.SUBSCRIPTION_WENT_PAST_DUE, "my_id"
);
WebhookNotification webhookNotification = gateway.WebhookNotification.Parse(
sampleNotification["bt_signature"],
sampleNotification["bt_payload"]
);
webhookNotification.Subscription.Id;
// "my_id"
You can use the Svix CLI Listener: https://github.com/svix/svix-cli#using-the-listen-command
This will allow you to easily channel requests to your public endpoint to a local port where you can run your logic against and debug it on your localhost.