With this we can directly use the method code for decision making
purposes before the CDR generation routine runs.
Change-Id: I8967e77e6cd717bb4d3342a1bf7052c33d0f9b45
Now we can use some of the JSON fields for decision making purposes,
before we get to the CDR creation stage.
Change-Id: I0a521c7c6bbf82e5fed683c5461914fefd784f0f
This makes it possible to reuse the data from the JSON object in several
places in the code without having to re-parse it.
Change-Id: I62f3b2b814acc52ae3fb84c88b7b4f99bff9232f
Use strdup/free for string fields in med_entry_t that are highly
variable in length. This elimiates future problems if one of these
fields ever has its length extended.
Use g_strdup as it guarantees a non-NULL return value.
Change-Id: Ia0f5883547feb62f04fcd4c5353850eb9d815413
Using an array in this context (to return a list of acc records) is
mostly pointless as it wastes memory and incurs the additional overhead
of having to initialise the array and an extra layer of copying strings
around. This also ultimately allows us to dynamically append to the list
of acc records without having to reallocate the array.
Change-Id: I1039f01861f8d3f82fdc3a80377fd7535fa24bab
Using an array in this context (to return a list of call IDs) is mostly
pointless as it wastes memory and incurs the additional overhead of
having to initialise the array and an extra layer of copying strings
around. This also eliminates the auxiliary type `med_callid_t` and
ultimately allows us to dynamically append to the list of call IDs
without having to reallocate the array.
Use g_strdup for string allocation as it guarantees a non-NULL return
value.
Change-Id: Iae6c97f80c216352ab36de89d361f09ee355b6c8
We are migrating from redis to keydb so for now we need to support both
so we should not depend on specific key-value storage in unit file but
should use database.key_value.flavor value in override file.
But we can't redefine dependencies in override file just add additional
ones. So remove it from unit file.
Change-Id: I16e94e938bd9f1da14e1068bc6b94485b08a4ca5
As the number of subscribers grows, the current approach of doing a full
table dump of the subscribers DB and caching it in memory becomes less
and less feasible. The new approach is to simply do a straight DB query
for each subscriber as records are processed, and then cache the result
in memory for a little while.
Change-Id: I19a6271d779bd0abccc29e3548e7bcdb2e00baa3
ubuntu-20.04 doesn't provide debhelper-compat (= 13), therefore fails with:
| The following packages have unmet dependencies:
| builddeps:. : Depends: debhelper-compat (= 13)
| E: Unable to correct problems, you have held broken packages.
Let's switch from ubuntu-20.04 to ubuntu-latest, which
currently still points to ubuntu-20.04, but should reduce
our maintenance efforts.
Furthermore enabled the ubuntu-cloud-archive/yoga-staging PPA,
which provides a backport of debhelper v13:
https://launchpad.net/~ubuntu-cloud-archive/+archive/ubuntu/yoga-staging/+packages
and fixes our failing coverity builds on github.
Change-Id: I3bba166843f164b67b90c403cc772dfd939eeae7
Using apt-get with `-qq` displays only the following message
on package installation problems:
| E: Unable to correct problems, you have held broken packages.
Whereas with `-q`, we get the actual underlying problem, being:
| The following packages have unmet dependencies:
| builddeps:. : Depends: debhelper-compat (= 13)
| E: Unable to correct problems, you have held broken packages.
Change-Id: Ibadc483f1cb324c83d7616d009bcc932876a25a3
Use a macro in combination with an included file to define the list of
all string fields used in the CDR struct.
Change-Id: Ic0b93c005b792eadf00544768c74382fa3307577
We cannot overwrite the reallocated variable, otherwise on failure we
leak it.
Change-Id: I541537ade71086c9ceb851d8c5223364e3908b07
Warned-by: cppcheck (memleakOnRealloc)
While the code is not threaded, better be future-proof and use safer
APIs, which in addition has less side-effects as it does not set the
global TZ related variables.
Change-Id: I57fbe6683590cc2fbc0da508819553c040764739
Warned-by: lgtm
Whether a bit-field is signed or unsigned is implementation specific, so
we should be explicit about this.
Change-Id: I8bce847d6ece3d08fc93fa77227f6f970d1353de
Warned-by: lgtm
On Debian buster the latter contains transitive dependencies in Libs,
instead of in Libs.private, which leaks linking implementation details.
Change-Id: Ia131fe82444b8c2204976df75be047ab6d17c561
We need readonly access to /dev/urandom, otherwise the rand()
calls might fail, as seen in kamailio-config-tests.
Change-Id: Id132191994ae5fe74ec3ebb7d34a4a5d50769dbc
Thanks: Victor Seva for reporting
In carrier environments we have foreign DB hosts
configured in /etc/ngcp-mediator/ngcp-mediator.conf,
therefore we can't easily apply IP address filtering.
JFTR, new and current systemd hardening state for ngcp-mediator:
| $ sudo COLUMNS=142 systemd-analyze security ngcp-mediator | grep -v '✓'
| NAME DESCRIPTION EXPOSURE
| ✗ PrivateNetwork= Service has access to the host's … 0.5
| ✗ User=/DynamicUser= Service runs as root user 0.4
| ✗ RestrictAddressFamilies=~AF_(INET… Service may allocate Internet soc… 0.3
| ✗ RestrictAddressFamilies=~… Service may allocate exotic socke… 0.3
| ✗ DeviceAllow= Service has a device ACL with som… 0.1
| ✗ IPAddressDeny= Service does not define an IP add… 0.2
| ✗ RestrictAddressFamilies=~AF_PACKET Service may allocate packet socke… 0.2
| ✗ SystemCallFilter=~@privileged System call whitelist defined for… 0.2
| ✗ RestrictAddressFamilies=~AF_NETLI… Service may allocate netlink sock… 0.1
| ✗ RootDirectory=/RootImage= Service runs within the host's ro… 0.1
| SupplementaryGroups= Service runs as root, option does…
| RemoveIPC= Service runs as root, option does…
| ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
|
| → Overall exposure level for ngcp-mediator.service: 2.1 OK 🙂
Change-Id: I0e7c474eddd5d4d4c77b9bda157448294ed0a5c4
ngcp-mediator service state BEFORE this change:
| $ systemd-analyze security ngcp-mediator | tail -1
| → Overall exposure level for ngcp-mediator.service: 9.5 UNSAFE 😨
ngcp-mediator service state AFTER this change:
| $ sudo COLUMNS=142 systemd-analyze security ngcp-mediator | grep -v '✓'
| NAME DESCRIPTION EXPOSURE
| ✗ PrivateNetwork= Service has access to the host's network 0.5
| ✗ User=/DynamicUser= Service runs as root user 0.4
| ✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
| ✗ RestrictAddressFamilies=~… Service may allocate exotic sockets 0.3
| ✗ DeviceAllow= Service has a device ACL with some special devices 0.1
| ✗ IPAddressDeny= Service defines IP address whitelits with only localhost entries 0.1
| ✗ RestrictAddressFamilies=~AF_PACKET Service may allocate packet sockets 0.2
| ✗ SystemCallFilter=~@privileged System call whitelist defined for service, and @privileged is included 0.2
| ✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1
| ✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1
| SupplementaryGroups= Service runs as root, option does not matter
| RemoveIPC= Service runs as root, option does not apply
| ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
|
| → Overall exposure level for ngcp-mediator.service: 2.0 OK 🙂
Change-Id: If33c303b9df465393f15c0b685d1aab54a465df6
We only ever go into the error handling code before malloc has
succeeded, which means ‘entries’ will always be NULL.
Change-Id: Iaedd1ac668249b0e4516f782c24a2f420e8682a5
Warned-by: coverity
While MariaDB uses my_bool here, MySQL uses the standard bool type. Both
are compatible, so use the more standard one.
Change-Id: I648bc8eb55f7617f6b4eb796a33bc77ce15ca34b