From 84ab3965c834e899f6c7f65fbe235a911f5f4766 Mon Sep 17 00:00:00 2001
From: Luis Azedo
Date: Thu, 29 Jun 2023 01:05:52 +0100
Subject: [PATCH] fix the check on authz response checking for true/false on the return of functions is not the same as assign the return value to a variable and do the same question. kamailio uses handles the return of function values as follows - = 0 drop the message - < 0 false - > 0 true 'if (!somefuntion())' is equivalent to 'if(somefuntion() < 0)' and is not equivalent to 'if(somefuntion() == 0)' 'if (somefuntion())' is equivalent to 'if(somefuntion() > 0)' and is not equivalent to 'if(somefuntion() != 0)' !$var(something) => is the variable != 0 which will never be true if the value was assigned from the return of a function
(cherry picked from commit b41dd06f6b3350d990de9c5115fe0bf943698248)
---
 kamailio/authorization.cfg | 11 +++++------
 kamailio/registrar-role.cfg | 1 -
 2 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/kamailio/authorization.cfg b/kamailio/authorization.cfg
index e520fcaa..7fb17329 100644
--- a/kamailio/authorization.cfg
+++ b/kamailio/authorization.cfg
@@ -122,7 +122,7 @@ onreply_route[KZ_AUTHORIZATION_CHECK_REPLY]
 $var(delta_to_start) = $var(StartRoute) - $(kzR{kz.json,AMQP-Received});
 $var(delta_from_query) = $(kzR{kz.json,AMQP-Received}) - $xavp(deltas=>query);
 xlog("L_INFO", "received $(kzR{kz.json,Event-Category}) $(kzR{kz.json,Event-Name}) reply from $(kzR{kz.json,App-Name})-$(kzR{kz.json,App-Version}) (Δ1 $(kzR{kz.json,AMQP-Elapsed-Micro}) μs , Δ2 $var(delta_to_start) μs, Δ3 $var(delta_from_query) μs)\n");
- $var(password) = $(kzR{kz.json,Auth-Password});
+ $vn(password) = $(kzR{kz.json,Auth-Password});
 if( $(kzR{kz.json,Event-Name}) == "authn_err" ) {
 update_stat("auth:authn_err", "+1");
 t_reply("403", "Forbidden");
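Review bot: Nothing in this hunk checks that the reply actually carried an `Auth-Password` before the value is stored in `$vn(password)`; the assignment even precedes the `authn_err` branch. `$vn` can hold `$null`, and the value is later expanded inside a string as `"$vn(password)"` for `pv_auth_check`, so a reply without the field would presumably have the digest verified against whatever a null renders to rather than being refused outright. A guard after the `authn_err` block such as `if ($vn(password) == $null) { t_reply("403", "Forbidden"); exit; }` would fail closed. The onreply route continues past the end of the hunk, so such a check may already exist further down.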
@@ -140,10 +140,10 @@ onreply_route[KZ_AUTHORIZATION_CHECK_REPLY]
 route[KZ_AUTHORIZATION_CHECK_RESPONSE]
 {
- $var(retcode) = pv_auth_check("$avp(auth-domain)", "$var(password)", "0", "0");
-
- if (!$var(retcode)) {
- xlog("L_WARNING", "end - auth failed $var(retcode)\n$mbu\n");
+ $var(retcode) = pv_auth_check("$avp(auth-domain)", "$vn(password)", "0", "0");
+ if ($var(retcode) != 1) {
+ xlog("L_WARNING", "end - auth failed $var(retcode)\n");
+ routes(KZ_AUTHORIZATION_FAILED_AUTH);
 switch($var(retcode)) {
 case -4:
 case -5:
@@ -153,7 +153,6 @@ route[KZ_AUTHORIZATION_CHECK_RESPONSE]
 exit;
 break;
 default:
- routes(KZ_AUTHORIZATION_FAILED_AUTH);
 send_reply("403", "Forbidden");
 exit;
 }
diff --git a/kamailio/registrar-role.cfg b/kamailio/registrar-role.cfg
index 821ba85e..fc37fd28 100644
--- a/kamailio/registrar-role.cfg
+++ b/kamailio/registrar-role.cfg
@@ -341,7 +341,6 @@ route[CHECK_AUTHORIZATION]
 {
 if (!pv_auth_check("$avp(auth-domain)", "$vn(password)", "0", "0")) {
 routes(KZ_AUTHORIZATION_FAILED_AUTH);
- xlog("L_WARNING", "end - issuing auth challenge to failed registration attempt for $avp(auth-uri) from IP $si:$sp\n");
 update_stat("registrar:challenge", "+1");
 auth_challenge("$avp(auth-domain)", "5");
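Review bot: Moving `routes(KZ_AUTHORIZATION_FAILED_AUTH);` above the `switch` makes it run for `case -4:` and `case -5:` as well, where the previous code called it only in the `default:` branch (the call removed in the `-153,7` hunk). In the auth module's documented return codes -4 is an expired nonce and -5 is missing credentials, both of which occur in an ordinary digest challenge round trip, so if the failed-auth routes feed ban counters or alerting (not visible here) legitimate clients would be counted as failures. Consider keeping the call in `default:` or guarding it, e.g. `if ($var(retcode) != -4 && $var(retcode) != -5) routes(KZ_AUTHORIZATION_FAILED_AUTH);`, and logging those two codes below `L_WARNING`. The bodies of the `-4`/`-5` cases lie between the two hunks and are not shown, so confirm what they do before changing the order.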