[_362][_522][_523] allow '=' and ';' in PAM passwords

d-w-moore · d-w-moore · commit 2d19eacf5ecd · 2024-03-22T23:34:38.000-04:00
diff --git a/irods/api_number.py b/irods/api_number.py
@@ -179,5 +179,7 @@
     "GET_RESOURCE_INFO_FOR_OPERATION_AN": 10220,
     "ATOMIC_APPLY_METADATA_OPERATIONS_APN": 20002,
     "GET_FILE_DESCRIPTOR_INFO_APN": 20000,
-    "REPLICA_CLOSE_APN": 20004
+    "REPLICA_CLOSE_APN": 20004,
+
+    "AUTH_PLUG_REQ_AN": 1201
 }
diff --git a/irods/connection.py b/irods/connection.py
@@ -25,8 +25,6 @@
 from irods.message import (PamAuthRequest, PamAuthRequestOut)
 
 
-
-ALLOW_PAM_LONG_TOKENS = True      # True to fix [#279]
 # Message to be logged when the connection
 # destructor is called. Used in a unit test
 DESTRUCTOR_MSG = "connection __del__() called"
@@ -493,9 +491,10 @@ def _login_pam(self):
             if getattr(self,'DISALLOWING_PAM_PLAINTEXT',True):
                 raise PlainTextPAMPasswordError
 
-        Pam_Long_Tokens = (ALLOW_PAM_LONG_TOKENS and (len(ctx) >= MAX_NAME_LEN))
+        use_dedicated_pam_api = len(ctx) >= MAX_NAME_LEN or \
+                                {';','='}.intersection(set(new_pam_password))
 
-        if Pam_Long_Tokens:
+        if use_dedicated_pam_api:
             message_body = PamAuthRequest( pamUser = self.account.client_user,
                                            pamPassword = new_pam_password,
                                            timeToLive = time_to_live_in_hours)
@@ -505,7 +504,7 @@ def _login_pam(self):
         auth_req = iRODSMessage(
             msg_type='RODS_API_REQ',
             msg=message_body,
-            int_info=(725 if Pam_Long_Tokens else 1201)
+            int_info=api_number['PAM_AUTH_REQUEST_AN' if use_dedicated_pam_api else 'AUTH_PLUG_REQ_AN']
         )
 
         self.send(auth_req)
@@ -516,8 +515,7 @@ def _login_pam(self):
             # TODO (#480): In Python3 will be able to do: 'raise RuntimeError(...) from exc' for more succinct error messages
             raise RuntimeError('Client-configured TTL is outside server parameters (password min and max times)')
 
-        Pam_Response_Class = (PamAuthRequestOut if Pam_Long_Tokens
-                         else AuthPluginOut)
+        Pam_Response_Class = (PamAuthRequestOut if use_dedicated_pam_api else AuthPluginOut)
 
         auth_out = output_message.get_main_message( Pam_Response_Class )
 
diff --git a/irods/test/PRC_issue_362.bats b/irods/test/PRC_issue_362.bats
@@ -50,7 +50,6 @@ prc_test()
 }
 
 @test "test_with_atsymbol" { prc_test; }
-# TODO: investigate: the following two cases fail with SYS_BAD_INPUT (when tested with iRODS 4.3.1)
-#@test "test_with_semicolon" { prc_test; }
-#@test "test_with_equals" { prc_test; }
+@test "test_with_semicolon" { prc_test; }
+@test "test_with_equals" { prc_test; }
 @test "test_with_ampersand" { prc_test; }

Original file line number	Diff line number	Diff line change
`@@ -179,5 +179,7 @@`
`179`	`179`	`"GET_RESOURCE_INFO_FOR_OPERATION_AN": 10220,`
`180`	`180`	`"ATOMIC_APPLY_METADATA_OPERATIONS_APN": 20002,`
`181`	`181`	`"GET_FILE_DESCRIPTOR_INFO_APN": 20000,`
`182`		`- "REPLICA_CLOSE_APN": 20004`
	`182`	`+ "REPLICA_CLOSE_APN": 20004,`
	`183`	`+`
	`184`	`+ "AUTH_PLUG_REQ_AN": 1201`
`183`	`185`	`}`
Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,6 @@ prc_test()`
`50`	`50`	`}`
`51`	`51`
`52`	`52`	`@test "test_with_atsymbol" { prc_test; }`
`53`		`-# TODO: investigate: the following two cases fail with SYS_BAD_INPUT (when tested with iRODS 4.3.1)`
`54`		`-#@test "test_with_semicolon" { prc_test; }`
`55`		`-#@test "test_with_equals" { prc_test; }`
	`53`	`+@test "test_with_semicolon" { prc_test; }`
	`54`	`+@test "test_with_equals" { prc_test; }`
`56`	`55`	`@test "test_with_ampersand" { prc_test; }`