diff --git a/irods/connection.py b/irods/connection.py index 4a8ffec0c..412be1c24 100644 --- a/irods/connection.py +++ b/irods/connection.py @@ -181,14 +181,14 @@ def requires_cs_negotiation(self): @staticmethod def make_ssl_context(irods_account): - check_hostname = getattr(irods_account,'ssl_verify_server','hostname') + verify_server = getattr(irods_account,'ssl_verify_server','hostname') CAfile = getattr(irods_account,'ssl_ca_certificate_file',None) CApath = getattr(irods_account,'ssl_ca_certificate_path',None) - verify = ssl.CERT_NONE if (None is CAfile is CApath) else ssl.CERT_REQUIRED + verify = ssl.CERT_NONE if ((None is CAfile is CApath) or verify_server == 'none') else ssl.CERT_REQUIRED # See https://stackoverflow.com/questions/30461969/disable-default-certificate-verification-in-python-2-7-9/49040695#49040695 ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=CAfile, capath=CApath) # Note: check_hostname must be assigned prior to verify_mode property or Python library complains! - ctx.check_hostname = (check_hostname.startswith('host') and verify != ssl.CERT_NONE) + ctx.check_hostname = (verify_server == 'hostname' and verify != ssl.CERT_NONE) ctx.verify_mode = verify return ctx diff --git a/irods/test/login_auth_test.py b/irods/test/login_auth_test.py index 073b889d3..3b270cea2 100644 --- a/irods/test/login_auth_test.py +++ b/irods/test/login_auth_test.py @@ -24,6 +24,7 @@ from re import compile as regex import gc import six +from irods.test.setupssl import create_ssl_dir # # Allow override to specify the PAM password in effect for the test rodsuser. @@ -57,7 +58,7 @@ def env_dir_fullpath(authtype): return os.path.join( os.environ['HOME'] , '.iro def json_env_fullpath(authtype): return os.path.join( env_dir_fullpath(authtype), 'irods_environment.json') def secrets_fullpath(authtype): return os.path.join( env_dir_fullpath(authtype), '.irodsA') -SERVER_ENV_PATH = os.path.expanduser('~irods/.irods/irods_environment.json') +RODSADMIN_ENV_PATH = os.path.expanduser('~/.irods/irods_environment.json') SERVER_ENV_SSL_SETTINGS = { "irods_ssl_certificate_chain_file": "/etc/irods/ssl/irods.crt", @@ -67,9 +68,6 @@ def secrets_fullpath(authtype): return os.path.join( env_dir_fullpath(authtype "irods_ssl_verify_server": "cert" } -def update_service_account_for_SSL(): - json_file_update( SERVER_ENV_PATH, **SERVER_ENV_SSL_SETTINGS ) - CLIENT_OPTIONS_FOR_SSL = { "irods_client_server_policy": "CS_NEG_REQUIRE", "irods_client_server_negotiation": "request_server_negotiation", @@ -82,9 +80,9 @@ def update_service_account_for_SSL(): } -def client_env_from_server_env(user_name, auth_scheme=""): +def client_env_keys_from_admin_env(user_name, auth_scheme=""): cli_env = {} - with open(SERVER_ENV_PATH) as f: + with open(RODSADMIN_ENV_PATH) as f: srv_env = json.load(f) for k in [ "irods_host", "irods_zone_name", "irods_port" ]: cli_env [k] = srv_env[k] @@ -163,7 +161,7 @@ def create_env_dirs(self): # -- create environment configurations and secrets with pam_password_in_plaintext(): for dirname,lookup in self.user_auth_envs.items(): - if lookup['AUTH'] == 'pam': + if lookup['AUTH'] in ('pam','pam_password'): ses = iRODSSession( host=gethostname(), user=lookup['USER'], zone='tempZone', @@ -179,7 +177,7 @@ def create_env_dirs(self): #elif lookup['AUTH'] == 'XXXXXX': # TODO: insert other authentication schemes here elif lookup['AUTH'] in ('native', '',None): scrambled_pw = pw_encode( lookup['PASSWORD'] ) - cl_env = client_env_from_server_env(TEST_RODS_USER) + cl_env = client_env_keys_from_admin_env(TEST_RODS_USER) if lookup.get('AUTH',None) is not None: # - specify auth scheme only if given cl_env['irods_authentication_scheme'] = lookup['AUTH'] dirbase = os.path.join(os.environ['HOME'],dirname) @@ -199,18 +197,19 @@ def create_env_dirs(self): retval = dirs.keys() return retval + PAM_SCHEME_STRING = 'pam' @classmethod def setUpClass(cls): cls.admin = helpers.make_session() + if cls.admin.server_version >= (4,3): + cls.PAM_SCHEME_STRING = cls.user_auth_envs['.irods.pam']['AUTH'] = 'pam_password' @classmethod def tearDownClass(cls): cls.admin.cleanup() def setUp(self): - if os.environ['HOME'] != '/var/lib/irods': - self.skipTest('Must be run as irods') super(TestLogins,self).setUp() def tearDown(self): @@ -244,12 +243,14 @@ def _setup_rodsuser_and_optional_pw(self, name, make_irods_pw = False): self.admin.users.remove( name ) def tst0(self, ssl_opt, auth_opt, env_opt, name = TEST_RODS_USER, make_irods_pw = False): - + _auth_opt = auth_opt + if auth_opt in ('pam', 'pam_password'): + auth_opt = self.PAM_SCHEME_STRING with self._setup_rodsuser_and_optional_pw(name = name, make_irods_pw = make_irods_pw): self.envdirs = self.create_env_dirs() if not self.envdirs: raise RuntimeError('Could not create one or more client environments') - auth_opt_explicit = 'native' if auth_opt=='' else auth_opt + auth_opt_explicit = 'native' if _auth_opt=='' else _auth_opt verbosity=False #verbosity='' # -- debug - sanity check by printing out options applied out = {'':''} @@ -282,7 +283,7 @@ def tst0(self, ssl_opt, auth_opt, env_opt, name = TEST_RODS_USER, make_irods_pw cadata = None, cafile = SSL_cert), **CLIENT_OPTIONS_FOR_SSL ) - lookup = self.user_auth_envs ['.irods.'+('native' if not(auth_opt) else auth_opt)] + lookup = self.user_auth_envs ['.irods.'+('native' if not(_auth_opt) else _auth_opt)] session = iRODSSession ( host=gethostname(), user=lookup['USER'], zone='tempZone', @@ -508,22 +509,25 @@ def setUp(self): def test_ssl_with_server_verify_set_to_none_281(self): env_file = os.path.expanduser('~/.irods/irods_environment.json') - with helpers.file_backed_up(env_file): - with open(env_file) as env_file_handle: - env = json.load( env_file_handle ) - env.update({ "irods_client_server_negotiation": "request_server_negotiation", - "irods_client_server_policy": "CS_NEG_REQUIRE", - "irods_ssl_ca_certificate_file": "/path/to/some/file.crt", # does not need to exist - "irods_ssl_verify_server": "none", - "irods_encryption_key_size": 32, - "irods_encryption_salt_size": 8, - "irods_encryption_num_hash_rounds": 16, - "irods_encryption_algorithm": "AES-256-CBC" }) - with open(env_file,'w') as f: - json.dump(env,f) - with helpers.make_session() as session: - session.collections.get('/{session.zone}/home/{session.username}'.format(**locals())) - + my_ssl_directory = '' + try: + with helpers.file_backed_up(env_file): + with open(env_file) as env_file_handle: + env = json.load( env_file_handle ) + my_ssl_directory = tempfile.mkdtemp(dir = os.path.expanduser("~")) + # Elect for efficiency in DH param generation, eg. when setting up for testing. + create_ssl_dir(ssl_dir = my_ssl_directory, use_strong_primes_for_dh_generation = False) + settings_to_update = {key:value.replace("/etc/irods/ssl",my_ssl_directory) + for key,value in env.items() if type(value) is str and value.startswith("/etc/irods/ssl")} + settings_to_update["irods_ssl_verify_server"] = "none" + env.update( settings_to_update ) + with open(env_file,'w') as f: + json.dump(env,f) + with helpers.make_session() as session: + session.collections.get('/{session.zone}/home/{session.username}'.format(**locals())) + finally: + if my_ssl_directory: + shutil.rmtree(my_ssl_directory) if __name__ == '__main__': # let the tests find the parent irods lib diff --git a/irods/test/test_ssl_context.bats b/irods/test/test_ssl_context.bats index b037b8dea..8c92791a5 100755 --- a/irods/test/test_ssl_context.bats +++ b/irods/test/test_ssl_context.bats @@ -143,7 +143,7 @@ teardown() { # THE TESTS THEMSELVES @test "basic_test" { - json_config -i $IRODS_LOCAL_ENV 'verify_server="host"' + json_config -i $IRODS_LOCAL_ENV 'verify_server="hostname"' python3 $REPO_SCRIPTS/ssl_test_client.py }