irods · alanking · Apr 25, 2024 · Mar 14, 2024
diff --git a/irods/connection.py b/irods/connection.py
@@ -181,14 +181,14 @@ def requires_cs_negotiation(self):
 
     @staticmethod
     def make_ssl_context(irods_account):
-        check_hostname = getattr(irods_account,'ssl_verify_server','hostname')
+        verify_server = getattr(irods_account,'ssl_verify_server','hostname')
         CAfile = getattr(irods_account,'ssl_ca_certificate_file',None)
         CApath = getattr(irods_account,'ssl_ca_certificate_path',None)
-        verify = ssl.CERT_NONE if (None is CAfile is CApath) else ssl.CERT_REQUIRED
+        verify = ssl.CERT_NONE if ((None is CAfile is CApath) or verify_server == 'none') else ssl.CERT_REQUIRED
         # See https://stackoverflow.com/questions/30461969/disable-default-certificate-verification-in-python-2-7-9/49040695#49040695
         ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=CAfile, capath=CApath)
         # Note: check_hostname must be assigned prior to verify_mode property or Python library complains!
-        ctx.check_hostname = (check_hostname.startswith('host') and verify != ssl.CERT_NONE)
+        ctx.check_hostname = (verify_server == 'hostname' and verify != ssl.CERT_NONE)
         ctx.verify_mode = verify
         return ctx
 

diff --git a/irods/test/login_auth_test.py b/irods/test/login_auth_test.py
@@ -24,6 +24,7 @@
 from re import compile as regex
 import gc
 import six
+from irods.test.setupssl import create_ssl_dir
 
 #
 # Allow override to specify the PAM password in effect for the test rodsuser.
@@ -57,7 +58,7 @@ def env_dir_fullpath(authtype):  return os.path.join( os.environ['HOME'] , '.iro
 def json_env_fullpath(authtype):  return os.path.join( env_dir_fullpath(authtype), 'irods_environment.json')
 def secrets_fullpath(authtype):   return os.path.join( env_dir_fullpath(authtype), '.irodsA')
 
-SERVER_ENV_PATH = os.path.expanduser('~irods/.irods/irods_environment.json')
+RODSADMIN_ENV_PATH = os.path.expanduser('~/.irods/irods_environment.json')
 
 SERVER_ENV_SSL_SETTINGS = {
     "irods_ssl_certificate_chain_file": "/etc/irods/ssl/irods.crt",
@@ -67,9 +68,6 @@ def secrets_fullpath(authtype):   return os.path.join( env_dir_fullpath(authtype
     "irods_ssl_verify_server": "cert"
 }
 
-def update_service_account_for_SSL():
-    json_file_update( SERVER_ENV_PATH, **SERVER_ENV_SSL_SETTINGS )
-
 CLIENT_OPTIONS_FOR_SSL = {
     "irods_client_server_policy": "CS_NEG_REQUIRE",
     "irods_client_server_negotiation": "request_server_negotiation",
@@ -82,9 +80,9 @@ def update_service_account_for_SSL():
 }
 
 
-def client_env_from_server_env(user_name, auth_scheme=""):
+def client_env_keys_from_admin_env(user_name, auth_scheme=""):
     cli_env = {}
-    with open(SERVER_ENV_PATH) as f:
+    with open(RODSADMIN_ENV_PATH) as f:
         srv_env = json.load(f)
         for k in [ "irods_host", "irods_zone_name", "irods_port"  ]:
             cli_env [k] = srv_env[k]
@@ -163,7 +161,7 @@ def create_env_dirs(self):
         # -- create environment configurations and secrets
         with pam_password_in_plaintext():
             for dirname,lookup in self.user_auth_envs.items():
-                if lookup['AUTH'] == 'pam':
+                if lookup['AUTH'] in ('pam','pam_password'):
                     ses = iRODSSession( host=gethostname(),
                                         user=lookup['USER'],
                                         zone='tempZone',
@@ -179,7 +177,7 @@ def create_env_dirs(self):
                #elif lookup['AUTH'] == 'XXXXXX': # TODO: insert other authentication schemes here
                 elif lookup['AUTH'] in ('native', '',None):
                     scrambled_pw = pw_encode( lookup['PASSWORD'] )
-                cl_env = client_env_from_server_env(TEST_RODS_USER)
+                cl_env = client_env_keys_from_admin_env(TEST_RODS_USER)
                 if lookup.get('AUTH',None) is not None:     # - specify auth scheme only if given
                     cl_env['irods_authentication_scheme'] = lookup['AUTH']
                 dirbase = os.path.join(os.environ['HOME'],dirname)
@@ -199,18 +197,19 @@ def create_env_dirs(self):
         retval = dirs.keys()
         return retval
 
+    PAM_SCHEME_STRING = 'pam'
 
     @classmethod
     def setUpClass(cls):
         cls.admin = helpers.make_session()
+        if cls.admin.server_version >= (4,3):
+            cls.PAM_SCHEME_STRING = cls.user_auth_envs['.irods.pam']['AUTH'] = 'pam_password'
 
     @classmethod
     def tearDownClass(cls):
         cls.admin.cleanup()
 
     def setUp(self):
-        if os.environ['HOME'] != '/var/lib/irods':
-            self.skipTest('Must be run as irods')
         super(TestLogins,self).setUp()
 
     def tearDown(self):
@@ -244,12 +243,14 @@ def _setup_rodsuser_and_optional_pw(self, name, make_irods_pw = False):
             self.admin.users.remove( name )
 
     def tst0(self, ssl_opt, auth_opt, env_opt, name = TEST_RODS_USER, make_irods_pw = False):
-
+        _auth_opt = auth_opt
+        if auth_opt in ('pam', 'pam_password'):
+            auth_opt = self.PAM_SCHEME_STRING
         with self._setup_rodsuser_and_optional_pw(name = name, make_irods_pw = make_irods_pw):
             self.envdirs = self.create_env_dirs()
             if not self.envdirs:
                 raise RuntimeError('Could not create one or more client environments')
-            auth_opt_explicit = 'native' if auth_opt=='' else  auth_opt
+            auth_opt_explicit = 'native' if _auth_opt=='' else  _auth_opt
             verbosity=False
             #verbosity='' # -- debug - sanity check by printing out options applied
             out = {'':''}
@@ -282,7 +283,7 @@ def tst0(self, ssl_opt, auth_opt, env_opt, name = TEST_RODS_USER, make_irods_pw
                                                                    cadata = None,
                                                                    cafile = SSL_cert),
                         **CLIENT_OPTIONS_FOR_SSL )
-                lookup = self.user_auth_envs ['.irods.'+('native' if not(auth_opt) else auth_opt)]
+                lookup = self.user_auth_envs ['.irods.'+('native' if not(_auth_opt) else _auth_opt)]
                 session = iRODSSession ( host=gethostname(),
                                          user=lookup['USER'],
                                          zone='tempZone',
@@ -508,22 +509,25 @@ def setUp(self):
 
     def test_ssl_with_server_verify_set_to_none_281(self):
         env_file = os.path.expanduser('~/.irods/irods_environment.json')
-        with helpers.file_backed_up(env_file):
-            with open(env_file) as env_file_handle:
-                env = json.load( env_file_handle )
-            env.update({ "irods_client_server_negotiation": "request_server_negotiation",
-                         "irods_client_server_policy": "CS_NEG_REQUIRE",
-                         "irods_ssl_ca_certificate_file": "/path/to/some/file.crt",  # does not need to exist
-                         "irods_ssl_verify_server": "none",
-                         "irods_encryption_key_size": 32,
-                         "irods_encryption_salt_size": 8,
-                         "irods_encryption_num_hash_rounds": 16,
-                         "irods_encryption_algorithm": "AES-256-CBC" })
-            with open(env_file,'w') as f:
-                json.dump(env,f)
-            with helpers.make_session() as session:
-                session.collections.get('/{session.zone}/home/{session.username}'.format(**locals()))
-
+        my_ssl_directory = ''
+        try:
+            with helpers.file_backed_up(env_file):
+                with open(env_file) as env_file_handle:
+                    env = json.load( env_file_handle )
+                my_ssl_directory = tempfile.mkdtemp(dir = os.path.expanduser("~"))
+                # Elect for efficiency in DH param generation, eg. when setting up for testing.
+                create_ssl_dir(ssl_dir = my_ssl_directory, use_strong_primes_for_dh_generation = False)
+                settings_to_update = {key:value.replace("/etc/irods/ssl",my_ssl_directory)
+                                  for key,value in env.items() if type(value) is str and value.startswith("/etc/irods/ssl")}
+                settings_to_update["irods_ssl_verify_server"] = "none"
+                env.update( settings_to_update )
+                with open(env_file,'w') as f:
+                    json.dump(env,f)
+                with helpers.make_session() as session:
+                    session.collections.get('/{session.zone}/home/{session.username}'.format(**locals()))
+        finally:
+            if my_ssl_directory:
+                shutil.rmtree(my_ssl_directory)
 
 if __name__ == '__main__':
     # let the tests find the parent irods lib

diff --git a/irods/test/test_ssl_context.bats b/irods/test/test_ssl_context.bats
@@ -143,7 +143,7 @@ teardown() {
 # THE TESTS THEMSELVES
 
 @test "basic_test" {
-    json_config -i $IRODS_LOCAL_ENV 'verify_server="host"'
+    json_config -i $IRODS_LOCAL_ENV 'verify_server="hostname"'
     python3 $REPO_SCRIPTS/ssl_test_client.py
 }