[ 7274] Replace plugin-specific auth configs with general one

The plugin-specific auth configurations (authentication::pam_password and authentication::native) have been replaced by a general config for all auth schemes. The string in R_GRID_CONFIGURATION is now just "authentication".
alanking · Sep 29, 2023 · d036bb8 · d036bb8
1 parent a802b08
commit d036bb8
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 20 deletions.
diff --git a/plugins/database/src/db_plugin.cpp b/plugins/database/src/db_plugin.cpp
@@ -6596,9 +6596,7 @@ irods::error db_check_auth_op(
     expireTime = atoll( goodPwExpiry );
     getNowStr( myTime );
 
-    /* Check for PAM_AUTH type passwords */
-
-    if (const auto err = get_auth_config("authentication::pam_password", ac); !err.ok()) {
+    if (const auto err = get_auth_config("authentication", ac); !err.ok()) {
         log_db::error("Failed to get auth configuration. [{}]", err.result());
         return err;
     }
@@ -7095,7 +7093,7 @@ irods::error db_make_limited_pw_op(
     getNowStr( myTime );
 
     auth_config ac{};
-    if (const auto err = get_auth_config("authentication::native", ac); !err.ok()) {
+    if (const auto err = get_auth_config("authentication", ac); !err.ok()) {
         log_db::error("Failed to get auth configuration. [{}]", err.result());
         return err;
     }
@@ -7235,7 +7233,7 @@ auto db_update_pam_password_op(irods::plugin_context& _ctx,
     getNowStr( myTime );
 
     auth_config ac{};
-    if (const auto err = get_auth_config("authentication::pam_password", ac); !err.ok()) {
+    if (const auto err = get_auth_config("authentication", ac); !err.ok()) {
         log_db::error("Failed to get auth configuration. [{}]", err.result());
         return err;
     }
@@ -7573,7 +7571,7 @@ irods::error db_mod_user_op(
 
     if ( strncmp( _option, "rmPamPw", 9 ) == 0 ) {
         auth_config ac{};
-        if (const auto err = get_auth_config("authentication::pam_password", ac); !err.ok()) {
+        if (const auto err = get_auth_config("authentication", ac); !err.ok()) {
             log_db::error("Failed to get auth configuration. [{}]", err.result());
             return err;
         }

diff --git a/scripts/irods/database_upgrade.py b/scripts/irods/database_upgrade.py
@@ -175,10 +175,10 @@ def run_update(irods_config, cursor):
             'password_max_time': str(pam_password_config.get('password_max_time', 1209600))
         }
 
-        scheme_namespaces = ['authentication::pam_password', 'authentication::native']
+        scheme_namespaces = ['authentication']
         statement_str = "insert into R_GRID_CONFIGURATION (namespace, option_name, option_value) values ('{}','{}','{}');"
         # pam_password configurations for password lifetime have always been used with native authentication as well.
-        # The configurations are now separately configurable.
+        # The new configurations shall continue to configure both schemes, but under a more generic namespace.
         for scheme in scheme_namespaces:
             for option in password_config_dict:
                 database_connect.execute_sql_statement(cursor, statement_str.format(scheme, option, password_config_dict[option]))

diff --git a/scripts/irods/test/test_iadmin_set_grid_configuration.py b/scripts/irods/test/test_iadmin_set_grid_configuration.py
@@ -42,7 +42,7 @@ def test_nonexistent_namespace(self):
             f'Failed to get grid configuration for namespace [{bad_namespace}] and option [{option_name}] [ec=-808000]')
 
     def test_no_option_name(self):
-        namespace = 'authentication::native'
+        namespace = 'authentication'
         self.admin.assert_icommand(
             ['iadmin', 'get_grid_configuration', namespace],
             'STDERR', 'Error: option name must be between 1 and 2699 characters.')
@@ -51,23 +51,23 @@ def test_really_long_option_name(self):
         # The input buffer to set_grid_configuration_value API is only 2700 characters long. If a value of 2700
         # characters or more is fed to the input struct for the set_pam_password_config API, packstruct gives an error.
         # iadmin will catch this case and show a slightly more presentable error, which is checked in this test.
-        namespace = 'authentication::native'
+        namespace = 'authentication'
         really_long_option_name = 'this_is_27_characters_long_' * 100
 
         self.admin.assert_icommand(
             ['iadmin', 'set_grid_configuration', namespace, really_long_option_name],
             'STDERR', 'Error: option name must be between 1 and 2699 characters.')
 
     def test_nonexistent_option_name(self):
-        namespace = 'authentication::native'
+        namespace = 'authentication'
         bad_option_name = 'nopes'
 
         self.admin.assert_icommand(
             ['iadmin', 'get_grid_configuration', namespace, bad_option_name], 'STDERR',
             f'Failed to get grid configuration for namespace [{namespace}] and option [{bad_option_name}] [ec=-808000]')
 
     def test_get_grid_configuration_valid(self):
-        namespace = 'authentication::native'
+        namespace = 'authentication'
         option_name = 'password_max_time'
 
         # Assert that a value is returned and that there are no errors.
@@ -112,7 +112,7 @@ def test_nonexistent_namespace(self):
             f'Failed to set grid configuration for namespace [{bad_namespace}] and option [{option_name}] [ec=-808000]')
 
     def test_no_option_name(self):
-        namespace = 'authentication::native'
+        namespace = 'authentication'
         self.admin.assert_icommand(
             ['iadmin', 'set_grid_configuration', namespace],
             'STDERR', 'Error: option name must be between 1 and 2699 characters.')
@@ -121,7 +121,7 @@ def test_really_long_option_name(self):
         # The input buffer to set_grid_configuration_value API is only 2700 characters long. If a value of 2700
         # characters or more is fed to the input struct for the set_pam_password_config API, packstruct gives an error.
         # iadmin will catch this case and show a slightly more presentable error, which is checked in this test.
-        namespace = 'authentication::native'
+        namespace = 'authentication'
         really_long_option_name = 'this_is_27_characters_long_' * 100
         option_value = '1000'
 
@@ -130,7 +130,7 @@ def test_really_long_option_name(self):
             'STDERR', 'Error: option name must be between 1 and 2699 characters.')
 
     def test_nonexistent_option_name(self):
-        namespace = 'authentication::native'
+        namespace = 'authentication'
         bad_option_name = 'nopes'
         option_value = '1000'
 
@@ -139,14 +139,14 @@ def test_nonexistent_option_name(self):
             f'Failed to set grid configuration for namespace [{namespace}] and option [{bad_option_name}] [ec=-808000]')
 
     def test_no_option_value(self):
-        namespace = 'authentication::native'
+        namespace = 'authentication'
         option_name = 'password_max_time'
         self.admin.assert_icommand(
             ['iadmin', 'set_grid_configuration', namespace, option_name],
             'STDERR', 'Error: option value must be between 1 and 2699 characters.')
 
     def test_really_long_option_value(self):
-        namespace = 'authentication::native'
+        namespace = 'authentication'
         option_name = 'password_max_time'
 
         # The input buffer to set_grid_configuration_value API is only 2700 characters long. If a value of 2700
@@ -167,7 +167,7 @@ def test_really_long_option_value(self):
             self.admin.assert_icommand(['iadmin', 'get_grid_configuration', namespace, option_name], 'STDOUT')[1])
 
     def test_set_grid_configuration_valid(self):
-        namespace = 'authentication::native'
+        namespace = 'authentication'
         option_name = 'password_max_time'
 
         original_value = self.admin.assert_icommand(
@@ -188,7 +188,7 @@ def test_set_grid_configuration_valid(self):
             self.admin.run_icommand(['iadmin', 'set_grid_configuration', namespace, option_name, original_value])
 
     def test_set_invalid_grid_configuration_with_option_name_that_is_protected_in_another_namespace(self):
-        namespace = 'authentication::native'
+        namespace = 'authentication'
         option_name = 'schema_version'
 
         # Make sure this namespace doesn't have the option_name used in the test...
@@ -274,7 +274,7 @@ def test_set_delay_server_namespace_is_protected_even_with_invalid_option_name(s
 
     def test_set_delay_server_namespace_is_protected_even_with_option_name_from_unprotected_namespaces(self):
         namespace = 'delay_server'
-        other_namespace = 'authentication::native'
+        other_namespace = 'authentication'
         option_name = 'password_max_time'
         option_value = 'shenanigans!'