7274.m

lib/core/src/clientLogin.cpp

@@ -253,7 +253,8 @@ int clientLoginTTL( rcComm_t *Conn, int ttl ) {
     if ( int status = rcGetLimitedPassword( Conn,
                 &getLimitedPasswordInp,
                 &getLimitedPasswordOut ) ) {
-        allocate_if_necessary_and_add_rError_msg(&Conn->rError, status, "rcGetLimitedPassword");
+        const auto msg = fmt::format("rcGetLimitedPassword failed with error [{}]", status);
+        allocate_if_necessary_and_add_rError_msg(&Conn->rError, status, msg.c_str());
         memset( userPassword, 0, sizeof( userPassword ) );
         return status;
     }

plugins/database/src/db_plugin.cpp

@@ -6596,9 +6596,7 @@ irods::error db_check_auth_op(
     expireTime = atoll( goodPwExpiry );
     getNowStr( myTime );
 
-    /* Check for PAM_AUTH type passwords */
-
-    if (const auto err = get_auth_config("authentication::pam_password", ac); !err.ok()) {
+    if (const auto err = get_auth_config("authentication", ac); !err.ok()) {
         log_db::error("Failed to get auth configuration. [{}]", err.result());
         return err;
     }
@@ -7095,20 +7093,22 @@ irods::error db_make_limited_pw_op(
     getNowStr( myTime );
 
     auth_config ac{};
-    if (const auto err = get_auth_config("authentication::native", ac); !err.ok()) {
+    if (const auto err = get_auth_config("authentication", ac); !err.ok()) {
         log_db::error("Failed to get auth configuration. [{}]", err.result());
         return err;
     }
 
-    if (_ttl < ac.password_min_time || _ttl > ac.password_max_time) {
-        log_db::error(
-            "Invalid TTL - min time: [{}] max time:[{}] ttl: [{}]", ac.password_min_time, ac.password_max_time, _ttl);
+    // NOLINTNEXTLINE(cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers)
+    int timeToLive = _ttl * 3600; /* convert input hours to seconds */
+    if (timeToLive < ac.password_min_time || timeToLive > ac.password_max_time) {
+        log_db::error("Invalid TTL - min time: [{}] max time:[{}] ttl: [{}]",
+                      ac.password_min_time,
+                      ac.password_max_time,
+                      timeToLive);
         return ERROR( PAM_AUTH_PASSWORD_INVALID_TTL, "invalid ttl" );
     }
 
     /* Insert the limited password */
-    // NOLINTNEXTLINE(cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers)
-    int timeToLive = _ttl * 3600; /* convert input hours to seconds */
     snprintf( expTime, sizeof expTime, "%d", timeToLive );
     cllBindVars[cllBindVarCount++] = _ctx.comm()->clientUser.userName;
     // NOLINTNEXTLINE(cppcoreguidelines-pro-bounds-constant-array-index)
@@ -7233,7 +7233,7 @@ auto db_update_pam_password_op(irods::plugin_context& _ctx,
     getNowStr( myTime );
 
     auth_config ac{};
-    if (const auto err = get_auth_config("authentication::pam_password", ac); !err.ok()) {
+    if (const auto err = get_auth_config("authentication", ac); !err.ok()) {
         log_db::error("Failed to get auth configuration. [{}]", err.result());
         return err;
     }
@@ -7571,7 +7571,7 @@ irods::error db_mod_user_op(
 
     if ( strncmp( _option, "rmPamPw", 9 ) == 0 ) {
         auth_config ac{};
-        if (const auto err = get_auth_config("authentication::pam_password", ac); !err.ok()) {
+        if (const auto err = get_auth_config("authentication", ac); !err.ok()) {
             log_db::error("Failed to get auth configuration. [{}]", err.result());
             return err;
         }

scripts/core_tests_list.json

@@ -96,9 +96,10 @@
     "test_izonereport",
     "test_load_balanced_suite",
     "test_misc",
+    "test_native_authentication.test_configurations",
     "test_native_rule_engine_plugin",
     "test_negotiation",
-    "test_pam_password.test_configurations",
+    "test_pam_password_authentication.test_configurations",
     "test_prep_genquery_iterator",
     "test_python_rule_engine_plugin",
     "test_quotas",

scripts/irods/database_upgrade.py

@@ -175,10 +175,10 @@ def run_update(irods_config, cursor):
             'password_max_time': str(pam_password_config.get('password_max_time', 1209600))
         }
 
-        scheme_namespaces = ['authentication::pam_password', 'authentication::native']
+        scheme_namespaces = ['authentication']
         statement_str = "insert into R_GRID_CONFIGURATION (namespace, option_name, option_value) values ('{}','{}','{}');"
         # pam_password configurations for password lifetime have always been used with native authentication as well.
-        # The configurations are now separately configurable.
+        # The new configurations shall continue to configure both schemes, but under a more generic namespace.
         for scheme in scheme_namespaces:
             for option in password_config_dict:
                 database_connect.execute_sql_statement(cursor, statement_str.format(scheme, option, password_config_dict[option]))

scripts/irods/test/test_iadmin_set_grid_configuration.py

@@ -42,7 +42,7 @@ def test_nonexistent_namespace(self):
             f'Failed to get grid configuration for namespace [{bad_namespace}] and option [{option_name}] [ec=-808000]')
 
     def test_no_option_name(self):
-        namespace = 'authentication::native'
+        namespace = 'authentication'
         self.admin.assert_icommand(
             ['iadmin', 'get_grid_configuration', namespace],
             'STDERR', 'Error: option name must be between 1 and 2699 characters.')
@@ -51,23 +51,23 @@ def test_really_long_option_name(self):
         # The input buffer to set_grid_configuration_value API is only 2700 characters long. If a value of 2700
         # characters or more is fed to the input struct for the set_pam_password_config API, packstruct gives an error.
         # iadmin will catch this case and show a slightly more presentable error, which is checked in this test.
-        namespace = 'authentication::native'
+        namespace = 'authentication'
         really_long_option_name = 'this_is_27_characters_long_' * 100
 
         self.admin.assert_icommand(
             ['iadmin', 'set_grid_configuration', namespace, really_long_option_name],
             'STDERR', 'Error: option name must be between 1 and 2699 characters.')
 
     def test_nonexistent_option_name(self):
-        namespace = 'authentication::native'
+        namespace = 'authentication'
         bad_option_name = 'nopes'
 
         self.admin.assert_icommand(
             ['iadmin', 'get_grid_configuration', namespace, bad_option_name], 'STDERR',
             f'Failed to get grid configuration for namespace [{namespace}] and option [{bad_option_name}] [ec=-808000]')
 
     def test_get_grid_configuration_valid(self):
-        namespace = 'authentication::native'
+        namespace = 'authentication'
         option_name = 'password_max_time'
 
         # Assert that a value is returned and that there are no errors.
@@ -112,7 +112,7 @@ def test_nonexistent_namespace(self):
             f'Failed to set grid configuration for namespace [{bad_namespace}] and option [{option_name}] [ec=-808000]')
 
     def test_no_option_name(self):
-        namespace = 'authentication::native'
+        namespace = 'authentication'
         self.admin.assert_icommand(
             ['iadmin', 'set_grid_configuration', namespace],
             'STDERR', 'Error: option name must be between 1 and 2699 characters.')
@@ -121,7 +121,7 @@ def test_really_long_option_name(self):
         # The input buffer to set_grid_configuration_value API is only 2700 characters long. If a value of 2700
         # characters or more is fed to the input struct for the set_pam_password_config API, packstruct gives an error.
         # iadmin will catch this case and show a slightly more presentable error, which is checked in this test.
-        namespace = 'authentication::native'
+        namespace = 'authentication'
         really_long_option_name = 'this_is_27_characters_long_' * 100
         option_value = '1000'
 
@@ -130,7 +130,7 @@ def test_really_long_option_name(self):
             'STDERR', 'Error: option name must be between 1 and 2699 characters.')
 
     def test_nonexistent_option_name(self):
-        namespace = 'authentication::native'
+        namespace = 'authentication'
         bad_option_name = 'nopes'
         option_value = '1000'
 
@@ -139,14 +139,14 @@ def test_nonexistent_option_name(self):
             f'Failed to set grid configuration for namespace [{namespace}] and option [{bad_option_name}] [ec=-808000]')
 
     def test_no_option_value(self):
-        namespace = 'authentication::native'
+        namespace = 'authentication'
         option_name = 'password_max_time'
         self.admin.assert_icommand(
             ['iadmin', 'set_grid_configuration', namespace, option_name],
             'STDERR', 'Error: option value must be between 1 and 2699 characters.')
 
     def test_really_long_option_value(self):
-        namespace = 'authentication::native'
+        namespace = 'authentication'
         option_name = 'password_max_time'
 
         # The input buffer to set_grid_configuration_value API is only 2700 characters long. If a value of 2700
@@ -167,7 +167,7 @@ def test_really_long_option_value(self):
             self.admin.assert_icommand(['iadmin', 'get_grid_configuration', namespace, option_name], 'STDOUT')[1])
 
     def test_set_grid_configuration_valid(self):
-        namespace = 'authentication::native'
+        namespace = 'authentication'
         option_name = 'password_max_time'
 
         original_value = self.admin.assert_icommand(
@@ -188,7 +188,7 @@ def test_set_grid_configuration_valid(self):
             self.admin.run_icommand(['iadmin', 'set_grid_configuration', namespace, option_name, original_value])
 
     def test_set_invalid_grid_configuration_with_option_name_that_is_protected_in_another_namespace(self):
-        namespace = 'authentication::native'
+        namespace = 'authentication'
         option_name = 'schema_version'
 
         # Make sure this namespace doesn't have the option_name used in the test...
@@ -274,7 +274,7 @@ def test_set_delay_server_namespace_is_protected_even_with_invalid_option_name(s
 
     def test_set_delay_server_namespace_is_protected_even_with_option_name_from_unprotected_namespaces(self):
         namespace = 'delay_server'
-        other_namespace = 'authentication::native'
+        other_namespace = 'authentication'
         option_name = 'password_max_time'
         option_value = 'shenanigans!'