[_517] allow generating a pam-password based .irodsA if not pre-existing

irods · Mar 23, 2024 · 4b6b3e8 · 4b6b3e8
1 parent cdd47ab
commit 4b6b3e8
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 10 deletions.
diff --git a/irods/account.py b/irods/account.py
@@ -1,15 +1,25 @@
+import os
+
 class iRODSAccount(object):
 
+    @property
+    def derived_auth_file(self):
+        return '' if not self.env_file else os.path.join(os.path.dirname(self.env_file),'.irodsA')
+
     def __init__(self, irods_host, irods_port, irods_user_name, irods_zone_name,
                  irods_authentication_scheme='native',
                  password=None, client_user=None,
-                 server_dn=None, client_zone=None, **kwargs):
+                 server_dn=None, client_zone=None,
+                 env_file = '',
+                 **kwargs):
+
 
         # Allowed overrides when cloning sessions. (Currently hostname only.)
         for k,v in kwargs.pop('_overrides',{}).items():
             if k =='irods_host':
                 irods_host = v
 
+        self.env_file = env_file
         tuplify = lambda _: _ if isinstance(_,(list,tuple)) else (_,)
         schemes = [_.lower() for _ in tuplify(irods_authentication_scheme)]
 

diff --git a/irods/connection.py b/irods/connection.py
@@ -461,7 +461,6 @@ def _login_gsi(self):
         logger.info("GSI authorization validated")
 
     def _login_pam(self):
-
         import irods.client_configuration as cfg
         inline_password = (self.account.authentication_scheme == self.account._original_authentication_scheme)
         # By default, let server determine the TTL.
@@ -533,8 +532,9 @@ def _login_pam(self):
         self._login_native(password = auth_out.result_)
 
         # Store new password in .irodsA if requested.
-        if self.account._auth_file and cfg.legacy_auth.pam.store_password_to_environment:
-            with open(self.account._auth_file,'w') as f:
+        auth_file = (self.account._auth_file or self.account.derived_auth_file)
+        if auth_file and cfg.legacy_auth.pam.store_password_to_environment:
+            with open(auth_file,'w') as f:
                 f.write(obf.encode(auth_out.result_))
                 logger.debug('new PAM pw write succeeded')
 

diff --git a/irods/session.py b/irods/session.py
@@ -195,10 +195,9 @@ def cleanup(self, new_host = ''):
             self.__configured = self.configure(**self.do_configure)
 
     def _configure_account(self, **kwargs):
-
+        env_file = None
         try:
             env_file = kwargs['irods_env_file']
-
         except KeyError:
             # For backward compatibility
             for key in ['host', 'port', 'authentication_scheme']:
@@ -217,6 +216,9 @@ def _configure_account(self, **kwargs):
         # Update with new keywords arguments only
         creds.update((key, value) for key, value in kwargs.items() if key not in creds)
 
+        if env_file:
+            creds['env_file'] = env_file
+
         # Get auth scheme
         try:
             auth_scheme = creds['irods_authentication_scheme']
@@ -244,10 +246,11 @@ def _configure_account(self, **kwargs):
         missing_file_path = []
         error_args = []
         pw = creds['password'] = self.get_irods_password(session_ = self, file_path_if_not_found = missing_file_path, **creds)
-        if not pw and creds.get('irods_user_name') != 'anonymous':
-            if missing_file_path:
-                error_args += ["Authentication file not found at {!r}".format(missing_file_path[0])]
-            raise NonAnonymousLoginWithoutPassword(*error_args)
+        if auth_scheme.lower() not in PAM_AUTH_SCHEMES:
+            if not pw and creds.get('irods_user_name') != 'anonymous':
+                if missing_file_path:
+                    error_args += ["Authentication file not found at {!r}".format(missing_file_path[0])]
+                raise NonAnonymousLoginWithoutPassword(*error_args)
 
         return iRODSAccount(**creds)