[_362][_522][_523] allow '=' and ';' in PAM passwords

irods · Mar 23, 2024 · 2d19eac · 2d19eac
1 parent 6a17f6f
commit 2d19eac
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 11 deletions.
diff --git a/irods/api_number.py b/irods/api_number.py
@@ -179,5 +179,7 @@
     "GET_RESOURCE_INFO_FOR_OPERATION_AN": 10220,
     "ATOMIC_APPLY_METADATA_OPERATIONS_APN": 20002,
     "GET_FILE_DESCRIPTOR_INFO_APN": 20000,
-    "REPLICA_CLOSE_APN": 20004
+    "REPLICA_CLOSE_APN": 20004,
+
+    "AUTH_PLUG_REQ_AN": 1201
 }
diff --git a/irods/connection.py b/irods/connection.py
@@ -25,8 +25,6 @@
 from irods.message import (PamAuthRequest, PamAuthRequestOut)
 
 
-
-ALLOW_PAM_LONG_TOKENS = True      # True to fix [#279]
 # Message to be logged when the connection
 # destructor is called. Used in a unit test
 DESTRUCTOR_MSG = "connection __del__() called"
@@ -493,9 +491,10 @@ def _login_pam(self):
             if getattr(self,'DISALLOWING_PAM_PLAINTEXT',True):
                 raise PlainTextPAMPasswordError
 
-        Pam_Long_Tokens = (ALLOW_PAM_LONG_TOKENS and (len(ctx) >= MAX_NAME_LEN))
+        use_dedicated_pam_api = len(ctx) >= MAX_NAME_LEN or \
+                                {';','='}.intersection(set(new_pam_password))
 
-        if Pam_Long_Tokens:
+        if use_dedicated_pam_api:
             message_body = PamAuthRequest( pamUser = self.account.client_user,
                                            pamPassword = new_pam_password,
                                            timeToLive = time_to_live_in_hours)
@@ -505,7 +504,7 @@ def _login_pam(self):
         auth_req = iRODSMessage(
             msg_type='RODS_API_REQ',
             msg=message_body,
-            int_info=(725 if Pam_Long_Tokens else 1201)
+            int_info=api_number['PAM_AUTH_REQUEST_AN' if use_dedicated_pam_api else 'AUTH_PLUG_REQ_AN']
         )
 
         self.send(auth_req)
@@ -516,8 +515,7 @@ def _login_pam(self):
             # TODO (#480): In Python3 will be able to do: 'raise RuntimeError(...) from exc' for more succinct error messages
             raise RuntimeError('Client-configured TTL is outside server parameters (password min and max times)')
 
-        Pam_Response_Class = (PamAuthRequestOut if Pam_Long_Tokens
-                         else AuthPluginOut)
+        Pam_Response_Class = (PamAuthRequestOut if use_dedicated_pam_api else AuthPluginOut)
 
         auth_out = output_message.get_main_message( Pam_Response_Class )
 

diff --git a/irods/test/PRC_issue_362.bats b/irods/test/PRC_issue_362.bats
@@ -50,7 +50,6 @@ prc_test()
 }
 
 @test "test_with_atsymbol" { prc_test; }
-# TODO: investigate: the following two cases fail with SYS_BAD_INPUT (when tested with iRODS 4.3.1)
-#@test "test_with_semicolon" { prc_test; }
-#@test "test_with_equals" { prc_test; }
+@test "test_with_semicolon" { prc_test; }
+@test "test_with_equals" { prc_test; }
 @test "test_with_ampersand" { prc_test; }