squash w/ 99b1ac6. test infra for pam

Author: korydraughn

irods/src/test/resources/docker/docker-compose.pam.yml

@@ -0,0 +1,27 @@
+name: cyberduck-irods-testing
+
+services:
+  irods-catalog:
+    build:
+      context: irods_catalog
+    environment:
+      - POSTGRES_PASSWORD=testpassword
+    restart: always
+
+  irods-catalog-provider:
+    build:
+      context: irods_catalog_provider_pam
+    init: true
+    ports:
+      - "1347:1247"
+    shm_size: 100mb
+    healthcheck:
+      test: ["CMD-SHELL", "su - irods -c 'ils || exit 1'"]
+      interval: 10s
+      timeout: 10s
+      retries: 3
+      start_period: 20s
+      start_interval: 10s
+    restart: always
+    depends_on:
+      - irods-catalog

irods/src/test/resources/docker/irods_catalog_provider/Dockerfile

@@ -1,5 +1,6 @@
 FROM ubuntu:24.04
 
+SHELL [ "/bin/bash", "-c" ]
 ENV DEBIAN_FRONTEND=noninteractive
 
 RUN apt-get update && \

irods/src/test/resources/docker/irods_catalog_provider_pam/Dockerfile

@@ -0,0 +1,62 @@
+FROM ubuntu:24.04
+
+SHELL [ "/bin/bash", "-c" ]
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && \
+    apt-get install -y \
+        apt-transport-https \
+        gnupg \
+        wget \
+        netcat-traditional \
+    && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /tmp/*
+
+RUN mkdir -p /etc/apt/keyrings && \
+    wget -qO - https://packages.irods.org/irods-signing-key.asc | \
+        gpg \
+            --no-options \
+            --no-default-keyring \
+            --no-auto-check-trustdb \
+            --homedir /dev/null \
+            --no-keyring \
+            --import-options import-export \
+            --output /etc/apt/keyrings/renci-irods-archive-keyring.pgp \
+            --import \
+        && \
+    echo "deb [signed-by=/etc/apt/keyrings/renci-irods-archive-keyring.pgp arch=amd64] https://packages.irods.org/apt/ noble main" | \
+        tee /etc/apt/sources.list.d/renci-irods.list
+
+RUN apt-get update && \
+    apt-get install -y \
+        libcurl4-gnutls-dev \
+        python3 \
+        python3-distro \
+        python3-jsonschema \
+        python3-pip \
+        python3-psutil \
+        python3-requests \
+        rsyslog \
+        unixodbc \
+    && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /tmp/*
+
+ARG irods_version=5.0.2
+ARG irods_package_version_suffix=-0~noble
+ARG irods_package_version=${irods_version}${irods_package_version_suffix}
+
+RUN apt-get update && \
+    apt-get install -y \
+        irods-database-plugin-postgres=${irods_package_version} \
+        irods-runtime=${irods_package_version} \
+        irods-server=${irods_package_version} \
+        irods-icommands=${irods_package_version} \
+    && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /tmp/*
+
+COPY unattended_install.json pam_password /
+COPY --chmod=755 entrypoint.sh /
+ENTRYPOINT ["./entrypoint.sh"]

irods/src/test/resources/docker/irods_catalog_provider_pam/entrypoint.sh

@@ -0,0 +1,44 @@
+#! /bin/bash -e
+
+echo "Waiting for iRODS catalog database to be ready"
+catalog_db_hostname=irods-catalog
+until pg_isready -h ${catalog_db_hostname} -d ICAT -U irods -q; do
+    sleep 1
+done
+echo "iRODS catalog database is ready"
+
+unattended_install_file=/unattended_install.json
+if [ -f "${unattended_install_file}" ]; then
+    echo "Running iRODS setup"
+
+    # Configure the server with secure communication (TLS) disabled. This
+    # avoids issues with setup (e.g. the post install test).
+
+    # Add generated hostname as a recognizable alias.
+    sed -i "s/CONTAINER_HOSTNAME_ALIAS/${HOSTNAME}/g" ${unattended_install_file}
+    python3 /var/lib/irods/scripts/setup_irods.py --json_configuration_file ${unattended_install_file}
+
+    # Move the input file used to configure the server out of the way so
+    # the container is restartable.
+    mv ${unattended_install_file} ${unattended_install_file}.processed
+
+    # Generate a self-signed certificate for the server.
+    openssl genrsa -out /tmp/irods_server.key 2048
+    openssl req -batch -new -x509 -key /tmp/irods_server.key -out /tmp/irods_server.crt -days 1
+    openssl dhparam -2 -out /tmp/irods_dhparams.pem 2048
+    chown irods:irods /tmp/irods_server.key
+
+    # Update the server's configuration to require secure communication.
+    sed -i 's/="CS_NEG_REFUSE"/="CS_NEG_REQUIRE"/g' /etc/irods/core.re
+    sed -i 's/CS_NEG_REFUSE/CS_NEG_REQUIRE/g' /etc/irods/server_config.json /var/lib/irods/.irods/irods_environment.json
+
+    # Configure PAM.
+    ln -s /pam_password /etc/pam.d/irods
+
+    # Set up the test user, for PAM authentication.
+    useradd -m john
+    echo "john:=i;r@o\\d&s" | chpasswd
+fi
+
+echo "Starting server"
+su - irods -c 'irodsServer --stdout'

irods/src/test/resources/docker/irods_catalog_provider_pam/pam_password

@@ -0,0 +1,7 @@
+# This file is for testing PAM authentication with iRODS
+# using the pam_password authentication scheme.
+
+auth    required    pam_env.so
+auth    sufficient  pam_unix.so
+auth    requisite   pam_succeed_if.so uid >= 500 quiet
+auth    required    pam_deny.so

irods/src/test/resources/docker/irods_catalog_provider_pam/unattended_install.json

@@ -0,0 +1,180 @@
+{
+    "admin_password": "rods",
+    "default_resource_directory": "/var/lib/irods/Vault",
+    "default_resource_name": "demoResc",
+    "host_system_information": {
+        "service_account_user_name": "irods",
+        "service_account_group_name": "irods"
+    },
+    "service_account_environment": {
+        "irods_client_server_policy": "CS_NEG_REFUSE",
+        "irods_connection_pool_refresh_time_in_seconds": 300,
+        "irods_cwd": "/tempZone/home/rods",
+        "irods_default_hash_scheme": "SHA256",
+        "irods_default_number_of_transfer_threads": 4,
+        "irods_default_resource": "demoResc",
+        "irods_encryption_algorithm": "AES-256-CBC",
+        "irods_encryption_key_size": 32,
+        "irods_encryption_num_hash_rounds": 16,
+        "irods_encryption_salt_size": 8,
+        "irods_home": "/tempZone/home/rods",
+        "irods_host": "irods-catalog-provider",
+        "irods_match_hash_policy": "compatible",
+        "irods_maximum_size_for_single_buffer_in_megabytes": 32,
+        "irods_port": 1247,
+        "irods_ssl_ca_certificate_file": "/tmp/irods_server.crt",
+        "irods_ssl_verify_server": "none",
+        "irods_transfer_buffer_size_for_parallel_transfer_in_megabytes": 4,
+        "irods_user_name": "rods",
+        "irods_zone_name": "tempZone",
+        "schema_name": "service_account_environment",
+        "schema_version": "v5"
+    },
+    "server_config": {
+        "advanced_settings": {
+            "checksum_read_buffer_size_in_bytes": 1048576,
+            "default_number_of_transfer_threads": 4,
+            "default_temporary_password_lifetime_in_seconds": 120,
+            "delay_rule_executors": [],
+            "delay_server_sleep_time_in_seconds": 30,
+            "dns_cache": {
+                "eviction_age_in_seconds": 3600,
+                "cache_clearer_sleep_time_in_seconds": 600,
+                "shared_memory_size_in_bytes": 5000000
+            },
+            "hostname_cache": {
+                "eviction_age_in_seconds": 3600,
+                "cache_clearer_sleep_time_in_seconds": 600,
+                "shared_memory_size_in_bytes": 2500000
+            },
+            "maximum_size_for_single_buffer_in_megabytes": 32,
+            "maximum_size_of_delay_queue_in_bytes": 0,
+            "maximum_temporary_password_lifetime_in_seconds": 1000,
+            "migrate_delay_server_sleep_time_in_seconds": 5,
+            "number_of_concurrent_delay_rule_executors": 4,
+            "stacktrace_file_processor_sleep_time_in_seconds": 10,
+            "transfer_buffer_size_for_parallel_transfer_in_megabytes": 4,
+            "transfer_chunk_size_for_parallel_transfer_in_megabytes": 40
+        },
+        "catalog_provider_hosts": [
+            "irods-catalog-provider"
+        ],
+        "catalog_service_role": "provider",
+        "client_server_policy": "CS_NEG_REFUSE",
+        "connection_pool_refresh_time_in_seconds": 300,
+        "controlled_user_connection_list": {
+            "control_type": "denylist",
+            "users": []
+        },
+        "default_dir_mode": "0750",
+        "default_file_mode": "0600",
+        "default_hash_scheme": "SHA256",
+        "default_resource_name": "demoResc",
+        "encryption": {
+            "algorithm": "AES-256-CBC",
+            "key_size": 32,
+            "num_hash_rounds": 16,
+            "salt_size": 8
+        },
+        "environment_variables": {},
+        "federation": [],
+        "graceful_shutdown_timeout_in_seconds": 30,
+        "host": "irods-catalog-provider",
+        "host_access_control": {
+            "access_entries": []
+        },
+        "host_resolution": {
+            "host_entries": [
+                {
+                    "address_type": "local",
+                    "addresses": [
+                        "irods-catalog-provider",
+                        "CONTAINER_HOSTNAME_ALIAS"
+                    ]
+                }
+            ]
+        },
+        "log_level": {
+            "agent": "info",
+            "agent_factory": "info",
+            "api": "info",
+            "authentication": "info",
+            "database": "info",
+            "delay_server": "info",
+            "genquery1": "info",
+            "genquery2": "info",
+            "legacy": "info",
+            "microservice": "info",
+            "network": "info",
+            "resource": "info",
+            "rule_engine": "info",
+            "server": "info",
+            "sql": "info"
+        },
+        "match_hash_policy": "compatible",
+        "negotiation_key": "32_byte_server_negotiation_key__",
+        "plugin_configuration": {
+            "authentication": {},
+            "database": {
+                "technology": "postgres",
+                "host": "irods-catalog",
+                "name": "ICAT",
+                "odbc_driver": "PostgreSQL ANSI",
+                "password": "testpassword",
+                "port": 5432,
+                "username": "irods"
+            },
+            "network": {},
+            "resource": {},
+            "rule_engines": [
+                {
+                    "instance_name": "irods_rule_engine_plugin-irods_rule_language-instance",
+                    "plugin_name": "irods_rule_engine_plugin-irods_rule_language",
+                    "plugin_specific_configuration": {
+                        "re_data_variable_mapping_set": [
+                            "core"
+                        ],
+                        "re_function_name_mapping_set": [
+                            "core"
+                        ],
+                        "re_rulebase_set": [
+                            "core"
+                        ],
+                        "regexes_for_supported_peps": [
+                            "ac[^ ]*",
+                            "msi[^ ]*",
+                            "[^ ]*pep_[^ ]*_(pre|post|except|finally)"
+                        ]
+                    },
+                    "shared_memory_instance": "irods_rule_language_rule_engine"
+                },
+                {
+                    "instance_name": "irods_rule_engine_plugin-cpp_default_policy-instance",
+                    "plugin_name": "irods_rule_engine_plugin-cpp_default_policy",
+                    "plugin_specific_configuration": {}
+                }
+            ]
+        },
+        "rule_engine_namespaces": [
+            ""
+        ],
+        "schema_name": "server_config",
+        "schema_version": "v5",
+        "server_port_range_end": 20199,
+        "server_port_range_start": 20000,
+        "tls_client": {
+            "ca_certificate_file": "/tmp/irods_server.crt",
+            "verify_server": "none"
+        },
+        "tls_server": {
+            "certificate_chain_file": "/tmp/irods_server.crt",
+            "certificate_key_file": "/tmp/irods_server.key",
+            "dh_params_file": "/tmp/irods_dhparams.pem"
+        },
+        "zone_auth_scheme": "native",
+        "zone_key": "TEMPORARY_ZONE_KEY",
+        "zone_name": "tempZone",
+        "zone_port": 1247,
+        "zone_user": "rods"
+    }
+}

irods/src/test/resources/iRODS_pam.cyberduckprofile

@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+    <dict>
+        <key>Protocol</key>
+        <string>irods</string>
+        <key>Vendor</key>
+        <string>iRODS Consortium</string>
+        <key>Description</key>
+        <string>iRODS (Integrated Rule-Oriented Data System)</string>
+
+        <key>Hostname Configurable</key>
+        <false/>
+        <key>Port Configurable</key>
+        <false/>
+
+        <key>Default Hostname</key>
+        <string>localhost</string>
+        <key>Default Port</key>
+        <string>1347</string>
+
+        <key>Username Placeholder</key>
+        <string>iRODS username</string>
+        <key>Password Placeholder</key>
+        <string>iRODS password</string>
+
+        <key>Region</key>
+        <string>tempZone</string>
+
+        <key>Authorization</key>
+        <string>pam_password</string>
+
+        <key>Properties</key>
+        <dict>
+            <key>Client Server Negotiation</key>
+            <string>CS_NEG_REQUIRE</string>
+        </dict>
+    </dict>
+</plist>