Add client-server negotiation config

go.mod

@@ -174,6 +174,6 @@ require (
 replace (
 	github.com/jlaffaye/ftp => github.com/drakkan/ftp v0.0.0-20201114075148-9b9adce499a9
 	github.com/robfig/cron/v3 => github.com/drakkan/cron/v3 v3.0.0-20230222140221-217a1e4d96c0
-	github.com/sftpgo/sdk => github.com/cyverse/sftpgo-sdk v0.1.3-0.20230906214213-bdb8dbbe543f
+	github.com/sftpgo/sdk => github.com/cyverse/sftpgo-sdk v0.1.3-0.20230913180245-efcf4a8e8628
 	golang.org/x/crypto => github.com/drakkan/crypto v0.0.0-20230106095953-5417b4dfde62
 )

go.sum

@@ -832,8 +832,8 @@ github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2
 github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/cyverse/go-irodsclient v0.12.8 h1:sUaNCQ7nDxUiD+HI/hBSnUiY11P8Ph+IujJt/M8Eh48=
 github.com/cyverse/go-irodsclient v0.12.8/go.mod h1:SOMr0JtAmbtYp06ZdYhxBYi47GYpV9ImW7sqKVypQhU=
-github.com/cyverse/sftpgo-sdk v0.1.3-0.20230906214213-bdb8dbbe543f h1:479l82wotcLnomdIiaypZ6yUNRQ34BGf+mUiM5xVT8Q=
-github.com/cyverse/sftpgo-sdk v0.1.3-0.20230906214213-bdb8dbbe543f/go.mod h1:Giy5vj7Gmju0nGlmBNd28DwPo0G0o1nr9XkE+vu3i+o=
+github.com/cyverse/sftpgo-sdk v0.1.3-0.20230913180245-efcf4a8e8628 h1:PNaD/30SPnBkhd7MNe6A9R7prFkMHXg0X9CAWhExGXQ=
+github.com/cyverse/sftpgo-sdk v0.1.3-0.20230913180245-efcf4a8e8628/go.mod h1:Giy5vj7Gmju0nGlmBNd28DwPo0G0o1nr9XkE+vu3i+o=
 github.com/d2g/dhcp4 v0.0.0-20170904100407-a1d1b6c41b1c/go.mod h1:Ct2BUK8SB0YC1SMSibvLzxjeJLnrYEVLULFNiHY9YfQ=
 github.com/d2g/dhcp4client v1.0.0/go.mod h1:j0hNfjhrt2SxUOw55nL0ATM/z4Yt3t2Kd1mW34z5W5s=
 github.com/d2g/dhcp4server v0.0.0-20181031114812-7d4a0a7f59a5/go.mod h1:Eo87+Kg/IX2hfWJfwxMzLyuSZyxSoAug2nGa1G2QAi8=

internal/cmd/portable.go

@@ -103,6 +103,8 @@ var (
 	portableIRODSProxyUsername         string
 	portableIRODSResourceServer        string
 	portableIRODSAuthScheme            string
+	portableIRODSRequireCSNegotiation  bool
+	portableIRODSCSNegotiationPolicy   string
 	portableIRODSSSLCACertificatePath  string
 	portableIRODSSSLKeySize            int
 	portableIRODSSSLAlgorithm          string
@@ -269,17 +271,19 @@ Please take a look at the usage below to customize the serving parameters`,
 						},
 						IRODSConfig: vfs.IRODSFsConfig{
 							BaseIRODSFsConfig: sdk.BaseIRODSFsConfig{
-								Endpoint:             portableIRODSEndpoint,
-								CollectionPath:       portableIRODSCollectionPath,
-								Username:             portableIRODSUsername,
-								ProxyUsername:        portableIRODSProxyUsername,
-								ResourceServer:       portableIRODSResourceServer,
-								AuthScheme:           portableIRODSAuthScheme,
-								SSLCACertificatePath: portableIRODSSSLCACertificatePath,
-								SSLKeySize:           portableIRODSSSLKeySize,
-								SSLAlgorithm:         portableIRODSSSLAlgorithm,
-								SSLSaltSize:          portableIRODSSSLSaltSize,
-								SSLHashRounds:        protableIRODSSSLHashRounds,
+								Endpoint:                       portableIRODSEndpoint,
+								CollectionPath:                 portableIRODSCollectionPath,
+								Username:                       portableIRODSUsername,
+								ProxyUsername:                  portableIRODSProxyUsername,
+								ResourceServer:                 portableIRODSResourceServer,
+								AuthScheme:                     portableIRODSAuthScheme,
+								RequireClientServerNegotiation: portableIRODSRequireCSNegotiation,
+								ClientServerNegotiationPolicy:  portableIRODSCSNegotiationPolicy,
+								SSLCACertificatePath:           portableIRODSSSLCACertificatePath,
+								SSLKeySize:                     portableIRODSSSLKeySize,
+								SSLAlgorithm:                   portableIRODSSSLAlgorithm,
+								SSLSaltSize:                    portableIRODSSSLSaltSize,
+								SSLHashRounds:                  protableIRODSSSLHashRounds,
 							},
 							Password: kms.NewPlainSecret(portableIRODSPassword),
 						},
@@ -448,6 +452,8 @@ by overlapping round-trip times`)
 	portableCmd.Flags().StringVar(&portableIRODSProxyUsername, "irods-proxyusername", "", `iRODS proxy user for iRODS provider`)
 	portableCmd.Flags().StringVar(&portableIRODSResourceServer, "irods-resource", "", `iRODS resource server for iRODS provider`)
 	portableCmd.Flags().StringVar(&portableIRODSAuthScheme, "irods-auth-scheme", "", `iRODS authentication scheme for iRODS provider`)
+	portableCmd.Flags().BoolVar(&portableIRODSRequireCSNegotiation, "irods-require-cs-negotiation", false, `iRODS client-server negotiation is required`)
+	portableCmd.Flags().StringVar(&portableIRODSCSNegotiationPolicy, "irods-cs-negotiation-policy", "", `iRODS client-server negotiation policy`)
 	portableCmd.Flags().StringVar(&portableIRODSSSLCACertificatePath, "irods-ssl-ca-cert", "", `iRODS SSL CA Certificate file path for iRODS provider`)
 	portableCmd.Flags().StringVar(&portableIRODSSSLAlgorithm, "irods-ssl-algorithm", "", `iRODS SSL encryption algorithm for iRODS provider`)
 	portableCmd.Flags().IntVar(&portableIRODSSSLKeySize, "irods-ssl-key-size", 0, `iRODS SSL encryption key size for iRODS provider`)

internal/httpd/webadmin.go

@@ -1515,6 +1515,12 @@ func getIRODSConfig(r *http.Request) (vfs.IRODSFsConfig, error) {
 	config.CollectionPath = r.Form.Get("irods_collection")
 	config.ResourceServer = r.Form.Get("irods_resource")
 	config.AuthScheme = r.Form.Get("irods_auth_scheme")
+	requireClientServerNegotiation, err := strconv.ParseBool(r.Form.Get("irods_require_cs_negotiation"))
+	if err != nil {
+		return config, fmt.Errorf("invalid irods require cs negotiation: %w", err)
+	}
+	config.RequireClientServerNegotiation = requireClientServerNegotiation
+	config.ClientServerNegotiationPolicy = r.Form.Get("irods_cs_negotiation_policy")
 	config.SSLCACertificatePath = r.Form.Get("irods_ssl_ca_cert_path")
 	encryptionKeySize, err := strconv.ParseInt(r.Form.Get("irods_ssl_key_size"), 10, 32)
 	if err != nil {

internal/httpdtest/httpdtest.go

@@ -2016,6 +2016,12 @@ func compareIRODSFsConfig(expected *vfs.Filesystem, actual *vfs.Filesystem) erro
 	if expected.IRODSConfig.AuthScheme != actual.IRODSConfig.AuthScheme {
 		return errors.New("IRODSFs auth scheme mismatch")
 	}
+	if expected.IRODSConfig.RequireClientServerNegotiation != actual.IRODSConfig.RequireClientServerNegotiation {
+		return errors.New("IRODSFs require client-server negotiation mismatch")
+	}
+	if expected.IRODSConfig.ClientServerNegotiationPolicy != actual.IRODSConfig.ClientServerNegotiationPolicy {
+		return errors.New("IRODSFs client-server negotiation policy mismatch")
+	}
 	if expected.IRODSConfig.SSLCACertificatePath != actual.IRODSConfig.SSLCACertificatePath {
 		return errors.New("IRODSFs SSL CA certificate path scheme mismatch")
 	}

internal/vfs/filesystem.go

@@ -385,17 +385,19 @@ func (f *Filesystem) GetACopy() Filesystem {
 		},
 		IRODSConfig: IRODSFsConfig{
 			BaseIRODSFsConfig: sdk.BaseIRODSFsConfig{
-				Endpoint:             f.IRODSConfig.Endpoint,
-				CollectionPath:       f.IRODSConfig.CollectionPath,
-				Username:             f.IRODSConfig.Username,
-				ProxyUsername:        f.IRODSConfig.ProxyUsername,
-				ResourceServer:       f.IRODSConfig.ResourceServer,
-				AuthScheme:           f.IRODSConfig.AuthScheme,
-				SSLCACertificatePath: f.IRODSConfig.SSLCACertificatePath,
-				SSLKeySize:           f.IRODSConfig.SSLKeySize,
-				SSLAlgorithm:         f.IRODSConfig.SSLAlgorithm,
-				SSLSaltSize:          f.IRODSConfig.SSLSaltSize,
-				SSLHashRounds:        f.IRODSConfig.SSLHashRounds,
+				Endpoint:                       f.IRODSConfig.Endpoint,
+				CollectionPath:                 f.IRODSConfig.CollectionPath,
+				Username:                       f.IRODSConfig.Username,
+				ProxyUsername:                  f.IRODSConfig.ProxyUsername,
+				ResourceServer:                 f.IRODSConfig.ResourceServer,
+				AuthScheme:                     f.IRODSConfig.AuthScheme,
+				RequireClientServerNegotiation: f.IRODSConfig.RequireClientServerNegotiation,
+				ClientServerNegotiationPolicy:  f.IRODSConfig.ClientServerNegotiationPolicy,
+				SSLCACertificatePath:           f.IRODSConfig.SSLCACertificatePath,
+				SSLKeySize:                     f.IRODSConfig.SSLKeySize,
+				SSLAlgorithm:                   f.IRODSConfig.SSLAlgorithm,
+				SSLSaltSize:                    f.IRODSConfig.SSLSaltSize,
+				SSLHashRounds:                  f.IRODSConfig.SSLHashRounds,
 			},
 			Password: f.IRODSConfig.Password.Clone(),
 		},

internal/vfs/irodsfs.go

@@ -72,6 +72,12 @@ func (c *IRODSFsConfig) isEqual(other *IRODSFsConfig) bool {
 	if c.AuthScheme != other.AuthScheme {
 		return false
 	}
+	if c.RequireClientServerNegotiation != other.RequireClientServerNegotiation {
+		return false
+	}
+	if c.ClientServerNegotiationPolicy != other.ClientServerNegotiationPolicy {
+		return false
+	}
 	if c.SSLCACertificatePath != other.SSLCACertificatePath {
 		return false
 	}
@@ -126,7 +132,20 @@ func (c *IRODSFsConfig) validate() error {
 	if strings.ToLower(c.AuthScheme) != "" && strings.ToLower(c.AuthScheme) != "native" && strings.ToLower(c.AuthScheme) != "pam" {
 		return errors.New("unknown authentication scheme")
 	}
+
+	requireSSL := false
 	if strings.ToLower(c.AuthScheme) == "pam" {
+		requireSSL = true
+	}
+	if c.RequireClientServerNegotiation {
+		if strings.ToLower(c.ClientServerNegotiationPolicy) == "cs_neg_require" {
+			requireSSL = true
+		} else if strings.ToLower(c.ClientServerNegotiationPolicy) == "cs_neg_dont_care" {
+			requireSSL = true
+		}
+	}
+
+	if requireSSL {
 		if c.SSLCACertificatePath == "" {
 			return errors.New("SSL CA certificate path cannot be empty when PAM authentication is used")
 		}
@@ -143,6 +162,7 @@ func (c *IRODSFsConfig) validate() error {
 			return errors.New("SSL encryption has rounds cannot be 0 when PAM authentication is used")
 		}
 	}
+
 	if err := c.validateCredentials(); err != nil {
 		return err
 	}
@@ -815,15 +835,26 @@ func (fs *IRODSFs) createConnection() error {
 		if err != nil {
 			return err
 		}
+	default:
+		return fmt.Errorf("unknown authentication scheme %s", fs.config.AuthScheme)
+	}
 
-		sslConf, err := irodstypes.CreateIRODSSSLConfig(fs.config.SSLCACertificatePath, fs.config.SSLKeySize, fs.config.SSLAlgorithm, fs.config.SSLSaltSize, fs.config.SSLHashRounds)
+	if fs.config.RequireClientServerNegotiation {
+		require, err := irodstypes.GetCSNegotiationRequire(fs.config.ClientServerNegotiationPolicy)
 		if err != nil {
-			return err
+			return fmt.Errorf("failed to create iRODS client-server negotiation policy from string '%s'", fs.config.ClientServerNegotiationPolicy)
 		}
 
-		irodsAccount.SetSSLConfiguration(sslConf)
-	default:
-		return fmt.Errorf("unknown authentication scheme %s", fs.config.AuthScheme)
+		irodsAccount.SetCSNegotiation(true, require)
+
+		if len(fs.config.SSLCACertificatePath) > 0 {
+			sslConf, err := irodstypes.CreateIRODSSSLConfig(fs.config.SSLCACertificatePath, fs.config.SSLKeySize, fs.config.SSLAlgorithm, fs.config.SSLSaltSize, fs.config.SSLHashRounds)
+			if err != nil {
+				return err
+			}
+
+			irodsAccount.SetSSLConfiguration(sslConf)
+		}
 	}
 
 	fsLog(fs, logger.LevelDebug, "connecting to iRODS %s:%d using %s auth", irodsAccount.Host, irodsAccount.Port, irodsAccount.AuthenticationScheme)

templates/webadmin/fsconfig.html

@@ -603,11 +603,31 @@
         <div class="form-group row fsconfig fsconfig-irodsfs">
             <label for="idIRODSAuthScheme" class="col-sm-2 col-form-label">Authentication Scheme</label>
             <div class="col-sm-10">
-                <input type="text" class="form-control" id="idIRODSAuthScheme" name="irods_auth_scheme" placeholder=""
-                    value="{{.IRODSConfig.AuthScheme}}" aria-describedby="IRODSAuthSchemeHelpBlock">
-                <small id="IRODSAuthSchemeHelpBlock" class="form-text text-muted">
-                    iRODS Authentication Scheme, optional. Example: "native" or "pam". Default: "native".
-                </small>
+                <select class="form-control selectpicker" id="idIRODSAuthScheme" name="irods_auth_scheme">
+                    <option value="native" {{if eq .IRODSConfig.AuthScheme "" }}selected{{end}}>Default (Native)</option>
+                    <option value="native" {{if eq .IRODSConfig.AuthScheme "native" }}selected{{end}}>Native</option>
+                    <option value="pam" {{if eq .IRODSConfig.AuthScheme "pam" }}selected{{end}}>PAM</option>
+                </select>
+            </div>
+        </div>
+
+        <div class="form-group fsconfig fsconfig-irodsfs">
+            <div class="form-check">
+                <input type="checkbox" class="form-check-input" id="idIRODSRequireCSNegotiation" name="irods_require_cs_negotiation" {{if
+                    .IRODSConfig.RequireClientServerNegotiation}}checked{{end}}>
+                <label for="idIRODSRequireCSNegotiation" class="form-check-label">Use Client-Server negotiation (required for PAM/SSL)</label>
+            </div>
+        </div>
+
+        <div class="form-group row fsconfig fsconfig-irodsfs">
+            <label for="idIRODSCSNegotiationPolicy" class="col-sm-2 col-form-label">Client-Server Negotiation Policy</label>
+            <div class="col-sm-10">
+                <select class="form-control selectpicker" id="idIRODSCSNegotiationPolicy" name="irods_cs_negotiation_policy">
+                    <option value="CS_NEG_REFUSE" {{if eq .IRODSConfig.ClientServerNegotiationPolicy "" }}selected{{end}}>Default (CS_NEG_REFUSE)</option>
+                    <option value="CS_NEG_REFUSE" {{if eq .IRODSConfig.ClientServerNegotiationPolicy "CS_NEG_REFUSE" }}selected{{end}}>CS_NEG_REFUSE</option>
+                    <option value="CS_NEG_REQUIRE" {{if eq .IRODSConfig.ClientServerNegotiationPolicy "CS_NEG_REQUIRE" }}selected{{end}}>CS_NEG_REQUIRE</option>
+                    <option value="CS_NEG_DONT_CARE" {{if eq .IRODSConfig.ClientServerNegotiationPolicy "CS_NEG_DONT_CARE" }}selected{{end}}>CS_NEG_DONT_CARE</option>
+                </select>
             </div>
         </div>