Allow iRODS authentication without iinit icommand

README.md

@@ -53,6 +53,23 @@ active connections to close before shutting down.
 
 For additional options, use the `--help` flag.
 
+## iRODS authentication
+
+Sqyrrl uses the standard iRODS environment file to authenticate to iRODS. If the user has been
+authenticated with `iinit` before starting Sqyrrl, the server will use the existing iRODS auth
+file created by `iinit`. If the user has not been authenticated, Sqyrrl will require the iRODS
+password to be supplied using the environment variable `IRODS_PASSWORD`. Sqyrrl will then create
+the iRODS auth file itself, without requiring `iinit` to be used.
+
+## Running in a container
+
+When running Sqyrrl in a Docker container, configuration files (iRODS environment file, SSL
+certificates) should be mounted into the container and the password should be supplied using
+the environment variable `IRODS_PASSWORD`.
+
+The docker-compose.yml file in the repository contains an example configuration for running
+Sqyrrl in a container.
+
 ## Dependencies
 
 Sqyrrl uses [go-irodsclient](https://github.com/cyverse/go-irodsclient) to connect to iRODS. 

docker-compose.yml

@@ -1,19 +1,37 @@
 version: "3"
 
 services:
-  irods-server:
-    container_name: irods-server
-    image: "ghcr.io/wtsi-npg/ub-16.04-irods-4.2.7:latest"
-    ports:
-      - "127.0.0.1:1247:1247"
-      - "127.0.0.1:20000-20199:20000-20199"
-    restart: always
+    irods-server:
+      container_name: irods-server
+      image: "ghcr.io/wtsi-npg/ub-16.04-irods-4.2.7:latest"
+      ports:
+        - "1247:1247"
+        - "20000-20199:20000-20199"
+      restart: always
+      healthcheck:
+        test: ["CMD", "nc", "-z", "-v", "localhost", "1247"]
+        start_period: 30s
+        interval: 5s
+        timeout: 10s
+        retries: 12
 
-  app:
-    build:
+    app:
+      build:
         context: .
         dockerfile: Dockerfile
-    ports:
-      - "127.0.0.1:3333:3333"
-    depends_on:
-      - irods-server
+      command: ["start",
+                "--host", "0.0.0.0",
+                "--port", "3333",
+                "--cert-file", "/app/config/localhost.crt",
+                "--key-file", "/app/config/localhost.key",
+                "--irods-env", "/app/config/irods_environment.json",
+                "--log-level", "trace"]
+      environment:
+        IRODS_PASSWORD: "irods"
+      ports:
+        - "3333:3333"
+      volumes:
+        - ./config:/app/config
+      depends_on:
+        irods-server:
+          condition: service_healthy

server/irods.go

@@ -33,6 +33,7 @@ import (
 
 const defaultIRODSEnvFile = "~/.irods/irods_environment.json"
 const iRODSEnvFileEnvVar = "IRODS_ENVIRONMENT_FILE"
+const IRODSPasswordEnvVar = "IRODS_PASSWORD"
 
 const PublicUser = "public"
 
@@ -59,15 +60,11 @@ func IRODSEnvFilePath() string {
 // InitIRODS initialises the iRODS environment by creating a populated auth file if it
 // does not already exist. This avoids the need to have `iinit` present on the server
 // host.
-func InitIRODS(logger zerolog.Logger, manager *icommands.ICommandsEnvironmentManager, password string) error {
-	authFile := manager.GetPasswordFilePath()
-	if _, err := os.Stat(authFile); err != nil && errors.Is(err, os.ErrNotExist) {
-		logger.Info().
-			Str("path", authFile).
-			Msg("Creating an iRODS auth file because one does not exist")
-		return icommands.EncodePasswordFile(authFile, password, os.Getuid())
-	}
-	return nil
+func InitIRODS(logger zerolog.Logger, authFilePath string, password string) error {
+	logger.Info().
+		Str("path", authFilePath).
+		Msg("Writing an iRODS auth file")
+	return icommands.EncodePasswordFile(authFilePath, password, os.Getuid())
 }
 
 // NewICommandsEnvironmentManager creates a new environment manager instance.
@@ -117,11 +114,38 @@ func NewIRODSAccount(logger zerolog.Logger,
 		return nil, err
 	}
 
+	authFilePath := manager.GetPasswordFilePath()
+	if _, err := os.Stat(authFilePath); err != nil && errors.Is(err, os.ErrNotExist) {
+		password, ok := os.LookupEnv(IRODSPasswordEnvVar)
+		if !ok {
+			logger.Error().
+				Str("variable", IRODSPasswordEnvVar).
+				Msg("Environment variable not set")
+			return nil, errors.New("the iRODS password environment variable was not set")
+		}
+		if password == "" {
+			logger.Error().
+				Str("variable", IRODSPasswordEnvVar).
+				Msg("Environment variable empty")
+			return nil, errors.New("the iRODS password environment variable was empty")
+		}
+		account.Password = password
+
+		if err = InitIRODS(logger, authFilePath, password); err != nil {
+			logger.Err(err).
+				Str("path", authFilePath).
+				Msg("Failed to initialise iRODS")
+			return nil, err
+		}
+	}
+
 	logger.Info().
 		Str("host", account.Host).
 		Int("port", account.Port).
 		Str("zone", account.ClientZone).
 		Str("user", account.ClientUser).
+		Str("env_file", manager.GetEnvironmentFilePath()).
+		Str("auth_file", manager.GetPasswordFilePath()).
 		Str("auth_scheme", string(account.AuthenticationScheme)).
 		Bool("cs_neg_required", account.ClientServerNegotiation).
 		Str("cs_neg_policy", string(account.CSNegotiationPolicy)).

server/server_suite_test.go

@@ -63,7 +63,10 @@ var _ = BeforeSuite(func() {
 	err = manager.SetEnvironmentFilePath(iRODSEnvFile)
 	Expect(err).NotTo(HaveOccurred())
 
-	err = server.InitIRODS(suiteLogger, manager, "irods")
+	err = os.Setenv(server.IRODSPasswordEnvVar, "irods")
+	Expect(err).NotTo(HaveOccurred())
+	authFilePath := manager.GetPasswordFilePath()
+	err = server.InitIRODS(suiteLogger, authFilePath, os.Getenv(server.IRODSPasswordEnvVar))
 	Expect(err).NotTo(HaveOccurred())
 
 	account, err = server.NewIRODSAccount(suiteLogger, manager)