From 0e08ba9801ff12e58931c9697932245ab8afbb16 Mon Sep 17 00:00:00 2001 From: John Yun Date: Mon, 25 Nov 2024 11:22:44 -0800 Subject: [PATCH 01/13] testing --- index.d.ts | 10 ++++++++-- lib/agent/socket_util.js | 9 ++------- lib/constants/error_messages.js | 2 +- lib/core.js | 16 ++++++++++------ lib/errors.js | 2 +- lib/global_config.js | 16 ++++++++-------- test/integration/testStructuredType.js | 2 +- test/unit/ocsp/test_unit_ocsp_mode.js | 4 ++-- test/unit/snowflake_config_test.js | 20 ++++++++++---------- 9 files changed, 43 insertions(+), 38 deletions(-) diff --git a/index.d.ts b/index.d.ts index 0d4e17bea..17a272a15 100644 --- a/index.d.ts +++ b/index.d.ts @@ -25,7 +25,7 @@ declare module 'snowflake-sdk' { // 403001 ERR_GLOBAL_CONFIGURE_INVALID_LOG_LEVEL = 403001, - ERR_GLOBAL_CONFIGURE_INVALID_INSECURE_CONNECT = 403002, + ERR_GLOBAL_CONFIGURE_INVALID_DISABLE_OCSP_CHECKS = 403002, ERR_GLOBAL_CONFIGURE_INVALID_OCSP_MODE = 403003, ERR_GLOBAL_CONFIGURE_INVALID_JSON_PARSER = 403004, ERR_GLOBAL_CONFIGURE_INVALID_XML_PARSER = 403005, @@ -219,10 +219,16 @@ declare module 'snowflake-sdk' { additionalLogToConsole?: boolean | null; /** - * Check the ocsp checking is off. + * @deprecated + * This option will be deprecated. Use disableOCSPChecks */ insecureConnect?: boolean; + /** + * The option to turn off the OCSP check. + */ + disableOCSPChecks?: boolean; + /** * The default value is true. * Detailed information: https://docs.snowflake.com/en/user-guide/ocsp. diff --git a/lib/agent/socket_util.js b/lib/agent/socket_util.js index 215f42ff6..d8a58fc58 100644 --- a/lib/agent/socket_util.js +++ b/lib/agent/socket_util.js 
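Review bot: The first index.d.ts hunk removes `ERR_GLOBAL_CONFIGURE_INVALID_INSECURE_CONNECT` from the exported `ErrorCode` enum outright, and lib/errors.js does the same later in this patch. TypeScript callers that reference the old member stop compiling, and plain-JS callers comparing `err.code` against it would compare against `undefined`. Both names map to 403002, so the old one can stay as an alias for a release: `ERR_GLOBAL_CONFIGURE_INVALID_INSECURE_CONNECT = 403002, // deprecated alias`, with the matching `codes.ERR_GLOBAL_CONFIGURE_INVALID_INSECURE_CONNECT = 403002;` in lib/errors.js.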
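Review bot: The JSDoc added for `disableOCSPChecks` in the second index.d.ts hunk states neither the default nor what is lost when the option is set. lib/global_config.js in this patch initialises the flag with `let disableOCSPChecks = false;` and `getOcspMode()` returns `ocspModes.INSECURE` when it is true, so the comment could read `* Disables OCSP certificate revocation checking (default: false). When true, the revocation status of the server certificate is not verified.` The `@deprecated` text on `insecureConnect` would also read better as `Use disableOCSPChecks instead.` than "will be deprecated".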
@@ -13,11 +13,6 @@ const ErrorCodes = Errors.codes; const REGEX_SNOWFLAKE_ENDPOINT = /.snowflakecomputing./; -const ocspFailOpenWarning = - 'WARNING!!! using fail-open to connect. Driver is connecting to an HTTPS endpoint ' + - 'without OCSP based Certificated Revocation checking as it could not obtain a valid OCSP Response to use from ' + - 'the CA OCSP responder. Details: '; - const socketSecuredEvent = 'secureConnect'; const rawOcspFlag = @@ -120,7 +115,7 @@ exports.secureSocket = function (socket, host, agent, mock) { function isOcspValidationDisabled(host) { // ocsp is disabled if insecure-connect is enabled, or if we've disabled ocsp // for non-snowflake endpoints and the host is a non-snowflake endpoint - return GlobalConfig.isInsecureConnect() || + return GlobalConfig.isOCSPChecksDisabled() || (Parameters.getValue(Parameters.names.JS_DRIVER_DISABLE_OCSP_FOR_NON_SF_ENDPOINTS) && !REGEX_SNOWFLAKE_ENDPOINT.test(host)); } @@ -158,7 +153,7 @@ function canEarlyExitForOCSP(errors) { const err = errors[errorIndex]; if (err && !isValidOCSPError(err)) { // any of the errors is NOT good/revoked/unknown - Logger.getInstance().warn(ocspFailOpenWarning + err); + Logger.getInstance().debug('OCSP responder didn\'t respond correctly. Assuming certificate is not revoked'); return null; } else if (err && err.code === ErrorCodes.ERR_OCSP_REVOKED) { anyRevoked = err; diff --git a/lib/constants/error_messages.js b/lib/constants/error_messages.js index 2effda456..b1bfff5e0 100644 --- a/lib/constants/error_messages.js +++ b/lib/constants/error_messages.js 
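Review bot: The last socket_util.js hunk, in `canEarlyExitForOCSP`, lowers the fail-open message from `warn` to `debug` and drops the error detail, so a connection that goes ahead without a usable OCSP response is only recorded when debug logging is on. That is the one event an operator needs to see to know revocation was not checked. I would keep the level and the detail: `Logger.getInstance().warn('OCSP responder did not return a usable response; assuming certificate is not revoked. Details: ' + err);`. A later patch in this series restores the detail but keeps `debug`. In the `isOcspValidationDisabled` hunk the comment still says "insecure-connect is enabled" and should name `disableOCSPChecks`. Both function bodies extend beyond their hunks.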
@@ -18,7 +18,7 @@ exports[402002] = 'Request to S3/Blob failed.'; // 403001 exports[403001] = 'Invalid logLevel. The specified value must be one of these five levels: error, warn, debug, info and trace.'; -exports[403002] = 'Invalid insecureConnect option. The specified value must be a boolean.'; +exports[403002] = 'Invalid disableOCSPChecks option. The specified value must be a boolean.'; exports[403003] = 'Invalid OCSP mode. The specified value must be FAIL_CLOSED, FAIL_OPEN, or INSECURE_MODE.'; exports[403004] = 'Invalid custom JSON parser. The specified value must be a function.'; exports[403005] = 'Invalid custom XML parser. The specified value must be a function.'; diff --git a/lib/core.js b/lib/core.js index 47f50e969..a603e5cf2 100644 --- a/lib/core.js +++ b/lib/core.js 
@@ -196,14 +196,18 @@ function Core(options) { Logger.getInstance().info('Configuring logger with level: %s, filePath: %s, additionalLogToConsole: %s', logLevel, logFilePath, additionalLogToConsole); } - const insecureConnect = options.insecureConnect; - if (Util.exists(insecureConnect)) { + if (options.insecureConnect) { + Logger.getInstance().warn('Warning! The option insecureConnect will be deprecated. Please use the disableOCSPChecks.') + }; + + const disableOCSPChecks = options.disableOCSPChecks || options.insecureConnect; + if (Util.exists(disableOCSPChecks)) { // check that the specified value is a boolean - Errors.checkArgumentValid(Util.isBoolean(insecureConnect), - ErrorCodes.ERR_GLOBAL_CONFIGURE_INVALID_INSECURE_CONNECT); + Errors.checkArgumentValid(Util.isBoolean(disableOCSPChecks), + ErrorCodes.ERR_GLOBAL_CONFIGURE_INVALID_DISABLE_OCSP_CHECKS); - GlobalConfig.setInsecureConnect(insecureConnect); - Logger.getInstance().debug('Setting insecureConnect to value from core options: %s', insecureConnect); + GlobalConfig.isDisableOCSPChecks(disableOCSPChecks); + Logger.getInstance().debug('Setting disableOCSPChecks to value from core options: %s', disableOCSPChecks); } const ocspFailOpen = options.ocspFailOpen; diff --git a/lib/errors.js b/lib/errors.js index 6a00ad982..9c3625c04 100644 --- a/lib/errors.js +++ b/lib/errors.js @@ -23,7 +23,7 @@ codes.ERR_LARGE_RESULT_SET_RESPONSE_FAILURE = 402002; // 403001 codes.ERR_GLOBAL_CONFIGURE_INVALID_LOG_LEVEL = 403001; -codes.ERR_GLOBAL_CONFIGURE_INVALID_INSECURE_CONNECT = 403002; +codes.ERR_GLOBAL_CONFIGURE_INVALID_DISABLE_OCSP_CHECKS= 403002; codes.ERR_GLOBAL_CONFIGURE_INVALID_OCSP_MODE = 403003; codes.ERR_GLOBAL_CONFIGURE_INVALID_JSON_PARSER = 403004; codes.ERR_GLOBAL_CONFIGURE_INVALID_XML_PARSER = 403005; diff --git a/lib/global_config.js b/lib/global_config.js index 23cdd1c24..eb38b558e 100644 --- a/lib/global_config.js +++ b/lib/global_config.js 
@@ -11,27 +11,27 @@ const Util = require('./util'); const Logger = require('./logger'); const { XMLParser, XMLValidator } = require('fast-xml-parser'); -let insecureConnect = false; +let disableOCSPChecks = false; /** - * Updates the value of the 'insecureConnect' parameter. + * Updates the value of the 'disableOCSPChecks' parameter. * * @param {boolean} value */ -exports.setInsecureConnect = function (value) { +exports.isDisableOCSPChecks = function (value) { // validate input Errors.assertInternal(Util.isBoolean(value)); - insecureConnect = value; + disableOCSPChecks = value; }; /** - * Returns the value of the 'insecureConnect' parameter. + * Returns the value of the 'disableOCSPChecks' parameter. * * @returns {boolean} */ -exports.isInsecureConnect = function () { - return insecureConnect; +exports.isOCSPChecksDisabled = function () { + return disableOCSPChecks; }; let ocspFailOpen = true; @@ -71,7 +71,7 @@ exports.ocspModes = ocspModes; * @returns {string} */ exports.getOcspMode = function () { - if (insecureConnect) { + if (disableOCSPChecks) { return ocspModes.INSECURE; } else if (!ocspFailOpen) { return ocspModes.FAIL_CLOSED; diff --git a/test/integration/testStructuredType.js b/test/integration/testStructuredType.js index e26b8d28c..4ffa66b48 100644 --- a/test/integration/testStructuredType.js +++ b/test/integration/testStructuredType.js @@ -33,7 +33,7 @@ describe('Test Structured types', function () { connection = testUtil.createConnection(); async.series([ function (callback) { - // snowflake.configure({ 'insecureConnect': true }); + // snowflake.configure({ 'disableOCSPChecks': true }); // GlobalConfig.setInsecureConnect(true); testUtil.connect(connection, callback); }, diff --git a/test/unit/ocsp/test_unit_ocsp_mode.js b/test/unit/ocsp/test_unit_ocsp_mode.js index 219aa63fe..6e8a929f1 100644 --- a/test/unit/ocsp/test_unit_ocsp_mode.js +++ b/test/unit/ocsp/test_unit_ocsp_mode.js 
@@ -9,13 +9,13 @@ const assert = require('assert'); describe('OCSP mode', function () { it('getOcspMode', function (done) { // insecure mode - GlobalConfig.setInsecureConnect(true); + GlobalConfig.isDisableOCSPChecks(true); assert.equal(GlobalConfig.getOcspMode(), GlobalConfig.ocspModes.INSECURE); // insecure mode + Fail open GlobalConfig.setOcspFailOpen(true); assert.equal(GlobalConfig.getOcspMode(), GlobalConfig.ocspModes.INSECURE); - GlobalConfig.setInsecureConnect(false); + GlobalConfig.isDisableOCSPChecks(false); assert.equal(GlobalConfig.getOcspMode(), GlobalConfig.ocspModes.FAIL_OPEN); GlobalConfig.setOcspFailOpen(false); diff --git a/test/unit/snowflake_config_test.js b/test/unit/snowflake_config_test.js index 7cc9405af..1f10fe3c4 100644 --- a/test/unit/snowflake_config_test.js +++ b/test/unit/snowflake_config_test.js @@ -15,7 +15,7 @@ describe('Snowflake Configure Tests', function () { before(function () { originalConfig = { logLevel: Logger.getInstance().getLevelTag(), - insecureConnect: GlobalConfig.isInsecureConnect(), + disableOCSPChecks: GlobalConfig.isOCSPChecksDisabled(), ocspFailOpen: GlobalConfig.getOcspFailOpen(), keepAlive: GlobalConfig.getKeepAlive(), jsonColumnVariantParser: GlobalConfig.jsonColumnVariantParser, @@ -36,9 +36,9 @@ describe('Snowflake Configure Tests', function () { errorCode: ErrorCodes.ERR_GLOBAL_CONFIGURE_INVALID_LOG_LEVEL }, { - name: 'invalid insecureConnect', - options: { insecureConnect: 'unsupported' }, - errorCode: ErrorCodes.ERR_GLOBAL_CONFIGURE_INVALID_INSECURE_CONNECT + name: 'invalid disableOCSPChecks', + options: { disableOCSPChecks: 'unsupported' }, + errorCode: ErrorCodes.ERR_GLOBAL_CONFIGURE_INVALID_DISABLE_OCSP_CHECKS }, { name: 'invalid ocspMode', 
@@ -134,17 +134,17 @@ describe('Snowflake Configure Tests', function () { } }, { - name: 'insecureConnect false', + name: 'disableOCSPChecks false', options: { - insecureConnect: false + disableOCSPChecks: false } }, { - name: 'insecureConnect true', + name: 'disableOCSPChecks true', options: { - insecureConnect: true + disableOCSPChecks: true } }, { @@ -213,8 +213,8 @@ describe('Snowflake Configure Tests', function () { let val; if (key === 'logLevel') { val = Logger.getInstance().getLevelTag(); - } else if (key === 'insecureConnect') { - val = GlobalConfig.isInsecureConnect(); + } else if (key === 'disableOCSPChecks') { + val = GlobalConfig.isOCSPChecksDisabled(); } else if (key === 'ocspFailOpen') { val = GlobalConfig.getOcspFailOpen(); } else if (key === 'keepAlive') { From 6fc7ddcbbd854a9b5683c81214f3918bfbb1d6d3 Mon Sep 17 00:00:00 2001 From: John Yun Date: Mon, 25 Nov 2024 16:16:08 -0800 Subject: [PATCH 02/13] fix error --- lib/agent/check.js | 2 +- lib/core.js | 10 +++++----- lib/errors.js | 2 +- lib/global_config.js | 2 +- test/unit/ocsp/test_unit_ocsp_mode.js | 4 ++-- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/lib/agent/check.js b/lib/agent/check.js index 0f1bdef83..e9af12540 100644 --- a/lib/agent/check.js +++ b/lib/agent/check.js @@ -115,7 +115,7 @@ function getResponse(uri, req, cb) { module.exports = function check(options, cb, mock) { let sync = true; - const maxNumRetries = GlobalConfig.getOcspMode() === GlobalConfig.ocspModes.FAIL_CLOSED ? 5 : 1; + const maxNumRetries = GlobalConfig.getOcspMode() === GlobalConfig.ocspModes.FAIL_CLOSED ? 2 : 1; function done(err, data) { if (sync) { diff --git a/lib/core.js b/lib/core.js index a603e5cf2..64c773dca 100644 --- a/lib/core.js +++ b/lib/core.js 
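Review bot: The lib/agent/check.js hunk changes the FAIL_CLOSED value of `maxNumRetries` from 5 to 2, yet the commit is titled "fix error", its other hunks are renames, and nothing on the page gives a reason. In fail-closed mode this number presumably decides how long a slow or flaky responder is tolerated before the connection is refused (the retry loop is outside the hunk), so the change deserves its own commit or at least a comment. Suggested shape: name the two values, e.g. `const OCSP_MAX_RETRIES_FAIL_CLOSED = 2;` and `const OCSP_MAX_RETRIES_DEFAULT = 1;`, with a one-line comment above them stating why fail-closed gets the extra attempt.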
@@ -196,17 +196,17 @@ function Core(options) { Logger.getInstance().info('Configuring logger with level: %s, filePath: %s, additionalLogToConsole: %s', logLevel, logFilePath, additionalLogToConsole); } - if (options.insecureConnect) { - Logger.getInstance().warn('Warning! The option insecureConnect will be deprecated. Please use the disableOCSPChecks.') - }; + if (Util.exists(options.insecureConnect)) { + Logger.getInstance().warn('Warning! The option insecureConnect will be deprecated. Please use the disableOCSPChecks.'); + } - const disableOCSPChecks = options.disableOCSPChecks || options.insecureConnect; + const disableOCSPChecks = options.insecureConnect || options.disableOCSPChecks; if (Util.exists(disableOCSPChecks)) { // check that the specified value is a boolean Errors.checkArgumentValid(Util.isBoolean(disableOCSPChecks), ErrorCodes.ERR_GLOBAL_CONFIGURE_INVALID_DISABLE_OCSP_CHECKS); - GlobalConfig.isDisableOCSPChecks(disableOCSPChecks); + GlobalConfig.setDisableOCSPChecks(disableOCSPChecks); Logger.getInstance().debug('Setting disableOCSPChecks to value from core options: %s', disableOCSPChecks); } diff --git a/lib/errors.js b/lib/errors.js index 9c3625c04..4875c781d 100644 --- a/lib/errors.js +++ b/lib/errors.js @@ -23,7 +23,7 @@ codes.ERR_LARGE_RESULT_SET_RESPONSE_FAILURE = 402002; // 403001 codes.ERR_GLOBAL_CONFIGURE_INVALID_LOG_LEVEL = 403001; -codes.ERR_GLOBAL_CONFIGURE_INVALID_DISABLE_OCSP_CHECKS= 403002; +codes.ERR_GLOBAL_CONFIGURE_INVALID_DISABLE_OCSP_CHECKS = 403002; codes.ERR_GLOBAL_CONFIGURE_INVALID_OCSP_MODE = 403003; codes.ERR_GLOBAL_CONFIGURE_INVALID_JSON_PARSER = 403004; codes.ERR_GLOBAL_CONFIGURE_INVALID_XML_PARSER = 403005; diff --git a/lib/global_config.js b/lib/global_config.js index eb38b558e..e47e30543 100644 --- a/lib/global_config.js +++ b/lib/global_config.js 
@@ -18,7 +18,7 @@ let disableOCSPChecks = false; * * @param {boolean} value */ -exports.isDisableOCSPChecks = function (value) { +exports.setDisableOCSPChecks = function (value) { // validate input Errors.assertInternal(Util.isBoolean(value)); diff --git a/test/unit/ocsp/test_unit_ocsp_mode.js b/test/unit/ocsp/test_unit_ocsp_mode.js index 6e8a929f1..a961b83cc 100644 --- a/test/unit/ocsp/test_unit_ocsp_mode.js +++ b/test/unit/ocsp/test_unit_ocsp_mode.js @@ -9,13 +9,13 @@ const assert = require('assert'); describe('OCSP mode', function () { it('getOcspMode', function (done) { // insecure mode - GlobalConfig.isDisableOCSPChecks(true); + GlobalConfig.setDisableOCSPChecks(true); assert.equal(GlobalConfig.getOcspMode(), GlobalConfig.ocspModes.INSECURE); // insecure mode + Fail open GlobalConfig.setOcspFailOpen(true); assert.equal(GlobalConfig.getOcspMode(), GlobalConfig.ocspModes.INSECURE); - GlobalConfig.isDisableOCSPChecks(false); + GlobalConfig.setDisableOCSPChecks(false); assert.equal(GlobalConfig.getOcspMode(), GlobalConfig.ocspModes.FAIL_OPEN); GlobalConfig.setOcspFailOpen(false); From e17af5b4f1dac84e4a05837891befe32d160a091 Mon Sep 17 00:00:00 2001 From: John Yun Date: Tue, 26 Nov 2024 12:27:33 -0800 Subject: [PATCH 03/13] update --- lib/agent/socket_util.js | 2 +- lib/core.js | 4 ++-- test/unit/snowflake_config_test.js | 25 ++++++++++++++++++++++++- 3 files changed, 27 insertions(+), 4 deletions(-) diff --git a/lib/agent/socket_util.js b/lib/agent/socket_util.js index d8a58fc58..718b1ae94 100644 --- a/lib/agent/socket_util.js +++ b/lib/agent/socket_util.js 
@@ -153,7 +153,7 @@ function canEarlyExitForOCSP(errors) { const err = errors[errorIndex]; if (err && !isValidOCSPError(err)) { // any of the errors is NOT good/revoked/unknown - Logger.getInstance().debug('OCSP responder didn\'t respond correctly. Assuming certificate is not revoked'); + Logger.getInstance().debug(`1OCSP responder didn\'t respond correctly. Assuming certificate is not revoked. Details: ${err}`); return null; } else if (err && err.code === ErrorCodes.ERR_OCSP_REVOKED) { anyRevoked = err; diff --git a/lib/core.js b/lib/core.js index 64c773dca..99ce8c02a 100644 --- a/lib/core.js +++ b/lib/core.js @@ -197,10 +197,10 @@ function Core(options) { } if (Util.exists(options.insecureConnect)) { - Logger.getInstance().warn('Warning! The option insecureConnect will be deprecated. Please use the disableOCSPChecks.'); + Logger.getInstance().warn('Warning! The option insecureConnect was deprecated. Please use the disableOCSPChecks.'); } - const disableOCSPChecks = options.insecureConnect || options.disableOCSPChecks; + const disableOCSPChecks = (Util.exists(options.insecureConnect) && Util.exists(options.disableOCSPChecks)) ? options.disableOCSPChecks : (options.insecureConnect || options.disableOCSPChecks); if (Util.exists(disableOCSPChecks)) { // check that the specified value is a boolean Errors.checkArgumentValid(Util.isBoolean(disableOCSPChecks), diff --git a/test/unit/snowflake_config_test.js b/test/unit/snowflake_config_test.js index 1f10fe3c4..7b37685f0 100644 --- a/test/unit/snowflake_config_test.js +++ b/test/unit/snowflake_config_test.js @@ -16,6 +16,7 @@ describe('Snowflake Configure Tests', function () { originalConfig = { logLevel: Logger.getInstance().getLevelTag(), disableOCSPChecks: GlobalConfig.isOCSPChecksDisabled(), + insecureConnect: GlobalConfig.isOCSPChecksDisabled(), ocspFailOpen: GlobalConfig.getOcspFailOpen(), keepAlive: GlobalConfig.getKeepAlive(), jsonColumnVariantParser: GlobalConfig.jsonColumnVariantParser, 
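Review bot: In the lib/core.js hunk the new expression drops an explicit `insecureConnect: false`: when `disableOCSPChecks` is absent it evaluates `false || undefined`, which is `undefined`. The `Util.exists(disableOCSPChecks)` guard then presumably fails and the setter is never called, so a `true` set by an earlier `configure` call would stay in the module-level flag and OCSP checks would remain off. Selecting by presence instead of truthiness avoids that: `const disableOCSPChecks = Util.exists(options.disableOCSPChecks) ? options.disableOCSPChecks : options.insecureConnect;`. The test hunks in this patch add an 'insecureConnect false' case but run it against shared global state, so whether it catches this depends on case order. `Core`'s body extends beyond the hunk.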
@@ -40,6 +41,11 @@ describe('Snowflake Configure Tests', function () { options: { disableOCSPChecks: 'unsupported' }, errorCode: ErrorCodes.ERR_GLOBAL_CONFIGURE_INVALID_DISABLE_OCSP_CHECKS }, + { + name: 'invalid insecureConnect', + options: { insecureConnect: 'unsupported' }, + errorCode: ErrorCodes.ERR_GLOBAL_CONFIGURE_INVALID_DISABLE_OCSP_CHECKS + }, { name: 'invalid ocspMode', options: { ocspFailOpen: 'unsupported' }, @@ -147,6 +153,20 @@ describe('Snowflake Configure Tests', function () { disableOCSPChecks: true } }, + { + name: 'insecureConnect false', + options: + { + insecureConnect: false + } + }, + { + name: 'insecureConnect true', + options: + { + insecureConnect: true + } + }, { name: 'ocspFailOpen false', options: @@ -215,7 +235,10 @@ describe('Snowflake Configure Tests', function () { val = Logger.getInstance().getLevelTag(); } else if (key === 'disableOCSPChecks') { val = GlobalConfig.isOCSPChecksDisabled(); - } else if (key === 'ocspFailOpen') { + } else if (key === 'insecureConnect') { + val = GlobalConfig.isOCSPChecksDisabled(); + } + else if (key === 'ocspFailOpen') { val = GlobalConfig.getOcspFailOpen(); } else if (key === 'keepAlive') { val = GlobalConfig.getKeepAlive(); From 5524bcae04bd7f5d7f06019062d50197087507d1 Mon Sep 17 00:00:00 2001 From: John Yun Date: Tue, 26 Nov 2024 14:36:44 -0800 Subject: [PATCH 04/13] lint fix --- lib/agent/socket_util.js | 2 +- test/unit/snowflake_config_test.js | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/lib/agent/socket_util.js b/lib/agent/socket_util.js index 718b1ae94..9f99ec182 100644 --- a/lib/agent/socket_util.js +++ b/lib/agent/socket_util.js 
@@ -153,7 +153,7 @@ function canEarlyExitForOCSP(errors) {
 const err = errors[errorIndex];
 if (err && !isValidOCSPError(err)) {
 // any of the errors is NOT good/revoked/unknown
- Logger.getInstance().debug(`1OCSP responder didn\'t respond correctly. Assuming certificate is not revoked. Details: ${err}`);
+ Logger.getInstance().debug(`OCSP responder didn't respond correctly. Assuming certificate is not revoked. Details: ${err}`);
 return null;
 } else if (err && err.code === ErrorCodes.ERR_OCSP_REVOKED) {
 anyRevoked = err;
diff --git a/test/unit/snowflake_config_test.js b/test/unit/snowflake_config_test.js
index 7b37685f0..f01df6e43 100644
--- a/test/unit/snowflake_config_test.js
+++ b/test/unit/snowflake_config_test.js
@@ -237,8 +237,7 @@ describe('Snowflake Configure Tests', function () {
 val = GlobalConfig.isOCSPChecksDisabled();
 } else if (key === 'insecureConnect') {
 val = GlobalConfig.isOCSPChecksDisabled();
- }
- else if (key === 'ocspFailOpen') {
+ } else if (key === 'ocspFailOpen') {
 val = GlobalConfig.getOcspFailOpen();
 } else if (key === 'keepAlive') {
 val = GlobalConfig.getKeepAlive();
From d280e023d6bae704404aae232dcada344a6ddb28 Mon Sep 17 00:00:00 2001
From: John Yun
Date: Tue, 26 Nov 2024 14:42:27 -0800
Subject: [PATCH 05/13] fix error
---
 test/unit/snowflake_config_test.js | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/test/unit/snowflake_config_test.js b/test/unit/snowflake_config_test.js
index f01df6e43..5b5d77614 100644
--- a/test/unit/snowflake_config_test.js
+++ b/test/unit/snowflake_config_test.js
@@ -140,31 +140,31 @@ describe('Snowflake Configure Tests', function () { } }, { - name: 'disableOCSPChecks false', + name: 'insecureConnect false', options: { - disableOCSPChecks: false + insecureConnect: false } }, { - name: 'disableOCSPChecks true', + name: 'insecureConnect true', options: { - disableOCSPChecks: true + insecureConnect: true } }, { - name: 'insecureConnect false', + name: 'disableOCSPChecks false', options: { - insecureConnect: false + disableOCSPChecks: false } }, { - name: 'insecureConnect true', + name: 'disableOCSPChecks true', options: { - insecureConnect: true + disableOCSPChecks: true } }, { From 99731490cf08d278a0a28456689efd7e2c9a6c27 Mon Sep 17 00:00:00 2001 From: John Yun Date: Wed, 27 Nov 2024 13:14:53 -0800 Subject: [PATCH 06/13] add logs when the responder URL was missing --- lib/agent/check.js | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lib/agent/check.js b/lib/agent/check.js index e9af12540..b3f4c5257 100644 --- a/lib/agent/check.js +++ b/lib/agent/check.js @@ -190,6 +190,11 @@ module.exports = function check(options, cb, mock) { function ocspRequestCallback(err, uri) { if (err) { + //This error message is from @techteamer/ocsp (ocsp.utils.getAuthorityInfo) + if (err.message === 'AuthorityInfoAccess not found in extensions') { + Logger.getInstance().debug('The responder URL is missing in the certificate.'); + return done(null); + } return done(err); } @@ -206,6 +211,7 @@ module.exports = function check(options, cb, mock) { 'Contact OCSP responder: %s, (%s/%s)', uri, numRetries, maxNumRetries); if (!mock) { + uri = null; getResponse(uri, req.data, ocspResponseVerify); } } From a98736d44eda01b49d9cf5ce5735ba52ba94d16b Mon Sep 17 00:00:00 2001 From: John Yun Date: Thu, 28 Nov 2024 10:23:11 -0800 Subject: [PATCH 07/13] fix --- lib/agent/check.js | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/lib/agent/check.js b/lib/agent/check.js index b3f4c5257..82449b51b 100644 --- a/lib/agent/check.js 
+++ b/lib/agent/check.js @@ -115,7 +115,8 @@ function getResponse(uri, req, cb) { module.exports = function check(options, cb, mock) { let sync = true; - const maxNumRetries = GlobalConfig.getOcspMode() === GlobalConfig.ocspModes.FAIL_CLOSED ? 2 : 1; + const isFailClosed = GlobalConfig.getOcspMode() === GlobalConfig.ocspModes.FAIL_CLOSED; + const maxNumRetries = isFailClosed ? 2 : 1; function done(err, data) { if (sync) { @@ -192,8 +193,12 @@ module.exports = function check(options, cb, mock) { if (err) { //This error message is from @techteamer/ocsp (ocsp.utils.getAuthorityInfo) if (err.message === 'AuthorityInfoAccess not found in extensions') { - Logger.getInstance().debug('The responder URL is missing in the certificate.'); - return done(null); + if (!isFailClosed) { + Logger.getInstance().debug('OCSP Responder URL is missing from the certificate.'); + return done(null); + } else { + Logger.getInstance().Error('OCSP Responder URL is missing from the certificate, so cannot verify with OCSP. Aborting connection attempt due to OCSP being set to FAIL_CLOSE https://docs.snowflake.com/en/user-guide/ocsp#fail-close'); + } } return done(err); } @@ -211,7 +216,6 @@ module.exports = function check(options, cb, mock) { 'Contact OCSP responder: %s, (%s/%s)', uri, numRetries, maxNumRetries); if (!mock) { - uri = null; getResponse(uri, req.data, ocspResponseVerify); } } From 83a0c8e13f304e8969e4452e3af2d8dee3bfc48b Mon Sep 17 00:00:00 2001 From: John Yun Date: Thu, 28 Nov 2024 10:50:52 -0800 Subject: [PATCH 08/13] fix --- lib/agent/check.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/agent/check.js b/lib/agent/check.js index 82449b51b..bbc966e3f 100644 --- a/lib/agent/check.js +++ b/lib/agent/check.js 
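Review bot: The missing-responder branch in `ocspRequestCallback` (second check.js hunk) is selected by comparing `err.message` with the exact text `'AuthorityInfoAccess not found in extensions'` from @techteamer/ocsp, so a wording change in that dependency stops the branch from matching with nothing to flag it. Hoisting the string into a named constant with a comment pinning it to the dependency would at least make the coupling visible. In the non-fail-closed path the certificate is then accepted via `done(null)` with only a `debug` line, although revocation was not checked for that connection; I would log it at warn, e.g. `Logger.getInstance().warn('OCSP Responder URL is missing from the certificate; revocation status was not checked.');`. The fail-closed message says FAIL_CLOSE while the mode is named `FAIL_CLOSED`. The callback body extends beyond the hunk.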
@@ -197,7 +197,7 @@ module.exports = function check(options, cb, mock) {
 Logger.getInstance().debug('OCSP Responder URL is missing from the certificate.');
 return done(null);
 } else {
- Logger.getInstance().Error('OCSP Responder URL is missing from the certificate, so cannot verify with OCSP. Aborting connection attempt due to OCSP being set to FAIL_CLOSE https://docs.snowflake.com/en/user-guide/ocsp#fail-close');
+ Logger.getInstance().error('OCSP Responder URL is missing from the certificate, so cannot verify with OCSP. Aborting connection attempt due to OCSP being set to FAIL_CLOSE https://docs.snowflake.com/en/user-guide/ocsp#fail-close');
 }
 }
 return done(err);
From dd685827737206dd3b377c86d49a7e501c0a83df Mon Sep 17 00:00:00 2001
From: John Yun
Date: Fri, 29 Nov 2024 09:48:32 -0800
Subject: [PATCH 09/13] fix comment
---
 index.d.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/index.d.ts b/index.d.ts
index 17a272a15..94cc58858 100644
--- a/index.d.ts
+++ b/index.d.ts
@@ -220,7 +220,7 @@ declare module 'snowflake-sdk' {
 /**
 * @deprecated
- * This option will be deprecated. Use disableOCSPChecks
+ * This option was deprecated. Please use disableOCSPChecks.
 */
 insecureConnect?: boolean;
From bcdccd1c1cd11d8e66912c6ff4e32a22a79419c4 Mon Sep 17 00:00:00 2001
From: John Yun
Date: Fri, 29 Nov 2024 09:49:41 -0800
Subject: [PATCH 10/13] fix comment
---
 index.d.ts | 2 +-
 lib/core.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/index.d.ts b/index.d.ts
index 94cc58858..e94fe26bd 100644
--- a/index.d.ts
+++ b/index.d.ts
@@ -220,7 +220,7 @@ declare module 'snowflake-sdk' {
 /**
 * @deprecated
- * This option was deprecated. Please use disableOCSPChecks.
+ * This option is deprecated. Please use disableOCSPChecks.
 */
 insecureConnect?: boolean;
diff --git a/lib/core.js b/lib/core.js
index 99ce8c02a..123d06087 100644
--- a/lib/core.js
+++ b/lib/core.js
@@ -197,7 +197,7 @@ function Core(options) {
 }
 if (Util.exists(options.insecureConnect)) {
- Logger.getInstance().warn('Warning! The option insecureConnect was deprecated. Please use the disableOCSPChecks.');
+ Logger.getInstance().warn('Warning! The option insecureConnect is deprecated. Please use the disableOCSPChecks.');
 }
 const disableOCSPChecks = (Util.exists(options.insecureConnect) && Util.exists(options.disableOCSPChecks)) ? options.disableOCSPChecks : (options.insecureConnect || options.disableOCSPChecks);
From fbc7a55c127346b30d840423c873c56a2dc9365f Mon Sep 17 00:00:00 2001
From: John Yun
Date: Tue, 3 Dec 2024 11:19:40 -0800
Subject: [PATCH 11/13] remove insecureconnect
---
 index.d.ts | 6 ------
 lib/core.js | 6 +-----
 test/integration/testStructuredType.js | 2 +-
 test/unit/snowflake_config_test.js | 16 ----------------
 4 files changed, 2 insertions(+), 28 deletions(-)
diff --git a/index.d.ts b/index.d.ts
index e94fe26bd..f687dbb02 100644
--- a/index.d.ts
+++ b/index.d.ts
@@ -218,12 +218,6 @@ declare module 'snowflake-sdk' {
 */
 additionalLogToConsole?: boolean | null;
- /**
- * @deprecated
- * This option is deprecated. Please use disableOCSPChecks.
- */
- insecureConnect?: boolean;
-
 /**
 * The option to turn off the OCSP check.
 */
diff --git a/lib/core.js b/lib/core.js
index 123d06087..5f8b02a6f 100644
--- a/lib/core.js
+++ b/lib/core.js
@@ -196,11 +196,7 @@ function Core(options) { Logger.getInstance().info('Configuring logger with level: %s, filePath: %s, additionalLogToConsole: %s', logLevel, logFilePath, additionalLogToConsole); } - if (Util.exists(options.insecureConnect)) { - Logger.getInstance().warn('Warning! The option insecureConnect is deprecated. Please use the disableOCSPChecks.'); - } - - const disableOCSPChecks = (Util.exists(options.insecureConnect) && Util.exists(options.disableOCSPChecks)) ? options.disableOCSPChecks : (options.insecureConnect || options.disableOCSPChecks); + const disableOCSPChecks = options.disableOCSPChecks; if (Util.exists(disableOCSPChecks)) { // check that the specified value is a boolean Errors.checkArgumentValid(Util.isBoolean(disableOCSPChecks), diff --git a/test/integration/testStructuredType.js b/test/integration/testStructuredType.js index 4ffa66b48..22b776352 100644 --- a/test/integration/testStructuredType.js +++ b/test/integration/testStructuredType.js @@ -34,7 +34,7 @@ describe('Test Structured types', function () { async.series([ function (callback) { // snowflake.configure({ 'disableOCSPChecks': true }); - // GlobalConfig.setInsecureConnect(true); + // GlobalConfig.setDisableOCSPChecks(true); testUtil.connect(connection, callback); }, function (callback) { diff --git a/test/unit/snowflake_config_test.js b/test/unit/snowflake_config_test.js index 5b5d77614..ce91bfacd 100644 --- a/test/unit/snowflake_config_test.js +++ b/test/unit/snowflake_config_test.js @@ -139,20 +139,6 @@ describe('Snowflake Configure Tests', function () { logLevel: LOG_LEVEL_TAGS.TRACE } }, - { - name: 'insecureConnect false', - options: - { - insecureConnect: false - } - }, - { - name: 'insecureConnect true', - options: - { - insecureConnect: true - } - }, { name: 'disableOCSPChecks false', options: 
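Review bot: After the lib/core.js hunk `options.insecureConnect` is no longer read at all, so a caller that still passes it gets neither an error nor a log line. Ignoring it leaves the flag at whatever it was (initially `false`, i.e. checks on), which is the safe direction. An application that relied on the option, though, would see its OCSP behaviour change on upgrade with nothing in the logs to explain it. I would keep a warning for at least one release: `if (Util.exists(options.insecureConnect)) { Logger.getInstance().warn('The insecureConnect option is no longer supported and is ignored. Use disableOCSPChecks.'); }`. `Core`'s body extends beyond the hunk.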
@@ -235,8 +221,6 @@ describe('Snowflake Configure Tests', function () { val = Logger.getInstance().getLevelTag(); } else if (key === 'disableOCSPChecks') { val = GlobalConfig.isOCSPChecksDisabled(); - } else if (key === 'insecureConnect') { - val = GlobalConfig.isOCSPChecksDisabled(); } else if (key === 'ocspFailOpen') { val = GlobalConfig.getOcspFailOpen(); } else if (key === 'keepAlive') { From 0fbf321f3f5e127bceca73ea015be9f6d77164ad Mon Sep 17 00:00:00 2001 From: John Yun Date: Tue, 3 Dec 2024 13:20:53 -0800 Subject: [PATCH 12/13] fix --- test/unit/snowflake_config_test.js | 5 ----- 1 file changed, 5 deletions(-) diff --git a/test/unit/snowflake_config_test.js b/test/unit/snowflake_config_test.js index ce91bfacd..0b4066208 100644 --- a/test/unit/snowflake_config_test.js +++ b/test/unit/snowflake_config_test.js @@ -41,11 +41,6 @@ describe('Snowflake Configure Tests', function () { options: { disableOCSPChecks: 'unsupported' }, errorCode: ErrorCodes.ERR_GLOBAL_CONFIGURE_INVALID_DISABLE_OCSP_CHECKS }, - { - name: 'invalid insecureConnect', - options: { insecureConnect: 'unsupported' }, - errorCode: ErrorCodes.ERR_GLOBAL_CONFIGURE_INVALID_DISABLE_OCSP_CHECKS - }, { name: 'invalid ocspMode', options: { ocspFailOpen: 'unsupported' }, From 80ff0991aa9acab27c5a245cc08d6c4d014e7157 Mon Sep 17 00:00:00 2001 From: John Yun Date: Wed, 4 Dec 2024 09:24:26 -0800 Subject: [PATCH 13/13] remove unnecessary code --- test/unit/snowflake_config_test.js | 1 - 1 file changed, 1 deletion(-) diff --git a/test/unit/snowflake_config_test.js b/test/unit/snowflake_config_test.js index 0b4066208..1f10fe3c4 100644 --- a/test/unit/snowflake_config_test.js +++ b/test/unit/snowflake_config_test.js 
@@ -16,7 +16,6 @@ describe('Snowflake Configure Tests', function () {
 originalConfig = {
 logLevel: Logger.getInstance().getLevelTag(),
 disableOCSPChecks: GlobalConfig.isOCSPChecksDisabled(),
- insecureConnect: GlobalConfig.isOCSPChecksDisabled(),
 ocspFailOpen: GlobalConfig.getOcspFailOpen(),
 keepAlive: GlobalConfig.getKeepAlive(),
 jsonColumnVariantParser: GlobalConfig.jsonColumnVariantParser,