SNOW-1825607 Initial OCSP deprecation plan steps

index.d.ts

@@ -25,7 +25,7 @@ declare module 'snowflake-sdk' {
 
         // 403001
         ERR_GLOBAL_CONFIGURE_INVALID_LOG_LEVEL = 403001,
-        ERR_GLOBAL_CONFIGURE_INVALID_INSECURE_CONNECT = 403002,
+        ERR_GLOBAL_CONFIGURE_INVALID_DISABLE_OCSP_CHECKS = 403002,
         ERR_GLOBAL_CONFIGURE_INVALID_OCSP_MODE = 403003,
         ERR_GLOBAL_CONFIGURE_INVALID_JSON_PARSER = 403004,
         ERR_GLOBAL_CONFIGURE_INVALID_XML_PARSER = 403005,
@@ -219,10 +219,16 @@ declare module 'snowflake-sdk' {
         additionalLogToConsole?: boolean | null;
 
         /**
-         * Check the ocsp checking is off.
+         * @deprecated
+         * This option will be deprecated. Use disableOCSPChecks
          */
         insecureConnect?: boolean;
 
+        /**
+         * The option to turn off the OCSP check.
+         */
+        disableOCSPChecks?: boolean;
+
         /**
          * The default value is true.
          * Detailed information: https://docs.snowflake.com/en/user-guide/ocsp.

lib/agent/check.js

@@ -115,7 +115,7 @@ function getResponse(uri, req, cb) {
 
 module.exports = function check(options, cb, mock) {
   let sync = true;
-  const maxNumRetries = GlobalConfig.getOcspMode() === GlobalConfig.ocspModes.FAIL_CLOSED ? 5 : 1;
+  const maxNumRetries = GlobalConfig.getOcspMode() === GlobalConfig.ocspModes.FAIL_CLOSED ? 2 : 1;
 
   function done(err, data) {
     if (sync) {

lib/agent/socket_util.js

@@ -13,11 +13,6 @@ const ErrorCodes = Errors.codes;
 
 const REGEX_SNOWFLAKE_ENDPOINT = /.snowflakecomputing./;
 
-const ocspFailOpenWarning =
-  'WARNING!!! using fail-open to connect. Driver is connecting to an HTTPS endpoint ' +
-  'without OCSP based Certificated Revocation checking as it could not obtain a valid OCSP Response to use from ' +
-  'the CA OCSP responder. Details: ';
-
 const socketSecuredEvent = 'secureConnect';
 
 const rawOcspFlag =
@@ -120,7 +115,7 @@ exports.secureSocket = function (socket, host, agent, mock) {
 function isOcspValidationDisabled(host) {
   // ocsp is disabled if insecure-connect is enabled, or if we've disabled ocsp
   // for non-snowflake endpoints and the host is a non-snowflake endpoint
-  return GlobalConfig.isInsecureConnect() ||
+  return GlobalConfig.isOCSPChecksDisabled() ||
     (Parameters.getValue(Parameters.names.JS_DRIVER_DISABLE_OCSP_FOR_NON_SF_ENDPOINTS) &&
       !REGEX_SNOWFLAKE_ENDPOINT.test(host));
 }
@@ -158,7 +153,7 @@ function canEarlyExitForOCSP(errors) {
       const err = errors[errorIndex];
       if (err && !isValidOCSPError(err)) {
         // any of the errors is NOT good/revoked/unknown
-        Logger.getInstance().warn(ocspFailOpenWarning + err);
+        Logger.getInstance().debug('OCSP responder didn\'t respond correctly. Assuming certificate is not revoked');
         return null;
       } else if (err && err.code === ErrorCodes.ERR_OCSP_REVOKED) {
         anyRevoked = err;

lib/constants/error_messages.js

@@ -18,7 +18,7 @@ exports[402002] = 'Request to S3/Blob failed.';
 
 // 403001
 exports[403001] = 'Invalid logLevel. The specified value must be one of these five levels: error, warn, debug, info and trace.';
-exports[403002] = 'Invalid insecureConnect option. The specified value must be a boolean.';
+exports[403002] = 'Invalid disableOCSPChecks option. The specified value must be a boolean.';
 exports[403003] = 'Invalid OCSP mode. The specified value must be FAIL_CLOSED, FAIL_OPEN, or INSECURE_MODE.';
 exports[403004] = 'Invalid custom JSON parser. The specified value must be a function.';
 exports[403005] = 'Invalid custom XML parser. The specified value must be a function.';

lib/core.js

@@ -196,14 +196,18 @@
           Logger.getInstance().info('Configuring logger with level: %s, filePath: %s, additionalLogToConsole: %s', logLevel, logFilePath, additionalLogToConsole);
         }
 
-        const insecureConnect = options.insecureConnect;
-        if (Util.exists(insecureConnect)) {
+        if (Util.exists(options.insecureConnect)) {
+          Logger.getInstance().warn('Warning! The option insecureConnect will be deprecated. Please use the disableOCSPChecks.');
+        }
+
+        const disableOCSPChecks = options.insecureConnect || options.disableOCSPChecks;
+        if (Util.exists(disableOCSPChecks)) {
           // check that the specified value is a boolean
-          Errors.checkArgumentValid(Util.isBoolean(insecureConnect),
-            ErrorCodes.ERR_GLOBAL_CONFIGURE_INVALID_INSECURE_CONNECT);
+          Errors.checkArgumentValid(Util.isBoolean(disableOCSPChecks),
+            ErrorCodes.ERR_GLOBAL_CONFIGURE_INVALID_DISABLE_OCSP_CHECKS);
 
-          GlobalConfig.setInsecureConnect(insecureConnect);
-          Logger.getInstance().debug('Setting insecureConnect to value from core options: %s', insecureConnect);
+          GlobalConfig.setDisableOCSPChecks(disableOCSPChecks);
+          Logger.getInstance().debug('Setting disableOCSPChecks to value from core options: %s', disableOCSPChecks);
         }
 
         const ocspFailOpen = options.ocspFailOpen;

lib/errors.js

@@ -23,7 +23,7 @@ codes.ERR_LARGE_RESULT_SET_RESPONSE_FAILURE = 402002;
 
 // 403001
 codes.ERR_GLOBAL_CONFIGURE_INVALID_LOG_LEVEL = 403001;
-codes.ERR_GLOBAL_CONFIGURE_INVALID_INSECURE_CONNECT = 403002;
+codes.ERR_GLOBAL_CONFIGURE_INVALID_DISABLE_OCSP_CHECKS = 403002;
 codes.ERR_GLOBAL_CONFIGURE_INVALID_OCSP_MODE = 403003;
 codes.ERR_GLOBAL_CONFIGURE_INVALID_JSON_PARSER = 403004;
 codes.ERR_GLOBAL_CONFIGURE_INVALID_XML_PARSER = 403005;

lib/global_config.js

@@ -11,27 +11,27 @@ const Util = require('./util');
 const Logger = require('./logger');
 const { XMLParser, XMLValidator } = require('fast-xml-parser');
 
-let insecureConnect = false;
+let disableOCSPChecks = false;
 
 /**
- * Updates the value of the 'insecureConnect' parameter.
+ * Updates the value of the 'disableOCSPChecks' parameter.
  *
  * @param {boolean} value
  */
-exports.setInsecureConnect = function (value) {
+exports.setDisableOCSPChecks = function (value) {
   // validate input
   Errors.assertInternal(Util.isBoolean(value));
 
-  insecureConnect = value;
+  disableOCSPChecks = value;
 };
 
 /**
- * Returns the value of the 'insecureConnect' parameter.
+ * Returns the value of the 'disableOCSPChecks' parameter.
  *
  * @returns {boolean}
  */
-exports.isInsecureConnect = function () {
-  return insecureConnect;
+exports.isOCSPChecksDisabled = function () {
+  return disableOCSPChecks;
 };
 
 let ocspFailOpen = true;
@@ -71,7 +71,7 @@ exports.ocspModes = ocspModes;
  * @returns {string}
  */
 exports.getOcspMode = function () {
-  if (insecureConnect) {
+  if (disableOCSPChecks) {
     return ocspModes.INSECURE;
   } else if (!ocspFailOpen) {
     return ocspModes.FAIL_CLOSED;

test/integration/testStructuredType.js

@@ -33,7 +33,7 @@ describe('Test Structured types', function () {
     connection = testUtil.createConnection();
     async.series([
       function (callback) {
-        // snowflake.configure({ 'insecureConnect': true });
+        // snowflake.configure({ 'disableOCSPChecks': true });
         // GlobalConfig.setInsecureConnect(true);
         testUtil.connect(connection, callback);
       },

test/unit/ocsp/test_unit_ocsp_mode.js

@@ -9,13 +9,13 @@ const assert = require('assert');
 describe('OCSP mode', function () {
   it('getOcspMode', function (done) {
     // insecure mode
-    GlobalConfig.setInsecureConnect(true);
+    GlobalConfig.setDisableOCSPChecks(true);
     assert.equal(GlobalConfig.getOcspMode(), GlobalConfig.ocspModes.INSECURE);
 
     // insecure mode + Fail open
     GlobalConfig.setOcspFailOpen(true);
     assert.equal(GlobalConfig.getOcspMode(), GlobalConfig.ocspModes.INSECURE);
-    GlobalConfig.setInsecureConnect(false);
+    GlobalConfig.setDisableOCSPChecks(false);
     assert.equal(GlobalConfig.getOcspMode(), GlobalConfig.ocspModes.FAIL_OPEN);
 
     GlobalConfig.setOcspFailOpen(false);

test/unit/snowflake_config_test.js

@@ -15,7 +15,7 @@ describe('Snowflake Configure Tests', function () {
   before(function () {
     originalConfig = {
       logLevel: Logger.getInstance().getLevelTag(),
-      insecureConnect: GlobalConfig.isInsecureConnect(),
+      disableOCSPChecks: GlobalConfig.isOCSPChecksDisabled(),
       ocspFailOpen: GlobalConfig.getOcspFailOpen(),
       keepAlive: GlobalConfig.getKeepAlive(),
       jsonColumnVariantParser: GlobalConfig.jsonColumnVariantParser,
@@ -36,9 +36,9 @@ describe('Snowflake Configure Tests', function () {
           errorCode: ErrorCodes.ERR_GLOBAL_CONFIGURE_INVALID_LOG_LEVEL
         },
         {
-          name: 'invalid insecureConnect',
-          options: { insecureConnect: 'unsupported' },
-          errorCode: ErrorCodes.ERR_GLOBAL_CONFIGURE_INVALID_INSECURE_CONNECT
+          name: 'invalid disableOCSPChecks',
+          options: { disableOCSPChecks: 'unsupported' },
+          errorCode: ErrorCodes.ERR_GLOBAL_CONFIGURE_INVALID_DISABLE_OCSP_CHECKS
         },
         {
           name: 'invalid ocspMode',
@@ -134,17 +134,17 @@ describe('Snowflake Configure Tests', function () {
           }
         },
         {
-          name: 'insecureConnect false',
+          name: 'disableOCSPChecks false',
           options:
           {
-            insecureConnect: false
+            disableOCSPChecks: false
           }
         },
         {
-          name: 'insecureConnect true',
+          name: 'disableOCSPChecks true',
           options:
           {
-            insecureConnect: true
+            disableOCSPChecks: true
           }
         },
         {
@@ -213,8 +213,8 @@ describe('Snowflake Configure Tests', function () {
           let val;
           if (key === 'logLevel') {
             val = Logger.getInstance().getLevelTag();
-          } else if (key === 'insecureConnect') {
-            val = GlobalConfig.isInsecureConnect();
+          } else if (key === 'disableOCSPChecks') {
+            val = GlobalConfig.isOCSPChecksDisabled();
           } else if (key === 'ocspFailOpen') {
             val = GlobalConfig.getOcspFailOpen();
           } else if (key === 'keepAlive') {