

disableOCSPChecks property added.
sfc-gh-ext-simba-vb committed Dec 17, 2024
1 parent c9607ee commit 4d66099
Showing 6 changed files with 59 additions and 9 deletions.
8 changes: 4 additions & 4 deletions src/main/java/net/snowflake/client/core/HttpUtil.java
Expand Up @@ -345,9 +345,9 @@ public static CloseableHttpClient buildHttpClient(
}

TrustManager[] trustManagers = null;
if (key != null && key.getOcspMode() != OCSPMode.INSECURE) {
// A custom TrustManager is required only if insecureMode is disabled,
// which is by default in the production. insecureMode can be enabled
if (key != null && key.getOcspMode() != OCSPMode.DISABLE_OCSP_CHECKS) {
// A custom TrustManager is required only if disableOCSPMode is disabled,
// which is by default in the production. disableOCSPMode can be enabled
// 1) OCSP service is down for reasons, 2) PowerMock test that doesn't
// care OCSP checks.
// OCSP FailOpen is ON by default
Expand Down Expand Up @@ -742,7 +742,7 @@ public static String executeRequest(
HttpClientSettingsKey ocspAndProxyKey,
ExecTimeTelemetryData execTimeData)
throws SnowflakeSQLException, IOException {
boolean ocspEnabled = !(ocspAndProxyKey.getOcspMode().equals(OCSPMode.INSECURE));
boolean ocspEnabled = !(ocspAndProxyKey.getOcspMode().equals(OCSPMode.DISABLE_OCSP_CHECKS));
logger.debug("Executing request with OCSP enabled: {}", ocspEnabled);
execTimeData.setOCSPStatus(ocspEnabled);
return executeRequestInternal(
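Review bot: The deprecated `OCSPMode.INSECURE` constant still exists after this change, but the two comparisons rewritten here (the TrustManager guard in buildHttpClient and the `ocspEnabled` flag in executeRequest) now match only `DISABLE_OCSP_CHECKS`, so an `HttpClientSettingsKey` still carrying `INSECURE` would no longer be treated as "checks disabled" at these sites even though the enum's own Javadoc says no OCSP check is made for it. Whether such a key can be built outside SFBaseSession is not visible in this commit, but the robust fix is to keep the decision in one place, a predicate on the enum such as `public boolean isOcspCheckDisabled() { return this == DISABLE_OCSP_CHECKS || this == INSECURE; }`, and call it at both sites instead of comparing against a single constant. The rewritten comment in the first hunk also reads oddly as `disableOCSPMode is disabled`; `A custom TrustManager is required only when OCSP checks are not disabled, which is the production default.` says the same thing clearly. Both enclosing methods start and end outside the hunks.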
11 changes: 9 additions & 2 deletions src/main/java/net/snowflake/client/core/OCSPMode.java
Expand Up @@ -15,8 +15,15 @@ public enum OCSPMode {
*/
FAIL_OPEN(1),

/** Insure mode. No OCSP check is made. */
INSECURE(2);
/**
* @deprecated Use {@link #DISABLE_OCSP_CHECKS} for clarity. This configuration option is used to
* disable OCSP verification. Insure mode. No OCSP check is made.
*/
@Deprecated
INSECURE(2),

/** Disable OCSP checks. It's used to disable OCSP verification. */
DISABLE_OCSP_CHECKS(3);

private final int value;

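Review bot: The Javadoc on the new `DISABLE_OCSP_CHECKS` constant does not say what a caller gives up by selecting it, and the deprecated entry's text carries over the typo `Insure mode`. Suggest `/** Disable OCSP checks: certificate revocation status is not verified for the connection. Intended for tests or responder outages; prefer the default FAIL_OPEN otherwise. */` on the new constant, and `Insecure mode` in the deprecated one's description. The bare `@Deprecated` could also carry `since = "<driver version — placeholder>"` so users can tell which release introduced the replacement. The enum body continues outside the hunk (the `value` field and constructor are cut off).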
6 changes: 4 additions & 2 deletions src/main/java/net/snowflake/client/core/SFBaseSession.java
Expand Up @@ -714,10 +714,12 @@ public void unsetInvalidProxyHostAndPort() {
public OCSPMode getOCSPMode() {
OCSPMode ret;

Boolean disableOCSPMode =
(Boolean) connectionPropertiesMap.get(SFSessionProperty.DISABLE_OCSP_CHECKS);
Boolean insecureMode = (Boolean) connectionPropertiesMap.get(SFSessionProperty.INSECURE_MODE);
if (insecureMode != null && insecureMode) {
if ((disableOCSPMode != null && disableOCSPMode) || (insecureMode != null && insecureMode)) {
// skip OCSP checks
ret = OCSPMode.INSECURE;
ret = OCSPMode.DISABLE_OCSP_CHECKS;
} else if (!connectionPropertiesMap.containsKey(SFSessionProperty.OCSP_FAIL_OPEN)
|| (boolean) connectionPropertiesMap.get(SFSessionProperty.OCSP_FAIL_OPEN)) {
// fail open (by default, not set)
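Review bot: With the `||` in the rewritten condition, an explicit `disableOCSPChecks=false` is silently overridden by the deprecated `insecureMode=true`, so a user who opts back into revocation checking through the new property can still end up with `DISABLE_OCSP_CHECKS`. Since the new property is meant to replace the old one, letting it win whenever it is present is clearer: `boolean skipOcsp = disableOCSPMode != null ? disableOCSPMode : (insecureMode != null && insecureMode);` followed by `if (skipOcsp) {`. It would also help operators if the branch that selects `DISABLE_OCSP_CHECKS` logged a warning naming which property disabled the checks, so a connection running without revocation checking is visible in the logs rather than only in telemetry. `getOCSPMode` ends outside the hunk.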
Expand Up @@ -37,7 +37,13 @@ public enum SFSessionProperty {
APP_ID("appId", false, String.class),
APP_VERSION("appVersion", false, String.class),
OCSP_FAIL_OPEN("ocspFailOpen", false, Boolean.class),
/**
* @deprecated Use {@link #DISABLE_OCSP_CHECKS} for clarity. This configuration option is used to
* disable OCSP verification.
*/
@Deprecated
INSECURE_MODE("insecureMode", false, Boolean.class),
DISABLE_OCSP_CHECKS("disableOCSPChecks", false, Boolean.class),
QUERY_TIMEOUT("queryTimeout", false, Integer.class),
STRINGS_QUOTED("stringsQuotedForColumnDef", false, Boolean.class),
APPLICATION("application", false, String.class),
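Review bot: The new `DISABLE_OCSP_CHECKS` entry has no Javadoc while its deprecated predecessor directly above it does, so a reader of the enum sees the deprecation pointer but not what the replacement does. Suggest `/** Disables OCSP certificate revocation checking for the connection; replaces {@link #INSECURE_MODE}. */` above the new entry. This section's file path is not shown on the page; from the enum name it is presumably SFSessionProperty.java, and the enum body continues outside the hunk.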
Expand Up @@ -1161,7 +1161,7 @@ private OCSPResp fetchOcspResponse(
new DecorrelatedJitterBackoff(sleepTime, MAX_SLEEPING_TIME_IN_MILLISECONDS);
boolean success = false;

final int maxRetryCounter = isOCSPFailOpen() ? 1 : 3;
final int maxRetryCounter = isOCSPFailOpen() ? 1 : 2;
Exception savedEx = null;
CloseableHttpClient httpClient =
ocspCacheServerClient.computeIfAbsent(
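Review bot: The change of `maxRetryCounter` from `3` to `2` in the not-fail-open branch is unrelated to the `disableOCSPChecks` property named in the commit title and is not explained anywhere in the diff. When OCSP is fail-closed, fewer attempts against the responder mean a transient responder outage turns into a failed connection sooner, so the reason and the intended trade-off should be recorded, e.g. `// fail-closed: two attempts before giving up, because <reason — TODO fill in>`, or better, the two counts lifted into named constants such as `OCSP_RETRIES_FAIL_OPEN` and `OCSP_RETRIES_FAIL_CLOSED`. Splitting the retry tweak into its own commit would keep the behaviour change reviewable on its own. `fetchOcspResponse` starts and ends outside the hunk, and this section's file path is not shown on the page.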
35 changes: 35 additions & 0 deletions src/test/java/net/snowflake/client/jdbc/ConnectionIT.java
Expand Up @@ -1052,6 +1052,41 @@ public void testFailOverOrgAccount() throws SQLException {
}
}

/** Test production connectivity with disableOCSPChecksMode enabled. */
@Test
public void testDisableOCSPChecksMode() throws SQLException {
String deploymentUrl = "jdbc:snowflake://sfcsupport.snowflakecomputing.com";

Properties properties = new Properties();

properties.put("user", "fakeuser");
properties.put("password", "fakepwd");
properties.put("account", "fakeaccount");
properties.put("disableOCSPChecks", true);
try {
DriverManager.getConnection(deploymentUrl, properties);
fail();
} catch (SQLException e) {
assertThat(
e.getErrorCode(), anyOf(is(INVALID_CONNECTION_INFO_CODE), is(BAD_REQUEST_GS_CODE)));
}

deploymentUrl = "jdbc:snowflake://sfcsupport.snowflakecomputing.com?disableOCSPChecks=true";

properties = new Properties();

properties.put("user", "fakeuser");
properties.put("password", "fakepwd");
properties.put("account", "fakeaccount");
try {
DriverManager.getConnection(deploymentUrl, properties);
fail();
} catch (SQLException e) {
assertThat(
e.getErrorCode(), anyOf(is(INVALID_CONNECTION_INFO_CODE), is(BAD_REQUEST_GS_CODE)));
}
}

private class ConcurrentConnections implements Runnable {

ConcurrentConnections() {}
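Review bot: `testDisableOCSPChecksMode` only asserts that a connection with fake credentials is rejected with `INVALID_CONNECTION_INFO_CODE` or `BAD_REQUEST_GS_CODE`, an outcome that would be identical if `disableOCSPChecks` were ignored entirely, so the test does not show the property is honoured. A direct check would pin the mapping this commit adds, e.g. a session-level assertion that `getOCSPMode()` returns `OCSPMode.DISABLE_OCSP_CHECKS` when the property is set and the default mode when it is not; how a session object is obtained in this test class is not visible here. The two near-identical blocks could also be folded into one private helper taking the URL and the `Properties`, since the duplicated `fail()`/`assertThat` pairs differ only in where the flag is supplied.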

