From 5f8ef63a52c27a92bd647fbd7db6e697f2ca71e9 Mon Sep 17 00:00:00 2001
From: Przemyslaw Motacki
Date: Fri, 19 Jul 2024 11:35:02 +0200
Subject: [PATCH] SNOW-1454054 - add check of user permision for token file
---
 .../config/SFConnectionConfigParser.java | 3 +-
 .../config/SFConnectionConfigParserTest.java | 96 ++++++++++++-------
 2 files changed, 62 insertions(+), 37 deletions(-)
diff --git a/src/main/java/net/snowflake/client/config/SFConnectionConfigParser.java b/src/main/java/net/snowflake/client/config/SFConnectionConfigParser.java
index 405dd09db..4a36d7b22 100644
--- a/src/main/java/net/snowflake/client/config/SFConnectionConfigParser.java
+++ b/src/main/java/net/snowflake/client/config/SFConnectionConfigParser.java
@@ -108,13 +108,14 @@ public static ConnectionParameters buildConnectionParameters() throws SnowflakeS
 .orElse(SNOWFLAKE_TOKEN_FILE_PATH));
 logger.debug("Token used in connect is read from file: {}", path);
 try {
+ varifyFilePermissionSecure(path);
 String token = new String(Files.readAllBytes(path), Charset.defaultCharset());
 if (!token.isEmpty()) {
 putPropertyIfNotNull(conectionProperties, "token", token.trim());
 } else {
 logger.warn("The token has empty value");
 }
- } catch (IOException ex) {
+ } catch (Exception ex) {
 throw new SnowflakeSQLException(ex, "There is a problem during reading token from file");
 }
 }
diff --git a/src/test/java/net/snowflake/client/config/SFConnectionConfigParserTest.java b/src/test/java/net/snowflake/client/config/SFConnectionConfigParserTest.java
index 07882fcb7..01da714e5 100644
--- a/src/test/java/net/snowflake/client/config/SFConnectionConfigParserTest.java
+++ b/src/test/java/net/snowflake/client/config/SFConnectionConfigParserTest.java
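Review bot: In SFConnectionConfigParser.buildConnectionParameters, widening the handler to `catch (Exception ex)` folds every failure in the try block, unchecked exceptions included, into the one message "There is a problem during reading token from file", so a rejected token-file permission cannot be told apart from an unreadable file. Catch only the types the block can raise, for example `} catch (IOException | SnowflakeSQLException ex) {` if the permission check throws SnowflakeSQLException (its declaration is outside this hunk), or let the check's own exception propagate unwrapped. The check and `Files.readAllBytes(path)` each resolve the path on their own, so the file can change between them; a comment such as `// permissions are checked by path before the read, not on the opened file` would record that limit. The helper name `varifyFilePermissionSecure` looks like a misspelling of `verify`, and the enclosing method begins and ends outside the hunk.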
@@ -53,7 +53,7 @@ public void testLoadSFConnectionConfigWrongConfigurationName() throws SnowflakeSQLException, IOException { SnowflakeUtil.systemSetEnv(SNOWFLAKE_HOME_KEY, tempPath.toString()); SnowflakeUtil.systemSetEnv(SNOWFLAKE_DEFAULT_CONNECTION_NAME_KEY, "unknown"); - prepareConnectionConfigurationTomlFile(null, true); + prepareConnectionConfigurationTomlFile(); ConnectionParameters connectionParameters = SFConnectionConfigParser.buildConnectionParameters(); assertNull(connectionParameters); @@ -62,7 +62,7 @@ public void testLoadSFConnectionConfigWrongConfigurationName() @Test public void testLoadSFConnectionConfigInValidPath() throws SnowflakeSQLException, IOException { SnowflakeUtil.systemSetEnv(SNOWFLAKE_HOME_KEY, Paths.get("unknownPath").toString()); - prepareConnectionConfigurationTomlFile(null, true); + prepareConnectionConfigurationTomlFile(); assertNull(SFConnectionConfigParser.buildConnectionParameters()); } 
@@ -73,12 +73,23 @@ public void testLoadSFConnectionConfigWithTokenFromFile() SnowflakeUtil.systemSetEnv(SNOWFLAKE_DEFAULT_CONNECTION_NAME_KEY, "default"); File tokenFile = new File(Paths.get(tempPath.toString(), "token").toUri()); prepareConnectionConfigurationTomlFile( - Collections.singletonMap("token_file_path", tokenFile.toString()), true); + Collections.singletonMap("token_file_path", tokenFile.toString())); ConnectionParameters data = SFConnectionConfigParser.buildConnectionParameters(); assertNotNull(data); assertEquals(tokenFile.toString(), data.getParams().get("token_file_path")); - assertEquals("testToken", data.getParams().get("token")); + } + + @Test + public void testThrowErrorWhenWrongPermissionsForConnectionConfigurationFile() + throws IOException { + SnowflakeUtil.systemSetEnv(SNOWFLAKE_HOME_KEY, tempPath.toString()); + File tokenFile = new File(Paths.get(tempPath.toString(), "token").toUri()); + prepareConnectionConfigurationTomlFile( + Collections.singletonMap("token_file_path", tokenFile.toString()), false, false); + assumeFalse(RunningNotOnLinuxMac.isNotRunningOnLinuxMac()); + assertThrows( + SnowflakeSQLException.class, () -> SFConnectionConfigParser.buildConnectionParameters()); } @Test 
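Review bot: testLoadSFConnectionConfigWithTokenFromFile no longer asserts the token value, so after this hunk nothing checks that a token file with owner-only permissions is actually read into the connection parameters. The removed `assertEquals("testToken", ...)` should be replaced rather than dropped. The test helper writes "token_from_file" into the token file, so `assertEquals("token_from_file", data.getParams().get("token"));` would pin the happy path of the new permission check.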
@@ -86,24 +97,63 @@ public void testThrowErrorWhenWrongPermissionsForTokenFile() throws IOException SnowflakeUtil.systemSetEnv(SNOWFLAKE_HOME_KEY, tempPath.toString()); File tokenFile = new File(Paths.get(tempPath.toString(), "token").toUri()); prepareConnectionConfigurationTomlFile( - Collections.singletonMap("token_file_path", tokenFile.toString()), false); + Collections.singletonMap("token_file_path", tokenFile.toString()), true, false); assumeFalse(RunningNotOnLinuxMac.isNotRunningOnLinuxMac()); assertThrows( SnowflakeSQLException.class, () -> SFConnectionConfigParser.buildConnectionParameters()); } + @Test + public void testLoadSFConnectionConfigWithHostConfigured() + throws SnowflakeSQLException, IOException { + SnowflakeUtil.systemSetEnv(SNOWFLAKE_HOME_KEY, tempPath.toString()); + SnowflakeUtil.systemSetEnv(SNOWFLAKE_DEFAULT_CONNECTION_NAME_KEY, "default"); + Map extraparams = new HashMap(); + extraparams.put("host", "snowflake.reg.local"); + extraparams.put("account", null); + extraparams.put("port", "8082"); + extraparams.put("token", "testToken"); + prepareConnectionConfigurationTomlFile(extraparams); + ConnectionParameters data = SFConnectionConfigParser.buildConnectionParameters(); + assertNotNull(data); + assertEquals("jdbc:snowflake://snowflake.reg.local:8082", data.getUrl()); + assertEquals("oauth", data.getParams().get("authenticator")); + assertEquals("testToken", data.getParams().get("token")); + } + + @Test + public void shouldThrowExceptionIfNoneOfHostAndAccountIsSet() throws IOException { + SnowflakeUtil.systemSetEnv(SNOWFLAKE_HOME_KEY, tempPath.toString()); + SnowflakeUtil.systemSetEnv(SNOWFLAKE_DEFAULT_CONNECTION_NAME_KEY, "default"); + Map extraparams = new HashMap(); + extraparams.put("host", null); + extraparams.put("account", null); + prepareConnectionConfigurationTomlFile(extraparams); + Assert.assertThrows( + SnowflakeSQLException.class, () -> SFConnectionConfigParser.buildConnectionParameters()); + } + + private void 
prepareConnectionConfigurationTomlFile() throws IOException { + prepareConnectionConfigurationTomlFile(null, true, true); + } + + private void prepareConnectionConfigurationTomlFile(Map moreParameters) throws IOException { + prepareConnectionConfigurationTomlFile(moreParameters, true, true); + } + private void prepareConnectionConfigurationTomlFile( - Map moreParameters, boolean onlyUserPermission) throws IOException { + Map moreParameters, boolean onlyUserPermissionConnection, boolean onlyUserPermissionToken) + throws IOException { Path path = Paths.get(tempPath.toString(), "connections.toml"); - Path filePath = createFilePathWithPermission(path, onlyUserPermission); + Path filePath = createFilePathWithPermission(path, onlyUserPermissionConnection); File file = filePath.toFile(); Map configuration = new HashMap(); Map configurationParams = new HashMap(); configurationParams.put("account", "snowaccount.us-west-2.aws"); configurationParams.put("user", "user1"); - configurationParams.put("token", "testToken"); configurationParams.put("port", "443"); + configurationParams.put("authenticator", "oauth"); if (moreParameters != null) { moreParameters.forEach((k, v) -> configurationParams.put(k, v)); @@ -114,7 +164,8 @@ private void prepareConnectionConfigurationTomlFile( if (configurationParams.containsKey("token_file_path")) { Path tokenFilePath = createFilePathWithPermission( - Paths.get(configurationParams.get("token_file_path").toString()), onlyUserPermission); + Paths.get(configurationParams.get("token_file_path").toString()), + onlyUserPermissionToken); Files.write(tokenFilePath, "token_from_file".getBytes()); } } 
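Review bot: testThrowErrorWhenWrongPermissionsForTokenFile still asserts only `SnowflakeSQLException.class`, an exception the parser also raises for other failures (a missing host and account, any token read error), so the test does not show that the failure comes from the token-file permission check. Capture the exception with `SnowflakeSQLException ex = assertThrows(SnowflakeSQLException.class, () -> SFConnectionConfigParser.buildConnectionParameters());` and assert on its cause or message; the same applies to testThrowErrorWhenWrongPermissionsForConnectionConfigurationFile in the previous hunk. The new `(Map, boolean, boolean)` helper overload takes two adjacent flags that are easy to transpose at call sites such as `true, false`; a short Javadoc naming which flag governs connections.toml and which the token file would help.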
@@ -131,31 +182,4 @@ private Path createFilePathWithPermission(Path path, boolean onlyUserPermission)
 return Files.createFile(path);
 }
 }
-
- @Test
- public void testLoadSFConnectionConfigWithHostConfigured()
- throws SnowflakeSQLException, IOException {
- SnowflakeUtil.systemSetEnv(SNOWFLAKE_HOME_KEY, tempPath.toString());
- SnowflakeUtil.systemSetEnv(SNOWFLAKE_DEFAULT_CONNECTION_NAME_KEY, "default");
- Map extraparams = new HashMap();
- extraparams.put("host", "snowflake.reg.local");
- extraparams.put("account", null);
- extraparams.put("port", "8082");
- prepareConnectionConfigurationTomlFile(extraparams, true);
- ConnectionParameters data = SFConnectionConfigParser.buildConnectionParameters();
- assertNotNull(data);
- assertEquals("jdbc:snowflake://snowflake.reg.local:8082", data.getUrl());
- }
-
- @Test
- public void shouldThrowExceptionIfNoneOfHostAndAccountIsSet() throws IOException {
- SnowflakeUtil.systemSetEnv(SNOWFLAKE_HOME_KEY, tempPath.toString());
- SnowflakeUtil.systemSetEnv(SNOWFLAKE_DEFAULT_CONNECTION_NAME_KEY, "default");
- Map extraparams = new HashMap();
- extraparams.put("host", null);
- extraparams.put("account", null);
- prepareConnectionConfigurationTomlFile(extraparams, true);
- Assert.assertThrows(
- SnowflakeSQLException.class, () -> SFConnectionConfigParser.buildConnectionParameters());
- }
 }