-
Notifications
You must be signed in to change notification settings - Fork 171
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SNOW-1825482: PAT + OAuth Authorization Code + OAuth Client Credentials support #1978
base: master
Are you sure you want to change the base?
Conversation
119a205
to
195ff36
Compare
ec6effb
to
a3dad01
Compare
…bc into oauth-code-flow
️✅ There are no secrets present in this pull request anymore.If these secrets were true positive and are still valid, we highly recommend you to revoke them. 🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request. |
TokenRequest request = buildTokenRequest(loginInput, authorizationCode, pkceVerifier); | ||
URI requestUri = request.getEndpointURI(); | ||
logger.debug( | ||
"Requesting access token from: " + requestUri.getAuthority() + requestUri.getPath()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please use logger parameters instead of string concatenation, also in other logs
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
...main/java/net/snowflake/client/core/auth/oauth/AuthorizationCodeFlowAccessTokenProvider.java
Outdated
Show resolved
Hide resolved
...main/java/net/snowflake/client/core/auth/oauth/AuthorizationCodeFlowAccessTokenProvider.java
Outdated
Show resolved
Hide resolved
...main/java/net/snowflake/client/core/auth/oauth/AuthorizationCodeFlowAccessTokenProvider.java
Outdated
Show resolved
Hide resolved
src/main/java/net/snowflake/client/core/auth/oauth/TokenResponseDTO.java
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me in general, I will need a second look once I get some more knowledge about OAuth
@@ -29,6 +29,12 @@ public enum SFSessionProperty { | |||
AUTHENTICATOR("authenticator", false, String.class), | |||
OKTA_USERNAME("oktausername", false, String.class), | |||
PRIVATE_KEY("privateKey", false, PrivateKey.class), | |||
OAUTH_REDIRECT_URI("redirectUri", false, String.class), | |||
CLIENT_ID("clientID", false, String.class), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oauthClientId, oauthClientSecret etc.?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd prefer not to introduce new parameters, after all user can use only one authentication type at a time
}, | ||
"bodyPatterns": [ | ||
{ | ||
"contains": "grant_type=authorization_code&code=123&redirect_uri=http%3A%2F%2Flocalhost%3A8001%2Fsnowflake%2Foauth-redirect&code_verifier=" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please verify if we indeed use PKCE
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, we need to.
src/test/java/net/snowflake/client/jdbc/OauthAuthorizationCodeFlowLatestIT.java
Outdated
Show resolved
Hide resolved
/* | ||
* Authorization code flow with browser popup | ||
*/ | ||
OAUTH_AUTHORIZATION_CODE |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe CLIENT_OAUTH would be a good name from this OAuth flows to make it different than OAuth and indicate it's on client side, WDYT? @sfc-gh-dprzybysz @sfc-gh-dheyman @sfc-gh-pfus
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't like it. CLIENT_OAUTH is too generic. Dawid's name seems better to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would rather change the original OAUTH authenticator to OAUTH_ACCESS_TOKEN or something like that, but I understand it would be a BCR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sfc-gh-eworoshow WDYT? did you go through any naming discussion already
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see a couple options:
AUTHENTICATOR=OAUTH
plusOAUTH_FLOW={TOKEN | AUTHORIZATION_CODE | CLIENT_CREDENTIALS }
, whereTOKEN
is our existing default.AUTHENTICATOR={OAUTH | OAUTH_ACCESS_TOKEN, alias of OAUTH | OAUTH_AUTHORIZATION_CODE | ... }
.
In both cases I think we should use the "standard" name for the OAuth flow we're implementing.
/* | ||
* Authorization code flow with browser popup | ||
*/ | ||
OAUTH_AUTHORIZATION_CODE |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't like it. CLIENT_OAUTH is too generic. Dawid's name seems better to me.
...main/java/net/snowflake/client/core/auth/oauth/AuthorizationCodeFlowAccessTokenProvider.java
Outdated
Show resolved
Hide resolved
src/main/java/net/snowflake/client/core/auth/oauth/TokenResponseDTO.java
Show resolved
Hide resolved
...main/java/net/snowflake/client/core/auth/oauth/AuthorizationCodeFlowAccessTokenProvider.java
Outdated
Show resolved
Hide resolved
src/main/java/net/snowflake/client/core/auth/oauth/TokenResponseDTO.java
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't review the whole PR, I just wanted to opine on a couple points I learned about indirectly 🙂
private static final SFLogger logger = | ||
SFLoggerFactory.getLogger(OAuthAuthorizationCodeAccessTokenProvider.class); | ||
|
||
private static final String DEFAULT_REDIRECT_HOST = "http://localhost:8001"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should use http://127.0.0.1
for compliance with RFC 8252 which strongly recommends not listening on localhost but rather on the IPv4 loopback interface.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, had no idea about this. Will adjust.
SFLoggerFactory.getLogger(OAuthAuthorizationCodeAccessTokenProvider.class); | ||
|
||
private static final String DEFAULT_REDIRECT_HOST = "http://localhost:8001"; | ||
private static final String REDIRECT_URI_ENDPOINT = "/snowflake/oauth-redirect"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should perhaps omit the path here, since I want the Snowflake OAuth "driver" OAuth integration to work more straightforwardly for other use cases (e.g., customer code)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good idea.
OAuthAccessTokenProviderFactory accessTokenProviderFactory = | ||
new OAuthAccessTokenProviderFactory( | ||
new SessionUtilExternalBrowser.DefaultAuthExternalBrowserHandlers(), | ||
(int) loginInput.getBrowserResponseTimeout().getSeconds()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we could change the type in OAuthAccessTokenProviderFactory
(and down the line) to be long? From what I understand this parameter is only ever used cast to long either way.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With the changes made, this cast is unnecessary
src/main/java/net/snowflake/client/core/auth/oauth/OAuthAccessTokenProviderFactory.java
Outdated
Show resolved
Hide resolved
...ain/java/net/snowflake/client/core/auth/oauth/OAuthAuthorizationCodeAccessTokenProvider.java
Show resolved
Hide resolved
...ain/java/net/snowflake/client/core/auth/oauth/OAuthAuthorizationCodeAccessTokenProvider.java
Outdated
Show resolved
Hide resolved
src/main/java/net/snowflake/client/core/auth/oauth/OAuthUtil.java
Outdated
Show resolved
Hide resolved
src/test/java/net/snowflake/client/core/OAuthAuthorizationCodeFlowLatestIT.java
Outdated
Show resolved
Hide resolved
...t/java/net/snowflake/client/core/auth/oauth/AuthorizationCodeRedirectRequestHandlerTest.java
Outdated
Show resolved
Hide resolved
} | ||
|
||
private static String createDefaultRedirectUri() throws IOException { | ||
try (ServerSocket socket = new ServerSocket(0)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Semgrep identified an issue in your code:
Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead.
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>
for false positive/ar <comment>
for acceptable risk/other <comment>
for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by unencrypted-socket.
You can view more details about this finding in the Semgrep AppSec Platform.
@@ -16,5 +16,6 @@ $MVNW_EXE -DjenkinsIT \ | |||
-DintegrationTestSuites=AuthenticationTestSuite \ | |||
-Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \ | |||
-Dnot-self-contained-jar \ | |||
-Dsnowflake.jdbc.enableSoteria=true \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need this parameter in the final code? When are we planning to drop this flag?
@@ -0,0 +1,22 @@ | |||
/* | |||
* Copyright (c) 2024 Snowflake Computing Inc. All rights reserved. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we update the year?
loginInput.setOauthRefreshToken(cred); | ||
break; | ||
default: | ||
logger.debug("Unrecognized type {} for local cached credential", credType); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Debug only? I presume it is worth having an exception (fail fast) or at least warn?
exchange.getResponseBody().close(); | ||
} | ||
|
||
static String handleRedirectRequest( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
private?
requestUri.getAuthority(), | ||
requestUri.getPath()); | ||
String tokenResponse = | ||
HttpUtil.executeGeneralRequest( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't send request GUIDs etc here, do we?
return new OAuthClientCredentialsAccessTokenProvider(); | ||
default: | ||
logger.error("Unsupported authenticator type: " + authenticatorType); | ||
throw new SFException(ErrorCode.INTERNAL_ERROR); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we add the message to the exception itself? It may be helpful for tools like sentry.
} | ||
|
||
private static String createDefaultRedirectUri() throws IOException { | ||
try (ServerSocket socket = new ServerSocket(0)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if an IdP does not support random ports? Should we provide a way to use a fixed port?
|
||
@SnowflakeJdbcInternalApi | ||
public interface StateProvider<T> { | ||
T getState(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Isn't it always a string?
public class RandomStateProvider implements StateProvider<String> { | ||
@Override | ||
public String getState() { | ||
return new State(256).getValue(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we name this magic value?
Overview
SNOW-1825482: PAT + OAuth Authorization Code + OAuth Client Credentials support
Pre-review self checklist
master
branchmvn -P check-style validate
)mvn verify
and inspecttarget/japicmp/japicmp.html
)SNOW-XXXX:
External contributors - please answer these questions before submitting a pull request. Thanks!
What GitHub issue is this PR addressing? Make sure that there is an accompanying issue to your PR.
Issue: #NNNN
Fill out the following pre-review checklist:
@SnowflakeJdbcInternalApi
(note that public/protected methods/fields in classes marked with this annotation are already internal)Please describe how your code solves the related issue.
Please write a short description of how your code change solves the related issue.