SNOW-1821504: [JDBC] Initialal OCSP deprecation plan steps #2008
base: master
Changes from 11 commits
c4fdb4c
e5d2224
c9607ee
4d66099
1967502
f26374e
47ab1dc
b244875
a5237da
e0055ca
20a9483
b76683b
c8e578e
28bbf9d
1dff792
829b5c6
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -710,14 +710,26 @@ public void unsetInvalidProxyHostAndPort() { | |
* Get OCSP mode | ||
* | ||
* @return {@link OCSPMode} | ||
* @throws SnowflakeSQLException | ||
*/ | ||
public OCSPMode getOCSPMode() { | ||
public OCSPMode getOCSPMode() throws SnowflakeSQLException { | ||
OCSPMode ret; | ||
|
||
Boolean disableOCSPMode = | ||
(Boolean) connectionPropertiesMap.get(SFSessionProperty.DISABLE_OCSP_CHECKS); | ||
Boolean insecureMode = (Boolean) connectionPropertiesMap.get(SFSessionProperty.INSECURE_MODE); | ||
if (insecureMode != null && insecureMode) { | ||
|
||
if ((disableOCSPMode != null && insecureMode != null) && (disableOCSPMode != insecureMode)) { | ||
|
||
logger.error( | ||
"The values for 'disableOCSPMode' and 'insecureMode' must be identical. " | ||
+ "Please ensure both properties are set to the same value."); | ||
I'd add "or unset insecureMode". |
||
throw new SnowflakeSQLException( | ||
ErrorCode.DISABLEOCSP_INSECUREMODE_VALUE_MISMATCH, | ||
"The values for 'disableOCSPMode' and 'insecureMode' " + "must be identical."); | ||
} | ||
if ((disableOCSPMode != null && disableOCSPMode) || (insecureMode != null && insecureMode)) { | ||
I don't think it works correctly in a case when someone deliberately specified
this case should not happen - it's miss configuration
guys didn't we call this
The property name is disableOCSPChecks in Connection Properties. disableOCSPMode was just a variable name in the method. I will change it to disableOCSPChecks all over the place.
got it, no need to change if it's just an internal variable name. i wanted to ensure |
||
// skip OCSP checks | ||
ret = OCSPMode.INSECURE; | ||
ret = OCSPMode.DISABLE_OCSP_CHECKS; | ||
} else if (!connectionPropertiesMap.containsKey(SFSessionProperty.OCSP_FAIL_OPEN) | ||
|| (boolean) connectionPropertiesMap.get(SFSessionProperty.OCSP_FAIL_OPEN)) { | ||
// fail open (by default, not set) | ||
|
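Review bot: The mismatch guard in getOCSPMode() compares two boxed values by reference: `disableOCSPMode != insecureMode` is an identity comparison on `Boolean`, so two equal values held in distinct Boolean instances would be treated as a mismatch and raise DISABLEOCSP_INSECUREMODE_VALUE_MISMATCH. Compare by value instead, `if (disableOCSPMode != null && insecureMode != null && !disableOCSPMode.equals(insecureMode)) {`. Separately, the branch that returns `OCSPMode.DISABLE_OCSP_CHECKS` logs nothing in the visible lines. Since it turns certificate revocation checking off for the connection, a line such as `logger.warn("OCSP revocation checks are disabled for this connection");` would let operators find such sessions in the logs. The method body continues past the end of the hunk.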
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -11,6 +11,7 @@ | |
import static org.hamcrest.MatcherAssert.assertThat; | ||
import static org.junit.jupiter.api.Assertions.assertEquals; | ||
import static org.junit.jupiter.api.Assertions.assertFalse; | ||
import static org.junit.jupiter.api.Assertions.assertThrows; | ||
import static org.junit.jupiter.api.Assertions.assertTrue; | ||
import static org.junit.jupiter.api.Assertions.fail; | ||
|
||
|
@@ -1014,6 +1015,28 @@ public void testFailOverOrgAccount() throws SQLException { | |
} | ||
} | ||
|
||
/** Test production connectivity with disableOCSPChecksMode enabled. */ | ||
@Test | ||
public void testDisableOCSPChecksMode() throws SQLException { | ||
Can we have more tests on various combinations of |
||
|
||
String deploymentUrl = | ||
"jdbc:snowflake://sfcsupport.snowflakecomputing.com?disableOCSPChecks=true"; | ||
Properties properties = new Properties(); | ||
|
||
properties.put("user", "fakeuser"); | ||
properties.put("password", "fakepwd"); | ||
properties.put("account", "fakeaccount"); | ||
SQLException thrown = | ||
assertThrows( | ||
SQLException.class, | ||
() -> { | ||
DriverManager.getConnection(deploymentUrl, properties); | ||
}); | ||
|
||
assertThat( | ||
thrown.getErrorCode(), anyOf(is(INVALID_CONNECTION_INFO_CODE), is(BAD_REQUEST_GS_CODE))); | ||
} | ||
|
||
private class ConcurrentConnections implements Runnable { | ||
|
||
ConcurrentConnections() {} | ||
|
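Review bot: testDisableOCSPChecksMode() would pass whether or not `disableOCSPChecks=true` is honoured, because it only asserts that a login with fake credentials fails with INVALID_CONNECTION_INFO_CODE or BAD_REQUEST_GS_CODE, and the same codes would presumably come back with revocation checking left on. The same applies to testDisableOCSPChecksModeAndInsecureMode() in the ConnectionWithOCSPModeIT section. Add an assertion on the resolved mode, for example a unit test that sets the property on a session and checks that `getOCSPMode()` returns `OCSPMode.DISABLE_OCSP_CHECKS`. The test also depends on reaching a live host, so a network failure would surface as an unrelated error code; a short comment above `deploymentUrl` saying so would help.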
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -7,9 +7,11 @@ | |
import static org.hamcrest.CoreMatchers.anyOf; | ||
import static org.hamcrest.CoreMatchers.containsString; | ||
import static org.hamcrest.CoreMatchers.equalTo; | ||
import static org.hamcrest.CoreMatchers.is; | ||
import static org.hamcrest.MatcherAssert.assertThat; | ||
import static org.hamcrest.core.IsInstanceOf.instanceOf; | ||
import static org.junit.jupiter.api.Assertions.assertNull; | ||
import static org.junit.jupiter.api.Assertions.assertThrows; | ||
import static org.junit.jupiter.api.Assertions.fail; | ||
|
||
import java.net.SocketTimeoutException; | ||
|
@@ -42,6 +44,9 @@ public class ConnectionWithOCSPModeIT extends BaseJDBCTest { | |
private final String testUser = "fakeuser"; | ||
private final String testPassword = "testpassword"; | ||
private final String testRevokedCertConnectString = "jdbc:snowflake://revoked.badssl.com/"; | ||
public static final int INVALID_CONNECTION_INFO_CODE = 390100; | ||
private static final int DISABLE_OCSP_INSECURE_MODE_MISMATCH = 200064; | ||
public static final int BAD_REQUEST_GS_CODE = 390400; | ||
|
||
private static int nameCounter = 0; | ||
|
||
|
@@ -440,6 +445,49 @@ public void testWrongHost() throws InterruptedException { | |
fail("All retries failed"); | ||
} | ||
|
||
/** Test connectivity with disableOCSPChecksMode and insecure mode enabled. */ | ||
@Test | ||
public void testDisableOCSPChecksModeAndInsecureMode() throws SQLException { | ||
Also worth having tests for
These tests are already added in ConnectionIT class. I shifted them to same class. |
||
|
||
String deploymentUrl = | ||
"jdbc:snowflake://sfcsupport.snowflakecomputing.com?disableOCSPChecks=true&insecureMode=true"; | ||
Properties properties = new Properties(); | ||
|
||
properties.put("user", "fakeuser"); | ||
properties.put("password", "fakepwd"); | ||
properties.put("account", "fakeaccount"); | ||
SQLException thrown = | ||
assertThrows( | ||
SQLException.class, | ||
() -> { | ||
DriverManager.getConnection(deploymentUrl, properties); | ||
}); | ||
|
||
assertThat( | ||
thrown.getErrorCode(), anyOf(is(INVALID_CONNECTION_INFO_CODE), is(BAD_REQUEST_GS_CODE))); | ||
} | ||
|
||
/** Test connectivity with disableOCSPChecksMode enabled and insecure mode disabled. */ | ||
@Test | ||
public void testDisableOCSPChecksModeAndInsecureModeMismatched() throws SQLException { | ||
|
||
String deploymentUrl = | ||
"jdbc:snowflake://sfcsupport.snowflakecomputing.com?disableOCSPChecks=true&insecureMode=false"; | ||
Properties properties = new Properties(); | ||
|
||
properties.put("user", "fakeuser"); | ||
properties.put("password", "fakepwd"); | ||
properties.put("account", "fakeaccount"); | ||
SQLException thrown = | ||
assertThrows( | ||
SQLException.class, | ||
() -> { | ||
DriverManager.getConnection(deploymentUrl, properties); | ||
}); | ||
|
||
assertThat(thrown.getErrorCode(), anyOf(is(DISABLE_OCSP_INSECURE_MODE_MISMATCH))); | ||
} | ||
|
||
private static Matcher<String> httpStatus403Or404Or513() { | ||
return anyOf( | ||
containsString("HTTP status=403"), | ||
|
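Review bot: `DISABLE_OCSP_INSECURE_MODE_MISMATCH = 200064` repeats as a literal the code the driver defines as `ErrorCode.DISABLEOCSP_INSECUREMODE_VALUE_MISMATCH`, so the test and the driver can drift apart; take the expected value from the enum if it exposes its numeric code. In testDisableOCSPChecksModeAndInsecureModeMismatched() the `anyOf(...)` around a single matcher adds nothing, and `assertThat(thrown.getErrorCode(), is(DISABLE_OCSP_INSECURE_MODE_MISMATCH));` reads more directly. Both new tests declare `throws SQLException` although the only call that can throw it sits inside the `assertThrows` lambda, so the clause can be dropped.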
disableOCSPChecks
isn't it ? here and all the other places