SNOW-1821504: [JDBC] Initialal OCSP deprecation plan steps #2008
base: master
Changes from 7 commits
c4fdb4c
e5d2224
c9607ee
4d66099
1967502
f26374e
47ab1dc
b244875
a5237da
e0055ca
20a9483
b76683b
c8e578e
28bbf9d
1dff792
829b5c6
@@ -714,10 +714,12 @@ public void unsetInvalidProxyHostAndPort() { | |
public OCSPMode getOCSPMode() { | ||
OCSPMode ret; | ||
|
||
Boolean disableOCSPMode = | ||
(Boolean) connectionPropertiesMap.get(SFSessionProperty.DISABLE_OCSP_CHECKS); | ||
Boolean insecureMode = (Boolean) connectionPropertiesMap.get(SFSessionProperty.INSECURE_MODE); | ||
if (insecureMode != null && insecureMode) { | ||
if ((disableOCSPMode != null && disableOCSPMode) || (insecureMode != null && insecureMode)) { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I don't think it works correctly in a case when someone deliberately specified There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. this case should not happen - it's miss configuration There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. guys didn't we call this There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The property name is disableOCSPChecks in Connection Properties. disableOCSPMode was just a variable name in the method. I will change it to disableOCSPChecks all over the place. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. got it, no need to change if it's just an internal variable name. i wanted to ensure |
||
// skip OCSP checks | ||
ret = OCSPMode.INSECURE; | ||
ret = OCSPMode.DISABLE_OCSP_CHECKS; | ||
} else if (!connectionPropertiesMap.containsKey(SFSessionProperty.OCSP_FAIL_OPEN) | ||
|| (boolean) connectionPropertiesMap.get(SFSessionProperty.OCSP_FAIL_OPEN)) { | ||
// fail open (by default, not set) | ||
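Review bot: The two null-guarded unboxings on the new `if` line in getOCSPMode can be collapsed to `if (Boolean.TRUE.equals(disableOCSPMode) || Boolean.TRUE.equals(insecureMode)) {`, which reads as one condition and avoids repeating the `!= null &&` pattern for each flag. Since this branch turns off certificate revocation checking for the whole connection, it is also worth emitting a single warning-level log line when it is taken (if this class has a logger available, which is not visible in the hunk), so operators can tell from default logs that OCSP was disabled instead of having to inspect connection properties. The remainder of getOCSPMode, including the fail-open branches, continues outside the hunk.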
|
@@ -841,10 +841,8 @@ private void executeRevocationStatusChecks( | |
} | ||
|
||
private String generateFailOpenLog(String logData) { | ||
return "WARNING!!! Using fail-open to connect. Driver is connecting to an " | ||
+ "HTTPS endpoint without OCSP based Certificate Revocation checking " | ||
+ "as it could not obtain a valid OCSP Response to use from the CA OCSP " | ||
+ "responder. Details: \n" | ||
return "OCSP responder didn't respond correctly. Assuming certificate is " | ||
+ "not revoked. Details: \n" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Do we need this newline? It's not good to add newlines in logs as it breaks log gathering by some tools. |
||
+ logData; | ||
} | ||
|
||
|
@@ -981,7 +979,7 @@ private void executeOneRevocationStatusCheck( | |
ocspLog = telemetryData.generateTelemetry(SF_OCSP_EVENT_TYPE_VALIDATION_ERROR, error); | ||
if (isOCSPFailOpen()) { | ||
// Log includes fail-open warning. | ||
logger.error(generateFailOpenLog(ocspLog), false); | ||
logger.debug(generateFailOpenLog(ocspLog), false); | ||
} else { | ||
// still not success, raise an error. | ||
logger.debug(ocspLog, false); | ||
|
@@ -1163,7 +1161,7 @@ private OCSPResp fetchOcspResponse( | |
new DecorrelatedJitterBackoff(sleepTime, MAX_SLEEPING_TIME_IN_MILLISECONDS); | ||
boolean success = false; | ||
|
||
final int maxRetryCounter = isOCSPFailOpen() ? 1 : 3; | ||
final int maxRetryCounter = isOCSPFailOpen() ? 1 : 2; | ||
|
||
Exception savedEx = null; | ||
CloseableHttpClient httpClient = | ||
ocspCacheServerClient.computeIfAbsent( | ||
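Review bot: Lowering the fail-open message from `logger.error` to `logger.debug` in the executeOneRevocationStatusCheck hunk removes the only default-visible record that a connection was established without a verified revocation status; debug logging is normally off in production, so an OCSP bypass caused by an unreachable or misbehaving responder becomes undetectable from the driver's logs. The reworded generateFailOpenLog text in the first hunk, which drops the WARNING prefix, compounds this. If the logger exposes a warning level, `logger.warn(generateFailOpenLog(ocspLog), false);` keeps the event visible without the alarm of an error entry; the telemetry generated on the line above may also record it, but that cannot be confirmed from the hunk. The enclosing executeOneRevocationStatusCheck method starts and ends outside the hunk.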
|
@@ -1014,6 +1014,27 @@ public void testFailOverOrgAccount() throws SQLException { | |
} | ||
} | ||
|
||
/** Test production connectivity with disableOCSPChecksMode enabled. */ | ||
@Test | ||
public void testDisableOCSPChecksMode() throws SQLException { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can we have more tests on various combinations of |
||
|
||
String deploymentUrl = | ||
"jdbc:snowflake://sfcsupport.snowflakecomputing.com?disableOCSPChecks=true"; | ||
Properties properties = new Properties(); | ||
properties = new Properties(); | ||
|
||
properties.put("user", "fakeuser"); | ||
properties.put("password", "fakepwd"); | ||
properties.put("account", "fakeaccount"); | ||
try { | ||
DriverManager.getConnection(deploymentUrl, properties); | ||
fail(); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We have junit5, we can check something like this:
|
||
} catch (SQLException e) { | ||
assertThat( | ||
e.getErrorCode(), anyOf(is(INVALID_CONNECTION_INFO_CODE), is(BAD_REQUEST_GS_CODE))); | ||
} | ||
} | ||
|
||
private class ConcurrentConnections implements Runnable { | ||
|
||
ConcurrentConnections() {} | ||
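Review bot: The assertion in testDisableOCSPChecksMode does not establish that OCSP checking was actually skipped: the connection is expected to fail with INVALID_CONNECTION_INFO_CODE or BAD_REQUEST_GS_CODE because of the fake credentials, and it would fail the same way if `disableOCSPChecks=true` were silently ignored. A check that the session resolves this property to `OCSPMode.DISABLE_OCSP_CHECKS` (the mapping the getOCSPMode change introduces) would pin the behaviour the test name promises; how to reach the session object from this test class is not visible here. Separately, `properties = new Properties();` on the line after the declaration is a redundant reassignment and can be dropped. The test method is complete within the hunk.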
|
disableOCSPChecks
isn't it ? here and all the other places