SNOW-1821504: [JDBC] Initialal OCSP deprecation plan steps #2008

wants to merge 16 commits into
base: master
8 changes: 4 additions & 4 deletions src/main/java/net/snowflake/client/core/HttpUtil.java
Expand Up @@ -345,9 +345,9 @@ public static CloseableHttpClient buildHttpClient(
}

TrustManager[] trustManagers = null;
if (key != null && key.getOcspMode() != OCSPMode.INSECURE) {
// A custom TrustManager is required only if insecureMode is disabled,
// which is by default in the production. insecureMode can be enabled
if (key != null && key.getOcspMode() != OCSPMode.DISABLE_OCSP_CHECKS) {
// A custom TrustManager is required only if disableOCSPChecks is disabled,
// which is by default in the production. disableOCSPChecks can be enabled
// 1) OCSP service is down for reasons, 2) PowerMock test that doesn't
// care OCSP checks.
// OCSP FailOpen is ON by default
Expand Down Expand Up @@ -742,7 +742,7 @@ public static String executeRequest(
HttpClientSettingsKey ocspAndProxyKey,
ExecTimeTelemetryData execTimeData)
throws SnowflakeSQLException, IOException {
boolean ocspEnabled = !(ocspAndProxyKey.getOcspMode().equals(OCSPMode.INSECURE));
boolean ocspEnabled = !(ocspAndProxyKey.getOcspMode().equals(OCSPMode.DISABLE_OCSP_CHECKS));
logger.debug("Executing request with OCSP enabled: {}", ocspEnabled);
execTimeData.setOCSPStatus(ocspEnabled);
return executeRequestInternal(
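Review bot: The deprecated `OCSPMode.INSECURE` constant still exists after this change, but neither check in this file recognises it any more: at the `trustManagers` guard an `INSECURE` key now installs the custom trust manager, and in `executeRequest` `ocspEnabled` is reported as true for it. That is the safe direction for the handshake itself, but it contradicts the enum's own documentation that no OCSP check is made, and it mis-reports telemetry for any caller that still passes the old constant (whether such callers exist outside `SFBaseSession` is not visible here). A single predicate on the enum, returning true for both `INSECURE` and `DISABLE_OCSP_CHECKS`, would keep both sites consistent: `if (key != null && !key.getOcspMode().isOcspCheckDisabled()) {` and `boolean ocspEnabled = !ocspAndProxyKey.getOcspMode().isOcspCheckDisabled();`. Both enclosing methods start and end outside the hunks.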
11 changes: 9 additions & 2 deletions src/main/java/net/snowflake/client/core/OCSPMode.java
Expand Up @@ -15,8 +15,15 @@ public enum OCSPMode {
*/
FAIL_OPEN(1),

/** Insure mode. No OCSP check is made. */
INSECURE(2);
/**
* @deprecated Use {@link #DISABLE_OCSP_CHECKS} for clarity. This configuration option is used to
* disable OCSP verification. Insure mode. No OCSP check is made.
*/
@Deprecated
INSECURE(2),

/** Disable OCSP checks. It's used to disable OCSP verification. */
DISABLE_OCSP_CHECKS(3);

private final int value;

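Review bot: The new Javadoc on `INSECURE` places the `@deprecated` block tag first and the description after it, so the summary sentence Javadoc renders is empty, and the original "Insure mode" typo is carried into the new text; `INSECURE_MODE` in `SFSessionProperty.java` uses the same layout. Write the description first and the tag last: `/** Insecure mode. No OCSP check is made. @deprecated Use {@link #DISABLE_OCSP_CHECKS}, which disables OCSP verification under a clearer name. */`, and, if the project's language level allows it, mark the annotation `@Deprecated(since = "<driver version placeholder>")` so the removal plan stays traceable. I would also add a one-line comment on `DISABLE_OCSP_CHECKS(3)` stating that the numeric value is new and must not be reused if `INSECURE(2)` is removed later; whether anything persists `value` is not visible in this hunk.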
20 changes: 17 additions & 3 deletions src/main/java/net/snowflake/client/core/SFBaseSession.java
Expand Up @@ -710,14 +710,28 @@ public void unsetInvalidProxyHostAndPort() {
* Get OCSP mode
*
* @return {@link OCSPMode}
* @throws SnowflakeSQLException
*/
public OCSPMode getOCSPMode() {
public OCSPMode getOCSPMode() throws SnowflakeSQLException {
OCSPMode ret;

Boolean disableOCSPChecks =
(Boolean) connectionPropertiesMap.get(SFSessionProperty.DISABLE_OCSP_CHECKS);
Boolean insecureMode = (Boolean) connectionPropertiesMap.get(SFSessionProperty.INSECURE_MODE);
if (insecureMode != null && insecureMode) {

if ((disableOCSPChecks != null && insecureMode != null)
&& (disableOCSPChecks != insecureMode)) {
logger.error(
"The values for 'disableOCSPChecks' and 'insecureMode' must be identical. "
+ "Please ensure both properties are set to the same value.");
I'd add "or unset insecureMode".

throw new SnowflakeSQLException(
ErrorCode.DISABLEOCSP_INSECUREMODE_VALUE_MISMATCH,
"The values for 'disableOCSPChecks' and 'insecureMode' " + "must be identical.");
}
if ((disableOCSPChecks != null && disableOCSPChecks)
|| (insecureMode != null && insecureMode)) {
// skip OCSP checks
ret = OCSPMode.INSECURE;
ret = OCSPMode.DISABLE_OCSP_CHECKS;
} else if (!connectionPropertiesMap.containsKey(SFSessionProperty.OCSP_FAIL_OPEN)
|| (boolean) connectionPropertiesMap.get(SFSessionProperty.OCSP_FAIL_OPEN)) {
// fail open (by default, not set)
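Review bot: `&& (disableOCSPChecks != insecureMode)` compares two `Boolean` references rather than their values; it only behaves as intended while both objects are the cached `Boolean.TRUE`/`Boolean.FALSE` instances, and since the values are cast straight out of `connectionPropertiesMap` (how they are boxed on the way in is not visible here), a differently-boxed `Boolean` would make two identical settings be rejected as a mismatch. Compare by value: `&& !disableOCSPChecks.equals(insecureMode)) {`. The `"..." + "must be identical."` in the thrown exception is one literal split for no reason and repeats the text already logged at error level on the lines just above, so one message emitted once would do. The rest of `getOCSPMode()` (the fail-open / fail-closed branches) continues past the end of the hunk.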
Expand Up @@ -37,7 +37,13 @@ public enum SFSessionProperty {
APP_ID("appId", false, String.class),
APP_VERSION("appVersion", false, String.class),
OCSP_FAIL_OPEN("ocspFailOpen", false, Boolean.class),
/**
* @deprecated Use {@link #DISABLE_OCSP_CHECKS} for clarity. This configuration option is used to
* disable OCSP verification.
*/
@Deprecated
INSECURE_MODE("insecureMode", false, Boolean.class),
DISABLE_OCSP_CHECKS("disableOCSPChecks", false, Boolean.class),
QUERY_TIMEOUT("queryTimeout", false, Integer.class),
STRINGS_QUOTED("stringsQuotedForColumnDef", false, Boolean.class),
APPLICATION("application", false, String.class),
10 changes: 4 additions & 6 deletions src/main/java/net/snowflake/client/core/SFTrustManager.java
Expand Up @@ -841,10 +841,8 @@ private void executeRevocationStatusChecks(
}

private String generateFailOpenLog(String logData) {
return "WARNING!!! Using fail-open to connect. Driver is connecting to an "
+ "HTTPS endpoint without OCSP based Certificate Revocation checking "
+ "as it could not obtain a valid OCSP Response to use from the CA OCSP "
+ "responder. Details: \n"
return "OCSP responder didn't respond correctly. Assuming certificate is "
+ "not revoked. Details: "
+ logData;
}

Expand Down Expand Up @@ -981,7 +979,7 @@ private void executeOneRevocationStatusCheck(
ocspLog = telemetryData.generateTelemetry(SF_OCSP_EVENT_TYPE_VALIDATION_ERROR, error);
if (isOCSPFailOpen()) {
// Log includes fail-open warning.
logger.error(generateFailOpenLog(ocspLog), false);
logger.debug(generateFailOpenLog(ocspLog), false);
} else {
// still not success, raise an error.
logger.debug(ocspLog, false);
Expand Down Expand Up @@ -1163,7 +1161,7 @@ private OCSPResp fetchOcspResponse(
new DecorrelatedJitterBackoff(sleepTime, MAX_SLEEPING_TIME_IN_MILLISECONDS);
boolean success = false;

final int maxRetryCounter = isOCSPFailOpen() ? 1 : 3;
final int maxRetryCounter = isOCSPFailOpen() ? 1 : 2;
Exception savedEx = null;
CloseableHttpClient httpClient =
ocspCacheServerClient.computeIfAbsent(
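Review bot: Downgrading the fail-open path in `executeOneRevocationStatusCheck` from `logger.error` to `logger.debug(generateFailOpenLog(ocspLog), false);` removes the only default-visible record that a connection proceeded on a certificate whose revocation status could not be verified. That is exactly the event an operator needs in production logs to notice an OCSP responder outage or a blocked path to it, and the reworded message in `generateFailOpenLog` no longer contains the phrase that the `// Log includes fail-open warning.` comment refers to. Keep it at a level that reaches production logs, e.g. `logger.warn(generateFailOpenLog(ocspLog), false);` or whatever warning level the logger exposes, and keep "fail-open" in the text so the line stays searchable: `return "OCSP fail-open: responder did not respond correctly, assuming certificate is not revoked. Details: "`. Both methods' bodies extend beyond the hunks.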
3 changes: 2 additions & 1 deletion src/main/java/net/snowflake/client/jdbc/ErrorCode.java
Expand Up @@ -83,7 +83,8 @@ public enum ErrorCode {
INVALID_OKTA_USERNAME(200060, SqlState.CONNECTION_EXCEPTION),
GCP_SERVICE_ERROR(200061, SqlState.SYSTEM_ERROR),
AUTHENTICATOR_REQUEST_TIMEOUT(200062, SqlState.CONNECTION_EXCEPTION),
INVALID_STRUCT_DATA(200063, SqlState.DATA_EXCEPTION);
INVALID_STRUCT_DATA(200063, SqlState.DATA_EXCEPTION),
DISABLEOCSP_INSECUREMODE_VALUE_MISMATCH(200064, SqlState.INVALID_PARAMETER_VALUE);

public static final String errorMessageResource = "net.snowflake.client.jdbc.jdbc_error_messages";

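Review bot: `DISABLEOCSP_INSECUREMODE_VALUE_MISMATCH` breaks the one-word-per-underscore convention of the neighbouring constants (`INVALID_OKTA_USERNAME`, `AUTHENTICATOR_REQUEST_TIMEOUT`); `DISABLE_OCSP_INSECURE_MODE_VALUE_MISMATCH(200064, SqlState.INVALID_PARAMETER_VALUE);` reads consistently and matches the two property names it refers to. No entry for 200064 in the `errorMessageResource` bundle is part of this diff; if the lookup requires one it should land in the same change, since I cannot see whether `SnowflakeSQLException` falls back to the supplied text when the bundle lacks the key.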
23 changes: 23 additions & 0 deletions src/test/java/net/snowflake/client/jdbc/ConnectionIT.java
Expand Up @@ -11,6 +11,7 @@
import static org.hamcrest.MatcherAssert.assertThat;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.junit.jupiter.api.Assertions.fail;

Expand Down Expand Up @@ -1014,6 +1015,28 @@ public void testFailOverOrgAccount() throws SQLException {
}
}

/** Test production connectivity with disableOCSPChecksMode enabled. */
@Test
public void testDisableOCSPChecksMode() throws SQLException {
Can we have more tests on various combinations of disableOCSPChecks and insecureMode? Or maybe this is not a good place, it should be checked in a place where connection string is parsed?


String deploymentUrl =
"jdbc:snowflake://sfcsupport.snowflakecomputing.com?disableOCSPChecks=true";
Properties properties = new Properties();

properties.put("user", "fakeuser");
properties.put("password", "fakepwd");
properties.put("account", "fakeaccount");
SQLException thrown =
assertThrows(
SQLException.class,
() -> {
DriverManager.getConnection(deploymentUrl, properties);
});

assertThat(
thrown.getErrorCode(), anyOf(is(INVALID_CONNECTION_INFO_CODE), is(BAD_REQUEST_GS_CODE)));
}

private class ConcurrentConnections implements Runnable {

ConcurrentConnections() {}
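Review bot: `testDisableOCSPChecksMode` cannot fail if the `disableOCSPChecks` flag is silently ignored: the accepted codes `INVALID_CONNECTION_INFO_CODE` and `BAD_REQUEST_GS_CODE` come from the login step, which runs after the TLS handshake and is reached just as well with OCSP checking switched on. A companion assertion that the parsed setting actually reached the session would turn this into a test of the feature rather than of fake credentials being rejected. Those two constants are declared in `ConnectionWithOCSPModeIT` in this diff; whether `ConnectionIT` has its own copies is not visible here.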
Expand Up @@ -7,9 +7,11 @@
import static org.hamcrest.CoreMatchers.anyOf;
import static org.hamcrest.CoreMatchers.containsString;
import static org.hamcrest.CoreMatchers.equalTo;
import static org.hamcrest.CoreMatchers.is;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.core.IsInstanceOf.instanceOf;
import static org.junit.jupiter.api.Assertions.assertNull;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.fail;

import java.net.SocketTimeoutException;
Expand Down Expand Up @@ -42,6 +44,9 @@ public class ConnectionWithOCSPModeIT extends BaseJDBCTest {
private final String testUser = "fakeuser";
private final String testPassword = "testpassword";
private final String testRevokedCertConnectString = "jdbc:snowflake://revoked.badssl.com/";
public static final int INVALID_CONNECTION_INFO_CODE = 390100;
private static final int DISABLE_OCSP_INSECURE_MODE_MISMATCH = 200064;
public static final int BAD_REQUEST_GS_CODE = 390400;

private static int nameCounter = 0;

Expand Down Expand Up @@ -440,6 +445,49 @@ public void testWrongHost() throws InterruptedException {
fail("All retries failed");
}

/** Test connectivity with disableOCSPChecksMode and insecure mode enabled. */
@Test
public void testDisableOCSPChecksModeAndInsecureMode() throws SQLException {
Also worth having tests for disableOCSPChecks only and insecureMode only.

@sfc-gh-ext-simba-vb sfc-gh-ext-simba-vb Dec 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These tests are already added in ConnectionIT class. I shifted them to same class.


String deploymentUrl =
"jdbc:snowflake://sfcsupport.snowflakecomputing.com?disableOCSPChecks=true&insecureMode=true";
Properties properties = new Properties();

properties.put("user", "fakeuser");
properties.put("password", "fakepwd");
properties.put("account", "fakeaccount");
SQLException thrown =
assertThrows(
SQLException.class,
() -> {
DriverManager.getConnection(deploymentUrl, properties);
});

assertThat(
thrown.getErrorCode(), anyOf(is(INVALID_CONNECTION_INFO_CODE), is(BAD_REQUEST_GS_CODE)));
}

/** Test connectivity with disableOCSPChecksMode enabled and insecure mode disabled. */
@Test
public void testDisableOCSPChecksModeAndInsecureModeMismatched() throws SQLException {

String deploymentUrl =
"jdbc:snowflake://sfcsupport.snowflakecomputing.com?disableOCSPChecks=true&insecureMode=false";
Properties properties = new Properties();

properties.put("user", "fakeuser");
properties.put("password", "fakepwd");
properties.put("account", "fakeaccount");
SQLException thrown =
assertThrows(
SQLException.class,
() -> {
DriverManager.getConnection(deploymentUrl, properties);
});

assertThat(thrown.getErrorCode(), anyOf(is(DISABLE_OCSP_INSECURE_MODE_MISMATCH)));
}

private static Matcher<String> httpStatus403Or404Or513() {
return anyOf(
containsString("HTTP status=403"),
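Review bot: `assertThat(thrown.getErrorCode(), anyOf(is(DISABLE_OCSP_INSECURE_MODE_MISMATCH)));` in `testDisableOCSPChecksModeAndInsecureModeMismatched` wraps a single matcher in `anyOf`, and `DISABLE_OCSP_INSECURE_MODE_MISMATCH = 200064` re-types the number that `ErrorCode.DISABLEOCSP_INSECUREMODE_VALUE_MISMATCH` already defines, so a renumbering in the enum would go unnoticed here. Use `assertThat(thrown.getErrorCode(), is(DISABLE_OCSP_INSECURE_MODE_MISMATCH));` and derive the constant from the enum's code accessor rather than a literal (the accessor's name is not visible in this diff). The two new tests here and the one in `ConnectionIT` differ only in the query string of `deploymentUrl`; a shared helper taking that query string and returning the thrown `SQLException` would remove the three duplicated property-and-assertThrows blocks.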