-
Notifications
You must be signed in to change notification settings - Fork 170
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SNOW-1821504: [JDBC] Initialal OCSP deprecation plan steps #2008
base: master
Are you sure you want to change the base?
SNOW-1821504: [JDBC] Initialal OCSP deprecation plan steps #2008
Conversation
…into SNOW-1821504-jdbc-initialal-ocsp-deprecation-plan-steps
…into SNOW-1821504-jdbc-initialal-ocsp-deprecation-plan-steps
Boolean insecureMode = (Boolean) connectionPropertiesMap.get(SFSessionProperty.INSECURE_MODE); | ||
if (insecureMode != null && insecureMode) { | ||
if ((disableOCSPMode != null && disableOCSPMode) || (insecureMode != null && insecureMode)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think it works correctly in a case when someone deliberately specified disableOCSPMode = false, insecureMode = true
, because the first &&
will evaluate to false and we evaluate the second &&
to true
- and we shouldn't.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this case should not happen - it's miss configuration
I think we can throw the exception when both disableOCSPMode and insecureMode are not null and are not equal
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
guys didn't we call this disableOCSPChecks
in other drivers, and in the requirements?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The property name is disableOCSPChecks in Connection Properties. disableOCSPMode was just a variable name in the method. I will change it to disableOCSPChecks all over the place.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
got it, no need to change if it's just an internal variable name. i wanted to ensure disableOCSPChecks
naming is consistent across all drivers
+ "as it could not obtain a valid OCSP Response to use from the CA OCSP " | ||
+ "responder. Details: \n" | ||
return "OCSP responder didn't respond correctly. Assuming certificate is " | ||
+ "not revoked. Details: \n" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need this newline? It's not good to add newlines in logs as it breaks log gathering by some tools.
@@ -1014,6 +1014,27 @@ public void testFailOverOrgAccount() throws SQLException { | |||
} | |||
} | |||
|
|||
/** Test production connectivity with disableOCSPChecksMode enabled. */ | |||
@Test | |||
public void testDisableOCSPChecksMode() throws SQLException { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we have more tests on various combinations of disableOCSPChecks
and insecureMode
? Or maybe this is not a good place, it should be checked in a place where connection string is parsed?
properties.put("account", "fakeaccount"); | ||
try { | ||
DriverManager.getConnection(deploymentUrl, properties); | ||
fail(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have junit5, we can check something like this:
SQLException e = assertThrows(() -> DriverManager.getConnection(deploymentUrl, properties))
assertThat(e.getErrorCode()....
Boolean insecureMode = (Boolean) connectionPropertiesMap.get(SFSessionProperty.INSECURE_MODE); | ||
if (insecureMode != null && insecureMode) { | ||
if ((disableOCSPMode != null && disableOCSPMode) || (insecureMode != null && insecureMode)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this case should not happen - it's miss configuration
I think we can throw the exception when both disableOCSPMode and insecureMode are not null and are not equal
…into SNOW-1821504-jdbc-initialal-ocsp-deprecation-plan-steps
…' of https://github.com/snowflakedb/snowflake-jdbc into SNOW-1821504-jdbc-initialal-ocsp-deprecation-plan-steps
Hi @sfc-gh-pfus, code review comments implemented. |
// A custom TrustManager is required only if insecureMode is disabled, | ||
// which is by default in the production. insecureMode can be enabled | ||
if (key != null && key.getOcspMode() != OCSPMode.DISABLE_OCSP_CHECKS) { | ||
// A custom TrustManager is required only if disableOCSPMode is disabled, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
disableOCSPChecks
isn't it ? here and all the other places
Boolean insecureMode = (Boolean) connectionPropertiesMap.get(SFSessionProperty.INSECURE_MODE); | ||
if (insecureMode != null && insecureMode) { | ||
|
||
if ((disableOCSPMode != null && insecureMode != null) && (disableOCSPMode != insecureMode)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
disableOCSPChecks
is the flag name, in other drivers too
&& (disableOCSPChecks != insecureMode)) { | ||
logger.error( | ||
"The values for 'disableOCSPChecks' and 'insecureMode' must be identical. " | ||
+ "Please ensure both properties are set to the same value."); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd add "or unset insecureMode".
@@ -440,6 +445,49 @@ public void testWrongHost() throws InterruptedException { | |||
fail("All retries failed"); | |||
} | |||
|
|||
/** Test connectivity with disableOCSPChecksMode and insecure mode enabled. */ | |||
@Test | |||
public void testDisableOCSPChecksModeAndInsecureMode() throws SQLException { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also worth having tests for disableOCSPChecks
only and insecureMode
only.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These tests are already added in ConnectionIT class. I shifted them to same class.
…' of https://github.com/snowflakedb/snowflake-jdbc into SNOW-1821504-jdbc-initialal-ocsp-deprecation-plan-steps
}); | ||
|
||
assertThat( | ||
thrown.getErrorCode(), anyOf(is(INVALID_CONNECTION_INFO_CODE), is(BAD_REQUEST_GS_CODE))); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the purpose of this assertion? It only tests options mismatch, not the effect. We could make a typo in config and it wouldn't end up in the same exception, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The test name for option mismatch is testDisableOCSPChecksModeAndInsecureModeMismatched.
This above test testDisableOCSPChecksModeAndInsecureMode is a good case where both options are enabled. It will skip the OCSP check and try to connect to db, but it ends up with an exception as the user and account are fake.
For testDisableOCSPChecksModeAndInsecureModeMismatched test, it will get the new error code 200064.
Overview
SNOW-1821504
Pre-review self checklist
master
branchmvn -P check-style validate
)mvn verify
and inspecttarget/japicmp/japicmp.html
)SNOW-XXXX:
External contributors - please answer these questions before submitting a pull request. Thanks!
What GitHub issue is this PR addressing? Make sure that there is an accompanying issue to your PR.
Issue: #NNNN
Fill out the following pre-review checklist:
@SnowflakeJdbcInternalApi
(note that public/protected methods/fields in classes marked with this annotation are already internal)Please describe how your code solves the related issue.
Please write a short description of how your code change solves the related issue.