Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SNOW-1821504: [JDBC] Initialal OCSP deprecation plan steps #2008

Open
wants to merge 16 commits into
base: master
Choose a base branch
from

Conversation

sfc-gh-ext-simba-vb
Copy link
Collaborator

Overview

SNOW-1821504

Pre-review self checklist

  • PR branch is updated with all the changes from master branch
  • The code is correctly formatted (run mvn -P check-style validate)
  • New public API is not unnecessary exposed (run mvn verify and inspect target/japicmp/japicmp.html)
  • The pull request name is prefixed with SNOW-XXXX:
  • Code is in compliance with internal logging requirements

External contributors - please answer these questions before submitting a pull request. Thanks!

  1. What GitHub issue is this PR addressing? Make sure that there is an accompanying issue to your PR.

    Issue: #NNNN

  2. Fill out the following pre-review checklist:

    • I am adding a new automated test(s) to verify correctness of my new code
    • I am adding new logging messages
    • I am modifying authorization mechanisms
    • I am adding new credentials
    • I am modifying OCSP code
    • I am adding a new dependency or upgrading an existing one
    • I am adding new public/protected component not marked with @SnowflakeJdbcInternalApi (note that public/protected methods/fields in classes marked with this annotation are already internal)
  3. Please describe how your code solves the related issue.

    Please write a short description of how your code change solves the related issue.

@sfc-gh-ext-simba-vb sfc-gh-ext-simba-vb marked this pull request as ready for review December 17, 2024 22:45
@sfc-gh-ext-simba-vb sfc-gh-ext-simba-vb requested a review from a team as a code owner December 17, 2024 22:45
Boolean insecureMode = (Boolean) connectionPropertiesMap.get(SFSessionProperty.INSECURE_MODE);
if (insecureMode != null && insecureMode) {
if ((disableOCSPMode != null && disableOCSPMode) || (insecureMode != null && insecureMode)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think it works correctly in a case when someone deliberately specified disableOCSPMode = false, insecureMode = true, because the first && will evaluate to false and we evaluate the second && to true - and we shouldn't.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this case should not happen - it's miss configuration
I think we can throw the exception when both disableOCSPMode and insecureMode are not null and are not equal

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

guys didn't we call this disableOCSPChecks in other drivers, and in the requirements?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The property name is disableOCSPChecks in Connection Properties. disableOCSPMode was just a variable name in the method. I will change it to disableOCSPChecks all over the place.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

got it, no need to change if it's just an internal variable name. i wanted to ensure disableOCSPChecks naming is consistent across all drivers

+ "as it could not obtain a valid OCSP Response to use from the CA OCSP "
+ "responder. Details: \n"
return "OCSP responder didn't respond correctly. Assuming certificate is "
+ "not revoked. Details: \n"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need this newline? It's not good to add newlines in logs as it breaks log gathering by some tools.

@@ -1014,6 +1014,27 @@ public void testFailOverOrgAccount() throws SQLException {
}
}

/** Test production connectivity with disableOCSPChecksMode enabled. */
@Test
public void testDisableOCSPChecksMode() throws SQLException {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we have more tests on various combinations of disableOCSPChecks and insecureMode? Or maybe this is not a good place, it should be checked in a place where connection string is parsed?

properties.put("account", "fakeaccount");
try {
DriverManager.getConnection(deploymentUrl, properties);
fail();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have junit5, we can check something like this:

SQLException e = assertThrows(() -> DriverManager.getConnection(deploymentUrl, properties))
assertThat(e.getErrorCode()....

Boolean insecureMode = (Boolean) connectionPropertiesMap.get(SFSessionProperty.INSECURE_MODE);
if (insecureMode != null && insecureMode) {
if ((disableOCSPMode != null && disableOCSPMode) || (insecureMode != null && insecureMode)) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this case should not happen - it's miss configuration
I think we can throw the exception when both disableOCSPMode and insecureMode are not null and are not equal

@sfc-gh-ext-simba-vb
Copy link
Collaborator Author

Hi @sfc-gh-pfus, code review comments implemented.

// A custom TrustManager is required only if insecureMode is disabled,
// which is by default in the production. insecureMode can be enabled
if (key != null && key.getOcspMode() != OCSPMode.DISABLE_OCSP_CHECKS) {
// A custom TrustManager is required only if disableOCSPMode is disabled,
Copy link
Contributor

@sfc-gh-dszmolka sfc-gh-dszmolka Dec 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

disableOCSPChecks isn't it ? here and all the other places

Boolean insecureMode = (Boolean) connectionPropertiesMap.get(SFSessionProperty.INSECURE_MODE);
if (insecureMode != null && insecureMode) {

if ((disableOCSPMode != null && insecureMode != null) && (disableOCSPMode != insecureMode)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

disableOCSPChecks is the flag name, in other drivers too

&& (disableOCSPChecks != insecureMode)) {
logger.error(
"The values for 'disableOCSPChecks' and 'insecureMode' must be identical. "
+ "Please ensure both properties are set to the same value.");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd add "or unset insecureMode".

@@ -440,6 +445,49 @@ public void testWrongHost() throws InterruptedException {
fail("All retries failed");
}

/** Test connectivity with disableOCSPChecksMode and insecure mode enabled. */
@Test
public void testDisableOCSPChecksModeAndInsecureMode() throws SQLException {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also worth having tests for disableOCSPChecks only and insecureMode only.

Copy link
Collaborator Author

@sfc-gh-ext-simba-vb sfc-gh-ext-simba-vb Dec 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These tests are already added in ConnectionIT class. I shifted them to same class.

});

assertThat(
thrown.getErrorCode(), anyOf(is(INVALID_CONNECTION_INFO_CODE), is(BAD_REQUEST_GS_CODE)));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the purpose of this assertion? It only tests options mismatch, not the effect. We could make a typo in config and it wouldn't end up in the same exception, right?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The test name for option mismatch is testDisableOCSPChecksModeAndInsecureModeMismatched.
This above test testDisableOCSPChecksModeAndInsecureMode is a good case where both options are enabled. It will skip the OCSP check and try to connect to db, but it ends up with an exception as the user and account are fake.
For testDisableOCSPChecksModeAndInsecureModeMismatched test, it will get the new error code 200064.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants