Skip to content

SNOW-1825789 Secure token cache #1012

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 60 commits into
base: master
Choose a base branch
from
+392 −93
Open

SNOW-1825789 Secure token cache #1012

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
60 commits
Select commit Hold shift + click to select a range
d72bac3
Secure token cache
sfc-gh-astachowski Feb 18, 2025
89e3b4b
Merge branch 'master' into SNOW-1825789-secure-token-cache
sfc-gh-astachowski Feb 18, 2025
ada2872
Test fixes
sfc-gh-astachowski Feb 18, 2025
f638e60
Disable tests on windows
sfc-gh-astachowski Feb 18, 2025
c9c6bd6
Enable tests on windows
sfc-gh-astachowski Feb 18, 2025
a431cb8
Diagnostic logs
sfc-gh-astachowski Feb 18, 2025
770e3b1
Potential windows fix
sfc-gh-astachowski Feb 18, 2025
7e3dc4f
More logs
sfc-gh-astachowski Feb 18, 2025
dcc6d2e
Attempted fix
sfc-gh-astachowski Feb 20, 2025
d51750d
Added error log
sfc-gh-astachowski Feb 20, 2025
b0c0752
Windows fix
sfc-gh-astachowski Feb 20, 2025
1c3dc35
Fixes
sfc-gh-astachowski Feb 20, 2025
f813df5
Extra logging
sfc-gh-astachowski Feb 20, 2025
9cb1c16
Improved logging
sfc-gh-astachowski Feb 21, 2025
03e376f
Improved logging
sfc-gh-astachowski Feb 21, 2025
800a58a
Added more logging
sfc-gh-astachowski Feb 21, 2025
47a684a
Test fixes
sfc-gh-astachowski Feb 21, 2025
7f4afd4
Test fixes
sfc-gh-astachowski Feb 21, 2025
ef6e428
Further test fixes
sfc-gh-astachowski Feb 21, 2025
d279ca6
Added even more logs
sfc-gh-astachowski Feb 21, 2025
52a088c
Change to util exists
sfc-gh-astachowski Feb 21, 2025
43e1040
Improved cleanup
sfc-gh-astachowski Feb 21, 2025
6d49ccf
More logs
sfc-gh-astachowski Feb 21, 2025
1778e9f
More logs
sfc-gh-astachowski Feb 21, 2025
7a1b31d
Fixes, cleanup
sfc-gh-astachowski Feb 21, 2025
c99010b
Merge branch 'master' into SNOW-1825789-secure-token-cache
sfc-gh-astachowski Feb 21, 2025
cdc5484
Sym link fix
sfc-gh-astachowski Feb 25, 2025
3ba209a
Added key hashing
sfc-gh-astachowski Feb 25, 2025
948cd27
Switched to file handles
sfc-gh-astachowski Feb 25, 2025
8e9e85d
Windows fix
sfc-gh-astachowski Feb 25, 2025
13e04df
Windows fix?
sfc-gh-astachowski Feb 25, 2025
90f758d
Windows fix?
sfc-gh-astachowski Feb 25, 2025
f1e8ebf
Logging
sfc-gh-astachowski Feb 25, 2025
74c6d1c
Remove logs
sfc-gh-astachowski Feb 25, 2025
5f2cf3c
Close description in case of loch error
sfc-gh-astachowski Feb 25, 2025
d5898c9
Close descriptor before opening a new one
sfc-gh-astachowski Feb 28, 2025
2d65bbf
Change flag to integer
sfc-gh-astachowski Feb 28, 2025
47e6449
revert change flag to integer
sfc-gh-astachowski Feb 28, 2025
3f66eb2
Some logging
sfc-gh-astachowski Feb 28, 2025
dc36c39
Additional cleanup
sfc-gh-astachowski Feb 28, 2025
3097c53
Handle closing fix
sfc-gh-astachowski Feb 28, 2025
c036882
Change error handling
sfc-gh-astachowski Mar 3, 2025
f2ea3b3
Change flags to use NOFOLLOW
sfc-gh-astachowski Mar 3, 2025
a24a749
Force cleanup
sfc-gh-astachowski Mar 3, 2025
50e7e39
Close file handles in tests
sfc-gh-astachowski Mar 3, 2025
25f6ccb
Review improvements
sfc-gh-astachowski Mar 7, 2025
86fd21b
Fix imports
sfc-gh-astachowski Mar 7, 2025
3514cd7
Merge branch 'master' into SNOW-1825789-secure-token-cache
sfc-gh-astachowski Mar 7, 2025
81a56df
Permission fixes
sfc-gh-astachowski Mar 10, 2025
24995a4
Add directory check
sfc-gh-astachowski Mar 11, 2025
3048378
Remove anti-symlink flag
sfc-gh-astachowski Mar 11, 2025
0140865
Remove chmod
sfc-gh-astachowski Mar 14, 2025
76462a5
Review fixes
sfc-gh-astachowski Mar 21, 2025
1d15e2e
Removed unused import
sfc-gh-astachowski Mar 21, 2025
380c2f0
Review feedback
sfc-gh-astachowski Mar 24, 2025
cf9b613
Flag changes
sfc-gh-astachowski Mar 25, 2025
55a6b4b
Removed duplicated code
sfc-gh-astachowski Mar 25, 2025
aed35d0
Extract retry interval to a constant
sfc-gh-astachowski Mar 25, 2025
29c74f2
Review improvements
sfc-gh-astachowski Mar 31, 2025
669e214
Merge branch 'master' into SNOW-1825789-secure-token-cache
sfc-gh-dheyman Apr 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
252 changes: 211 additions & 41 deletions lib/authentication/secure_storage/json_credential_manager.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,87 +1,257 @@
const path = require('path');
const Logger = require('../../logger');
const fs = require('node:fs/promises');
const os = require('os');
const Util = require('../../util');
const { validateOnlyUserReadWritePermissionAndOwner } = require('../../file_util');
const os = require('os');
const crypto = require('crypto');
const { getSecureHandle, closeHandle } = require('../../file_util');

const defaultJsonTokenCachePaths = {
'win32': ['AppData', 'Local', 'Snowflake', 'Caches'],
'linux': ['.cache', 'snowflake'],
'darwin': ['Library', 'Caches', 'Snowflake']
};

function JsonCredentialManager(credentialCacheDir, timeoutMs = 60000) {
const tokenMapKey = 'tokens';
const retryInterval = 100;

this.hashKey = function (key) {
return crypto.createHash('sha256').update(key).digest('hex');
};

this.getTokenDirCandidates = function () {
const candidates = [];
candidates.push({ folder: credentialCacheDir, subfolders: [] });

candidates.push({ folder: process.env.SF_TEMPORARY_CREDENTIAL_CACHE_DIR, subfolders: [] });

switch (process.platform) {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: it's hard to see what's returned for each system. Can you do it like this

switch(proces.platform) {
  case 'win32':
    return [ ... ]
  case 'linux':
    return [ ... ]
  case 'darwin':
    return [ ... ]
}

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Didn't do exactly that, but without the null/undefined checks the function is much more readable now

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good

case 'win32':
candidates.push({ folder: os.homedir(), subfolders: defaultJsonTokenCachePaths['win32'] });
break;

Check warning on line 32 in lib/authentication/secure_storage/json_credential_manager.js

View check run for this annotation

Codecov / codecov/patch

lib/authentication/secure_storage/json_credential_manager.js#L31-L32 

Added lines #L31 - L32 were not covered by tests
case 'linux':
candidates.push({ folder: process.env.XDG_CACHE_HOME, subfolders: ['snowflake'] });
candidates.push({ folder: process.env.HOME, subfolders: defaultJsonTokenCachePaths['linux'] });
break;
case 'darwin':
candidates.push({ folder: process.env.HOME, subfolders: defaultJsonTokenCachePaths['darwin'] });
}
return candidates;
};

this.createCacheDir = async function (cacheDir) {
const options = { recursive: true };
if (process.platform !== 'win32') {
options.mode = 0o755;

Check warning on line 46 in lib/authentication/secure_storage/json_credential_manager.js

View check run for this annotation

Codecov / codecov/patch

lib/authentication/secure_storage/json_credential_manager.js#L44-L46 

Added lines #L44 - L46 were not covered by tests
}
await fs.mkdir(cacheDir, options);
if (process.platform !== 'win32') {
await fs.chmod(cacheDir, 0o700);

Check warning on line 50 in lib/authentication/secure_storage/json_credential_manager.js

View check run for this annotation

Codecov / codecov/patch

lib/authentication/secure_storage/json_credential_manager.js#L48-L50 

Added lines #L48 - L50 were not covered by tests
}
};

this.tryTokenDir = async function (dir, subDirs) {
if (!Util.exists(dir)) {
return false;
}
const cacheDir = path.join(dir, ...subDirs);
try {
const stat = await fs.stat(dir);
if (!stat.isDirectory()) {
Logger.getInstance().info(`Path ${dir} is not a directory`);
return false;

Check warning on line 63 in lib/authentication/secure_storage/json_credential_manager.js

View check run for this annotation

Codecov / codecov/patch

lib/authentication/secure_storage/json_credential_manager.js#L62-L63 

Added lines #L62 - L63 were not covered by tests
}
const cacheStat = await fs.stat(cacheDir).catch(async (err) => {
if (err.code !== 'ENOENT') {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe create dir here when ENOENT? Then stat it again and recover from error?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, changed that

throw err;

Check warning on line 67 in lib/authentication/secure_storage/json_credential_manager.js

View check run for this annotation

Codecov / codecov/patch

lib/authentication/secure_storage/json_credential_manager.js#L66-L67 

Added lines #L66 - L67 were not covered by tests
}
await this.createCacheDir(cacheDir);
return await fs.stat(cacheDir);

Check warning on line 70 in lib/authentication/secure_storage/json_credential_manager.js

View check run for this annotation

Codecov / codecov/patch

lib/authentication/secure_storage/json_credential_manager.js#L69-L70 

Added lines #L69 - L70 were not covered by tests
});
if (!cacheStat.isDirectory()) {
return false;

Check warning on line 73 in lib/authentication/secure_storage/json_credential_manager.js

View check run for this annotation

Codecov / codecov/patch

lib/authentication/secure_storage/json_credential_manager.js#L73 

Added line #L73 was not covered by tests
}
if (process.platform === 'win32') {
return true;

Check warning on line 76 in lib/authentication/secure_storage/json_credential_manager.js

View check run for this annotation

Codecov / codecov/patch

lib/authentication/secure_storage/json_credential_manager.js#L76 

Added line #L76 was not covered by tests
}
if ((cacheStat.mode & 0o777) !== 0o700 && cacheStat.uid === os.userInfo().uid) {
Logger.getInstance().warn(`Token cache directory ${cacheDir} has unsecure permissions.`);

Check warning on line 79 in lib/authentication/secure_storage/json_credential_manager.js

View check run for this annotation

Codecov / codecov/patch

lib/authentication/secure_storage/json_credential_manager.js#L79 

Added line #L79 was not covered by tests
}
if (cacheStat.uid !== os.userInfo().uid) {
Logger.getInstance().warn(`Token cache directory ${cacheDir} has unsecure owner.`);

Check warning on line 82 in lib/authentication/secure_storage/json_credential_manager.js

View check run for this annotation

Codecov / codecov/patch

lib/authentication/secure_storage/json_credential_manager.js#L82 

Added line #L82 was not covered by tests
}
return true;
} catch (err) {
Logger.getInstance().warn(`The path location ${cacheDir} is invalid. Please check this location is accessible or existing`);
return false;
}
};

function JsonCredentialManager(credentialCacheDir) {

this.getTokenDir = async function () {
let tokenDir = credentialCacheDir;
if (!Util.exists(tokenDir)) {
tokenDir = os.homedir();
} else {
Logger.getInstance().info(`The credential cache directory is configured by the user. The token will be saved at ${tokenDir}`);
const candidates = this.getTokenDirCandidates();
for (const candidate of candidates) {
const { folder: dir, subfolders: subDirs } = candidate;
if (await this.tryTokenDir(dir, subDirs)) {
return path.join(dir, ...subDirs);
}
}
return null;

Check warning on line 99 in lib/authentication/secure_storage/json_credential_manager.js

View check run for this annotation

Codecov / codecov/patch

lib/authentication/secure_storage/json_credential_manager.js#L99 

Added line #L99 was not covered by tests
};

this.getTokenFilePath = async function () {
const tokenDir = await this.getTokenDir();

if (!Util.exists(tokenDir)) {
throw new Error(`Temporary credential cache directory is invalid, and the driver is unable to use the default location(home).
throw new Error(`Temporary credential cache directory is invalid, and the driver is unable to use the default location.

Check warning on line 106 in lib/authentication/secure_storage/json_credential_manager.js

View check run for this annotation

Codecov / codecov/patch

lib/authentication/secure_storage/json_credential_manager.js#L106 

Added line #L106 was not covered by tests
Please set 'credentialCacheDir' connection configuration option to enable the default credential manager.`);
}

const tokenCacheFile = path.join(tokenDir, 'temporary_credential.json');
await validateOnlyUserReadWritePermissionAndOwner(tokenCacheFile);
return tokenCacheFile;
return path.join(tokenDir, 'credential_cache_v1.json');
};

this.readJsonCredentialFile = async function () {
this.readJsonCredentialFile = async function (fileHandle) {
if (!Util.exists(fileHandle)) {
return null;
}
try {
const cred = await fs.readFile(await this.getTokenDir(), 'utf8');
const cred = await fileHandle.readFile('utf8');
return JSON.parse(cred);
} catch (err) {
Logger.getInstance().warn('Failed to read token data from the file. Err: %s', err.message);
return null;
}
};

this.removeStale = async function (file) {
const stat = await fs.stat(file).catch(() => {
return undefined;
});
if (!Util.exists(stat)) {
return;
}
if (new Date().getTime() - stat.birthtimeMs > timeoutMs) {
try {
await fs.rmdir(file);
} catch (err) {
Logger.getInstance().warn('Failed to remove stale file. Error: %s', err.message);

Check warning on line 137 in lib/authentication/secure_storage/json_credential_manager.js

View check run for this annotation

Codecov / codecov/patch

lib/authentication/secure_storage/json_credential_manager.js#L137 

Added line #L137 was not covered by tests
}
}

};

this.lockFile = async function (filename) {
const lckFile = filename + '.lck';
await this.removeStale(lckFile);
let attempts = 1;
let locked = false;
const options = {};
if (process.platform !== 'win32') {
options.mode = 0o600;
}
while (attempts <= 10) {
Logger.getInstance().debug('Attempting to get a lock on file %s, attempt: %d', filename, attempts);
attempts++;
await fs.mkdir(lckFile, options).then(() => {
locked = true;
}, () => {});
if (locked) {
break;
}
await new Promise(resolve => setTimeout(resolve, retryInterval));
}
if (!locked) {
Logger.getInstance().warn('Could not acquire lock on cache file %s', filename);
}
return locked;
};

this.unlockFile = async function (filename) {
const lckFile = filename + '.lck';
await fs.rmdir(lckFile);
};

this.withFileLocked = async function (fun) {
const filename = await this.getTokenFilePath();
if (await this.lockFile(filename)) {
const res = await fun(filename);
await this.unlockFile(filename);
return res;
}
return null;
};

this.write = async function (key, token) {
if (!validateTokenCacheOption(key)) {
return null;
}

const jsonCredential = await this.readJsonCredentialFile() || {};
jsonCredential[key] = token;

try {
await fs.writeFile(await this.getTokenDir(), JSON.stringify(jsonCredential), { mode: 0o600 });
} catch (err) {
throw new Error(`Failed to write token data. Please check the permission or the file format of the token. ${err.message}`);
}
const keyHash = this.hashKey(key);

await this.withFileLocked(async (filename) => {
const fileHandle = await getSecureHandle(filename, fs.constants.O_RDWR | fs.constants.O_CREAT, fs);
const jsonCredential = await this.readJsonCredentialFile(fileHandle) || {};
if (!Util.exists(jsonCredential[tokenMapKey])) {
jsonCredential[tokenMapKey] = {};
}
jsonCredential[tokenMapKey][keyHash] = token;

try {
await fileHandle.truncate();
await fileHandle.write(JSON.stringify(jsonCredential), 0);
await closeHandle(fileHandle);
} catch (err) {
Logger.getInstance().warn(`Failed to write token data in ${filename}. Please check the permission or the file format of the token. ${err.message}`);

Check warning on line 203 in lib/authentication/secure_storage/json_credential_manager.js

View check run for this annotation

Codecov / codecov/patch

lib/authentication/secure_storage/json_credential_manager.js#L203 

Added line #L203 was not covered by tests
}
});
};

this.read = async function (key) {
if (!validateTokenCacheOption(key)) {
return null;
}

const jsonCredential = await this.readJsonCredentialFile();
if (!!jsonCredential && jsonCredential[key]){
return jsonCredential[key];
} else {
return null;
}
const keyHash = this.hashKey(key);

return await this.withFileLocked(async (filename) => {
const fileHandle = await getSecureHandle(filename, fs.constants.O_RDWR, fs);
const jsonCredential = await this.readJsonCredentialFile(fileHandle);
await closeHandle(fileHandle);
if (!!jsonCredential && jsonCredential[tokenMapKey] && jsonCredential[tokenMapKey][keyHash]) {
return jsonCredential[tokenMapKey][keyHash];
} else {
return null;
}
});
};

this.remove = async function (key) {
if (!validateTokenCacheOption(key)) {
return null;
}
const jsonCredential = await this.readJsonCredentialFile();

if (jsonCredential && jsonCredential[key]) {
try {
jsonCredential[key] = null;
await fs.writeFile(await this.getTokenDir(), JSON.stringify(jsonCredential), { mode: 0o600 });
} catch (err) {
throw new Error(`Failed to write token data from the file in ${await this.getTokenDir()}. Please check the permission or the file format of the token. ${err.message}`);
}
}

const keyHash = this.hashKey(key);

await this.withFileLocked(async (filename) => {
const fileHandle = await getSecureHandle(filename, fs.constants.O_RDWR, fs);
const jsonCredential = await this.readJsonCredentialFile(fileHandle);

if (jsonCredential && jsonCredential[tokenMapKey] && jsonCredential[tokenMapKey][keyHash]) {
try {
jsonCredential[tokenMapKey][keyHash] = null;
await fileHandle.truncate();
await fileHandle.write(JSON.stringify(jsonCredential), 0);
await closeHandle(fileHandle);
} catch (err) {
Logger.getInstance().warn(`Failed to remove token data from the file in ${filename}. Please check the permission or the file format of the token. ${err.message}`);

Check warning on line 245 in lib/authentication/secure_storage/json_credential_manager.js

View check run for this annotation

Codecov / codecov/patch

lib/authentication/secure_storage/json_credential_manager.js#L245 

Added line #L245 was not covered by tests
}
}
});
};

function validateTokenCacheOption(key) {
return Util.checkParametersDefined(key);
}
}

module.exports = JsonCredentialManager;
module.exports.defaultJsonTokenCachePaths = defaultJsonTokenCachePaths;
module.exports.JsonCredentialManager = JsonCredentialManager;
2 changes: 1 addition & 1 deletion lib/connection/connection.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ const Logger = require('../logger');
const { isOktaAuth } = require('../authentication/authentication');
const { init: initEasyLogging } = require('../logger/easy_logging_starter');
const GlobalConfig = require('../global_config');
const JsonCredentialManager = require('../authentication/secure_storage/json_credential_manager');
const { JsonCredentialManager } = require('../authentication/secure_storage/json_credential_manager');
const ExecutionTimer = require('../logger/execution_timer');

/**
Expand Down
48 changes: 48 additions & 0 deletions lib/file_util.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -183,6 +183,54 @@
}
};

/**
* Checks if the provided file is writable only by the user and os tha file owner is the same as os user. FsPromises can be provided.
* @param filePath
* @param expectedMode
* @param fsPromises
* @returns {Promise<FileHandle>}
*/
exports.getSecureHandle = async function (filePath, flags, fsPromises) {
const fsp = fsPromises ? fsPromises : require('fs/promises');
try {
const fileHandle = await fsp.open(filePath, flags, 0o600);
if (os.platform() === 'win32') {
return fileHandle;

Check warning on line 198 in lib/file_util.js

View check run for this annotation

Codecov / codecov/patch

lib/file_util.js#L198 

Added line #L198 was not covered by tests
}
const stats = await fileHandle.stat();
const mode = stats.mode;
const permission = mode & 0o777;

//This should be 600 permission, which means the file permission has not been changed by others.
if (permission === 0o600) {
Logger.getInstance().debug(`Validated that the user has only read and write permission for file: ${filePath}, Permission: ${permission}`);
} else {
throw new Error(`Invalid file permissions (${permission.toString(8)} for file ${filePath}). Make sure you have read and write permissions and other users do not have access to it. Please remove the file and re-run the driver.`);

Check warning on line 208 in lib/file_util.js

View check run for this annotation

Codecov / codecov/patch

lib/file_util.js#L208 

Added line #L208 was not covered by tests
}

const userInfo = os.userInfo();
if (stats.uid === userInfo.uid) {
Logger.getInstance().debug('Validated file owner');
} else {
throw new Error(`Invalid file owner for file ${filePath}). Make sure the system user are the owner of the file otherwise please remove the file and re-run the driver.`);

Check warning on line 215 in lib/file_util.js

View check run for this annotation

Codecov / codecov/patch

lib/file_util.js#L215 

Added line #L215 was not covered by tests
}
return fileHandle;
} catch (err) {
//When file doesn't exist - return
if (err.code === 'ENOENT') {
return null;
} else {
throw err;

Check warning on line 223 in lib/file_util.js

View check run for this annotation

Codecov / codecov/patch

lib/file_util.js#L223 

Added line #L223 was not covered by tests
}
}
};

exports.closeHandle = async function (fileHandle) {
if (fileHandle !== undefined && fileHandle !== null) {
await fileHandle.close();
}
};

/**
* Checks if the provided file or directory permissions are correct.
* @param filePath
Expand Down
Loading
Loading