SNOW-1825789 Secure token cache #1012
+385
−69
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,82 +1,233 @@ | ||
| const path = require('path'); | ||
| const Logger = require('../../logger'); | ||
| const fs = require('node:fs/promises'); | ||
| const Util = require('../../util'); | ||
| const os = require('os'); | ||
| const crypto = require('crypto'); | ||
| const { getSecureHandle } = require('../../file_util'); | ||
|
|
||
| function JsonCredentialManager(credentialCacheDir, timeoutMs = 60000) { | ||
| const topLevelKey = 'tokens'; | ||
|
|
||
| this.hashKey = function (key) { | ||
| return crypto.createHash('sha256').update(key).digest('hex'); | ||
| }; | ||
|
|
||
| this.getTokenDirCandidates = function () { | ||
| const candidates = []; | ||
| if (Util.exists(credentialCacheDir)) { | ||
| candidates.push({ folder: credentialCacheDir, subfolders: [] }); | ||
| } | ||
| const sfTemp = process.env.SF_TEMPORARY_CREDENTIAL_CACHE_DIR; | ||
| if (Util.exists(sfTemp)) { | ||
| candidates.push({ folder: sfTemp, subfolders: [] }); | ||
| } | ||
| const xdgCache = process.env.XDG_CACHE_HOME; | ||
| if (Util.exists(xdgCache) && process.platform === 'linux') { | ||
| candidates.push({ folder: xdgCache, subfolders: ['snowflake'] }); | ||
| } | ||
| const home = process.env.HOME; | ||
| switch (process.platform) { | ||
| case 'win32': | ||
| candidates.push({ folder: os.homedir(), subfolders: ['AppData', 'Local', 'Snowflake', 'Caches'] }); | ||
| break; | ||
| case 'linux': | ||
| if (Util.exists(home)) { | ||
| candidates.push({ folder: home, subfolders: ['.cache', 'snowflake'] }); | ||
| } | ||
| break; | ||
| case 'darwin': | ||
| if (Util.exists(home)) { | ||
| candidates.push({ folder: home, subfolders: ['Library', 'Caches', 'Snowflake'] }); | ||
| } | ||
| } | ||
| return candidates; | ||
| }; | ||
|
|
||
| this.tryTokenDir = async function (dir, subDirs) { | ||
| const cacheDir = path.join(dir, ...subDirs); | ||
| try { | ||
| const stat = await fs.stat(dir); | ||
| if (!stat.isDirectory()) { | ||
| Logger.getInstance().info(`Path ${dir} is not a directory`); | ||
| return false; | ||
| } | ||
| const cacheStat = await fs.lstat(cacheDir).catch(() => {}); | ||
| if (!Util.exists(cacheStat)) { | ||
|
There was a problem hiding this comment. In this logic, the empty cacheStats is the correct equivalent for the directory that doesn't exist. We also return empty even for any cached error. There was a problem hiding this comment. Looking back at it, I should probably check if the error is ENOENT and only ignore that one. |
||
| const options = { recursive: true }; | ||
| if (process.platform !== 'win32') { | ||
| options.mode = 0o700; | ||
| } | ||
| await fs.mkdir(cacheDir, options); | ||
|
There was a problem hiding this comment. According to the previous comment, we can skip verification checking the directory exists? There was a problem hiding this comment. With the fix mentioned above, we should enter this branch iff the directory doesn't exist |
||
| return true; | ||
| } else { | ||
| if (process.platform === 'win32') { | ||
| return true; | ||
| } | ||
| if ((cacheStat.mode & 0o777) === 0o700) { | ||
| return true; | ||
| } | ||
| await fs.chmod(cacheDir, 0o700); | ||
|
There was a problem hiding this comment. Why is the permission changing for the existing directory? For me it is unsafe ... There was a problem hiding this comment. This is in accordance with https://docs.google.com/document/d/1taFHFZNaKr3D5kPwOJw-0PDGoFKB2TFaMtx6gSZ5iY4/edit?usp=sharing , section "Location" |
||
| return true; | ||
| } | ||
| } catch (err) { | ||
| Logger.getInstance().warn(`The path location ${cacheDir} is invalid. Please check this location is accessible or existing`); | ||
| return false; | ||
| } | ||
| }; | ||
|
|
||
| this.getTokenDir = async function () { | ||
| const candidates = this.getTokenDirCandidates(); | ||
| for (const candidate of candidates) { | ||
| const { folder: dir, subfolders: subDirs } = candidate; | ||
| if (await this.tryTokenDir(dir, subDirs)) { | ||
| return path.join(dir, ...subDirs); | ||
| } else { | ||
| Logger.getInstance().info(`${path.join(dir, ...subDirs)} is not a valid cache directory`); | ||
| } | ||
| } | ||
| return null; | ||
| }; | ||
|
|
||
| this.getTokenFile = async function () { | ||
| const tokenDir = await this.getTokenDir(); | ||
|
|
||
| if (!Util.exists(tokenDir)) { | ||
| throw new Error(`Temporary credential cache directory is invalid, and the driver is unable to use the default location. | ||
| Please set 'credentialCacheDir' connection configuration option to enable the default credential manager.`); | ||
| } | ||
|
|
||
| const tokenCacheFile = path.join(tokenDir, 'credential_cache_v1.json'); | ||
| return [await getSecureHandle(tokenCacheFile, fs.constants.O_RDWR | fs.constants.O_CREAT, fs), tokenCacheFile]; | ||
| }; | ||
|
|
||
| this.readJsonCredentialFile = async function (fileHandle) { | ||
| try { | ||
| const cred = await fileHandle.readFile('utf8'); | ||
| return JSON.parse(cred); | ||
| } catch (err) { | ||
| Logger.getInstance().warn('Failed to read token data from the file. Err: %s', err.message); | ||
| return null; | ||
| } | ||
| }; | ||
|
|
||
| this.removeStale = async function (file) { | ||
| const stat = await fs.stat(file).catch(() => { | ||
| return undefined; | ||
| }); | ||
| if (!Util.exists(stat)) { | ||
| return; | ||
| } | ||
| if (new Date().getTime() - stat.birthtimeMs > timeoutMs) { | ||
| try { | ||
| await fs.rmdir(file); | ||
| } catch (err) { | ||
| Logger.getInstance().warn('Failed to remove stale file. Error: %s', err.message); | ||
| } | ||
| } | ||
|
|
||
| }; | ||
|
|
||
|
|
||
| this.withFileLocked = async function (fun) { | ||
|
There was a problem hiding this comment. Should we treat fun as a callback? There was a problem hiding this comment. Well, I'm not sure how you define callback. It is called within the function, but not at the end of the function, as we need to cleanup after |
||
| const [fileHandle, file] = await this.getTokenFile(); | ||
| const lckFile = file + '.lck'; | ||
| await this.removeStale(lckFile); | ||
| let attempts = 1; | ||
| let locked = false; | ||
| const options = {}; | ||
| if (process.platform !== 'win32') { | ||
| options.mode = 0o600; | ||
| } | ||
| while (attempts <= 10) { | ||
| Logger.getInstance().debug('Attempting to get a lock on file %s, attempt: %d', file, attempts); | ||
| attempts++; | ||
| await fs.mkdir(lckFile, options).then(() => { | ||
| locked = true; | ||
| }, () => {}); | ||
| if (locked) { | ||
| break; | ||
| } | ||
| await new Promise(resolve => setTimeout(resolve, 100)); | ||
| } | ||
| if (!locked) { | ||
| if (Util.exists(fileHandle)) { | ||
| await fileHandle.close(); | ||
| } | ||
| Logger.getInstance().warn('Could not acquire lock on cache file %s', file); | ||
| return null; | ||
| } | ||
| const res = await fun(fileHandle, file); | ||
| if (Util.exists(fileHandle)) { | ||
| await fileHandle.close(); | ||
| } | ||
| await fs.rmdir(lckFile); | ||
| return res; | ||
| }; | ||
|
|
||
| this.write = async function (key, token) { | ||
| if (!validateTokenCacheOption(key)) { | ||
| return null; | ||
| } | ||
| const keyHash = this.hashKey(key); | ||
|
|
||
| await this.withFileLocked(async (fileHandle, filename) => { | ||
| const jsonCredential = await this.readJsonCredentialFile(fileHandle) || {}; | ||
| if (!Util.exists(jsonCredential[topLevelKey])) { | ||
| jsonCredential[topLevelKey] = {}; | ||
| } | ||
| jsonCredential[topLevelKey][keyHash] = token; | ||
|
|
||
| try { | ||
| const flag = Util.exists(fileHandle) ? fs.constants.O_RDWR | fs.constants.O_CREAT : fs.constants.O_WRONLY; | ||
| const writeFileHandle = await getSecureHandle(filename, flag, fs); | ||
| await writeFileHandle.writeFile(JSON.stringify(jsonCredential), { mode: 0o600 }); | ||
| await writeFileHandle.close(); | ||
| } catch (err) { | ||
| Logger.getInstance().warn(`Failed to write token data in ${filename}. Please check the permission or the file format of the token. ${err.message}`); | ||
| } | ||
| }); | ||
| }; | ||
|
|
||
| this.read = async function (key) { | ||
| if (!validateTokenCacheOption(key)) { | ||
| return null; | ||
| } | ||
|
|
||
| const keyHash = this.hashKey(key); | ||
|
|
||
| return await this.withFileLocked(async (fileHandle) => { | ||
| const jsonCredential = await this.readJsonCredentialFile(fileHandle); | ||
| if (!!jsonCredential && jsonCredential[topLevelKey] && jsonCredential[topLevelKey][keyHash]) { | ||
| return jsonCredential[topLevelKey][keyHash]; | ||
| } else { | ||
| return null; | ||
| } | ||
| }); | ||
| }; | ||
|
|
||
| this.remove = async function (key) { | ||
| if (!validateTokenCacheOption(key)) { | ||
| return null; | ||
| } | ||
|
|
||
| const keyHash = this.hashKey(key); | ||
|
|
||
| await this.withFileLocked(async (fileHandle, filename) => { | ||
| const jsonCredential = await this.readJsonCredentialFile(fileHandle); | ||
|
|
||
| if (jsonCredential && jsonCredential[topLevelKey] && jsonCredential[topLevelKey][keyHash]) { | ||
| try { | ||
| jsonCredential[topLevelKey][keyHash] = null; | ||
| const flag = Util.exists(fileHandle) ? fs.constants.O_RDWR | fs.constants.O_CREAT : fs.constants.O_WRONLY; | ||
| const writeFileHandle = await getSecureHandle(filename, flag, fs); | ||
| await writeFileHandle.writeFile(JSON.stringify(jsonCredential), { mode: 0o600 }); | ||
| await writeFileHandle.close(); | ||
| } catch (err) { | ||
| Logger.getInstance().warn(`Failed to remove token data from the file in ${filename}. Please check the permission or the file format of the token. ${err.message}`); | ||
| } | ||
| } | ||
| }); | ||
| }; | ||
|
|
||
| function validateTokenCacheOption(key) { | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -164,7 +164,9 @@ exports.validateOnlyUserReadWritePermissionAndOwner = async function (filePath, | |
| if (octalPermissions === '600') { | ||
| Logger.getInstance().debug(`Validated that the user has only read and write permission for file: ${filePath}, Permission: ${permission}`); | ||
| } else { | ||
| await fsp.chmod(filePath, 0o600).catch(() => { | ||
|
There was a problem hiding this comment. Why are we changing permission for existing file? Potentially, it could be modified by an attacker. There was a problem hiding this comment. From the design doc: "If cache file doesn’t have exactly 600 permissions: all operations should attempt to change the permissions to 600 or fail if not possible" That being said, as I ended up creating a new function based on this one and no longer use it, I can revert this change |
||
| throw new Error(`Invalid file permissions (${octalPermissions} for file ${filePath}). Make sure you have read and write permissions and other users do not have access to it. Please remove the file and re-run the driver.`); | ||
| }); | ||
| } | ||
|
|
||
| const userInfo = os.userInfo(); | ||
|
|
@@ -183,6 +185,51 @@ exports.validateOnlyUserReadWritePermissionAndOwner = async function (filePath, | |
| } | ||
| }; | ||
|
|
||
| /** | ||
| * Checks if the provided file is writable only by the user and os tha file owner is the same as os user. FsPromises can be provided. | ||
| * @param filePath | ||
| * @param expectedMode | ||
| * @param fsPromises | ||
| * @returns {Promise<FileHandle>} | ||
| */ | ||
| exports.getSecureHandle = async function (filePath, flags, fsPromises) { | ||
| const fsp = fsPromises ? fsPromises : require('fs/promises'); | ||
| try { | ||
| const fileHandle = await fsp.open(filePath, flags | fsp.constants.O_NOFOLLOW, 0o600); | ||
| if (os.platform() === 'win32') { | ||
| return fileHandle; | ||
| } | ||
| const stats = await fileHandle.stat(); | ||
| const mode = stats.mode; | ||
| const permission = mode & 0o777; | ||
|
|
||
| //This should be 600 permission, which means the file permission has not been changed by others. | ||
| const octalPermissions = permission.toString(8); | ||
|
There was a problem hiding this comment. Isn't it duplication of validateOnlyUserReadWritePermissionAndOwner method? There was a problem hiding this comment. It is very similar, but operates on file handles in order to mitigate any manipulations between our checks and operations. |
||
| if (octalPermissions === '600') { | ||
| Logger.getInstance().debug(`Validated that the user has only read and write permission for file: ${filePath}, Permission: ${permission}`); | ||
| } else { | ||
| await fileHandle.chmod(0o600).catch(() => { | ||
| throw new Error(`Invalid file permissions (${octalPermissions} for file ${filePath}). Make sure you have read and write permissions and other users do not have access to it. Please remove the file and re-run the driver.`); | ||
| }); | ||
| } | ||
|
|
||
| const userInfo = os.userInfo(); | ||
| if (stats.uid === userInfo.uid) { | ||
| Logger.getInstance().debug('Validated file owner'); | ||
| } else { | ||
| throw new Error(`Invalid file owner for file ${filePath}). Make sure the system user are the owner of the file otherwise please remove the file and re-run the driver.`); | ||
| } | ||
| return fileHandle; | ||
| } catch (err) { | ||
| //When file doesn't exist - return | ||
| if (err.code === 'ENOENT') { | ||
| return null; | ||
| } else { | ||
| throw err; | ||
| } | ||
| } | ||
| }; | ||
|
|
||
| /** | ||
| * Checks if the provided file or directory permissions are correct. | ||
| * @param filePath | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be more readable for me if the name indicated its relation to the token.