SNOW-1902211: Add initial DPoP support

Author: sfc-gh-dheyman

src/main/java/net/snowflake/client/core/CachedCredentialType.java

@@ -4,7 +4,8 @@ enum CachedCredentialType {
   ID_TOKEN("ID_TOKEN"),
   MFA_TOKEN("MFATOKEN"),
   OAUTH_ACCESS_TOKEN("OAUTH_ACCESS_TOKEN"),
-  OAUTH_REFRESH_TOKEN("OAUTH_REFRESH_TOKEN");
+  OAUTH_REFRESH_TOKEN("OAUTH_REFRESH_TOKEN"),
+  DPOP_PUBLIC_KEY("DPOP_PUBLIC_KEY");
 
   private final String value;
 

src/main/java/net/snowflake/client/core/CredentialManager.java

@@ -124,6 +124,22 @@ static void fillCachedOAuthRefreshToken(SFLoginInput loginInput) throws SFExcept
             loginInput, host, loginInput.getUserName(), CachedCredentialType.OAUTH_REFRESH_TOKEN);
   }
 
+  /**
+   * Reuse the cached OAuth DPoP public kley stored locally
+   *
+   * @param loginInput login input to attach refresh token
+   */
+  static void fillCachedDPoPPublicKey(SFLoginInput loginInput) throws SFException {
+    String host = getHostForOAuthCacheKey(loginInput);
+    logger.debug(
+        "Looking for cached DPoP public key for user: {}, host: {}",
+        loginInput.getUserName(),
+        host);
+    getInstance()
+        .fillCachedCredential(
+            loginInput, host, loginInput.getUserName(), CachedCredentialType.DPOP_PUBLIC_KEY);
+  }
+
   /** Reuse the cached token stored locally */
   synchronized void fillCachedCredential(
       SFLoginInput loginInput, String host, String username, CachedCredentialType credType)
@@ -168,6 +184,9 @@ synchronized void fillCachedCredential(
       case OAUTH_REFRESH_TOKEN:
         loginInput.setOauthRefreshToken(cred);
         break;
+      case DPOP_PUBLIC_KEY:
+        loginInput.setDPoPPublicKeyBase64(cred);
+        break;
       default:
         throw new SFException(
             ErrorCode.INTERNAL_ERROR, "Unrecognized type {} for local cached credential", credType);
@@ -238,6 +257,25 @@ static void writeOAuthRefreshToken(SFLoginInput loginInput) throws SFException {
             CachedCredentialType.OAUTH_REFRESH_TOKEN);
   }
 
+  /**
+   * Store OAuth DPoP Public Key
+   *
+   * @param loginInput loginInput to denote to the cache
+   */
+  static void writeDPoPPublicKey(SFLoginInput loginInput) throws SFException {
+    String host = getHostForOAuthCacheKey(loginInput);
+    logger.debug(
+        "Caching DPoP public key in a secure storage for user: {}, host: {}",
+        loginInput.getUserName(),
+        host);
+    getInstance()
+        .writeTemporaryCredential(
+            host,
+            loginInput.getUserName(),
+            loginInput.getDPoPPublicKeyBase64(),
+            CachedCredentialType.DPOP_PUBLIC_KEY);
+  }
+
   /** Store the temporary credential */
   synchronized void writeTemporaryCredential(
       String host, String user, String cred, CachedCredentialType credType) {
@@ -279,10 +317,28 @@ static void deleteMfaTokenCache(String host, String user) {
   /** Delete the Oauth access token cache */
   static void deleteOAuthAccessTokenCache(String host, String user) {
     logger.debug(
-        "Removing cached mfa token from a secure storage for user: {}, host: {}", user, host);
+        "Removing cached oauth access token from a secure storage for user: {}, host: {}",
+        user,
+        host);
     getInstance().deleteTemporaryCredential(host, user, CachedCredentialType.OAUTH_ACCESS_TOKEN);
   }
 
+  /** Delete the Oauth refresh token cache */
+  static void deleteOAuthRefreshTokenCache(String host, String user) {
+    logger.debug(
+        "Removing cached OAuth refresh token from a secure storage for user: {}, host: {}",
+        user,
+        host);
+    getInstance().deleteTemporaryCredential(host, user, CachedCredentialType.OAUTH_REFRESH_TOKEN);
+  }
+
+  /** Delete the Oauth access token cache */
+  static void deleteDPoPPublicKeyCache(String host, String user) {
+    logger.debug(
+        "Removing cached DPoP public key from a secure storage for user: {}, host: {}", user, host);
+    getInstance().deleteTemporaryCredential(host, user, CachedCredentialType.DPOP_PUBLIC_KEY);
+  }
+
   /** Delete the OAuth access token cache */
   static void deleteOAuthAccessTokenCache(SFLoginInput loginInput) throws SFException {
     String host = getHostForOAuthCacheKey(loginInput);
@@ -295,13 +351,10 @@ static void deleteOAuthRefreshTokenCache(SFLoginInput loginInput) throws SFExcep
     deleteOAuthRefreshTokenCache(host, loginInput.getUserName());
   }
 
-  /** Delete the Oauth refresh token cache */
-  static void deleteOAuthRefreshTokenCache(String host, String user) {
-    logger.debug(
-        "Removing cached OAuth refresh token from a secure storage for user: {}, host: {}",
-        user,
-        host);
-    getInstance().deleteTemporaryCredential(host, user, CachedCredentialType.OAUTH_REFRESH_TOKEN);
+  /** Delete the DPoP refresh token cache */
+  static void deleteDPoPPublicKeyCache(SFLoginInput loginInput) throws SFException {
+    String host = getHostForOAuthCacheKey(loginInput);
+    deleteDPoPPublicKeyCache(host, loginInput.getUserName());
   }
 
   /**

src/main/java/net/snowflake/client/core/HttpUtil.java

@@ -5,6 +5,8 @@
 import static org.apache.http.client.config.CookieSpecs.IGNORE_COOKIES;
 
 import com.amazonaws.ClientConfiguration;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Strings;
 import com.microsoft.azure.storage.OperationContext;
@@ -31,6 +33,7 @@
 import net.snowflake.client.jdbc.RetryContextManager;
 import net.snowflake.client.jdbc.SnowflakeDriver;
 import net.snowflake.client.jdbc.SnowflakeSQLException;
+import net.snowflake.client.jdbc.SnowflakeUseDPoPNonceException;
 import net.snowflake.client.jdbc.SnowflakeUtil;
 import net.snowflake.client.jdbc.cloud.storage.S3HttpUtil;
 import net.snowflake.client.log.ArgSupplier;
@@ -42,6 +45,7 @@
 import net.snowflake.common.core.SqlState;
 import org.apache.commons.io.IOUtils;
 import org.apache.http.HttpHost;
+import org.apache.http.HttpResponse;
 import org.apache.http.auth.AuthScope;
 import org.apache.http.auth.Credentials;
 import org.apache.http.auth.UsernamePasswordCredentials;
@@ -66,6 +70,10 @@
 public class HttpUtil {
   private static final SFLogger logger = SFLoggerFactory.getLogger(HttpUtil.class);
 
+  static final String ERROR_FIELD_NAME = "error";
+  static final String ERROR_USE_DPOP_NONCE = "use_dpop_nonce";
+  static final String DPOP_NONCE_HEADER_NAME = "dpop-nonce";
+
   static final int DEFAULT_MAX_CONNECTIONS = 300;
   static final int DEFAULT_MAX_CONNECTIONS_PER_ROUTE = 300;
   private static final int DEFAULT_HTTP_CLIENT_CONNECTION_TIMEOUT_IN_MS = 60000;
@@ -913,6 +921,12 @@ private static String executeRequestInternal(
       if (response == null || response.getStatusLine().getStatusCode() != 200) {
         logger.error("Error executing request: {}", requestInfoScrubbed);
 
+        if (response != null
+            && response.getStatusLine().getStatusCode() == 400
+            && response.getEntity() != null) {
+          checkForDPoPNonceError(response);
+        }
+
         SnowflakeUtil.logResponseDetails(response, logger);
 
         if (response != null) {
@@ -950,6 +964,26 @@ private static String executeRequestInternal(
     return theString;
   }
 
+  private static void checkForDPoPNonceError(HttpResponse response) throws IOException {
+    StringWriter writer = new StringWriter();
+    try (InputStream ins = response.getEntity().getContent()) {
+      IOUtils.copy(ins, writer, "UTF-8");
+    }
+    String errorResponse = writer.toString();
+    if (!Strings.isNullOrEmpty(errorResponse)) {
+      ObjectMapper objectMapper = ObjectMapperFactory.getObjectMapper();
+      JsonNode rootNode = objectMapper.readTree(errorResponse);
+      JsonNode errorNode = rootNode.get(ERROR_FIELD_NAME);
+      if (errorNode != null
+          && errorNode.isValueNode()
+          && errorNode.isTextual()
+          && errorNode.textValue().equals(ERROR_USE_DPOP_NONCE)) {
+        throw new SnowflakeUseDPoPNonceException(
+            response.getFirstHeader(DPOP_NONCE_HEADER_NAME).getValue());
+      }
+    }
+  }
+
   // This is a workaround for JDK-7036144.
   //
   // The GZIPInputStream prematurely closes its input if a) it finds

src/main/java/net/snowflake/client/core/SFLoginInput.java

@@ -40,6 +40,8 @@ public class SFLoginInput {
   private String mfaToken;
   private String oauthAccessToken;
   private String oauthRefreshToken;
+  private String dpopPublicKeyBase64;
+  private boolean dpopEnabled = false;
   private String serviceName;
   private OCSPMode ocspMode;
   private HttpClientSettingsKey httpClientKey;
@@ -340,6 +342,27 @@ SFLoginInput setOauthRefreshToken(String oauthRefreshToken) {
     return this;
   }
 
+  @SnowflakeJdbcInternalApi
+  public String getDPoPPublicKeyBase64() {
+    return dpopPublicKeyBase64;
+  }
+
+  SFLoginInput setDPoPPublicKeyBase64(String dpopPublicKeyBase64) {
+    this.dpopPublicKeyBase64 = dpopPublicKeyBase64;
+    return this;
+  }
+
+  @SnowflakeJdbcInternalApi
+  public boolean isDPoPEnabled() {
+    return dpopEnabled;
+  }
+
+  // Currently only used for testing purpose
+  @SnowflakeJdbcInternalApi
+  public void setDPoPEnabled(boolean dpopEnabled) {
+    this.dpopEnabled = dpopEnabled;
+  }
+
   Map<String, Object> getSessionParameters() {
     return sessionParameters;
   }

src/main/java/net/snowflake/client/core/SessionUtil.java

@@ -28,6 +28,7 @@
 import net.snowflake.client.core.auth.ClientAuthnDTO;
 import net.snowflake.client.core.auth.ClientAuthnParameter;
 import net.snowflake.client.core.auth.oauth.AccessTokenProvider;
+import net.snowflake.client.core.auth.oauth.DPoPUtil;
 import net.snowflake.client.core.auth.oauth.OAuthAccessTokenForRefreshTokenProvider;
 import net.snowflake.client.core.auth.oauth.OAuthAccessTokenProviderFactory;
 import net.snowflake.client.core.auth.oauth.TokenResponseDTO;
@@ -329,7 +330,7 @@ static SFLoginOutput openSession(
 
     convertSessionParameterStringValueToBooleanIfGiven(loginInput, CLIENT_REQUEST_MFA_TOKEN);
 
-    readCachedTokensIfPossible(loginInput);
+    readCachedCredentialsIfPossible(loginInput);
     if (OAuthAccessTokenProviderFactory.isEligible(getAuthenticator(loginInput))) {
       obtainAuthAccessTokenAndUpdateInput(loginInput);
     }
@@ -403,6 +404,7 @@ private static void fetchOAuthAccessTokenAndUpdateInput(SFLoginInput loginInput)
     loginInput.setToken(tokenResponse.getAccessToken());
     loginInput.setOauthAccessToken(tokenResponse.getAccessToken());
     loginInput.setOauthRefreshToken(tokenResponse.getRefreshToken());
+    loginInput.setDPoPPublicKeyBase64(accessTokenProvider.getDPoPPublicKeyBase64());
   }
 
   private static void refreshOAuthAccessTokenAndUpdateInput(SFLoginInput loginInput)
@@ -437,12 +439,13 @@ private static void convertSessionParameterStringValueToBooleanIfGiven(
     }
   }
 
-  private static void readCachedTokensIfPossible(SFLoginInput loginInput) throws SFException {
+  private static void readCachedCredentialsIfPossible(SFLoginInput loginInput) throws SFException {
     if (!StringUtils.isNullOrEmpty(loginInput.getUserName())) {
       if (asBoolean(loginInput.getSessionParameters().get(CLIENT_STORE_TEMPORARY_CREDENTIAL))) {
         CredentialManager.fillCachedIdToken(loginInput);
         CredentialManager.fillCachedOAuthAccessToken(loginInput);
         CredentialManager.fillCachedOAuthRefreshToken(loginInput);
+        CredentialManager.fillCachedDPoPPublicKey(loginInput);
       }
 
       if (asBoolean(loginInput.getSessionParameters().get(CLIENT_REQUEST_MFA_TOKEN))) {
@@ -768,6 +771,10 @@ static SFLoginOutput newSession(
 
       postRequest.addHeader("accept", "application/json");
       postRequest.addHeader("Accept-Encoding", "");
+      if (loginInput.isDPoPEnabled()) {
+        new DPoPUtil(loginInput.getDPoPPublicKeyBase64())
+            .addDPoPProofHeaderToRequest(postRequest, null);
+      }
 
       /*
        * HttpClient should take authorization header from char[] instead of
@@ -896,11 +903,13 @@ static SFLoginOutput newSession(
           logger.debug("OAuth Access Token Invalid: {}", errorCode);
           loginInput.setOauthAccessToken(null);
           CredentialManager.deleteOAuthAccessTokenCache(loginInput);
+          CredentialManager.deleteDPoPPublicKeyCache(loginInput);
         }
 
         if (errorCode == Constants.OAUTH_ACCESS_TOKEN_EXPIRED_GS_CODE) {
           loginInput.setOauthAccessToken(null);
           CredentialManager.deleteOAuthAccessTokenCache(loginInput);
+          CredentialManager.deleteDPoPPublicKeyCache(loginInput);
 
           logger.debug("OAuth Access Token Expired: {}", errorCode);
           SnowflakeUtil.checkErrorAndThrowExceptionIncludingReauth(jsonNode);
@@ -1053,6 +1062,9 @@ static SFLoginOutput newSession(
       if (loginInput.getOauthRefreshToken() != null) {
         CredentialManager.writeOAuthRefreshToken(loginInput);
       }
+      if (loginInput.getDPoPPublicKeyBase64() != null && loginInput.isDPoPEnabled()) {
+        CredentialManager.writeDPoPPublicKey(loginInput);
+      }
     }
 
     if (asBoolean(loginInput.getSessionParameters().get(CLIENT_REQUEST_MFA_TOKEN))) {

src/main/java/net/snowflake/client/core/auth/oauth/AccessTokenProvider.java

@@ -8,4 +8,6 @@
 public interface AccessTokenProvider {
 
   TokenResponseDTO getAccessToken(SFLoginInput loginInput) throws SFException;
+
+  String getDPoPPublicKeyBase64();
 }

src/main/java/net/snowflake/client/core/auth/oauth/DPoPUtil.java

@@ -0,0 +1,85 @@
+package net.snowflake.client.core.auth.oauth;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.jwk.Curve;
+import com.nimbusds.jose.jwk.ECKey;
+import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
+import com.nimbusds.jwt.SignedJWT;
+import com.nimbusds.oauth2.sdk.dpop.DPoPProofFactory;
+import com.nimbusds.oauth2.sdk.dpop.DefaultDPoPProofFactory;
+import com.nimbusds.oauth2.sdk.dpop.JWKThumbprintConfirmation;
+import com.nimbusds.openid.connect.sdk.Nonce;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.Base64;
+import net.snowflake.client.core.SFException;
+import net.snowflake.client.core.SnowflakeJdbcInternalApi;
+import net.snowflake.client.jdbc.ErrorCode;
+import org.apache.http.client.methods.HttpRequestBase;
+
+@SnowflakeJdbcInternalApi
+public class DPoPUtil {
+
+  private final ECKey jwk;
+
+  DPoPUtil() throws SFException {
+    try {
+      jwk = new ECKeyGenerator(Curve.P_256).generate();
+    } catch (JOSEException e) {
+      throw new SFException(
+          ErrorCode.INTERNAL_ERROR, "Error during DPoP JWK initialization: " + e.getMessage());
+    }
+  }
+
+  public DPoPUtil(String jsonKeyBase64) throws SFException {
+    try {
+      String jsonKey = new String(Base64.getDecoder().decode(jsonKeyBase64));
+      jwk = ECKey.parse(jsonKey);
+    } catch (Exception e) {
+      throw new SFException(
+          ErrorCode.INTERNAL_ERROR, "Error during DPoP JWK initialization: " + e.getMessage());
+    }
+  }
+
+  String getPublicKeyInBase64() {
+    String jsonString = jwk.toJSONString();
+    return Base64.getEncoder().encodeToString(jsonString.getBytes());
+  }
+
+  JWKThumbprintConfirmation getThumbprint() throws SFException {
+    try {
+      return JWKThumbprintConfirmation.of(this.jwk);
+    } catch (JOSEException e) {
+      throw new SFException(
+          ErrorCode.INTERNAL_ERROR, "Error during JWK thumbprint generation: " + e.getMessage());
+    }
+  }
+
+  public void addDPoPProofHeaderToRequest(HttpRequestBase httpRequest, String nonce)
+      throws SFException {
+    SignedJWT signedJWT = generateDPoPProof(httpRequest, nonce);
+    httpRequest.setHeader("DPoP", signedJWT.serialize());
+  }
+
+  private SignedJWT generateDPoPProof(HttpRequestBase httpRequest, String nonce)
+      throws SFException {
+    try {
+      DPoPProofFactory proofFactory = new DefaultDPoPProofFactory(jwk, JWSAlgorithm.ES256);
+      if (nonce != null) {
+        return proofFactory.createDPoPJWT(
+            httpRequest.getMethod(), httpRequest.getURI(), new Nonce(nonce));
+      } else {
+        return proofFactory.createDPoPJWT(
+            httpRequest.getMethod(), getUriWithoutQuery(httpRequest.getURI()));
+      }
+    } catch (Exception e) {
+      throw new SFException(
+          ErrorCode.INTERNAL_ERROR, " Error during DPoP proof generation: " + e.getMessage());
+    }
+  }
+
+  private URI getUriWithoutQuery(URI uri) throws URISyntaxException {
+    return new URI(uri.getScheme(), uri.getAuthority(), uri.getPath(), null, null);
+  }
+}