SNOW-2021533 Fix OCSP cache server URL when using proxy (#2149)

Author: sfc-gh-pfus

src/main/java/net/snowflake/client/core/SFTrustManager.java

@@ -165,8 +165,8 @@ public class SFTrustManager extends X509ExtendedTrustManager {
   private static final int DEFAULT_OCSP_RESPONDER_CONNECTION_TIMEOUT = 10000;
   /** Default OCSP Cache server host name prefix */
   private static final String DEFAULT_OCSP_CACHE_HOST_PREFIX = "http://ocsp.snowflakecomputing.";
-  /** Default OCSP Cache server host name */
-  private static final String DEFAULT_OCSP_CACHE_HOST = DEFAULT_OCSP_CACHE_HOST_PREFIX + "com";
+  /** Default domain for OCSP cache host */
+  private static final String DEFAULT_OCSP_CACHE_HOST_DOMAIN = "com";
 
   /** OCSP response file cache directory */
   private static final FileCacheManager fileCacheManager;
@@ -329,7 +329,7 @@ static void resetOCSPResponseCacherServerURL(String ocspCacheServerUrl) throws I
     }
   }
 
-  private static void setOCSPResponseCacheServerURL(String topLevelDomain) {
+  static void setOCSPResponseCacheServerURL(String serverURL) {
     String ocspCacheUrl = systemGetProperty(SF_OCSP_RESPONSE_CACHE_SERVER_URL);
     if (ocspCacheUrl != null) {
       SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE = ocspCacheUrl;
@@ -345,6 +345,14 @@ private static void setOCSPResponseCacheServerURL(String topLevelDomain) {
           true);
     }
     if (SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE == null) {
+      String topLevelDomain = DEFAULT_OCSP_CACHE_HOST_DOMAIN;
+      try {
+        URL url = new URL(serverURL);
+        int domainIndex = url.getHost().lastIndexOf(".") + 1;
+        topLevelDomain = url.getHost().substring(domainIndex);
+      } catch (Exception e) {
+        logger.debug("Exception while setting top level domain (for OCSP)", e);
+      }
       SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE =
           String.format("%s%s/%s", DEFAULT_OCSP_CACHE_HOST_PREFIX, topLevelDomain, CACHE_FILE_NAME);
     }
@@ -772,8 +780,6 @@ void validateRevocationStatus(X509Certificate[] chain, String peerHost)
       ocspCacheServer.resetOCSPResponseCacheServer(peerHost);
     }
 
-    String topLevelDomain = peerHost.substring(peerHost.lastIndexOf(".") + 1);
-    setOCSPResponseCacheServerURL(topLevelDomain);
     boolean isCached = isCached(pairIssuerSubjectList);
     if (useOCSPResponseCacheServer() && !isCached) {
       if (!ocspCacheServer.new_endpoint_enabled) {

src/main/java/net/snowflake/client/core/SessionUtil.java

@@ -1,6 +1,7 @@
 package net.snowflake.client.core;
 
 import static net.snowflake.client.core.SFTrustManager.resetOCSPResponseCacherServerURL;
+import static net.snowflake.client.core.SFTrustManager.setOCSPResponseCacheServerURL;
 import static net.snowflake.client.jdbc.SnowflakeUtil.isNullOrEmpty;
 import static net.snowflake.client.jdbc.SnowflakeUtil.systemGetEnv;
 import static net.snowflake.client.jdbc.SnowflakeUtil.systemGetProperty;
@@ -514,6 +515,13 @@ static SFLoginOutput newSession(
       Map<SFSessionProperty, Object> connectionPropertiesMap,
       String tracingLevel)
       throws SFException, SnowflakeSQLException {
+    try {
+      // Adjust OCSP cache server if it is private link
+      resetOCSPUrlIfNecessary(loginInput.getServerUrl());
+    } catch (IOException ex) {
+      throw new SFException(ex, ErrorCode.IO_ERROR, "unexpected URL syntax exception");
+    }
+
     Stopwatch stopwatch = new Stopwatch();
     stopwatch.start();
     // build URL for login request
@@ -612,13 +620,6 @@ static SFLoginOutput newSession(
       throw new SFException(ex, ErrorCode.INTERNAL_ERROR, "unexpected URI syntax exception:1");
     }
 
-    try {
-      // Adjust OCSP cache server if it is private link
-      resetOCSPUrlIfNecessary(loginInput.getServerUrl());
-    } catch (IOException ex) {
-      throw new SFException(ex, ErrorCode.IO_ERROR, "unexpected URL syntax exception");
-    }
-
     HttpPost postRequest = null;
 
     try {
@@ -1931,6 +1932,7 @@ enum TokenRequestType {
    * @throws IOException If exception encountered
    */
   public static void resetOCSPUrlIfNecessary(String serverUrl) throws IOException {
+    setOCSPResponseCacheServerURL(serverUrl);
     if (PrivateLinkDetector.isPrivateLink(serverUrl)) {
       // Privatelink uses special OCSP Cache server
       URL url = new URL(serverUrl);

src/test/java/net/snowflake/client/SystemPropertyOverrider.java

@@ -0,0 +1,20 @@
+package net.snowflake.client;
+
+public class SystemPropertyOverrider {
+  private final String propertyName;
+  private final String oldValue;
+
+  public SystemPropertyOverrider(String propertyName, String newValue) {
+    this.propertyName = propertyName;
+    this.oldValue = System.getProperty(propertyName);
+    System.setProperty(propertyName, newValue);
+  }
+
+  public void rollback() {
+    if (oldValue != null) {
+      System.setProperty(propertyName, oldValue);
+    } else {
+      System.clearProperty(propertyName);
+    }
+  }
+}

src/test/java/net/snowflake/client/core/SFTrustManagerIT.java

@@ -1,10 +1,12 @@
 package net.snowflake.client.core;
 
+import static net.snowflake.client.core.SFTrustManager.SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE;
 import static org.awaitility.Awaitility.await;
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.not;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.core.AnyOf.anyOf;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 
 import java.io.File;
 import java.io.IOException;
@@ -15,12 +17,16 @@
 import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;
+import java.util.Properties;
 import java.util.concurrent.TimeUnit;
 import java.util.stream.Stream;
 import javax.net.ssl.SSLHandshakeException;
+import net.snowflake.client.SystemPropertyOverrider;
 import net.snowflake.client.category.TestTags;
 import net.snowflake.client.jdbc.BaseJDBCTest;
+import net.snowflake.client.jdbc.SnowflakeConnectionV1;
 import net.snowflake.client.jdbc.telemetryOOB.TelemetryService;
 import net.snowflake.client.log.SFLogger;
 import net.snowflake.client.log.SFLoggerFactory;
@@ -36,6 +42,7 @@
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.ArgumentsProvider;
 import org.junit.jupiter.params.provider.ArgumentsSource;
+import org.junit.jupiter.params.provider.CsvSource;
 
 @Tag(TestTags.CORE)
 public class SFTrustManagerIT extends BaseJDBCTest {
@@ -96,6 +103,8 @@ public void tearDown() throws InterruptedException {
   public void testOcsp(String host) throws Throwable {
     System.setProperty(
         SFTrustManager.SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED, Boolean.TRUE.toString());
+    // this initialization normally happens on first call
+    SFTrustManager.setOCSPResponseCacheServerURL(String.format("http://%s", host));
     HttpClient client =
         HttpUtil.buildHttpClient(
             new HttpClientSettingsKey(OCSPMode.FAIL_CLOSED),
@@ -259,4 +268,57 @@ private InputStream getFile(String fileName) throws Throwable {
     URL url = classLoader.getResource(fileName);
     return url != null ? url.openStream() : null;
   }
+
+  @ParameterizedTest
+  @CsvSource({
+    "jdbc:snowflake://someaccount.snowflakecomputing.com:443,http://ocsp.snowflakecomputing.com/ocsp_response_cache.json",
+    "jdbc:snowflake://someaccount.snowflakecomputing.cn:443,http://ocsp.snowflakecomputing.cn/ocsp_response_cache.json",
+  })
+  void testOCSPCacheServerUrlWithoutProxy(String sfHost, String ocspHost) throws Exception {
+    Properties props = new Properties();
+    props.setProperty(SFSessionProperty.USER.getPropertyKey(), "testUser");
+    props.setProperty(SFSessionProperty.PASSWORD.getPropertyKey(), "testPassword");
+    props.setProperty(SFSessionProperty.LOGIN_TIMEOUT.getPropertyKey(), "1");
+    try {
+      new SnowflakeConnectionV1(sfHost, props);
+    } catch (Exception e) {
+      // do nothing, we don't want to connect, just check the value below
+    }
+    assertEquals(SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE, ocspHost);
+  }
+
+  @ParameterizedTest
+  @CsvSource({
+    "jdbc:snowflake://someaccount.snowflakecomputing.com:443,http://ocsp.snowflakecomputing.com/ocsp_response_cache.json",
+    "jdbc:snowflake://someaccount.snowflakecomputing.cn:443,http://ocsp.snowflakecomputing.cn/ocsp_response_cache.json",
+  })
+  void testOCSPCacheServerUrlWithProxy(String sfHost, String ocspHost) {
+    SystemPropertyOverrider useProxyOverrider =
+        new SystemPropertyOverrider("http.useProxy", "true");
+    SystemPropertyOverrider proxyHostOverrider =
+        new SystemPropertyOverrider("http.proxyHost", "localhost");
+    SystemPropertyOverrider proxyPortOverrider =
+        new SystemPropertyOverrider("http.proxyPort", "8080");
+    try {
+      Properties props = new Properties();
+      props.setProperty(SFSessionProperty.USER.getPropertyKey(), "testUser");
+      props.setProperty(SFSessionProperty.PASSWORD.getPropertyKey(), "testPassword");
+      props.setProperty(SFSessionProperty.LOGIN_TIMEOUT.getPropertyKey(), "1");
+      try {
+        new SnowflakeConnectionV1(sfHost, props);
+      } catch (Exception e) {
+        // do nothing, we don't want to connect, just check the value below
+      }
+      assertEquals(SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE, ocspHost);
+    } finally {
+      Arrays.asList(useProxyOverrider, proxyHostOverrider, proxyPortOverrider)
+          .forEach(SystemPropertyOverrider::rollback);
+    }
+  }
+
+  @BeforeEach
+  @AfterEach
+  void cleanup() {
+    SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE = null;
+  }
 }