Merge branch 'master' into SNOW-1437655-set-auth-timeout-to-0-in-not-auth-endpoint-calls

Author: sfc-gh-mkubik

src/main/java/net/snowflake/client/core/CachedCredentialType.java

@@ -4,7 +4,10 @@ enum CachedCredentialType {
   ID_TOKEN("ID_TOKEN"),
   MFA_TOKEN("MFATOKEN"),
   OAUTH_ACCESS_TOKEN("OAUTH_ACCESS_TOKEN"),
-  OAUTH_REFRESH_TOKEN("OAUTH_REFRESH_TOKEN");
+  OAUTH_REFRESH_TOKEN("OAUTH_REFRESH_TOKEN"),
+  DPOP_BUNDLED_ACCESS_TOKEN(
+      "DPOP_BUNDLED_ACCESS_TOKEN"); // contains '.' separated, base64 encoded access token and DPoP
+  // public key
 
   private final String value;
 

src/main/java/net/snowflake/client/core/CredentialManager.java

@@ -3,6 +3,8 @@
 import com.amazonaws.util.StringUtils;
 import com.google.common.base.Strings;
 import java.net.URI;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
 import net.snowflake.client.jdbc.ErrorCode;
 import net.snowflake.client.log.SFLogger;
 import net.snowflake.client.log.SFLoggerFactory;
@@ -124,6 +126,25 @@ static void fillCachedOAuthRefreshToken(SFLoginInput loginInput) throws SFExcept
             loginInput, host, loginInput.getUserName(), CachedCredentialType.OAUTH_REFRESH_TOKEN);
   }
 
+  /**
+   * Reuse the cached OAuth access token & DPoP public key tied to it
+   *
+   * @param loginInput login input to attach refresh token
+   */
+  static void fillCachedDPoPBundledAccessToken(SFLoginInput loginInput) throws SFException {
+    String host = getHostForOAuthCacheKey(loginInput);
+    logger.debug(
+        "Looking for cached DPoP public key for user: {}, host: {}",
+        loginInput.getUserName(),
+        host);
+    getInstance()
+        .fillCachedCredential(
+            loginInput,
+            host,
+            loginInput.getUserName(),
+            CachedCredentialType.DPOP_BUNDLED_ACCESS_TOKEN);
+  }
+
   /** Reuse the cached token stored locally */
   synchronized void fillCachedCredential(
       SFLoginInput loginInput, String host, String username, CachedCredentialType credType)
@@ -137,24 +158,34 @@ synchronized void fillCachedCredential(
       return;
     }
 
-    String cred;
+    String base64EncodedCred, cred = null;
     try {
-      cred = secureStorageManager.getCredential(host, username, credType.getValue());
+      base64EncodedCred = secureStorageManager.getCredential(host, username, credType.getValue());
     } catch (NoClassDefFoundError error) {
       logMissingJnaJarForSecureLocalStorage();
       return;
     }
 
-    if (cred == null) {
+    if (base64EncodedCred == null) {
       logger.debug("Retrieved {} is null", credType);
     }
 
     logger.debug(
         "Setting {}{} token for user: {}, host: {}",
-        cred == null ? "null " : "",
+        base64EncodedCred == null ? "null " : "",
         credType.getValue(),
         username,
         host);
+
+    if (base64EncodedCred != null && credType != CachedCredentialType.DPOP_BUNDLED_ACCESS_TOKEN) {
+      try {
+        cred = new String(Base64.getDecoder().decode(base64EncodedCred));
+      } catch (Exception e) {
+        // handle legacy non-base64 encoded cache values (CredentialManager fails to decode)
+        deleteTemporaryCredential(host, username, credType);
+        return;
+      }
+    }
     switch (credType) {
       case ID_TOKEN:
         loginInput.setIdToken(cred);
@@ -168,12 +199,29 @@ synchronized void fillCachedCredential(
       case OAUTH_REFRESH_TOKEN:
         loginInput.setOauthRefreshToken(cred);
         break;
+      case DPOP_BUNDLED_ACCESS_TOKEN:
+        updateInputWithTokenAndPublicKey(base64EncodedCred, loginInput);
+        break;
       default:
         throw new SFException(
             ErrorCode.INTERNAL_ERROR, "Unrecognized type {} for local cached credential", credType);
     }
   }
 
+  private void updateInputWithTokenAndPublicKey(String cred, SFLoginInput loginInput)
+      throws SFException {
+    if (Strings.isNullOrEmpty(cred)) {
+      String[] values = cred.split("\\.");
+      if (values.length != 2) {
+        throw new SFException(
+            ErrorCode.INTERNAL_ERROR, "Invalid DPoP bundled access token credential format");
+      }
+      Base64.Decoder decoder = Base64.getDecoder();
+      loginInput.setOauthAccessToken(new String(decoder.decode(values[0])));
+      loginInput.setDPoPPublicKey(new String(decoder.decode(values[1])));
+    }
+  }
+
   static void writeIdToken(SFLoginInput loginInput, String idToken) throws SFException {
     logger.debug(
         "Caching id token in a secure storage for user: {}, host: {}",
@@ -238,6 +286,30 @@ static void writeOAuthRefreshToken(SFLoginInput loginInput) throws SFException {
             CachedCredentialType.OAUTH_REFRESH_TOKEN);
   }
 
+  /**
+   * Store OAuth DPoP Public Key With Token
+   *
+   * @param loginInput loginInput to denote to the cache
+   */
+  static void writeDPoPBundledAccessToken(SFLoginInput loginInput) throws SFException {
+    String host = getHostForOAuthCacheKey(loginInput);
+    logger.debug(
+        "Caching DPoP public key in a secure storage for user: {}, host: {}",
+        loginInput.getUserName(),
+        host);
+    Base64.Encoder encoder = Base64.getEncoder();
+    String tokenBase64 =
+        encoder.encodeToString(loginInput.getOauthAccessToken().getBytes(StandardCharsets.UTF_8));
+    String publicKeyBase64 =
+        encoder.encodeToString(loginInput.getDPoPPublicKey().getBytes(StandardCharsets.UTF_8));
+    getInstance()
+        .writeTemporaryCredential(
+            host,
+            loginInput.getUserName(),
+            tokenBase64 + "." + publicKeyBase64,
+            CachedCredentialType.DPOP_BUNDLED_ACCESS_TOKEN);
+  }
+
   /** Store the temporary credential */
   synchronized void writeTemporaryCredential(
       String host, String user, String cred, CachedCredentialType credType) {
@@ -256,52 +328,75 @@ synchronized void writeTemporaryCredential(
     }
 
     try {
-      secureStorageManager.setCredential(host, user, credType.getValue(), cred);
+      if (credType == CachedCredentialType.DPOP_BUNDLED_ACCESS_TOKEN) {
+        // DPOP_ACCESS_TOKEN is already preformatted and Base64 encoded
+        secureStorageManager.setCredential(host, user, credType.getValue(), cred);
+      } else {
+        String base64EncodedCred =
+            Base64.getEncoder().encodeToString(cred.getBytes(StandardCharsets.UTF_8));
+        secureStorageManager.setCredential(host, user, credType.getValue(), base64EncodedCred);
+      }
     } catch (NoClassDefFoundError error) {
       logMissingJnaJarForSecureLocalStorage();
     }
   }
 
   /** Delete the id token cache */
-  static void deleteIdTokenCache(String host, String user) {
+  static void deleteIdTokenCacheEntry(String host, String user) {
     logger.debug(
         "Removing cached id token from a secure storage for user: {}, host: {}", user, host);
     getInstance().deleteTemporaryCredential(host, user, CachedCredentialType.ID_TOKEN);
   }
 
   /** Delete the mfa token cache */
-  static void deleteMfaTokenCache(String host, String user) {
+  static void deleteMfaTokenCacheEntry(String host, String user) {
     logger.debug(
         "Removing cached mfa token from a secure storage for user: {}, host: {}", user, host);
     getInstance().deleteTemporaryCredential(host, user, CachedCredentialType.MFA_TOKEN);
   }
 
   /** Delete the Oauth access token cache */
-  static void deleteOAuthAccessTokenCache(String host, String user) {
+  static void deleteOAuthAccessTokenCacheEntry(String host, String user) {
     logger.debug(
-        "Removing cached mfa token from a secure storage for user: {}, host: {}", user, host);
+        "Removing cached oauth access token from a secure storage for user: {}, host: {}",
+        user,
+        host);
     getInstance().deleteTemporaryCredential(host, user, CachedCredentialType.OAUTH_ACCESS_TOKEN);
   }
 
+  /** Delete the Oauth refresh token cache */
+  static void deleteOAuthRefreshTokenCacheEntry(String host, String user) {
+    logger.debug(
+        "Removing cached OAuth refresh token from a secure storage for user: {}, host: {}",
+        user,
+        host);
+    getInstance().deleteTemporaryCredential(host, user, CachedCredentialType.OAUTH_REFRESH_TOKEN);
+  }
+
+  /** Delete the DPoP bundled access token cache */
+  static void deleteDPoPBundledAccessTokenCacheEntry(String host, String user) {
+    logger.debug(
+        "Removing cached DPoP public key from a secure storage for user: {}, host: {}", user, host);
+    getInstance()
+        .deleteTemporaryCredential(host, user, CachedCredentialType.DPOP_BUNDLED_ACCESS_TOKEN);
+  }
+
   /** Delete the OAuth access token cache */
-  static void deleteOAuthAccessTokenCache(SFLoginInput loginInput) throws SFException {
+  static void deleteOAuthAccessTokenCacheEntry(SFLoginInput loginInput) throws SFException {
     String host = getHostForOAuthCacheKey(loginInput);
-    deleteOAuthAccessTokenCache(host, loginInput.getUserName());
+    deleteOAuthAccessTokenCacheEntry(host, loginInput.getUserName());
   }
 
   /** Delete the OAuth refresh token cache */
-  static void deleteOAuthRefreshTokenCache(SFLoginInput loginInput) throws SFException {
+  static void deleteOAuthRefreshTokenCacheEntry(SFLoginInput loginInput) throws SFException {
     String host = getHostForOAuthCacheKey(loginInput);
-    deleteOAuthRefreshTokenCache(host, loginInput.getUserName());
+    deleteOAuthRefreshTokenCacheEntry(host, loginInput.getUserName());
   }
 
-  /** Delete the Oauth refresh token cache */
-  static void deleteOAuthRefreshTokenCache(String host, String user) {
-    logger.debug(
-        "Removing cached OAuth refresh token from a secure storage for user: {}, host: {}",
-        user,
-        host);
-    getInstance().deleteTemporaryCredential(host, user, CachedCredentialType.OAUTH_REFRESH_TOKEN);
+  /** Delete the DPoP bundled access token cache */
+  static void deleteDPoPBundledAccessTokenCacheEntry(SFLoginInput loginInput) throws SFException {
+    String host = getHostForOAuthCacheKey(loginInput);
+    deleteDPoPBundledAccessTokenCacheEntry(host, loginInput.getUserName());
   }
 
   /**

src/main/java/net/snowflake/client/core/HttpUtil.java

@@ -5,6 +5,8 @@
 import static org.apache.http.client.config.CookieSpecs.IGNORE_COOKIES;
 
 import com.amazonaws.ClientConfiguration;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Strings;
 import com.microsoft.azure.storage.OperationContext;
@@ -31,6 +33,7 @@
 import net.snowflake.client.jdbc.RetryContextManager;
 import net.snowflake.client.jdbc.SnowflakeDriver;
 import net.snowflake.client.jdbc.SnowflakeSQLException;
+import net.snowflake.client.jdbc.SnowflakeUseDPoPNonceException;
 import net.snowflake.client.jdbc.SnowflakeUtil;
 import net.snowflake.client.jdbc.cloud.storage.S3HttpUtil;
 import net.snowflake.client.log.ArgSupplier;
@@ -42,6 +45,7 @@
 import net.snowflake.common.core.SqlState;
 import org.apache.commons.io.IOUtils;
 import org.apache.http.HttpHost;
+import org.apache.http.HttpResponse;
 import org.apache.http.auth.AuthScope;
 import org.apache.http.auth.Credentials;
 import org.apache.http.auth.UsernamePasswordCredentials;
@@ -66,6 +70,10 @@
 public class HttpUtil {
   private static final SFLogger logger = SFLoggerFactory.getLogger(HttpUtil.class);
 
+  static final String ERROR_FIELD_NAME = "error";
+  static final String ERROR_USE_DPOP_NONCE = "use_dpop_nonce";
+  static final String DPOP_NONCE_HEADER_NAME = "dpop-nonce";
+
   static final int DEFAULT_MAX_CONNECTIONS = 300;
   static final int DEFAULT_MAX_CONNECTIONS_PER_ROUTE = 300;
   private static final int DEFAULT_HTTP_CLIENT_CONNECTION_TIMEOUT_IN_MS = 60000;
@@ -913,6 +921,12 @@ private static String executeRequestInternal(
       if (response == null || response.getStatusLine().getStatusCode() != 200) {
         logger.error("Error executing request: {}", requestInfoScrubbed);
 
+        if (response != null
+            && response.getStatusLine().getStatusCode() == 400
+            && response.getEntity() != null) {
+          checkForDPoPNonceError(response);
+        }
+
         SnowflakeUtil.logResponseDetails(response, logger);
 
         if (response != null) {
@@ -950,6 +964,22 @@ private static String executeRequestInternal(
     return theString;
   }
 
+  private static void checkForDPoPNonceError(HttpResponse response) throws IOException {
+    String errorResponse = EntityUtils.toString(response.getEntity());
+    if (!Strings.isNullOrEmpty(errorResponse)) {
+      ObjectMapper objectMapper = ObjectMapperFactory.getObjectMapper();
+      JsonNode rootNode = objectMapper.readTree(errorResponse);
+      JsonNode errorNode = rootNode.get(ERROR_FIELD_NAME);
+      if (errorNode != null
+          && errorNode.isValueNode()
+          && errorNode.isTextual()
+          && errorNode.textValue().equals(ERROR_USE_DPOP_NONCE)) {
+        throw new SnowflakeUseDPoPNonceException(
+            response.getFirstHeader(DPOP_NONCE_HEADER_NAME).getValue());
+      }
+    }
+  }
+
   // This is a workaround for JDK-7036144.
   //
   // The GZIPInputStream prematurely closes its input if a) it finds

src/main/java/net/snowflake/client/core/SFLoginInput.java

@@ -40,6 +40,8 @@ public class SFLoginInput {
   private String mfaToken;
   private String oauthAccessToken;
   private String oauthRefreshToken;
+  private String dpopPublicKey;
+  private boolean dpopEnabled = false;
   private String serviceName;
   private OCSPMode ocspMode;
   private HttpClientSettingsKey httpClientKey;
@@ -340,6 +342,27 @@ SFLoginInput setOauthRefreshToken(String oauthRefreshToken) {
     return this;
   }
 
+  @SnowflakeJdbcInternalApi
+  public String getDPoPPublicKey() {
+    return dpopPublicKey;
+  }
+
+  SFLoginInput setDPoPPublicKey(String dpopPublicKey) {
+    this.dpopPublicKey = dpopPublicKey;
+    return this;
+  }
+
+  @SnowflakeJdbcInternalApi
+  public boolean isDPoPEnabled() {
+    return dpopEnabled;
+  }
+
+  // Currently only used for testing purpose
+  @SnowflakeJdbcInternalApi
+  public void setDPoPEnabled(boolean dpopEnabled) {
+    this.dpopEnabled = dpopEnabled;
+  }
+
   Map<String, Object> getSessionParameters() {
     return sessionParameters;
   }