SNOW-2021533 Fix OCSP cache server URL when using proxy

sfc-gh-pfus · sfc-gh-pfus · commit 87cabe5cc39c · 2025-04-08T12:54:20.000+02:00
diff --git a/src/main/java/net/snowflake/client/core/SFTrustManager.java b/src/main/java/net/snowflake/client/core/SFTrustManager.java
@@ -166,7 +166,6 @@ public class SFTrustManager extends X509ExtendedTrustManager {
   /** Default OCSP Cache server host name prefix */
   private static final String DEFAULT_OCSP_CACHE_HOST_PREFIX = "http://ocsp.snowflakecomputing.";
   /** Default OCSP Cache server host name */
-  private static final String DEFAULT_OCSP_CACHE_HOST = DEFAULT_OCSP_CACHE_HOST_PREFIX + "com";
 
   /** OCSP response file cache directory */
   private static final FileCacheManager fileCacheManager;
@@ -329,7 +328,7 @@ static void resetOCSPResponseCacherServerURL(String ocspCacheServerUrl) throws I
     }
   }
 
-  private static void setOCSPResponseCacheServerURL(String topLevelDomain) {
+  static void setOCSPResponseCacheServerURL(String serverURL) {
     String ocspCacheUrl = systemGetProperty(SF_OCSP_RESPONSE_CACHE_SERVER_URL);
     if (ocspCacheUrl != null) {
       SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE = ocspCacheUrl;
@@ -345,8 +344,16 @@ private static void setOCSPResponseCacheServerURL(String topLevelDomain) {
           true);
     }
     if (SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE == null) {
-      SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE =
-          String.format("%s%s/%s", DEFAULT_OCSP_CACHE_HOST_PREFIX, topLevelDomain, CACHE_FILE_NAME);
+      String topLevelDomain = "com";
+      try {
+        URL url = new URL(serverURL);
+        topLevelDomain = url.getHost().substring(url.getHost().lastIndexOf(".") + 1);
+        SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE =
+            String.format(
+                "%s%s/%s", DEFAULT_OCSP_CACHE_HOST_PREFIX, topLevelDomain, CACHE_FILE_NAME);
+      } catch (Exception e) {
+        logger.debug("Exception while setting top level domain (for OCSP)", e);
+      }
     }
     logger.debug("Set OCSP response cache server to: {}", SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE);
   }
@@ -772,8 +779,6 @@ void validateRevocationStatus(X509Certificate[] chain, String peerHost)
       ocspCacheServer.resetOCSPResponseCacheServer(peerHost);
     }
 
-    String topLevelDomain = peerHost.substring(peerHost.lastIndexOf(".") + 1);
-    setOCSPResponseCacheServerURL(topLevelDomain);
     boolean isCached = isCached(pairIssuerSubjectList);
     if (useOCSPResponseCacheServer() && !isCached) {
       if (!ocspCacheServer.new_endpoint_enabled) {
@@ -1528,17 +1533,19 @@ void resetOCSPResponseCacheServer(String host) {
       String ocspCacheServerUrl;
       if (host.toLowerCase().contains(".global.snowflakecomputing.")) {
         ocspCacheServerUrl =
-            String.format("https://ocspssd%s/%s", host.substring(host.indexOf('-')), "ocsp");
+            java.lang.String.format(
+                "https://ocspssd%s/%s", host.substring(host.indexOf('-')), "ocsp");
       } else if (host.toLowerCase().contains(".snowflakecomputing.")) {
         ocspCacheServerUrl =
-            String.format("https://ocspssd%s/%s", host.substring(host.indexOf('.')), "ocsp");
+            java.lang.String.format(
+                "https://ocspssd%s/%s", host.substring(host.indexOf('.')), "ocsp");
       } else {
         String topLevelDomain = host.substring(host.lastIndexOf(".") + 1);
         ocspCacheServerUrl =
-            String.format("https://ocspssd.snowflakecomputing.%s/ocsp", topLevelDomain);
+            java.lang.String.format("https://ocspssd.snowflakecomputing.%s/ocsp", topLevelDomain);
       }
-      SF_OCSP_RESPONSE_CACHE_SERVER = String.format("%s/%s", ocspCacheServerUrl, "fetch");
-      SF_OCSP_RESPONSE_RETRY_URL = String.format("%s/%s", ocspCacheServerUrl, "retry");
+      SF_OCSP_RESPONSE_CACHE_SERVER = java.lang.String.format("%s/%s", ocspCacheServerUrl, "fetch");
+      SF_OCSP_RESPONSE_RETRY_URL = java.lang.String.format("%s/%s", ocspCacheServerUrl, "retry");
     }
   }
 
@@ -1586,7 +1593,7 @@ public boolean equals(Object obj) {
     }
 
     public String toString() {
-      return String.format(
+      return java.lang.String.format(
           "OcspResponseCacheKey: NameHash: %s, KeyHash: %s, SerialNumber: %s",
           HexUtil.byteToHexString(nameHash),
           HexUtil.byteToHexString(keyHash),
@@ -1614,7 +1621,7 @@ public byte[] getDigest() {
         return messageDigest.digest(bytes);
       } catch (NoSuchAlgorithmException ex) {
         String errMsg =
-            String.format(
+            java.lang.String.format(
                 "Failed to instantiate the algorithm: %s. err=%s",
                 ALGORITHM_SHA1_NAME, ex.getMessage());
         logger.error(errMsg, false);
diff --git a/src/main/java/net/snowflake/client/core/SessionUtil.java b/src/main/java/net/snowflake/client/core/SessionUtil.java
@@ -1,6 +1,7 @@
 package net.snowflake.client.core;
 
 import static net.snowflake.client.core.SFTrustManager.resetOCSPResponseCacherServerURL;
+import static net.snowflake.client.core.SFTrustManager.setOCSPResponseCacheServerURL;
 import static net.snowflake.client.jdbc.SnowflakeUtil.isNullOrEmpty;
 import static net.snowflake.client.jdbc.SnowflakeUtil.systemGetEnv;
 import static net.snowflake.client.jdbc.SnowflakeUtil.systemGetProperty;
@@ -1927,6 +1928,7 @@ enum TokenRequestType {
    * @throws IOException If exception encountered
    */
   public static void resetOCSPUrlIfNecessary(String serverUrl) throws IOException {
+    setOCSPResponseCacheServerURL(serverUrl);
     if (PrivateLinkDetector.isPrivateLink(serverUrl)) {
       // Privatelink uses special OCSP Cache server
       URL url = new URL(serverUrl);
diff --git a/src/test/java/net/snowflake/client/SystemPropertyOverrider.java b/src/test/java/net/snowflake/client/SystemPropertyOverrider.java
@@ -0,0 +1,20 @@
+package net.snowflake.client;
+
+public class SystemPropertyOverrider {
+  private final String propertyName;
+  private final String oldValue;
+
+  public SystemPropertyOverrider(String propertyName, String newValue) {
+    this.propertyName = propertyName;
+    this.oldValue = System.getProperty(propertyName);
+    System.setProperty(propertyName, newValue);
+  }
+
+  public void rollback() {
+    if (oldValue != null) {
+      System.setProperty(propertyName, oldValue);
+    } else {
+      System.clearProperty(propertyName);
+    }
+  }
+}
diff --git a/src/test/java/net/snowflake/client/core/SFTrustManagerIT.java b/src/test/java/net/snowflake/client/core/SFTrustManagerIT.java
@@ -1,10 +1,12 @@
 package net.snowflake.client.core;
 
+import static net.snowflake.client.core.SFTrustManager.SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE;
 import static org.awaitility.Awaitility.await;
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.not;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.core.AnyOf.anyOf;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 
 import java.io.File;
 import java.io.IOException;
@@ -15,12 +17,16 @@
 import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;
+import java.util.Properties;
 import java.util.concurrent.TimeUnit;
 import java.util.stream.Stream;
 import javax.net.ssl.SSLHandshakeException;
+import net.snowflake.client.SystemPropertyOverrider;
 import net.snowflake.client.category.TestTags;
 import net.snowflake.client.jdbc.BaseJDBCTest;
+import net.snowflake.client.jdbc.SnowflakeConnectionV1;
 import net.snowflake.client.jdbc.telemetryOOB.TelemetryService;
 import net.snowflake.client.log.SFLogger;
 import net.snowflake.client.log.SFLoggerFactory;
@@ -36,6 +42,7 @@
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.ArgumentsProvider;
 import org.junit.jupiter.params.provider.ArgumentsSource;
+import org.junit.jupiter.params.provider.CsvSource;
 
 @Tag(TestTags.CORE)
 public class SFTrustManagerIT extends BaseJDBCTest {
@@ -96,6 +103,8 @@ public void tearDown() throws InterruptedException {
   public void testOcsp(String host) throws Throwable {
     System.setProperty(
         SFTrustManager.SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED, Boolean.TRUE.toString());
+    // this initialization normally happens on first call
+    SFTrustManager.setOCSPResponseCacheServerURL(String.format("http://%s", host));
     HttpClient client =
         HttpUtil.buildHttpClient(
             new HttpClientSettingsKey(OCSPMode.FAIL_CLOSED),
@@ -259,4 +268,57 @@ private InputStream getFile(String fileName) throws Throwable {
     URL url = classLoader.getResource(fileName);
     return url != null ? url.openStream() : null;
   }
+
+  @ParameterizedTest
+  @CsvSource({
+    "jdbc:snowflake://someaccount.snowflakecomputing.com:443,http://ocsp.snowflakecomputing.com/ocsp_response_cache.json",
+    "jdbc:snowflake://someaccount.snowflakecomputing.cn:443,http://ocsp.snowflakecomputing.cn/ocsp_response_cache.json",
+  })
+  void testOCSPCacheServerUrlWithoutProxy(String sfHost, String ocspHost) throws Exception {
+    Properties props = new Properties();
+    props.setProperty(SFSessionProperty.USER.getPropertyKey(), "testUser");
+    props.setProperty(SFSessionProperty.PASSWORD.getPropertyKey(), "testPassword");
+    props.setProperty(SFSessionProperty.LOGIN_TIMEOUT.getPropertyKey(), "1");
+    try {
+      new SnowflakeConnectionV1(sfHost, props);
+    } catch (Exception e) {
+      // do nothing, we don't want to connect, just check the value below
+    }
+    assertEquals(SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE, ocspHost);
+  }
+
+  @ParameterizedTest
+  @CsvSource({
+    "jdbc:snowflake://someaccount.snowflakecomputing.com:443,http://ocsp.snowflakecomputing.com/ocsp_response_cache.json",
+    "jdbc:snowflake://someaccount.snowflakecomputing.cn:443,http://ocsp.snowflakecomputing.cn/ocsp_response_cache.json",
+  })
+  void testOCSPCacheServerUrlWithProxy(String sfHost, String ocspHost) {
+    SystemPropertyOverrider useProxyOverrider =
+        new SystemPropertyOverrider("http.useProxy", "true");
+    SystemPropertyOverrider proxyHostOverrider =
+        new SystemPropertyOverrider("http.proxyHost", "localhost");
+    SystemPropertyOverrider proxyPortOverrider =
+        new SystemPropertyOverrider("http.proxyPort", "8080");
+    try {
+      Properties props = new Properties();
+      props.setProperty(SFSessionProperty.USER.getPropertyKey(), "testUser");
+      props.setProperty(SFSessionProperty.PASSWORD.getPropertyKey(), "testPassword");
+      props.setProperty(SFSessionProperty.LOGIN_TIMEOUT.getPropertyKey(), "1");
+      try {
+        new SnowflakeConnectionV1(sfHost, props);
+      } catch (Exception e) {
+        // do nothing, we don't want to connect, just check the value below
+      }
+      assertEquals(SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE, ocspHost);
+    } finally {
+      Arrays.asList(useProxyOverrider, proxyHostOverrider, proxyPortOverrider)
+          .forEach(SystemPropertyOverrider::rollback);
+    }
+  }
+
+  @BeforeEach
+  @AfterEach
+  void cleanup() {
+    SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE = null;
+  }
 }
