Merge branch 'master' into SNOW-2161718-JDBC-fix-permission-check-for-toml-config

Author: sfc-gh-ext-simba-vb

CHANGELOG.rst

@@ -1,3 +1,7 @@
+**JDBC Driver 3.26.0**
+
+- \||Please Refer to Release Notes at https://docs.snowflake.com/en/release-notes/clients-drivers/jdbc
+
 **JDBC Driver 3.25.1**
 
 - \||Please Refer to Release Notes at https://docs.snowflake.com/en/release-notes/clients-drivers/jdbc

FIPS/pom.xml

@@ -5,12 +5,12 @@
   <parent>
     <groupId>net.snowflake</groupId>
     <artifactId>snowflake-jdbc-parent</artifactId>
-    <version>3.25.2-SNAPSHOT</version>
+    <version>3.26.0</version>
     <relativePath>../parent-pom.xml</relativePath>
   </parent>
 
   <artifactId>snowflake-jdbc-fips</artifactId>
-  <version>3.25.2-SNAPSHOT</version>
+  <version>3.26.0</version>
   <packaging>jar</packaging>
 
   <name>snowflake-jdbc-fips</name>

parent-pom.xml

@@ -5,7 +5,7 @@
 
   <groupId>net.snowflake</groupId>
   <artifactId>snowflake-jdbc-parent</artifactId>
-  <version>3.25.2-SNAPSHOT</version>
+  <version>3.26.0</version>
   <packaging>pom</packaging>
 
   <modules>

pom.xml

@@ -6,13 +6,13 @@
   <parent>
     <groupId>net.snowflake</groupId>
     <artifactId>snowflake-jdbc-parent</artifactId>
-    <version>3.25.2-SNAPSHOT</version>
+    <version>3.26.0</version>
     <relativePath>./parent-pom.xml</relativePath>
   </parent>
 
   <!-- Maven complains about using property here, but it makes install and deploy process easier to override final package names and localization -->
   <artifactId>${artifactId}</artifactId>
-  <version>3.25.2-SNAPSHOT</version>
+  <version>3.26.0</version>
   <packaging>jar</packaging>
 
   <name>${artifactId}</name>

src/main/java/net/snowflake/client/core/SessionUtil.java

@@ -391,9 +391,6 @@ private static boolean isNativeOAuthOriginalAuthenticator(SFLoginInput loginInpu
 
   private static WorkloadIdentityAttestation getWorkloadIdentityAttestation(SFLoginInput loginInput)
       throws SFException {
-    if (loginInput.getWorkloadIdentityProvider() == null) {
-      return null;
-    }
     WorkloadIdentityAttestationProvider attestationProvider =
         new WorkloadIdentityAttestationProvider(
             new AwsIdentityAttestationCreator(new AwsAttestationService()),

src/main/java/net/snowflake/client/core/auth/wif/AwsAttestationService.java

@@ -23,6 +23,9 @@ public class AwsAttestationService {
 
   public AwsAttestationService() {
     aws4Signer = new AWS4Signer();
+  }
+
+  void initializeSignerRegion() {
     aws4Signer.setRegionName(getAWSRegion());
   }
 
@@ -31,18 +34,18 @@ AWSCredentials getAWSCredentials() {
   }
 
   String getAWSRegion() {
-    try {
-      if (!regionInitialized) {
-        String envRegion = SnowflakeUtil.systemGetEnv(EnvironmentVariables.AWS_REGION.getName());
-        region = envRegion != null ? envRegion : new InstanceMetadataRegionProvider().getRegion();
+    if (!regionInitialized) {
+      logger.debug("Getting AWS region from environment variable");
+      String envRegion = SnowflakeUtil.systemGetEnv(EnvironmentVariables.AWS_REGION.getName());
+      if (envRegion != null) {
+        region = envRegion;
+      } else {
+        logger.debug("Getting AWS region from EC2 metadata service");
+        region = new InstanceMetadataRegionProvider().getRegion();
       }
-      return region;
-    } catch (Exception e) {
-      logger.debug("Could not get AWS region", e);
-      return null;
-    } finally {
       regionInitialized = true;
     }
+    return region;
   }
 
   void signRequestWithSigV4(Request<Void> signableRequest, AWSCredentials awsCredentials) {

src/main/java/net/snowflake/client/core/auth/wif/AwsIdentityAttestationCreator.java

@@ -10,7 +10,9 @@
 import java.util.Base64;
 import java.util.Collections;
 import net.minidev.json.JSONObject;
+import net.snowflake.client.core.SFException;
 import net.snowflake.client.core.SnowflakeJdbcInternalApi;
+import net.snowflake.client.jdbc.ErrorCode;
 import net.snowflake.client.log.SFLogger;
 import net.snowflake.client.log.SFLoggerFactory;
 
@@ -29,17 +31,17 @@ public AwsIdentityAttestationCreator(AwsAttestationService attestationService) {
   }
 
   @Override
-  public WorkloadIdentityAttestation createAttestation() {
+  public WorkloadIdentityAttestation createAttestation() throws SFException {
     logger.debug("Creating AWS identity attestation...");
+    attestationService.initializeSignerRegion();
     AWSCredentials awsCredentials = attestationService.getAWSCredentials();
     if (awsCredentials == null) {
-      logger.debug("No AWS credentials were found.");
-      return null;
+      throw new SFException(
+          ErrorCode.WORKLOAD_IDENTITY_FLOW_ERROR, "No AWS credentials were found");
     }
     String region = attestationService.getAWSRegion();
     if (region == null) {
-      logger.debug("No AWS region was found.");
-      return null;
+      throw new SFException(ErrorCode.WORKLOAD_IDENTITY_FLOW_ERROR, "No AWS region was found");
     }
 
     String stsHostname = getStsHostname(region);

src/main/java/net/snowflake/client/core/auth/wif/AzureAttestationService.java

@@ -1,7 +1,9 @@
 package net.snowflake.client.core.auth.wif;
 
+import net.snowflake.client.core.SFException;
 import net.snowflake.client.core.SFLoginInput;
 import net.snowflake.client.core.SnowflakeJdbcInternalApi;
+import net.snowflake.client.jdbc.ErrorCode;
 import net.snowflake.client.jdbc.SnowflakeUtil;
 import net.snowflake.client.log.SFLogger;
 import net.snowflake.client.log.SFLoggerFactory;
@@ -27,12 +29,15 @@ String getClientId() {
     return SnowflakeUtil.systemGetEnv("MANAGED_IDENTITY_CLIENT_ID");
   }
 
-  String fetchTokenFromMetadataService(HttpRequestBase tokenRequest, SFLoginInput loginInput) {
+  String fetchTokenFromMetadataService(HttpRequestBase tokenRequest, SFLoginInput loginInput)
+      throws SFException {
     try {
       return WorkloadIdentityUtil.performIdentityRequest(tokenRequest, loginInput);
     } catch (Exception e) {
-      logger.debug("Azure metadata server request was not successful: {}", e);
-      return null;
+      logger.error("Azure metadata server request failed", e);
+      throw new SFException(
+          ErrorCode.WORKLOAD_IDENTITY_FLOW_ERROR,
+          "Azure metadata server request was not successful: " + e.getMessage());
     }
   }
 }

src/main/java/net/snowflake/client/core/auth/wif/AzureIdentityAttestationCreator.java

@@ -7,8 +7,10 @@
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.base.Strings;
+import net.snowflake.client.core.SFException;
 import net.snowflake.client.core.SFLoginInput;
 import net.snowflake.client.core.SnowflakeJdbcInternalApi;
+import net.snowflake.client.jdbc.ErrorCode;
 import net.snowflake.client.log.SFLogger;
 import net.snowflake.client.log.SFLoggerFactory;
 import org.apache.http.client.methods.HttpGet;
@@ -48,7 +50,7 @@ public AzureIdentityAttestationCreator(
   }
 
   @Override
-  public WorkloadIdentityAttestation createAttestation() {
+  public WorkloadIdentityAttestation createAttestation() throws SFException {
     logger.debug("Creating Azure identity attestation...");
     String identityEndpoint = azureAttestationService.getIdentityEndpoint();
     HttpGet request;
@@ -57,28 +59,24 @@ public WorkloadIdentityAttestation createAttestation() {
     } else {
       String identityHeader = azureAttestationService.getIdentityHeader();
       if (Strings.isNullOrEmpty(identityHeader)) {
-        logger.warn("Managed identity is not enabled on this Azure function.");
-        return null;
+        throw new SFException(
+            ErrorCode.WORKLOAD_IDENTITY_FLOW_ERROR,
+            "Managed identity is not enabled on this Azure function.");
       }
       request =
           createAzureFunctionsIdentityRequest(
               identityEndpoint, identityHeader, azureAttestationService.getClientId());
     }
     String tokenJson = azureAttestationService.fetchTokenFromMetadataService(request, loginInput);
     if (tokenJson == null) {
-      logger.debug("Could not fetch Azure token.");
-      return null;
+      throw new SFException(ErrorCode.WORKLOAD_IDENTITY_FLOW_ERROR, "Could not fetch Azure token.");
     }
     String token = extractTokenFromJson(tokenJson);
     if (token == null) {
-      logger.error("No access token found in Azure response.");
-      return null;
+      throw new SFException(
+          ErrorCode.WORKLOAD_IDENTITY_FLOW_ERROR, "No access token found in Azure response.");
     }
     SubjectAndIssuer claims = extractClaimsWithoutVerifyingSignature(token);
-    if (claims == null) {
-      logger.error("Could not extract claims from token");
-      return null;
-    }
     return new WorkloadIdentityAttestation(
         WorkloadIdentityProviderType.AZURE, token, claims.toMap());
   }
@@ -91,13 +89,15 @@ private String getEntraResource(SFLoginInput loginInput) {
     }
   }
 
-  private String extractTokenFromJson(String tokenJson) {
+  private String extractTokenFromJson(String tokenJson) throws SFException {
     try {
       JsonNode jsonNode = objectMapper.readTree(tokenJson);
       return jsonNode.get("access_token").asText();
     } catch (Exception e) {
-      logger.error("Unable to extract token from Azure metadata response: {}", e.getMessage());
-      return null;
+      logger.error("Unable to extract token from Azure metadata response", e);
+      throw new SFException(
+          ErrorCode.WORKLOAD_IDENTITY_FLOW_ERROR,
+          "Unable to extract token from Azure metadata response: " + e.getMessage());
     }
   }
 

src/main/java/net/snowflake/client/core/auth/wif/GcpIdentityAttestationCreator.java

@@ -4,8 +4,10 @@
 import static net.snowflake.client.core.auth.wif.WorkloadIdentityUtil.performIdentityRequest;
 
 import java.util.Collections;
+import net.snowflake.client.core.SFException;
 import net.snowflake.client.core.SFLoginInput;
 import net.snowflake.client.core.SnowflakeJdbcInternalApi;
+import net.snowflake.client.jdbc.ErrorCode;
 import net.snowflake.client.log.SFLogger;
 import net.snowflake.client.log.SFLoggerFactory;
 import org.apache.http.client.methods.HttpGet;
@@ -35,28 +37,23 @@ public GcpIdentityAttestationCreator(SFLoginInput loginInput) {
   }
 
   @Override
-  public WorkloadIdentityAttestation createAttestation() {
+  public WorkloadIdentityAttestation createAttestation() throws SFException {
     logger.debug("Creating GCP identity attestation...");
     String token = fetchTokenFromMetadataService();
     if (token == null) {
-      logger.debug("No GCP token was found.");
-      return null;
+      throw new SFException(ErrorCode.WORKLOAD_IDENTITY_FLOW_ERROR, "No GCP token was found.");
     }
     // if the token has been returned, we can assume that we're on GCP environment
     WorkloadIdentityUtil.SubjectAndIssuer claims =
         WorkloadIdentityUtil.extractClaimsWithoutVerifyingSignature(token);
-    if (claims == null) {
-      logger.error("Could not extract claims from token");
-      return null;
-    }
 
     return new WorkloadIdentityAttestation(
         WorkloadIdentityProviderType.GCP,
         token,
         Collections.singletonMap("sub", claims.getSubject()));
   }
 
-  private String fetchTokenFromMetadataService() {
+  private String fetchTokenFromMetadataService() throws SFException {
     String uri =
         gcpMetadataServiceBaseUrl
             + "/computeMetadata/v1/instance/service-accounts/default/identity?audience="
@@ -66,8 +63,10 @@ private String fetchTokenFromMetadataService() {
     try {
       return performIdentityRequest(tokenRequest, loginInput);
     } catch (Exception e) {
-      logger.debug("GCP metadata server request was not successful: {}" + e);
-      return null;
+      logger.error("GCP metadata server request was not successful", e);
+      throw new SFException(
+          ErrorCode.WORKLOAD_IDENTITY_FLOW_ERROR,
+          "GCP metadata server request was not successful: " + e.getMessage());
     }
   }
 }