Merge branch 'master' into SNOW-1950032-bugfix

Author: sfc-gh-rkowalski

Jenkinsfile

@@ -56,7 +56,7 @@ timestamps {
         string(name: 'parent_build_number', value: env.BUILD_NUMBER),
         string(name: 'timeout_value', value: '420'),
         string(name: 'PR_Key', value: scmInfo.GIT_BRANCH.substring(3)),
-        string(name: 'svn_revision', value: 'bptp-built')
+        string(name: 'svn_revision', value: 'bptp-stable')
       ]]
     }
 

src/main/java/net/snowflake/client/core/SFLoginInput.java

@@ -62,6 +62,7 @@ public class SFLoginInput {
   // Workload Identity Federation
   private String workloadIdentityProvider;
   private WorkloadIdentityAttestation workloadIdentityAttestation;
+  private String workloadIdentityEntraResource;
 
   // OAuth
   private int redirectUriPort = -1;
@@ -612,4 +613,13 @@ public void setWorkloadIdentityAttestation(
   public WorkloadIdentityAttestation getWorkloadIdentityAttestation() {
     return workloadIdentityAttestation;
   }
+
+  public String getWorkloadIdentityEntraResource() {
+    return this.workloadIdentityEntraResource;
+  }
+
+  public SFLoginInput setWorkloadIdentityEntraResource(String workloadIdentityEntraResource) {
+    this.workloadIdentityEntraResource = workloadIdentityEntraResource;
+    return this;
+  }
 }

src/main/java/net/snowflake/client/core/SFSession.java

@@ -723,6 +723,9 @@ public synchronized void open() throws SFException, SnowflakeSQLException {
         .setOauthLoginInput(oauthLoginInput)
         .setWorkloadIdentityProvider(
             (String) connectionPropertiesMap.get(SFSessionProperty.WORKLOAD_IDENTITY_PROVIDER))
+        .setWorkloadIdentityEntraResource(
+            (String)
+                connectionPropertiesMap.get(SFSessionProperty.WORKLOAD_IDENTITY_ENTRA_RESOURCE))
         .setPrivateKeyBase64(
             (String) connectionPropertiesMap.get(SFSessionProperty.PRIVATE_KEY_BASE64))
         .setPrivateKeyPwd(

src/main/java/net/snowflake/client/core/SFSessionProperty.java

@@ -27,6 +27,7 @@ public enum SFSessionProperty {
   OAUTH_AUTHORIZATION_URL("oauthAuthorizationUrl", false, String.class),
   OAUTH_TOKEN_REQUEST_URL("oauthTokenRequestUrl", false, String.class),
   WORKLOAD_IDENTITY_PROVIDER("workloadIdentityProvider", false, String.class),
+  WORKLOAD_IDENTITY_ENTRA_RESOURCE("workloadIdentityEntraResource", false, String.class),
   WAREHOUSE("warehouse", false, String.class),
   LOGIN_TIMEOUT("loginTimeout", false, Integer.class),
   NETWORK_TIMEOUT("networkTimeout", false, Integer.class),

src/main/java/net/snowflake/client/core/SFTrustManager.java

@@ -165,8 +165,8 @@ public class SFTrustManager extends X509ExtendedTrustManager {
   private static final int DEFAULT_OCSP_RESPONDER_CONNECTION_TIMEOUT = 10000;
   /** Default OCSP Cache server host name prefix */
   private static final String DEFAULT_OCSP_CACHE_HOST_PREFIX = "http://ocsp.snowflakecomputing.";
-  /** Default OCSP Cache server host name */
-  private static final String DEFAULT_OCSP_CACHE_HOST = DEFAULT_OCSP_CACHE_HOST_PREFIX + "com";
+  /** Default domain for OCSP cache host */
+  private static final String DEFAULT_OCSP_CACHE_HOST_DOMAIN = "com";
 
   /** OCSP response file cache directory */
   private static final FileCacheManager fileCacheManager;
@@ -329,7 +329,7 @@ static void resetOCSPResponseCacherServerURL(String ocspCacheServerUrl) throws I
     }
   }
 
-  private static void setOCSPResponseCacheServerURL(String topLevelDomain) {
+  static void setOCSPResponseCacheServerURL(String serverURL) {
     String ocspCacheUrl = systemGetProperty(SF_OCSP_RESPONSE_CACHE_SERVER_URL);
     if (ocspCacheUrl != null) {
       SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE = ocspCacheUrl;
@@ -345,6 +345,14 @@ private static void setOCSPResponseCacheServerURL(String topLevelDomain) {
           true);
     }
     if (SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE == null) {
+      String topLevelDomain = DEFAULT_OCSP_CACHE_HOST_DOMAIN;
+      try {
+        URL url = new URL(serverURL);
+        int domainIndex = url.getHost().lastIndexOf(".") + 1;
+        topLevelDomain = url.getHost().substring(domainIndex);
+      } catch (Exception e) {
+        logger.debug("Exception while setting top level domain (for OCSP)", e);
+      }
       SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE =
           String.format("%s%s/%s", DEFAULT_OCSP_CACHE_HOST_PREFIX, topLevelDomain, CACHE_FILE_NAME);
     }
@@ -772,8 +780,6 @@ void validateRevocationStatus(X509Certificate[] chain, String peerHost)
       ocspCacheServer.resetOCSPResponseCacheServer(peerHost);
     }
 
-    String topLevelDomain = peerHost.substring(peerHost.lastIndexOf(".") + 1);
-    setOCSPResponseCacheServerURL(topLevelDomain);
     boolean isCached = isCached(pairIssuerSubjectList);
     if (useOCSPResponseCacheServer() && !isCached) {
       if (!ocspCacheServer.new_endpoint_enabled) {

src/main/java/net/snowflake/client/core/SessionUtil.java

@@ -1,6 +1,7 @@
 package net.snowflake.client.core;
 
 import static net.snowflake.client.core.SFTrustManager.resetOCSPResponseCacherServerURL;
+import static net.snowflake.client.core.SFTrustManager.setOCSPResponseCacheServerURL;
 import static net.snowflake.client.jdbc.SnowflakeUtil.isNullOrEmpty;
 import static net.snowflake.client.jdbc.SnowflakeUtil.systemGetEnv;
 import static net.snowflake.client.jdbc.SnowflakeUtil.systemGetProperty;
@@ -31,8 +32,9 @@
 import net.snowflake.client.core.auth.oauth.OAuthAccessTokenForRefreshTokenProvider;
 import net.snowflake.client.core.auth.oauth.OAuthAccessTokenProviderFactory;
 import net.snowflake.client.core.auth.oauth.TokenResponseDTO;
-import net.snowflake.client.core.auth.wif.AWSAttestationService;
+import net.snowflake.client.core.auth.wif.AwsAttestationService;
 import net.snowflake.client.core.auth.wif.AwsIdentityAttestationCreator;
+import net.snowflake.client.core.auth.wif.AzureAttestationService;
 import net.snowflake.client.core.auth.wif.AzureIdentityAttestationCreator;
 import net.snowflake.client.core.auth.wif.GcpIdentityAttestationCreator;
 import net.snowflake.client.core.auth.wif.OidcIdentityAttestationCreator;
@@ -339,19 +341,12 @@ static SFLoginOutput openSession(
     }
 
     if (authenticator.equals(AuthenticatorType.WORKLOAD_IDENTITY)) {
-      WorkloadIdentityAttestationProvider attestationProvider =
-          new WorkloadIdentityAttestationProvider(
-              new AwsIdentityAttestationCreator(new AWSAttestationService()),
-              new GcpIdentityAttestationCreator(loginInput),
-              new AzureIdentityAttestationCreator(),
-              new OidcIdentityAttestationCreator());
-      WorkloadIdentityAttestation attestation =
-          attestationProvider.getAttestation(loginInput.getWorkloadIdentityProvider());
+      WorkloadIdentityAttestation attestation = getWorkloadIdentityAttestation(loginInput);
       if (attestation != null) {
         loginInput.setWorkloadIdentityAttestation(attestation);
       } else {
         throw new SFException(
-            ErrorCode.WORKFLOW_IDENTITY_FLOW_ERROR,
+            ErrorCode.WORKLOAD_IDENTITY_FLOW_ERROR,
             "Unable to obtain workload identity attestation. Make sure that correct workload identity provider has been set and that Snowflake-JDBC driver runs on supported environment.");
       }
     }
@@ -378,6 +373,17 @@ static SFLoginOutput openSession(
     }
   }
 
+  private static WorkloadIdentityAttestation getWorkloadIdentityAttestation(SFLoginInput loginInput)
+      throws SFException {
+    WorkloadIdentityAttestationProvider attestationProvider =
+        new WorkloadIdentityAttestationProvider(
+            new AwsIdentityAttestationCreator(new AwsAttestationService()),
+            new GcpIdentityAttestationCreator(loginInput),
+            new AzureIdentityAttestationCreator(new AzureAttestationService(), loginInput),
+            new OidcIdentityAttestationCreator(loginInput.getToken()));
+    return attestationProvider.getAttestation(loginInput.getWorkloadIdentityProvider());
+  }
+
   static void checkIfExperimentalAuthnEnabled(AuthenticatorType authenticator) throws SFException {
     if (authenticator.equals(AuthenticatorType.PROGRAMMATIC_ACCESS_TOKEN)
         || authenticator.equals(AuthenticatorType.OAUTH_CLIENT_CREDENTIALS)
@@ -510,6 +516,13 @@ static SFLoginOutput newSession(
       Map<SFSessionProperty, Object> connectionPropertiesMap,
       String tracingLevel)
       throws SFException, SnowflakeSQLException {
+    try {
+      // Adjust OCSP cache server if it is private link
+      resetOCSPUrlIfNecessary(loginInput.getServerUrl());
+    } catch (IOException ex) {
+      throw new SFException(ex, ErrorCode.IO_ERROR, "unexpected URL syntax exception");
+    }
+
     Stopwatch stopwatch = new Stopwatch();
     stopwatch.start();
     // build URL for login request
@@ -608,13 +621,6 @@ static SFLoginOutput newSession(
       throw new SFException(ex, ErrorCode.INTERNAL_ERROR, "unexpected URI syntax exception:1");
     }
 
-    try {
-      // Adjust OCSP cache server if it is private link
-      resetOCSPUrlIfNecessary(loginInput.getServerUrl());
-    } catch (IOException ex) {
-      throw new SFException(ex, ErrorCode.IO_ERROR, "unexpected URL syntax exception");
-    }
-
     HttpPost postRequest = null;
 
     try {
@@ -1927,6 +1933,7 @@ enum TokenRequestType {
    * @throws IOException If exception encountered
    */
   public static void resetOCSPUrlIfNecessary(String serverUrl) throws IOException {
+    setOCSPResponseCacheServerURL(serverUrl);
     if (PrivateLinkDetector.isPrivateLink(serverUrl)) {
       // Privatelink uses special OCSP Cache server
       URL url = new URL(serverUrl);

src/main/java/net/snowflake/client/core/auth/AuthenticatorType.java

@@ -56,7 +56,7 @@ public enum AuthenticatorType {
   PROGRAMMATIC_ACCESS_TOKEN,
 
   /*
-   * Authenticator to support existing authentication by existing AWS/GCP/Azure workload identity
+   * Authenticator to support existing authentication by existing AWS/GCP/Azure/OIDC workload identity
    */
   WORKLOAD_IDENTITY
 }

…core/auth/wif/AWSAttestationService.java …core/auth/wif/AwsAttestationService.javasrc/main/java/net/snowflake/client/core/auth/wif/AWSAttestationService.java renamed to src/main/java/net/snowflake/client/core/auth/wif/AwsAttestationService.java src/main/java/net/snowflake/client/core/auth/wif/AWSAttestationService.java renamed to src/main/java/net/snowflake/client/core/auth/wif/AwsAttestationService.java

@@ -12,17 +12,21 @@
 import net.snowflake.client.core.SnowflakeJdbcInternalApi;
 import net.snowflake.client.jdbc.EnvironmentVariables;
 import net.snowflake.client.jdbc.SnowflakeUtil;
+import net.snowflake.client.log.SFLogger;
+import net.snowflake.client.log.SFLoggerFactory;
 
 @SnowflakeJdbcInternalApi
-public class AWSAttestationService {
+public class AwsAttestationService {
+
+  public static final SFLogger logger = SFLoggerFactory.getLogger(AwsAttestationService.class);
 
   private static final String SECURE_TOKEN_SERVICE_NAME = "sts";
   private static boolean regionInitialized = false;
   private static String region;
 
   private final AWS4Signer aws4Signer;
 
-  public AWSAttestationService() {
+  public AwsAttestationService() {
     aws4Signer = new AWS4Signer();
     aws4Signer.setServiceName(SECURE_TOKEN_SERVICE_NAME);
   }
@@ -32,12 +36,18 @@ AWSCredentials getAWSCredentials() {
   }
 
   String getAWSRegion() {
-    if (!regionInitialized) {
-      String envRegion = SnowflakeUtil.systemGetEnv(EnvironmentVariables.AWS_REGION.getName());
-      region = envRegion != null ? envRegion : new InstanceMetadataRegionProvider().getRegion();
+    try {
+      if (!regionInitialized) {
+        String envRegion = SnowflakeUtil.systemGetEnv(EnvironmentVariables.AWS_REGION.getName());
+        region = envRegion != null ? envRegion : new InstanceMetadataRegionProvider().getRegion();
+      }
+      return region;
+    } catch (Exception e) {
+      logger.debug("Could not get AWS region", e);
+      return null;
+    } finally {
       regionInitialized = true;
     }
-    return region;
   }
 
   String getArn() {

src/main/java/net/snowflake/client/core/auth/wif/AwsIdentityAttestationCreator.java

@@ -19,9 +19,9 @@ public class AwsIdentityAttestationCreator implements WorkloadIdentityAttestatio
   private static final SFLogger logger =
       SFLoggerFactory.getLogger(AwsIdentityAttestationCreator.class);
 
-  private final AWSAttestationService attestationService;
+  private final AwsAttestationService attestationService;
 
-  public AwsIdentityAttestationCreator(AWSAttestationService attestationService) {
+  public AwsIdentityAttestationCreator(AwsAttestationService attestationService) {
     this.attestationService = attestationService;
   }
 

src/main/java/net/snowflake/client/core/auth/wif/AzureAttestationService.java

@@ -0,0 +1,38 @@
+package net.snowflake.client.core.auth.wif;
+
+import net.snowflake.client.core.SFLoginInput;
+import net.snowflake.client.core.SnowflakeJdbcInternalApi;
+import net.snowflake.client.jdbc.SnowflakeUtil;
+import net.snowflake.client.log.SFLogger;
+import net.snowflake.client.log.SFLoggerFactory;
+import org.apache.http.client.methods.HttpRequestBase;
+
+@SnowflakeJdbcInternalApi
+public class AzureAttestationService {
+
+  private static final SFLogger logger = SFLoggerFactory.getLogger(AzureAttestationService.class);
+
+  // Expected to be set in Azure Functions environment
+  String getIdentityEndpoint() {
+    return SnowflakeUtil.systemGetEnv("IDENTITY_ENDPOINT");
+  }
+
+  // Expected to be set in Azure Functions environment
+  String getIdentityHeader() {
+    return SnowflakeUtil.systemGetEnv("IDENTITY_HEADER");
+  }
+
+  // Expected to be set in Azure Functions environment
+  String getClientId() {
+    return SnowflakeUtil.systemGetEnv("MANAGED_IDENTITY_CLIENT_ID");
+  }
+
+  String fetchTokenFromMetadataService(HttpRequestBase tokenRequest, SFLoginInput loginInput) {
+    try {
+      return WorkloadIdentityUtil.performIdentityRequest(tokenRequest, loginInput);
+    } catch (Exception e) {
+      logger.debug("Azure metadata server request was not successful: {}", e);
+      return null;
+    }
+  }
+}