
SNOW-1825607 Initial OCSP deprecation plan steps #973

Open

wants to merge 2 commits into base: master

Conversation

@sfc-gh-ext-simba-jy (Collaborator) commented Nov 25, 2024

Description

Please explain the changes you made here.

  • FAIL_OPEN log changed (message + log level)?
  • FAIL_OPEN passing request along if responder URL is missing?
  • [] FAIL_CLOSED - no NPE if responder URL is missing? Please check the message below about this.
  • Retries and timeouts confirmed (both to responder and cache server)?
  • disableOCSPChecks introduced?
    • Deprecated insecureMode?
    • disableOCSPChecks has precedence?

Checklist

  • Format code according to the existing code style (run npm run lint:check -- CHANGED_FILES and fix problems in changed code)
  • Create tests which fail without the change (if possible)
  • Make all tests (unit and integration) pass (npm run test:unit and npm run test:integration)
  • Extend the README / documentation and ensure it is properly displayed (if necessary)
  • Provide JIRA issue id (if possible) or GitHub issue id in commit message

@sfc-gh-ext-simba-jy sfc-gh-ext-simba-jy requested a review from a team as a code owner November 25, 2024 19:23
@sfc-gh-ext-simba-jy sfc-gh-ext-simba-jy changed the title from "testing" to "SNOW-1825607" Nov 25, 2024
@sfc-gh-ext-simba-jy sfc-gh-ext-simba-jy marked this pull request as draft November 25, 2024 19:24
@sfc-gh-ext-simba-jy (Collaborator, Author) commented Nov 26, 2024

It seems like the node.js driver does not have the use case that the responder URL does not exist according to the code:

`let parsedUrl = require('url').parse(process.env.SF_OCSP_RESPONSE_CACHE_SERVER_URL);`

As we have the default OCSP_RESPONSE_CACHE_SERVER_URL and there will be no error for the responder URL, this will not throw the error like JDBC.

@sfc-gh-ext-simba-jy sfc-gh-ext-simba-jy marked this pull request as ready for review November 26, 2024 00:20
@sfc-gh-ext-simba-jy sfc-gh-ext-simba-jy changed the title from "SNOW-1825607" to "SNOW-1825607 Initialal OCSP deprecation plan steps" Nov 26, 2024
codecov bot commented Nov 26, 2024

Codecov Report

Attention: Patch coverage is 94.44444% with 1 line in your changes missing coverage. Please review.

Project coverage is 88.91%. Comparing base (bada542) to head (6fc7ddc).

Files with missing lines Patch % Lines
lib/core.js 85.71% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master     #973      +/-   ##
==========================================
- Coverage   88.93%   88.91%   -0.02%     
==========================================
  Files          69       69              
  Lines        6748     6749       +1     
==========================================
  Hits         6001     6001              
- Misses        747      748       +1     


@@ -120,7 +115,7 @@ exports.secureSocket = function (socket, host, agent, mock) {
function isOcspValidationDisabled(host) {
// ocsp is disabled if insecure-connect is enabled, or if we've disabled ocsp
// for non-snowflake endpoints and the host is a non-snowflake endpoint
return GlobalConfig.isInsecureConnect() ||
return GlobalConfig.isOCSPChecksDisabled() ||
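Review bot: the comment directly above this return still says "ocsp is disabled if insecure-connect is enabled", which no longer matches the condition; update it to name disableOCSPChecks. Also confirm that `GlobalConfig.isOCSPChecksDisabled()` reflects a legacy `setInsecureConnect(true)`: either the deprecated setter must write the same flag, or this check needs `GlobalConfig.isInsecureConnect() || GlobalConfig.isOCSPChecksDisabled()`, otherwise existing users of insecureConnect silently get OCSP re-enabled.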
Collaborator

Does this cover also a case when someone sets insecureMode?

@@ -158,7 +153,7 @@ function canEarlyExitForOCSP(errors) {
const err = errors[errorIndex];
if (err && !isValidOCSPError(err)) {
// any of the errors is NOT good/revoked/unknown
Logger.getInstance().warn(ocspFailOpenWarning + err);
Logger.getInstance().debug('OCSP responder didn\'t respond correctly. Assuming certificate is not revoked');
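Review bot: the new debug line drops the `err` value that the removed `warn(ocspFailOpenWarning + err)` carried, so an operator can no longer tell which responder error triggered the fail-open decision. Keep the detail in the message, e.g. `Logger.getInstance().debug('OCSP responder didn\'t respond correctly (' + err + '). Assuming certificate is not revoked');`, even if the level is lowered to debug as the description intends.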
Collaborator

Can we leave details as it was before?

const insecureConnect = options.insecureConnect;
if (Util.exists(insecureConnect)) {
if (Util.exists(options.insecureConnect)) {
Logger.getInstance().warn('Warning! The option insecureConnect will be deprecated. Please use the disableOCSPChecks.');
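Review bot: the warning text says insecureConnect "will be deprecated", but this PR is the deprecation, so it should read "is deprecated"; the trailing "Please use the disableOCSPChecks." also reads better as "Please use disableOCSPChecks instead." Note the warning fires for any set value, including `insecureConnect: false`, which is acceptable but worth a comment on the line.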
Collaborator

Actually it is deprecated, not will be :)

Logger.getInstance().warn('Warning! The option insecureConnect will be deprecated. Please use the disableOCSPChecks.');
}

const disableOCSPChecks = options.insecureConnect || options.disableOCSPChecks;
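Review bot: `options.insecureConnect || options.disableOCSPChecks` gives the deprecated flag precedence: `{ insecureConnect: true, disableOCSPChecks: false }` evaluates to true, contradicting the "disableOCSPChecks has precedence" item in the description. Use the explicit value when it is set and fall back only otherwise, e.g. `const disableOCSPChecks = Util.exists(options.disableOCSPChecks) ? options.disableOCSPChecks : options.insecureConnect;`.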
Collaborator

Are these values nullable? If yes and both are not null, disableOCSPChecks should have precedence, not the alternative.

@@ -9,13 +9,13 @@ const assert = require('assert');
describe('OCSP mode', function () {
it('getOcspMode', function (done) {
// insecure mode
GlobalConfig.setInsecureConnect(true);
GlobalConfig.setDisableOCSPChecks(true);
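Review bot: replacing `GlobalConfig.setInsecureConnect(true)` with `setDisableOCSPChecks(true)` removes the only coverage of the deprecated setter while that path is still supported; keep a second case that calls `GlobalConfig.setInsecureConnect(true)` and asserts the same OCSP mode, so the legacy option keeps working until it is actually removed. The "// insecure mode" comment above should also be updated to match the call.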
Collaborator

Can we have also a test confirming that insecureMode still works?

@@ -15,7 +15,7 @@ describe('Snowflake Configure Tests', function () {
before(function () {
originalConfig = {
logLevel: Logger.getInstance().getLevelTag(),
insecureConnect: GlobalConfig.isInsecureConnect(),
disableOCSPChecks: GlobalConfig.isOCSPChecksDisabled(),
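Review bot: `originalConfig` no longer snapshots `insecureConnect`, so if the deprecated setter remains live, a test that sets it will not be restored afterwards and can leak into later tests; capture both values here and add a case that sets both at once and asserts that disableOCSPChecks wins.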
Collaborator

Same here + test for setting both values at once.

@sfc-gh-pfus (Collaborator)

> It seems like the node.js driver does not have the use case that the responder URL does not exist according to the code:
>
> `let parsedUrl = require('url').parse(process.env.SF_OCSP_RESPONSE_CACHE_SERVER_URL);`
>
> As we have the default OCSP_RESPONSE_CACHE_SERVER_URL and there will be no error for the responder URL, this will not throw the error like JDBC.

What you mentioned is not a responder URL - it is a cache server URL. Responder URL is provided in each certificate.

@sfc-gh-dszmolka sfc-gh-dszmolka changed the title SNOW-1825607 Initialal OCSP deprecation plan steps SNOW-1825607 Initial OCSP deprecation plan steps Nov 26, 2024
@sfc-gh-dszmolka (Collaborator) commented Nov 26, 2024

> It seems like the node.js driver does not have the use case that the responder URL does not exist according to the code:
>
> `let parsedUrl = require('url').parse(process.env.SF_OCSP_RESPONSE_CACHE_SERVER_URL);`
>
> As we have the default OCSP_RESPONSE_CACHE_SERVER_URL and there will be no error for the responder URL, this will not throw the error like JDBC.

OCSP Responder url != OCSP Cache URL. The (default) OCSP Cache URL is always the same, by default, ocsp.snowflakecomputing.com (gracefully ignoring privatelink situations here)

However OCSP Responder URL is not from Snowflake. It is always hardcoded into the particular certificate, which is under verification. See this random cert as an example: https://crt.sh/?sha256=9c3f2fd11c57d7c649ad5a0932c0f0d29756f6a0a1c74c43e1e89a62d64cd320

            Authority Information Access: 
                CA Issuers - URI:http://i.pki.goog/r4.crt

It does not have an OCSP endpoint. The driver today will complain if it encounters such certs, which don't have the OCSP endpoint, because the driver expects the cert to have it. See this issue for what exactly happens: #932

As a comparison, here's a cert which does have OCSP endpoint: https://crt.sh/?id=12092745633
Observe:

            Authority Information Access: 
>>>>            OCSP - URI:http://ocsp.r2m03.amazontrust.com
                CA Issuers - URI:http://crt.r2m03.amazontrust.com/r2m03.cer

(this section is missing from the first cert)

The goal here is for the driver, if it encounters a cert without the said OCSP endpoint, to just log a debug-level message and gracefully continue as if the verification was successful.
Implementing this change will also fix #932.

edit: I see Piotr also pointed the same out while I was typing this message :)
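The two decisions discussed in this thread, the precedence of `disableOCSPChecks` over the deprecated `insecureConnect` from the PR description, and what to do when a certificate's Authority Information Access extension carries no OCSP URI, can be shown together. The block below is an added example written for this review, not code from snowflake-connector-nodejs. It assumes the AIA extension in the text form that Node's `crypto.X509Certificate` `infoAccess` property returns (one `<method> - URI:<url>` entry per line, the same layout as the crt.sh excerpts above); the function names, the `failOpen` option and the return shape are invented for illustration. The two AIA strings are constructed from the excerpts quoted in the thread.

```javascript
'use strict';

// Added example, not part of the snowflake-connector-nodejs code base.

// Resolve the effective OCSP switch from connection options. An explicitly set
// disableOCSPChecks (true or false) wins; the deprecated insecureConnect is only
// consulted when disableOCSPChecks is null/undefined. Returns the deprecation
// warning as data so a caller can route it to its own logger.
function resolveDisableOCSPChecks(options) {
  const isSet = (v) => v !== undefined && v !== null;
  const warnings = [];
  if (isSet(options.insecureConnect)) {
    warnings.push('The option insecureConnect is deprecated. Please use disableOCSPChecks instead.');
  }
  let disabled = false;
  if (isSet(options.disableOCSPChecks)) {
    disabled = Boolean(options.disableOCSPChecks);
  } else if (isSet(options.insecureConnect)) {
    disabled = Boolean(options.insecureConnect);
  }
  return { disabled, warnings };
}

// Extract OCSP responder URLs from AIA text (assumed format: "OCSP - URI:<url>"
// lines, as printed by OpenSSL and exposed by X509Certificate#infoAccess).
function ocspResponderUrls(infoAccessText) {
  const urls = [];
  for (const rawLine of String(infoAccessText || '').split(/\r?\n/)) {
    const m = /^OCSP\s*-\s*URI:(\S+)$/i.exec(rawLine.trim());
    if (m) {
      urls.push(m[1]);
    }
  }
  return urls;
}

// Decide what to do for one certificate. action is 'skip' (treat as valid),
// 'query' (ask the responder) or 'fail' (reject). A certificate with no OCSP
// URI cannot be queried at all: FAIL_OPEN logs at debug level and continues,
// FAIL_CLOSED returns a definite error instead of dereferencing a missing URL.
function planOcspCheck(infoAccessText, { disableOCSPChecks = false, failOpen = true } = {}) {
  if (disableOCSPChecks) {
    return { action: 'skip', reason: 'disabled', responders: [], logLevel: 'debug',
             message: 'OCSP checks disabled by configuration' };
  }
  const responders = ocspResponderUrls(infoAccessText);
  if (responders.length === 0) {
    if (failOpen) {
      return { action: 'skip', reason: 'no-ocsp-uri', responders, logLevel: 'debug',
               message: 'Certificate has no OCSP responder URI in AIA; assuming it is not revoked (FAIL_OPEN)' };
    }
    return { action: 'fail', reason: 'no-ocsp-uri', responders, logLevel: 'error',
             message: 'Certificate has no OCSP responder URI in AIA (FAIL_CLOSED)' };
  }
  return { action: 'query', reason: 'has-ocsp-uri', responders, logLevel: 'debug',
           message: 'Querying OCSP responder ' + responders[0] };
}

// Constructed inputs, taken from the two AIA excerpts quoted in this thread.
const AIA_NO_OCSP = 'CA Issuers - URI:http://i.pki.goog/r4.crt';
const AIA_WITH_OCSP = 'OCSP - URI:http://ocsp.r2m03.amazontrust.com\n' +
                      'CA Issuers - URI:http://crt.r2m03.amazontrust.com/r2m03.cer';

// Run both certificates through both modes and return the plans.
function demo() {
  const results = [];
  for (const aia of [AIA_NO_OCSP, AIA_WITH_OCSP]) {
    for (const failOpen of [true, false]) {
      const plan = planOcspCheck(aia, { failOpen });
      results.push({ failOpen, action: plan.action, reason: plan.reason });
      console.log(`[${plan.logLevel}] ${plan.message} -> ${plan.action}`);
    }
  }
  return results;
}

demo();
```

The point of returning a plan object rather than throwing is that the FAIL_CLOSED branch for a certificate with no responder becomes an ordinary, testable error path instead of a crash on an undefined URL, while the FAIL_OPEN branch records why the check was skipped so the debug log still explains the decision.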
