All Downloads are FREE. Search and download functionalities are using the official Maven repository.

net.snowflake.client.core.SessionUtil Maven / Gradle / Ivy

There is a newer version: 3.21.0
Show newest version
/*
 * Copyright (c) 2012-2022 Snowflake Computing Inc. All rights reserved.
 */

package net.snowflake.client.core;

import static net.snowflake.client.core.SFTrustManager.resetOCSPResponseCacherServerURL;
import static net.snowflake.client.jdbc.SnowflakeUtil.systemGetProperty;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.base.Strings;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import net.snowflake.client.jdbc.ErrorCode;
import net.snowflake.client.jdbc.SnowflakeDriver;
import net.snowflake.client.jdbc.SnowflakeReauthenticationRequest;
import net.snowflake.client.jdbc.SnowflakeSQLException;
import net.snowflake.client.jdbc.SnowflakeSQLLoggedException;
import net.snowflake.client.jdbc.SnowflakeType;
import net.snowflake.client.jdbc.SnowflakeUtil;
import net.snowflake.client.jdbc.telemetryOOB.TelemetryService;
import net.snowflake.client.log.ArgSupplier;
import net.snowflake.client.log.SFLogger;
import net.snowflake.client.log.SFLoggerFactory;
import net.snowflake.client.util.SecretDetector;
import net.snowflake.client.util.Stopwatch;
import net.snowflake.common.core.ClientAuthnDTO;
import net.snowflake.common.core.ClientAuthnParameter;
import net.snowflake.common.core.SqlState;
import org.apache.http.HttpHeaders;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpRequestBase;
import org.apache.http.client.utils.URIBuilder;
import org.apache.http.entity.StringEntity;
import org.apache.http.message.BasicHeader;
import org.apache.http.message.HeaderGroup;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.select.Elements;

/** Low level session util */
public class SessionUtil {
  private static final SFLogger logger = SFLoggerFactory.getLogger(SessionUtil.class);
  // Response Field Name
  private static final String SF_QUERY_DATABASE = "databaseName";
  private static final String SF_QUERY_SCHEMA = "schemaName";
  private static final String SF_QUERY_WAREHOUSE = "warehouse";
  private static final String SF_QUERY_ROLE = "roleName";

  // Request path
  private static final String SF_PATH_LOGIN_REQUEST = "/session/v1/login-request";
  private static final String SF_PATH_TOKEN_REQUEST = "/session/token-request";
  public static final String SF_PATH_AUTHENTICATOR_REQUEST = "/session/authenticator-request";
  public static final String SF_PATH_CONSOLE_LOGIN_REQUEST = "/console/login";

  public static final String SF_QUERY_SESSION_DELETE = "delete";

  // Headers
  @Deprecated
  public static final String SF_HEADER_AUTHORIZATION = SFSession.SF_HEADER_AUTHORIZATION;

  // Authentication type
  private static final String SF_HEADER_BASIC_AUTHTYPE = "Basic";
  private static final String CLIENT_STORE_TEMPORARY_CREDENTIAL =
      "CLIENT_STORE_TEMPORARY_CREDENTIAL";
  private static final String CLIENT_REQUEST_MFA_TOKEN = "CLIENT_REQUEST_MFA_TOKEN";
  private static final String SERVICE_NAME = "SERVICE_NAME";
  private static final String CLIENT_IN_BAND_TELEMETRY_ENABLED = "CLIENT_TELEMETRY_ENABLED";
  private static final String CLIENT_OUT_OF_BAND_TELEMETRY_ENABLED =
      "CLIENT_OUT_OF_BAND_TELEMETRY_ENABLED";
  private static final String CLIENT_RESULT_COLUMN_CASE_INSENSITIVE =
      "CLIENT_RESULT_COLUMN_CASE_INSENSITIVE";
  private static final String JDBC_RS_COLUMN_CASE_INSENSITIVE = "JDBC_RS_COLUMN_CASE_INSENSITIVE";
  private static final String JDBC_TREAT_TIMESTAMP_NTZ_AS_UTC = "JDBC_TREAT_TIMESTAMP_NTZ_AS_UTC";
  private static final String JDBC_FORMAT_DATE_WITH_TIMEZONE = "JDBC_FORMAT_DATE_WITH_TIMEZONE";
  private static final String JDBC_USE_SESSION_TIMEZONE = "JDBC_USE_SESSION_TIMEZONE";
  public static final String JDBC_CHUNK_DOWNLOADER_MAX_RETRY = "JDBC_CHUNK_DOWNLOADER_MAX_RETRY";
  private static final String CLIENT_RESULT_CHUNK_SIZE_JVM =
      "net.snowflake.jdbc.clientResultChunkSize";
  public static final String CLIENT_RESULT_CHUNK_SIZE = "CLIENT_RESULT_CHUNK_SIZE";
  public static final String CLIENT_MEMORY_LIMIT_JVM = "net.snowflake.jdbc.clientMemoryLimit";
  public static final String CLIENT_MEMORY_LIMIT = "CLIENT_MEMORY_LIMIT";
  public static final String QUERY_CONTEXT_CACHE_SIZE = "QUERY_CONTEXT_CACHE_SIZE";
  public static final String JDBC_ENABLE_PUT_GET = "JDBC_ENABLE_PUT_GET";
  public static final String CLIENT_PREFETCH_THREADS_JVM =
      "net.snowflake.jdbc.clientPrefetchThreads";
  public static final String CLIENT_PREFETCH_THREADS = "CLIENT_PREFETCH_THREADS";
  public static final String CLIENT_ENABLE_CONSERVATIVE_MEMORY_USAGE_JVM =
      "net.snowflake.jdbc.clientEnableConservativeMemoryUsage";
  public static final String CLIENT_ENABLE_CONSERVATIVE_MEMORY_USAGE =
      "CLIENT_ENABLE_CONSERVATIVE_MEMORY_USAGE";
  public static final String CLIENT_CONSERVATIVE_MEMORY_ADJUST_STEP =
      "CLIENT_CONSERVATIVE_MEMORY_ADJUST_STEP";
  public static final String OCSP_FAIL_OPEN_JVM = "net.snowflake.jdbc.ocspFailOpen";
  private static final String OCSP_FAIL_OPEN = "ocspFailOpen";
  public static final String CLIENT_SESSION_KEEP_ALIVE_HEARTBEAT_FREQUENCY =
      "CLIENT_SESSION_KEEP_ALIVE_HEARTBEAT_FREQUENCY";
  public static final String CLIENT_SFSQL = "CLIENT_SFSQL";
  public static final String CLIENT_VALIDATE_DEFAULT_PARAMETERS =
      "CLIENT_VALIDATE_DEFAULT_PARAMETERS";
  public static final String CLIENT_ENABLE_LOG_INFO_STATEMENT_PARAMETERS =
      "CLIENT_ENABLE_LOG_INFO_STATEMENT_PARAMETERS";
  public static final String CLIENT_METADATA_REQUEST_USE_CONNECTION_CTX =
      "CLIENT_METADATA_REQUEST_USE_CONNECTION_CTX";
  public static final String CLIENT_METADATA_USE_SESSION_DATABASE =
      "CLIENT_METADATA_USE_SESSION_DATABASE";
  public static final String ENABLE_STAGE_S3_PRIVATELINK_FOR_US_EAST_1 =
      "ENABLE_STAGE_S3_PRIVATELINK_FOR_US_EAST_1";

  static final String SF_HEADER_SERVICE_NAME = "X-Snowflake-Service";

  public static final String SF_HEADER_CLIENT_APP_ID = "CLIENT_APP_ID";

  public static final String SF_HEADER_CLIENT_APP_VERSION = "CLIENT_APP_VERSION";

  private static final String ID_TOKEN_AUTHENTICATOR = "ID_TOKEN";

  private static final String NO_QUERY_ID = "";
  private static final String SF_PATH_SESSION = "/session";
  public static long DEFAULT_CLIENT_MEMORY_LIMIT = 1536; // MB
  public static int DEFAULT_CLIENT_PREFETCH_THREADS = 4;
  public static int MIN_CLIENT_CHUNK_SIZE = 48;
  public static int MAX_CLIENT_CHUNK_SIZE = 160;
  public static Map JVM_PARAMS_TO_PARAMS =
      Stream.of(
              new String[][] {
                {CLIENT_RESULT_CHUNK_SIZE_JVM, CLIENT_RESULT_CHUNK_SIZE},
                {CLIENT_MEMORY_LIMIT_JVM, CLIENT_MEMORY_LIMIT},
                {CLIENT_PREFETCH_THREADS_JVM, CLIENT_PREFETCH_THREADS},
                {OCSP_FAIL_OPEN_JVM, OCSP_FAIL_OPEN},
                {
                  CLIENT_ENABLE_CONSERVATIVE_MEMORY_USAGE_JVM,
                  CLIENT_ENABLE_CONSERVATIVE_MEMORY_USAGE
                }
              })
          .collect(Collectors.toMap(data -> data[0], data -> data[1]));
  private static ObjectMapper mapper = ObjectMapperFactory.getObjectMapper();
  private static int DEFAULT_HEALTH_CHECK_INTERVAL = 45; // sec
  private static Set STRING_PARAMS =
      new HashSet<>(
          Arrays.asList(
              "TIMEZONE",
              "TIMESTAMP_OUTPUT_FORMAT",
              "TIMESTAMP_NTZ_OUTPUT_FORMAT",
              "TIMESTAMP_LTZ_OUTPUT_FORMAT",
              "TIMESTAMP_TZ_OUTPUT_FORMAT",
              "DATE_OUTPUT_FORMAT",
              "TIME_OUTPUT_FORMAT",
              "BINARY_OUTPUT_FORMAT",
              "CLIENT_TIMESTAMP_TYPE_MAPPING",
              SERVICE_NAME,
              "GEOGRAPHY_OUTPUT_FORMAT"));
  private static final Set INT_PARAMS =
      new HashSet<>(
          Arrays.asList(
              CLIENT_PREFETCH_THREADS,
              CLIENT_MEMORY_LIMIT,
              CLIENT_RESULT_CHUNK_SIZE,
              "CLIENT_STAGE_ARRAY_BINDING_THRESHOLD",
              "CLIENT_SESSION_KEEP_ALIVE_HEARTBEAT_FREQUENCY"));
  private static final Set BOOLEAN_PARAMS =
      new HashSet<>(
          Arrays.asList(
              CLIENT_SESSION_KEEP_ALIVE_HEARTBEAT_FREQUENCY,
              "CLIENT_HONOR_CLIENT_TZ_FOR_TIMESTAMP_NTZ",
              "CLIENT_DISABLE_INCIDENTS",
              "CLIENT_SESSION_KEEP_ALIVE",
              CLIENT_ENABLE_LOG_INFO_STATEMENT_PARAMETERS,
              CLIENT_IN_BAND_TELEMETRY_ENABLED,
              CLIENT_OUT_OF_BAND_TELEMETRY_ENABLED,
              CLIENT_STORE_TEMPORARY_CREDENTIAL,
              CLIENT_REQUEST_MFA_TOKEN,
              "JDBC_USE_JSON_PARSER",
              "AUTOCOMMIT",
              "JDBC_EFFICIENT_CHUNK_STORAGE",
              JDBC_RS_COLUMN_CASE_INSENSITIVE,
              JDBC_TREAT_TIMESTAMP_NTZ_AS_UTC,
              JDBC_FORMAT_DATE_WITH_TIMEZONE,
              JDBC_USE_SESSION_TIMEZONE,
              CLIENT_RESULT_COLUMN_CASE_INSENSITIVE,
              CLIENT_METADATA_REQUEST_USE_CONNECTION_CTX,
              CLIENT_METADATA_USE_SESSION_DATABASE,
              "JDBC_TREAT_DECIMAL_AS_INT",
              "JDBC_ENABLE_COMBINED_DESCRIBE",
              CLIENT_ENABLE_CONSERVATIVE_MEMORY_USAGE,
              CLIENT_VALIDATE_DEFAULT_PARAMETERS,
              ENABLE_STAGE_S3_PRIVATELINK_FOR_US_EAST_1,
              "SNOWPARK_LAZY_ANALYSIS"));

  /**
   * Returns Authenticator type
   *
   * @param loginInput login information
   * @return Authenticator type
   */
  private static ClientAuthnDTO.AuthenticatorType getAuthenticator(SFLoginInput loginInput) {
    if (loginInput.getAuthenticator() != null) {
      if (loginInput
          .getAuthenticator()
          .equalsIgnoreCase(ClientAuthnDTO.AuthenticatorType.EXTERNALBROWSER.name())) {
        // SAML 2.0 compliant service/application
        return ClientAuthnDTO.AuthenticatorType.EXTERNALBROWSER;
      } else if (loginInput
          .getAuthenticator()
          .equalsIgnoreCase(ClientAuthnDTO.AuthenticatorType.OAUTH.name())) {
        // OAuth Authentication
        return ClientAuthnDTO.AuthenticatorType.OAUTH;
      } else if (loginInput
          .getAuthenticator()
          .equalsIgnoreCase(ClientAuthnDTO.AuthenticatorType.SNOWFLAKE_JWT.name())) {
        return ClientAuthnDTO.AuthenticatorType.SNOWFLAKE_JWT;
      } else if (loginInput
          .getAuthenticator()
          .equalsIgnoreCase(ClientAuthnDTO.AuthenticatorType.USERNAME_PASSWORD_MFA.name())) {
        return ClientAuthnDTO.AuthenticatorType.USERNAME_PASSWORD_MFA;
      } else if (!loginInput
          .getAuthenticator()
          .equalsIgnoreCase(ClientAuthnDTO.AuthenticatorType.SNOWFLAKE.name())) {
        // OKTA authenticator v1.
        return ClientAuthnDTO.AuthenticatorType.OKTA;
      }
    }

    // authenticator is null, then jdbc will decide authenticator depends on
    // if privateKey is specified or not. If yes, authenticator type will be
    // SNOWFLAKE_JWT, otherwise it will use SNOWFLAKE.
    return loginInput.isPrivateKeyProvided()
        ? ClientAuthnDTO.AuthenticatorType.SNOWFLAKE_JWT
        : ClientAuthnDTO.AuthenticatorType.SNOWFLAKE;
  }

  /**
   * Open a new session
   *
   * @param loginInput login information
   * @return information get after login such as token information
   * @throws SFException if unexpected uri syntax
   * @throws SnowflakeSQLException if failed to establish connection with snowflake
   */
  static SFLoginOutput openSession(
      SFLoginInput loginInput,
      Map connectionPropertiesMap,
      String tracingLevel)
      throws SFException, SnowflakeSQLException {
    AssertUtil.assertTrue(
        loginInput.getServerUrl() != null, "missing server URL for opening session");

    AssertUtil.assertTrue(loginInput.getAppId() != null, "missing app id for opening session");

    AssertUtil.assertTrue(
        loginInput.getLoginTimeout() >= 0, "negative login timeout for opening session");

    final ClientAuthnDTO.AuthenticatorType authenticator = getAuthenticator(loginInput);
    if (!authenticator.equals(ClientAuthnDTO.AuthenticatorType.OAUTH)) {
      // OAuth does not require a username
      AssertUtil.assertTrue(
          loginInput.getUserName() != null, "missing user name for opening session");
    } else {
      // OAUTH needs either token or passord
      AssertUtil.assertTrue(
          loginInput.getToken() != null || loginInput.getPassword() != null,
          "missing token or password for opening session");
    }
    if (authenticator.equals(ClientAuthnDTO.AuthenticatorType.EXTERNALBROWSER)) {
      if ((Constants.getOS() == Constants.OS.MAC || Constants.getOS() == Constants.OS.WINDOWS)
          && loginInput.isEnableClientStoreTemporaryCredential()) {
        // force to set the flag for Mac/Windows users
        loginInput.getSessionParameters().put(CLIENT_STORE_TEMPORARY_CREDENTIAL, true);
      } else {
        // Linux should read from JDBC configuration. For other unsupported OS, we set it to false
        // as default value
        if (!loginInput.getSessionParameters().containsKey(CLIENT_STORE_TEMPORARY_CREDENTIAL)) {
          loginInput.getSessionParameters().put(CLIENT_STORE_TEMPORARY_CREDENTIAL, false);
        }
      }
    } else {
      // TODO: patch for now. We should update mergeProperties
      // to normalize all parameters using STRING_PARAMS, INT_PARAMS and
      // BOOLEAN_PARAMS.
      Object value = loginInput.getSessionParameters().get(CLIENT_STORE_TEMPORARY_CREDENTIAL);
      if (value != null) {
        loginInput.getSessionParameters().put(CLIENT_STORE_TEMPORARY_CREDENTIAL, asBoolean(value));
      }
    }

    if (authenticator.equals(ClientAuthnDTO.AuthenticatorType.USERNAME_PASSWORD_MFA)) {
      if ((Constants.getOS() == Constants.OS.MAC || Constants.getOS() == Constants.OS.WINDOWS)
          && loginInput.isEnableClientRequestMfaToken()) {
        loginInput.getSessionParameters().put(CLIENT_REQUEST_MFA_TOKEN, true);
      }
    }

    preNewSession(loginInput);

    try {
      return newSession(loginInput, connectionPropertiesMap, tracingLevel);
    } catch (SnowflakeReauthenticationRequest ex) {
      // Id Token expired. We run newSession again with id_token cache cleared
      logger.debug("ID Token being used has expired. Reauthenticating with ID Token cleared...");
      return newSession(loginInput, connectionPropertiesMap, tracingLevel);
    }
  }

  private static void preNewSession(SFLoginInput loginInput) throws SFException {
    if (asBoolean(loginInput.getSessionParameters().get(CLIENT_STORE_TEMPORARY_CREDENTIAL))) {
      CredentialManager.getInstance().fillCachedIdToken(loginInput);
    }

    if (asBoolean(loginInput.getSessionParameters().get(CLIENT_REQUEST_MFA_TOKEN))) {
      CredentialManager.getInstance().fillCachedMfaToken(loginInput);
    }
  }

  private static boolean asBoolean(Object value) {
    if (value == null) {
      return false;
    }
    switch (value.getClass().getName()) {
      case "java.lang.Boolean":
        return (Boolean) value;
      case "java.lang.String":
        return Boolean.valueOf((String) value);
    }
    return false;
  }

  private static SFLoginOutput newSession(
      SFLoginInput loginInput,
      Map connectionPropertiesMap,
      String tracingLevel)
      throws SFException, SnowflakeSQLException {
    Stopwatch stopwatch = new Stopwatch();
    stopwatch.start();
    // build URL for login request
    URIBuilder uriBuilder;
    URI loginURI;
    String tokenOrSamlResponse = null;
    String samlProofKey = null;
    boolean consentCacheIdToken = true;

    String sessionToken;
    String masterToken;
    String sessionDatabase;
    String sessionSchema;
    String sessionRole;
    String sessionWarehouse;
    String sessionId;
    long masterTokenValidityInSeconds;
    String idToken;
    String mfaToken;
    String databaseVersion = null;
    int databaseMajorVersion = 0;
    int databaseMinorVersion = 0;
    String newClientForUpgrade;
    int healthCheckInterval = DEFAULT_HEALTH_CHECK_INTERVAL;
    int httpClientSocketTimeout = loginInput.getSocketTimeoutInMillis();
    int httpClientConnectionTimeout = loginInput.getConnectionTimeoutInMillis();
    final ClientAuthnDTO.AuthenticatorType authenticatorType = getAuthenticator(loginInput);
    Map commonParams;

    String oktaUsername = loginInput.getOKTAUserName();
    logger.debug(
        "Authenticating user: {}, host: {} with authentication method: {}."
            + " Login timeout: {} s, auth timeout: {} s, OCSP mode: {}{}",
        loginInput.getUserName(),
        loginInput.getHostFromServerUrl(),
        authenticatorType,
        loginInput.getLoginTimeout(),
        loginInput.getAuthTimeout(),
        loginInput.getOCSPMode(),
        Strings.isNullOrEmpty(oktaUsername) ? "" : ", okta username: " + oktaUsername);

    try {

      uriBuilder = new URIBuilder(loginInput.getServerUrl());
      // add database name and schema name as query parameters
      if (loginInput.getDatabaseName() != null) {
        uriBuilder.addParameter(SF_QUERY_DATABASE, loginInput.getDatabaseName());
      }

      if (loginInput.getSchemaName() != null) {
        uriBuilder.addParameter(SF_QUERY_SCHEMA, loginInput.getSchemaName());
      }

      if (loginInput.getWarehouse() != null) {
        uriBuilder.addParameter(SF_QUERY_WAREHOUSE, loginInput.getWarehouse());
      }

      if (loginInput.getRole() != null) {
        uriBuilder.addParameter(SF_QUERY_ROLE, loginInput.getRole());
      }

      if (authenticatorType == ClientAuthnDTO.AuthenticatorType.EXTERNALBROWSER) {
        // try to reuse id_token if exists
        if (loginInput.getIdToken() == null) {
          // SAML 2.0 compliant service/application
          SessionUtilExternalBrowser s = SessionUtilExternalBrowser.createInstance(loginInput);
          s.authenticate();
          tokenOrSamlResponse = s.getToken();
          samlProofKey = s.getProofKey();
          consentCacheIdToken = s.isConsentCacheIdToken();
        }
      } else if (authenticatorType == ClientAuthnDTO.AuthenticatorType.OKTA) {
        // okta authenticator v1
        tokenOrSamlResponse = getSamlResponseUsingOkta(loginInput);
      } else if (authenticatorType == ClientAuthnDTO.AuthenticatorType.SNOWFLAKE_JWT) {
        SessionUtilKeyPair s =
            new SessionUtilKeyPair(
                loginInput.getPrivateKey(),
                loginInput.getPrivateKeyFile(),
                loginInput.getPrivateKeyBase64(),
                loginInput.getPrivateKeyPwd(),
                loginInput.getAccountName(),
                loginInput.getUserName());

        loginInput.setToken(s.issueJwtToken());
        loginInput.setAuthTimeout(SessionUtilKeyPair.getTimeout());
      }

      uriBuilder.addParameter(SFSession.SF_QUERY_REQUEST_ID, UUIDUtils.getUUID().toString());

      uriBuilder.setPath(SF_PATH_LOGIN_REQUEST);
      loginURI = uriBuilder.build();
    } catch (URISyntaxException ex) {
      logger.error("Exception when building URL", ex);

      throw new SFException(ex, ErrorCode.INTERNAL_ERROR, "unexpected URI syntax exception:1");
    }

    try {
      // Adjust OCSP cache server if it is private link
      resetOCSPUrlIfNecessary(loginInput.getServerUrl());
    } catch (IOException ex) {
      throw new SFException(ex, ErrorCode.IO_ERROR, "unexpected URL syntax exception");
    }

    HttpPost postRequest = null;

    try {
      ClientAuthnDTO authnData = new ClientAuthnDTO();
      authnData.setInFlightCtx(loginInput.getInFlightCtx());

      Map data = new HashMap<>();
      data.put(ClientAuthnParameter.CLIENT_APP_ID.name(), loginInput.getAppId());

      /*
       * username is always included regardless of authenticator to identify
       * the user.
       */
      data.put(ClientAuthnParameter.LOGIN_NAME.name(), loginInput.getUserName());

      /*
       * only include password information in the request to GS if federated
       * authentication method is not specified.
       * When specified, this password information is really to be used to
       * authenticate with the IDP provider only, and GS should not have any
       * trace for this information.
       */
      if (authenticatorType == ClientAuthnDTO.AuthenticatorType.SNOWFLAKE) {
        data.put(ClientAuthnParameter.PASSWORD.name(), loginInput.getPassword());
      } else if (authenticatorType == ClientAuthnDTO.AuthenticatorType.EXTERNALBROWSER) {
        if (loginInput.getIdToken() != null) {
          data.put(ClientAuthnParameter.AUTHENTICATOR.name(), ID_TOKEN_AUTHENTICATOR);
          data.put(ClientAuthnParameter.TOKEN.name(), loginInput.getIdToken());
        } else {
          data.put(
              ClientAuthnParameter.AUTHENTICATOR.name(),
              ClientAuthnDTO.AuthenticatorType.EXTERNALBROWSER.name());
          data.put(ClientAuthnParameter.PROOF_KEY.name(), samlProofKey);
          data.put(ClientAuthnParameter.TOKEN.name(), tokenOrSamlResponse);
        }
      } else if (authenticatorType == ClientAuthnDTO.AuthenticatorType.OKTA) {
        data.put(ClientAuthnParameter.RAW_SAML_RESPONSE.name(), tokenOrSamlResponse);
      } else if (authenticatorType == ClientAuthnDTO.AuthenticatorType.OAUTH) {
        data.put(ClientAuthnParameter.AUTHENTICATOR.name(), authenticatorType.name());

        // Fix for HikariCP refresh token issue:SNOW-533673.
        // If token value is not set but password field is set then
        // the driver treats password as token.
        if (loginInput.getToken() != null) {
          data.put(ClientAuthnParameter.TOKEN.name(), loginInput.getToken());
        } else {
          data.put(ClientAuthnParameter.TOKEN.name(), loginInput.getPassword());
        }

      } else if (authenticatorType == ClientAuthnDTO.AuthenticatorType.SNOWFLAKE_JWT) {
        data.put(ClientAuthnParameter.AUTHENTICATOR.name(), authenticatorType.name());
        data.put(ClientAuthnParameter.TOKEN.name(), loginInput.getToken());
      } else if (authenticatorType == ClientAuthnDTO.AuthenticatorType.USERNAME_PASSWORD_MFA) {
        // No authenticator name should be added here, since this will be treated as snowflake
        // default authenticator by backend
        data.put(ClientAuthnParameter.PASSWORD.name(), loginInput.getPassword());
        if (loginInput.getMfaToken() != null) {
          data.put(ClientAuthnParameter.TOKEN.name(), loginInput.getMfaToken());
        }
      }

      // map of client environment parameters, including connection parameters
      // and environment properties like OS version, etc.
      Map clientEnv = new HashMap<>();

      clientEnv.put("OS", systemGetProperty("os.name"));
      clientEnv.put("OS_VERSION", systemGetProperty("os.version"));
      clientEnv.put("JAVA_VERSION", systemGetProperty("java.version"));
      clientEnv.put("JAVA_RUNTIME", systemGetProperty("java.runtime.name"));
      clientEnv.put("JAVA_VM", systemGetProperty("java.vm.name"));
      clientEnv.put("OCSP_MODE", loginInput.getOCSPMode().name());

      if (loginInput.getApplication() != null) {
        clientEnv.put("APPLICATION", loginInput.getApplication());
      } else {
        // When you add new client environment info, please add new keys to
        // messages_en_US.src.json so that they can be displayed properly in UI
        // detect app name
        String appName = systemGetProperty("sun.java.command");
        // remove the arguments
        if (appName != null) {
          if (appName.indexOf(" ") > 0) {
            appName = appName.substring(0, appName.indexOf(" "));
          }

          clientEnv.put("APPLICATION", appName);
        }
      }

      // SNOW-20103: track additional client info in session
      String clientInfoJSONStr;
      if (connectionPropertiesMap.containsKey(SFSessionProperty.CLIENT_INFO)) {
        clientInfoJSONStr = (String) connectionPropertiesMap.get(SFSessionProperty.CLIENT_INFO);
      }
      // if connection property is not set, check session property
      else {
        clientInfoJSONStr = systemGetProperty("snowflake.client.info");
      }
      if (clientInfoJSONStr != null) {
        JsonNode clientInfoJSON = null;

        try {
          clientInfoJSON = mapper.readTree(clientInfoJSONStr);
        } catch (Throwable ex) {
          logger.debug(
              "failed to process snowflake.client.info property as JSON: {}",
              clientInfoJSONStr,
              ex);
        }

        if (clientInfoJSON != null) {
          Iterator> fields = clientInfoJSON.fields();
          while (fields.hasNext()) {
            Map.Entry field = fields.next();
            clientEnv.put(field.getKey(), field.getValue().asText());
          }
        }
      }
      /*
       Add all connection parameters and their values that have been set for this
       * current session into clientEnv. These are the params set via the Properties map or in the
       * connection string. Includes username, password, serverUrl, timeout values, etc
      */

      for (Map.Entry entry : connectionPropertiesMap.entrySet()) {
        // exclude client parameters already covered by other runtime parameters that have been
        // added to clientEnv
        if (entry.getKey().equals(SFSessionProperty.APP_ID)
            || entry.getKey().equals(SFSessionProperty.APP_VERSION)) {
          continue;
        }
        String propKey = entry.getKey().getPropertyKey();
        // mask sensitive values like passwords, tokens, etc
        String propVal = SecretDetector.maskParameterValue(propKey, entry.getValue().toString());
        clientEnv.put(propKey, propVal);
      }
      // if map does not contain the tracing property, the default is set. Add
      // this default value to the map.
      if (!connectionPropertiesMap.containsKey(SFSessionProperty.TRACING)) {
        clientEnv.put(SFSessionProperty.TRACING.getPropertyKey(), tracingLevel);
      }

      clientEnv.put("JDBC_JAR_NAME", SnowflakeDriver.getJdbcJarname());

      data.put(ClientAuthnParameter.CLIENT_ENVIRONMENT.name(), clientEnv);

      // Initialize the session parameters
      Map sessionParameter = loginInput.getSessionParameters();
      if (loginInput.isValidateDefaultParameters()) {
        sessionParameter.put(CLIENT_VALIDATE_DEFAULT_PARAMETERS, true);
      }

      if (sessionParameter != null) {
        data.put(ClientAuthnParameter.SESSION_PARAMETERS.name(), loginInput.getSessionParameters());
      }

      if (loginInput.getAccountName() != null) {
        data.put(ClientAuthnParameter.ACCOUNT_NAME.name(), loginInput.getAccountName());
      }

      // Second Factor Authentication
      if (loginInput.isPasscodeInPassword()) {
        data.put(ClientAuthnParameter.EXT_AUTHN_DUO_METHOD.name(), "passcode");
      } else if (loginInput.getPasscode() != null) {
        data.put(ClientAuthnParameter.EXT_AUTHN_DUO_METHOD.name(), "passcode");
        data.put(ClientAuthnParameter.PASSCODE.name(), loginInput.getPasscode());
      } else {
        data.put(ClientAuthnParameter.EXT_AUTHN_DUO_METHOD.name(), "push");
      }

      data.put(ClientAuthnParameter.CLIENT_APP_VERSION.name(), loginInput.getAppVersion());

      authnData.setData(data);
      String json = mapper.writeValueAsString(authnData);

      postRequest = new HttpPost(loginURI);

      // Add custom headers before adding common headers
      HttpUtil.applyAdditionalHeadersForSnowsight(
          postRequest, loginInput.getAdditionalHttpHeadersForSnowsight());

      // Add headers for driver name and version
      postRequest.addHeader(SF_HEADER_CLIENT_APP_ID, loginInput.getAppId());
      postRequest.addHeader(SF_HEADER_CLIENT_APP_VERSION, loginInput.getAppVersion());

      // attach the login info json body to the post request
      StringEntity input = new StringEntity(json, StandardCharsets.UTF_8);
      input.setContentType("application/json");
      postRequest.setEntity(input);

      postRequest.addHeader("accept", "application/json");
      postRequest.addHeader("Accept-Encoding", "");

      /*
       * HttpClient should take authorization header from char[] instead of
       * String.
       */
      postRequest.setHeader(SFSession.SF_HEADER_AUTHORIZATION, SF_HEADER_BASIC_AUTHTYPE);

      setServiceNameHeader(loginInput, postRequest);

      String theString = null;

      int leftRetryTimeout = loginInput.getLoginTimeout();
      int leftsocketTimeout = loginInput.getSocketTimeoutInMillis();
      int retryCount = 0;

      Exception lastRestException = null;

      while (true) {
        try {
          theString =
              HttpUtil.executeGeneralRequest(
                  postRequest,
                  leftRetryTimeout,
                  loginInput.getAuthTimeout(),
                  leftsocketTimeout,
                  retryCount,
                  loginInput.getHttpClientSettingsKey());
        } catch (SnowflakeSQLException ex) {
          lastRestException = ex;
          if (ex.getErrorCode() == ErrorCode.AUTHENTICATOR_REQUEST_TIMEOUT.getMessageCode()) {
            if (authenticatorType == ClientAuthnDTO.AuthenticatorType.SNOWFLAKE_JWT
                || authenticatorType == ClientAuthnDTO.AuthenticatorType.OKTA) {

              if (authenticatorType == ClientAuthnDTO.AuthenticatorType.SNOWFLAKE_JWT) {
                SessionUtilKeyPair s =
                    new SessionUtilKeyPair(
                        loginInput.getPrivateKey(),
                        loginInput.getPrivateKeyFile(),
                        loginInput.getPrivateKeyBase64(),
                        loginInput.getPrivateKeyPwd(),
                        loginInput.getAccountName(),
                        loginInput.getUserName());

                data.put(ClientAuthnParameter.TOKEN.name(), s.issueJwtToken());
              } else if (authenticatorType == ClientAuthnDTO.AuthenticatorType.OKTA) {
                logger.debug("Retrieve new token for Okta authentication.");
                // If we need to retry, we need to get a new Okta token
                tokenOrSamlResponse = getSamlResponseUsingOkta(loginInput);
                data.put(ClientAuthnParameter.RAW_SAML_RESPONSE.name(), tokenOrSamlResponse);
                authnData.setData(data);
                String updatedJson = mapper.writeValueAsString(authnData);

                StringEntity updatedInput = new StringEntity(updatedJson, StandardCharsets.UTF_8);
                updatedInput.setContentType("application/json");
                postRequest.setEntity(updatedInput);
              }

              long elapsedSeconds = ex.getElapsedSeconds();

              if (loginInput.getLoginTimeout() > 0) {
                if (leftRetryTimeout > elapsedSeconds) {
                  leftRetryTimeout -= elapsedSeconds;
                } else {
                  leftRetryTimeout = 1;
                }
              }

              // In RestRequest.execute(), socket timeout is replaced with auth timeout
              // so we can renew the request within auth timeout.
              // auth timeout within socket timeout is thrown without backoff,
              // and we need to update time remained in socket timeout here to control the
              // the actual socket timeout from customer setting.
              if (loginInput.getSocketTimeoutInMillis() > 0) {
                if (ex.issocketTimeoutNoBackoff()) {
                  if (leftsocketTimeout > elapsedSeconds) {
                    leftsocketTimeout -= elapsedSeconds;
                  } else {
                    leftsocketTimeout = 1;
                  }
                } else {
                  // reset curl timeout for retry with backoff.
                  leftsocketTimeout = loginInput.getSocketTimeoutInMillis();
                }
              }

              // JWT or Okta renew should not count as a retry, so we pass back the current retry
              // count.
              retryCount = ex.getRetryCount();

              continue;
            }
          } else {
            throw ex;
          }
        } catch (Exception ex) {
          lastRestException = ex;
        }
        break;
      }

      if (theString == null) {
        if (lastRestException != null) {
          logger.error(
              "Failed to open new session for user: {}, host: {}. Error: {}",
              loginInput.getUserName(),
              loginInput.getHostFromServerUrl(),
              lastRestException);
          throw lastRestException;
        } else {
          SnowflakeSQLException exception =
              new SnowflakeSQLException(
                  NO_QUERY_ID,
                  "empty authentication response",
                  SqlState.CONNECTION_EXCEPTION,
                  ErrorCode.CONNECTION_ERROR.getMessageCode());
          logger.error(
              "Failed to open new session for user: {}, host: {}. Error: {}",
              loginInput.getUserName(),
              loginInput.getHostFromServerUrl(),
              exception);
          throw exception;
        }
      }

      // general method, same as with data binding
      JsonNode jsonNode = mapper.readTree(theString);

      // check the success field first
      if (!jsonNode.path("success").asBoolean()) {
        logger.debug("Response: {}", theString);

        int errorCode = jsonNode.path("code").asInt();
        if (errorCode == Constants.ID_TOKEN_INVALID_LOGIN_REQUEST_GS_CODE) {
          // clean id_token first
          loginInput.setIdToken(null);
          deleteIdTokenCache(loginInput.getHostFromServerUrl(), loginInput.getUserName());

          logger.debug(
              "ID Token Expired / Not Applicable. Reauthenticating without ID Token...: {}",
              errorCode);
          SnowflakeUtil.checkErrorAndThrowExceptionIncludingReauth(jsonNode);
        }

        if (authenticatorType == ClientAuthnDTO.AuthenticatorType.USERNAME_PASSWORD_MFA) {
          deleteMfaTokenCache(loginInput.getHostFromServerUrl(), loginInput.getUserName());
        }

        String errorMessage = jsonNode.path("message").asText();

        logger.error(
            "Failed to open new session for user: {}, host: {}. Error: {}",
            loginInput.getUserName(),
            loginInput.getHostFromServerUrl(),
            errorMessage);
        throw new SnowflakeSQLException(
            NO_QUERY_ID,
            errorMessage,
            SqlState.SQLCLIENT_UNABLE_TO_ESTABLISH_SQLCONNECTION,
            errorCode);
      }

      // session token is in the data field of the returned json response
      sessionToken = jsonNode.path("data").path("token").asText();
      masterToken = jsonNode.path("data").path("masterToken").asText();
      idToken = nullStringAsEmptyString(jsonNode.path("data").path("idToken").asText());
      mfaToken = nullStringAsEmptyString(jsonNode.path("data").path("mfaToken").asText());
      masterTokenValidityInSeconds = jsonNode.path("data").path("masterValidityInSeconds").asLong();
      String serverVersion = jsonNode.path("data").path("serverVersion").asText();
      sessionId = jsonNode.path("data").path("sessionId").asText();

      JsonNode dbNode = jsonNode.path("data").path("sessionInfo").path("databaseName");
      sessionDatabase = dbNode.isNull() ? null : dbNode.asText();
      JsonNode schemaNode = jsonNode.path("data").path("sessionInfo").path("schemaName");
      sessionSchema = schemaNode.isNull() ? null : schemaNode.asText();
      JsonNode roleNode = jsonNode.path("data").path("sessionInfo").path("roleName");
      sessionRole = roleNode.isNull() ? null : roleNode.asText();
      JsonNode warehouseNode = jsonNode.path("data").path("sessionInfo").path("warehouseName");
      sessionWarehouse = warehouseNode.isNull() ? null : warehouseNode.asText();

      commonParams = SessionUtil.getCommonParams(jsonNode.path("data").path("parameters"));

      if (serverVersion != null) {
        logger.debug("Server version: {}", serverVersion);

        if (serverVersion.indexOf(" ") > 0) {
          databaseVersion = serverVersion.substring(0, serverVersion.indexOf(" "));
        } else {
          databaseVersion = serverVersion;
        }
      } else {
        logger.debug("Server version is null", false);
      }

      if (databaseVersion != null) {
        String[] components = databaseVersion.split("\\.");
        if (components.length >= 2) {
          try {
            databaseMajorVersion = Integer.parseInt(components[0]);
            databaseMinorVersion = Integer.parseInt(components[1]);
          } catch (Exception ex) {
            logger.error(
                "Exception encountered when parsing server " + "version: {} Exception: {}",
                databaseVersion,
                ex.getMessage());
          }
        }
      } else {
        logger.debug("database version is null", false);
      }

      if (!jsonNode.path("data").path("newClientForUpgrade").isNull()) {
        newClientForUpgrade = jsonNode.path("data").path("newClientForUpgrade").asText();

        logger.debug("New client: {}", newClientForUpgrade);
      }

      // get health check interval and adjust network timeouts if different
      int healthCheckIntervalFromGS = jsonNode.path("data").path("healthCheckInterval").asInt();

      logger.debug("Health check interval: {}", healthCheckIntervalFromGS);

      if (healthCheckIntervalFromGS > 0 && healthCheckIntervalFromGS != healthCheckInterval) {
        // add health check interval to socket timeout
        httpClientSocketTimeout =
            loginInput.getSocketTimeoutInMillis() + (healthCheckIntervalFromGS * 1000);

        final RequestConfig requestConfig =
            RequestConfig.copy(HttpUtil.getRequestConfigWithoutCookies())
                .setConnectTimeout(httpClientConnectionTimeout)
                .setSocketTimeout(httpClientSocketTimeout)
                .build();

        HttpUtil.setRequestConfig(requestConfig);

        logger.debug("Adjusted connection timeout to: {}", httpClientConnectionTimeout);

        logger.debug("Adjusted socket timeout to: {}", httpClientSocketTimeout);
      }
    } catch (SnowflakeSQLException ex) {
      throw ex; // must catch here to avoid Throwable to get the exception
    } catch (IOException ex) {
      logger.error("IOException when creating session: " + postRequest, ex);

      throw new SnowflakeSQLException(
          ex,
          SqlState.IO_ERROR,
          ErrorCode.NETWORK_ERROR.getMessageCode(),
          "Exception encountered when opening connection: " + ex.getMessage());
    } catch (Throwable ex) {
      logger.error("Exception when creating session: " + postRequest, ex);

      throw new SnowflakeSQLException(
          ex,
          SqlState.SQLCLIENT_UNABLE_TO_ESTABLISH_SQLCONNECTION,
          ErrorCode.CONNECTION_ERROR.getMessageCode(),
          ErrorCode.CONNECTION_ERROR.getMessageCode(),
          ex.getMessage());
    }

    SFLoginOutput ret =
        new SFLoginOutput(
            sessionToken,
            masterToken,
            masterTokenValidityInSeconds,
            idToken,
            mfaToken,
            databaseVersion,
            databaseMajorVersion,
            databaseMinorVersion,
            httpClientSocketTimeout,
            httpClientConnectionTimeout,
            sessionDatabase,
            sessionSchema,
            sessionRole,
            sessionWarehouse,
            sessionId,
            commonParams);

    if (consentCacheIdToken
        && asBoolean(loginInput.getSessionParameters().get(CLIENT_STORE_TEMPORARY_CREDENTIAL))) {
      CredentialManager.getInstance().writeIdToken(loginInput, ret);
    }

    if (asBoolean(loginInput.getSessionParameters().get(CLIENT_REQUEST_MFA_TOKEN))) {
      CredentialManager.getInstance().writeMfaToken(loginInput, ret);
    }

    stopwatch.stop();
    logger.debug(
        "User: {}, host: {} with authentication method: {} authenticated successfully in {} ms",
        loginInput.getUserName(),
        loginInput.getHostFromServerUrl(),
        authenticatorType,
        stopwatch.elapsedMillis());
    return ret;
  }

  private static void setServiceNameHeader(SFLoginInput loginInput, HttpPost postRequest) {
    if (!Strings.isNullOrEmpty(loginInput.getServiceName())) {
      // service name is used to route a request to appropriate cluster.
      postRequest.setHeader(SF_HEADER_SERVICE_NAME, loginInput.getServiceName());
    }
  }

  private static String nullStringAsEmptyString(String value) {
    if (Strings.isNullOrEmpty(value) || "null".equals(value)) {
      return "";
    }
    return value;
  }

  /** Delete the id token cache */
  public static void deleteIdTokenCache(String host, String user) {
    CredentialManager.getInstance().deleteIdTokenCache(host, user);
  }

  public static void deleteMfaTokenCache(String host, String user) {
    CredentialManager.getInstance().deleteMfaTokenCache(host, user);
  }

  /**
   * Renew a session.
   *
   * 

Use cases: - Session and Master tokens are provided. No Id token: - succeed in getting a new * Session token. - fail and raise SnowflakeReauthenticationRequest because Master token expires. * Since no id token exists, the exception is thrown to the upstream. - Session and Id tokens are * provided. No Master token: - fail and raise SnowflakeReauthenticationRequest and issue a new * Session token - fail and raise SnowflakeReauthenticationRequest and fail to issue a new Session * token as the * * @param loginInput login information * @return login output * @throws SFException if unexpected uri information * @throws SnowflakeSQLException if failed to renew the session */ static SFLoginOutput renewSession(SFLoginInput loginInput) throws SFException, SnowflakeSQLException { return tokenRequest(loginInput, TokenRequestType.RENEW); } private static SFLoginOutput tokenRequest(SFLoginInput loginInput, TokenRequestType requestType) throws SFException, SnowflakeSQLException { AssertUtil.assertTrue(loginInput.getServerUrl() != null, "missing server URL for tokenRequest"); AssertUtil.assertTrue( loginInput.getMasterToken() != null, "missing master token for tokenRequest"); AssertUtil.assertTrue( loginInput.getSessionToken() != null, "missing session token for tokenRequest"); AssertUtil.assertTrue( loginInput.getLoginTimeout() >= 0, "negative login timeout for tokenRequest"); // build URL for login request URIBuilder uriBuilder; HttpPost postRequest; String sessionToken; String masterToken; try { uriBuilder = new URIBuilder(loginInput.getServerUrl()); uriBuilder.setPath(SF_PATH_TOKEN_REQUEST); uriBuilder.addParameter(SFSession.SF_QUERY_REQUEST_ID, UUIDUtils.getUUID().toString()); postRequest = new HttpPost(uriBuilder.build()); // Add headers for driver name and version postRequest.addHeader(SF_HEADER_CLIENT_APP_ID, loginInput.getAppId()); postRequest.addHeader(SF_HEADER_CLIENT_APP_VERSION, loginInput.getAppVersion()); // Add custom headers before adding common headers HttpUtil.applyAdditionalHeadersForSnowsight( postRequest, loginInput.getAdditionalHttpHeadersForSnowsight()); } catch (URISyntaxException ex) { logger.error("Exception when creating http request", ex); throw new SFException(ex, ErrorCode.INTERNAL_ERROR, "unexpected URI syntax exception:3"); } try { // input json with old session token and request type, notice the // session token needs to be quoted. Map payload = new HashMap<>(); String headerToken = loginInput.getMasterToken(); payload.put("oldSessionToken", loginInput.getSessionToken()); payload.put("requestType", requestType.value); String json = mapper.writeValueAsString(payload); // attach the login info json body to the post request StringEntity input = new StringEntity(json, StandardCharsets.UTF_8); input.setContentType("application/json"); postRequest.setEntity(input); postRequest.addHeader("accept", "application/json"); postRequest.setHeader( SFSession.SF_HEADER_AUTHORIZATION, SFSession.SF_HEADER_SNOWFLAKE_AUTHTYPE + " " + SFSession.SF_HEADER_TOKEN_TAG + "=\"" + headerToken + "\""); setServiceNameHeader(loginInput, postRequest); logger.debug( "Request type: {}, old session token: {}, " + "master token: {}", requestType.value, (ArgSupplier) () -> loginInput.getSessionToken() != null ? "******" : null, (ArgSupplier) () -> loginInput.getMasterToken() != null ? "******" : null); String theString = HttpUtil.executeGeneralRequest( postRequest, loginInput.getLoginTimeout(), loginInput.getAuthTimeout(), loginInput.getSocketTimeoutInMillis(), 0, loginInput.getHttpClientSettingsKey()); // general method, same as with data binding JsonNode jsonNode = mapper.readTree(theString); // check the success field first if (!jsonNode.path("success").asBoolean()) { logger.debug("Response: {}", theString); String errorCode = jsonNode.path("code").asText(); String message = jsonNode.path("message").asText(); EventUtil.triggerBasicEvent( Event.EventType.NETWORK_ERROR, "SessionUtil:renewSession failure, error code=" + errorCode + ", message=" + message, true); SnowflakeUtil.checkErrorAndThrowExceptionIncludingReauth(jsonNode); } // session token is in the data field of the returned json response sessionToken = jsonNode.path("data").path("sessionToken").asText(); masterToken = jsonNode.path("data").path("masterToken").asText(); } catch (IOException ex) { logger.error("IOException when renewing session: " + postRequest, ex); // Any EventType.NETWORK_ERRORs should have been triggered before // exception was thrown. throw new SFException(ex, ErrorCode.NETWORK_ERROR, ex.getMessage()); } SFLoginOutput loginOutput = new SFLoginOutput(); loginOutput.setSessionToken(sessionToken).setMasterToken(masterToken); return loginOutput; } /** * Close a session * * @param loginInput login information * @throws SnowflakeSQLException if failed to close session * @throws SFException if failed to close session */ static void closeSession(SFLoginInput loginInput) throws SFException, SnowflakeSQLException { logger.trace("void close() throws SFException"); // assert the following inputs are valid AssertUtil.assertTrue( loginInput.getServerUrl() != null, "missing server URL for closing session"); AssertUtil.assertTrue( loginInput.getSessionToken() != null, "missing session token for closing session"); AssertUtil.assertTrue( loginInput.getLoginTimeout() >= 0, "missing login timeout for closing session"); HttpPost postRequest = null; try { URIBuilder uriBuilder; uriBuilder = new URIBuilder(loginInput.getServerUrl()); uriBuilder.addParameter(SF_QUERY_SESSION_DELETE, Boolean.TRUE.toString()); uriBuilder.addParameter(SFSession.SF_QUERY_REQUEST_ID, UUIDUtils.getUUID().toString()); uriBuilder.setPath(SF_PATH_SESSION); postRequest = new HttpPost(uriBuilder.build()); // Add custom headers before adding common headers HttpUtil.applyAdditionalHeadersForSnowsight( postRequest, loginInput.getAdditionalHttpHeadersForSnowsight()); postRequest.setHeader( SFSession.SF_HEADER_AUTHORIZATION, SFSession.SF_HEADER_SNOWFLAKE_AUTHTYPE + " " + SFSession.SF_HEADER_TOKEN_TAG + "=\"" + loginInput.getSessionToken() + "\""); setServiceNameHeader(loginInput, postRequest); String theString = HttpUtil.executeGeneralRequest( postRequest, loginInput.getLoginTimeout(), loginInput.getAuthTimeout(), loginInput.getSocketTimeoutInMillis(), 0, loginInput.getHttpClientSettingsKey()); JsonNode rootNode; logger.debug("Connection close response: {}", theString); rootNode = mapper.readTree(theString); SnowflakeUtil.checkErrorAndThrowException(rootNode); } catch (URISyntaxException ex) { throw new RuntimeException("Unexpected URI syntax exception", ex); } catch (IOException ex) { logger.error("Unexpected IO exception for: " + postRequest, ex); } catch (SnowflakeSQLException ex) { // ignore exceptions for session expiration exceptions and for // sessions that no longer exist if (ex.getErrorCode() != Constants.SESSION_EXPIRED_GS_CODE && ex.getErrorCode() != Constants.SESSION_GONE) { throw ex; } } } /** * Given access token, query IDP URL snowflake app to get SAML response We also need to perform * important client side validation: validate the post back url come back with the SAML response * contains the same prefix as the Snowflake's server url, which is the intended destination url * to Snowflake. Explanation: This emulates the behavior of IDP initiated login flow in the user * browser where the IDP instructs the browser to POST the SAML assertion to the specific SP * endpoint. This is critical in preventing a SAML assertion issued to one SP from being sent to * another SP. * * @param loginInput Login Info for the request * @param ssoUrl URL to use for SSO * @param oneTimeToken The token used for SSO * @return The response in HTML form * @throws SnowflakeSQLException Will be thrown if the destination URL in the SAML assertion does * not match */ private static String federatedFlowStep4( SFLoginInput loginInput, String ssoUrl, String oneTimeToken) throws SnowflakeSQLException { String responseHtml = ""; try { final URL url = new URL(ssoUrl); URI oktaGetUri = new URIBuilder() .setScheme(url.getProtocol()) .setHost(url.getHost()) .setPath(url.getPath()) .setParameter("RelayState", "%2Fsome%2Fdeep%2Flink") .setParameter("onetimetoken", oneTimeToken) .build(); HttpGet httpGet = new HttpGet(oktaGetUri); HeaderGroup headers = new HeaderGroup(); headers.addHeader(new BasicHeader(HttpHeaders.ACCEPT, "*/*")); httpGet.setHeaders(headers.getAllHeaders()); responseHtml = HttpUtil.executeGeneralRequest( httpGet, loginInput.getLoginTimeout(), loginInput.getAuthTimeout(), loginInput.getSocketTimeoutInMillis(), 0, loginInput.getHttpClientSettingsKey()); // step 5 validateSAML(responseHtml, loginInput); } catch (IOException | URISyntaxException ex) { handleFederatedFlowError(loginInput, ex); } return responseHtml; } private static void validateSAML(String responseHtml, SFLoginInput loginInput) throws SnowflakeSQLException, MalformedURLException { if (!loginInput.getDisableSamlURLCheck()) { String postBackUrl = getPostBackUrlFromHTML(responseHtml); if (!isPrefixEqual(postBackUrl, loginInput.getServerUrl())) { URL idpDestinationUrl = new URL(postBackUrl); URL clientDestinationUrl = new URL(loginInput.getServerUrl()); String idpDestinationHostName = idpDestinationUrl.getHost(); String clientDestinationHostName = clientDestinationUrl.getHost(); logger.error( "The Snowflake hostname specified in the client connection {} does not match " + "the destination hostname in the SAML response returned by the IdP: {}", clientDestinationHostName, idpDestinationHostName); // Session is in process of getting created, so exception constructor takes in null throw new SnowflakeSQLLoggedException( null, ErrorCode.IDP_INCORRECT_DESTINATION.getMessageCode(), SqlState.SQLCLIENT_UNABLE_TO_ESTABLISH_SQLCONNECTION); } } } /** * Query IDP token url to authenticate and retrieve access token * * @param loginInput The login info for the request * @param tokenUrl The URL used to retrieve the access token * @return Returns the one time token * @throws SnowflakeSQLException Will be thrown if the execute request fails */ private static String federatedFlowStep3(SFLoginInput loginInput, String tokenUrl) throws SnowflakeSQLException { String oneTimeToken = ""; try { URL url = new URL(tokenUrl); URI tokenUri = url.toURI(); final HttpPost postRequest = new HttpPost(tokenUri); String userName; if (Strings.isNullOrEmpty(loginInput.getOKTAUserName())) { userName = loginInput.getUserName(); } else { userName = loginInput.getOKTAUserName(); } StringEntity params = new StringEntity( "{\"username\":\"" + userName + "\",\"password\":\"" + loginInput.getPassword() + "\"}"); postRequest.setEntity(params); HeaderGroup headers = new HeaderGroup(); headers.addHeader(new BasicHeader(HttpHeaders.ACCEPT, "application/json")); headers.addHeader(new BasicHeader(HttpHeaders.CONTENT_TYPE, "application/json")); postRequest.setHeaders(headers.getAllHeaders()); final String idpResponse = HttpUtil.executeRequestWithoutCookies( postRequest, loginInput.getLoginTimeout(), loginInput.getAuthTimeout(), loginInput.getSocketTimeoutInMillis(), 0, 0, null, loginInput.getHttpClientSettingsKey()); logger.debug("User is authenticated against {}.", loginInput.getAuthenticator()); // session token is in the data field of the returned json response final JsonNode jsonNode = mapper.readTree(idpResponse); oneTimeToken = jsonNode.get("sessionToken") != null ? jsonNode.get("sessionToken").asText() : jsonNode.get("cookieToken").asText(); } catch (IOException | URISyntaxException ex) { handleFederatedFlowError(loginInput, ex); } return oneTimeToken; } /** * Perform important client side validation: validate both token url and sso url contains same * prefix (protocol + host + port) as the given authenticator url. Explanation: This provides a * way for the user to 'authenticate' the IDP it is sending his/her credentials to. Without such a * check, the user could be coerced to provide credentials to an IDP impersonator. * * @param loginInput The login info for the request * @param tokenUrl The token URL * @param ssoUrl The SSO URL * @throws SnowflakeSQLException Will be thrown if the prefix for the tokenUrl and ssoUrl do not * match */ private static void federatedFlowStep2(SFLoginInput loginInput, String tokenUrl, String ssoUrl) throws SnowflakeSQLException { try { if (!isPrefixEqual(loginInput.getAuthenticator(), tokenUrl) || !isPrefixEqual(loginInput.getAuthenticator(), ssoUrl)) { logger.debug( "The specified authenticator {} is not supported.", loginInput.getAuthenticator()); // Session is in process of getting created, so exception constructor takes in null session // value throw new SnowflakeSQLLoggedException( null, ErrorCode.IDP_CONNECTION_ERROR.getMessageCode(), SqlState.SQLCLIENT_UNABLE_TO_ESTABLISH_SQLCONNECTION /* session= */ ); } } catch (MalformedURLException ex) { handleFederatedFlowError(loginInput, ex); } } /** * Query Snowflake to obtain IDP token url and IDP SSO url * * @param loginInput The login info for the request * @throws SnowflakeSQLException Will be thrown if the execute request step fails */ private static JsonNode federatedFlowStep1(SFLoginInput loginInput) throws SnowflakeSQLException { JsonNode dataNode = null; try { URIBuilder fedUriBuilder = new URIBuilder(loginInput.getServerUrl()); fedUriBuilder.setPath(SF_PATH_AUTHENTICATOR_REQUEST); URI fedUrlUri = fedUriBuilder.build(); Map data = new HashMap<>(); data.put(ClientAuthnParameter.ACCOUNT_NAME.name(), loginInput.getAccountName()); data.put(ClientAuthnParameter.AUTHENTICATOR.name(), loginInput.getAuthenticator()); data.put(ClientAuthnParameter.CLIENT_APP_ID.name(), loginInput.getAppId()); data.put(ClientAuthnParameter.CLIENT_APP_VERSION.name(), loginInput.getAppVersion()); ClientAuthnDTO authnData = new ClientAuthnDTO(); authnData.setData(data); String json = mapper.writeValueAsString(authnData); // attach the login info json body to the post request StringEntity input = new StringEntity(json, StandardCharsets.UTF_8); input.setContentType("application/json"); HttpPost postRequest = new HttpPost(fedUrlUri); postRequest.setEntity(input); postRequest.addHeader("accept", "application/json"); // Add headers for driver name and version postRequest.addHeader(SF_HEADER_CLIENT_APP_ID, loginInput.getAppId()); postRequest.addHeader(SF_HEADER_CLIENT_APP_VERSION, loginInput.getAppVersion()); final String gsResponse = HttpUtil.executeGeneralRequest( postRequest, loginInput.getLoginTimeout(), loginInput.getAuthTimeout(), loginInput.getSocketTimeoutInMillis(), 0, loginInput.getHttpClientSettingsKey()); logger.debug("Authenticator-request response: {}", gsResponse); JsonNode jsonNode = mapper.readTree(gsResponse); // check the success field first if (!jsonNode.path("success").asBoolean()) { logger.debug("Response: {}", gsResponse); int errorCode = jsonNode.path("code").asInt(); throw new SnowflakeSQLException( NO_QUERY_ID, jsonNode.path("message").asText(), SqlState.SQLCLIENT_UNABLE_TO_ESTABLISH_SQLCONNECTION, errorCode); } // session token is in the data field of the returned json response dataNode = jsonNode.path("data"); } catch (IOException | URISyntaxException ex) { handleFederatedFlowError(loginInput, ex); } return dataNode; } /** * Logs an error generated during the federated authentication flow and re-throws it as a * SnowflakeSQLException. Note that we separate IOExceptions since those tend to be network * related. * * @param loginInput The login info from the request * @param ex The exception to process * @throws SnowflakeSQLException Will be thrown for all calls to this method */ private static void handleFederatedFlowError(SFLoginInput loginInput, Exception ex) throws SnowflakeSQLException { if (ex instanceof IOException) { logger.error("IOException when authenticating with " + loginInput.getAuthenticator(), ex); throw new SnowflakeSQLException( ex, SqlState.IO_ERROR, ErrorCode.NETWORK_ERROR.getMessageCode(), "Exception encountered when opening connection: " + ex.getMessage()); } logger.error("Exception when authenticating with " + loginInput.getAuthenticator(), ex); throw new SnowflakeSQLException( ex, SqlState.SQLCLIENT_UNABLE_TO_ESTABLISH_SQLCONNECTION, ErrorCode.CONNECTION_ERROR.getMessageCode(), ErrorCode.CONNECTION_ERROR.getMessageCode(), ex.getMessage()); } /** * FEDERATED FLOW See SNOW-27798 for additional details. * * @param loginInput The login info from the request * @return saml response * @throws SnowflakeSQLException Will be thrown if any of the federated steps fail */ private static String getSamlResponseUsingOkta(SFLoginInput loginInput) throws SnowflakeSQLException { while (true) { try { JsonNode dataNode = federatedFlowStep1(loginInput); String tokenUrl = dataNode.path("tokenUrl").asText(); String ssoUrl = dataNode.path("ssoUrl").asText(); federatedFlowStep2(loginInput, tokenUrl, ssoUrl); final String oneTimeToken = federatedFlowStep3(loginInput, tokenUrl); return federatedFlowStep4(loginInput, ssoUrl, oneTimeToken); } catch (SnowflakeSQLException ex) { // This error gets thrown if the okta request encountered a retry-able error that // requires getting a new one-time token. if (ex.getErrorCode() == ErrorCode.AUTHENTICATOR_REQUEST_TIMEOUT.getMessageCode()) { logger.debug("Failed to get Okta SAML response. Retrying without changing retry count."); } else { throw ex; } } } } /** * Verify if two input urls have the same protocol, host, and port. * * @param aUrlStr a source URL string * @param bUrlStr a target URL string * @return true if matched otherwise false * @throws MalformedURLException raises if a URL string is not valid. */ static boolean isPrefixEqual(String aUrlStr, String bUrlStr) throws MalformedURLException { URL aUrl = new URL(aUrlStr); URL bUrl = new URL(bUrlStr); int aPort = aUrl.getPort(); int bPort = bUrl.getPort(); if (aPort == -1 && "https".equals(aUrl.getProtocol())) { // default port number for HTTPS aPort = 443; } if (bPort == -1 && "https".equals(bUrl.getProtocol())) { // default port number for HTTPS bPort = 443; } // no default port number for HTTP is supported. return aUrl.getHost().equalsIgnoreCase(bUrl.getHost()) && aUrl.getProtocol().equalsIgnoreCase(bUrl.getProtocol()) && aPort == bPort; } /** * Extracts post back url from the HTML returned by the IDP * * @param html The HTML that we are parsing to find the post back url * @return The post back url */ private static String getPostBackUrlFromHTML(String html) { Document doc = Jsoup.parse(html); Elements e1 = doc.getElementsByTag("body"); Elements e2 = e1.get(0).getElementsByTag("form"); return e2.first().attr("action"); } /** * Helper function to parse a JsonNode from a GS response containing CommonParameters, emitting an * EnumMap of parameters * * @param paramsNode parameters in JSON form * @return map object including key and value pairs */ public static Map getCommonParams(JsonNode paramsNode) { Map parameters = new HashMap<>(); for (JsonNode child : paramsNode) { // If there isn't a name then the response from GS must be erroneous. if (!child.hasNonNull("name")) { logger.error("Common Parameter JsonNode encountered with " + "no parameter name!", false); continue; } // Look up the parameter based on the "name" attribute of the node. String paramName = child.path("name").asText(); // What type of value is it and what's the value? if (!child.hasNonNull("value")) { logger.debug("No value found for Common Parameter: {}", child.path("name").asText()); continue; } if (STRING_PARAMS.contains(paramName.toUpperCase())) { parameters.put(paramName, child.path("value").asText()); } else if (INT_PARAMS.contains(paramName.toUpperCase())) { parameters.put(paramName, child.path("value").asInt()); } else if (BOOLEAN_PARAMS.contains(paramName.toUpperCase())) { parameters.put(paramName, child.path("value").asBoolean()); } else { try { // Value should only be boolean, int or string so we don't expect exceptions here. parameters.put(paramName, mapper.treeToValue(child.path("value"), Object.class)); } catch (Exception e) { logger.debug( "Unknown Common Parameter Failed to Parse: {} -> {}. Exception: {}", paramName, child.path("value"), e.getMessage()); } logger.debug("Unknown Common Parameter: {}", paramName); } logger.debug("Parameter {}: {}", paramName, child.path("value").asText()); } return parameters; } static void updateSfDriverParamValues(Map parameters, SFBaseSession session) { if (parameters != null && !parameters.isEmpty()) { session.setCommonParameters(parameters); } for (Map.Entry entry : parameters.entrySet()) { logger.debug("Processing parameter {}", entry.getKey()); if ("CLIENT_DISABLE_INCIDENTS".equalsIgnoreCase(entry.getKey())) { SnowflakeDriver.setDisableIncidents((Boolean) entry.getValue()); } else if ("CLIENT_SESSION_KEEP_ALIVE".equalsIgnoreCase(entry.getKey())) { if (session != null) { session.setEnableHeartbeat((Boolean) entry.getValue()); } } else if (CLIENT_SESSION_KEEP_ALIVE_HEARTBEAT_FREQUENCY.equalsIgnoreCase(entry.getKey())) { if (session != null) { session.setHeartbeatFrequency((int) entry.getValue()); } } else if ("CLIENT_ENABLE_LOG_INFO_STATEMENT_PARAMETERS".equalsIgnoreCase(entry.getKey())) { boolean enableLogging = (Boolean) entry.getValue(); if (session != null && session.getPreparedStatementLogging() != enableLogging) { session.setPreparedStatementLogging(enableLogging); } } else if ("AUTOCOMMIT".equalsIgnoreCase(entry.getKey())) { boolean autoCommit = (Boolean) entry.getValue(); if (session != null && session.getAutoCommit() != autoCommit) { session.setAutoCommit(autoCommit); } } else if (JDBC_RS_COLUMN_CASE_INSENSITIVE.equalsIgnoreCase(entry.getKey()) || CLIENT_RESULT_COLUMN_CASE_INSENSITIVE.equalsIgnoreCase(entry.getKey())) { if (session != null && !session.isResultColumnCaseInsensitive()) { session.setResultColumnCaseInsensitive((boolean) entry.getValue()); } } else if (CLIENT_METADATA_REQUEST_USE_CONNECTION_CTX.equalsIgnoreCase(entry.getKey())) { if (session != null) { session.setMetadataRequestUseConnectionCtx((boolean) entry.getValue()); } } else if (CLIENT_METADATA_USE_SESSION_DATABASE.equalsIgnoreCase(entry.getKey())) { if (session != null) { session.setMetadataRequestUseSessionDatabase((boolean) entry.getValue()); } } else if (JDBC_TREAT_TIMESTAMP_NTZ_AS_UTC.equalsIgnoreCase(entry.getKey())) { if (session != null) { session.setTreatNTZAsUTC((boolean) entry.getValue()); } } else if (JDBC_FORMAT_DATE_WITH_TIMEZONE.equalsIgnoreCase(entry.getKey())) { if (session != null) { session.setFormatDateWithTimezone((boolean) entry.getValue()); } } else if (JDBC_USE_SESSION_TIMEZONE.equalsIgnoreCase(entry.getKey())) { if (session != null) { session.setUseSessionTimezone((boolean) entry.getValue()); } } else if ("CLIENT_TIMESTAMP_TYPE_MAPPING".equalsIgnoreCase(entry.getKey())) { if (session != null) { session.setTimestampMappedType( SnowflakeType.valueOf(((String) entry.getValue()).toUpperCase())); } } else if ("JDBC_TREAT_DECIMAL_AS_INT".equalsIgnoreCase(entry.getKey())) { if (session != null) { session.setJdbcTreatDecimalAsInt((boolean) entry.getValue()); } } else if ("JDBC_ENABLE_COMBINED_DESCRIBE".equalsIgnoreCase(entry.getKey())) { if (session != null) { session.setEnableCombineDescribe((boolean) entry.getValue()); } } else if (CLIENT_IN_BAND_TELEMETRY_ENABLED.equalsIgnoreCase(entry.getKey())) { if (session != null) { session.setClientTelemetryEnabled((boolean) entry.getValue()); } } else if ("CLIENT_STAGE_ARRAY_BINDING_THRESHOLD".equalsIgnoreCase(entry.getKey())) { if (session != null) { session.setArrayBindStageThreshold((int) entry.getValue()); } } else if (CLIENT_STORE_TEMPORARY_CREDENTIAL.equalsIgnoreCase(entry.getKey())) { if (session != null) { session.setStoreTemporaryCredential((boolean) entry.getValue()); } } else if (SERVICE_NAME.equalsIgnoreCase(entry.getKey())) { if (session != null) { session.setServiceName((String) entry.getValue()); } } else if (CLIENT_ENABLE_CONSERVATIVE_MEMORY_USAGE.equalsIgnoreCase(entry.getKey())) { if (session != null) { session.setEnableConservativeMemoryUsage((boolean) entry.getValue()); } } else if (CLIENT_CONSERVATIVE_MEMORY_ADJUST_STEP.equalsIgnoreCase(entry.getKey())) { if (session != null) { session.setConservativeMemoryAdjustStep((int) entry.getValue()); } } else if (CLIENT_MEMORY_LIMIT.equalsIgnoreCase(entry.getKey())) { if (session != null) { session.setClientMemoryLimit((int) entry.getValue()); } } else if (CLIENT_RESULT_CHUNK_SIZE.equalsIgnoreCase(entry.getKey())) { if (session != null) { session.setClientResultChunkSize((int) entry.getValue()); } } else if (CLIENT_PREFETCH_THREADS.equalsIgnoreCase(entry.getKey())) { if (session != null) { session.setClientPrefetchThreads((int) entry.getValue()); } } else if (CLIENT_OUT_OF_BAND_TELEMETRY_ENABLED.equalsIgnoreCase(entry.getKey())) { // we ignore the parameter CLIENT_OUT_OF_BAND_TELEMETRY_ENABLED // OOB telemetry is always disabled TelemetryService.disableOOBTelemetry(); } else if (CLIENT_VALIDATE_DEFAULT_PARAMETERS.equalsIgnoreCase(entry.getKey())) { if (session != null) { session.setValidateDefaultParameters(SFLoginInput.getBooleanValue(entry.getValue())); } } else if (ENABLE_STAGE_S3_PRIVATELINK_FOR_US_EAST_1.equalsIgnoreCase((entry.getKey()))) { if (session != null) { session.setUseRegionalS3EndpointsForPresignedURL( SFLoginInput.getBooleanValue(entry.getValue())); } } else if (QUERY_CONTEXT_CACHE_SIZE.equalsIgnoreCase(entry.getKey())) { if (session != null) { session.setQueryContextCacheSize((int) entry.getValue()); } } else if (JDBC_ENABLE_PUT_GET.equalsIgnoreCase(entry.getKey())) { if (session != null) { session.setJdbcEnablePutGet(SFLoginInput.getBooleanValue(entry.getValue())); } } else { if (session != null) { session.setOtherParameter(entry.getKey(), entry.getValue()); } } } } enum TokenRequestType { RENEW("RENEW"), CLONE("CLONE"), ISSUE("ISSUE"); private String value; TokenRequestType(String value) { this.value = value; } } /** * Reset OCSP cache server if the snowflake server URL is for private link. If the URL is not for * private link, do nothing. * * @param serverUrl The Snowflake URL includes protocol such as "https://" */ public static void resetOCSPUrlIfNecessary(String serverUrl) throws IOException { if (PrivateLinkDetector.isPrivateLink(serverUrl)) { // Privatelink uses special OCSP Cache server URL url = new URL(serverUrl); String host = url.getHost(); logger.debug("HOST: {}", host); String ocspCacheServerUrl = String.format("http://ocsp.%s/%s", host, SFTrustManager.CACHE_FILE_NAME); logger.debug("OCSP Cache Server for Privatelink: {}", ocspCacheServerUrl); resetOCSPResponseCacherServerURL(ocspCacheServerUrl); } } /** * Helper function to generate a JWT token * * @param privateKey private key * @param privateKeyFile path to private key file * @param privateKeyBase64 base64 encoded content of the private key file * @param privateKeyPwd password for private key file or base64 encoded private key * @param accountName account name * @param userName user name * @return JWT token * @throws SFException if Snowflake error occurs */ public static String generateJWTToken( PrivateKey privateKey, String privateKeyFile, String privateKeyBase64, String privateKeyPwd, String accountName, String userName) throws SFException { SessionUtilKeyPair s = new SessionUtilKeyPair( privateKey, privateKeyFile, privateKeyBase64, privateKeyPwd, accountName, userName); return s.issueJwtToken(); } /** * Helper function to generate a JWT token. Use {@link #generateJWTToken(PrivateKey, String, * String, String, String, String)} * * @param privateKey private key * @param privateKeyFile path to private key file * @param privateKeyFilePwd password for private key file * @param accountName account name * @param userName user name * @return JWT token * @throws SFException if Snowflake error occurs */ @Deprecated public static String generateJWTToken( PrivateKey privateKey, String privateKeyFile, String privateKeyFilePwd, String accountName, String userName) throws SFException { return generateJWTToken( privateKey, privateKeyFile, null, privateKeyFilePwd, accountName, userName); } /** * Helper method to check if the request path is a login/auth request to use for retry strategy. * * @param request the post request * @return true if this is a login/auth request, false otherwise */ public static boolean isNewRetryStrategyRequest(HttpRequestBase request) { URI requestURI = request.getURI(); String requestPath = requestURI.getPath(); if (requestPath != null) { if (requestPath.equals(SF_PATH_LOGIN_REQUEST) || requestPath.equals(SF_PATH_AUTHENTICATOR_REQUEST) || requestPath.equals(SF_PATH_TOKEN_REQUEST)) { return true; } } return false; } }





© 2015 - 2025 Weber Informatics LLC | Privacy Policy