[SNOW-1346233] Tests for authentication methods (external browser, oauth, okta, keypair)

Jenkinsfile

@@ -18,9 +18,26 @@ timestamps {
       string(name: 'parent_job', value: env.JOB_NAME),
       string(name: 'parent_build_number', value: env.BUILD_NUMBER)
     ]
-    stage('Test') {
-      build job: 'RT-LanguageGo-PC',parameters: params
-    }
+    parallel(
+      'Test': {
+        stage('Test') {
+          build job: 'RT-LanguageGo-PC', parameters: params
+        }
+      },
+      'Test Authentication': {
+        stage('Test Authentication') {
+          withCredentials([
+            string(credentialsId: 'a791118f-a1ea-46cd-b876-56da1b9bc71c', variable: 'NEXUS_PASSWORD'),
+            string(credentialsId: 'sfctest0-parameters-secret', variable: 'PARAMETERS_SECRET')
+          ]) {
+            sh '''\
+            |#!/bin/bash -e
+            |$WORKSPACE/ci/test_authentication.sh
+            '''.stripMargin()
+          }
+        }
+      }
+    )
   }
 }
 

auth_generic_test_methods_test.go

@@ -0,0 +1,60 @@
+package gosnowflake
+
+import (
+	"context"
+	"database/sql"
+	"log"
+)
+
+func getAuthTestConfigFromEnv() (*Config, error) {
+	return GetConfigFromEnv([]*ConfigParam{
+		{Name: "Account", EnvName: "SNOWFLAKE_TEST_ACCOUNT", FailOnMissing: true},
+		{Name: "User", EnvName: "SNOWFLAKE_AUTH_TEST_OKTA_USER", FailOnMissing: true},
+		{Name: "Password", EnvName: "SNOWFLAKE_AUTH_TEST_OKTA_PASS", FailOnMissing: true},
+		{Name: "Host", EnvName: "SNOWFLAKE_TEST_HOST", FailOnMissing: false},
+		{Name: "Port", EnvName: "SNOWFLAKE_TEST_PORT", FailOnMissing: false},
+		{Name: "Protocol", EnvName: "SNOWFLAKE_AUTH_TEST_PROTOCOL", FailOnMissing: false},
+		{Name: "Role", EnvName: "SNOWFLAKE_TEST_ROLE", FailOnMissing: false},
+	})
+}
+
+func getAuthTestsConfig(authMethod AuthType) (*Config, error) {
+	cfg, err := getAuthTestConfigFromEnv()
+	if err != nil {
+		return nil, err
+	}
+
+	cfg.Authenticator = authMethod
+	cfg.DisableQueryContextCache = true
+
+	return cfg, nil
+}
+
+func executeQuery(query string, dsn string) (rows *sql.Rows, err error) {
+	db, err := sql.Open("snowflake", dsn)
+	if err != nil {
+		log.Fatalf("failed to connect. %v, err: %v", dsn, err)
+	}
+	defer db.Close()
+
+	rows, err = db.Query(query)
+	return rows, err
+}
+
+func getDbHandler(cfg *Config) *sql.DB {
+	dsn, err := DSN(cfg)
+	if err != nil {
+		log.Fatalf("failed to create DSN from Config: %v, err: %v", cfg, err)
+	}
+
+	db, err := sql.Open("snowflake", dsn)
+	if err != nil {
+		log.Fatalf("failed to open database. %v, err: %v", dsn, err)
+	}
+	return db
+}
+
+func createConnection(db *sql.DB) (*sql.Conn, error) {
+	conn, err := db.Conn(context.Background())
+	return conn, err
+}

auth_with_external_browser_test.go

@@ -0,0 +1,189 @@
+package gosnowflake
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log"
+	"os/exec"
+	"sync"
+	"testing"
+	"time"
+)
+
+func TestExternalBrowserSuccessful(t *testing.T) {
+	cfg := setupExternalBrowserTest(t)
+	var wg sync.WaitGroup
+	wg.Add(2)
+	go func() {
+		defer wg.Done()
+		provideCredentials(externalBrowserType.Success, cfg.User, cfg.Password)
+	}()
+	go func() {
+		defer wg.Done()
+		err := connectToSnowflake(cfg, "SELECT 1", true)
+		assertNilF(t, err, fmt.Sprintf("Connection failed due to %v", err))
+	}()
+	wg.Wait()
+}
+
+func TestExternalBrowserFailed(t *testing.T) {
+	cfg := setupExternalBrowserTest(t)
+	cfg.ExternalBrowserTimeout = time.Duration(10) * time.Second
+	var wg sync.WaitGroup
+	wg.Add(2)
+	go func() {
+		defer wg.Done()
+		provideCredentials(externalBrowserType.Fail, "FakeAccount", "NotARealPassword")
+	}()
+	go func() {
+		defer wg.Done()
+		tOut := "authentication timed out"
+		err := connectToSnowflake(cfg, "SELECT 1", false)
+		assertTrueF(t, err.Error() == tOut, fmt.Sprintf("Expected %v, but got %v", tOut, err))
+	}()
+	wg.Wait()
+}
+
+func TestExternalBrowserTimeout(t *testing.T) {
+	cfg := setupExternalBrowserTest(t)
+	cfg.ExternalBrowserTimeout = time.Duration(1) * time.Second
+	var wg sync.WaitGroup
+	wg.Add(2)
+	go func() {
+		defer wg.Done()
+		provideCredentials(externalBrowserType.Timeout, cfg.User, cfg.Password)
+	}()
+	go func() {
+		defer wg.Done()
+		tOut := "authentication timed out"
+		err := connectToSnowflake(cfg, "SELECT 1", false)
+		assertTrueF(t, err.Error() == tOut, fmt.Sprintf("Expected %v, but got %v", tOut, err))
+	}()
+	wg.Wait()
+}
+
+func TestExternalBrowserMismatchUser(t *testing.T) {
+	cfg := setupExternalBrowserTest(t)
+	correctUsername := cfg.User
+	cfg.User = "fakeAccount"
+	var wg sync.WaitGroup
+
+	wg.Add(2)
+	go func() {
+		defer wg.Done()
+		provideCredentials(externalBrowserType.Success, correctUsername, cfg.Password)
+	}()
+	go func() {
+		defer wg.Done()
+		expectedErrorMsg := "390191 (08004): The user you were trying to authenticate " +
+			"as differs from the user currently logged in at the IDP."
+		err := connectToSnowflake(cfg, "SELECT 1", false)
+		assertTrueF(t, err.Error() == expectedErrorMsg, fmt.Sprintf("Expected %v, but got %v", expectedErrorMsg, err))
+	}()
+	wg.Wait()
+}
+
+func TestClientStoreCredentials(t *testing.T) {
+	cfg := setupExternalBrowserTest(t)
+	cfg.ClientStoreTemporaryCredential = 1
+	cfg.ExternalBrowserTimeout = time.Duration(10) * time.Second
+
+	t.Run("Obtains the ID token from the server and saves it on the local storage", func(t *testing.T) {
+		cleanupBrowserProcesses()
+		var wg sync.WaitGroup
+		wg.Add(2)
+		go func() {
+			defer wg.Done()
+			provideCredentials(externalBrowserType.Success, cfg.User, cfg.Password)
+		}()
+		go func() {
+			defer wg.Done()
+			err := connectToSnowflake(cfg, "SELECT 1", true)
+			assertNilF(t, err, fmt.Sprintf("Connection failed: err %v", err))
+		}()
+		wg.Wait()
+	})
+
+	t.Run("Verify validation of ID token if option enabled", func(t *testing.T) {
+		cleanupBrowserProcesses()
+		cfg.ClientStoreTemporaryCredential = 1
+		conn, _ := createConnection(getDbHandler(cfg))
+		_, err := conn.QueryContext(context.Background(), "SELECT 1")
+		assertNilF(t, err, fmt.Sprintf("Failed to run a query. err: %v", err))
+	})
+
+	t.Run("Verify validation of IDToken if option disabled", func(t *testing.T) {
+		cleanupBrowserProcesses()
+		cfg.ClientStoreTemporaryCredential = 0
+		tOut := "authentication timed out"
+		_, err := createConnection(getDbHandler(cfg))
+		assertTrueF(t, err.Error() == tOut, fmt.Sprintf("Expected %v, but got %v", tOut, err))
+	})
+}
+
+type ExternalBrowserProcess struct {
+	Success string
+	Fail    string
+	Timeout string
+}
+
+var externalBrowserType = ExternalBrowserProcess{
+	Success: "success",
+	Fail:    "fail",
+	Timeout: "timeout",
+}
+
+func cleanupBrowserProcesses() {
+	const cleanBrowserProcessesPath = "/externalbrowser/cleanBrowserProcesses.js"
+	_, err := exec.Command("node", cleanBrowserProcessesPath).Output()
+	if err != nil {
+		log.Fatalf("failed to execute command: %v", err)
+	}
+}
+
+func provideCredentials(ExternalBrowserProcess string, user string, password string) {
+	const provideBrowserCredentialsPath = "/externalbrowser/provideBrowserCredentials.js"
+	_, err := exec.Command("node", provideBrowserCredentialsPath, ExternalBrowserProcess, user, password).Output()
+	if err != nil {
+		log.Fatalf("failed to execute command: %v", err)
+	}
+}
+
+func connectToSnowflake(cfg *Config, query string, isCatchException bool) (err error) {
+	dsn, err := DSN(cfg)
+	if err != nil {
+		log.Fatalf("failed to create DSN from Config: %v, err: %v", cfg, err)
+	}
+	rows, err := executeQuery(query, dsn)
+	if isCatchException && err != nil {
+		log.Fatalf("failed to run a query. %v, err: %v", query, err)
+	} else if err != nil {
+		return err
+	}
+	defer rows.Close()
+	var v int
+	var hasAnyRows bool
+	for rows.Next() {
+		hasAnyRows = true
+		err := rows.Scan(&v)
+		if isCatchException && err != nil {
+			log.Fatalf("failed to get result. err: %v", err)
+		}
+	}
+	if !hasAnyRows {
+		return errors.New("There were no results for query: ")
+	}
+	fmt.Printf("Congrats! You have successfully run '%v' with Snowflake DB! \n", query)
+	return err
+}
+
+func setupExternalBrowserTest(t *testing.T) *Config {
+	runOnlyOnDockerContainer(t, "Running only on Docker container")
+	cleanupBrowserProcesses()
+	cfg, err := getAuthTestsConfig(AuthTypeExternalBrowser)
+	if err != nil {
+		t.Fatalf("failed to get config: %v", err)
+	}
+	return cfg
+}

auth_with_keypair_test.go

@@ -0,0 +1,53 @@
+package gosnowflake
+
+import (
+	"crypto/rsa"
+	"fmt"
+	"golang.org/x/crypto/ssh"
+	"os"
+	"strings"
+	"testing"
+)
+
+func TestKeypairSuccessful(t *testing.T) {
+	cfg := setupKeyPairTest(t)
+	cfg.PrivateKey = loadRsaPrivateKeyForKeyPair(t, "SNOWFLAKE_AUTH_TEST_PRIVATE_KEY_PATH")
+
+	err := connectToSnowflake(cfg, "SELECT 1", true)
+	assertNilF(t, err, fmt.Sprintf("failed to connect. err: %v", err))
+}
+
+func TestKeypairInvalidKey(t *testing.T) {
+	cfg := setupKeyPairTest(t)
+	cfg.PrivateKey = loadRsaPrivateKeyForKeyPair(t, "SNOWFLAKE_AUTH_TEST_INVALID_PRIVATE_KEY_PATH")
+	var errParts string
+	errMsg := "390144 (08004): JWT token is invalid."
+	err := connectToSnowflake(cfg, "SELECT 1", false)
+	if err != nil {
+		errParts = strings.Split(err.Error(), " [")[0]
+	}
+	assertTrueF(t, err != nil, "Expected error, but got nil")
+	assertTrueF(t, errParts == errMsg, fmt.Sprintf("Expected %v, but got %v", errMsg, errParts))
+}
+
+func setupKeyPairTest(t *testing.T) *Config {
+	runOnlyOnDockerContainer(t, "Running only on Docker container")
+
+	cfg, err := getAuthTestsConfig(AuthTypeJwt)
+	assertTrueF(t, err == nil, fmt.Sprintf("failed to get config: %v", err))
+
+	return cfg
+}
+
+func loadRsaPrivateKeyForKeyPair(t *testing.T, envName string) *rsa.PrivateKey {
+	filePath, err := GetFromEnv(envName, true)
+	assertNilF(t, err, fmt.Sprintf("failed to get env: %v", err))
+
+	bytes, err := os.ReadFile(filePath)
+	assertNilF(t, err, fmt.Sprintf("failed to read file: %v", err))
+
+	key, err := ssh.ParseRawPrivateKey(bytes)
+	assertNilF(t, err, fmt.Sprintf("failed to parse private key: %v", err))
+
+	return key.(*rsa.PrivateKey)
+}