Applying suggestions

Snowflake.Data.Tests/IntegrationTests/SFConnectionIT.cs

@@ -2281,18 +2281,18 @@ public void TestMFATokenCaching()
         {
             using (SnowflakeDbConnection conn = new SnowflakeDbConnection())
             {
-                //conn.Passcode = SecureStringHelper.Encode("014350");
+                //conn.Passcode = SecureStringHelper.Encode("123456");
                 conn.ConnectionString
                     = ConnectionString
-                      + ";authenticator=username_password_mfa;minPoolSize=2;application=DuoTest;POOLINGENABLED=false;";
+                      + ";authenticator=username_password_mfa;minPoolSize=2;application=DuoTest;authenticator=username_password_mfa;";
 
 
                 // Authenticate to retrieve and store the token if doesn't exist or invalid
                 Task connectTask = conn.OpenAsync(CancellationToken.None);
                 connectTask.Wait();
                 Assert.AreEqual(ConnectionState.Open, conn.State);
 
-                // Authenticate using the SSO token (the connector will automatically use the token and a browser should not pop-up in this step)
+                // Authenticate using the MFA token cache
                 connectTask = conn.OpenAsync(CancellationToken.None);
                 connectTask.Wait();
                 Assert.AreEqual(ConnectionState.Open, conn.State);
@@ -2310,7 +2310,7 @@ public void TestMfaWithPasswordConnection()
             // arrange
             using (SnowflakeDbConnection conn = new SnowflakeDbConnection())
             {
-                conn.Passcode = SecureStringHelper.Encode("323438");
+                conn.Passcode = SecureStringHelper.Encode("123456");
                 // manual action: stop here in breakpoint to provide proper passcode by: conn.Passcode = SecureStringHelper.Encode("...");
                 conn.ConnectionString = ConnectionString + "minPoolSize=2;application=DuoTest;";
 

Snowflake.Data.Tests/UnitTests/Session/SFHttpClientPropertiesTest.cs

@@ -17,8 +17,7 @@ public class SFHttpClientPropertiesTest
         [Test]
         public void TestConvertToMapOnly2Properties(
             [Values(true, false)] bool validateDefaultParameters,
-            [Values(true, false)] bool clientSessionKeepAlive,
-            [Values(true, false)] bool clientStoreTemporaryCredential)
+            [Values(true, false)] bool clientSessionKeepAlive)
         {
             // arrange
             var proxyProperties = new SFSessionHttpClientProxyProperties()

Snowflake.Data/Core/CredentialManager/SFCredentialManagerFactory.cs → Snowflake.Data/Client/SFCredentialManagerFactory.cs

@@ -2,30 +2,24 @@
  * Copyright (c) 2024 Snowflake Computing Inc. All rights reserved.
  */
 
-using Snowflake.Data.Client;
-using Snowflake.Data.Core.CredentialManager.Infrastructure;
-using Snowflake.Data.Log;
-using System.Runtime.InteropServices;
-
-namespace Snowflake.Data.Core.CredentialManager
+namespace Snowflake.Data.Client
 {
-    internal enum TokenType
-    {
-        [StringAttr(value = "ID_TOKEN")]
-        IdToken,
-        [StringAttr(value = "MFA_TOKEN")]
-        MFAToken
-    }
-
-    internal class SFCredentialManagerFactory
+    using System;
+    using Snowflake.Data.Core;
+    using Snowflake.Data.Core.CredentialManager;
+    using Snowflake.Data.Core.CredentialManager.Infrastructure;
+    using Snowflake.Data.Log;
+    using System.Runtime.InteropServices;
+
+    public class SFCredentialManagerFactory
     {
         private static readonly SFLogger s_logger = SFLoggerFactory.GetLogger<SFCredentialManagerFactory>();
 
         private static ISnowflakeCredentialManager s_customCredentialManager = null;
 
-        internal static string BuildCredentialKey(string host, string user, TokenType tokenType)
+        internal static string BuildCredentialKey(string host, string user, TokenType tokenType, string authenticator = null)
         {
-            return $"{host.ToUpper()}:{user.ToUpper()}:{SFEnvironment.DriverName}:{tokenType.ToString().ToUpper()}";
+            return $"{host.ToUpper()}:{user.ToUpper()}:{SFEnvironment.DriverName}:{tokenType.ToString().ToUpper()}:{authenticator?.ToUpper() ?? string.Empty}";
         }
 
         public static void UseDefaultCredentialManager()
@@ -40,7 +34,7 @@ public static void SetCredentialManager(ISnowflakeCredentialManager customCreden
             s_customCredentialManager = customCredentialManager;
         }
 
-        internal static ISnowflakeCredentialManager GetCredentialManager()
+        public static ISnowflakeCredentialManager GetCredentialManager()
         {
             if (s_customCredentialManager == null)
             {
@@ -49,11 +43,8 @@ internal static ISnowflakeCredentialManager GetCredentialManager()
                 s_logger.Info($"Using the default credential manager: {defaultCredentialManager.GetType().Name}");
                 return defaultCredentialManager;
             }
-            else
-            {
-                s_logger.Info($"Using a custom credential manager: {s_customCredentialManager.GetType().Name}");
-                return s_customCredentialManager;
-            }
+            s_logger.Info($"Using a custom credential manager: {s_customCredentialManager.GetType().Name}");
+            return s_customCredentialManager;
         }
     }
 }

Snowflake.Data/Core/CredentialManager/Infrastructure/SFCredentialManagerFileImpl.cs

@@ -2,19 +2,19 @@
  * Copyright (c) 2024 Snowflake Computing Inc. All rights reserved.
  */
 
-using Mono.Unix;
-using Mono.Unix.Native;
-using Newtonsoft.Json;
-using Snowflake.Data.Client;
-using Snowflake.Data.Core.Tools;
-using Snowflake.Data.Log;
-using System;
-using System.IO;
-using System.Runtime.InteropServices;
-using KeyToken = System.Collections.Generic.Dictionary<string, string>;
-
 namespace Snowflake.Data.Core.CredentialManager.Infrastructure
 {
+    using Mono.Unix;
+    using Mono.Unix.Native;
+    using Newtonsoft.Json;
+    using Snowflake.Data.Client;
+    using Snowflake.Data.Core.Tools;
+    using Snowflake.Data.Log;
+    using System;
+    using System.IO;
+    using System.Runtime.InteropServices;
+    using KeyToken = System.Collections.Generic.Dictionary<string, string>;
+
     internal class SFCredentialManagerFileImpl : ISnowflakeCredentialManager
     {
         internal const string CredentialCacheDirectoryEnvironmentName = "SF_TEMPORARY_CREDENTIAL_CACHE_DIR";
@@ -103,7 +103,8 @@ internal void WriteToJsonFile(string content)
 
         internal KeyToken ReadJsonFile()
         {
-            return JsonConvert.DeserializeObject<KeyToken>(File.ReadAllText(_jsonCacheFilePath));
+            var contentFile = RuntimeInformation.IsOSPlatform(OSPlatform.Windows) ? File.ReadAllText(_jsonCacheFilePath) : _unixOperations.ReadAllText(_jsonCacheFilePath);
+            return JsonConvert.DeserializeObject<KeyToken>(contentFile);
         }
 
         public string GetCredentials(string key)

Snowflake.Data/Core/CredentialManager/Infrastructure/SFCredentialManagerInMemoryImpl.cs

@@ -2,12 +2,11 @@
  * Copyright (c) 2024 Snowflake Computing Inc. All rights reserved.
  */
 
-using Snowflake.Data.Client;
-using Snowflake.Data.Log;
-using System.Collections.Generic;
-
 namespace Snowflake.Data.Core.CredentialManager.Infrastructure
 {
+    using Snowflake.Data.Client;
+    using Snowflake.Data.Log;
+    using System.Collections.Generic;
     using System.Security;
     using Tools;
 

Snowflake.Data/Core/CredentialManager/Infrastructure/SFCredentialManagerWindowsNativeImpl.cs

@@ -2,15 +2,14 @@
  * Copyright (c) 2024 Snowflake Computing Inc. All rights reserved.
  */
 
-using Microsoft.Win32.SafeHandles;
-using Snowflake.Data.Client;
-using Snowflake.Data.Log;
-using System;
-using System.Runtime.InteropServices;
-using System.Text;
-
 namespace Snowflake.Data.Core.CredentialManager.Infrastructure
 {
+    using Microsoft.Win32.SafeHandles;
+    using Snowflake.Data.Client;
+    using Snowflake.Data.Log;
+    using System;
+    using System.Runtime.InteropServices;
+    using System.Text;
     using Tools;
 
     internal class SFCredentialManagerWindowsNativeImpl : ISnowflakeCredentialManager

Snowflake.Data/Core/CredentialManager/TokenType.cs

@@ -0,0 +1,14 @@
+/*
+ * Copyright (c) 2024 Snowflake Computing Inc. All rights reserved.
+ */
+
+namespace Snowflake.Data.Core.CredentialManager
+{
+    internal enum TokenType
+    {
+        [StringAttr(value = "ID_TOKEN")]
+        IdToken,
+        [StringAttr(value = "MFA_TOKEN")]
+        MFAToken
+    }
+}

Snowflake.Data/Core/SFError.cs

@@ -86,7 +86,10 @@ public enum SFError
         EXECUTE_COMMAND_ON_CLOSED_CONNECTION,
 
         [SFErrorAttr(errorCode = 270060)]
-        INCONSISTENT_RESULT_ERROR
+        INCONSISTENT_RESULT_ERROR,
+
+        [SFErrorAttr(errorCode = 390127)]
+        EXT_AUTHN_INVALID
     }
 
     class SFErrorAttr : Attribute

Snowflake.Data/Core/Session/SFSession.cs

@@ -128,7 +128,7 @@ internal void ProcessLoginResponse(LoginResponse authnResponse)
                 if (!string.IsNullOrEmpty(authnResponse.data.mfaToken))
                 {
                     _mfaToken = SecureStringHelper.Encode(authnResponse.data.mfaToken);
-                    var key = SFCredentialManagerFactory.BuildCredentialKey(properties[SFSessionProperty.HOST], properties[SFSessionProperty.USER], TokenType.MFAToken);
+                    var key = SFCredentialManagerFactory.BuildCredentialKey(properties[SFSessionProperty.HOST], properties[SFSessionProperty.USER], TokenType.MFAToken, properties[SFSessionProperty.AUTHENTICATOR]);
                     _credManager.SaveCredentials(key, authnResponse.data.mfaToken);
                 }
                 logger.Debug($"Session opened: {sessionId}");
@@ -143,6 +143,14 @@ internal void ProcessLoginResponse(LoginResponse authnResponse)
                     "");
 
                 logger.Error("Authentication failed", e);
+                if (e.ErrorCode == SFError.EXT_AUTHN_INVALID.GetAttribute<SFErrorAttr>().errorCode)
+                {
+                    logger.Info("MFA Token has expired or not valid.", e);
+                    _mfaToken = null;
+                    var mfaKey = SFCredentialManagerFactory.BuildCredentialKey(properties[SFSessionProperty.HOST], properties[SFSessionProperty.USER], TokenType.MFAToken, properties[SFSessionProperty.AUTHENTICATOR]);
+                    _credManager.RemoveCredentials(mfaKey);
+                }
+
                 throw e;
             }
         }
@@ -211,7 +219,7 @@ internal SFSession(
 
                 if (properties.TryGetValue(SFSessionProperty.AUTHENTICATOR, out var _authenticatorType) &&  _authenticatorType == "username_password_mfa")
                 {
-                    var mfaKey = SFCredentialManagerFactory.BuildCredentialKey(properties[SFSessionProperty.HOST], properties[SFSessionProperty.USER], TokenType.MFAToken);
+                    var mfaKey = SFCredentialManagerFactory.BuildCredentialKey(properties[SFSessionProperty.HOST], properties[SFSessionProperty.USER], TokenType.MFAToken, _authenticatorType);
                     _mfaToken = SecureStringHelper.Encode(_credManager.GetCredentials(mfaKey));
                 }
             }

Snowflake.Data/Core/Tools/UnixOperations.cs

@@ -2,11 +2,16 @@
  * Copyright (c) 2024 Snowflake Computing Inc. All rights reserved.
  */
 
-using Mono.Unix;
-using Mono.Unix.Native;
+
 
 namespace Snowflake.Data.Core.Tools
 {
+    using System.IO;
+    using System.Security;
+    using System.Text;
+    using Mono.Unix;
+    using Mono.Unix.Native;
+
     internal class UnixOperations
     {
         public static readonly UnixOperations Instance = new UnixOperations();
@@ -38,5 +43,34 @@ public virtual bool CheckFileHasAnyOfPermissions(string path, FileAccessPermissi
             var fileInfo = new UnixFileInfo(path);
             return (permissions & fileInfo.FileAccessPermissions) != 0;
         }
+
+
+        /// <summary>
+        /// Reads all text from a file at the specified path, ensuring the file is owned by the effective user and group of the current process,
+        /// and does not have broader permissions than specified.
+        /// </summary>
+        /// <param name="path">The path to the file.</param>
+        /// <param name="forbiddenPermissions">Permissions that are not allowed for the file. Defaults to OtherReadWriteExecute.</param>
+        /// <returns>The content of the file as a string.</returns>
+        /// <exception cref="SecurityException">Thrown if the file is not owned by the effective user or group, or if it has forbidden permissions.</exception>
+
+        public string ReadAllText(string path, FileAccessPermissions forbiddenPermissions = FileAccessPermissions.OtherReadWriteExecute)
+        {
+            var fileInfo = new UnixFileInfo(path: path);
+
+            using (var handle = fileInfo.OpenRead())
+            {
+                if (handle.OwnerUser.UserId != Syscall.geteuid())
+                    throw new SecurityException("Attempting to read a file not owned by the effective user of the current process");
+                if (handle.OwnerGroup.GroupId != Syscall.getegid())
+                    throw new SecurityException("Attempting to read a file not owned by the effective group of the current process");
+                if ((handle.FileAccessPermissions & forbiddenPermissions) != 0)
+                    throw new SecurityException("Attempting to read a file with too broad permissions assigned");
+                using (var streamReader = new StreamReader(handle, Encoding.Default))
+                {
+                    return streamReader.ReadToEnd();
+                }
+            }
+        }
     }
 }