SNOW-1825482: PAT, Native OAuth & Secure Token Cache support (#1978)

snowflakedb · Feb 25, 2025 · 891a900 · 891a900
1 parent dcb60b2
commit 891a900
Show file tree

Hide file tree

Showing 77 changed files with 4,804 additions and 469 deletions.
diff --git a/FIPS/scripts/check_content.sh b/FIPS/scripts/check_content.sh
@@ -6,7 +6,7 @@ set -o pipefail
 
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
 
-if jar tvf $DIR/../target/snowflake-jdbc-fips.jar  | awk '{print $8}' | grep -v -E "/$" | grep -v -E "^(net|com)/snowflake" | grep -v -E "(com|net)/\$" | grep -v -E "^META-INF" | grep -v -E "^mozilla" | grep -v -E "^com/sun/jna" | grep -v com/sun/ | grep -v mime.types | grep -v -E "^com/github/luben/zstd/" | grep -v -E "^aix/" | grep -v -E "^darwin/" | grep -v -E "^freebsd/" | grep -v -E "^linux/" | grep -v -E "^win/"; then
+if jar tvf $DIR/../target/snowflake-jdbc-fips.jar  | awk '{print $8}' | grep -v -E "/$" | grep -v -E "^(net|com)/snowflake" | grep -v -E "(com|net)/\$" | grep -v -E "^META-INF" | grep -v -E "^iso3166_" | grep -v -E "^mozilla" | grep -v -E "^com/sun/jna" | grep -v com/sun/ | grep -v mime.types | grep -v -E "^com/github/luben/zstd/" | grep -v -E "^aix/" | grep -v -E "^darwin/" | grep -v -E "^freebsd/" | grep -v -E "^linux/" | grep -v -E "^win/"; then
   echo "[ERROR] JDBC jar includes class not under the snowflake namespace"
   exit 1
 fi
diff --git a/ci/container/test_authentication.sh b/ci/container/test_authentication.sh
@@ -9,6 +9,8 @@ MVNW_EXE=$SOURCE_ROOT/mvnw
 AUTH_PARAMETER_FILE=./.github/workflows/parameters_aws_auth_tests.json
 eval $(jq -r '.authtestparams | to_entries | map("export \(.key)=\(.value|tostring)")|.[]' $AUTH_PARAMETER_FILE)
 
+export SF_ENABLE_EXPERIMENTAL_AUTHENTICATION=true
+
 $MVNW_EXE -DjenkinsIT \
     -Djava.io.tmpdir=$WORKSPACE \
     -Djacoco.skip.instrument=true \

diff --git a/ci/container/test_component.sh b/ci/container/test_component.sh
@@ -76,6 +76,8 @@ cd $SOURCE_ROOT
 # Avoid connection timeout on plugin dependency fetch or fail-fast when dependency cannot be fetched
 $MVNW_EXE --batch-mode --show-version dependency:go-offline
 
+export SF_ENABLE_EXPERIMENTAL_AUTHENTICATION=true
+
 if [[ "$is_old_driver" == "true" ]]; then
     pushd TestOnly >& /dev/null
         JDBC_VERSION=$($MVNW_EXE org.apache.maven.plugins:maven-help-plugin:2.1.1:evaluate -Dexpression=project.version --batch-mode | grep -v "[INFO]")

diff --git a/ci/scripts/check_content.sh b/ci/scripts/check_content.sh
@@ -8,7 +8,7 @@ set -o pipefail
 
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
 
-if jar tvf $DIR/../../target/snowflake-jdbc${package_modifier}.jar | awk '{print $8}' | grep -v -E "/$" | grep -v -E "^(net|com)/snowflake" | grep -v -E "(com|net)/\$" | grep -v -E "^META-INF" | grep -v -E "^mozilla" | grep -v -E "^com/sun/jna" | grep -v com/sun/ | grep -v mime.types | grep -v -E "^com/github/luben/zstd/" | grep -v -E "^aix/" | grep -v -E "^darwin/" | grep -v -E "^freebsd/" | grep -v -E "^linux/" | grep -v -E "^win/"; then
+if jar $DIR/../../target/snowflake-jdbc${package_modifier}.jar | awk '{print $8}' | grep -v -E "/$" | grep -v -E "^(net|com)/snowflake" | grep -v -E "(com|net)/\$" | grep -v -E "^META-INF" | grep -v -E "^iso3166_" | grep -v -E "^mozilla" | grep -v -E "^com/sun/jna" | grep -v com/sun/ | grep -v mime.types | grep -v -E "^com/github/luben/zstd/" | grep -v -E "^aix/" | grep -v -E "^darwin/" | grep -v -E "^freebsd/" | grep -v -E "^linux/" | grep -v -E "^win/"; then
   echo "[ERROR] JDBC jar includes class not under the snowflake namespace"
   exit 1
 fi

diff --git a/ci/test_windows.bat b/ci/test_windows.bat
@@ -111,6 +111,8 @@ echo "MAVEN OPTIONS %MAVEN_OPTS%"
 REM Avoid connection timeout on plugin dependency fetch or fail-fast when dependency cannot be fetched
 cmd /c %MVNW_EXE% --batch-mode --show-version dependency:go-offline
 
+set SF_ENABLE_EXPERIMENTAL_AUTHENTICATION=true
+
 if "%JDBC_TEST_SUITES%"=="FipsTestSuite" (
     pushd FIPS
     echo "[INFO] Run Fips tests"

diff --git a/linkage-checker-exclusion-rules.xml b/linkage-checker-exclusion-rules.xml
@@ -29,6 +29,7 @@
         <Source><Package name="com.google.api.gax"/></Source>
         <Reason>?</Reason>
     </LinkageError>
+
     <LinkageError>
         <Target><Package name="org.osgi"/></Target>
         <Source><Package name="org.apache.tika.config"/></Source>
@@ -49,6 +50,26 @@
         <Source><Package name="org.bouncycastle.pqc.legacy.crypto.ntru"/></Source>
         <Reason>?</Reason>
     </LinkageError>
+    <LinkageError>
+        <Target><Package name="org.cryptomator"/></Target>
+        <Source><Package name="com.nimbusds"/></Source>
+        <Reason>?</Reason>
+    </LinkageError>
+    <LinkageError>
+        <Target><Package name="org.opensaml"/></Target>
+        <Source><Package name="com.nimbusds"/></Source>
+        <Reason>?</Reason>
+    </LinkageError>
+    <LinkageError>
+        <Target><Package name="jakarta.servlet"/></Target>
+        <Source><Package name="com.nimbusds"/></Source>
+        <Reason>?</Reason>
+    </LinkageError>
+    <LinkageError>
+        <Target><Package name="net.shibboleth.utilities"/></Target>
+        <Source><Package name="com.nimbusds"/></Source>
+        <Reason>?</Reason>
+    </LinkageError>
     <!--
     <LinkageError>
         <Target><Package name=""/></Target>

diff --git a/parent-pom.xml b/parent-pom.xml
@@ -21,7 +21,7 @@
     <apache.httpcore.version>4.4.16</apache.httpcore.version>
     <zstd-jni.version>1.5.6-5</zstd-jni.version>
     <arrow.version>17.0.0</arrow.version>
-    <asm.version>9.3</asm.version>
+    <asm.version>9.6</asm.version>
     <avro.version>1.8.1</avro.version>
     <awaitility.version>4.2.0</awaitility.version>
     <awssdk.version>1.12.655</awssdk.version>
@@ -60,16 +60,17 @@
     <javax.servlet.version>3.1.0</javax.servlet.version>
     <jna.version>5.13.0</jna.version>
     <joda.time.version>2.8.1</joda.time.version>
-    <json.smart.version>2.4.9</json.smart.version>
+    <json.smart.version>2.5.1</json.smart.version>
     <junit4.version>4.13.2</junit4.version>
     <junit.version>5.11.1</junit.version>
     <junit.platform.version>1.11.1</junit.platform.version>
     <jsoup.version>1.15.3</jsoup.version>
     <logback.version>1.3.6</logback.version>
     <metrics.version>2.2.0</metrics.version>
     <mockito.version>4.11.0</mockito.version>
+    <nimbusds.oauth2.version>11.20.1</nimbusds.oauth2.version>
     <netty.version>4.1.118.Final</netty.version>
-    <nimbusds.version>9.37.3</nimbusds.version>
+    <nimbusds.version>9.40</nimbusds.version>
     <opencensus.version>0.31.1</opencensus.version>
     <plexus.container.version>1.0-alpha-9-stable-1</plexus.container.version>
     <plexus.utils.version>3.4.2</plexus.utils.version>
@@ -219,6 +220,11 @@
         <artifactId>nimbus-jose-jwt</artifactId>
         <version>${nimbusds.version}</version>
       </dependency>
+      <dependency>
+        <groupId>com.nimbusds</groupId>
+        <artifactId>oauth2-oidc-sdk</artifactId>
+        <version>${nimbusds.oauth2.version}</version>
+      </dependency>
       <dependency>
         <groupId>com.yammer.metrics</groupId>
         <artifactId>metrics-core</artifactId>
@@ -657,6 +663,10 @@
       <groupId>com.nimbusds</groupId>
       <artifactId>nimbus-jose-jwt</artifactId>
     </dependency>
+    <dependency>
+      <groupId>com.nimbusds</groupId>
+      <artifactId>oauth2-oidc-sdk</artifactId>
+    </dependency>
     <dependency>
       <groupId>com.yammer.metrics</groupId>
       <artifactId>metrics-core</artifactId>

diff --git a/src/main/java/net/snowflake/client/config/SFClientConfigParser.java b/src/main/java/net/snowflake/client/config/SFClientConfigParser.java
@@ -58,11 +58,13 @@ public static SFClientConfig loadSFClientConfig(String configFilePath) throws IO
         derivedConfigFilePath = driverLocation;
       } else {
         // 4. Read SF_CLIENT_CONFIG_FILE_NAME if it is present in user home directory.
-        String userHomeFilePath =
-            Paths.get(systemGetProperty("user.home"), SF_CLIENT_CONFIG_FILE_NAME).toString();
-        if (Files.exists(Paths.get(userHomeFilePath))) {
-          logger.info("Using config file specified from home directory: {}", userHomeFilePath);
-          derivedConfigFilePath = userHomeFilePath;
+        String homeDirectory = systemGetProperty("user.home");
+        if (homeDirectory != null) {
+          String userHomeFilePath = Paths.get(homeDirectory, SF_CLIENT_CONFIG_FILE_NAME).toString();
+          if (Files.exists(Paths.get(userHomeFilePath))) {
+            logger.info("Using config file specified from home directory: {}", userHomeFilePath);
+            derivedConfigFilePath = userHomeFilePath;
+          }
         }
       }
     }

diff --git a/src/main/java/net/snowflake/client/core/AssertUtil.java b/src/main/java/net/snowflake/client/core/AssertUtil.java
@@ -16,7 +16,8 @@ public class AssertUtil {
    * @param internalErrorMesg The error message to display if condition is false
    * @throws SFException Will be thrown if condition is false
    */
-  static void assertTrue(boolean condition, String internalErrorMesg) throws SFException {
+  @SnowflakeJdbcInternalApi
+  public static void assertTrue(boolean condition, String internalErrorMesg) throws SFException {
     if (!condition) {
       throw new SFException(ErrorCode.INTERNAL_ERROR, internalErrorMesg);
     }

diff --git a/src/main/java/net/snowflake/client/core/CachedCredentialType.java b/src/main/java/net/snowflake/client/core/CachedCredentialType.java
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2024-2025 Snowflake Computing Inc. All rights reserved.
+ */
+
+package net.snowflake.client.core;
+
+enum CachedCredentialType {
+  ID_TOKEN("ID_TOKEN"),
+  MFA_TOKEN("MFATOKEN"),
+  OAUTH_ACCESS_TOKEN("OAUTH_ACCESS_TOKEN"),
+  OAUTH_REFRESH_TOKEN("OAUTH_REFRESH_TOKEN");
+
+  private final String value;
+
+  CachedCredentialType(String value) {
+    this.value = value;
+  }
+
+  String getValue() {
+    return value;
+  }
+}
diff --git a/src/main/java/net/snowflake/client/core/Constants.java b/src/main/java/net/snowflake/client/core/Constants.java
@@ -22,6 +22,10 @@ public final class Constants {
   // Error code for all invalid id token cases during login request
   public static final int ID_TOKEN_INVALID_LOGIN_REQUEST_GS_CODE = 390195;
 
+  public static final int OAUTH_ACCESS_TOKEN_EXPIRED_GS_CODE = 390318;
+
+  public static final int OAUTH_ACCESS_TOKEN_INVALID_GS_CODE = 390303;
+
   // Error message for IOException when no space is left for GET
   public static final String NO_SPACE_LEFT_ON_DEVICE_ERR = "No space left on device";