
Snow 893925 ocsp responders in privatelink #915

Merged
merged 11 commits into from
Sep 20, 2023
2 changes: 1 addition & 1 deletion arrow_test.go
Expand Up @@ -13,7 +13,7 @@ import (
"time"
)

//A test just to show Snowflake version
// A test just to show Snowflake version
func TestCheckVersion(t *testing.T) {
conn := openConn(t)
defer conn.Close()
2 changes: 2 additions & 0 deletions connection_util.go
Expand Up @@ -281,10 +281,12 @@ func populateChunkDownloader(

func (sc *snowflakeConn) setupOCSPPrivatelink(app string, host string) error {
ocspCacheServer := fmt.Sprintf("http://ocsp.%v/ocsp_response_cache.json", host)
logger.Debugf("OCSP Cache Server for Privatelink: %v\n", ocspCacheServer)
if err := os.Setenv(cacheServerURLEnv, ocspCacheServer); err != nil {
return err
}
ocspRetryHost := fmt.Sprintf("http://ocsp.%v/retry/", host) + "%v/%v"
logger.Debugf("OCSP Retry URL for Privatelink: %v\n", ocspRetryHost)
if err := os.Setenv(ocspRetryURLEnv, ocspRetryHost); err != nil {
return err
}
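Review bot: The template built on the `ocspRetryHost` line is written to the `ocspRetryURLEnv` variable and later consumed as a `fmt.Sprintf` format string (the `hostname = fmt.Sprintf(retryURL, ...)` line in ocsp.go), so a `host` containing `%` silently corrupts the retry URL instead of failing; reject it before the variable is set, e.g. `if strings.Contains(host, "%") { return fmt.Errorf("invalid privatelink host %q", host) }`. Because `os.Setenv` is process-wide, two connections opened with different privatelink hosts overwrite each other's cache and retry URLs, which the debug lines this hunk appears to add make visible but do not address; a doc comment on the function stating that the last connection to call it wins would at least record the limitation. The body of setupOCSPPrivatelink continues past the end of this hunk.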
92 changes: 88 additions & 4 deletions ocsp.go
Expand Up @@ -428,15 +428,65 @@
err: fmt.Errorf("HTTP code is not OK. %v: %v", res.StatusCode, res.Status),
}
}
logger.Debug("reading contents")
ocspResBytes, err = io.ReadAll(res.Body)
if err != nil {
return ocspRes, ocspResBytes, &ocspStatus{
code: ocspFailedExtractResponse,
err: err,
}
}
logger.Debug("parsing OCSP response")
ocspRes, err = ocsp.ParseResponse(ocspResBytes, issuer)
if err != nil {
logger.Warnf("error when parsing ocsp response: %v\n", err)
logger.Warnf("performing GET fallback request to OCSP\n")
return fallbackRetryOCSPToGETRequest(ctx, client, req, ocspHost, headers, issuer, totalTimeout)
}

logger.Debugf("OCSP Status from server: %v\n", ocspRes.Status)
return ocspRes, ocspResBytes, &ocspStatus{
code: ocspSuccess,
}
}

func fallbackRetryOCSPToGETRequest(
ctx context.Context,
client clientInterface,
req requestFunc,
ocspHost *url.URL,
headers map[string]string,
issuer *x509.Certificate,
totalTimeout time.Duration) (
ocspRes *ocsp.Response,
ocspResBytes []byte,
ocspS *ocspStatus) {
multiplier := 1
if atomic.LoadUint32((*uint32)(&ocspFailOpen)) == (uint32)(OCSPFailOpenFalse) {
multiplier = 3 // up to 3 times for Fail Close mode
}
res, err := newRetryHTTP(
ctx, client, req, ocspHost, headers,
totalTimeout*time.Duration(multiplier)).execute()

if err != nil {
return ocspRes, ocspResBytes, &ocspStatus{
code: ocspFailedSubmit,
err: err,
}
}
defer res.Body.Close()
logger.Debugf("GET fallback StatusCode from OCSP Server: %v\n", res.StatusCode)
if res.StatusCode != http.StatusOK {
return ocspRes, ocspResBytes, &ocspStatus{
code: ocspFailedResponse,
err: fmt.Errorf("HTTP code is not OK. %v: %v", res.StatusCode, res.Status),
}
}
ocspResBytes, err = io.ReadAll(res.Body)
if err != nil {
return ocspRes, ocspResBytes, &ocspStatus{
code: ocspFailedExtractResponse,
err: err,
}
}
ocspRes, err = ocsp.ParseResponse(ocspResBytes, issuer)
if err != nil {
return ocspRes, ocspResBytes, &ocspStatus{
Expand All @@ -445,11 +495,36 @@
}
}

logger.Debugf("GET fallback OCSP Status from server: %v\n", printStatus(ocspRes))
return ocspRes, ocspResBytes, &ocspStatus{
code: ocspSuccess,
}
}

func printStatus(response *ocsp.Response) string {
switch response.Status {
case ocsp.Good:
return "Good"
case ocsp.Revoked:
return "Revoked"
case ocsp.Unknown:
return "Unknown"
default:
return fmt.Sprintf("%d", response.Status)
}
}

func fullOCSPURL(url *url.URL) string {
fullURL := url.Hostname()
if url.Path != "" {
if !strings.HasPrefix(url.Path, "/") {
fullURL += "/"
}
fullURL += url.Path
}
return fullURL
}

// getRevocationStatus checks the certificate revocation status for subject using issuer certificate.
func getRevocationStatus(ctx context.Context, subject, issuer *x509.Certificate) *ocspStatus {
logger.Infof("Subject: %v, Issuer: %v\n", subject.Subject, issuer.Subject)
Expand Down Expand Up @@ -484,9 +559,14 @@
hostnameStr := os.Getenv(ocspTestResponderURLEnv)
var hostname string
if retryURL := os.Getenv(ocspRetryURLEnv); retryURL != "" {
hostname = fmt.Sprintf(retryURL, u.Hostname(), base64.StdEncoding.EncodeToString(ocspReq))
hostname = fmt.Sprintf(retryURL, fullOCSPURL(u), base64.StdEncoding.EncodeToString(ocspReq))
u0, err := url.Parse(hostname)
if err == nil {
hostname = u0.Hostname()
u = u0
}
} else {
hostname = u.Hostname()
hostname = fullOCSPURL(u)
}
if hostnameStr != "" {
u0, err := url.Parse(hostnameStr)
Expand All @@ -495,6 +575,10 @@
u = u0
}
}

logger.Debugf("Fetching OCSP response from server: %v\n", u)
logger.Debugf("Host in headers: %v\n", hostname)

headers := make(map[string]string)
headers[httpHeaderContentType] = "application/ocsp-request"
headers[httpHeaderAccept] = "application/ocsp-response"
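Review bot: In the last hunk the `else` branch now sets `hostname = fullOCSPURL(u)`, which includes the URL path, and the new `Host in headers` debug line suggests that value is sent as the HTTP Host header; a Host value of the form host/path is malformed, and only the retry-URL branch re-parses it back to a bare hostname via `u0.Hostname()`. Keep the header value as `hostname = u.Hostname()` and use `fullOCSPURL(u)` only where the full responder path is actually needed. Separately, the new `fallbackRetryOCSPToGETRequest` reads the reply with an unbounded `io.ReadAll(res.Body)` from a responder reached over plain HTTP, so an oversize or tampered reply can consume arbitrary memory; `io.ReadAll(io.LimitReader(res.Body, MAX_OCSP_RESPONSE_BYTES))` with a suitably named constant (placeholder here) caps that, and the same applies to the pre-existing read in the POST path. `fullOCSPURL` also names its parameter `url`, shadowing the `net/url` package inside the function, so `u` would read better. The getRevocationStatus body both starts and continues outside the last hunk.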