SNOW-618478: support passing private key as base64 encoded string (private_key_base64) as alternative to (private_key_file) #1810
Conversation
|
All contributors have signed the CLA ✍️ ✅ |
|
I have read the CLA Document and I hereby sign the CLA |
|
recheck |
src/main/java/net/snowflake/client/core/SessionUtilKeyPair.java
Outdated
Show resolved
Hide resolved
src/main/java/net/snowflake/client/jdbc/SnowflakeBasicDataSource.java
Outdated
Show resolved
Hide resolved
| + privateKeyBase64; | ||
|
|
||
| try (Connection connection = DriverManager.getConnection(uri, properties)) {} | ||
| // test with incorrect password for private key |
There was a problem hiding this comment.
let's make it a separate test - the same also in other sections below
| } | ||
|
|
||
| // test with invalid public/private key combo (using 1st public key with 2nd private key) | ||
| try (Connection connection = getConnection(); |
There was a problem hiding this comment.
can we create a method for adding public key and reuse it?
| } | ||
| } | ||
|
|
||
| // This will only work with JDBC driver versions higher than 3.15.1 |
There was a problem hiding this comment.
it will work in version higher than 3.17.0 probably
There was a problem hiding this comment.
Not my insight... this comment exists above testPrivateKeyInConnectionStringWithBouncyCastle and if it does apply there then it also should apply here.
There was a problem hiding this comment.
Still we wants to have LatestIT tests marked with comment with version
| @@ -891,6 +950,146 @@ public void testPrivateKeyInConnectionStringWithBouncyCastle() throws SQLExcepti | |||
| testPrivateKeyInConnectionString(); | |||
| } | |||
|
|
|||
| @Test | |||
There was a problem hiding this comment.
please add a comment about version when the test will work > 3.17.0 probably
There was a problem hiding this comment.
Not clear on the ask here. I assume the version limitation is based upon historical support for BouncyCastle - right?
System.setProperty(SecurityUtil.ENABLE_BOUNCYCASTLE_PROVIDER_JVM, "true");
So if that was introduced in 3.15.1 as the existing comment on testPrivateKeyInConnectionStringWithBouncyCastle suggests..then it should apply equally to the new testPrivateKeyBase64InConnectionStringWithBouncyCastle
Right?
There was a problem hiding this comment.
On each our test added to classes ...LatestIT we add comment to mark from which version this test is correct. Currently the last released version is 3.17.0 so above newly added test that use new connection property you added there should be comment e.g. in other tests
|
Hey @sfc-gh-dprzybysz thanks for reviewing this one. I knocked out most of your asks but see my feedback on the proposed changes to ConnectionLatestIt where I've introduced a couple test methods that are carbon copies of testPrivatekKeyFileXXX equivalents. I'm thinking we should keep those more or less in sync with respect to design - agreed? |
|
Hey SF folks, any timeline of when this PR will be merged and released? This currently blocks several users of Spark and Hikari from using Key Pair Auth properly. |
| } | ||
|
|
||
| /** | ||
| * Helper function to generate a JWT token |
There was a problem hiding this comment.
please add link in javadoc to function above
| import java.util.Map; | ||
| import java.nio.file.Files; | ||
| import java.nio.file.Paths; | ||
| import java.util.*; |
There was a problem hiding this comment.
it should still fail on checkstyle, please run mvn -P check-style validate
| import java.util.List; | ||
| import java.util.Map; | ||
| import java.util.Properties; | ||
| import java.util.*; |
There was a problem hiding this comment.
here also the checkstyle check will fail
| @@ -891,6 +950,146 @@ public void testPrivateKeyInConnectionStringWithBouncyCastle() throws SQLExcepti | |||
| testPrivateKeyInConnectionString(); | |||
| } | |||
|
|
|||
| @Test | |||
There was a problem hiding this comment.
On each our test added to classes ...LatestIT we add comment to mark from which version this test is correct. Currently the last released version is 3.17.0 so above newly added test that use new connection property you added there should be comment e.g. in other tests
| properties.put("port", parameters.get("port")); | ||
| try (Connection connection = DriverManager.getConnection(uri, properties)) {} | ||
|
|
||
| // PKCS #1 |
There was a problem hiding this comment.
@ets could you split the test into smaller ones?
| } | ||
| } | ||
|
|
||
| // This will only work with JDBC driver versions higher than 3.15.1 |
There was a problem hiding this comment.
Still we wants to have LatestIT tests marked with comment with version
|
@ets Please also rebase your change when you will be addressing the comments |
|
@sfc-gh-dprzybysz I see that you got to the open items here before me. Are there any remaining that you'd like me to look into or is this PR ready for next steps now? |
…ew session property key "private_key_base64" Rename private key password variable for clarity Add deprecation to private key file password
|
Merged with #1847 |
Overview
SNOW-618478
What GitHub issue is this PR addressing? Make sure that there is an accompanying issue to your PR.
SNOW-618478: Unable to authenticate with a private key by using spring datasource properties #1053
Fill out the following pre-review checklist:
- None were added but a few log messages were tweaked for clarity
@SnowflakeJdbcInternalApi(note that public/protected methods/fields in classes marked with this annotation are already internal)Please describe how your code solves the related issue.
Please write a short description of how your code change solves the related issue.
There are currently only two options for passing a privateKey for authentication purposes. The key can be supplied as a fully instantiated PrivateKey object or a path to a private key file can be supplied and the PrivateKey object will be extracted. Neither option supports the usecase where the calling code needs to pass the privateKey as a String.
As the GitHub issue documents, there are several scenarios where passing the privateKey as a String is required (Hikari pool only accepts property values of type String, Spark.read if you don't want to push the file to every executor, etc..). This PR adds a new session property "private_key_base64" which complements the existing "private_key_file". The new logic ensures that only one of private_key_base64, private_key_file, or private_key are not null. Then it extracts, decrypts, and instantiates the needed private_key as appropriate.
The PR piggy-backs upon the existing tests for private_key_file and adds variants that instead leverage private_key_base64 to demonstrate expected behavior.