Storagetest

ci/image/Dockerfile.nodejs-centos7-node14-test

@@ -4,7 +4,7 @@ FROM centos:7
 # update OS
 RUN yum -y update && \
     yum -y install epel-release && \
-    yum -y install centos-release-scl
+    yum -y install centos-release-scl 
 
 # nvm environment variables
 ENV NVM_DIR /usr/local/nvm

lib/agent/ocsp_response_cache.js

@@ -30,7 +30,7 @@ var maxAgeSec = GlobalConfig.getOcspResponseCacheMaxAge();
 Errors.assertInternal(Util.number.isPositiveInteger(sizeLimit));
 Errors.assertInternal(Util.number.isPositiveInteger(maxAgeSec));
 
-const cacheDir = GlobalConfig.mkdirCacheDir();
+const cacheDir = GlobalConfig.mkdirCacheDir(process.env.SF_OCSP_RESPONSE_CACHE_DIR);
 const cacheFileName = path.join(cacheDir, "ocsp_response_cache.json");
 // create a cache to store the responses, dynamically changes in size
 var cache;

lib/authentication/auth_default.js

@@ -30,6 +30,10 @@
   {
     return;
   };
+
+  this.reauthenticate = async function (body) {
+    return;
+  }
 }
 
 module.exports = auth_default;

lib/authentication/auth_idtoken.js

@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2015-2023 Snowflake Computing Inc. All rights reserved.
+ */
+
+const auth_web = require('./auth_web');
+
+/**
+ * Creates an oauth authenticator.
+ *
+ * @param {String} token
+ *
+ * @returns {Object}
+ * @constructor
+ */
+function auth_idToken(connectionConfig, httpClient) {
+
+  this.idToken = connectionConfig.idToken;
+
+  /**
+   * Update JSON body with token.
+   *
+   * @param {JSON} body
+   *
+   * @returns {null}
+   */
+  this.updateBody = function (body) {
+    body['data']['TOKEN'] = this.idToken;
+    body['data']['AUTHENTICATOR'] = 'ID_TOKEN';
+  };
+
+  this.resetSecret = function () {
+    this.idToken = null;
+  };
+
+  this.authenticate = async function (authenticator, serviceName, account, username) {
+    return;
+  };
+
+  this.reauthenticate = async function (body) {
+    const auth = new auth_web(connectionConfig, httpClient);
+    await auth.authenticate(connectionConfig.getAuthenticator(),
+      connectionConfig.getServiceName(),
+      connectionConfig.account,
+      connectionConfig.username);
+    auth.updateBody(body);
+  };
+}
+
+module.exports = auth_idToken;

lib/authentication/auth_keypair.js

@@ -192,6 +192,10 @@
       throw jwtErr;
     }
   }
+
+  this.reauthenticate = async function (body) {
+    return;
+  }
 }
 
 module.exports = auth_keypair;

lib/authentication/auth_oauth.js

@@ -30,6 +30,10 @@
   {
     return;
   };
+
+  this.reauthenticate = async function (body) {
+    return;
+  }
 }
 
 module.exports = auth_oauth;

lib/authentication/auth_okta.js

@@ -97,6 +97,10 @@
     step5(responseHtml);
   };
 
+  this.reauthenticate = async function (body) {
+    return;
+  }
+
   /**
   * Obtain the SSO URL and token URL.
   *

lib/authentication/auth_web.js

@@ -48,6 +48,7 @@
    */
   this.updateBody = function (body)
   {
+    body['data']['AUTHENTICATOR'] = 'EXTERNALBROWSER'
     body['data']['TOKEN'] = token;
     body['data']['PROOF_KEY'] = proofKey;
   };
@@ -99,6 +100,10 @@
     processGet(tokenData);
   };
 
+  this.reauthenticate = async function (body) {
+    return;
+  }
+
   /**
    * Create server to retrieve SAML token.
    *

lib/authentication/authentication.js

@@ -1,19 +1,21 @@
 /*
- * Copyright (c) 2015-2021 Snowflake Computing Inc. All rights reserved.
+ * Copyright (c) 2015-2023 Snowflake Computing Inc. All rights reserved.
  */
 
 const auth_default = require('./auth_default');
 const auth_web = require('./auth_web');
 const auth_keypair = require('./auth_keypair');
 const auth_oauth = require('./auth_oauth');
 const auth_okta = require('./auth_okta');
+const auth_idToken = require('./auth_idtoken');
 
 const authenticationTypes =
 {
   DEFAULT_AUTHENTICATOR: 'SNOWFLAKE', // default authenticator name
   EXTERNAL_BROWSER_AUTHENTICATOR: 'EXTERNALBROWSER',
   KEY_PAIR_AUTHENTICATOR: 'SNOWFLAKE_JWT',
   OAUTH_AUTHENTICATOR: 'OAUTH',
+  ID_TOKEN_AUTHENTICATOR: 'ID_TOKEN',
 };
 
 exports.authenticationTypes = authenticationTypes;
@@ -73,9 +75,13 @@
   if (auth === authenticationTypes.DEFAULT_AUTHENTICATOR) {
     return new auth_default(connectionConfig.password);
   } else if (auth === authenticationTypes.EXTERNAL_BROWSER_AUTHENTICATOR) {
-    return new auth_web(connectionConfig, httpClient);
-  }
-  if (auth === authenticationTypes.KEY_PAIR_AUTHENTICATOR) {
+    if(connectionConfig.getClientStoreTemporaryCredential() && connectionConfig.idToken !== null) {
+      return new auth_idToken(connectionConfig, httpClient);
+    }
+    else {
+      return new auth_web(connectionConfig, httpClient);
+    }
+  } else if (auth === authenticationTypes.KEY_PAIR_AUTHENTICATOR) {
     return new auth_keypair(connectionConfig.getPrivateKey(),
       connectionConfig.getPrivateKeyPath(),
       connectionConfig.getPrivateKeyPass());
@@ -87,13 +93,12 @@
       connectionConfig.account,
       connectionConfig.getClientType(),
       connectionConfig.getClientVersion(),
-      httpClient
-    );
+      httpClient);
   } else {
     // Authenticator specified does not exist
     return new auth_default(connectionConfig.password);
   }
-};
+}
 
 /**
  * Returns the boolean describing if the provided authenticator is okta or not.

lib/authentication/secureStorage.js

@@ -0,0 +1,84 @@
+/*
+ * Copyright (c) 2015-2023 Snowflake Computing Inc. All rights reserved.
+ */
+
+const path = require('path');
+const GlobalConfig = require('../global_config');
+const Logger = require('../logger');
+const fs = require('fs/promises');
+
+function createCredentialCacheDir() {
+  const cacheDirectory = GlobalConfig.mkdirCacheDir(process.env.SF_TEMPORARY_CREDENTIAL_CACHE_DIR);
+  const credCache = path.join(cacheDirectory, 'temporary_credential.json');
+  Logger.getInstance().info('Cache directory: ', credCache);
+  return credCache;
+}
+
+/**
+ * 
+ * @param {String} host 
+ * @param {String} user 
+ * @param {String} credType 
+ * @returns 
+ */
+
+function buildTemporaryCredentialName(host, user, credType) {
+  return `{${host.toUpperCase()}}:{${user.toUpperCase()}}:{SF_NODE_JS_DRIVER}:{${credType}}}`;
+}
+
+async function writeCredential(host, user, credType, token){
+  if (!token || token === '') {
+    Logger.getInstance().debug('Token is not provided');
+    return;
+  } else {
+    try {
+      try {
+        const keytar = require('keytar');
+        await keytar.setPassword(host, buildTemporaryCredentialName(host, user, credType), token);
+      } catch (err) {
+        const dir = createCredentialCacheDir();
+        Logger.getInstance().trace('Failed to save the token in the credential manager. The token will be saved on the the local machine at', dir);
+        await fs.writeFile(dir, token, 'utf8');
+      }
+    } catch (err){
+      Logger.getInstance().error('Failed to save Credential: ', err.message);
+    } 
+  }
+}
+
+async function readCredential(host, user, credType) {
+  try {
+    try {
+      const keytar = require('keytar');
+      return await keytar.getPassword(host, buildTemporaryCredentialName(host, user, credType));
+    } catch (err) {
+      const dir = createCredentialCacheDir();
+      Logger.getInstance().trace('Failed to read the token from the credential manager. Searching the token at ', dir);
+      return await fs.readFile(dir, 'utf8');
+    }
+  } catch (err){
+    Logger.getInstance().error('Failed to save Credential: ', err.message);
+  } 
+}
+
+async function deleteCredential(host, user, credType) {
+  try {
+    try {
+      const keytar = require('keytar');
+      return await keytar.deletePassword(host, buildTemporaryCredentialName(host, user, credType));
+    } catch (err) {
+      const dir = createCredentialCacheDir();
+      return await fs.unlink(dir);
+    }
+  } catch (err){
+    Logger.getInstance().error('Failed to save Credential: ', err.message);
+  } 
+}
+
+module.exports = { 
+  createCredentialCacheDir, 
+  buildTemporaryCredentialName, 
+  writeCredential,
+  readCredential, 
+  deleteCredential 
+};

lib/connection/connection.js

@@ -5,6 +5,7 @@
 const Url = require('url');
 const QueryString = require('querystring');
 const GSErrors = require('../constants/gs_errors')
+const SecureStorage = require('../authentication/secureStorage');
 const QueryStatus = require('../constants/query_status');
 
 var Util = require('../util');
@@ -302,6 +303,12 @@
     // the connection can be passed in when invoking the connection.connect()
     // callback
     var self = this;
+    const authType = Authenticator.authenticationTypes;
+
+    if (connectionConfig.getClientStoreTemporaryCredential()) {
+      connectionConfig.idToken = await SecureStorage.readCredential(connectionConfig.account, 
+        connectionConfig.username, authType.ID_TOKEN_AUTHENTICATOR);
+    }
 
     // Get authenticator to use
     const auth = Authenticator.getAuthenticator(connectionConfig, context.getHttpClient());
@@ -311,32 +318,30 @@
       await auth.authenticate(connectionConfig.getAuthenticator(),
         connectionConfig.getServiceName(),
         connectionConfig.account,
-        connectionConfig.username)
-        .then(() =>
-        {
+        connectionConfig.username);
+
           // JSON for connection
           var body = Authenticator.formAuthJSON(connectionConfig.getAuthenticator(),
             connectionConfig.account,
             connectionConfig.username,
             connectionConfig.getClientType(),
             connectionConfig.getClientVersion(),
             connectionConfig.getClientEnvironment());
-
+    
           // Update JSON body with the authentication values
           auth.updateBody(body);
-
+    
           // Request connection
           services.sf.connect({
             callback: connectCallback(self, callback),
             json: body
           });
-        });
     }
     catch (authErr)
     {
       callback(authErr);
     }
-
+    
     // return the connection to facilitate chaining
     return this;
   };

lib/connection/connection_config.js

@@ -52,6 +52,7 @@
   'includeRetryReason',
   'disableQueryContextCache',
   'retryTimeout',
+  'clientStoreTemporaryCredential',
 ];
 const Logger = require('../logger');
 
@@ -520,6 +521,14 @@
     includeRetryReason = options.includeRetryReason;
   }
 
+  let clientStoreTemporaryCredential = true;
+  if (Util.exists(options.clientStoreTemporaryCredential)) {
+    Errors.checkArgumentValid(Util.isBoolean(options.clientStoreTemporaryCredential),
+    ErrorCodes.ERR_CONN_CREATE_INVALID_CLIENT_STORE_TEMPORARY_CREDENTIAL);
+
+    clientStoreTemporaryCredential = options.clientStoreTemporaryCredential;
+  }
+
   /**
    * Returns an object that contains information about the proxy hostname, port,
    * etc. for when http requests are made.
@@ -801,6 +810,15 @@
     return disableQueryContextCache;
   }
 
+  /** 
+   * Returns whether the auth token saves on the local machine or not. 
+   *
+   * @returns {Boolean}
+   */
+  this.getClientStoreTemporaryCredential = function () {
+    return clientStoreTemporaryCredential;
+  }
+
   /**
    * Returns the client config file
    *
@@ -992,7 +1010,7 @@
       name: PARAM_RETRY_SF_MAX_SLEEP_TIME,
       defaultValue: 16,
       validate: isNonNegativeNumber
-    }
+    },
   ];
 }
 

lib/constants/error_messages.js

@@ -71,6 +71,7 @@ exports[404043] = 'Invalid clientConfigFile value. The specified value must be a
 exports[404044] = 'Invalid retryTimeout value. The specified value must be a number.';
 exports[404045] = 'Invalid account. The specified value must be a valid subdomain string.';
 exports[404046] = 'Invalid region. The specified value must be a valid subdomain string.';
+exports[404047] = 'Invalid clientStoreTemporaryCredential. The specified value must be a boolean.';
 
 // 405001
 exports[405001] = 'Invalid callback. The specified value must be a function.';

lib/errors.js

@@ -76,6 +76,7 @@ codes.ERR_CONN_CREATE_INVALID_CLIENT_CONFIG_FILE = 404043;
 codes.ERR_CONN_CREATE_INVALID_RETRY_TIMEOUT = 404044;
 codes.ERR_CONN_CREATE_INVALID_ACCOUNT_REGEX = 404045;
 codes.ERR_CONN_CREATE_INVALID_REGION_REGEX = 404046;
+codes.ERR_CONN_CREATE_INVALID_CLIENT_STORE_TEMPORARY_CREDENTIAL = 404047;
 
 // 405001
 codes.ERR_CONN_CONNECT_INVALID_CALLBACK = 405001;