SNOW-1729580 + SNOW-1739682 Remove encryption storage information in logs, remove retry on 400 (#882)

Co-authored-by: Jakub Szczerbiński <jakub.szczerbinski@snowflake.com>
Co-authored-by: Piotr Bulawa <piotr.bulawa@snowflake.com>

Author: 3 people

cpp/logger/SecretDetector.cpp

@@ -17,10 +17,14 @@ namespace Client
 
   boost::regex SecretDetector::PRIVATE_KEY_DATA_PATTERN = boost::regex("\"privateKeyData\": \"([A-Za-z0-9/+=\\\\n]{10,})\"", boost::regex::extended | boost::regex::icase);
 
-  boost::regex SecretDetector::CONNECTION_TOKEN_PATTERN = boost::regex("(token|assertion content)(['\"\\s:=]+)([A-Za-z0-9=/_+-]{8,})", boost::regex::icase);
+  boost::regex SecretDetector::CONNECTION_TOKEN_PATTERN = boost::regex("(token|assertion content|queryStageMasterKey|aws_key_id|aws_secret_key|aws_token)(['\"\\s:=]+)([A-Za-z0-9=/_+-]{8,})", boost::regex::icase);
 
   boost::regex SecretDetector::PASSWORD_PATTERN = boost::regex("(password|passcode|pwd)(['\"\\s:=]+)([A-Za-z0-9!\"#$%&'\\()*+,-./:;<=>?@\\[\\]^_`\\{|\\}~]{6,})", boost::regex::icase);
 
+  boost::regex SecretDetector::ENCRYPTION_CREDS_IN_JSON_PATTERN = boost::regex("\"(encryptionMaterial|creds)\"\\s*:\\s*\\{.*?\\}", boost::regex::icase);
+
+  boost::regex SecretDetector::TOKEN_IN_JSON_PATTERN = boost::regex("\"(mastertoken|token)\":(\\t|\\s+)\"[a-zA-Z0-9=/_+-:]+\"", boost::regex::icase);
+
   std::string SecretDetector::maskAwsKeys(std::string text)
   {
     return boost::regex_replace(text, SecretDetector::AWS_KEY_PATTERN, "$1$2'****'");
@@ -56,6 +60,16 @@ namespace Client
     return boost::regex_replace(text, SecretDetector::PASSWORD_PATTERN, "$1$2****");
   }
 
+  std::string SecretDetector::maskEncryptioncCredsInJson(std::string text)
+  {
+      return boost::regex_replace(text, SecretDetector::ENCRYPTION_CREDS_IN_JSON_PATTERN, "\"$1\": ****");
+  }
+
+  std::string SecretDetector::maskTokenInJson(std::string text)
+  {
+      return boost::regex_replace(text, SecretDetector::TOKEN_IN_JSON_PATTERN, "\"$1\": ****");
+  }
+
   std::string SecretDetector::maskSecrets(std::string text)
   {
     return SecretDetector::maskAwsKeys(
@@ -65,7 +79,11 @@ namespace Client
             SecretDetector::maskPrivateKeyData(
               SecretDetector::maskConnectionToken(
                 SecretDetector::maskPassword(
-                  text
+                  SecretDetector::maskEncryptioncCredsInJson(
+                    SecretDetector::maskTokenInJson(
+                      text
+                      )
+                    )
                   )
                 )
               )

cpp/logger/SecretDetector.hpp

@@ -27,6 +27,8 @@ class SecretDetector
     static boost::regex PRIVATE_KEY_DATA_PATTERN;
     static boost::regex CONNECTION_TOKEN_PATTERN;
     static boost::regex PASSWORD_PATTERN;
+    static boost::regex ENCRYPTION_CREDS_IN_JSON_PATTERN;
+    static boost::regex TOKEN_IN_JSON_PATTERN;
 
     static std::string maskAwsKeys(std::string text);
     static std::string maskAwsTokens(std::string text);
@@ -35,6 +37,8 @@ class SecretDetector
     static std::string maskPrivateKeyData(std::string text);
     static std::string maskConnectionToken(std::string text);
     static std::string maskPassword(std::string text);
+    static std::string maskEncryptioncCredsInJson(std::string text);
+    static std::string maskTokenInJson(std::string text);
 };
 
 }

lib/connection.c

@@ -851,7 +851,7 @@ char_resp_cb(char *data, size_t size, size_t nmemb, RAW_CHAR_BUFFER *raw_buf) {
 }
 
 sf_bool STDCALL is_retryable_http_code(long int code) {
-    return ((code >= 500 && code < 600) || code == 400 || code == 403 ||
+    return ((code >= 500 && code < 600) || code == 403 ||
             code == 408 || code == 429) ? SF_BOOLEAN_TRUE : SF_BOOLEAN_FALSE;
 }
 

tests/test_unit_logger.c

@@ -502,6 +502,38 @@ void test_mask_secret_log() {
             "\"privateKeyData\": \"abcdefghijk\"",
             "\"privateKeyData\": \"XXXX\""
         },
+        {//13
+            "queryStageMasterKey: 123asdfasdfASDFasdf456asdfasdfASDFasdf==",
+            "queryStageMasterKey: ****"
+        },
+        {//14
+            "AWS_KEY_ID: AKIAIOSFODNN7EXAMPLE",
+            "AWS_KEY_ID: ****"
+        },
+        {//15
+            "AWS_SECRET_KEY: 123asdfasdfASDFasdf/456asdfasdfASDF/asdf",
+            "AWS_SECRET_KEY: ****"
+        },
+        {//16
+            "AWS_TOKEN: ETMsDgAAAXI0IS9NABRBRVMvQ0JDL1BLQ1M1UGFkZGluZwCAABAAEEb/xAQlmT+mwIx9G32E+ikAAACA/CPlEkq//+jWZnQkOj5VhjayruDsCVRGS/B6GzHUugXLc94EfEwuto94gS/oKSVrUg/JRPekypLAx4Afa1KW8n1RqXRF9Hzy1VVLmVEBMtei3yFJPNSHtfbeFHSr9eVB/OL8dOGbxQluGCh6XmaqTjyrh3fqUTWz7+n74+gu2ugAFFZ18iT+DStK0TTdmy4vBC6xUcHQ==",
+            "AWS_TOKEN: ****"
+        },
+        {//17
+            "\"encryptionMaterial\":\t{\n\t\t\t\"queryStageMasterKey\":\t\"123asdfasdfASDFasdf==\",\n\t\t\t\"queryId\":\t\"01b6f5ba-0002-0181-0000-11111111da\",\n\t\t\t\"smkId\":\t1111\n\t\t}",
+            "\"encryptionMaterial\": ****"
+        },
+        {//18
+            "\"creds\":\t{\n\t\t\t\t\"AWS_KEY_ID\":\t\"AKIAIOSFODNN7EXAMPLE\",\n\t\t\t\t\"AWS_SECRET_KEY\":\t\"123asdfasdfASDFasdf456asdfasdfASDFasdf\",\n\t\t\t\t\"AWS_TOKEN\":\t\"abc\",\n\t\t\t\t\"AWS_ID\":\t\"AKIAIOSFODNN7EXAMPLE\",\n\t\t\t\t\"AWS_KEY\":\t\"123asdfasdfASDFasdf456asdfasdfASDFasdf\"\n\t\t\t}",
+            "\"creds\": ****"
+        },
+        {//19
+            "\"token\":\t\"ETM:sDgAAA-XI0IS9NABRBRVMvQ0JDL1BLQ1M1UGFkZGluZwCAABAAEEb/xAQlmT+mwIx9G32E+ikAAACA/CPlEkq//+jWZnQkOj5VhjayruDsCVRGS/B6GzHUugXLc94EfEwuto94gS/oKSVrUg/JRPekypLAx4Afa1KW8n1RqXRF9Hzy1VVLmVEBMtei3yFJPNSHtfbeFHSr9eVB/OL8dOGbxQluGCh6XmaqTjyrh3fqUTWz7+n74+gu2ugAFFZ18iT+DStK0TTdmy4vBC6xUcHQ==\"",
+            "\"token\": ****"
+        },
+        {//20
+            "\"masterToken\":\t\"ETM:sDgAAA-XI0IS9NABRBRVMvQ0JDL1BLQ1M1UGFkZGluZwCAABAAEEb/xAQlmT+mwIx9G32E+ikAAACA/CPlEkq//+jWZnQkOj5VhjayruDsCVRGS/B6GzHUugXLc94EfEwuto94gS/oKSVrUg/JRPekypLAx4Afa1KW8n1RqXRF9Hzy1VVLmVEBMtei3yFJPNSHtfbeFHSr9eVB/OL8dOGbxQluGCh6XmaqTjyrh3fqUTWz7+n74+gu2ugAFFZ18iT+DStK0TTdmy4vBC6xUcHQ==\"",
+            "\"masterToken\": ****"
+        },
     };
 
     char * line = NULL;

tests/test_unit_retry_context.c

@@ -20,6 +20,7 @@
 #define URL_AUTHENTICATOR "http://snowflake.com/session/authenticator-request"
 
 void test_update_url_no_guid(void **unused) {
+    SF_UNUSED(unused);
     char urlbuf[512];
     sf_sprintf(urlbuf, sizeof(urlbuf), "%s", URL_NO_GUID);
     RETRY_CONTEXT retry_ctx = {
@@ -36,6 +37,7 @@ void test_update_url_no_guid(void **unused) {
 }
 
 void test_update_other_url_with_guid(void **unused) {
+  SF_UNUSED(unused);
   char urlbuf[512];
   sf_sprintf(urlbuf, sizeof(urlbuf), "%s", URL_NON_QUERY_WITH_GUID);
   RETRY_CONTEXT retry_ctx = {
@@ -62,6 +64,7 @@ void test_update_other_url_with_guid(void **unused) {
 }
 
 void test_update_query_url_with_retry_reason_disabled(void **unused) {
+  SF_UNUSED(unused);
   char urlbuf[512];
   sf_sprintf(urlbuf, sizeof(urlbuf), "%s", URL_QUERY);
   RETRY_CONTEXT retry_ctx = {
@@ -138,6 +141,7 @@ void test_update_query_url_with_retry_reason_disabled(void **unused) {
 }
 
 void test_update_query_url_with_retry_reason_enabled(void **unused) {
+  SF_UNUSED(unused);
   char urlbuf[512];
   sf_sprintf(urlbuf, sizeof(urlbuf), "%s", URL_QUERY);
   RETRY_CONTEXT retry_ctx = {
@@ -205,6 +209,7 @@ void test_update_query_url_with_retry_reason_enabled(void **unused) {
 }
 
 void test_new_retry_strategy(void **unused) {
+  SF_UNUSED(unused);
   DECORRELATE_JITTER_BACKOFF djb = {
     SF_BACKOFF_BASE,    //base
     SF_NEW_STRATEGY_BACKOFF_CAP      //cap
@@ -218,7 +223,7 @@ void test_new_retry_strategy(void **unused) {
     sf_get_current_time_millis() // start time
   };
 
-  uint32 error_codes[SF_MAX_RETRY] = {429, 503, 403, 408, 400, 538, 525};
+  uint32 error_codes[SF_MAX_RETRY] = {429, 503, 403, 503, 408, 538, 525};
   uint32 backoff = SF_BACKOFF_BASE;
   uint32 next_sleep_in_secs = 0;
   uint32 total_backoff = 0;
@@ -256,6 +261,7 @@ void test_new_retry_strategy(void **unused) {
 }
 
 void test_retry_request_header(void **unused) {
+  SF_UNUSED(unused);
   struct TESTCASE {
     const char* url;
     sf_bool has_app_header;
@@ -303,6 +309,29 @@ void test_retry_request_header(void **unused) {
   }
 }
 
+void test_retryable_http_code(void **unused) {
+  SF_UNUSED(unused);
+  struct TEST_CODE {
+    uint32 code;
+    sf_bool retryable;
+  };
+
+  struct TEST_CODE cases[] = {
+    { 400, SF_BOOLEAN_FALSE },
+    { 403, SF_BOOLEAN_TRUE },
+    { 404, SF_BOOLEAN_FALSE },
+    { 408, SF_BOOLEAN_TRUE },
+    { 429, SF_BOOLEAN_TRUE },
+    { 503, SF_BOOLEAN_TRUE },
+    { 600, SF_BOOLEAN_FALSE },
+  };
+
+  for (unsigned i = 0; i < sizeof(cases) / sizeof(struct TEST_CODE); i++)
+  {
+    assert_int_equal(is_retryable_http_code(cases[i].code), cases[i].retryable);
+  }
+}
+
 int main(void) {
     const struct CMUnitTest tests[] = {
         cmocka_unit_test(test_update_url_no_guid),
@@ -311,6 +340,7 @@ int main(void) {
         cmocka_unit_test(test_update_query_url_with_retry_reason_enabled),
         cmocka_unit_test(test_new_retry_strategy),
         cmocka_unit_test(test_retry_request_header),
+        cmocka_unit_test(test_retryable_http_code),
     };
     return cmocka_run_group_tests(tests, NULL, NULL);
 }