SNOW-1825501 SNOW-1917238 OAuth Authorization Code flow, OAuth Client Credential flow and Programmatic Access Token authentications (#1154)

Co-authored-by: Patryk Cyrek <[email protected]>

Author: sfc-gh-knozderko

.github/workflows/main.yml

@@ -3,9 +3,9 @@ name: DotNet Build and Test
 # Triggers the workflow on push or pull request events but only for the master branch
 on:
   push:
-    branches: [ master ]
+    branches: [ master, oauth_flows ]
   pull_request:
-    branches: [ master ]
+    branches: [ master, oauth_flows ]
   workflow_dispatch:
     inputs:
       logLevel:

.github/workflows/parameters/parameters_aws_auth_tests.json.gpg

@@ -17,6 +17,9 @@ static class AuthConnectionString
         public static readonly string SsoUser = Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_BROWSER_USER");
         public static readonly string Host = Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_HOST");
         public static readonly string SsoPassword = Environment.GetEnvironmentVariable("SNOWFLAKE_TEST_OKTA_PASS");
+        public static readonly string SnowflakeUser = Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_SNOWFLAKE_USER");
+        public static readonly string SnowflakeRole = Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_INTERNAL_OAUTH_SNOWFLAKE_ROLE");
+
 
         private static SFSessionProperties GetBaseConnectionParameters()
         {
@@ -29,7 +32,20 @@ private static SFSessionProperties GetBaseConnectionParameters()
                 {SFSessionProperty.DB, Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_DATABASE") },
                 {SFSessionProperty.SCHEMA, Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_SCHEMA") },
                 {SFSessionProperty.WAREHOUSE, Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_WAREHOUSE") },
+                {SFSessionProperty.MINPOOLSIZE, "0"},
+                {SFSessionProperty.CLIENT_STORE_TEMPORARY_CREDENTIAL, "false"}
+            };
+            return properties;
+        }
+
+        public static SFSessionProperties GetSnowflakeLoginCredentials()
+        {
+            var properties = new SFSessionProperties()
+            {
+                { SFSessionProperty.USER, Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_EXTERNAL_OAUTH_OKTA_CLIENT_ID") },
+                { SFSessionProperty.PASSWORD, Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_EXTERNAL_OAUTH_OKTA_USER_PASSWORD") }
             };
+
             return properties;
         }
 
@@ -41,6 +57,57 @@ public static SFSessionProperties GetExternalBrowserConnectionString()
             return properties;
         }
 
+        public static SFSessionProperties GetOAuthExternalAuthorizationCodeConnectionString()
+        {
+            var properties = GetBaseConnectionParameters();
+            properties.Add(SFSessionProperty.AUTHENTICATOR, "OAUTH_AUTHORIZATION_CODE");
+            properties.Add(SFSessionProperty.OAUTHCLIENTID, Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_EXTERNAL_OAUTH_OKTA_CLIENT_ID"));
+            properties.Add(SFSessionProperty.OAUTHCLIENTSECRET, Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_EXTERNAL_OAUTH_OKTA_CLIENT_SECRET"));
+            properties.Add(SFSessionProperty.OAUTHREDIRECTURI, Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_EXTERNAL_OAUTH_OKTA_REDIRECT_URI"));
+            properties.Add(SFSessionProperty.OAUTHAUTHORIZATIONURL, Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_EXTERNAL_OAUTH_OKTA_AUTH_URL"));
+            properties.Add(SFSessionProperty.OAUTHTOKENREQUESTURL, Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_EXTERNAL_OAUTH_OKTA_TOKEN"));
+            properties.Add(SFSessionProperty.USER, SsoUser);
+
+            return properties;
+        }
+
+        public static SFSessionProperties GetOAuthSnowflakeAuthorizationCodeConnectionParameters()
+        {
+            var properties = GetBaseConnectionParameters();
+            properties.Add(SFSessionProperty.AUTHENTICATOR, "OAUTH_AUTHORIZATION_CODE");
+            properties.Add(SFSessionProperty.OAUTHCLIENTID, Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_INTERNAL_OAUTH_SNOWFLAKE_CLIENT_ID"));
+            properties.Add(SFSessionProperty.OAUTHCLIENTSECRET, Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_INTERNAL_OAUTH_SNOWFLAKE_CLIENT_SECRET"));
+            properties.Add(SFSessionProperty.OAUTHREDIRECTURI, Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_INTERNAL_OAUTH_SNOWFLAKE_REDIRECT_URI"));
+            properties[SFSessionProperty.ROLE] = Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_INTERNAL_OAUTH_SNOWFLAKE_ROLE");
+            properties.Add(SFSessionProperty.USER, Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_EXTERNAL_OAUTH_OKTA_CLIENT_ID"));
+
+            return properties;
+        }
+
+        public static SFSessionProperties GetOAuthSnowflakeAuthorizationCodeWilidcardsConnectionParameters()
+        {
+            var properties = GetBaseConnectionParameters();
+            properties.Add(SFSessionProperty.AUTHENTICATOR, "OAUTH_AUTHORIZATION_CODE");
+            properties.Add(SFSessionProperty.OAUTHCLIENTID, Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_INTERNAL_OAUTH_SNOWFLAKE_WILDCARDS_CLIENT_ID"));
+            properties.Add(SFSessionProperty.OAUTHCLIENTSECRET, Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_INTERNAL_OAUTH_SNOWFLAKE_WILDCARDS_CLIENT_SECRET"));
+            properties[SFSessionProperty.ROLE] = Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_INTERNAL_OAUTH_SNOWFLAKE_ROLE");
+            properties.Add(SFSessionProperty.USER, Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_EXTERNAL_OAUTH_OKTA_CLIENT_ID"));
+
+            return properties;
+        }
+
+        public static SFSessionProperties GetOAuthExternalClientCredentialParameters()
+        {
+            var properties = GetBaseConnectionParameters();
+            properties.Add(SFSessionProperty.AUTHENTICATOR, "OAUTH_CLIENT_CREDENTIALS");
+            properties.Add(SFSessionProperty.OAUTHCLIENTID, Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_EXTERNAL_OAUTH_OKTA_CLIENT_ID"));
+            properties.Add(SFSessionProperty.OAUTHCLIENTSECRET, Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_EXTERNAL_OAUTH_OKTA_CLIENT_SECRET"));
+            properties.Add(SFSessionProperty.OAUTHTOKENREQUESTURL, Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_EXTERNAL_OAUTH_OKTA_TOKEN"));
+            properties.Add(SFSessionProperty.USER, Environment.GetEnvironmentVariable("SNOWFLAKE_AUTH_TEST_EXTERNAL_OAUTH_OKTA_CLIENT_ID"));
+
+            return properties;
+        }
+
         public static SFSessionProperties GetOauthConnectionString(string token)
         {
             var properties = GetBaseConnectionParameters();
@@ -71,6 +138,13 @@ public static SFSessionProperties GetKeyPairFromFileContentParameters(string pri
             return properties;
         }
 
+        public static SFSessionProperties GetPatConnectionParameters()
+        {
+            var properties = GetBaseConnectionParameters();
+            properties.Add(SFSessionProperty.AUTHENTICATOR, "PROGRAMMATIC_ACCESS_TOKEN");
+            properties.Add(SFSessionProperty.USER, SsoUser);
+            return properties;
+        }
 
         public static SFSessionProperties GetKeyPairFromFilePathConnectionString(string privateKeyPath)
         {

Snowflake.Data.Tests/AuthenticationTests/AuthConnectionString.cs

@@ -4,6 +4,7 @@
 using System.Data;
 using NUnit.Framework;
 using Snowflake.Data.Client;
+using Snowflake.Data.Core.CredentialManager;
 using Snowflake.Data.Log;
 
 namespace Snowflake.Data.AuthenticationTests
@@ -61,6 +62,36 @@ public void ConnectAndExecuteSimpleQuery(string connectionString)
             }
         }
 
+        public string ConnectUsingOktaConnectionAndExecuteCustomCommand(string command, bool returnToken = false)
+        {
+            try
+            {
+                using (IDbConnection conn = new SnowflakeDbConnection())
+                {
+                    var parameters = AuthConnectionString.GetOktaConnectionString();
+                    conn.ConnectionString = AuthConnectionString.ConvertToConnectionString(parameters);
+                    conn.Open();
+                    Assert.AreEqual(ConnectionState.Open, conn.State);
+                    using (IDbCommand dbCommand = conn.CreateCommand())
+                    {
+                        dbCommand.CommandText = command;
+                        using (var reader = dbCommand.ExecuteReader())
+                        {
+                            if (returnToken && reader.Read())
+                            {
+                                return reader["token_secret"].ToString();
+                            }
+                        }
+                    }
+                }
+            }
+            catch (SnowflakeDbException e)
+            {
+                _exception = e;
+            }
+            return null;
+        }
+
         public Thread GetConnectAndExecuteSimpleQueryThread(string parameters)
         {
             return new Thread(() => ConnectAndExecuteSimpleQuery(parameters));
@@ -124,11 +155,17 @@ private void StartNodeProcess(string path, TimeSpan timeout)
             }
         }
 
+        internal void RemoveTokenFromCache(string tokenHost, string user, TokenType tokenType)
+        {
+            var cacheKey = SnowflakeCredentialManagerFactory.GetSecureCredentialKey(tokenHost, user, tokenType);
+            SnowflakeCredentialManagerFactory.GetCredentialManager().RemoveCredentials(cacheKey);
+        }
+
         private void ProvideCredentials(string scenario, string login, string password)
         {
             try
             {
-                StartNodeProcess($"/externalbrowser/provideBrowserCredentials.js {scenario} {login} {password}", TimeSpan.FromSeconds(15));
+                StartNodeProcess($"/externalbrowser/provideBrowserCredentials.js {scenario} {login} {password}", TimeSpan.FromSeconds(25));
             }
             catch (Exception e)
             {
@@ -137,4 +174,3 @@ private void ProvideCredentials(string scenario, string login, string password)
         }
     }
 }
-

Snowflake.Data.Tests/AuthenticationTests/AuthTestHelper.cs

@@ -40,16 +40,16 @@ public void TestAuthenticateUsingOauthInvalidToken()
              authTestHelper.VerifyExceptionIsThrown("Invalid OAuth access token");
          }
 
-          [Test, Ignore("Skipped, waits for SNOW-1893041")]
+         [Test, Ignore("Skipped, waits for SNOW-1893041")]
           public void TestAuthenticateUsingOauthMismatchedUser()
           {
               AuthTestHelper authTestHelper = new AuthTestHelper();
 
               string token = AuthConnectionString.GetOauthToken();
               var parameters = AuthConnectionString.GetOauthConnectionString(token);
-              parameters.Add(SFSessionProperty.USER, "fakeAccount");
+              parameters[SFSessionProperty.USER] = "fakeAccount";
               parameters.Add(SFSessionProperty.POOLINGENABLED, "false");
-              parameters.Add(SFSessionProperty.MINPOOLSIZE, "0");
+              _connectionString = AuthConnectionString.ConvertToConnectionString(parameters);
 
               authTestHelper.ConnectAndExecuteSimpleQuery(_connectionString);
               authTestHelper.VerifyExceptionIsThrown("The user you were trying to authenticate as differs from the user tied to the access token");

Snowflake.Data.Tests/AuthenticationTests/OauthConnectionTest.cs

@@ -0,0 +1,120 @@
+using System.Threading;
+using NUnit.Framework;
+using Snowflake.Data.Core;
+using Snowflake.Data.Core.CredentialManager;
+using Snowflake.Data.Tests;
+
+namespace Snowflake.Data.AuthenticationTests
+{
+    [NonParallelizable, IgnoreOnCI]
+    public class OktaAuthorizationCodeTest
+    {
+        private string _connectionString = "";
+        private string _login = AuthConnectionString.SsoUser;
+        private string _password = AuthConnectionString.SsoPassword;
+
+        [SetUp, IgnoreOnCI]
+        public void SetUp()
+        {
+            AuthTestHelper authTestHelper = new AuthTestHelper();
+            _login = AuthConnectionString.SsoUser;
+            _password = AuthConnectionString.SsoPassword;
+            authTestHelper.CleanBrowserProcess();
+            var parameters = AuthConnectionString.GetOAuthExternalAuthorizationCodeConnectionString();
+            _connectionString = AuthConnectionString.ConvertToConnectionString(parameters);
+        }
+
+        [Test, IgnoreOnCI]
+        public void TestAuthenticateOktaAuthorizationCodeSuccessful()
+
+        {
+            AuthTestHelper authTestHelper = new AuthTestHelper();
+
+            Thread connectThread = authTestHelper.GetConnectAndExecuteSimpleQueryThread(_connectionString);
+            Thread provideCredentialsThread = authTestHelper.GetProvideCredentialsThread("success", _login, _password);
+
+            authTestHelper.ConnectAndProvideCredentials(provideCredentialsThread, connectThread);
+            authTestHelper.VerifyExceptionIsNotThrown();
+        }
+
+        [Test, IgnoreOnCI]
+        public void TestAuthenticateOktaAuthorizationCodeMismatchedUser()
+        {
+            AuthTestHelper authTestHelper = new AuthTestHelper();
+
+            var parameters = AuthConnectionString.GetOAuthExternalAuthorizationCodeConnectionString();
+            parameters[SFSessionProperty.USER] = "differentUser";
+
+            _connectionString = AuthConnectionString.ConvertToConnectionString(parameters);
+
+            Thread connectThread = authTestHelper.GetConnectAndExecuteSimpleQueryThread(_connectionString);
+            Thread provideCredentialsThread = authTestHelper.GetProvideCredentialsThread("success", _login, _password);
+
+            authTestHelper.ConnectAndProvideCredentials(provideCredentialsThread, connectThread);
+            authTestHelper.VerifyExceptionIsThrown("The user you were trying to authenticate as differs from the user tied to the access token");
+        }
+
+        [Test, IgnoreOnCI]
+        public void TestAuthenticateOktaAuthorizationCodeWrongCredentials()
+        {
+            AuthTestHelper authTestHelper = new AuthTestHelper();
+
+            var parameters = AuthConnectionString.GetOAuthExternalAuthorizationCodeConnectionString();
+            parameters.Add(SFSessionProperty.BROWSER_RESPONSE_TIMEOUT, "15");
+            _connectionString = AuthConnectionString.ConvertToConnectionString(parameters);
+
+            _login = "itsnotanaccount.com";
+            _password = "fakepassword";
+
+            Thread connectThread = authTestHelper.GetConnectAndExecuteSimpleQueryThread(_connectionString);
+            Thread provideCredentialsThread = authTestHelper.GetProvideCredentialsThread("fail", _login, _password);
+
+            authTestHelper.ConnectAndProvideCredentials(provideCredentialsThread, connectThread);
+            authTestHelper.VerifyExceptionIsThrown("Browser response timed out after 15 seconds");
+            }
+
+        [Test, IgnoreOnCI]
+        public void TestAuthenticateOktaAuthorizationCodeTimeout()
+        {
+            AuthTestHelper authTestHelper = new AuthTestHelper();
+
+            var parameters = AuthConnectionString.GetOAuthExternalAuthorizationCodeConnectionString();
+            parameters.Add(SFSessionProperty.BROWSER_RESPONSE_TIMEOUT, "1");
+            _connectionString = AuthConnectionString.ConvertToConnectionString(parameters);
+
+            authTestHelper.ConnectAndExecuteSimpleQuery(_connectionString);
+            authTestHelper.VerifyExceptionIsThrown("Browser response timed out after 1 seconds");
+        }
+
+        [Test, IgnoreOnCI]
+        public void TestAuthenticateOktaAuthorizationCodeWithTokenCache()
+        {
+            AuthTestHelper authTestHelper = new AuthTestHelper();
+            var parameters = AuthConnectionString.GetOAuthExternalAuthorizationCodeConnectionString();
+            parameters.Add(SFSessionProperty.BROWSER_RESPONSE_TIMEOUT, "10");
+            parameters.Add(SFSessionProperty.POOLINGENABLED, "false");
+            parameters[SFSessionProperty.CLIENT_STORE_TEMPORARY_CREDENTIAL] = "true";
+            var host = parameters[SFSessionProperty.HOST];
+
+            _connectionString = AuthConnectionString.ConvertToConnectionString(parameters);
+            Thread connectThread = authTestHelper.GetConnectAndExecuteSimpleQueryThread(_connectionString);
+            Thread provideCredentialsThread = authTestHelper.GetProvideCredentialsThread("success", _login, _password);
+
+            try
+            {
+                authTestHelper.ConnectAndProvideCredentials(provideCredentialsThread, connectThread);
+                authTestHelper.VerifyExceptionIsNotThrown();
+
+                authTestHelper.CleanBrowserProcess();
+
+                authTestHelper.ConnectAndExecuteSimpleQuery(_connectionString);
+                authTestHelper.VerifyExceptionIsNotThrown();
+            }
+            finally
+            {
+                authTestHelper.RemoveTokenFromCache(host, _login, TokenType.OAuthAccessToken);
+                authTestHelper.RemoveTokenFromCache(host, _login, TokenType.OAuthRefreshToken);
+            }
+        }
+    }
+}

Snowflake.Data.Tests/AuthenticationTests/OktaAuthorizationCodeTest.cs

@@ -0,0 +1,49 @@
+using NUnit.Framework;
+using Snowflake.Data.Tests;
+using Snowflake.Data.Core;
+
+namespace Snowflake.Data.AuthenticationTests
+{
+    [NonParallelizable, IgnoreOnCI]
+    public class OktaClientsCredentialsTest
+    {
+        private string _connectionString = "";
+
+        [Test, IgnoreOnCI]
+        public void TestAuthenticateOktaClientCredentialsSuccessful()
+        {
+            AuthTestHelper authTestHelper = new AuthTestHelper();
+            var parameters = AuthConnectionString.GetOAuthExternalClientCredentialParameters();
+            _connectionString = AuthConnectionString.ConvertToConnectionString(parameters);
+
+            authTestHelper.ConnectAndExecuteSimpleQuery(_connectionString);
+            authTestHelper.VerifyExceptionIsNotThrown();
+        }
+
+
+        [Test, IgnoreOnCI]
+        public void TestAuthenticateOktaClientCredentialsMismatchedUsername()
+        {
+            AuthTestHelper authTestHelper = new AuthTestHelper();
+            var parameters = AuthConnectionString.GetOAuthExternalClientCredentialParameters();
+            parameters[SFSessionProperty.USER] = "differentUser";
+            _connectionString = AuthConnectionString.ConvertToConnectionString(parameters);
+
+            authTestHelper.ConnectAndExecuteSimpleQuery(_connectionString);
+            authTestHelper.VerifyExceptionIsThrown("The user you were trying to authenticate as differs from the user tied to the access token");
+        }
+
+
+        [Test, IgnoreOnCI]
+        public void TestAuthenticateOktaClientCredentialsUnauthorized()
+        {
+            AuthTestHelper authTestHelper = new AuthTestHelper();
+            var parameters = AuthConnectionString.GetOAuthExternalClientCredentialParameters();
+            parameters[SFSessionProperty.OAUTHCLIENTID] = "invalidClientId";
+            _connectionString = AuthConnectionString.ConvertToConnectionString(parameters);
+
+            authTestHelper.ConnectAndExecuteSimpleQuery(_connectionString);
+            authTestHelper.VerifyExceptionIsThrown("Error on getting an OAuth token from IDP:");
+        }
+    }
+}