SNOW-715524: Add SSO token cache (#921)

Co-authored-by: Krzysztof Nozderko <[email protected]>

Author: sfc-gh-ext-simba-lf

README.md

@@ -143,6 +143,12 @@ Logging description and configuration:
 Method of validating the connection's certificates in the .NET driver differs from the rest of the Snowflake drivers.
 Read more in [certificate validation](doc/CertficateValidation.md) docs.
 
+## Cache
+
+Storing tokens in cache for SSO/MFA authentication.
+
+Read more in [cache](doc/Cache.md) docs.
+
 ---------------
 
 ## Notice

Snowflake.Data.Tests/IntegrationTests/SFConnectionIT.cs

@@ -9,6 +9,8 @@
 using NUnit.Framework;
 using Snowflake.Data.Client;
 using Snowflake.Data.Core;
+using Snowflake.Data.Core.CredentialManager;
+using Snowflake.Data.Core.CredentialManager.Infrastructure;
 using Snowflake.Data.Core.Session;
 using Snowflake.Data.Core.Tools;
 using Snowflake.Data.Log;
@@ -17,7 +19,6 @@
 
 namespace Snowflake.Data.Tests.IntegrationTests
 {
-
     [TestFixture]
     class SFConnectionIT : SFBaseTest
     {
@@ -1042,6 +1043,75 @@ public void TestSSOConnectionTimeoutAfter10s()
             Assert.LessOrEqual(stopwatch.ElapsedMilliseconds, (waitSeconds + 5) * 1000);
         }
 
+        [Test]
+        [Ignore("This test requires manual interaction and therefore cannot be run in CI")]
+        public void TestSSOConnectionWithTokenCaching()
+        {
+            /*
+             * This test checks that the connector successfully stores an SSO token and uses it for authentication if it exists
+             * 1. Login normally using external browser with CLIENT_STORE_TEMPORARY_CREDENTIAL enabled
+             * 2. Login again, this time without a browser, as the connector should be using the SSO token retrieved from step 1
+            */
+
+            // Set the CLIENT_STORE_TEMPORARY_CREDENTIAL property to true to enable token caching
+            // The specified user should be configured for SSO
+            var externalBrowserConnectionString
+                = ConnectionStringWithoutAuth
+                    + $";authenticator=externalbrowser;user={testConfig.user};CLIENT_STORE_TEMPORARY_CREDENTIAL=true;poolingEnabled=false";
+
+            using (IDbConnection conn = new SnowflakeDbConnection())
+            {
+                conn.ConnectionString = externalBrowserConnectionString;
+
+                // Authenticate to retrieve and store the token if doesn't exist or invalid
+                conn.Open();
+                Assert.AreEqual(ConnectionState.Open, conn.State);
+            }
+
+            using (IDbConnection conn = new SnowflakeDbConnection())
+            {
+                conn.ConnectionString = externalBrowserConnectionString;
+
+                // Authenticate using the SSO token (the connector will automatically use the token and a browser should not pop-up in this step)
+                conn.Open();
+                Assert.AreEqual(ConnectionState.Open, conn.State);
+            }
+        }
+
+        [Test]
+        [Ignore("This test requires manual interaction and therefore cannot be run in CI")]
+        public void TestSSOConnectionWithInvalidCachedToken()
+        {
+            /*
+             * This test checks that the connector will attempt to re-authenticate using external browser if the token retrieved from the cache is invalid
+             * 1. Create a credential manager and save credentials for the user with a wrong token
+             * 2. Open a connection which initially should try to use the token and then switch to external browser when the token fails
+            */
+
+            using (IDbConnection conn = new SnowflakeDbConnection())
+            {
+                // Set the CLIENT_STORE_TEMPORARY_CREDENTIAL property to true to enable token caching
+                conn.ConnectionString
+                    = ConnectionStringWithoutAuth
+                        + $";authenticator=externalbrowser;user={testConfig.user};CLIENT_STORE_TEMPORARY_CREDENTIAL=true;";
+
+                // Create a credential manager and save a wrong token for the test user
+                var key = SnowflakeCredentialManagerFactory.GetSecureCredentialKey(testConfig.host, testConfig.user, TokenType.IdToken);
+                var credentialManager = SFCredentialManagerInMemoryImpl.Instance;
+                credentialManager.SaveCredentials(key, "wrongToken");
+
+                // Use the credential manager with the wrong token
+                SnowflakeCredentialManagerFactory.SetCredentialManager(credentialManager);
+
+                // Open a connection which should switch to external browser after trying to connect using the wrong token
+                conn.Open();
+                Assert.AreEqual(ConnectionState.Open, conn.State);
+
+                // Switch back to the default credential manager
+                SnowflakeCredentialManagerFactory.UseDefaultCredentialManager();
+            }
+        }
+
         [Test]
         [Ignore("This test requires manual interaction and therefore cannot be run in CI")]
         public void TestSSOConnectionWithWrongUser()
@@ -2353,6 +2423,44 @@ public void TestOpenAsyncThrowExceptionWhenOperationIsCancelled()
             }
         }
 
+        [Test]
+        [Ignore("This test requires manual interaction and therefore cannot be run in CI")]
+        public void TestSSOConnectionWithTokenCachingAsync()
+        {
+            /*
+             * This test checks that the connector successfully stores an SSO token and uses it for authentication if it exists
+             * 1. Login normally using external browser with CLIENT_STORE_TEMPORARY_CREDENTIAL enabled
+             * 2. Login again, this time without a browser, as the connector should be using the SSO token retrieved from step 1
+            */
+
+            // Set the CLIENT_STORE_TEMPORARY_CREDENTIAL property to true to enable token caching
+            // The specified user should be configured for SSO
+            var externalBrowserConnectionString
+                = ConnectionStringWithoutAuth
+                    + $";authenticator=externalbrowser;user={testConfig.user};CLIENT_STORE_TEMPORARY_CREDENTIAL=true;poolingEnabled=false";
+
+            using (SnowflakeDbConnection conn = new SnowflakeDbConnection())
+            {
+                conn.ConnectionString = externalBrowserConnectionString;
+
+                // Authenticate to retrieve and store the token if doesn't exist or invalid
+                Task connectTask = conn.OpenAsync(CancellationToken.None);
+                connectTask.Wait();
+                Assert.AreEqual(ConnectionState.Open, conn.State);
+            }
+
+            using (SnowflakeDbConnection conn = new SnowflakeDbConnection())
+            {
+                conn.ConnectionString = externalBrowserConnectionString;
+
+                // Authenticate using the SSO token (the connector will automatically use the token and a browser should not pop-up in this step)
+                Task connectTask = conn.OpenAsync(CancellationToken.None);
+                connectTask.Wait();
+                Assert.AreEqual(ConnectionState.Open, conn.State);
+            }
+
+        }
+
         [Test]
         public void TestCloseSessionWhenGarbageCollectorFinalizesConnection()
         {

Snowflake.Data.Tests/Mock/MockExternalBrowserRestRequester.cs

@@ -0,0 +1,127 @@
+using Snowflake.Data.Core;
+using System.Net.Http;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace Snowflake.Data.Tests.Mock
+{
+
+    class MockExternalBrowserRestRequester : IMockRestRequester
+    {
+        public string ProofKey { get; set; }
+
+        public string SSOUrl { get; set; }
+
+        public string IdToken { get; set; }
+
+        public bool ThrowInvalidIdToken { get; set; } = false;
+
+        public bool ThrowNonInvalidIdToken { get; set; } = false;
+
+        public T Get<T>(IRestRequest request)
+        {
+            throw new System.NotImplementedException();
+        }
+
+        public Task<T> GetAsync<T>(IRestRequest request, CancellationToken cancellationToken)
+        {
+            throw new System.NotImplementedException();
+        }
+
+        public T Post<T>(IRestRequest postRequest)
+        {
+            return Task.Run(async () => await (PostAsync<T>(postRequest, CancellationToken.None)).ConfigureAwait(false)).Result;
+        }
+
+        public Task<T> PostAsync<T>(IRestRequest postRequest, CancellationToken cancellationToken)
+        {
+            SFRestRequest sfRequest = (SFRestRequest)postRequest;
+            if (sfRequest.jsonBody is AuthenticatorRequest)
+            {
+                if (string.IsNullOrEmpty(SSOUrl))
+                {
+                    var body = (AuthenticatorRequest)sfRequest.jsonBody;
+                    var port = body.Data.BrowserModeRedirectPort;
+                    SSOUrl = $"http://localhost:{port}/?token=mockToken";
+                }
+
+                // authenticator
+                var authnResponse = new AuthenticatorResponse
+                {
+                    success = true,
+                    data = new AuthenticatorResponseData
+                    {
+                        proofKey = ProofKey,
+                        ssoUrl = SSOUrl,
+                    }
+                };
+
+                return Task.FromResult<T>((T)(object)authnResponse);
+            }
+            else
+            {
+                // login
+                LoginResponse loginResponse;
+                if (ThrowInvalidIdToken)
+                {
+                    ThrowInvalidIdToken = false;
+                    loginResponse = new LoginResponse
+                    {
+                        success = false,
+                        code = SFError.ID_TOKEN_INVALID.GetAttribute<SFErrorAttr>().errorCode,
+                        message = "",
+                    };
+                }
+                else if (ThrowNonInvalidIdToken)
+                {
+                    ThrowInvalidIdToken = false;
+                    loginResponse = new LoginResponse
+                    {
+                        success = false,
+                        code = SFError.INTERNAL_ERROR.GetAttribute<SFErrorAttr>().errorCode,
+                        message = "",
+                    };
+                }
+                else
+                {
+                    loginResponse = new LoginResponse
+                    {
+                        success = true,
+                        data = new LoginResponseData
+                        {
+                            idToken = IdToken,
+                            sessionId = "",
+                            token = "",
+                            masterToken = "",
+                            masterValidityInSeconds = 0,
+                            authResponseSessionInfo = new SessionInfo
+                            {
+                                databaseName = "",
+                                schemaName = "",
+                                roleName = "",
+                                warehouseName = "",
+                            }
+                        }
+                    };
+                }
+
+                return Task.FromResult<T>((T)(object)loginResponse);
+            }
+        }
+
+        public HttpResponseMessage Get(IRestRequest request)
+        {
+            throw new System.NotImplementedException();
+        }
+
+        public Task<HttpResponseMessage> GetAsync(IRestRequest request, CancellationToken cancellationToken)
+        {
+            throw new System.NotImplementedException();
+        }
+
+        public void setHttpClient(HttpClient httpClient)
+        {
+            // Nothing to do
+        }
+    }
+}

Snowflake.Data.Tests/UnitTests/CredentialManager/SFCredentialManagerFileImplTest.cs

@@ -258,9 +258,10 @@ public void TestReadingAndWritingAreUnavailableIfDirLockExists()
         }
 
         [Test]
-        public void TestChangeCacheDirPermissionsWhenInsecure()
+        public void TestThatDoesNotChangeCacheDirPermissionsWhenInsecure()
         {
             // arrange
+            var insecurePermissions = FileAccessPermissions.UserReadWriteExecute | FileAccessPermissions.GroupRead;
             var tempDirectory = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
             t_environmentOperations
                 .Setup(e => e.GetEnvironmentVariable(SFCredentialManagerFileStorage.CredentialCacheDirectoryEnvironmentName))
@@ -269,15 +270,15 @@ public void TestChangeCacheDirPermissionsWhenInsecure()
             try
             {
                 DirectoryOperations.Instance.CreateDirectory(tempDirectory);
-                UnixOperations.Instance.ChangePermissions(tempDirectory, FileAccessPermissions.UserReadWriteExecute | FileAccessPermissions.GroupRead);
+                UnixOperations.Instance.ChangePermissions(tempDirectory, insecurePermissions);
 
                 // act
                 _credentialManager.SaveCredentials("key", "token");
                 var result = _credentialManager.GetCredentials("key");
 
                 // assert
                 Assert.AreEqual("token", result);
-                Assert.AreEqual(FileAccessPermissions.UserReadWriteExecute, UnixOperations.Instance.GetDirectoryInfo(tempDirectory).Permissions);
+                Assert.AreEqual(insecurePermissions, UnixOperations.Instance.GetDirectoryInfo(tempDirectory).Permissions);
             }
             finally
             {