SNOW-890625 Do not write cache when we have no OCSP response (#1690)

sfc-gh-sfan · web-flow · commit 32d3c4b6cbe5 · 2023-08-14T09:44:52.000-07:00
Description

When there is connection error, we will get None as OCSP response,
which should not be written to cache.

Testing

unit test
diff --git a/src/snowflake/connector/ocsp_snowflake.py b/src/snowflake/connector/ocsp_snowflake.py
@@ -1189,6 +1189,7 @@ def _validate_certificates_sequential(
                 ocsp_response_validation_result is None
                 or not ocsp_response_validation_result.validated
             ):
+                # r is a tuple of (err, issuer, subject, cert_id, ocsp_response)
                 r = self.validate_by_direct_connection(
                     issuer,
                     subject,
@@ -1197,12 +1198,18 @@ def _validate_certificates_sequential(
                     do_retry=do_retry,
                     cache_key=cache_key,
                 )
-                to_update_cache_dict[cache_key] = OCSPResponseValidationResult(
-                    *r,
-                    ts=int(time.time()),
-                    validated=True,
-                )
-                OCSPCache.CACHE_UPDATED = True
+
+                # When OCSP server is down, the validation fails and the oscp_response will be None, and in fail open
+                # case, we will also reset err to None.
+                # In this case we don't need to write the response to cache because there is no information from a
+                # connection error.
+                if r[0] is not None or r[4] is not None:
+                    to_update_cache_dict[cache_key] = OCSPResponseValidationResult(
+                        *r,
+                        ts=int(time.time()),
+                        validated=True,
+                    )
+                    OCSPCache.CACHE_UPDATED = True
                 results.append(r)
             else:
                 results.append(
diff --git a/test/unit/test_ocsp.py b/test/unit/test_ocsp.py
@@ -308,6 +308,22 @@ def test_ocsp_with_invalid_cache_file():
         assert ocsp.validate(url, connection), f"Failed to validate: {url}"
 
 
+@mock.patch(
+    "snowflake.connector.ocsp_snowflake.SnowflakeOCSP._fetch_ocsp_response",
+    side_effect=BrokenPipeError("fake error"),
+)
+def test_ocsp_cache_when_server_is_down(mock_fetch_ocsp_response, tmpdir):
+    ocsp = SFOCSP()
+
+    """Attempts to use outdated OCSP response cache file."""
+    cache_file_name, target_hosts = _store_cache_in_file(tmpdir)
+
+    # reading cache file
+    OCSPCache.read_ocsp_response_cache_file(ocsp, cache_file_name)
+    cache_data = snowflake.connector.ocsp_snowflake.OCSP_RESPONSE_VALIDATION_CACHE
+    assert not cache_data, "no cache should present because of broken pipe"
+
+
 def test_concurrent_ocsp_requests(tmpdir):
     """Run OCSP revocation checks in parallel. The memory and file caches are deleted randomly."""
     cache_file_name = path.join(str(tmpdir), "cache_file.txt")
