Snow 2355881 Add CERT_REVOCATION_CHECK_MODE to CLIENT_ENVIRONMENT (#2562)

sfc-gh-pczajka · web-flow · commit b7c49ba83948 · 2025-10-07T11:19:50.000+02:00
diff --git a/DESCRIPTION.md b/DESCRIPTION.md
@@ -8,6 +8,7 @@ Source code is also available at: https://github.com/snowflakedb/snowflake-conne
 
 # Release Notes
 - v4.1.0(TBD)
+  - Added `CERT_REVOCATION_CHECK_MODE` to `CLIENT_ENVIRONMENT`
 
 - v4.0.0(October 01,2025)
   - Added support for checking certificates revocation using revocation lists (CRLs)
diff --git a/src/snowflake/connector/auth/_auth.py b/src/snowflake/connector/auth/_auth.py
@@ -101,6 +101,7 @@ def base_auth_data(
         internal_application_name,
         internal_application_version,
         ocsp_mode,
+        cert_revocation_check_mode,
         login_timeout: int | None = None,
         network_timeout: int | None = None,
         socket_timeout: int | None = None,
@@ -123,6 +124,7 @@ def base_auth_data(
                     "PYTHON_RUNTIME": IMPLEMENTATION,
                     "PYTHON_COMPILER": COMPILER,
                     "OCSP_MODE": ocsp_mode.name,
+                    "CERT_REVOCATION_CHECK_MODE": cert_revocation_check_mode,
                     "TRACING": logger.getEffectiveLevel(),
                     "LOGIN_TIMEOUT": login_timeout,
                     "NETWORK_TIMEOUT": network_timeout,
@@ -183,6 +185,7 @@ def authenticate(
             self._rest._connection._internal_application_name,
             self._rest._connection._internal_application_version,
             self._rest._connection._ocsp_mode(),
+            self._rest._connection.cert_revocation_check_mode,
             self._rest._connection.login_timeout,
             self._rest._connection._network_timeout,
             self._rest._connection._socket_timeout,
diff --git a/src/snowflake/connector/auth/okta.py b/src/snowflake/connector/auth/okta.py
@@ -166,6 +166,7 @@ def _step1(
             conn._internal_application_name,
             conn._internal_application_version,
             conn._ocsp_mode(),
+            conn.cert_revocation_check_mode,
             conn.login_timeout,
             conn.network_timeout,
             conn.socket_timeout,
diff --git a/src/snowflake/connector/auth/webbrowser.py b/src/snowflake/connector/auth/webbrowser.py
@@ -460,6 +460,7 @@ def _get_sso_url(
             conn._internal_application_name,
             conn._internal_application_version,
             conn._ocsp_mode(),
+            conn.cert_revocation_check_mode,
             conn.login_timeout,
             conn.network_timeout,
             conn.socket_timeout,
diff --git a/src/snowflake/connector/connection.py b/src/snowflake/connector/connection.py
@@ -87,6 +87,7 @@
     QueryStatus,
 )
 from .converter import SnowflakeConverter
+from .crl import CRLConfig
 from .cursor import LOG_MAX_QUERY_LENGTH, SnowflakeCursor, SnowflakeCursorBase
 from .description import (
     CLIENT_NAME,
@@ -438,7 +439,7 @@ def _get_private_bytes_from_file(
     ),  # Read timeout for CRL downloads in milliseconds
     "crl_cache_validity_hours": (
         None,
-        (type(None), int),
+        (type(None), float),
     ),  # CRL cache validity time in hours
     "enable_crl_cache": (None, (type(None), bool)),  # Enable CRL caching
     "enable_crl_file_cache": (None, (type(None), bool)),  # Enable file-based CRL cache
@@ -592,6 +593,7 @@ def __init__(
 
         # Placeholder attributes; will be initialized in connect()
         self._http_config: HttpConfig | None = None
+        self._crl_config: CRLConfig | None = None
         self._session_manager: SessionManager | None = None
         self._rest: SnowflakeRestful | None = None
 
@@ -688,57 +690,81 @@ def _ocsp_mode(self) -> OCSPMode:
     @property
     def cert_revocation_check_mode(self) -> str | None:
         """Certificate revocation check mode: DISABLED, ENABLED, or ADVISORY."""
-        return self._cert_revocation_check_mode
+        if not self._crl_config:
+            return self._cert_revocation_check_mode
+        return self._crl_config.cert_revocation_check_mode.value
 
     @property
     def allow_certificates_without_crl_url(self) -> bool | None:
         """Whether to allow certificates without CRL distribution points."""
-        return self._allow_certificates_without_crl_url
+        if not self._crl_config:
+            return self._allow_certificates_without_crl_url
+        return self._crl_config.allow_certificates_without_crl_url
 
     @property
     def crl_connection_timeout_ms(self) -> int | None:
         """Connection timeout for CRL downloads in milliseconds."""
-        return self._crl_connection_timeout_ms
+        if not self._crl_config:
+            return self._crl_connection_timeout_ms
+        return self._crl_config.connection_timeout_ms
 
     @property
     def crl_read_timeout_ms(self) -> int | None:
         """Read timeout for CRL downloads in milliseconds."""
-        return self._crl_read_timeout_ms
+        if not self._crl_config:
+            return self._crl_read_timeout_ms
+        return self._crl_config.read_timeout_ms
 
     @property
-    def crl_cache_validity_hours(self) -> int | None:
+    def crl_cache_validity_hours(self) -> float | None:
         """CRL cache validity time in hours."""
-        return self._crl_cache_validity_hours
+        if not self._crl_config:
+            return self._crl_cache_validity_hours
+        return self._crl_config.cache_validity_time.total_seconds() / 3600
 
     @property
     def enable_crl_cache(self) -> bool | None:
         """Whether CRL caching is enabled."""
-        return self._enable_crl_cache
+        if not self._crl_config:
+            return self._enable_crl_cache
+        return self._crl_config.enable_crl_cache
 
     @property
     def enable_crl_file_cache(self) -> bool | None:
         """Whether file-based CRL cache is enabled."""
-        return self._enable_crl_file_cache
+        if not self._crl_config:
+            return self._enable_crl_file_cache
+        return self._crl_config.enable_crl_file_cache
 
     @property
     def crl_cache_dir(self) -> str | None:
         """Directory for CRL file cache."""
-        return self._crl_cache_dir
+        if not self._crl_config:
+            return self._crl_cache_dir
+        if not self._crl_config.crl_cache_dir:
+            return None
+        return str(self._crl_config.crl_cache_dir)
 
     @property
     def crl_cache_removal_delay_days(self) -> int | None:
         """Days to keep expired CRL files before removal."""
-        return self._crl_cache_removal_delay_days
+        if not self._crl_config:
+            return self._crl_cache_removal_delay_days
+        return self._crl_config.crl_cache_removal_delay_days
 
     @property
     def crl_cache_cleanup_interval_hours(self) -> int | None:
         """CRL cache cleanup interval in hours."""
-        return self._crl_cache_cleanup_interval_hours
+        if not self._crl_config:
+            return self._crl_cache_cleanup_interval_hours
+        return self._crl_config.crl_cache_cleanup_interval_hours
 
     @property
     def crl_cache_start_cleanup(self) -> bool | None:
         """Whether to start CRL cache cleanup immediately."""
-        return self._crl_cache_start_cleanup
+        if not self._crl_config:
+            return self._crl_cache_start_cleanup
+        return self._crl_config.crl_cache_start_cleanup
 
     @property
     def session_id(self) -> int:
@@ -1041,6 +1067,8 @@ def connect(self, **kwargs) -> None:
         if len(kwargs) > 0:
             self.__config(**kwargs)
 
+        self._crl_config: CRLConfig = CRLConfig.from_connection(self)
+
         self._http_config = HttpConfig(
             adapter_factory=ProxySupportAdapterFactory(),
             use_pooling=(not self.disable_request_pooling),
diff --git a/src/snowflake/connector/crl.py b/src/snowflake/connector/crl.py
@@ -105,15 +105,11 @@ def from_connection(cls, sf_connection) -> CRLConfig:
             )
             cert_revocation_check_mode = cls.cert_revocation_check_mode
 
-        if cert_revocation_check_mode == CertRevocationCheckMode.DISABLED:
-            # The rest of the parameters don't matter if CRL checking is disabled
-            return cls(cert_revocation_check_mode=cert_revocation_check_mode)
-
         # Apply default value logic for all other parameters when connection attribute is None
         cache_validity_time = (
             cls.cache_validity_time
             if sf_connection.crl_cache_validity_hours is None
-            else timedelta(hours=int(sf_connection.crl_cache_validity_hours))
+            else timedelta(hours=float(sf_connection.crl_cache_validity_hours))
         )
         crl_cache_dir = (
             cls.crl_cache_dir
diff --git a/test/helpers.py b/test/helpers.py
@@ -277,6 +277,7 @@ def create_mock_auth_body():
         "internal_application_name",
         "internal_application_version",
         ocsp_mode,
+        "CRL_MODE",
         login_timeout=60 * 60,
         network_timeout=60 * 60,
         socket_timeout=60 * 60,
diff --git a/test/integ/test_crl.py b/test/integ/test_crl.py
@@ -63,6 +63,10 @@ def test_crl_validation_advisory_mode(conn_cnx):
         assert cnx.cert_revocation_check_mode == "ADVISORY"
         assert cnx.allow_certificates_without_crl_url is False
         assert cnx.enable_crl_cache is True
+        assert cnx.crl_connection_timeout_ms == 3000
+        assert cnx.crl_read_timeout_ms == 3000
+        assert cnx.crl_cache_validity_hours == 1
+        assert cnx.crl_cache_dir is None
 
 
 @pytest.mark.skipolddriver
diff --git a/test/unit/test_auth.py b/test/unit/test_auth.py
@@ -42,6 +42,7 @@ def _init_rest(application, post_requset):
     connection = mock_connection()
     connection.errorhandler = Mock(return_value=None)
     connection._ocsp_mode = Mock(return_value=OCSPMode.FAIL_OPEN)
+    connection.cert_revocation_check_mode = "TEST_CRL_MODE"
     type(connection).application = PropertyMock(return_value=application)
     type(connection)._internal_application_name = PropertyMock(return_value=CLIENT_NAME)
     type(connection)._internal_application_version = PropertyMock(
diff --git a/test/unit/test_auth_keypair.py b/test/unit/test_auth_keypair.py
@@ -155,6 +155,7 @@ def _init_rest(application, post_requset):
     connection = mock_connection()
     connection.errorhandler = Mock(return_value=None)
     connection._ocsp_mode = Mock(return_value=OCSPMode.FAIL_OPEN)
+    connection.cert_revocation_check_mode = "TEST_CRL_MODE"
     type(connection).application = PropertyMock(return_value=application)
     type(connection)._internal_application_name = PropertyMock(return_value=CLIENT_NAME)
     type(connection)._internal_application_version = PropertyMock(
diff --git a/test/unit/test_auth_okta.py b/test/unit/test_auth_okta.py
@@ -345,6 +345,7 @@ def post_request(url, headers, body, **kwargs):
     connection = mock_connection(disable_saml_url_check=disable_saml_url_check)
     connection.errorhandler = Mock(return_value=None)
     connection._ocsp_mode = Mock(return_value=OCSPMode.FAIL_OPEN)
+    connection.cert_revocation_check_mode = "TEST_CRL_MODE"
     type(connection).application = PropertyMock(return_value=CLIENT_NAME)
     type(connection)._internal_application_name = PropertyMock(return_value=CLIENT_NAME)
     type(connection)._internal_application_version = PropertyMock(
diff --git a/test/unit/test_auth_webbrowser.py b/test/unit/test_auth_webbrowser.py
@@ -366,6 +366,7 @@ def post_request(url, headers, body, **kwargs):
     connection = mock_connection()
     connection.errorhandler = Mock(return_value=None)
     connection._ocsp_mode = Mock(return_value=OCSPMode.FAIL_OPEN)
+    connection.cert_revocation_check_mode = "TEST_CRL_MODE"
     connection._disable_console_login = disable_console_login
     type(connection).application = PropertyMock(return_value=CLIENT_NAME)
     type(connection)._internal_application_name = PropertyMock(return_value=CLIENT_NAME)
diff --git a/test/unit/test_crl.py b/test/unit/test_crl.py
@@ -812,6 +812,16 @@ def test_crl_config_from_connection_disabled_mode():
 
     mock_connection = Mock()
     mock_connection.cert_revocation_check_mode = "DISABLED"
+    mock_connection.allow_certificates_without_crl_url = None
+    mock_connection.crl_connection_timeout_ms = None
+    mock_connection.crl_read_timeout_ms = None
+    mock_connection.crl_cache_validity_hours = None
+    mock_connection.enable_crl_cache = None
+    mock_connection.enable_crl_file_cache = None
+    mock_connection.crl_cache_dir = None
+    mock_connection.crl_cache_removal_delay_days = None
+    mock_connection.crl_cache_cleanup_interval_hours = None
+    mock_connection.crl_cache_start_cleanup = None
 
     config = CRLConfig.from_connection(mock_connection)
 
diff --git a/test/unit/test_telemetry.py b/test/unit/test_telemetry.py
@@ -409,6 +409,16 @@ def get_mocked_telemetry_connection(telemetry_enabled: bool = True) -> Mock:
     mock_connection.is_closed = False
     mock_connection.socket_timeout = None
     mock_connection.messages = []
+    mock_connection.crl_cache_validity_hours = None
+    mock_connection.crl_cache_dir = None
+    mock_connection.crl_connection_timeout_ms = None
+    mock_connection.crl_read_timeout_ms = None
+    mock_connection.crl_cache_removal_delay_days = None
+    mock_connection.crl_cache_cleanup_interval_hours = None
+    mock_connection.crl_cache_start_cleanup = None
+    mock_connection.enable_crl_cache = None
+    mock_connection.enable_crl_file_cache = None
+    mock_connection.allow_certificates_without_crl_url = None
 
     from src.snowflake.connector.errors import Error
 
