SNOW-1859664 use correct transport for calling cloud providers (#1288)

sfc-gh-dszmolka · web-flow · commit 72a121fe2053 · 2025-01-17T12:10:56.000+01:00
diff --git a/azure_storage_client.go b/azure_storage_client.go
@@ -52,7 +52,7 @@ func (util *snowflakeAzureClient) createClient(info *execResponseStageInfo, _ bo
 				RetryDelay: 2 * time.Second,
 			},
 			Transport: &http.Client{
-				Transport: SnowflakeTransport,
+				Transport: getTransport(util.cfg),
 			},
 		},
 	})
@@ -74,7 +74,7 @@ func (util *snowflakeAzureClient) getFileHeader(meta *fileMetadata, filename str
 		return nil, err
 	}
 	path := azureLoc.path + strings.TrimLeft(filename, "/")
-	containerClient, err := createContainerClient(client.URL())
+	containerClient, err := createContainerClient(client.URL(), util.cfg)
 	if err != nil {
 		return nil, &SnowflakeError{
 			Message: "failed to create container client",
@@ -188,7 +188,7 @@ func (util *snowflakeAzureClient) uploadFile(
 			Message: "failed to cast to azure client",
 		}
 	}
-	containerClient, err := createContainerClient(client.URL())
+	containerClient, err := createContainerClient(client.URL(), util.cfg)
 
 	if err != nil {
 		return &SnowflakeError{
@@ -273,7 +273,7 @@ func (util *snowflakeAzureClient) nativeDownloadFile(
 			Message: "failed to cast to azure client",
 		}
 	}
-	containerClient, err := createContainerClient(client.URL())
+	containerClient, err := createContainerClient(client.URL(), util.cfg)
 	if err != nil {
 		return &SnowflakeError{
 			Message: "failed to create container client",
@@ -348,10 +348,10 @@ func (util *snowflakeAzureClient) detectAzureTokenExpireError(resp *http.Respons
 		strings.Contains(errStr, "Server failed to authenticate the request")
 }
 
-func createContainerClient(clientURL string) (*container.Client, error) {
+func createContainerClient(clientURL string, cfg *Config) (*container.Client, error) {
 	return container.NewClientWithNoCredential(clientURL, &container.ClientOptions{ClientOptions: azcore.ClientOptions{
 		Transport: &http.Client{
-			Transport: SnowflakeTransport,
+			Transport: getTransport(cfg),
 		},
 	}})
 }
diff --git a/client_test.go b/client_test.go
@@ -23,7 +23,7 @@ func (t *DummyTransport) RoundTrip(r *http.Request) (*http.Response, error) {
 		}
 		return &http.Response{StatusCode: 200}, nil
 	}
-	return snowflakeInsecureTransport.RoundTrip(r)
+	return snowflakeNoOcspTransport.RoundTrip(r)
 }
 
 func TestInternalClient(t *testing.T) {
diff --git a/connection.go b/connection.go
@@ -790,7 +790,7 @@ func buildSnowflakeConn(ctx context.Context, config Config) (*snowflakeConn, err
 	if sc.cfg.Transporter == nil {
 		if sc.cfg.DisableOCSPChecks || sc.cfg.InsecureMode {
 			// no revocation check with OCSP. Think twice when you want to enable this option.
-			st = snowflakeInsecureTransport
+			st = snowflakeNoOcspTransport
 		} else {
 			// set OCSP fail open mode
 			ocspResponseCacheLock.Lock()
@@ -856,3 +856,21 @@ func buildSnowflakeConn(ctx context.Context, config Config) (*snowflakeConn, err
 
 	return sc, nil
 }
+
+func getTransport(cfg *Config) http.RoundTripper {
+	if cfg == nil {
+		logger.Debug("getTransport: got nil Config, will perform OCSP validation for cloud storage")
+		return SnowflakeTransport
+	}
+	// if user configured a custom Transporter, prioritize that
+	if cfg.Transporter != nil {
+		logger.Debug("getTransport: using Transporter configured by the user")
+		return cfg.Transporter
+	}
+	if cfg.DisableOCSPChecks || cfg.InsecureMode {
+		logger.Debug("getTransport: skipping OCSP validation for cloud storage")
+		return snowflakeNoOcspTransport
+	}
+	logger.Debug("getTransport: will perform OCSP validation for cloud storage")
+	return SnowflakeTransport
+}
diff --git a/connection_test.go b/connection_test.go
@@ -826,3 +826,56 @@ func TestBeginCreatesTransaction(t *testing.T) {
 		}
 	})
 }
+
+type EmptyTransporter struct{}
+
+func (t EmptyTransporter) RoundTrip(*http.Request) (*http.Response, error) {
+	return nil, nil
+}
+
+func TestGetTransport(t *testing.T) {
+	testcases := []struct {
+		name      string
+		cfg       *Config
+		transport http.RoundTripper
+	}{
+		{
+			name:      "DisableOCSPChecks and InsecureMode false",
+			cfg:       &Config{Account: "one", DisableOCSPChecks: false, InsecureMode: false},
+			transport: SnowflakeTransport,
+		},
+		{
+			name:      "DisableOCSPChecks true and InsecureMode false",
+			cfg:       &Config{Account: "two", DisableOCSPChecks: true, InsecureMode: false},
+			transport: snowflakeNoOcspTransport,
+		},
+		{
+			name:      "DisableOCSPChecks false and InsecureMode true",
+			cfg:       &Config{Account: "three", DisableOCSPChecks: false, InsecureMode: true},
+			transport: snowflakeNoOcspTransport,
+		},
+		{
+			name:      "DisableOCSPChecks and InsecureMode missing from Config",
+			cfg:       &Config{Account: "four"},
+			transport: SnowflakeTransport,
+		},
+		{
+			name:      "whole Config is missing",
+			cfg:       nil,
+			transport: SnowflakeTransport,
+		},
+		{
+			name:      "Using custom Transporter",
+			cfg:       &Config{Account: "five", DisableOCSPChecks: true, InsecureMode: false, Transporter: EmptyTransporter{}},
+			transport: EmptyTransporter{},
+		},
+	}
+	for _, test := range testcases {
+		t.Run(test.name, func(t *testing.T) {
+			result := getTransport(test.cfg)
+			if test.transport != result {
+				t.Errorf("Failed to return the correct transport, input :%#v, expected: %v, got: %v", test.cfg, test.transport, result)
+			}
+		})
+	}
+}
diff --git a/driver_test.go b/driver_test.go
@@ -1993,7 +1993,7 @@ type CountingTransport struct {
 
 func (t *CountingTransport) RoundTrip(r *http.Request) (*http.Response, error) {
 	t.requests++
-	return snowflakeInsecureTransport.RoundTrip(r)
+	return snowflakeNoOcspTransport.RoundTrip(r)
 }
 
 func TestOpenWithTransport(t *testing.T) {
diff --git a/file_transfer_agent.go b/file_transfer_agent.go
@@ -597,15 +597,15 @@ type s3BucketAccelerateConfigGetter interface {
 
 type s3ClientCreator interface {
 	extractBucketNameAndPath(location string) (*s3Location, error)
-	createClient(info *execResponseStageInfo, useAccelerateEndpoint bool) (cloudClient, error)
+	createClientWithConfig(info *execResponseStageInfo, useAccelerateEndpoint bool, cfg *Config) (cloudClient, error)
 }
 
 func (sfa *snowflakeFileTransferAgent) transferAccelerateConfigWithUtil(s3Util s3ClientCreator) error {
 	s3Loc, err := s3Util.extractBucketNameAndPath(sfa.stageInfo.Location)
 	if err != nil {
 		return err
 	}
-	s3Cli, err := s3Util.createClient(sfa.stageInfo, false)
+	s3Cli, err := s3Util.createClientWithConfig(sfa.stageInfo, false, sfa.sc.cfg)
 	if err != nil {
 		return err
 	}
diff --git a/file_transfer_agent_test.go b/file_transfer_agent_test.go
@@ -53,15 +53,15 @@ func TestGetBucketAccelerateConfiguration(t *testing.T) {
 
 type s3ClientCreatorMock struct {
 	extract func(string) (*s3Location, error)
-	create  func(info *execResponseStageInfo, useAccelerateEndpoint bool) (cloudClient, error)
+	create  func(info *execResponseStageInfo, useAccelerateEndpoint bool, cfg *Config) (cloudClient, error)
 }
 
 func (mock *s3ClientCreatorMock) extractBucketNameAndPath(location string) (*s3Location, error) {
 	return mock.extract(location)
 }
 
-func (mock *s3ClientCreatorMock) createClient(info *execResponseStageInfo, useAccelerateEndpoint bool) (cloudClient, error) {
-	return mock.create(info, useAccelerateEndpoint)
+func (mock *s3ClientCreatorMock) createClientWithConfig(info *execResponseStageInfo, useAccelerateEndpoint bool, cfg *Config) (cloudClient, error) {
+	return mock.create(info, useAccelerateEndpoint, cfg)
 }
 
 type s3BucketAccelerateConfigGetterMock struct {
@@ -96,7 +96,7 @@ func TestGetBucketAccelerateConfigurationTooManyRetries(t *testing.T) {
 			extract: func(s string) (*s3Location, error) {
 				return &s3Location{bucketName: "test", s3Path: "test"}, nil
 			},
-			create: func(info *execResponseStageInfo, useAccelerateEndpoint bool) (cloudClient, error) {
+			create: func(info *execResponseStageInfo, useAccelerateEndpoint bool, cfg *Config) (cloudClient, error) {
 				return &s3BucketAccelerateConfigGetterMock{err: errors.New("testing")}, nil
 			},
 		})
@@ -146,7 +146,7 @@ func TestGetBucketAccelerateConfigurationFailedCreateClient(t *testing.T) {
 			extract: func(s string) (*s3Location, error) {
 				return &s3Location{bucketName: "test", s3Path: "test"}, nil
 			},
-			create: func(info *execResponseStageInfo, useAccelerateEndpoint bool) (cloudClient, error) {
+			create: func(info *execResponseStageInfo, useAccelerateEndpoint bool, cfg *Config) (cloudClient, error) {
 				return nil, errors.New("failed creation")
 			},
 		})
@@ -172,7 +172,7 @@ func TestGetBucketAccelerateConfigurationInvalidClient(t *testing.T) {
 			extract: func(s string) (*s3Location, error) {
 				return &s3Location{bucketName: "test", s3Path: "test"}, nil
 			},
-			create: func(info *execResponseStageInfo, useAccelerateEndpoint bool) (cloudClient, error) {
+			create: func(info *execResponseStageInfo, useAccelerateEndpoint bool, cfg *Config) (cloudClient, error) {
 				return 1, nil
 			},
 		})
diff --git a/gcs_storage_client.go b/gcs_storage_client.go
@@ -73,7 +73,7 @@ func (util *snowflakeGcsClient) getFileHeader(meta *fileMetadata, filename strin
 			for k, v := range gcsHeaders {
 				req.Header.Add(k, v)
 			}
-			client := newGcsClient()
+			client := newGcsClient(util.cfg)
 			// for testing only
 			if meta.mockGcsClient != nil {
 				client = meta.mockGcsClient
@@ -226,7 +226,7 @@ func (util *snowflakeGcsClient) uploadFile(
 		for k, v := range gcsHeaders {
 			req.Header.Add(k, v)
 		}
-		client := newGcsClient()
+		client := newGcsClient(util.cfg)
 		// for testing only
 		if meta.mockGcsClient != nil {
 			client = meta.mockGcsClient
@@ -307,7 +307,7 @@ func (util *snowflakeGcsClient) nativeDownloadFile(
 		for k, v := range gcsHeaders {
 			req.Header.Add(k, v)
 		}
-		client := newGcsClient()
+		client := newGcsClient(util.cfg)
 		// for testing only
 		if meta.mockGcsClient != nil {
 			client = meta.mockGcsClient
@@ -409,9 +409,9 @@ func (util *snowflakeGcsClient) isTokenExpired(resp *http.Response) bool {
 	return resp.StatusCode == 401
 }
 
-func newGcsClient() gcsAPI {
+func newGcsClient(cfg *Config) gcsAPI {
 	return &http.Client{
-		Transport: SnowflakeTransport,
+		Transport: getTransport(cfg),
 	}
 }
 
diff --git a/ocsp.go b/ocsp.go
@@ -637,7 +637,7 @@ func getRevocationStatus(ctx context.Context, subject, issuer *x509.Certificate)
 	}
 	ocspClient := &http.Client{
 		Timeout:   timeout,
-		Transport: snowflakeInsecureTransport,
+		Transport: snowflakeNoOcspTransport,
 	}
 	ocspRes, ocspResBytes, ocspS := retryOCSP(
 		ctx, ocspClient, http.NewRequest, u, headers, ocspReq, issuer, timeout)
@@ -786,7 +786,7 @@ func downloadOCSPCacheServer() {
 	}
 	ocspClient := &http.Client{
 		Timeout:   timeout,
-		Transport: snowflakeInsecureTransport,
+		Transport: snowflakeNoOcspTransport,
 	}
 	ret, ocspStatus := checkOCSPCacheServer(context.Background(), ocspClient, http.NewRequest, u, timeout)
 	if ocspStatus.code != ocspSuccess {
@@ -1075,8 +1075,8 @@ func init() {
 	initOCSPCache()
 }
 
-// snowflakeInsecureTransport is the transport object that doesn't do certificate revocation check.
-var snowflakeInsecureTransport = &http.Transport{
+// snowflakeNoOcspTransport is the transport object that doesn't do certificate revocation check with OCSP.
+var snowflakeNoOcspTransport = &http.Transport{
 	MaxIdleConns:    10,
 	IdleConnTimeout: 30 * time.Minute,
 	Proxy:           http.ProxyFromEnvironment,
diff --git a/ocsp_test.go b/ocsp_test.go
@@ -34,7 +34,7 @@ func TestOCSP(t *testing.T) {
 	}
 
 	transports := []*http.Transport{
-		snowflakeInsecureTransport,
+		snowflakeNoOcspTransport,
 		SnowflakeTransport,
 	}
 
diff --git a/s3_storage_client.go b/s3_storage_client.go
@@ -59,13 +59,20 @@ func (util *snowflakeS3Client) createClient(info *execResponseStageInfo, useAcce
 		BaseEndpoint:  endPoint,
 		UseAccelerate: useAccelerateEndpoint,
 		HTTPClient: &http.Client{
-			Transport: SnowflakeTransport,
+			Transport: getTransport(util.cfg),
 		},
 		ClientLogMode: S3LoggingMode,
 		Logger:        s3Logger,
 	}), nil
 }
 
+// to be used with S3 transferAccelerateConfigWithUtil
+func (util *snowflakeS3Client) createClientWithConfig(info *execResponseStageInfo, useAccelerateEndpoint bool, cfg *Config) (cloudClient, error) {
+	// copy snowflakeFileTransferAgent's config onto the cloud client so we could decide which Transport to use
+	util.cfg = cfg
+	return util.createClient(info, useAccelerateEndpoint)
+}
+
 func getS3CustomEndpoint(info *execResponseStageInfo) *string {
 	var endPoint *string
 	isRegionalURLEnabled := info.UseRegionalURL || info.UseS3RegionalURL

Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ func (t DummyTransport) RoundTrip(r http.Request) (*http.Response, error) {`
`23`	`23`	`}`
`24`	`24`	`return &http.Response{StatusCode: 200}, nil`
`25`	`25`	`}`
`26`		`- return snowflakeInsecureTransport.RoundTrip(r)`
	`26`	`+ return snowflakeNoOcspTransport.RoundTrip(r)`
`27`	`27`	`}`
`28`	`28`
`29`	`29`	`func TestInternalClient(t *testing.T) {`
Original file line number	Diff line number	Diff line change
`@@ -1993,7 +1993,7 @@ type CountingTransport struct {`
`1993`	`1993`
`1994`	`1994`	`func (t CountingTransport) RoundTrip(r http.Request) (*http.Response, error) {`
`1995`	`1995`	`t.requests++`
`1996`		`- return snowflakeInsecureTransport.RoundTrip(r)`
	`1996`	`+ return snowflakeNoOcspTransport.RoundTrip(r)`
`1997`	`1997`	`}`
`1998`	`1998`
`1999`	`1999`	`func TestOpenWithTransport(t *testing.T) {`
Original file line number	Diff line number	Diff line change
`@@ -597,15 +597,15 @@ type s3BucketAccelerateConfigGetter interface {`
`597`	`597`
`598`	`598`	`type s3ClientCreator interface {`
`599`	`599`	`extractBucketNameAndPath(location string) (*s3Location, error)`
`600`		`- createClient(info *execResponseStageInfo, useAccelerateEndpoint bool) (cloudClient, error)`
	`600`	`+ createClientWithConfig(info execResponseStageInfo, useAccelerateEndpoint bool, cfg Config) (cloudClient, error)`
`601`	`601`	`}`
`602`	`602`
`603`	`603`	`func (sfa *snowflakeFileTransferAgent) transferAccelerateConfigWithUtil(s3Util s3ClientCreator) error {`
`604`	`604`	`s3Loc, err := s3Util.extractBucketNameAndPath(sfa.stageInfo.Location)`
`605`	`605`	`if err != nil {`
`606`	`606`	`return err`
`607`	`607`	`}`
`608`		`- s3Cli, err := s3Util.createClient(sfa.stageInfo, false)`
	`608`	`+ s3Cli, err := s3Util.createClientWithConfig(sfa.stageInfo, false, sfa.sc.cfg)`
`609`	`609`	`if err != nil {`
`610`	`610`	`return err`
`611`	`611`	`}`
Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,7 @@ func (util snowflakeGcsClient) getFileHeader(meta fileMetadata, filename strin`
`73`	`73`	`for k, v := range gcsHeaders {`
`74`	`74`	`req.Header.Add(k, v)`
`75`	`75`	`}`
`76`		`- client := newGcsClient()`
	`76`	`+ client := newGcsClient(util.cfg)`
`77`	`77`	`// for testing only`
`78`	`78`	`if meta.mockGcsClient != nil {`
`79`	`79`	`client = meta.mockGcsClient`
`@@ -226,7 +226,7 @@ func (util *snowflakeGcsClient) uploadFile(`
`226`	`226`	`for k, v := range gcsHeaders {`
`227`	`227`	`req.Header.Add(k, v)`
`228`	`228`	`}`
`229`		`- client := newGcsClient()`
	`229`	`+ client := newGcsClient(util.cfg)`
`230`	`230`	`// for testing only`
`231`	`231`	`if meta.mockGcsClient != nil {`
`232`	`232`	`client = meta.mockGcsClient`
`@@ -307,7 +307,7 @@ func (util *snowflakeGcsClient) nativeDownloadFile(`
`307`	`307`	`for k, v := range gcsHeaders {`
`308`	`308`	`req.Header.Add(k, v)`
`309`	`309`	`}`
`310`		`- client := newGcsClient()`
	`310`	`+ client := newGcsClient(util.cfg)`
`311`	`311`	`// for testing only`
`312`	`312`	`if meta.mockGcsClient != nil {`
`313`	`313`	`client = meta.mockGcsClient`
`@@ -409,9 +409,9 @@ func (util snowflakeGcsClient) isTokenExpired(resp http.Response) bool {`
`409`	`409`	`return resp.StatusCode == 401`
`410`	`410`	`}`
`411`	`411`
`412`		`-func newGcsClient() gcsAPI {`
	`412`	`+func newGcsClient(cfg *Config) gcsAPI {`
`413`	`413`	`return &http.Client{`
`414`		`- Transport: SnowflakeTransport,`
	`414`	`+ Transport: getTransport(cfg),`
`415`	`415`	`}`
`416`	`416`	`}`
`417`	`417`
Original file line number	Diff line number	Diff line change
`@@ -637,7 +637,7 @@ func getRevocationStatus(ctx context.Context, subject, issuer *x509.Certificate)`
`637`	`637`	`}`
`638`	`638`	`ocspClient := &http.Client{`
`639`	`639`	`Timeout: timeout,`
`640`		`- Transport: snowflakeInsecureTransport,`
	`640`	`+ Transport: snowflakeNoOcspTransport,`
`641`	`641`	`}`
`642`	`642`	`ocspRes, ocspResBytes, ocspS := retryOCSP(`
`643`	`643`	`ctx, ocspClient, http.NewRequest, u, headers, ocspReq, issuer, timeout)`
`@@ -786,7 +786,7 @@ func downloadOCSPCacheServer() {`
`786`	`786`	`}`
`787`	`787`	`ocspClient := &http.Client{`
`788`	`788`	`Timeout: timeout,`
`789`		`- Transport: snowflakeInsecureTransport,`
	`789`	`+ Transport: snowflakeNoOcspTransport,`
`790`	`790`	`}`
`791`	`791`	`ret, ocspStatus := checkOCSPCacheServer(context.Background(), ocspClient, http.NewRequest, u, timeout)`
`792`	`792`	`if ocspStatus.code != ocspSuccess {`
`@@ -1075,8 +1075,8 @@ func init() {`
`1075`	`1075`	`initOCSPCache()`
`1076`	`1076`	`}`
`1077`	`1077`
`1078`		`-// snowflakeInsecureTransport is the transport object that doesn't do certificate revocation check.`
`1079`		`-var snowflakeInsecureTransport = &http.Transport{`
	`1078`	`+// snowflakeNoOcspTransport is the transport object that doesn't do certificate revocation check with OCSP.`
	`1079`	`+var snowflakeNoOcspTransport = &http.Transport{`
`1080`	`1080`	`MaxIdleConns: 10,`
`1081`	`1081`	`IdleConnTimeout: 30 * time.Minute,`
`1082`	`1082`	`Proxy: http.ProxyFromEnvironment,`
Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ func TestOCSP(t *testing.T) {`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`transports := []*http.Transport{`
`37`		`- snowflakeInsecureTransport,`
	`37`	`+ snowflakeNoOcspTransport,`
`38`	`38`	`SnowflakeTransport,`
`39`	`39`	`}`
`40`	`40`