snowflakedb · sfc-gh-dheyman · Nov 30, 2024 · Nov 30, 2024 · Dec 2, 2024 · Dec 2, 2024
@@ -6,7 +6,7 @@ set -o pipefail
 
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
 
-if jar tvf $DIR/../target/snowflake-jdbc-fips.jar  | awk '{print $8}' | grep -v -E "/$" | grep -v -E "^(net|com)/snowflake" | grep -v -E "(com|net)/\$" | grep -v -E "^META-INF" | grep -v -E "^mozilla" | grep -v -E "^com/sun/jna" | grep -v com/sun/ | grep -v mime.types | grep -v -E "^com/github/luben/zstd/" | grep -v -E "^aix/" | grep -v -E "^darwin/" | grep -v -E "^freebsd/" | grep -v -E "^linux/" | grep -v -E "^win/"; then
+if jar tvf $DIR/../target/snowflake-jdbc-fips.jar  | awk '{print $8}' | grep -v -E "/$" | grep -v -E "^(net|com)/snowflake" | grep -v -E "(com|net)/\$" | grep -v -E "^META-INF" | grep -v -E "^iso3166_" | grep -v -E "^mozilla" | grep -v -E "^com/sun/jna" | grep -v com/sun/ | grep -v mime.types | grep -v -E "^com/github/luben/zstd/" | grep -v -E "^aix/" | grep -v -E "^darwin/" | grep -v -E "^freebsd/" | grep -v -E "^linux/" | grep -v -E "^win/"; then
   echo "[ERROR] JDBC jar includes class not under the snowflake namespace"
   exit 1
 fi
@@ -8,7 +8,7 @@ set -o pipefail
 
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
 
-if jar tvf $DIR/../../target/snowflake-jdbc${package_modifier}.jar | awk '{print $8}' | grep -v -E "/$" | grep -v -E "^(net|com)/snowflake" | grep -v -E "(com|net)/\$" | grep -v -E "^META-INF" | grep -v -E "^mozilla" | grep -v -E "^com/sun/jna" | grep -v com/sun/ | grep -v mime.types | grep -v -E "^com/github/luben/zstd/" | grep -v -E "^aix/" | grep -v -E "^darwin/" | grep -v -E "^freebsd/" | grep -v -E "^linux/" | grep -v -E "^win/"; then
+if jar $DIR/../../target/snowflake-jdbc${package_modifier}.jar | awk '{print $8}' | grep -v -E "/$" | grep -v -E "^(net|com)/snowflake" | grep -v -E "(com|net)/\$" | grep -v -E "^META-INF" | grep -v -E "^iso3166_" | grep -v -E "^mozilla" | grep -v -E "^com/sun/jna" | grep -v com/sun/ | grep -v mime.types | grep -v -E "^com/github/luben/zstd/" | grep -v -E "^aix/" | grep -v -E "^darwin/" | grep -v -E "^freebsd/" | grep -v -E "^linux/" | grep -v -E "^win/"; then
   echo "[ERROR] JDBC jar includes class not under the snowflake namespace"
   exit 1
 fi

@@ -14,11 +14,6 @@
         <Source><Package name="com.nimbusds.jose"/></Source>
         <Reason>Optional</Reason>
     </LinkageError>
-    <LinkageError>
-        <Target><Package name="org.brotli.dec"/></Target>
-        <Source><Package name="org.apache.commons.compress.compressors"/></Source>
-        <Reason>Optional</Reason>
-    </LinkageError>
     <LinkageError>
         <Target><Package name="com.google.appengine.api.urlfetch"/></Target>
         <Source><Package name="com.google.api.client.extensions.appengine"/></Source>
@@ -29,6 +24,7 @@
         <Source><Package name="com.google.api.gax"/></Source>
         <Reason>?</Reason>
     </LinkageError>
+
     <LinkageError>
         <Target><Package name="org.osgi"/></Target>
         <Source><Package name="org.apache.tika.config"/></Source>
@@ -49,6 +45,26 @@
         <Source><Package name="org.bouncycastle.pqc.legacy.crypto.ntru"/></Source>
         <Reason>?</Reason>
     </LinkageError>
+    <LinkageError>
+        <Target><Package name="org.cryptomator"/></Target>
+        <Source><Package name="com.nimbusds"/></Source>
+        <Reason>?</Reason>
+    </LinkageError>
+    <LinkageError>
+        <Target><Package name="org.opensaml"/></Target>
+        <Source><Package name="com.nimbusds"/></Source>
+        <Reason>?</Reason>
+    </LinkageError>
+    <LinkageError>
+        <Target><Package name="jakarta.servlet"/></Target>
+        <Source><Package name="com.nimbusds"/></Source>
+        <Reason>?</Reason>
+    </LinkageError>
+    <LinkageError>
+        <Target><Package name="net.shibboleth.utilities"/></Target>
+        <Source><Package name="com.nimbusds"/></Source>
+        <Reason>?</Reason>
+    </LinkageError>
     <!--
     <LinkageError>
         <Target><Package name=""/></Target>

@@ -21,7 +21,7 @@
     <apache.httpcore.version>4.4.16</apache.httpcore.version>
     <zstd-jni.version>1.5.6-5</zstd-jni.version>
     <arrow.version>17.0.0</arrow.version>
-    <asm.version>9.3</asm.version>
+    <asm.version>9.6</asm.version>
     <avro.version>1.8.1</avro.version>
     <awaitility.version>4.2.0</awaitility.version>
     <awssdk.version>1.12.655</awssdk.version>
@@ -60,7 +60,7 @@
     <javax.servlet.version>3.1.0</javax.servlet.version>
     <jna.version>5.13.0</jna.version>
     <joda.time.version>2.8.1</joda.time.version>
-    <json.smart.version>2.4.9</json.smart.version>
+    <json.smart.version>2.5.1</json.smart.version>
     <junit4.version>4.13.2</junit4.version>
     <junit.version>5.11.1</junit.version>
     <junit.platform.version>1.11.1</junit.platform.version>
@@ -69,7 +69,8 @@
     <metrics.version>2.2.0</metrics.version>
     <mockito.version>4.11.0</mockito.version>
     <netty.version>4.1.115.Final</netty.version>
-    <nimbusds.version>9.37.3</nimbusds.version>
+    <nimbusds.version>9.40</nimbusds.version>
+    <nimbusds.oauth2.version>11.20.1</nimbusds.oauth2.version>
     <opencensus.version>0.31.1</opencensus.version>
     <plexus.container.version>1.0-alpha-9-stable-1</plexus.container.version>
     <plexus.utils.version>3.4.2</plexus.utils.version>
@@ -218,6 +219,11 @@
         <artifactId>nimbus-jose-jwt</artifactId>
         <version>${nimbusds.version}</version>
       </dependency>
+      <dependency>
+        <groupId>com.nimbusds</groupId>
+        <artifactId>oauth2-oidc-sdk</artifactId>
+        <version>${nimbusds.oauth2.version}</version>
+      </dependency>
       <dependency>
         <groupId>com.yammer.metrics</groupId>
         <artifactId>metrics-core</artifactId>
@@ -645,6 +651,10 @@
       <groupId>com.nimbusds</groupId>
       <artifactId>nimbus-jose-jwt</artifactId>
     </dependency>
+    <dependency>
+      <groupId>com.nimbusds</groupId>
+      <artifactId>oauth2-oidc-sdk</artifactId>
+    </dependency>
     <dependency>
       <groupId>com.yammer.metrics</groupId>
       <artifactId>metrics-core</artifactId>

@@ -49,6 +49,8 @@ public class SFLoginInput {
   private String privateKeyPwd;
   private String inFlightCtx; // Opaque string sent for Snowsight account activation
 
+  private SFOauthLoginInput oauthLoginInput;
+
   private boolean disableConsoleLogin = true;
   private boolean disableSamlURLCheck = false;
   private boolean enableClientStoreTemporaryCredential;
@@ -59,7 +61,8 @@ public class SFLoginInput {
   // Additional headers to add for Snowsight.
   Map<String, String> additionalHttpHeadersForSnowsight;
 
-  SFLoginInput() {}
+  @SnowflakeJdbcInternalApi
+  public SFLoginInput() {}
 
   Duration getBrowserResponseTimeout() {
     return browserResponseTimeout;
@@ -74,7 +77,8 @@ public String getServerUrl() {
     return serverUrl;
   }
 
-  SFLoginInput setServerUrl(String serverUrl) {
+  @SnowflakeJdbcInternalApi
+  public SFLoginInput setServerUrl(String serverUrl) {
     this.serverUrl = serverUrl;
     return this;
   }
@@ -160,7 +164,8 @@ public SFLoginInput setAccountName(String accountName) {
     return this;
   }
 
-  int getLoginTimeout() {
+  @SnowflakeJdbcInternalApi
+  public int getLoginTimeout() {
     return loginTimeout;
   }
 
@@ -184,7 +189,7 @@ SFLoginInput setRetryTimeout(int retryTimeout) {
     return this;
   }
 
-  int getAuthTimeout() {
+  public int getAuthTimeout() {
     return authTimeout;
   }
 
@@ -238,11 +243,13 @@ SFLoginInput setConnectionTimeout(Duration connectionTimeout) {
     return this;
   }
 
-  int getSocketTimeoutInMillis() {
+  @SnowflakeJdbcInternalApi
+  public int getSocketTimeoutInMillis() {
     return (int) socketTimeout.toMillis();
   }
 
-  SFLoginInput setSocketTimeout(Duration socketTimeout) {
+  @SnowflakeJdbcInternalApi
+  public SFLoginInput setSocketTimeout(Duration socketTimeout) {
     this.socketTimeout = socketTimeout;
     return this;
   }
@@ -388,11 +395,13 @@ SFLoginInput setOCSPMode(OCSPMode ocspMode) {
     return this;
   }
 
-  HttpClientSettingsKey getHttpClientSettingsKey() {
+  @SnowflakeJdbcInternalApi
+  public HttpClientSettingsKey getHttpClientSettingsKey() {
     return httpClientKey;
   }
 
-  SFLoginInput setHttpClientSettingsKey(HttpClientSettingsKey key) {
+  @SnowflakeJdbcInternalApi
+  public SFLoginInput setHttpClientSettingsKey(HttpClientSettingsKey key) {
     this.httpClientKey = key;
     return this;
   }
@@ -485,4 +494,15 @@ SFLoginInput setEnableClientRequestMfaToken(boolean enableClientRequestMfaToken)
     this.enableClientRequestMfaToken = enableClientRequestMfaToken;
     return this;
   }
+
+  @SnowflakeJdbcInternalApi
+  public SFOauthLoginInput getOauthLoginInput() {
+    return oauthLoginInput;
+  }
+
+  @SnowflakeJdbcInternalApi
+  public SFLoginInput setOauthLoginInput(SFOauthLoginInput oauthLoginInput) {
+    this.oauthLoginInput = oauthLoginInput;
+    return this;
+  }
 }
@@ -0,0 +1,51 @@
+package net.snowflake.client.core;
+
+@SnowflakeJdbcInternalApi
+public class SFOauthLoginInput {
+
+  private final String clientId;
+  private final String clientSecret;
+  private final String redirectUri;
+  private final String externalAuthorizationUrl;
+  private final String externalTokenRequestUrl;
+  private final String scope;
+
+  public SFOauthLoginInput(
+      String clientId,
+      String clientSecret,
+      String redirectUri,
+      String externalAuthorizationUrl,
+      String externalTokenRequestUrl,
+      String scope) {
+    this.redirectUri = redirectUri;
+    this.clientId = clientId;
+    this.clientSecret = clientSecret;
+    this.externalAuthorizationUrl = externalAuthorizationUrl;
+    this.externalTokenRequestUrl = externalTokenRequestUrl;
+    this.scope = scope;
+  }
+
+  public String getRedirectUri() {
+    return redirectUri;
+  }
+
+  public String getClientId() {
+    return clientId;
+  }
+
+  public String getClientSecret() {
+    return clientSecret;
+  }
+
+  public String getExternalAuthorizationUrl() {
+    return externalAuthorizationUrl;
+  }
+
+  public String getExternalTokenRequestUrl() {
+    return externalTokenRequestUrl;
+  }
+
+  public String getScope() {
+    return scope;
+  }
+}
@@ -640,6 +640,14 @@ public synchronized void open() throws SFException, SnowflakeSQLException {
 
     // TODO: temporarily hardcode sessionParameter debug info. will be changed in the future
     SFLoginInput loginInput = new SFLoginInput();
+    SFOauthLoginInput oauthLoginInput =
+        new SFOauthLoginInput(
+            (String) connectionPropertiesMap.get(SFSessionProperty.CLIENT_ID),
+            (String) connectionPropertiesMap.get(SFSessionProperty.CLIENT_SECRET),
+            (String) connectionPropertiesMap.get(SFSessionProperty.OAUTH_REDIRECT_URI),
+            (String) connectionPropertiesMap.get(SFSessionProperty.OAUTH_SCOPE),
+            (String) connectionPropertiesMap.get(SFSessionProperty.EXTERNAL_AUTHORIZATION_URL),
+            (String) connectionPropertiesMap.get(SFSessionProperty.EXTERNAL_TOKEN_REQUEST_URL));
 
     loginInput
         .setServerUrl((String) connectionPropertiesMap.get(SFSessionProperty.SERVER_URL))
@@ -677,6 +685,7 @@ public synchronized void open() throws SFException, SnowflakeSQLException {
         .setSessionParameters(sessionParametersMap)
         .setPrivateKey((PrivateKey) connectionPropertiesMap.get(SFSessionProperty.PRIVATE_KEY))
         .setPrivateKeyFile((String) connectionPropertiesMap.get(SFSessionProperty.PRIVATE_KEY_FILE))
+        .setOauthLoginInput(oauthLoginInput)
         .setPrivateKeyBase64(
             (String) connectionPropertiesMap.get(SFSessionProperty.PRIVATE_KEY_BASE64))
         .setPrivateKeyPwd(

@@ -29,6 +29,12 @@ public enum SFSessionProperty {
   AUTHENTICATOR("authenticator", false, String.class),
   OKTA_USERNAME("oktausername", false, String.class),
   PRIVATE_KEY("privateKey", false, PrivateKey.class),
+  OAUTH_REDIRECT_URI("redirectUri", false, String.class),
+  CLIENT_ID("clientID", false, String.class),
+  CLIENT_SECRET("clientSecret", false, String.class),
+  OAUTH_SCOPE("scope", false, String.class),
+  EXTERNAL_AUTHORIZATION_URL("externalAuthorizationUrl", false, String.class),
+  EXTERNAL_TOKEN_REQUEST_URL("externalTokenRequestUrl", false, String.class),
   WAREHOUSE("warehouse", false, String.class),
   LOGIN_TIMEOUT("loginTimeout", false, Integer.class),
   NETWORK_TIMEOUT("networkTimeout", false, Integer.class),

@@ -28,6 +28,8 @@
 import net.snowflake.client.core.auth.AuthenticatorType;
 import net.snowflake.client.core.auth.ClientAuthnDTO;
 import net.snowflake.client.core.auth.ClientAuthnParameter;
+import net.snowflake.client.core.auth.oauth.AuthorizationCodeFlowAccessTokenProvider;
+import net.snowflake.client.core.auth.oauth.OauthAccessTokenProvider;
 import net.snowflake.client.jdbc.ErrorCode;
 import net.snowflake.client.jdbc.SnowflakeDriver;
 import net.snowflake.client.jdbc.SnowflakeReauthenticationRequest;
@@ -138,6 +140,7 @@ public class SessionUtil {
   public static int DEFAULT_CLIENT_PREFETCH_THREADS = 4;
   public static int MIN_CLIENT_CHUNK_SIZE = 48;
   public static int MAX_CLIENT_CHUNK_SIZE = 160;
+
   public static Map<String, String> JVM_PARAMS_TO_PARAMS =
       Stream.of(
               new String[][] {
@@ -217,8 +220,13 @@ private static AuthenticatorType getAuthenticator(SFLoginInput loginInput) {
           .equalsIgnoreCase(AuthenticatorType.EXTERNALBROWSER.name())) {
         // SAML 2.0 compliant service/application
         return AuthenticatorType.EXTERNALBROWSER;
+      } else if (loginInput
+          .getAuthenticator()
+          .equalsIgnoreCase(AuthenticatorType.OAUTH_AUTHORIZATION_CODE.name())) {
+        // OAuth authorization code flow authentication
+        return AuthenticatorType.OAUTH_AUTHORIZATION_CODE;
       } else if (loginInput.getAuthenticator().equalsIgnoreCase(AuthenticatorType.OAUTH.name())) {
-        // OAuth Authentication
+        // OAuth access code Authentication
         return AuthenticatorType.OAUTH;
       } else if (loginInput
           .getAuthenticator()
@@ -265,6 +273,22 @@ static SFLoginOutput openSession(
     AssertUtil.assertTrue(
         loginInput.getLoginTimeout() >= 0, "negative login timeout for opening session");
 
+    if (getAuthenticator(loginInput).equals(AuthenticatorType.OAUTH_AUTHORIZATION_CODE)) {
+      AssertUtil.assertTrue(
+          loginInput.getOauthLoginInput().getClientId() != null,
+          "passing clientId is required for OAUTH_AUTHORIZATION_CODE_FLOW authentication");
+      AssertUtil.assertTrue(
+          loginInput.getOauthLoginInput().getClientSecret() != null,
+          "passing clientSecret is required for OAUTH_AUTHORIZATION_CODE_FLOW authentication");
+      OauthAccessTokenProvider accessTokenProvider =
+          new AuthorizationCodeFlowAccessTokenProvider(
+              new SessionUtilExternalBrowser.DefaultAuthExternalBrowserHandlers(),
+              (int) loginInput.getBrowserResponseTimeout().getSeconds());
+      String oauthAccessToken = accessTokenProvider.getAccessToken(loginInput);
+      loginInput.setAuthenticator(AuthenticatorType.OAUTH.name());
+      loginInput.setToken(oauthAccessToken);
+    }
+
     final AuthenticatorType authenticator = getAuthenticator(loginInput);
     if (!authenticator.equals(AuthenticatorType.OAUTH)) {
       // OAuth does not require a username

@@ -61,7 +61,8 @@ public interface AuthExternalBrowserHandlers {
     void output(String msg);
   }
 
-  static class DefaultAuthExternalBrowserHandlers implements AuthExternalBrowserHandlers {
+  @SnowflakeJdbcInternalApi
+  public static class DefaultAuthExternalBrowserHandlers implements AuthExternalBrowserHandlers {
     @Override
     public HttpPost build(URI uri) {
       return new HttpPost(uri);

@@ -41,5 +41,10 @@ public enum AuthenticatorType {
   /*
    * Authenticator to enable token for regular login with mfa
    */
-  USERNAME_PASSWORD_MFA
+  USERNAME_PASSWORD_MFA,
+
+  /*
+   * Authorization code flow with browser popup
+   */
+  OAUTH_AUTHORIZATION_CODE
 }