SNOW-1739611 add oauth and okta automated tests (#1994)

snowflakedb · Dec 17, 2024 · b3a2763 · b3a2763
1 parent 871df20
commit b3a2763
Show file tree

Hide file tree

Showing 8 changed files with 231 additions and 78 deletions.
diff --git a/src/test/java/net/snowflake/client/authentication/AuthConnectionParameters.java b/src/test/java/net/snowflake/client/authentication/AuthConnectionParameters.java
@@ -34,4 +34,20 @@ static Properties getStoreIDTokenConnectionParameters() {
     properties.put("CLIENT_STORE_TEMPORARY_CREDENTIAL", true);
     return properties;
   }
+
+  static Properties getOktaConnectionParameters() {
+    Properties properties = getBaseConnectionParameters();
+    properties.put("user", SSO_USER);
+    properties.put("password", SSO_PASSWORD);
+    properties.put("authenticator", systemGetEnv("SNOWFLAKE_AUTH_TEST_OAUTH_URL"));
+    return properties;
+  }
+
+  static Properties getOauthConnectionParameters(String token) {
+    Properties properties = getBaseConnectionParameters();
+    properties.put("user", SSO_USER);
+    properties.put("authenticator", "OAUTH");
+    properties.put("token", token);
+    return properties;
+  }
 }
diff --git a/...flake/client/authentication/AuthTest.java → ...client/authentication/AuthTestHelper.java b/...flake/client/authentication/AuthTest.java → ...client/authentication/AuthTestHelper.java
@@ -18,13 +18,13 @@
 import net.snowflake.client.jdbc.SnowflakeConnectionV1;
 import net.snowflake.client.jdbc.SnowflakeSQLException;
 
-public class AuthTest {
+public class AuthTestHelper {
 
   private Exception exception;
   private String idToken;
   private final boolean runAuthTestsManually;
 
-  public AuthTest() {
+  public AuthTestHelper() {
     this.runAuthTestsManually = Boolean.parseBoolean(System.getenv("RUN_AUTH_TESTS_MANUALLY"));
   }
 

diff --git a/...ent/authentication/ExternalBrowserIT.java → ...thentication/ExternalBrowserLatestIT.java b/...ent/authentication/ExternalBrowserIT.java → ...thentication/ExternalBrowserLatestIT.java
@@ -11,44 +11,45 @@
 import org.junit.jupiter.api.Test;
 
 @Tag(TestTags.AUTHENTICATION)
-class ExternalBrowserIT {
+class ExternalBrowserLatestIT {
 
   String login = AuthConnectionParameters.SSO_USER;
   String password = AuthConnectionParameters.SSO_PASSWORD;
-  AuthTest authTest = new AuthTest();
+  AuthTestHelper authTestHelper = new AuthTestHelper();
 
   @BeforeEach
   public void setUp() throws IOException {
-    AuthTest.deleteIdToken();
+    AuthTestHelper.deleteIdToken();
   }
 
   @AfterEach
   public void tearDown() {
-    authTest.cleanBrowserProcesses();
-    AuthTest.deleteIdToken();
+    authTestHelper.cleanBrowserProcesses();
+    AuthTestHelper.deleteIdToken();
   }
 
   @Test
   void shouldAuthenticateUsingExternalBrowser() throws InterruptedException {
     Thread provideCredentialsThread =
-        new Thread(() -> authTest.provideCredentials("success", login, password));
+        new Thread(() -> authTestHelper.provideCredentials("success", login, password));
     Thread connectThread =
-        authTest.getConnectAndExecuteSimpleQueryThread(getExternalBrowserConnectionParameters());
+        authTestHelper.getConnectAndExecuteSimpleQueryThread(
+            getExternalBrowserConnectionParameters());
 
-    authTest.connectAndProvideCredentials(provideCredentialsThread, connectThread);
-    authTest.verifyExceptionIsNotThrown();
+    authTestHelper.connectAndProvideCredentials(provideCredentialsThread, connectThread);
+    authTestHelper.verifyExceptionIsNotThrown();
   }
 
   @Test
   void shouldThrowErrorForMismatchedUsername() throws InterruptedException {
     Properties properties = getExternalBrowserConnectionParameters();
     properties.put("user", "differentUsername");
     Thread provideCredentialsThread =
-        new Thread(() -> authTest.provideCredentials("success", login, password));
-    Thread connectThread = authTest.getConnectAndExecuteSimpleQueryThread(properties);
+        new Thread(() -> authTestHelper.provideCredentials("success", login, password));
+    Thread connectThread = authTestHelper.getConnectAndExecuteSimpleQueryThread(properties);
 
-    authTest.connectAndProvideCredentials(provideCredentialsThread, connectThread);
-    authTest.verifyExceptionIsThrown(
+    authTestHelper.connectAndProvideCredentials(provideCredentialsThread, connectThread);
+    authTestHelper.verifyExceptionIsThrown(
         "The user you were trying to authenticate as differs from the user currently logged in at the IDP.");
   }
 
@@ -57,26 +58,26 @@ void shouldThrowErrorForWrongCredentials() throws InterruptedException {
     String login = "itsnotanaccount.com";
     String password = "fakepassword";
     Thread provideCredentialsThread =
-        new Thread(() -> authTest.provideCredentials("fail", login, password));
+        new Thread(() -> authTestHelper.provideCredentials("fail", login, password));
     Thread connectThread =
-        authTest.getConnectAndExecuteSimpleQueryThread(
+        authTestHelper.getConnectAndExecuteSimpleQueryThread(
             getExternalBrowserConnectionParameters(), "BROWSER_RESPONSE_TIMEOUT=10");
 
-    authTest.connectAndProvideCredentials(provideCredentialsThread, connectThread);
-    authTest.verifyExceptionIsThrown(
+    authTestHelper.connectAndProvideCredentials(provideCredentialsThread, connectThread);
+    authTestHelper.verifyExceptionIsThrown(
         "JDBC driver encountered communication error. Message: External browser authentication failed within timeout of 10000 milliseconds.");
   }
 
   @Test
   void shouldThrowErrorForBrowserTimeout() throws InterruptedException {
     Thread provideCredentialsThread =
-        new Thread(() -> authTest.provideCredentials("timeout", login, password));
+        new Thread(() -> authTestHelper.provideCredentials("timeout", login, password));
     Thread connectThread =
-        authTest.getConnectAndExecuteSimpleQueryThread(
+        authTestHelper.getConnectAndExecuteSimpleQueryThread(
             getExternalBrowserConnectionParameters(), "BROWSER_RESPONSE_TIMEOUT=1");
 
-    authTest.connectAndProvideCredentials(provideCredentialsThread, connectThread);
-    authTest.verifyExceptionIsThrown(
+    authTestHelper.connectAndProvideCredentials(provideCredentialsThread, connectThread);
+    authTestHelper.verifyExceptionIsThrown(
         "JDBC driver encountered communication error. Message: External browser authentication failed within timeout of 1000 milliseconds.");
   }
 }
diff --git a/...lake/client/authentication/IdTokenIT.java → ...lient/authentication/IdTokenLatestIT.java b/...lake/client/authentication/IdTokenIT.java → ...lient/authentication/IdTokenLatestIT.java
@@ -17,58 +17,58 @@
 
 @Tag(TestTags.AUTHENTICATION)
 @TestMethodOrder(MethodOrderer.OrderAnnotation.class)
-class IdTokenIT {
+class IdTokenLatestIT {
 
   String login = AuthConnectionParameters.SSO_USER;
   String password = AuthConnectionParameters.SSO_PASSWORD;
-  AuthTest authTest = new AuthTest();
+  AuthTestHelper authTestHelper = new AuthTestHelper();
   private static String firstToken;
 
   @BeforeAll
   public static void globalSetUp() {
-    AuthTest.deleteIdToken();
+    AuthTestHelper.deleteIdToken();
   }
 
   @AfterEach
   public void tearDown() {
-    authTest.cleanBrowserProcesses();
+    authTestHelper.cleanBrowserProcesses();
   }
 
   @Test
   @Order(1)
   void shouldAuthenticateUsingExternalBrowserAndSaveToken() throws InterruptedException {
     Thread provideCredentialsThread =
-        new Thread(() -> authTest.provideCredentials("success", login, password));
+        new Thread(() -> authTestHelper.provideCredentials("success", login, password));
     Thread connectThread =
-        authTest.getConnectAndExecuteSimpleQueryThread(getStoreIDTokenConnectionParameters());
+        authTestHelper.getConnectAndExecuteSimpleQueryThread(getStoreIDTokenConnectionParameters());
 
-    authTest.connectAndProvideCredentials(provideCredentialsThread, connectThread);
-    authTest.verifyExceptionIsNotThrown();
-    firstToken = authTest.getIdToken();
+    authTestHelper.connectAndProvideCredentials(provideCredentialsThread, connectThread);
+    authTestHelper.verifyExceptionIsNotThrown();
+    firstToken = authTestHelper.getIdToken();
     assertThat("Id token was not saved", firstToken, notNullValue());
   }
 
   @Test
   @Order(2)
   void shouldAuthenticateUsingTokenWithoutBrowser() {
     verifyFirstTokenWasSaved();
-    authTest.connectAndExecuteSimpleQuery(getStoreIDTokenConnectionParameters(), null);
-    authTest.verifyExceptionIsNotThrown();
+    authTestHelper.connectAndExecuteSimpleQuery(getStoreIDTokenConnectionParameters(), null);
+    authTestHelper.verifyExceptionIsNotThrown();
   }
 
   @Test
   @Order(3)
   void shouldOpenBrowserAgainWhenTokenIsDeleted() throws InterruptedException {
     verifyFirstTokenWasSaved();
-    AuthTest.deleteIdToken();
+    AuthTestHelper.deleteIdToken();
     Thread provideCredentialsThread =
-        new Thread(() -> authTest.provideCredentials("success", login, password));
+        new Thread(() -> authTestHelper.provideCredentials("success", login, password));
     Thread connectThread =
-        authTest.getConnectAndExecuteSimpleQueryThread(getStoreIDTokenConnectionParameters());
+        authTestHelper.getConnectAndExecuteSimpleQueryThread(getStoreIDTokenConnectionParameters());
 
-    authTest.connectAndProvideCredentials(provideCredentialsThread, connectThread);
-    authTest.verifyExceptionIsNotThrown();
-    String secondToken = authTest.getIdToken();
+    authTestHelper.connectAndProvideCredentials(provideCredentialsThread, connectThread);
+    authTestHelper.verifyExceptionIsNotThrown();
+    String secondToken = authTestHelper.getIdToken();
     assertThat("Id token was not saved", secondToken, notNullValue());
     assertThat("Id token was not updated", secondToken, not(firstToken));
   }

diff --git a/src/test/java/net/snowflake/client/authentication/OauthLatestIT.java b/src/test/java/net/snowflake/client/authentication/OauthLatestIT.java
@@ -0,0 +1,94 @@
+package net.snowflake.client.authentication;
+
+import static net.snowflake.client.authentication.AuthConnectionParameters.getOauthConnectionParameters;
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.List;
+import java.util.Properties;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import net.snowflake.client.category.TestTags;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Tag;
+import org.junit.jupiter.api.Test;
+
+@Tag(TestTags.AUTHENTICATION)
+public class OauthLatestIT {
+
+  AuthTestHelper authTestHelper;
+
+  @BeforeEach
+  public void setUp() throws IOException {
+    authTestHelper = new AuthTestHelper();
+  }
+
+  @Test
+  void shouldAuthenticateUsingOauth() throws IOException {
+    authTestHelper.connectAndExecuteSimpleQuery(getOauthConnectionParameters(getToken()), null);
+    authTestHelper.verifyExceptionIsNotThrown();
+  }
+
+  @Test
+  void shouldThrowErrorForInvalidToken() {
+    authTestHelper.connectAndExecuteSimpleQuery(getOauthConnectionParameters("invalidToken"), null);
+    authTestHelper.verifyExceptionIsThrown("Invalid OAuth access token. ");
+  }
+
+  @Test
+  void shouldThrowErrorForMismatchedOauthUsername() throws IOException {
+    Properties properties = getOauthConnectionParameters(getToken());
+    properties.put("user", "differentUsername");
+    authTestHelper.connectAndExecuteSimpleQuery(properties, null);
+    authTestHelper.verifyExceptionIsThrown(
+        "The user you were trying to authenticate as differs from the user tied to the access token.");
+  }
+
+  private String getToken() throws IOException {
+    List<String> data =
+        Stream.of(
+                "username=" + System.getenv("SNOWFLAKE_AUTH_TEST_OKTA_USER"),
+                "password=" + System.getenv("SNOWFLAKE_AUTH_TEST_OKTA_PASS"),
+                "grant_type=password",
+                "scope=session:role:" + System.getenv("SNOWFLAKE_AUTH_TEST_ROLE").toLowerCase())
+            .collect(Collectors.toList());
+
+    String auth =
+        System.getenv("SNOWFLAKE_AUTH_TEST_OAUTH_CLIENT_ID")
+            + ":"
+            + System.getenv("SNOWFLAKE_AUTH_TEST_OAUTH_CLIENT_SECRET");
+    String encodedAuth = Base64.getEncoder().encodeToString(auth.getBytes(StandardCharsets.UTF_8));
+
+    URL url = new URL(System.getenv("SNOWFLAKE_AUTH_TEST_OAUTH_URL"));
+    HttpURLConnection connection = (HttpURLConnection) url.openConnection();
+    connection.setRequestMethod("POST");
+    connection.setRequestProperty(
+        "Content-Type", "application/x-www-form-urlencoded;charset=UTF-8");
+    connection.setRequestProperty("Authorization", "Basic " + encodedAuth);
+    connection.setDoOutput(true);
+
+    try (DataOutputStream out = new DataOutputStream(connection.getOutputStream())) {
+      out.writeBytes(String.join("&", data));
+      out.flush();
+    }
+
+    int responseCode = connection.getResponseCode();
+    assertThat("Failed to get access token, response code: " + responseCode, responseCode, is(200));
+
+    ObjectMapper mapper = new ObjectMapper();
+    JsonNode jsonNode;
+    try (InputStream inputStream = connection.getInputStream()) {
+      jsonNode = mapper.readTree(inputStream);
+    }
+    return jsonNode.get("access_token").asText();
+  }
+}
diff --git a/src/test/java/net/snowflake/client/authentication/OktaAuthLatestIT.java b/src/test/java/net/snowflake/client/authentication/OktaAuthLatestIT.java
@@ -0,0 +1,74 @@
+package net.snowflake.client.authentication;
+
+import static net.snowflake.client.authentication.AuthConnectionParameters.SSO_USER;
+import static net.snowflake.client.authentication.AuthConnectionParameters.getOktaConnectionParameters;
+
+import java.io.IOException;
+import java.util.Properties;
+import net.snowflake.client.category.TestTags;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Disabled;
+import org.junit.jupiter.api.Tag;
+import org.junit.jupiter.api.Test;
+
+@Tag(TestTags.AUTHENTICATION)
+class OktaAuthLatestIT {
+
+  AuthTestHelper authTestHelper;
+
+  @BeforeEach
+  public void setUp() throws IOException {
+    authTestHelper = new AuthTestHelper();
+  }
+
+  @Test
+  void shouldAuthenticateUsingOkta() {
+    authTestHelper.connectAndExecuteSimpleQuery(getOktaConnectionParameters(), null);
+    authTestHelper.verifyExceptionIsNotThrown();
+  }
+
+  @Test
+  void shouldAuthenticateUsingOktaWithOktaUsernameParam() {
+    Properties properties = getOktaConnectionParameters();
+    properties.replace("user", "differentUsername");
+    authTestHelper.connectAndExecuteSimpleQuery(properties, "oktausername=" + SSO_USER);
+    authTestHelper.verifyExceptionIsNotThrown();
+  }
+
+  @Test
+  void shouldThrowErrorForWrongOktaCredentials() {
+    Properties properties = getOktaConnectionParameters();
+    properties.put("user", "invalidUsername");
+    properties.put("password", "fakepassword");
+    authTestHelper.connectAndExecuteSimpleQuery(properties, null);
+    authTestHelper.verifyExceptionIsThrown(
+        "JDBC driver encountered communication error. Message: HTTP status=401.");
+  }
+
+  @Test
+  void shouldThrowErrorForWrongOktaCredentialsInOktaUsernameParam() {
+    Properties properties = getOktaConnectionParameters();
+    properties.replace("user", "differentUsername");
+    authTestHelper.connectAndExecuteSimpleQuery(properties, "oktausername=invalidUser");
+    authTestHelper.verifyExceptionIsThrown(
+        "JDBC driver encountered communication error. Message: HTTP status=401.");
+  }
+
+  @Test
+  void shouldThrowErrorForWrongOktaUrl() {
+    Properties properties = getOktaConnectionParameters();
+    properties.put("authenticator", "https://invalid.okta.com/");
+    authTestHelper.connectAndExecuteSimpleQuery(properties, null);
+    authTestHelper.verifyExceptionIsThrown(
+        "The specified authenticator is not accepted by your Snowflake account configuration.  Please contact your local system administrator to get the correct URL to use.");
+  }
+
+  @Test
+  @Disabled // todo SNOW-1852279 implement error handling for invalid URL
+  void shouldThrowErrorForWrongUrlWithoutOktaPath() {
+    Properties properties = getOktaConnectionParameters();
+    properties.put("authenticator", "https://invalid.abc.com/");
+    authTestHelper.connectAndExecuteSimpleQuery(properties, null);
+    authTestHelper.verifyExceptionIsThrown("todo");
+  }
+}
diff --git a/src/test/java/net/snowflake/client/core/HttpUtilLatestIT.java b/src/test/java/net/snowflake/client/core/HttpUtilLatestIT.java
@@ -14,6 +14,7 @@
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.hamcrest.CoreMatchers;
 import org.hamcrest.MatcherAssert;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Tag;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.Timeout;
@@ -23,6 +24,11 @@ public class HttpUtilLatestIT {
 
   private static final String HANG_WEBSERVER_ADDRESS = "http://localhost:12345/hang";
 
+  @BeforeEach
+  public void resetHttpClientsCache() {
+    HttpUtil.httpClient.clear();
+  }
+
   /** Added in > 3.14.5 */
   @Test
   public void shouldGetDefaultConnectionAndSocketTimeouts() {