SNOW-1902244: Workflow identity federation attestations #871
Conversation
sfc-gh-jszczerbinski
force-pushed
the
SNOW-1902244-odbc-csp-in-driver
branch
from
74fa2a6 to
3b1aba1
Compare
sfc-gh-jszczerbinski
force-pushed
the
SNOW-1902244-odbc-csp-in-driver
branch
from
eca7ee8 to
5c4618c
Compare
sfc-gh-jszczerbinski
changed the title
sfc-gh-jszczerbinski
force-pushed
the
SNOW-1902244-odbc-csp-in-driver
branch
from
82f9e4b to
3593e97
Compare
cpp/AwsAttestation.cpp
Outdated
| } | ||
|
|
||
| auto request = Aws::Http::CreateHttpRequest( | ||
| Aws::String("https://sts.us-west-2.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15"), |
There was a problem hiding this comment.
should it always be us-west-2?
There was a problem hiding this comment.
Fixed
cpp/AwsAttestation.cpp
Outdated
| return Attestation{AttestationType::AWS, base64}; | ||
| } | ||
|
|
||
|
|
There was a problem hiding this comment.
🧐 random empty lines
cpp/AzureAttestation.cpp
Outdated
| std::string err = picojson::parse(json, response_body); | ||
| if (!err.empty()) { | ||
| CXX_LOG_ERROR("Error parsing Azure response: %s", err.c_str()); | ||
| return Attestation{AttestationType::AZURE, ""}; |
There was a problem hiding this comment.
does boost::none mean error connecting to csp while Attestation with empty credentials means csp side issue?
There was a problem hiding this comment.
This should return boost::none here, it's a refactor leftover.
| } | ||
|
|
||
| boost::url AzureAttestationConfig::getRequestURL() const { | ||
| boost::urls::url url = boost::url("http://169.254.169.254/metadata/identity/oauth2/token"); |
There was a problem hiding this comment.
Could we hide this ip behind some constant like CSP_METADATA_SERVICE_IP to make it less scary?
There was a problem hiding this comment.
Yes, but this well known ip. I think the code is more readable this way as this IP is well known.
| boost::optional<Attestation> createOIDCAttestation(const AttestationConfig& config) { | ||
| if (!config.token) { | ||
| CXX_LOG_WARN("No token provided for OIDC attestation."); | ||
| return {}; |
There was a problem hiding this comment.
sometimes we return {} and sometimes boost:none, let's commit to one option
There was a problem hiding this comment.
Changing to boost::none for clarity
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #871 +/- ##
==========================================
- Coverage 80.61% 78.10% -2.52%
==========================================
Files 117 125 +8
Lines 10463 10683 +220
==========================================
- Hits 8435 8344 -91
- Misses 2028 2339 +311 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
cpp/AwsAttestation.cpp
Outdated
| } | ||
|
|
||
| std::string region = getAwsRegion(); | ||
| std::string host = std::string("sts.") + getAwsRegion() + ".amazonaws.com"; |
There was a problem hiding this comment.
Don't we want to use SnowflakeS3Client::getDomainSuffixForRegionalUrl here?
| ); | ||
|
|
||
| request->SetHeaderValue("Host", host); | ||
| request->SetHeaderValue("X-Snowflake-Audience", "snowflakecomputing.com"); |
There was a problem hiding this comment.
What about .cn?
cpp/AwsAttestation.cpp
Outdated
| std::string json = picojson::value(obj).serialize(true); | ||
| std::string base64; | ||
| Util::Base64::encodePadding(json.begin(), json.end(), std::back_inserter(base64)); | ||
| Aws::ShutdownAPI(options); |
There was a problem hiding this comment.
Maybe it would be better to integrate aws init and shutdown with awsdk_init struct?
cpp/http/HttpClient.cpp
Outdated
| CXX_LOG_INFO("Running request: %s", req.url.c_str()); | ||
| CXX_LOG_INFO("Method: %s", HttpRequest::methodToString(req.method).c_str()); | ||
| for (const auto &h: req.headers) { | ||
| CXX_LOG_INFO("Header: %s: %s", h.first.c_str(), h.second.c_str()); |
There was a problem hiding this comment.
Is it OK to log all headers on INFO level? What about secrets?
There was a problem hiding this comment.
Those were development prints i forgot to delete.
cpp/http/HttpClient.cpp
Outdated
|
|
||
| private: | ||
| static size_t write(void *ptr, size_t size, size_t nmemb, HttpResponse *response) { | ||
| CXX_LOG_INFO("Writing %d bytes", (int) (size * nmemb)); |
There was a problem hiding this comment.
It's rather debug or trace level.
cpp/http/HttpClient.cpp
Outdated
| private: | ||
| static size_t write(void *ptr, size_t size, size_t nmemb, HttpResponse *response) { | ||
| CXX_LOG_INFO("Writing %d bytes", (int) (size * nmemb)); | ||
| response->m_buffer.insert(response->m_buffer.end(), (char *) ptr, (char *) ptr + size * nmemb); |
There was a problem hiding this comment.
I think HttpResponse should be responsible for writing to m_buffer. Maybe whole method write should be there as well?
There was a problem hiding this comment.
This write method is implementation specific (for curl) if I used other http library it would not exist. I would like to keep it within a curl client implementation.
| namespace Snowflake { | ||
| namespace Client { | ||
| struct HttpResponse { | ||
| long code; |
There was a problem hiding this comment.
m_code? or buffer
| int main() | ||
| { | ||
| const struct CMUnitTest tests[] = { | ||
| #ifndef _WIN32 |
There was a problem hiding this comment.
Why? A comment would be nice.
Adds Workflow identity federation attestations for AWS, Azure, GCP and OIDC