SNOW-3018675: Snowflake-CLI emits an 'Unauthorized users' warning on non-English Windows machines #2743

@Tijoxa

Description

SnowCLI version

3.14.0

Python version

3.10

Platform

Windows

What happened

The _read_confile_file() function warns the user when there is an unauthorized access to the config file containing the credentials. However, this function's call stack contains the _get_windows_whitelisted_users function, which hard codes the "SYSTEM", "Administrators" values.
For example, on French Windows machines those are called "Système" and "Administrateurs", which then fail to get whitelisted.

To solve this issue, it is either possible to include many languages in this list, or it is possible to compute the "SYSTEM" and "Administrator" aliases using a library like pywin32:

def _get_windows_whitelisted_users():
    # whitelisted users list obtained in consultation with prodsec: CASEC-9627
    import os

    import win32security

    system_sid = win32security.ConvertStringSidToSid("S-1-5-18")
    system_name, _, _ = win32security.LookupAccountSid(None, system_sid)

    admins_sid = win32security.ConvertStringSidToSid("S-1-5-32-544")
    admins_name, _, _ = win32security.LookupAccountSid(None, admins_sid)

    return [
        system_name,
        admins_name,
        "Network",
        "Domain Admins",
        "Domain Users",
        os.getlogin(),
    ]

To avoid having to add a new dependency, it is possible to use the Windows API directly, but it requires extra work, something like this:

def get_account_name(sid_str: str):
    import ctypes
    from ctypes import wintypes

    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)

    # ConvertStringSidToSidW allocates the binary SID with LocalAlloc; it must be released with LocalFree.
    convert_string_sid_to_sid = advapi32.ConvertStringSidToSidW
    convert_string_sid_to_sid.argtypes = [wintypes.LPCWSTR, ctypes.POINTER(ctypes.c_void_p)]
    convert_string_sid_to_sid.restype = wintypes.BOOL

    # LookupAccountSidW returns the localized account name and domain for a SID.
    lookup_account_sid = advapi32.LookupAccountSidW
    lookup_account_sid.argtypes = [
        wintypes.LPCWSTR,
        ctypes.c_void_p,
        wintypes.LPWSTR,
        wintypes.LPDWORD,
        wintypes.LPWSTR,
        wintypes.LPDWORD,
        ctypes.POINTER(wintypes.DWORD),
    ]
    lookup_account_sid.restype = wintypes.BOOL

    local_free = kernel32.LocalFree
    local_free.argtypes = [wintypes.HLOCAL]
    local_free.restype = wintypes.HLOCAL

    sid = ctypes.c_void_p()
    if not convert_string_sid_to_sid(sid_str, ctypes.byref(sid)):
        return None

    name = ctypes.create_unicode_buffer(256)
    domain = ctypes.create_unicode_buffer(256)
    name_size = wintypes.DWORD(256)
    domain_size = wintypes.DWORD(256)
    use = wintypes.DWORD()
    if not lookup_account_sid(
        None, sid, name, ctypes.byref(name_size), domain, ctypes.byref(domain_size), ctypes.byref(use)
    ):
        local_free(sid)
        return None

    account_name = name.value
    local_free(sid)
    return account_name


# Fall back to the English names if the lookup fails for any reason.
system_name = get_account_name("S-1-5-18") or "SYSTEM"
admins_name = get_account_name("S-1-5-32-544") or "Administrators"

Console output

Unauthorized users ({users}) have access to configuration file ~/.snowflake/config.toml.
Run `icacls "~/.snowflake/config.toml" /remove:g <USER_ID>` on those users to restrict permissions.

How to reproduce

You need a non-English Windows machine to see the warning whenever you use the CLI tool.
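The following is an added example, not code from the snowflake-cli project or from this issue's author. It contrasts the name-based whitelist check the issue describes with a check keyed on the well-known SIDs (S-1-5-18 for LocalSystem, S-1-5-32-544 for BUILTIN\Administrators), which are identical on every Windows language. The ACL entries, the user SID and the SID-to-name table are constructed sample data standing in for what `icacls` and `LookupAccountSid` would return on a French machine, so the example runs on any platform; the `localized_whitelist` helper is a hypothetical stand-in for the resolve-then-fall-back pattern proposed above.

```python
"""Added example (not snowflake-cli code): ACL whitelist check by SID vs. by name."""
from dataclasses import dataclass

# Well-known SIDs: language-independent, unlike the display names.
SID_LOCAL_SYSTEM = "S-1-5-18"
SID_BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
SID_BUILTIN_USERS = "S-1-5-32-545"

# Constructed: what LookupAccountSid returns for these SIDs on an fr-FR system.
LOCALIZED_NAMES_FR = {
    SID_LOCAL_SYSTEM: "Système",
    SID_BUILTIN_ADMINISTRATORS: "Administrateurs",
    SID_BUILTIN_USERS: "Utilisateurs",
}


@dataclass(frozen=True)
class AclEntry:
    sid: str           # stable principal identifier from the ACE
    display_name: str  # localized name, in the form icacls prints it
    rights: str        # e.g. "(F)" full control, "(RX)" read and execute


# Constructed sample ACL on ~/.snowflake/config.toml as seen on a French machine.
# The user SID is a placeholder, not a real account.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_ACL_FR = [
    AclEntry(SID_LOCAL_SYSTEM, "AUTORITE NT\\Système", "(F)"),
    AclEntry(SID_BUILTIN_ADMINISTRATORS, "BUILTIN\\Administrateurs", "(F)"),
    AclEntry(USER_SID, "PC-ALICE\\alice", "(F)"),
    AclEntry(SID_BUILTIN_USERS, "BUILTIN\\Utilisateurs", "(RX)"),  # genuinely too broad
]

# The English-only whitelist the issue describes.
HARDCODED_WHITELIST = {"SYSTEM", "Administrators"}


def short_name(display_name: str) -> str:
    """Strip the 'DOMAIN\\' prefix icacls prints in front of the account name."""
    return display_name.rsplit("\\", 1)[-1]


def unauthorized_by_name(acl, current_user: str):
    """Fragile check: compares localized names against English literals.

    On a non-English system the built-in accounts fail to match and are
    reported as unauthorized even though they are expected to have access.
    """
    allowed = HARDCODED_WHITELIST | {current_user}
    return [e.display_name for e in acl if short_name(e.display_name) not in allowed]


def unauthorized_by_sid(acl, current_user_sid: str):
    """Robust check: well-known SIDs do not change with the display language."""
    allowed = {SID_LOCAL_SYSTEM, SID_BUILTIN_ADMINISTRATORS, current_user_sid}
    return [e.display_name for e in acl if e.sid not in allowed]


def localized_whitelist(names_by_sid, fallback=("SYSTEM", "Administrators")):
    """Hypothetical helper: the resolve-then-fall-back pattern from the issue.

    `names_by_sid` stands in for LookupAccountSid; missing entries fall back to
    the English names, mirroring `get_account_name(...) or "SYSTEM"`.
    """
    return [
        names_by_sid.get(SID_LOCAL_SYSTEM, fallback[0]),
        names_by_sid.get(SID_BUILTIN_ADMINISTRATORS, fallback[1]),
    ]


if __name__ == "__main__":
    print("by name:", unauthorized_by_name(SAMPLE_ACL_FR, "alice"))
    print("by SID: ", unauthorized_by_sid(SAMPLE_ACL_FR, USER_SID))
    print("resolved whitelist:", localized_whitelist(LOCALIZED_NAMES_FR))
```

On the constructed French ACL, the name-based check reports Système, Administrateurs and Utilisateurs as unauthorized, while the SID-based check reports only BUILTIN\Utilisateurs, which is the one entry that actually widens access to the credentials file. Keying the check on SIDs (or resolving the SIDs to names on the running machine, as the issue proposes) removes the false positives without losing the true one.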

Metadata

Labels: bug (Something isn't working)