Merge branch 'master' into SNOW-1883649-wiremock

Author: sfc-gh-pmotacki

README.md

@@ -114,6 +114,22 @@ npm pack
 
 Note it is not required to build a package to run tests blow.
 
+
+Verifying the package signature
+----------------------------------------------------------------------
+
+Starting from version v1.13.0 the driver package is signed with a signature allowing to verify its authenticity and integrity.
+Steps to verify the signature:
+1. Install `cosign`
+2. Download the driver package file (`tgz`) from npmjs.org, e.g.: https://registry.npmjs.org/snowflake-sdk/-/snowflake-sdk-1.13.0.tgz
+3. Download the signatures file (.sig and .pub) from the release, e.g.: https://github.com/snowflakedb/snowflake-connector-nodejs/releases/download/v1.13.0
+4. Verify the signature:
+```shell
+cosign verify-blob snowflake-sdk-1.13.0.tgz --key snowflake-connector-nodejs-v1.13.0.pub --signature resources.snowflake-sdk-1.13.0.tgz.sig
+
+Verified OK
+```
+
 Development
 ======================================================================
 

ci/container/test_authentication.sh

@@ -9,4 +9,4 @@ export SNOWFLAKE_AUTH_TEST_PRIVATE_KEY_PATH=./.github/workflows/rsa_keys/rsa_key
 export SNOWFLAKE_AUTH_TEST_ENCRYPTED_PRIVATE_KEY_PATH=./.github/workflows/rsa_keys/rsa_encrypted_key.p8
 export SNOWFLAKE_AUTH_TEST_INVALID_PRIVATE_KEY_PATH=./.github/workflows/rsa_keys/rsa_key_invalid.p8
 
-npm run test:authentication
+npm run test:authentication

ci/image/proxy/Dockerfile

@@ -1,3 +1,4 @@
+#This file is intended for testing purposes only and should not be used in production or released.
 # Based on the Fedora image
 FROM fedora
 

ci/image/proxy/Dockerfile.auth

@@ -1,3 +1,4 @@
+#This file is intended for testing purposes only and should not be used in production or released.
 # Based on the Fedora image
 FROM fedora
 

lib/authentication/secure_storage/json_credential_manager.js

@@ -7,26 +7,9 @@ const Logger = require('../../logger');
 const fs = require('node:fs/promises');
 const os = require('os');
 const Util = require('../../util');
+const { validateOnlyUserReadWritePermissionAndOwner } = require('../../file_util');
 
 function JsonCredentialManager(credentialCacheDir) {
-
-  async function validatePermission(filePath) {
-    try {
-      await fs.access(filePath, fs.constants.F_OK);
-    } catch (err) {
-      return;
-    }
-
-    const mode = (await fs.stat(filePath)).mode;
-    const permission = mode & 0o600;
-
-    //This should be 600 permission, which means the file permission has not been changed by others.
-    if (permission.toString(8) === '600') {
-      Logger.getInstance().debug('Validated that the user has read and write permission');
-    } else {
-      throw new Error('You do not have read permission or the file has been changed on the user side. Please remove the token file and re run the driver.');
-    }
-  }
 
   this.getTokenDir = async function () {
     let tokenDir = credentialCacheDir;
@@ -38,11 +21,11 @@ function JsonCredentialManager(credentialCacheDir) {
 
     if (!Util.exists(tokenDir)) {
       throw new Error(`Temporary credential cache directory is invalid, and the driver is unable to use the default location(home). 
-      Please assign the environment variable value SF_TEMPORARY_CREDENTIAL_CACHE_DIR to enable the default credential manager.`);
+      Please set 'credentialCacheDir' connection configuration option to enable the default credential manager.`);
     }
 
     const tokenCacheFile = path.join(tokenDir, 'temporary_credential.json');
-    await validatePermission(tokenCacheFile);
+    await validateOnlyUserReadWritePermissionAndOwner(tokenCacheFile);
     return tokenCacheFile;
   };
 
@@ -51,7 +34,7 @@ function JsonCredentialManager(credentialCacheDir) {
       const cred = await fs.readFile(await this.getTokenDir(), 'utf8');
       return JSON.parse(cred);
     } catch (err) {
-      Logger.getInstance().warn('Failed to read token data from the file. Please check the permission or the file format of the token.');
+      Logger.getInstance().warn('Failed to read token data from the file. Err: %s', err.message);
       return null;
     }
   };

lib/configuration/client_configuration.js

@@ -5,8 +5,9 @@
 const os = require('os');
 const path = require('path');
 const fs = require('fs');
-const { isString, exists, isFileNotWritableByGroupOrOthers, getDriverDirectory } = require('../util');
+const { isString, exists, getDriverDirectory } = require('../util');
 const Logger = require('../logger');
+const { isFileNotWritableByGroupOrOthers } = require('../file_util');
 const clientConfigFileName = 'sf_client_config.json';
 
 const Levels = Object.freeze({

lib/configuration/connection_configuration.js

@@ -5,7 +5,7 @@
 const toml = require('toml');
 const os = require('os');
 const fs = require('fs');
-const { validateOnlyUserReadWritePermission, generateChecksum } = require('../file_transfer_agent/file_util');
+const { validateOnlyUserReadWritePermissionAndOwner, generateChecksum } = require('../file_util');
 const path = require('path');
 const Logger = require('../logger');
 const AuthenticationTypes = require('../authentication/authentication_types');
@@ -29,7 +29,7 @@ function readTokenFromFile(fixedConfiguration) {
   const tokenFilePath = fixedConfiguration.token_file_path ? fixedConfiguration.token_file_path : '/snowflake/session/token';
   const resolvedPath = fs.realpathSync(tokenFilePath);
   Logger.getInstance().trace('Token file path is : %s', tokenFilePath);
-  validateOnlyUserReadWritePermission(resolvedPath);
+  validateOnlyUserReadWritePermissionAndOwner(resolvedPath);
   fixedConfiguration.token = fs.readFileSync(resolvedPath, 'utf-8').trim();
   if (!fixedConfiguration.token) {
     Logger.getInstance().error('The token does not exist or has empty value.');
@@ -47,7 +47,7 @@ function loadConnectionConfiguration() {
   const resolvedPath = fs.realpathSync(filePath);
   Logger.getInstance().trace('Connection configuration file found under the path %s. Validating file access.', resolvedPath);
 
-  validateOnlyUserReadWritePermission(resolvedPath);
+  validateOnlyUserReadWritePermissionAndOwner(resolvedPath);
   const str = fs.readFileSync(resolvedPath, { encoding: 'utf8' });
   const configurationChecksum = generateChecksum(str);
   Logger.getInstance().info('Connection configuration file is read from path: %s. Checksum: %s', resolvedPath, configurationChecksum);

lib/connection/connection_config.js

@@ -17,7 +17,6 @@ const levenshtein = require('fastest-levenshtein');
 const RowMode = require('./../constants/row_mode');
 const DataTypes = require('./result/data_types');
 const Logger = require('../logger');
-const LoggingUtil = require('../logger/logging_util');
 const WAIT_FOR_BROWSER_ACTION_TIMEOUT = 120000;
 const DEFAULT_PARAMS =
 [
@@ -531,7 +530,6 @@ function ConnectionConfig(options, validateCredentials, qaMode, clientInfo) {
 
     passcode = options.passcode;
   }
-
 
   if (validateDefaultParameters) {
     for (const [key] of Object.entries(options)) {
@@ -865,21 +863,7 @@ function ConnectionConfig(options, validateCredentials, qaMode, clientInfo) {
   this.describeIdentityAttributes = function () {
     return `host: ${this.host}, account: ${this.account}, accessUrl: ${this.accessUrl}, `
         + `user: ${this.username}, role: ${this.getRole()}, database: ${this.getDatabase()}, `
-        + `schema: ${this.getSchema()}, warehouse: ${this.getWarehouse()}, ` + this.describeProxy();
-  };
-
-  /**
-   * @returns {string}
-   */
-  this.describeProxy = function () {
-    const proxy = this.getProxy();
-    if (Util.exists(proxy)) {
-      return `proxyHost: ${proxy.host}, proxyPort: ${proxy.port}, proxyUser: ${proxy.user}, `
-      + `proxyPassword is ${LoggingUtil.describePresence(proxy.password)}, `
-      + `proxyProtocol: ${proxy.protocol}, noProxy: ${proxy.noProxy}`;
-    } else {
-      return 'proxy was not configured';
-    }
+        + `schema: ${this.getSchema()}, warehouse: ${this.getWarehouse()}, ` + ProxyUtil.describeProxy(this.getProxy());
   };
 
   // save config options

lib/file_transfer_agent/azure_util.js

@@ -3,9 +3,9 @@
  */
 
 const EncryptionMetadata = require('./encrypt_util').EncryptionMetadata;
-const FileHeader = require('./file_util').FileHeader;
+const FileHeader = require('../file_util').FileHeader;
 const expandTilde = require('expand-tilde');
-const resultStatus = require('./file_util').resultStatus;
+const resultStatus = require('../file_util').resultStatus;
 const ProxyUtil = require('../proxy_util');
 const { isBypassProxy } = require('../http/node');
 const Logger = require('../logger');
@@ -50,9 +50,8 @@ function AzureUtil(connectionConfig, azure, filestream) {
     if (proxy && !isBypassProxy(proxy, connectionString)) {
       Logger.getInstance().debug(`The destination host is: ${ProxyUtil.getHostFromURL(connectionString)} and the proxy host is: ${proxy.host}`);
       Logger.getInstance().trace(`Initializing the proxy information for the Azure Client: ${ProxyUtil.describeProxy(proxy)}`);
-      
+
       proxy = ProxyUtil.getAzureProxy(proxy);
-      Logger.getInstance().trace(connectionConfig.describe);
     }
     ProxyUtil.hideEnvironmentProxy();
     const blobServiceClient = new AZURE.BlobServiceClient(
@@ -218,7 +217,7 @@ function AzureUtil(connectionConfig, azure, filestream) {
           blobContentEncoding: 'UTF-8',
           blobContentType: 'application/octet-stream'
         }
-      });    
+      });
     } catch (err) {
       if (err['statusCode'] === 403 && detectAzureTokenExpireError(err)) {
         meta['lastError'] = err;

lib/file_transfer_agent/file_transfer_agent.js

@@ -16,8 +16,8 @@ const SnowflakeRemoteStorageUtil = require('./remote_storage_util').RemoteStorag
 const LocalUtil = require('./local_util').LocalUtil;
 const SnowflakeFileEncryptionMaterial = require('./remote_storage_util').SnowflakeFileEncryptionMaterial;
 const SnowflakeS3Util = require('./s3_util');
-const { FileUtil, getMatchingFilePaths } = require('./file_util');
-const resultStatus = require('./file_util').resultStatus;
+const { FileUtil, getMatchingFilePaths } = require('../file_util');
+const resultStatus = require('../file_util').resultStatus;
 
 const SnowflakeFileUtil = new FileUtil();
 const SnowflakeLocalUtil = new LocalUtil();