SNOW-2208073 Implement locking of prompting authenticators

Author: sfc-gh-pfus

assert_test.go

@@ -11,6 +11,7 @@ import (
 	"slices"
 	"strings"
 	"testing"
+	"time"
 )
 
 func assertNilE(t *testing.T, actual any, descriptions ...string) {
@@ -134,7 +135,7 @@ func errorOnNonEmpty(t *testing.T, errMsg string) {
 }
 
 func formatErrorMessage(errMsg string) string {
-	return fmt.Sprintf("%s. Thrown from %s", maskSecrets(errMsg), thrownFrom())
+	return fmt.Sprintf("[%s] %s. Thrown from %s", time.Now().Format(time.RFC3339Nano), maskSecrets(errMsg), thrownFrom())
 }
 
 func validateNil(actual any, descriptions ...string) string {

auth.go

@@ -537,11 +537,7 @@ func createRequestBody(sc *snowflakeConn, sessionParameters map[string]interface
 		}
 	case AuthTypeOAuthAuthorizationCode:
 		logger.WithContext(sc.ctx).Debug("OAuth authorization code")
-		oauthClient, err := newOauthClient(sc.ctx, sc.cfg, sc)
-		if err != nil {
-			return nil, err
-		}
-		token, err := oauthClient.authenticateByOAuthAuthorizationCode()
+		token, err := authenticateByAuthorizationCode(sc)
 		if err != nil {
 			return nil, err
 		}
@@ -584,6 +580,62 @@ func createRequestBody(sc *snowflakeConn, sessionParameters map[string]interface
 	return jsonBody, nil
 }
 
+type oauthLockKey struct {
+	tokenRequestUrl string
+	user            string
+	flowType        string
+}
+
+func newOAuthAuthorizationCodeLockKey(tokenRequestUrl, user string) *oauthLockKey {
+	return &oauthLockKey{
+		tokenRequestUrl: tokenRequestUrl,
+		user:            user,
+		flowType:        "authorization_code",
+	}
+}
+
+func newRefreshTokenLockKey(tokenRequestUrl, user string) *oauthLockKey {
+	return &oauthLockKey{
+		tokenRequestUrl: tokenRequestUrl,
+		user:            user,
+		flowType:        "refresh_token",
+	}
+}
+
+func (o *oauthLockKey) lockId() string {
+	return o.tokenRequestUrl + "|" + o.user + "|" + o.flowType
+}
+
+func authenticateByAuthorizationCode(sc *snowflakeConn) (string, error) {
+	oauthClient, err := newOauthClient(sc.ctx, sc.cfg, sc)
+	if err != nil {
+		return "", err
+	}
+	if !isEligibleForParallelLogin(sc.cfg, sc.cfg.ClientStoreTemporaryCredential) {
+		return oauthClient.authenticateByOAuthAuthorizationCode()
+	}
+
+	lockKey := newOAuthAuthorizationCodeLockKey(oauthClient.tokenURL(), sc.cfg.User)
+	valueAwaiter := valueAwaitHolder.get(lockKey)
+	defer valueAwaiter.resumeOne()
+	token, err := awaitValue(valueAwaiter, func() (string, error) {
+		return credentialsStorage.getCredential(newOAuthAccessTokenSpec(oauthClient.tokenURL(), sc.cfg.User)), nil
+	}, func(s string, err error) bool {
+		return s != ""
+	}, func() string {
+		return ""
+	})
+	if err != nil || token != "" {
+		return token, err
+	}
+	token, err = oauthClient.authenticateByOAuthAuthorizationCode()
+	if err != nil {
+		return "", err
+	}
+	valueAwaiter.done()
+	return token, err
+}
+
 // Generate a JWT token in string given the configuration
 func prepareJWTToken(config *Config) (string, error) {
 	if config.PrivateKey == nil {
@@ -619,20 +671,60 @@ func prepareJWTToken(config *Config) (string, error) {
 	return tokenString, err
 }
 
-// Authenticate with sc.cfg
+type tokenLockKey struct {
+	snowflakeHost string
+	user          string
+	tokenType     string
+}
+
+func newMfaTokenLockKey(snowflakeHost, user string) *tokenLockKey {
+	return &tokenLockKey{
+		snowflakeHost: snowflakeHost,
+		user:          user,
+		tokenType:     "MFA",
+	}
+}
+
+func newIDTokenLockKey(snowflakeHost, user string) *tokenLockKey {
+	return &tokenLockKey{
+		snowflakeHost: snowflakeHost,
+		user:          user,
+		tokenType:     "ID",
+	}
+}
+
+func (m *tokenLockKey) lockId() string {
+	return m.snowflakeHost + "|" + m.user + "|" + m.tokenType
+}
+
 func authenticateWithConfig(sc *snowflakeConn) error {
 	var authData *authResponseMain
 	var samlResponse []byte
 	var proofKey []byte
 	var err error
-	//var consentCacheIdToken = true
+
+	mfaTokenLockKey := newMfaTokenLockKey(sc.cfg.Host, sc.cfg.User)
+	idTokenLockKey := newIDTokenLockKey(sc.cfg.Host, sc.cfg.User)
 
 	if sc.cfg.Authenticator == AuthTypeExternalBrowser || sc.cfg.Authenticator == AuthTypeOAuthAuthorizationCode || sc.cfg.Authenticator == AuthTypeOAuthClientCredentials {
 		if (runtime.GOOS == "windows" || runtime.GOOS == "darwin") && sc.cfg.ClientStoreTemporaryCredential == configBoolNotSet {
 			sc.cfg.ClientStoreTemporaryCredential = ConfigBoolTrue
 		}
-		if sc.cfg.Authenticator == AuthTypeExternalBrowser && sc.cfg.ClientStoreTemporaryCredential == ConfigBoolTrue {
-			sc.cfg.IDToken = credentialsStorage.getCredential(newIDTokenSpec(sc.cfg.Host, sc.cfg.User))
+		if sc.cfg.Authenticator == AuthTypeExternalBrowser {
+			if isEligibleForParallelLogin(sc.cfg, sc.cfg.ClientStoreTemporaryCredential) {
+				valueAwaiter := valueAwaitHolder.get(idTokenLockKey)
+				defer valueAwaiter.resumeOne()
+				sc.cfg.IDToken, _ = awaitValue(valueAwaiter, func() (string, error) {
+					credential := credentialsStorage.getCredential(newIDTokenSpec(sc.cfg.Host, sc.cfg.User))
+					return credential, nil
+				}, func(s string, err error) bool {
+					return s != ""
+				}, func() string {
+					return ""
+				})
+			} else {
+				sc.cfg.IDToken = credentialsStorage.getCredential(newIDTokenSpec(sc.cfg.Host, sc.cfg.User))
+			}
 		}
 		// Disable console login by default
 		if sc.cfg.DisableConsoleLogin == configBoolNotSet {
@@ -644,7 +736,18 @@ func authenticateWithConfig(sc *snowflakeConn) error {
 		if (runtime.GOOS == "windows" || runtime.GOOS == "darwin") && sc.cfg.ClientRequestMfaToken == configBoolNotSet {
 			sc.cfg.ClientRequestMfaToken = ConfigBoolTrue
 		}
-		if sc.cfg.ClientRequestMfaToken == ConfigBoolTrue {
+		if isEligibleForParallelLogin(sc.cfg, sc.cfg.ClientRequestMfaToken) {
+			valueAwaiter := valueAwaitHolder.get(mfaTokenLockKey)
+			defer valueAwaiter.resumeOne()
+			sc.cfg.MfaToken, _ = awaitValue(valueAwaiter, func() (string, error) {
+				credential := credentialsStorage.getCredential(newMfaTokenSpec(sc.cfg.Host, sc.cfg.User))
+				return credential, nil
+			}, func(s string, err error) bool {
+				return s != ""
+			}, func() string {
+				return ""
+			})
+		} else {
 			sc.cfg.MfaToken = credentialsStorage.getCredential(newMfaTokenSpec(sc.cfg.Host, sc.cfg.User))
 		}
 	}
@@ -660,7 +763,6 @@ func authenticateWithConfig(sc *snowflakeConn) error {
 				sc.cfg.Application,
 				sc.cfg.Account,
 				sc.cfg.User,
-				sc.cfg.Password,
 				sc.cfg.ExternalBrowserTimeout,
 				sc.cfg.DisableConsoleLogin)
 			if err != nil {
@@ -680,15 +782,7 @@ func authenticateWithConfig(sc *snowflakeConn) error {
 			credentialsStorage.deleteCredential(newOAuthAccessTokenSpec(sc.cfg.OauthTokenRequestURL, sc.cfg.User))
 
 			if sc.cfg.Authenticator == AuthTypeOAuthAuthorizationCode {
-				var oauthClient *oauthClient
-				if oauthClient, err = newOauthClient(sc.ctx, sc.cfg, sc); err != nil {
-					logger.Warnf("failed to create oauth client. %v", err)
-				} else {
-					if err = oauthClient.refreshToken(); err != nil {
-						logger.Warnf("cannot refresh token. %v", err)
-						credentialsStorage.deleteCredential(newOAuthRefreshTokenSpec(sc.cfg.OauthTokenRequestURL, sc.cfg.User))
-					}
-				}
+				doRefreshTokenWithLock(sc)
 			}
 
 			// if refreshing succeeds for authorization code, we will take a token from cache
@@ -700,7 +794,47 @@ func authenticateWithConfig(sc *snowflakeConn) error {
 			return err
 		}
 	}
+	if sc.cfg.Authenticator == AuthTypeUsernamePasswordMFA && isEligibleForParallelLogin(sc.cfg, sc.cfg.ClientRequestMfaToken) {
+		valueAwaiter := valueAwaitHolder.get(mfaTokenLockKey)
+		valueAwaiter.done()
+	}
+	if sc.cfg.Authenticator == AuthTypeExternalBrowser && isEligibleForParallelLogin(sc.cfg, sc.cfg.ClientStoreTemporaryCredential) {
+		valueAwaiter := valueAwaitHolder.get(idTokenLockKey)
+		valueAwaiter.done()
+	}
 	sc.populateSessionParameters(authData.Parameters)
 	sc.ctx = context.WithValue(sc.ctx, SFSessionIDKey, authData.SessionID)
 	return nil
 }
+
+func doRefreshTokenWithLock(sc *snowflakeConn) {
+	if oauthClient, err := newOauthClient(sc.ctx, sc.cfg, sc); err != nil {
+		logger.Warnf("failed to create oauth client. %v", err)
+	} else {
+		lockKey := newRefreshTokenLockKey(oauthClient.tokenURL(), sc.cfg.User)
+		if _, err = getValueWithLock(chooseLockerForAuth(sc.cfg), lockKey, func() (string, error) {
+			if err = oauthClient.refreshToken(); err != nil {
+				logger.Warnf("cannot refresh token. %v", err)
+				credentialsStorage.deleteCredential(newOAuthRefreshTokenSpec(sc.cfg.OauthTokenRequestURL, sc.cfg.User))
+				return "", err
+			}
+			return "", nil
+		}); err != nil {
+			logger.Warnf("failed to refresh token with lock. %v", err)
+		}
+	}
+}
+
+func chooseLockerForAuth(cfg *Config) locker {
+	if cfg.SingleAuthenticationPrompt == ConfigBoolFalse {
+		return noopLocker
+	}
+	if cfg.User == "" {
+		return noopLocker
+	}
+	return exclusiveLocker
+}
+
+func isEligibleForParallelLogin(cfg *Config, cacheEnabled ConfigBool) bool {
+	return cfg.SingleAuthenticationPrompt != ConfigBoolFalse && cfg.User != "" && cacheEnabled == ConfigBoolTrue
+}

auth_oauth_test.go

@@ -57,7 +57,7 @@ func TestUnitOAuthAuthorizationCode(t *testing.T) {
 		credentialsStorage.deleteCredential(accessTokenSpec)
 		credentialsStorage.deleteCredential(refreshTokenSpec)
 		wiremock.registerMappings(t, newWiremockMapping("oauth2/authorization_code/successful_flow.json"))
-		authCodeProvider := &nonInteractiveAuthorizationCodeProvider{}
+		authCodeProvider := &nonInteractiveAuthorizationCodeProvider{t: t}
 		client.authorizationCodeProviderFactory = func() authorizationCodeProvider {
 			return authCodeProvider
 		}
@@ -71,7 +71,7 @@ func TestUnitOAuthAuthorizationCode(t *testing.T) {
 		roundTripper.reset()
 		credentialsStorage.setCredential(accessTokenSpec, "access-token-123")
 		wiremock.registerMappings(t, newWiremockMapping("oauth2/authorization_code/successful_flow.json"))
-		authCodeProvider := &nonInteractiveAuthorizationCodeProvider{}
+		authCodeProvider := &nonInteractiveAuthorizationCodeProvider{t: t}
 		for i := 0; i < 3; i++ {
 			client, err := newOauthClient(context.WithValue(context.Background(), oauth2.HTTPClient, httpClient), cfg, &snowflakeConn{})
 			assertNilF(t, err)
@@ -91,6 +91,7 @@ func TestUnitOAuthAuthorizationCode(t *testing.T) {
 		wiremock.registerMappings(t, newWiremockMapping("oauth2/authorization_code/successful_flow.json"))
 		authCodeProvider := &nonInteractiveAuthorizationCodeProvider{
 			tamperWithState: true,
+			t:               t,
 		}
 		client.authorizationCodeProviderFactory = func() authorizationCodeProvider {
 			return authCodeProvider
@@ -105,7 +106,7 @@ func TestUnitOAuthAuthorizationCode(t *testing.T) {
 		credentialsStorage.deleteCredential(accessTokenSpec)
 		credentialsStorage.deleteCredential(refreshTokenSpec)
 		wiremock.registerMappings(t, newWiremockMapping("oauth2/authorization_code/error_from_idp.json"))
-		authCodeProvider := &nonInteractiveAuthorizationCodeProvider{}
+		authCodeProvider := &nonInteractiveAuthorizationCodeProvider{t: t}
 		client.authorizationCodeProviderFactory = func() authorizationCodeProvider {
 			return authCodeProvider
 		}
@@ -130,7 +131,7 @@ func TestUnitOAuthAuthorizationCode(t *testing.T) {
 		credentialsStorage.deleteCredential(accessTokenSpec)
 		credentialsStorage.deleteCredential(refreshTokenSpec)
 		wiremock.registerMappings(t, newWiremockMapping("oauth2/authorization_code/invalid_code.json"))
-		authCodeProvider := &nonInteractiveAuthorizationCodeProvider{}
+		authCodeProvider := &nonInteractiveAuthorizationCodeProvider{t: t}
 		client.authorizationCodeProviderFactory = func() authorizationCodeProvider {
 			return authCodeProvider
 		}
@@ -148,7 +149,9 @@ func TestUnitOAuthAuthorizationCode(t *testing.T) {
 		wiremock.registerMappings(t, newWiremockMapping("oauth2/authorization_code/successful_flow.json"))
 		client.cfg.ExternalBrowserTimeout = 2 * time.Second
 		authCodeProvider := &nonInteractiveAuthorizationCodeProvider{
-			sleepTime: 3 * time.Second,
+			sleepTime:    3 * time.Second,
+			triggerError: "timed out",
+			t:            t,
 		}
 		client.authorizationCodeProviderFactory = func() authorizationCodeProvider {
 			return authCodeProvider
@@ -289,6 +292,48 @@ func TestAuthorizationCodeFlow(t *testing.T) {
 		runSmokeQuery(t, db)
 	})
 
+	t.Run("successful flow with multiple threads", func(t *testing.T) {
+		for _, singleAuthenticationPrompt := range []ConfigBool{ConfigBoolFalse, ConfigBoolTrue, configBoolNotSet} {
+			t.Run("singleAuthenticationPrompt="+singleAuthenticationPrompt.String(), func(t *testing.T) {
+				currentDefaultAuthorizationCodeProviderFactory := defaultAuthorizationCodeProviderFactory
+				defer func() {
+					defaultAuthorizationCodeProviderFactory = currentDefaultAuthorizationCodeProviderFactory
+				}()
+				defaultAuthorizationCodeProviderFactory = func() authorizationCodeProvider {
+					return &nonInteractiveAuthorizationCodeProvider{
+						t:         t,
+						mu:        sync.Mutex{},
+						sleepTime: 500 * time.Millisecond,
+					}
+				}
+				roundTripper.reset()
+				wiremock.registerMappings(t,
+					newWiremockMapping("oauth2/authorization_code/successful_flow.json"),
+					newWiremockMapping("oauth2/login_request.json"),
+					newWiremockMapping("select1.json"),
+					newWiremockMapping("close_session.json"))
+				cfg := wiremock.connectionConfig()
+				cfg.Role = "ANALYST"
+				cfg.Authenticator = AuthTypeOAuthAuthorizationCode
+				cfg.Transporter = roundTripper
+				cfg.SingleAuthenticationPrompt = singleAuthenticationPrompt
+				oauthAccessTokenSpec := newOAuthAccessTokenSpec(cfg.OauthTokenRequestURL, cfg.User)
+				oauthRefreshTokenSpec := newOAuthRefreshTokenSpec(cfg.OauthTokenRequestURL, cfg.User)
+				credentialsStorage.deleteCredential(oauthAccessTokenSpec)
+				credentialsStorage.deleteCredential(oauthRefreshTokenSpec)
+				connector := NewConnector(SnowflakeDriver{}, *cfg)
+				db := sql.OpenDB(connector)
+				initPoolWithSize(t, db, 20)
+				println(roundTripper.postReqCount[cfg.OauthTokenRequestURL])
+				if singleAuthenticationPrompt == ConfigBoolFalse {
+					assertTrueE(t, roundTripper.postReqCount[cfg.OauthTokenRequestURL] > 1)
+				} else {
+					assertEqualE(t, roundTripper.postReqCount[cfg.OauthTokenRequestURL], 1)
+				}
+			})
+		}
+	})
+
 	t.Run("successful flow with single-use refresh token enabled", func(t *testing.T) {
 		wiremock.registerMappings(t,
 			newWiremockMapping("oauth2/authorization_code/successful_flow_with_single_use_refresh_token.json"),
@@ -683,7 +728,9 @@ type nonInteractiveAuthorizationCodeProvider struct {
 func (provider *nonInteractiveAuthorizationCodeProvider) run(authorizationURL string) error {
 	if provider.sleepTime != 0 {
 		time.Sleep(provider.sleepTime)
-		return errors.New("ignore me")
+		if provider.triggerError != "" {
+			return errors.New(provider.triggerError)
+		}
 	}
 	if provider.triggerError != "" {
 		return errors.New(provider.triggerError)