ɯei2  UddlmZddlZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl m Z m Z ddlmZmZddlmZddlmZmZddlmZddlmZmZdd l mZmZdd lmZmZdd lmZm Z m!Z!dd l"m#Z#dd l$m%Z%ddl&m'Z'ddl(m)Z)m*Z*m+Z+ddl,m-Z-ddl.m/Z/m0Z0m1Z1m2Z2m3Z3m4Z4m5Z5m6Z6m7Z7m8Z8m9Z9m:Z:m;Z;mZ>m?Z?m@Z@mAZAddlBmCZCddlDmEZEddlFmGZGddlHmIZIddlJmKZKddlLmMZMddlNmOZOmPZPmQZQddlKmRZRddlSmTZTddlUmVZVmWZWddlXmYZYmZZZddl[m\Z\Gdd eZ]Gd!d"eQZ^ e^eKjej&jd#d$d%d&ej&jd#d'd(d)d&ej&jd#d*d+d)d(d&d,-Zad.ebd/<eedZe d;d2ZfGd3d4ZgGd5d6ZhGd7d8ZieijGd9d:Zky#ec$rePeKj0Zad1ebd/<YhwxYw)<) annotationsN) b64decode b64encode)datetimetimezone) getLogger)environpath) expanduser)LockRLock)gmtimestrftime)Any NamedTuple)CertId OCSPRequestSingleResponse) Certificate) Connection)SNOWFLAKE_CONNECTOR_VERSION)OKurlsplit urlunparse)HTTP_HEADER_USER_AGENT)ER_INVALID_OCSP_RESPONSE_SSDER_INVALID_SSD&ER_OCSP_FAILED_TO_CONNECT_CACHE_SERVER&ER_OCSP_RESPONSE_ATTACHED_CERT_EXPIRED&ER_OCSP_RESPONSE_ATTACHED_CERT_INVALID$ER_OCSP_RESPONSE_CACHE_DECODE_FAILED&ER_OCSP_RESPONSE_CACHE_DOWNLOAD_FAILED$ER_OCSP_RESPONSE_CERT_STATUS_INVALID$ER_OCSP_RESPONSE_CERT_STATUS_REVOKED$ER_OCSP_RESPONSE_CERT_STATUS_UNKNOWNER_OCSP_RESPONSE_EXPIRED ER_OCSP_RESPONSE_FETCH_EXCEPTIONER_OCSP_RESPONSE_FETCH_FAILURE,ER_OCSP_RESPONSE_INVALID_EXPIRY_INFO_MISSING"ER_OCSP_RESPONSE_INVALID_SIGNATUREER_OCSP_RESPONSE_LOAD_FAILURE$ER_OCSP_RESPONSE_STATUS_UNSUCCESSFULER_OCSP_RESPONSE_UNAVAILABLEER_OCSP_URL_INFO_MISSING)RevocationCheckError)PYTHON_CONNECTOR_USER_AGENT)SessionManager)get_current_session_manager) constants)exponential_backoff) CacheEntry SFDictCacheSFDictFileCache)4OCSP_ROOT_CERTS_DICT_LOCK_TIMEOUT_DEFAULT_NO_TIMEOUT)SessionManagerFactory)TelemetryFieldgenerate_telemetry_data_dict)&extract_top_level_domain_from_hostnameurl_encode_str)_base64_bytes_to_strceZdZUdZded<dZded<dZded<dZded<dZd ed <dZ d ed <d Z ded<dZ e ddZ y)OCSPResponseValidationResultNException | None exceptionCertificate | Noneissuersubjectz CertId | Nonecert_idz bytes | None ocsp_responsez int | NonetsFbool validatedc d}tj||j|jr#t |jj nd|j r#t |j j nd|jr#t |jj ndt |j|j|jdS)Nc|syt|}|j|jd}t|tr*|j |j |jd|S|j dt|i|S)N)classmodule)errnomsgrQ) type__name__ __module__ isinstancer/updaterPraw_msgstr)excexc_typerets d/var/www/html/glpi_dashboard/venv/lib/python3.12/site-packages/snowflake/connector/ocsp_snowflake.pyserialize_exceptionzDOCSPResponseValidationResult._serialize..serialize_exceptionNsp CyH$--9L9LMC#34 SYYs{{CDJ E3s8,-JrCrErFrGrHrIrK) jsondumpsrCrEr?dumprFrGrHrIrK)selfr]s r\ _serializez'OCSPResponseValidationResult._serializeMs "zz0@@D ()9)9);.deserialize_exceptionus "&**73I'++H5J !77"&BB/*51,W5 '44Z@F%fi8G">%#899  $S%9$:;GGPkQVWefkWlVmo,$S%9$:;22P2Z2Z1[]8  s$A0+A00 C9ACCCrCrErFrGrHrIrKr_)rqz dict | NonereturnrB)r`loadsrArhrloadrr)clsjson_strjson_objrvs r\ _deserializez)OCSPResponseValidationResult._deserializeqs::h' B,+HLL,EF<<)  8<<+A!BC<< *  8<< +B!CD<< * Ihll9&=>?<<0(,,78||D!ll;//  r^)r{rXrwrA)rSrT __qualname__rC__annotations__rErFrGrHrIrKrd classmethodr}r^r\rArADse"&I&!%F %"&G &!G]!"&M<&B It" H< < r^rAc&eZdZddZeddZy)"_OCSPResponseValidationResultCachec |jjDcic]a\}}t|dt|dt|df|jj |j j fc}}}tjt|jt|j|jjt|j|j |j"r|j"j nd|j$t&dj)Scc}}w)Nrr3) cache_keys cache_itemsentry_lifetimerp file_timeout last_loaded telemetryconnector_version)_cacheitemsr?expiry isoformatentryrdr`ralistkeysvalues_entry_lifetime total_secondsrXrprrrrencode)rckventriess r\rdz-_OCSPResponseValidationResultCache._serializes ))+  1 %QqT*$QqT*$QqT* ""$agg&8&8&:;  <  zz"7<<>2#GNN$45"&"6"6"D"D"F 0 $ 1 1484D4DD$$..0$!^^%@    &(  sA&E c Ztj|jj}||dt |d|dd}t j j|d|_|d|_ |drtj|dnd|_ t|d|d D]q\}}ttj|d tj!|d |j"t%|d t%|d t%|d f<s|S) NrprrF)rprrload_if_file_existsrrrrrr3r)r`rxreaddecodeintosr r rprr fromisoformatrzipr6rAr}rr)rz opened_fddatacache_instancerrs r\r}z/_OCSPResponseValidationResultCache._deserializes)zz)..*1134;'t$456n- %   $&77#5#5d;6G#H #' #4 ;? ;NH " "4 #6 7TX "\*D,?@ DAq&&qt,,99!A$?  ! !1Q4)AaD/9QqT?C  r^N)rwbytes)rwr)rSrTr~rdrr}rr^r\rrs2r^r~.cache snowflakez#ocsp_response_validation_cache.jsonLibraryCaches SnowflakeAppDataLocal)linuxdarwinwindows)rrpzISFDictFileCache[tuple[bytes, bytes, bytes], OCSPResponseValidationResult]ro)rzESFDictCache[tuple[bytes, bytes, bytes], OCSPResponseValidationResult]cr|dj|dj|djfS)Nissuer_name_hashissuer_key_hash serial_number)rbrGs r\generate_cache_keyr sC "#((*!"'') %%' r^cLeZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZdZdZieeeeeeeeeeee ee ee ee ee e ee!ee"ee#ee$ee%ee&ee'ee(eiZ)d#dZ*d$dZ+d%dZ,d#dZ-d#dZ.d#dZ/d#dZ0d#dZ1d#dZ2d#dZ3d#dZ4d#dZ5d#d Z6 d& d'd!Z7y")(OCSPTelemetryDataCertificateExtractionFailedOCSPURLMissingOCSPResponseUnavailableOCSPResponseFetchException&OCSPResponseFailedToConnectCacheServerOCSPResponseCertStatusInvalidOCSPResponseCertStatusRevokedOCSPResponseCertStatusUnknownOCSPResponseStatusUnsuccessfulOCSPResponseAttachedCertInvalidOCSPResponseAttachedCertExpiredOCSPResponseSignatureInvalidOCSPResponseExpiryInfoMissingOCSPResponseExpiredOCSPResponseFetchFailureOCSPResponseCacheDownloadFailedOCSPResponseCacheDecodeFailedOCSPResponseLoadFailureOCSPResponseInvalidSSDcd|_d|_d|_d|_d|_d|_d|_d|_d|_d|_ d|_ yNF) event_sub_typeocsp_connection_methodrG sfc_peer_hostocsp_urlocsp_req error_msg cache_enabled cache_hit fail_opendisable_ocsp_checksrcs r\__init__zOCSPTelemetryData.__init__BsT"&*# !  "#( r^cX|j|jd||_y||_y)a Sets sub type for OCSP Telemetry Event. There can be multiple event_sub_type that could have happened during a single connection establishment. Ensure that all of them are captured. :param event_sub_type: :return: N|)r)rcrs r\set_event_sub_typez$OCSPTelemetryData.set_event_sub_typeOs3    *%)%8%8$9>:J"KD "0D r^c||_yN)r)rcocsp_conn_methods r\set_ocsp_connection_methodz,OCSPTelemetryData.set_ocsp_connection_method^s &6#r^c||_yrrrcrGs r\ set_cert_idzOCSPTelemetryData.set_cert_idas  r^c||_yr)r)rcrs r\set_sfc_peer_hostz#OCSPTelemetryData.set_sfc_peer_hostds *r^c||_yr)r)rcrs r\ set_ocsp_urlzOCSPTelemetryData.set_ocsp_urlg   r^c||_yr)r)rcrs r\ set_ocsp_reqzOCSPTelemetryData.set_ocsp_reqjrr^c||_yr)r)rcrs r\ set_error_msgzOCSPTelemetryData.set_error_msgm "r^c&||_|sd|_yyrrr)rcrs r\set_cache_enabledz#OCSPTelemetryData.set_cache_enabledps*"DNr^c:|jsd|_y||_yrr)rcrs r\ set_cache_hitzOCSPTelemetryData.set_cache_hitus!!"DN&DNr^c||_yr)r)rcrs r\ set_fail_openzOCSPTelemetryData.set_fail_open{rr^c||_yrr)rc insecure_modes r\set_insecure_modez#OCSPTelemetryData.set_insecure_modes #0 r^c||_yrr)rcrs r\set_disable_ocsp_checksz)OCSPTelemetryData.set_disable_ocsp_checkss #6 r^cTtj\}}}ttjj |tj j |jtjj |jtjj |jtjj |jtjj |jtj j |j"tj$j |j&tj(j |j*tj,j |j.tj0j |j2i d}|S)NT) from_dictis_oob_telemetry)sysexc_infor<r;KEY_OOB_EVENT_TYPEvalueKEY_OOB_EVENT_SUB_TYPErKEY_OOB_SFC_PEER_HOSTrKEY_OOB_CERT_IDrGKEY_OOB_OCSP_REQUEST_BASE64rKEY_OOB_OCSP_RESPONDER_URLrKEY_OOB_ERROR_MESSAGErKEY_OOB_INSECURE_MODErKEY_OOB_FAIL_OPENrKEY_OOB_CACHE_ENABLEDrKEY_OOB_CACHE_HITr)rc event_typeurgent_rCtelemetry_datas r\generate_telemetry_dataz)OCSPTelemetryData.generate_telemetry_datas,,.9a5117755;;T=P=P44::D-? @ % 22B1C6 J .668$&II311;;%D !%'II.Q$RD ! II=v F' Q !#r^cPtjddjdk(S)z-Checks if new OCSP Endpoint has been enabled.SF_OCSP_ACTIVATE_NEW_ENDPOINTr3r2)rr9lowerrr^r\r8z'OCSPServer.is_enabled_new_ocsp_endpoints$yy8'BHHJfTTr^ct|}d|vrdjd|dg}nvd|vr)||jdd}djd|dg}nI|jd |s |j}n(||jd d}djd|dg}dj|d g|_dj|d g|_y) ajResets current object members CACHE_SERVER_URL and RETRY_URL_PATTERN. They will point at the new OCSP Fetch and Retry endpoints respectively. The new OCSP Endpoint address is based on the hostname the customer is trying to connect to. The deployment or in case of client failover, the replication ID is copied from the hostname. zprivatelink.snowflakecomputing.zhttps://ocspssd.r/zglobal.snowflakecomputing.-Nzhttps://ocspssdzsnowflakecomputing..fetchretry)r=joinfindendswithr7r=r?)rchnamer.temp_ocsp_endpoint rep_id_begin hname_wo_accs r\reset_ocsp_endpointzOCSPServer.reset_ocsp_endpointsB%H , 5!#*rmrnr=r? startswithr6rrschemenetloc)rcuse_ocsp_cache_server parsed_urls r\#reset_ocsp_dynamic_cache_server_urlz.OCSPServer.reset_ocsp_dynamic_cache_server_urls ! ,(=D %  $ $ LL;T=R=R  LLA B    &$$0))44T5R5RS&d&;&;< )3Z5F5F HYHY[]_acegi4j)k(ll~&# >@S@STr^c|jr tj||j}|st dt t jd|jt jdttjyy#t$r(}t jd|jzd}~wwxYw)NzOCSP Cache Server Unavailable.rgz+downloaded OCSP response cache file from %sz# of certificates: %uz~OCSP Response cache download failed. The clientwill reach out to the OCSP Responder directly forany missing OCSP responses %s ) r>r*_download_ocsp_response_cacher=r/r"rmrnlenrorrQ)rcocspretvalrces r\download_cache_from_serverz%OCSPServer.download_cache_from_servers  $ $ #AA$//.<D A4CXCX  +6==># %*(  68;@   sBB C#B<<CcZtti}tj} t j}t j d||j=tjdd}tjdd}| t|}||}tdxstjd}|j|5} |rtjnd} d} t!} t#| D]} | j%|||}|j&t(k(rN|j+|j-t j|z }t j d |ni| dkDs~t/| } t j d |j&| t j0| t j3d |  dddy dddy #1swYyxYw#t4$r3}t j d ||t7d|d|t8d}~wwxYw)z4Downloads OCSP response cache from the cache server.z0started downloading OCSP response cache file: %sN,SF_TEST_OCSP_CACHE_SERVER_CONNECTION_TIMEOUTSF_TEST_OCSP_CACHE_SERVER_URLF use_poolingr3)timeoutheadersz=ended downloading OCSP response cache file. elapsed time: %ss*OCSP server returned %s. Retrying in %s(s)z-Failed to get OCSP response after %s attempt.Tz-Failed to get OCSP response cache from %s: %sz'Failed to get OCSP Response Cache from z: rg)rr0 SnowflakeOCSP$OCSP_CACHE_SERVER_CONNECTION_TIMEOUTtimermrn test_moderr9rr2r: get_manager use_sessionOCSP_CACHE_SERVER_MAX_RETRYr5rangerh status_coderdecode_ocsp_response_cacher`nextsleeperrorrlr/r)r\urldo_retryrf sf_timeout start_time test_timeoutsf_cache_server_urlsession_managersession max_retry sleep_timebackoffrresponse elapsed_timees r\rZz(OCSPServer._download_ocsp_response_caches*+FG"GG 8 J LLKS Q~~)!yyBD  ')ii0OQU&V#+!$\!2J&2-C:!F&22uE !,,S1 WIQMEEWX  /-/1y)!A&{{ * ' + H  ++r177 H'+yy{Z'?  0( "Q%)']  H$00&  :.-!0LLG!?  @A   B  LLH#q Q&=cU"QCH<  sJB(G.B.G"5AG"G.G"G."G+'G.+G.. H*7.H%%H*ct|}t|}|j|d|}nF|jdk7r |jnd}|jj |j |z|}t jd||S)N/rEzOCSP Retry URL is - %s)rr>r?r r:rUrmrn)rcrb64datarWurl_encoded_b64data target_urlr s r\generate_get_urlzOCSPServer.generate_get_urlTsh' ,W5    &$:Q':&;  FBB  LL +H s6AC%B8*6C!C8C=C C* C%%C*ctjrXtttrtj tj |tjdt_yy)a7 Updates OCSP Response Cache file. Two file shall be updated/saved: 1. file for OCSP_RESPONSE_VALIDATION_CACHE which keeps ocsp response validation result 2. ocsp_response_cache.json, the file in the same format as the one downloaded from snowflake cache service FN)r; CACHE_UPDATEDrUror8saveupdate_ocsp_response_cache_filer)r\s r\ update_filezOCSPCache.update_filesL  " "8/J.335  5 5i77 ',I # #r^c.| t|}|jdk(rtj|j|j}|dz}t dD].}t j|rntjd0 t j||t j|ytjd|yy#t j|wxYw#t$r#}tjd||d Yd}~yd}~wwxYw) zUpdates OCSP Response Cache.Nr.lckd{Gz?z\No OCSP response cache file is written, because the given URI is not a file: %s. Ignoring...zJFailed to write OCSP response cache file. file: %s, error: %s, Ignoring...Tr)rrTr rJrUror;lock_cache_filerjrswrite_ocsp_response_cache_fileunlock_cache_filermrnrl)r\rrWrlock_dirrrs r\rz)OCSPCache.update_ocsp_response_cache_files # . %&=> $$.#yy):):JOOLH'&0H"3Z)%44X>! 4( ) >!@@xP!33H=LLC/# /"33H=  =+!  s6BC( C C(6C(C%%C(( D1DDctjd|i}|j|tj|ddd5}t j ||dddy#1swYyxYw)zWrites OCSP Response Cache.z$writing OCSP response cache file to wrrrN)rmrnencode_ocsp_response_cacherrr`rb)r\rfile_cache_datars r\rz(OCSPCache.write_ocsp_response_cache_file sb  ;H:FG ''8 [[3 J *a IIoq ) * * *s A%%A.cnttj}|dz} tj|}t j |s|tj z |kryt j |rbtj|}||dz kr,tj|tjd|y tjd|| y tj|tjd| y #t$r"}tjd|||Yd}~y d}~wwxYw) zChecks if the lock directory exists. Returns: True if it can update the cache file or False when some other process may be updating the cache file. rT<zbThe lock directory is older than 60 seconds. Deleted the lock directory and ignoring the cache: %szOThe lock directory exists. Other process may be updating the cache file: %s, %sz9The cache is older than 1 day. Deleted the cache file: %sz~Failed to check OCSP response cache file. No worry. It will validate with OCSP server: file: %s, lock directory: %s, error: %sNF) rrjr;_file_timestampr rCACHE_EXPIRATIONrrmrnrrrl)r current_timer ts_cache_file ts_lock_dirrs r\rz,OCSPCache.check_ocsp_response_cache_lock_dir)s#499;' f$) %55h?MKK) 9#=#==N{{8$'77A !22//9LLP 6+LL:  * (# R  LL    s+AD %AD D +D D4D//D4c.|tjz |kSr)r;r)rrIs r\is_cache_freshzOCSPCache.is_cache_fresh_si888B>>r^c |r|j|nd}ttj}|jd|j |}|jdd} |r t |nt j |} tj||jrB|j||jr&|rtjd|d|jfStj|||| dt_y #t$r%} tjd|d| Yd} ~ 5d} ~ wwxYw#t"$r|rtjd|d Yy wxYw) N cache_key lock_cacheTzhit cache for subject: %srrzCould not validate cache entry  zcache miss for subject: '')FN) subject_namerrjrhdecode_cert_id_keyro_getitem_non_lockingr;rrI is_valid_timerHrmrn delete_cacherlrKeyError) r\rGrFr@rrrrocsp_response_validation_resultrs r\ find_cachezOCSPCache.find_cachecsm6=t((1$ 499;' 06 0091 "::lD9  J/y93HHS ,  O++ "A"D"D((<JJ$ %@,O!@!N!NNN**gz+ '+I #  O >wiqMNN O J 8aHI JsC' EA!D*D E D>D94E9D>>E$E('E(c |jd|j|}|jdd} |rt|=ntj|dt_y#t $rYywxYw)NrrT)rhrro_delitemr;rr)r\rGr@rrs r\rzOCSPCache.delete_cachesj06 0091 "::lD9  29=.77 B&*I #   s*A A,+A,ctjdk(r ttj|}|St j |}t|drt|j}|St|j}|S)z0Gets the last created timestamp of the file/dir.r st_birthtime) rrrr getctimerstathasattrrst_mtime)rrIrs r\rzOCSPCache._file_timestampss ??  )T]]8,-B 778$Dt^,**+ ' r^cN tj|y#t$rYywxYw)z+Locks a cache file by creating a directory.TF)rmkdirOSErrorfnames r\rzOCSPCache.lock_cache_file'  HHUO    $$cN tj|y#t$rYywxYw)z-Unlocks a cache file by deleting a directory.TF)rrmdirrrs r\rzOCSPCache.unlock_cache_filerrcnttj}tj|j |j}tj | tjd|tj|tj|y#tj|wxYw)z+Deletes the cache file. Used by tests only.z(deleting cache file, used by tests only N) rr;rr rJrUrrmrnrrr)rWrs r\delete_cache_filezOCSPCache.delete_cache_files~i??@  *++Z__=!!%( / LLCE7K L IIe   ' ' .I ' ' .s -BB4c,tjy)z Clears cache.N)roclearrr^r\ clear_cachezOCSPCache.clear_caches ',,.r^c ttS)zReturns the cache's size.)r[rorr^r\ cache_sizezOCSPCache.cache_sizes122r^rr)rrrIrrwrJ) r\rhrGrrFrDr@rrwztuple[bool, bytes | None])r\rhrGrr@rrwr)rSrTr~r CACHE_LOCKrrrr<rrrrrrrrrrrrrrrrrrrrrr^r\r;r;jsJM#%?!I++8""  ,.2 , ,B**33j??$$&,$7I$UX$ "$$L     / ///33r^r;c.eZdZdZiZeZeZe jdZ dZ dZ ejdej"j%dZdZd Zd Zd Zd Zd Zddd d ef d:dZd;d d?dZed@dZ dAdZ!dBdZ"d@dZ#edCdZ$ dD dEdZ%dZ& dD dFdZ' dGdZ(dCdZ)edHdZ*e dI dJdZ+edKdZ,edCdZ-ed Z.edCd!Z/ed"Z0 dD dLd#Z1 dMd$Z2d%Z3d&Z4d'Z5dCd(Z6dId)Z7d*Z8d+Z9d,Z:d-Z; dNd.Zd1Z?d2Z@d3ZAd4ZBd5ZCd6ZDd7ZEd8ZFd9ZGy)Orhz5OCSP validator using PyOpenSSL and asn1crypto/pyasn1.z^(.*\.snowflakecomputing(\.[a-zA-Z]{1,63}){1,2}$|(?:|.*\.)s3.*\.amazonaws(\.[a-zA-Z]{1,63}){1,2}$|.*\.okta\.com$|(?:|.*\.)storage\.googleapis\.com$|.*\.blob\.core\.windows\.net$|.*\.blob\.core\.usgovcloudapi\.net$)rirNtzinfoz%Y-%m-%d %H:%M:%SZ r3Tc ztjdd|_|jdk(rtj d||_||_tt|jdd|_ d|_ tjd,tjdjdk(|_ n||_ tjj!|tj#s|jj%| t&s tjj)|yy)NSF_OCSP_TEST_MODEr2z(WARNING - DRIVER CONFIGURED IN TEST MODEhostname)r.SF_OCSP_FAIL_OPEN)rr9rkrmrn_use_post_method_root_certs_dict_lock_timeoutr*r=r4OCSP_CACHE_SERVERdebug_ocsp_failure_urlrC FAIL_OPENrh OCSP_CACHErr8rXror)rcrrVuse_post_method use_fail_openroot_certs_dict_lock_timeoutr@s r\rzSnowflakeOCSP.__init__ s#6= >>V # LLC D /-I*!+C :t,"  '+# 99( ) 5 YY':;AACvMDN*DN  >>?VW668  " " F F%  *.  $ $ . .t 4.r^ci}t}|j|jj|j d|j ||j |j |j|||j|}|jd||d|S#t$r&}tjdt||d}~wwxYw)z.Validates that the certificate is NOT revoked.Fz-Caught exception while validating certfile %sN)rv no_exception)rrrr>rrris_enabled_fail_openread_cert_bundlecreate_pair_issuer_subjectrlrmrnrX _validate)rc cert_filenamer cert_mapr cert_datars r\validate_certfilezSnowflakeOCSP.validate_certfileJs*,(()?)?)T)TU..u5((7$$T%>%>%@A   ! !- :77AI ~~ )^e,    LLH#b' RH s4#B-- C6!CCc tjd|tj}tjj | }|s|j drtjd|gdStjr|jj|t}|j|jj|jd|j||j!|j# |j%|}|j/|||||S#t&$rF|j)tj*tj|j-dYywxYw)z4Validates the certificate is not revoked using OCSP.zvalidating certificate: %socspssdzskipping OCSP check: %s)NNNNNFRevocationCheckFailureN)rmrnrhget_ocsp_retry_choiceOCSP_WHITELISTmatchrSr*r8rrQrrr>rrrr extract_certificate_chainr/rrrr)rcr connectionr rvmrrs r\validatezSnowflakeOCSP.validate]sQ$  18< 668,,228< < ##I. LL2H =1 1  2 2 4  " " 6 6x @*,(()?)?)T)TU..u5((2$$T%>%>%@A 66zBI~~ i<  $   - -!??  LL667OP  sD>>A F  F c0|j||||}tjj|d}|D];\}} } } } t |t r|xj d|z c_|s|||:d}=tj|sd|Sd|S)zBValidate certs sequentially if OCSP response cache server is used.)rvFz for Tokfailed) !_validate_certificates_sequentialrhrrrUr/rQrmrn) rcrrrrvr resultsany_errerrrs r\rzSnowflakeOCSP._validates88 ~x(9    ,,T2& OCAq!#34U8*--CO     T7/77r^c4tjdddk(S)NSF_OCSP_DO_RETRYr2)rr9rr^r\rz#SnowflakeOCSP.get_ocsp_retry_choicesyy+V4>>r^c Ttjj|||fi|\}}||fS)zDecides whether OCSP CertID is in cache. Args: cert_id: OCSP CertID. subject: Subject certificate. Returns: True if in cache otherwise False, followed by the cached OCSP Response. )rhrr)rcrGrFr@foundcaches r\is_cert_id_in_cachez!SnowflakeOCSP.is_cert_id_in_caches9%//:: '7 &, ue|r^cl|jd}d|vr|djdd}|S|d}|S)zExtracts the account name part from the hostname. Args: hostname: Hostname that account name is in. Returns: The extracted account name. rGglobalrrF)split)rcr split_hnameacc_names r\get_account_from_hostnamez'SnowflakeOCSP.get_account_from_hostnamesJnnS) { ""1~++C03H#1~Hr^c|jSr)rrs r\r z"SnowflakeOCSP.is_enabled_fail_opens ~~r^c@d}|d|}tj|y)NzWOCSP responder didn't respond correctly. Assuming certificate is not revoked. Details: z )rmrn)ocsp_log static_debug ocsp_debugs r\print_fail_open_debugz#SnowflakeOCSP.print_fail_open_debugs#p $~T(4  Z r^c |j||\}}|j||fi|\} } | s=|jdtj d|j ||||||} n|j |} |j|j|} |jdtj||| |_ |j| |j||j| tj d| s0|jt j"t%dt& |j)||| d} | |||| fS#t$$r3}|jt j*|j,|d}~wwxYw#t$$r7}|j/|j0|j3||} Yd}~d}~wt4$ru}tj dt7||j/t7||j3||} tj8j;||Yd}~d}~wwxYw)NFz+getting OCSP response from CA's OCSP serverTzusing OCSP response cachezACould not retrieve OCSP Response. Cannot perform Revocation CheckrgzOCSP Validation failed %s)create_ocsp_requestr+rrmrn_fetch_ocsp_responseextract_ocsp_urlencode_cert_id_base64rrhcreate_ocsp_debug_inforrrrrrrr/r-process_ocsp_responser(rPrrQverify_fail_openrlrXrr)rcrErFrrrvr@rGreq cache_statusrHr cert_id_encr%op_err^rs r\validate_by_direct_connectionz+SnowflakeOCSP.validate_by_direct_connections9//@ &>d&>&> W' &' # m. A,,U3 JK $ 9 9'>8X!  009"88++G4 ,,T2.;.R.R#x/+++H5++C0**;7 89 11%??+[6 **67MJ"FGWm;;!( 11%44U[[A   $ =  ( ( 1''^  ( (R 1''N;C  $ $ 1 1$ @ @  AsCDF"E## F,.FFF"" I+-G I)A+IIc|js_|jtur'tj |j dd|Stj |j d|S|jtur'tj |j dd|St j|j dy)NRevokedCertificateErrorTr)r rPr$rmrnrrhr7)rcex_objrs r\r?zSnowflakeOCSP.verify_fail_opens((*||CC "::14M "::;STM||CC "::14  33"::;STr^c Pg} |j|i}|D]\} } |j| | \} } |j| } tj| }| |jsh|j| | |||| }|d|d5t!|t#t%j$dd|| <dt&_|j+||j+|j,|j.|j0|j2|j4ftj7||S#t$r7}|jtj|j Yd}~Zd}~wt $r*}tjdt|Yd}~d}~wwxYw)NzHCaught unknown exception - %s. Continue to validate by direct connection)rErF)rvrrT)rIrK)!_check_ocsp_response_cache_serverr/rrr(rPrlrmrnrXr9rrorhrKrDrArrjr;rappendrCrErFrGrHrV)rcrrrrvr#r^rto_update_cache_dictrErFrGrrrrs r\r"z/SnowflakeOCSP._validate_certificates_sequential4s   2 29 = "(* OFG111QJGQ//8I.L.P.P/ + 076@@66"%' 7Q4#qt'76Rtyy{+"&7(3 /3I+q!7AA7>>7??7??7EE E* V '--.BCo$   - -!00;    LLZB   s#D44 F%=,E// F%;F  F%cd}|D]B\}}|j||\}}tjj|||\}}|rBn|s|jj |yy)zChecks if OCSP response is in cache, and if not it downloads the OCSP response cache from the server. Args: cert_data: Tuple of issuer and subject certificates. FN)r9rhrrrr_)rcrin_cacherErFrGrs r\rJz/SnowflakeOCSP._check_ocsp_response_cache_serverwst( OFG11&'BJGQ'22==dGWUKHa    " " = =d Cr^ctjj|j}|r* tjr tjj y t jdxst jd}|r(tj|r|j|n^ddl }ddl m }t|drtj|jrtjtj tj"|jdrEtj tj"|jd}|j|nzt|d rngd d dgdgg}|D]J}tj |j$g|}tj|s9|j|nt&j)d  ddl}|j|j-tjst&j)dtjj yt&j3dy#t.$rt&j1d YzwxYw#t.$r }t&j)d|Yd}~d}~wwxYw#tjj wxYw)z5Reads the local cabundle file and cache it in memory.)reNREQUESTS_CA_BUNDLECURL_CA_BUNDLEr)certs__file__ cacert.pem_MEIPASS)botocorevendoredrequestsrTrXz%No cabundle file is found in _MEIPASSz!no certifi is installed. ignored.zFailed to read ca_bundle: %szMNo CA bundle file is found in the system. Set REQUESTS_CA_BUNDLE to the file.zSFailed to acquire lock for ROOT_CERTIFICATES_DICT_LOCK. Skipping reading CA bundle.)rhROOT_CERTIFICATES_DICT_LOCKacquirerROOT_CERTIFICATES_DICTreleaser rhr rrrrXrRrrSrJdirnamerUrmrtcertifiwhererlrninfo) rc lock_acquired ca_bundlerrRcabundle_candidatesrr^rs r\_lazy_read_ca_bundlez"SnowflakeOCSP._lazy_read_ca_bundlesQ%AAII66J  > D 77v99AACs1D ' ,@ A!W[[(FI!T[[%;--i8"3$E:6 $ ENN ; $ $ $,,u~~*F U! )- $ U^^  99AAC KK.  % )N"LL)LMN!DLL!?CCD99AACsZJ> E&J)J1#I.%J>.J JJJ J;J61J>6J;;J>> Kcptttj||z ztjSr)maxrrhTOLERABLE_VALIDITY_RANGE_RATIOMAX_CLOCK_SKEW) this_update next_updates r\_calculate_tolerable_validityz+SnowflakeOCSP._calculate_tolerable_validitys8 <<,.   ( (   r^c|tjd}|ytj||}|tjz |cxkxr||zkScS)N(SF_TEST_OCSP_FORCE_BAD_RESPONSE_VALIDITYF)rr9rhrkrh)rrirjrkforce_validity_failtolerable_validitys r\_is_validaity_rangez!SnowflakeOCSP._is_validaity_rangesn  "$)),V"W ".*HH   -66 6 0// 0  0 r^c dtj||}djttjt |ttjt |ttjt |ttjt ||zS)NzResponse is unreliable. Its validity date is out of range: current_time={}, this_update={}, next_update={}, tolerable next_update={}. A potential cause is client clock is skewed, CA fails to update OCSP response in time.)rhrkr:rOUTPUT_TIMESTAMP_FORMATr)rrirjros r\_validity_error_messagez%SnowflakeOCSP._validity_error_messages*HH   !'>>|@TU>>{@ST>>{@ST!99;);;< !  r^c@tjjyr)rhrrrr^r\rzSnowflakeOCSP.clear_cache s  ,,.r^c>tjjSr)rhrrrr^r\rzSnowflakeOCSP.cache_sizes''2244r^c@tjjyr)rhrrrr^r\rzSnowflakeOCSP.delete_cache_files  224r^c6|j|}|d|}|S)Nr)decode_ocsp_request_b64)r\ ocsp_requestrrrs r\r=z$SnowflakeOCSP.create_ocsp_debug_infos(..|< z7), r^c tj}|j|}|j|j |} |s0|j t jtdttti} tjsv|jrdnd} |jj rd} | dk(r0|j#|} |jj%|| } d}na|} |j'|}d| d<nHd} |jj } |j#|}t)j*||| |d}d | d<|j-| |j.Rt0j3d t5j6d d}t5j6d d}| t9|}||} tj;||||_|j?|j#||jA||jC| d}t0j3d | tjD}|jGstjH}tKd}||ntMjNd}|jQ| 5}|r|nd}d}tS}tU|D]} |jW| | | ||}|jXtZk(r#t0j3d|j\}n|dkDrAt_|}t0j3d|jX|tajb|t0jodji||j t jptdji|tr ddd|S#td$r}|dkDr7t_|}t0j3d|tajb|nH|j t jftdjitk|tlYd}~d}~wwxYw#1swY|SxYw)z(Fetches OCSP response using OCSPRequest.zFNo OCSP URL found in cert. Cannot perform Certificate Revocation checkrgpostrhNzapplication/ocsp-requestz Content-Type)rryrGocsp_responder_urlzapplication/jsonz+WARNING - DRIVER IS CONFIGURED IN TESTMODE.SF_TEST_OCSP_URL,SF_TEST_CA_OCSP_RESPONDER_CONNECTION_TIMEOUTzurl: %sFrcr3)rfmethodrurerz9OCSP response was successfully returned from OCSP server.rgz:Could not fetch OCSP Response from serverRetrying in %s(s)z\Could not fetch OCSP Response from server. Considerchecking your whitelists : Exception - {}z[Failed to get OCSP response after {} attempt. Consider checking for OCSP URLs being blockedz-Failed to get OCSP response after {} attempt.):rh$CA_OCSP_RESPONDER_CONNECTION_TIMEOUTr;r<rrrrr/r.rr0r*r8rrr?rxrdecode_ocsp_requestr`rarrkrmrnrr9rr=rrrrCA_OCSP_RESPONDER_MAX_RETRY_FOr CA_OCSP_RESPONDER_MAX_RETRY_FCr2r:rlrmr5rorequestrprcontentrrrjrsrlrr:rXr'rtr#r()rcryrFrGrrrvrwrrBrf actual_methodrrpayload ocsp_req_enc test_ocsp_urlryr[ sf_max_retrycontext_session_managerr{r|r}r~rrrrs r\r:z"SnowflakeOCSP._fetch_ocsp_responses<#GG ((1001H1H1QR   - -.?.P.P Q&\. *+FG668&*&;&;FM%%44 % %66|D!33DDXwW % 22<@*D'"M//>>J77 ELjj ($0**2 G'9GN #11-@ >> % LLF GII&8$?M99>L' . (* &3&J&J ,' # ##D$@$@$NO##H-"";/ Y +$CC ((*(GGL #>%"P'2 $&22uE   ( ( 4; (0 aIJ+)+-G9%7 (& ',& *$ / H ++r1 &'.."Q%)']  H$00&  :./7 V 228&2C11%AA+GNN!9 G'; z C! 1}%)']  0&  :.&99-KK3!HHNsSUw"B /9; z sF&Q"A OQ"AOA%Q" QBQQ"QQ""Q,cttj}|j|\}}||!tdj ||t |j dtjz j}|j dtjz j}tj||||js&ttj|||ty)zProcesses GOOD status.NzKEither this update or next update is None. this_update: {}, next_update: {}rgr)rrjextract_good_statusr/r:r)rrh ZERO_EPOCHrrprkrsr&) rcsingle_responserGrHrthis_update_nativenext_update_nativerirjs r\_process_good_statusz"SnowflakeOCSP._process_good_statuss499;' 151I1I 2 ..  %);)C&CCI6&(:DC    & &d & 3m6N6N N -/   & &d & 3m6N6N N -/ 00 +{DNN '!99 +{/   r^c xttj}|j~tjd}|dk(rdt dj ttjt|ttjt|dttjj|||j|\}}t dj ttjt||jtj|t)zProcesses REVOKED status.SF_TEST_OCSP_CERT_STATUSrevokedzPThe certificate has been revoked: current_time={}, revocation_time={}, reason={}z Force Revokerg)rrjrkrr9r/r:rrhrrrr$rrextract_revoked_status)rcrrGrtest_cert_statusrevocation_timerevocation_reasons r\_process_revoked_statusz%SnowflakeOCSP._process_revoked_statuss 499;' >> %!yy)CD 9,*44:F )AA6,CW!)AA6,CW'5?     --dG<-1-H-H . **#,,2F>>|@TU(()N)NO!- 7  r^cdtjj||tdt)zProcesses UNKNOWN status.z0The certificate is in UNKNOWN revocation status.rg)rhrrr/r%rs r\_process_unknown_statusz%SnowflakeOCSP._process_unknown_statuss+  --dG<"B6  r^c  tj5i}|jD]\}\}}|j|}t |}|j ||s8t tj}|j|} tj||d| d\} } tj||rt||d|| <| stj||| d dddr!tj|dt_yy#1swY-xYw#t $rF} t"j%d| dj't)| } t+| t,d} ~ wwxYw) z&Decodes OCSP response cache from JSON.NFr)rHrIrKTzCaught here - %sz6Exception raised while decoding OCSP Response Cache {}rg)ro_lockrdecode_cert_id_base64rrrrjrr;rrrArrVrrlrmrnr:rXr/r!)rcocsp_response_cache_jsonnew_cache_dictcert_id_base64rIrHrGb64decoded_ocsp_responserrr)rrermsgs r\rqz(SnowflakeOCSP.decode_ocsp_response_caches& /55 !#.335N%!"88HG/8/G,--g7OP #&tyy{#3L<@Reads a certificate file including certificates in PEM format.NotImplementedError)rcca_bundle_filestorages r\rzSnowflakeOCSP.read_cert_bundle4!!r^ct)z%Encodes Cert ID key to native CertID.rrcrs r\encode_cert_id_keyz SnowflakeOCSP.encode_cert_id_key8rr^ct)z#Decodes name CertID to Cert ID key.rrs r\rz SnowflakeOCSP.decode_cert_id_key<rr^ct)z(Encodes native CertID to base64 Cert ID.r)rchkeys r\r<z#SnowflakeOCSP.encode_cert_id_base64@rr^ct)z(Decodes base64 Cert ID to native CertID.r)rcrs r\rz#SnowflakeOCSP.decode_cert_id_base64Drr^ct)zCreates CertId and OCSPRequest.r)rcrErFs r\r9z!SnowflakeOCSP.create_ocsp_requestHs "!r^ct)z#Extracts OCSP URL from Certificate.r)rccerts r\r;zSnowflakeOCSP.extract_ocsp_urlPrr^ct)zDecodes OCSP request to DER.rrcrys r\rz!SnowflakeOCSP.decode_ocsp_requestTrr^ct)z#Decodes OCSP Request object to b64.rrs r\rxz%SnowflakeOCSP.decode_ocsp_request_b64Xrr^ct)z Extracts Revocation Status GOOD.rrcrs r\rz!SnowflakeOCSP.extract_good_status\rr^ct)z#Extracts Revocation Status REVOKED.rrs r\rz$SnowflakeOCSP.extract_revoked_status`rr^ct)zProcesses OCSP response.r)rcrErGrHs r\r>z#SnowflakeOCSP.process_ocsp_responsedrr^ct)zVerifies signature.r)rcsignature_algorithm signaturerrs r\verify_signaturezSnowflakeOCSP.verify_signaturehrr^ct)zHGets certificate chain and extract the key info from OpenSSL connection.r)rcrs r\rz'SnowflakeOCSP.extract_certificate_chainlrr^ct)z1Creates pairs of issuer and subject certificates.r)rcrs r\rz(SnowflakeOCSP.create_pair_issuer_subjectprr^ct)z!Gets human readable Subject name.r)rcrFs r\rzSnowflakeOCSP.subject_nametrr^ct)z4Checks whether ocsp_response is in valid time range.r)rcrGrHs r\rzSnowflakeOCSP.is_valid_timexrr^)rrJr rJr rrwrr)r rJ)r str | Nonerrr rJrwzSlist[tuple[Exception | None, Certificate, Certificate, CertId, str | bytes]] | None)TF) rrr%list[tuple[Certificate, Certificate]]rrrvrJr rJrwFlist[tuple[Exception | None, Certificate, Certificate, CertId, bytes]]r)rGrrFrDr@r)rrXrwrXr)NT)rErrFrrrrrXrvrJr@rrwz@tuple[Exception | None, Certificate, Certificate, CertId, bytes]) rrrrrrrvrJrwr)rrrwr)rifloatrjrrwrr) rrrirrjrrkz Any | NonerwrJ)rwrX)rvrJ)rrrGrrHrrwr)rErrFrrwztuple[CertId, OCSPRequest])HrSrTr~__doc__r[r rYr;rrecompilerrgrhr fromtimestamprutcrrrrrrirrrnr9rrrrrrr+r1r r7rDr?r"rJrdrkrprsrrrr=r:rrrrqrrrrr<rr9r;rrxrrr>rrrrrrr^r\rhrhs? #('JRZZ 1N$&*"N(''8<<8@@@MJ3,.(,-(&'"&'"#$!%" $",` <5 <5  <5 '* <5 <5| .# 1 1 1  1  1 p" 9*      P6??(:FI" !! ><><><* ><  ><  ><>< J><@> $ A8A*A A  A P AFD8D D*JX   !%          (  *//5555RRh - 8> OT   D  D (T R"""""""" $ """"""""""""r^rh)rGrrwztuple[bytes, bytes, bytes])l __future__rrrir`rrrrrrjbase64rrrrloggingrr r os.pathr threadingr r rrtypingrrasn1crypto.ocsprrrasn1crypto.x509r OpenSSL.SSLrsnowflake.connectorrsnowflake.connector.compatrrrsnowflake.connector.constantsrsnowflake.connector.errorcoderrrrr r!r"r#r$r%r&r'r(r)r*r+r,r-r.snowflake.connector.errorsr/snowflake.connector.networkr0#snowflake.connector.session_managerr1#snowflake.connector.ssl_wrap_socketr2rEr4backoff_policiesr5r*r6r7r8r9r{r:rr;r<url_utilr=r> util_textr?rArDAY_IN_SECONDSrJrorrrSrmrrr*r;rrhrr^r\rs"    ''!!" @?'";??@*<C>K1;;K2CL+j :j Z//d# + //WW\\X{,Qggll5 ww||5   #%H 8  EEVGGTb3b3L  g"g"k  // #%s%A4G""HH