SNOW-1902245: Add support for GCP Workload Identity Federation (#2144)

Author: sfc-gh-dheyman

src/main/java/net/snowflake/client/core/HttpUtil.java

@@ -659,6 +659,32 @@ public static String executeGeneralRequest(
         null);
   }
 
+  @SnowflakeJdbcInternalApi
+  public static String executeGeneralRequestOmitRequestGuid(
+      HttpRequestBase httpRequest,
+      int retryTimeout,
+      int authTimeout,
+      int socketTimeout,
+      int retryCount,
+      HttpClientSettingsKey ocspAndProxyAndGzipKey)
+      throws SnowflakeSQLException, IOException {
+    return executeRequestInternal(
+        httpRequest,
+        retryTimeout,
+        authTimeout,
+        socketTimeout,
+        retryCount,
+        0,
+        null,
+        false,
+        false,
+        false,
+        false,
+        getHttpClient(ocspAndProxyAndGzipKey),
+        new ExecTimeTelemetryData(),
+        null);
+  }
+
   /**
    * Executes an HTTP request for Snowflake.
    *

src/main/java/net/snowflake/client/core/SFLoginInput.java

@@ -261,7 +261,8 @@ public int getSocketTimeoutInMillis() {
     return (int) socketTimeout.toMillis();
   }
 
-  SFLoginInput setSocketTimeout(Duration socketTimeout) {
+  @SnowflakeJdbcInternalApi
+  public SFLoginInput setSocketTimeout(Duration socketTimeout) {
     this.socketTimeout = socketTimeout;
     return this;
   }
@@ -461,7 +462,8 @@ public HttpClientSettingsKey getHttpClientSettingsKey() {
     return httpClientKey;
   }
 
-  SFLoginInput setHttpClientSettingsKey(HttpClientSettingsKey key) {
+  @SnowflakeJdbcInternalApi
+  public SFLoginInput setHttpClientSettingsKey(HttpClientSettingsKey key) {
     this.httpClientKey = key;
     return this;
   }

src/main/java/net/snowflake/client/core/SessionUtil.java

@@ -342,7 +342,7 @@ static SFLoginOutput openSession(
       WorkloadIdentityAttestationProvider attestationProvider =
           new WorkloadIdentityAttestationProvider(
               new AwsIdentityAttestationCreator(new AWSAttestationService()),
-              new GcpIdentityAttestationCreator(),
+              new GcpIdentityAttestationCreator(loginInput),
               new AzureIdentityAttestationCreator(),
               new OidcIdentityAttestationCreator());
       WorkloadIdentityAttestation attestation =

src/main/java/net/snowflake/client/core/auth/wif/AwsIdentityAttestationCreator.java

@@ -19,9 +19,6 @@ public class AwsIdentityAttestationCreator implements WorkloadIdentityAttestatio
   private static final SFLogger logger =
       SFLoggerFactory.getLogger(AwsIdentityAttestationCreator.class);
 
-  private static final String SNOWFLAKE_AUDIENCE_HEADER_NAME = "X-Snowflake-Audience";
-  private static final String SNOWFLAKE_AUDIENCE = "snowflakecomputing.com";
-
   private final AWSAttestationService attestationService;
 
   public AwsIdentityAttestationCreator(AWSAttestationService attestationService) {
@@ -63,7 +60,9 @@ private Request<Void> createStsRequest(String hostname) {
         URI.create(
             String.format("https://%s/?Action=GetCallerIdentity&Version=2011-06-15", hostname)));
     request.addHeader("Host", hostname);
-    request.addHeader(SNOWFLAKE_AUDIENCE_HEADER_NAME, SNOWFLAKE_AUDIENCE);
+    request.addHeader(
+        WorkloadIdentityUtil.SNOWFLAKE_AUDIENCE_HEADER_NAME,
+        WorkloadIdentityUtil.SNOWFLAKE_AUDIENCE);
     return request;
   }
 

src/main/java/net/snowflake/client/core/auth/wif/GcpIdentityAttestationCreator.java

@@ -1,19 +1,101 @@
 package net.snowflake.client.core.auth.wif;
 
-import net.snowflake.client.core.SFException;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTParser;
+import java.util.Collections;
+import java.util.Map;
+import net.snowflake.client.core.HttpUtil;
+import net.snowflake.client.core.SFLoginInput;
 import net.snowflake.client.core.SnowflakeJdbcInternalApi;
-import net.snowflake.client.jdbc.ErrorCode;
 import net.snowflake.client.log.SFLogger;
 import net.snowflake.client.log.SFLoggerFactory;
+import org.apache.http.client.methods.HttpGet;
 
 @SnowflakeJdbcInternalApi
 public class GcpIdentityAttestationCreator implements WorkloadIdentityAttestationCreator {
 
+  private static final String METADATA_FLAVOR_HEADER_NAME = "Metadata-Flavor";
+  private static final String METADATA_FLAVOR = "Google";
+  private static final String EXPECTED_GCP_TOKEN_ISSUER = "https://accounts.google.com";
+  private static final String DEFAULT_GCP_METADATA_SERVICE_BASE_URL = "http://169.254.169.254";
+
+  private final String gcpMetadataServiceBaseUrl;
+
   private static final SFLogger logger =
       SFLoggerFactory.getLogger(GcpIdentityAttestationCreator.class);
 
+  private final SFLoginInput loginInput;
+
+  public GcpIdentityAttestationCreator(SFLoginInput loginInput) {
+    this.loginInput = loginInput;
+    gcpMetadataServiceBaseUrl = DEFAULT_GCP_METADATA_SERVICE_BASE_URL;
+  }
+
+  /** Only for testing purpose */
+  GcpIdentityAttestationCreator(SFLoginInput loginInput, String gcpBaseUrl) {
+    this.loginInput = loginInput;
+    this.gcpMetadataServiceBaseUrl = gcpBaseUrl;
+  }
+
   @Override
-  public WorkloadIdentityAttestation createAttestation() throws SFException {
-    throw new SFException(ErrorCode.FEATURE_UNSUPPORTED, "GCP Workload Identity not supported");
+  public WorkloadIdentityAttestation createAttestation() {
+    String token = fetchTokenFromMetadataService();
+    if (token == null) {
+      logger.debug("No GCP token was found.");
+      return null;
+    }
+    // if the token has been returned, we can assume that we're on GCP environment
+    Map<String, Object> claims = extractClaims(token);
+    if (claims == null) {
+      logger.error("Failed to parse JWT and extract claims");
+      return null;
+    }
+    String issuer = (String) claims.get("iss");
+    if (issuer == null) {
+      logger.error("Missing issuer claim in GCP token");
+      return null;
+    }
+    String subject = (String) claims.get("sub");
+    if (subject == null) {
+      logger.error("Missing sub claim in GCP token");
+      return null;
+    }
+    if (!issuer.equals(EXPECTED_GCP_TOKEN_ISSUER)) {
+      logger.error("Unexpected GCP token issuer:" + issuer);
+      return null;
+    }
+    return new WorkloadIdentityAttestation(
+        WorkloadIdentityProviderType.GCP, token, Collections.singletonMap("sub", subject));
+  }
+
+  private Map<String, Object> extractClaims(String token) {
+    try {
+      JWT jwt = JWTParser.parse(token);
+      return jwt.getJWTClaimsSet().getClaims();
+    } catch (Exception e) {
+      logger.debug("Unable to extract JWT claims from token", e);
+      return null;
+    }
+  }
+
+  private String fetchTokenFromMetadataService() {
+    String uri =
+        gcpMetadataServiceBaseUrl
+            + "/computeMetadata/v1/instance/service-accounts/default/identity?audience="
+            + WorkloadIdentityUtil.SNOWFLAKE_AUDIENCE;
+    HttpGet tokenRequest = new HttpGet(uri);
+    tokenRequest.setHeader(METADATA_FLAVOR_HEADER_NAME, METADATA_FLAVOR);
+    try {
+      return HttpUtil.executeGeneralRequestOmitRequestGuid(
+          tokenRequest,
+          loginInput.getLoginTimeout(),
+          3, // 3s timeout
+          loginInput.getSocketTimeoutInMillis(),
+          0,
+          loginInput.getHttpClientSettingsKey());
+    } catch (Exception e) {
+      logger.debug("GCP metadata server request was not successful: " + e.getMessage());
+      return null;
+    }
   }
 }

src/main/java/net/snowflake/client/core/auth/wif/WorkloadIdentityUtil.java

@@ -0,0 +1,6 @@
+package net.snowflake.client.core.auth.wif;
+
+class WorkloadIdentityUtil {
+  static final String SNOWFLAKE_AUDIENCE_HEADER_NAME = "X-Snowflake-Audience";
+  static final String SNOWFLAKE_AUDIENCE = "snowflakecomputing.com";
+}

src/test/java/net/snowflake/client/core/auth/wif/GcpIdentityAttestationCreatorLatestIT.java

@@ -0,0 +1,136 @@
+package net.snowflake.client.core.auth.wif;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
+
+import java.time.Duration;
+import net.snowflake.client.category.TestTags;
+import net.snowflake.client.core.HttpClientSettingsKey;
+import net.snowflake.client.core.OCSPMode;
+import net.snowflake.client.core.SFLoginInput;
+import net.snowflake.client.jdbc.BaseWiremockTest;
+import org.junit.jupiter.api.Tag;
+import org.junit.jupiter.api.Test;
+
+@Tag(TestTags.AUTHENTICATION)
+class GcpIdentityAttestationCreatorLatestIT extends BaseWiremockTest {
+
+  private static final String SCENARIOS_BASE_DIR = MAPPINGS_BASE_DIR + "/wif/gcp";
+
+  /*
+   * {
+   *     "iss": "https://accounts.google.com",
+   *     "iat": 1743692017,
+   *     "exp": 1775228014,
+   *     "aud": "www.example.com",
+   *     "sub": "some-subject"
+   * }
+   */
+  private static final String SUCCESSFUL_FLOW_SCENARIO_MAPPINGS =
+      SCENARIOS_BASE_DIR + "/successful_flow.json";
+
+  /*
+   * {
+   *   "iss": "https://not.google.com",
+   *   "iat": 1743761213,
+   *   "exp": 1743764813,
+   *   "aud": "www.example.com",
+   *   "sub": "some-subject"
+   * }
+   */
+  private static final String INVALID_ISSUER_SCENARIO_MAPPINGS =
+      SCENARIOS_BASE_DIR + "/invalid_issuer_claim.json";
+
+  /*
+   * {
+   *   "sub": "some-subject",
+   *   "iat": 1743761213,
+   *   "exp": 1743764813,
+   *   "aud": "www.example.com"
+   * }
+   */
+  private static final String MISSING_ISSUER_SCENARIO_MAPPINGS =
+      SCENARIOS_BASE_DIR + "/missing_issuer_claim.json";
+
+  /*
+   * {
+   *   "iss": "https://accounts.google.com",
+   *   "iat": 1743761213,
+   *   "exp": 1743764813,
+   *   "aud": "www.example.com"
+   * }
+   */
+  private static final String MISSING_SUB_SCENARIO_MAPPINGS =
+      SCENARIOS_BASE_DIR + "/missing_sub_claim.json";
+
+  // token equal to "unparsable.token"
+  private static final String TOKEN_PARSE_ERROR_SCENARIO_MAPPINGS =
+      SCENARIOS_BASE_DIR + "/unparsable_token.json";
+
+  // 400 Bad Request
+  private static final String HTTP_ERROR_MAPPINGS = SCENARIOS_BASE_DIR + "/http_error.json";
+
+  @Test
+  public void successfulFlowScenario() {
+    importMappingFromResources(SUCCESSFUL_FLOW_SCENARIO_MAPPINGS);
+    SFLoginInput loginInput = createLoginInputStub();
+
+    GcpIdentityAttestationCreator attestationCreator =
+        new GcpIdentityAttestationCreator(loginInput, getBaseUrl());
+    WorkloadIdentityAttestation attestation = attestationCreator.createAttestation();
+    assertNotNull(attestation);
+    assertEquals(WorkloadIdentityProviderType.GCP, attestation.getProvider());
+    assertEquals("some-subject", attestation.getUserIdentifiedComponents().get("sub"));
+    assertNotNull(attestation.getCredential());
+  }
+
+  @Test
+  public void invalidIssuerScenario() {
+    importMappingFromResources(INVALID_ISSUER_SCENARIO_MAPPINGS);
+    creatAttestationAndAssertNull();
+  }
+
+  @Test
+  public void missingIssuerScenario() {
+    importMappingFromResources(MISSING_ISSUER_SCENARIO_MAPPINGS);
+    creatAttestationAndAssertNull();
+  }
+
+  @Test
+  public void missingSubScenario() {
+    importMappingFromResources(MISSING_SUB_SCENARIO_MAPPINGS);
+    creatAttestationAndAssertNull();
+  }
+
+  @Test
+  public void unparsableTokenScenario() {
+    importMappingFromResources(TOKEN_PARSE_ERROR_SCENARIO_MAPPINGS);
+    creatAttestationAndAssertNull();
+  }
+
+  @Test
+  public void httpErrorScenario() {
+    importMappingFromResources(HTTP_ERROR_MAPPINGS);
+    creatAttestationAndAssertNull();
+  }
+
+  private void creatAttestationAndAssertNull() {
+    SFLoginInput loginInput = createLoginInputStub();
+    GcpIdentityAttestationCreator attestationCreator =
+        new GcpIdentityAttestationCreator(loginInput, getBaseUrl());
+    WorkloadIdentityAttestation attestation = attestationCreator.createAttestation();
+    assertNull(attestation);
+  }
+
+  private String getBaseUrl() {
+    return String.format("http://%s:%d/", WIREMOCK_HOST, wiremockHttpPort);
+  }
+
+  private SFLoginInput createLoginInputStub() {
+    SFLoginInput loginInputStub = new SFLoginInput();
+    loginInputStub.setSocketTimeout(Duration.ofMinutes(5));
+    loginInputStub.setHttpClientSettingsKey(new HttpClientSettingsKey(OCSPMode.FAIL_OPEN));
+    return loginInputStub;
+  }
+}

src/test/java/net/snowflake/client/core/auth/wif/WorkloadIdentityAttestationProviderTest.java

@@ -32,7 +32,7 @@ public void shouldCreateProperAttestationCreatorByType() throws SFException {
     WorkloadIdentityAttestationProvider provider =
         new WorkloadIdentityAttestationProvider(
             new AwsIdentityAttestationCreator(null),
-            new GcpIdentityAttestationCreator(),
+            new GcpIdentityAttestationCreator(null),
             new AzureIdentityAttestationCreator(),
             new OidcIdentityAttestationCreator());
     WorkloadIdentityAttestationCreator attestationCreator =

src/test/resources/wiremock/mappings/wif/gcp/http_error.json

@@ -0,0 +1,23 @@
+{
+  "mappings": [
+    {
+      "request": {
+        "urlPattern": "/computeMetadata/v1/instance/service-accounts/default/identity.*",
+        "queryParameters": {
+          "audience": {
+            "equalTo": "snowflakecomputing.com"
+          }
+        },
+        "method": "GET",
+        "headers": {
+          "Metadata-Flavor": {
+            "equalTo": "Google"
+          }
+        }
+      },
+      "response": {
+        "status": 400
+      }
+    }
+  ]
+}

src/test/resources/wiremock/mappings/wif/gcp/invalid_issuer_claim.json

@@ -0,0 +1,24 @@
+{
+  "mappings": [
+    {
+      "request": {
+        "urlPattern": "/computeMetadata/v1/instance/service-accounts/default/identity.*",
+        "queryParameters": {
+          "audience": {
+            "equalTo": "snowflakecomputing.com"
+          }
+        },
+        "method": "GET",
+        "headers": {
+          "Metadata-Flavor": {
+            "equalTo": "Google"
+          }
+        }
+      },
+      "response": {
+        "status": 200,
+        "body": "eyJ0eXAiOiJhdCtqd3QiLCJhbGciOiJFUzI1NiIsImtpZCI6ImU2M2I5NzA1OTRiY2NmZTAxMDlkOTg4OWM2MDk3OWEwIn0.eyJpc3MiOiJodHRwczovL25vdC5nb29nbGUuY29tIiwiaWF0IjoxNzQzNzYxMjEzLCJleHAiOjE3NDM3NjQ4MTMsImF1ZCI6Ind3dy5leGFtcGxlLmNvbSIsInN1YiI6InNvbWUtc3ViamVjdCJ9.lQjch0MLams6AprSVOdZfVnHxqySB1sgDPW8sV839QPFUutMPj3SNkxGvrkIJj2QPDeCh02bdAzXe4N75tLORg"
+      }
+    }
+  ]
+}