SNOW-2032706 Implement AWS SDK strategy for GCS

sfc-gh-anbauer · sfc-gh-anbauer · commit ca5588878fa2 · 2025-06-24T23:08:35.000+02:00
diff --git a/src/main/java/net/snowflake/client/jdbc/cloud/storage/AwsSdkGCPSigner.java b/src/main/java/net/snowflake/client/jdbc/cloud/storage/AwsSdkGCPSigner.java
@@ -0,0 +1,50 @@
+package net.snowflake.client.jdbc.cloud.storage;
+
+import com.amazonaws.SignableRequest;
+import com.amazonaws.auth.AWS4Signer;
+import com.amazonaws.auth.AWSCredentials;
+import com.amazonaws.http.HttpMethodName;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.stream.Collectors;
+
+public class AwsSdkGCPSigner extends AWS4Signer {
+  private static final Map<String, String> headerMap =
+      new HashMap<String, String>() {
+        {
+          put("x-amz-storage-class", "x-goog-storage-class");
+          put("x-amz-acl", "x-goog-acl");
+          put("x-amz-date", "x-goog-date");
+          put("x-amz-copy-source", "x-goog-copy-source");
+          put("x-amz-metadata-directive", "x-goog-metadata-directive");
+          put("x-amz-copy-source-if-match", "x-goog-copy-source-if-match");
+          put("x-amz-copy-source-if-none-match", "x-goog-copy-source-if-none-match");
+          put("x-amz-copy-source-if-unmodified-since", "x-goog-copy-source-if-unmodified-since");
+          put("x-amz-copy-source-if-modified-since", "x-goog-copy-source-if-modified-since");
+        }
+      };
+
+  @Override
+  public void sign(SignableRequest<?> request, AWSCredentials credentials) {
+    if (credentials.getAWSAccessKeyId() != null && !"".equals(credentials.getAWSAccessKeyId())) {
+      request.addHeader("Authorization", "Bearer " + credentials.getAWSAccessKeyId());
+    }
+
+    if (request.getHttpMethod() == HttpMethodName.GET) {
+      request.addHeader("Accept-Encoding", "gzip,deflate");
+    }
+
+    Map<String, String> headerCopy =
+        request.getHeaders().entrySet().stream()
+            .collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue));
+
+    for (Map.Entry<String, String> entry : headerCopy.entrySet()) {
+      String entryKey = entry.getKey().toLowerCase();
+      if (headerMap.containsKey(entryKey)) {
+        request.addHeader(headerMap.get(entryKey), entry.getValue());
+      } else if (entryKey.startsWith("x-amz-meta-")) {
+        request.addHeader(entryKey.replace("x-amz-meta-", "x-goog-meta-"), entry.getValue());
+      }
+    }
+  }
+}
diff --git a/src/main/java/net/snowflake/client/jdbc/cloud/storage/GCSAccessStrategyAwsSdk.java b/src/main/java/net/snowflake/client/jdbc/cloud/storage/GCSAccessStrategyAwsSdk.java
@@ -0,0 +1,302 @@
+package net.snowflake.client.jdbc.cloud.storage;
+
+import static net.snowflake.client.core.Constants.CLOUD_STORAGE_CREDENTIALS_EXPIRED;
+import static net.snowflake.client.jdbc.SnowflakeUtil.createDefaultExecutorService;
+import static net.snowflake.client.jdbc.cloud.storage.SnowflakeS3Client.EXPIRED_AWS_TOKEN_ERROR_CODE;
+
+import com.amazonaws.AmazonClientException;
+import com.amazonaws.AmazonServiceException;
+import com.amazonaws.ClientConfiguration;
+import com.amazonaws.auth.AWSStaticCredentialsProvider;
+import com.amazonaws.auth.BasicAWSCredentials;
+import com.amazonaws.auth.SignerFactory;
+import com.amazonaws.client.builder.AwsClientBuilder;
+import com.amazonaws.services.s3.AmazonS3;
+import com.amazonaws.services.s3.AmazonS3Client;
+import com.amazonaws.services.s3.AmazonS3ClientBuilder;
+import com.amazonaws.services.s3.model.AmazonS3Exception;
+import com.amazonaws.services.s3.model.ObjectListing;
+import com.amazonaws.services.s3.model.ObjectMetadata;
+import com.amazonaws.services.s3.model.S3Object;
+import com.amazonaws.services.s3.transfer.Download;
+import com.amazonaws.services.s3.transfer.TransferManager;
+import com.amazonaws.services.s3.transfer.TransferManagerBuilder;
+import com.amazonaws.services.s3.transfer.Upload;
+import java.io.File;
+import java.io.InputStream;
+import java.util.Map;
+import java.util.Optional;
+import java.util.stream.Collectors;
+import net.snowflake.client.core.SFSession;
+import net.snowflake.client.jdbc.ErrorCode;
+import net.snowflake.client.jdbc.SnowflakeFileTransferAgent;
+import net.snowflake.client.jdbc.SnowflakeSQLException;
+import net.snowflake.client.jdbc.SnowflakeSQLLoggedException;
+import net.snowflake.client.jdbc.SnowflakeUtil;
+import net.snowflake.client.log.SFLogger;
+import net.snowflake.client.log.SFLoggerFactory;
+import net.snowflake.client.util.SFPair;
+import net.snowflake.common.core.SqlState;
+import org.apache.http.HttpStatus;
+
+public class GCSAccessStrategyAwsSdk implements GCSAccessStrategy {
+  private static final SFLogger logger = SFLoggerFactory.getLogger(GCSAccessStrategyAwsSdk.class);
+  private final AmazonS3 amazonClient;
+
+  GCSAccessStrategyAwsSdk(StageInfo stage) {
+    String accessToken = (String) stage.getCredentials().get("GCS_ACCESS_TOKEN");
+
+    // todo: fix client configuration needed
+    /*
+    clientConfig.getApacheHttpClientConfig().setSslSocketFactory(getSSLConnectionSocketFactory());
+    if (session != null) {
+        S3HttpUtil.setProxyForS3(session.getHttpClientKey(), clientConfig);
+    } else {
+        S3HttpUtil.setSessionlessProxyForS3(proxyProperties, clientConfig);
+    }*/
+
+    Optional<String> oEndpoint = stage.gcsCustomEndpoint();
+    String endpoint = "storage.googleapis.com";
+    if (oEndpoint.isPresent()) {
+      endpoint = oEndpoint.get();
+    }
+    if (endpoint.startsWith("https://")) {
+      endpoint = endpoint.replaceFirst("https://", "");
+    }
+    if (endpoint.startsWith(stage.getStorageAccount())) {
+      endpoint = endpoint.replaceFirst(stage.getStorageAccount() + ".", "");
+    }
+
+    AmazonS3ClientBuilder amazonS3Builder =
+        AmazonS3Client.builder()
+            .withPathStyleAccessEnabled(false)
+            .withEndpointConfiguration(
+                new AwsClientBuilder.EndpointConfiguration(endpoint, "auto"));
+
+    ClientConfiguration clientConfig = new ClientConfiguration();
+
+    SignerFactory.registerSigner(
+        "net.snowflake.client.jdbc.cloud.storage.AwsSdkGCPSigner",
+        net.snowflake.client.jdbc.cloud.storage.AwsSdkGCPSigner.class);
+    clientConfig.setSignerOverride("net.snowflake.client.jdbc.cloud.storage.AwsSdkGCPSigner");
+
+    if (accessToken != null) {
+      amazonS3Builder.withCredentials(
+          new AWSStaticCredentialsProvider(new BasicAWSCredentials(accessToken, "")));
+    } else {
+      logger.debug("no credentials provided, configuring bucket client without credentials");
+      amazonS3Builder.withCredentials(
+          new AWSStaticCredentialsProvider(new BasicAWSCredentials("", "")));
+    }
+
+    amazonClient = amazonS3Builder.withClientConfiguration(clientConfig).build();
+  }
+
+  @Override
+  public StorageObjectSummaryCollection listObjects(String remoteStorageLocation, String prefix) {
+    ObjectListing objListing = amazonClient.listObjects(remoteStorageLocation, prefix);
+
+    return new StorageObjectSummaryCollection(objListing.getObjectSummaries());
+  }
+
+  @Override
+  public StorageObjectMetadata getObjectMetadata(String remoteStorageLocation, String prefix) {
+    ObjectMetadata meta = amazonClient.getObjectMetadata(remoteStorageLocation, prefix);
+
+    Map<String, String> userMetadata =
+        meta.getRawMetadata().entrySet().stream()
+            .filter(entry -> entry.getKey().startsWith("x-goog-meta-"))
+            .collect(
+                Collectors.toMap(
+                    e -> e.getKey().replaceFirst("x-goog-meta-", ""),
+                    e -> e.getValue().toString()));
+
+    meta.setUserMetadata(userMetadata);
+    return new S3ObjectMetadata(meta);
+  }
+
+  @Override
+  public Map<String, String> download(
+      int parallelism, String remoteStorageLocation, String stageFilePath, File localFile)
+      throws InterruptedException {
+
+    logger.debug(
+        "Staring download of file from S3 stage path: {} to {}",
+        stageFilePath,
+        localFile.getAbsolutePath());
+    TransferManager tx;
+
+    logger.debug("Creating executor service for transfer manager with {} threads", parallelism);
+
+    // download files from s3
+    tx =
+        TransferManagerBuilder.standard()
+            .withS3Client(amazonClient)
+            .withDisableParallelDownloads(true)
+            .withExecutorFactory(
+                () -> createDefaultExecutorService("s3-transfer-manager-downloader-", parallelism))
+            .build();
+
+    Download myDownload = tx.download(remoteStorageLocation, stageFilePath, localFile);
+
+    // Pull object metadata from S3
+    StorageObjectMetadata meta = this.getObjectMetadata(remoteStorageLocation, stageFilePath);
+
+    Map<String, String> metaMap = SnowflakeUtil.createCaseInsensitiveMap(meta.getUserMetadata());
+    myDownload.waitForCompletion();
+
+    return metaMap;
+  }
+
+  @Override
+  public SFPair<InputStream, Map<String, String>> downloadToStream(
+      String remoteStorageLocation, String stageFilePath, boolean isEncrypting) {
+    S3Object file = amazonClient.getObject(remoteStorageLocation, stageFilePath);
+    ObjectMetadata meta = amazonClient.getObjectMetadata(remoteStorageLocation, stageFilePath);
+    InputStream stream = file.getObjectContent();
+
+    Map<String, String> metaMap = SnowflakeUtil.createCaseInsensitiveMap(meta.getUserMetadata());
+
+    return SFPair.of(stream, metaMap);
+  }
+
+  @Override
+  public void uploadWithDownScopedToken(
+      int parallelism,
+      String remoteStorageLocation,
+      String destFileName,
+      String contentEncoding,
+      Map<String, String> metadata,
+      long contentLength,
+      InputStream content,
+      String queryId)
+      throws InterruptedException {
+    // we need to assemble an ObjectMetadata object here, as we are not using S3ObjectMatadata for
+    // GCS
+    ObjectMetadata s3Meta = new ObjectMetadata();
+    if (contentEncoding != null) {
+      s3Meta.setContentEncoding(contentEncoding);
+    }
+    s3Meta.setContentLength(contentLength);
+    s3Meta.setUserMetadata(metadata);
+
+    TransferManager tx;
+    logger.debug("Creating executor service for transfer" + "manager with {} threads", parallelism);
+
+    // upload files to s3
+    tx =
+        TransferManagerBuilder.standard()
+            .withS3Client(amazonClient)
+            .withExecutorFactory(
+                () -> createDefaultExecutorService("s3-transfer-manager-uploader-", parallelism))
+            .build();
+
+    final Upload myUpload;
+
+    myUpload = tx.upload(remoteStorageLocation, destFileName, content, s3Meta);
+    myUpload.waitForCompletion();
+
+    logger.info("Uploaded data from input stream to S3 location: {}.", destFileName);
+  }
+
+  @Override
+  public boolean handleStorageException(
+      Exception ex,
+      int retryCount,
+      String operation,
+      SFSession session,
+      String command,
+      String queryId,
+      SnowflakeGCSClient gcsClient)
+      throws SnowflakeSQLException {
+    if (ex instanceof AmazonClientException) {
+      logger.debug("GCSAccessStrategyAwsSdk: " + ex.getMessage());
+      if (retryCount > gcsClient.getMaxRetries()
+          || SnowflakeS3Client.isClientException400Or404(ex)) {
+        String extendedRequestId = "none";
+
+        if (ex instanceof AmazonS3Exception) {
+          AmazonS3Exception ex1 = (AmazonS3Exception) ex;
+          extendedRequestId = ex1.getExtendedRequestId();
+        }
+
+        if (ex instanceof AmazonServiceException) {
+          AmazonServiceException ex1 = (AmazonServiceException) ex;
+
+          // The AWS credentials might have expired when server returns error 400 and
+          // does not return the ExpiredToken error code.
+          // If session is null we cannot renew the token so throw the exception
+          if (ex1.getStatusCode() == HttpStatus.SC_BAD_REQUEST && session != null) {
+            SnowflakeFileTransferAgent.renewExpiredToken(session, command, gcsClient);
+          } else {
+            throw new SnowflakeSQLLoggedException(
+                queryId,
+                session,
+                SqlState.SYSTEM_ERROR,
+                ErrorCode.S3_OPERATION_ERROR.getMessageCode(),
+                ex1,
+                operation,
+                ex1.getErrorType().toString(),
+                ex1.getErrorCode(),
+                ex1.getMessage(),
+                ex1.getRequestId(),
+                extendedRequestId);
+          }
+
+        } else {
+          throw new SnowflakeSQLLoggedException(
+              queryId,
+              session,
+              SqlState.SYSTEM_ERROR,
+              ErrorCode.AWS_CLIENT_ERROR.getMessageCode(),
+              ex,
+              operation,
+              ex.getMessage());
+        }
+      } else {
+        logger.debug(
+            "Encountered exception ({}) during {}, retry count: {}",
+            ex.getMessage(),
+            operation,
+            retryCount);
+        logger.debug("Stack trace: ", ex);
+
+        // exponential backoff up to a limit
+        int backoffInMillis = gcsClient.getRetryBackoffMin();
+
+        if (retryCount > 1) {
+          backoffInMillis <<= (Math.min(retryCount - 1, gcsClient.getRetryBackoffMaxExponent()));
+        }
+
+        try {
+          logger.debug("Sleep for {} milliseconds before retry", backoffInMillis);
+
+          Thread.sleep(backoffInMillis);
+        } catch (InterruptedException ex1) {
+          // ignore
+        }
+
+        // If the exception indicates that the AWS token has expired,
+        // we need to refresh our S3 client with the new token
+        if (ex instanceof AmazonS3Exception) {
+          AmazonS3Exception s3ex = (AmazonS3Exception) ex;
+          if (s3ex.getErrorCode().equalsIgnoreCase(EXPIRED_AWS_TOKEN_ERROR_CODE)) {
+            // If session is null we cannot renew the token so throw the ExpiredToken exception
+            if (session != null) {
+              SnowflakeFileTransferAgent.renewExpiredToken(session, command, gcsClient);
+            } else {
+              throw new SnowflakeSQLException(
+                  queryId,
+                  s3ex.getErrorCode(),
+                  CLOUD_STORAGE_CREDENTIALS_EXPIRED,
+                  "S3 credentials have expired");
+            }
+          }
+        }
+      }
+      return true;
+    } else {
+      return false;
+    }
+  }
+}
diff --git a/src/main/java/net/snowflake/client/jdbc/cloud/storage/SnowflakeGCSClient.java b/src/main/java/net/snowflake/client/jdbc/cloud/storage/SnowflakeGCSClient.java
@@ -1221,7 +1221,11 @@ private void setupGCSClient(
     logger.debug("Setting up the GCS client ", false);
 
     try {
-      this.gcsAccessStrategy = new GCSDefaultAccessStrategy(stage, session);
+      if (stage.getUseVirtualUrl()) {
+        this.gcsAccessStrategy = new GCSAccessStrategyAwsSdk(stage);
+      } else {
+        this.gcsAccessStrategy = new GCSDefaultAccessStrategy(stage, session);
+      }
 
       if (encMat != null) {
         byte[] decodedKey = Base64.getDecoder().decode(encMat.getQueryStageMasterKey());
diff --git a/src/main/java/net/snowflake/client/jdbc/cloud/storage/SnowflakeS3Client.java b/src/main/java/net/snowflake/client/jdbc/cloud/storage/SnowflakeS3Client.java
@@ -86,7 +86,7 @@ public class SnowflakeS3Client implements SnowflakeStorageClient {
   private static final String S3_STREAMING_INGEST_CLIENT_KEY = "ingestclientkey";
 
   // expired AWS token error code
-  private static final String EXPIRED_AWS_TOKEN_ERROR_CODE = "ExpiredToken";
+  protected static final String EXPIRED_AWS_TOKEN_ERROR_CODE = "ExpiredToken";
 
   private int encryptionKeySize = 0; // used for PUTs
   private AmazonS3 amazonClient = null;
@@ -953,7 +953,7 @@ private static void handleS3Exception(
    * @param ex exception
    * @return true if it's a 400 or 404 status code
    */
-  public boolean isClientException400Or404(Exception ex) {
+  public static boolean isClientException400Or404(Exception ex) {
     if (ex instanceof AmazonServiceException) {
       AmazonServiceException asEx = (AmazonServiceException) (ex);
       return asEx.getStatusCode() == HttpStatus.SC_NOT_FOUND
