SNOW-1432112 verify / sanitize account name before creating JWT (#1146)

* SNOW-1432112 verify / sanitize account name before creating JWT Attempt to fix the issue caused by certain applications putting * regioned (e.g. myaccount.eu-central-1) * privatelink (e.g. myorg-myaccount.privatelink) values in the `Account` field of the configuration, which could result in unsuccessful keypair authentication, as this value was relayed into the JWT unchanged and led to an invalid JWT
snowflakedb · May 28, 2024 · a08fc08 · a08fc08
1 parent 6ee8545
commit a08fc08
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 1 deletion.
diff --git a/auth.go b/auth.go
@@ -480,7 +480,7 @@ func prepareJWTToken(config *Config) (string, error) {
 	}
 	hash := sha256.Sum256(pubBytes)
 
-	accountName := strings.ToUpper(config.Account)
+	accountName := extractAccountName(config.Account)
 	userName := strings.ToUpper(config.User)
 
 	issueAtTime := time.Now().UTC()

diff --git a/dsn.go b/dsn.go
@@ -907,3 +907,11 @@ func parsePrivateKeyFromFile(path string) (*rsa.PrivateKey, error) {
 	}
 	return pk, nil
 }
+
+func extractAccountName(rawAccount string) string {
+	posDot := strings.Index(rawAccount, ".")
+	if posDot > 0 {
+		return strings.ToUpper(rawAccount[:posDot])
+	}
+	return strings.ToUpper(rawAccount)
+}
diff --git a/dsn_test.go b/dsn_test.go
@@ -1616,3 +1616,26 @@ func TestConfigValidateTmpDirPath(t *testing.T) {
 		t.Fatalf("Should fail on not existing TmpDirPath")
 	}
 }
+
+func TestExtractAccountName(t *testing.T) {
+	testcases := map[string]string{
+		"myaccount":                          "MYACCOUNT",
+		"myaccount.eu-central-1":             "MYACCOUNT",
+		"myaccount.eu-central-1.privatelink": "MYACCOUNT",
+		"myorg-myaccount":                    "MYORG-MYACCOUNT",
+		"myorg-myaccount.privatelink":        "MYORG-MYACCOUNT",
+		"myorg-my-account":                   "MYORG-MY-ACCOUNT",
+		"myorg-my-account.privatelink":       "MYORG-MY-ACCOUNT",
+		"myorg-my_account":                   "MYORG-MY_ACCOUNT",
+		"myorg-my_account.privatelink":       "MYORG-MY_ACCOUNT",
+	}
+
+	for account, expected := range testcases {
+		t.Run(account, func(t *testing.T) {
+			accountPart := extractAccountName(account)
+			if accountPart != expected {
+				t.Fatalf("extractAccountName returned unexpected response (%v), should be %v", accountPart, expected)
+			}
+		})
+	}
+}