From c2219f0fddc9ca4dd810907ea3e7dcd589cf2da6 Mon Sep 17 00:00:00 2001
From: sfc-gh-dszmolka
Date: Thu, 9 Jan 2025 21:49:29 +0100
Subject: [PATCH] SNOW-1859664 honour OCSP check settings in cloud storage clients too

---
 azure_storage_client.go | 14 ++++++++------
 gcs_storage_client.go | 11 ++++++-----
 s3_storage_client.go | 3 ++-
 util.go | 10 ++++++++++
 4 files changed, 26 insertions(+), 12 deletions(-)

diff --git a/azure_storage_client.go b/azure_storage_client.go
index de611fcb3..ef28112d6 100644
--- a/azure_storage_client.go
+++ b/azure_storage_client.go
@@ -45,6 +45,7 @@ func (util *snowflakeAzureClient) createClient(info *execResponseStageInfo, _ bo
 if err != nil {
 return nil, err
 }
+ transport := getTransport(util.cfg)
 client, err := azblob.NewClientWithNoCredential(u.String(), &azblob.ClientOptions{
 ClientOptions: azcore.ClientOptions{
 Retry: policy.RetryOptions{
@@ -52,7 +53,7 @@ func (util *snowflakeAzureClient) createClient(info *execResponseStageInfo, _ bo
 RetryDelay: 2 * time.Second,
 },
 Transport: &http.Client{
- Transport: SnowflakeTransport,
+ Transport: transport,
 },
 },
 })
@@ -74,7 +75,7 @@ func (util *snowflakeAzureClient) getFileHeader(meta *fileMetadata, filename str
 return nil, err
 }
 path := azureLoc.path + strings.TrimLeft(filename, "/")
- containerClient, err := createContainerClient(client.URL())
+ containerClient, err := createContainerClient(client.URL(), util.cfg)
 if err != nil {
 return nil, &SnowflakeError{
 Message: "failed to create container client",
@@ -188,7 +189,7 @@ func (util *snowflakeAzureClient) uploadFile(
 Message: "failed to cast to azure client",
 }
 }
- containerClient, err := createContainerClient(client.URL())
+ containerClient, err := createContainerClient(client.URL(), util.cfg)
 if err != nil {
 return &SnowflakeError{
@@ -273,7 +274,7 @@ func (util *snowflakeAzureClient) nativeDownloadFile(
 Message: "failed to cast to azure client",
 }
 }
- containerClient, err := createContainerClient(client.URL())
+ containerClient, err := createContainerClient(client.URL(), util.cfg)
 if err != nil {
 return &SnowflakeError{
 Message: "failed to create container client",
@@ -348,10 +349,11 @@ func (util *snowflakeAzureClient) detectAzureTokenExpireError(resp *http.Respons
 strings.Contains(errStr, "Server failed to authenticate the request")
 }
 
-func createContainerClient(clientURL string) (*container.Client, error) {
+func createContainerClient(clientURL string, cfg *Config) (*container.Client, error) {
+ transport := getTransport(cfg)
 return container.NewClientWithNoCredential(clientURL, &container.ClientOptions{ClientOptions: azcore.ClientOptions{
 Transport: &http.Client{
- Transport: SnowflakeTransport,
+ Transport: transport,
 },
 }})
 }
diff --git a/gcs_storage_client.go b/gcs_storage_client.go
index 8558094ba..f2f736d4d 100644
--- a/gcs_storage_client.go
+++ b/gcs_storage_client.go
@@ -73,7 +73,7 @@ func (util *snowflakeGcsClient) getFileHeader(meta *fileMetadata, filename strin
 for k, v := range gcsHeaders {
 req.Header.Add(k, v)
 }
- client := newGcsClient()
+ client := newGcsClient(util.cfg)
 // for testing only
 if meta.mockGcsClient != nil {
 client = meta.mockGcsClient
@@ -221,7 +221,7 @@ func (util *snowflakeGcsClient) uploadFile(
 for k, v := range gcsHeaders {
 req.Header.Add(k, v)
 }
- client := newGcsClient()
+ client := newGcsClient(util.cfg)
 // for testing only
 if meta.mockGcsClient != nil {
 client = meta.mockGcsClient
@@ -302,7 +302,7 @@ func (util *snowflakeGcsClient) nativeDownloadFile(
 for k, v := range gcsHeaders {
 req.Header.Add(k, v)
 }
- client := newGcsClient()
+ client := newGcsClient(util.cfg)
 // for testing only
 if meta.mockGcsClient != nil {
 client = meta.mockGcsClient
@@ -404,9 +404,10 @@ func (util *snowflakeGcsClient) isTokenExpired(resp *http.Response) bool {
 return resp.StatusCode == 401
 }
 
-func newGcsClient() gcsAPI {
+func newGcsClient(cfg *Config) gcsAPI {
+ transport := getTransport(cfg)
 return &http.Client{
- Transport: SnowflakeTransport,
+ Transport: transport,
 }
 }
diff --git a/s3_storage_client.go b/s3_storage_client.go
index 35d962bfc..b0a197da2 100644
--- a/s3_storage_client.go
+++ b/s3_storage_client.go
@@ -49,6 +49,7 @@ func (util *snowflakeS3Client) createClient(info *execResponseStageInfo, useAcce
 stageCredentials := info.Creds
 s3Logger := logging.LoggerFunc(s3LoggingFunc)
 endPoint := getS3CustomEndpoint(info)
+ transport := getTransport(util.cfg)
 
 return s3.New(s3.Options{
 Region: info.Region,
@@ -59,7 +60,7 @@ func (util *snowflakeS3Client) createClient(info *execResponseStageInfo, useAcce
 BaseEndpoint: endPoint,
 UseAccelerate: useAccelerateEndpoint,
 HTTPClient: &http.Client{
- Transport: SnowflakeTransport,
+ Transport: transport,
 },
 ClientLogMode: S3LoggingMode,
 Logger: s3Logger,
diff --git a/util.go b/util.go
index 3319777dd..6bb6c6313 100644
--- a/util.go
+++ b/util.go
@@ -8,6 +8,7 @@ import (
 "fmt"
 "io"
 "math/rand"
+ "net/http"
 "os"
 "strings"
 "sync"
@@ -348,3 +349,12 @@ func findByPrefix(in []string, prefix string) int {
 }
 return -1
 }
+
+func getTransport(cfg *Config) *http.Transport {
+ if cfg.DisableOCSPChecks || cfg.InsecureMode {
+ logger.Debug("getTransport: won't perform OCSP validation")
+ return snowflakeInsecureTransport
+ }
+ logger.Debug("getTransport: will perform OCSP validation")
+ return SnowflakeTransport
+}
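Review bot: getTransport dereferences cfg on its first line without a nil check, so any storage client whose cfg field was never populated (a zero-value snowflakeAzureClient/snowflakeGcsClient/snowflakeS3Client, as a test might construct) now panics where the old code simply used SnowflakeTransport; every call site in this patch passes `util.cfg` or forwards its own cfg parameter unchanged, so none of them guards it either. A nil config should fall back to the OCSP-validating transport so the failure mode stays fail-closed: `if cfg == nil { return SnowflakeTransport }` placed before the field access. The function also lacks a doc comment; I would add `// getTransport returns snowflakeInsecureTransport when the config disables OCSP checks (DisableOCSPChecks or InsecureMode) and the OCSP-validating SnowflakeTransport otherwise; the two share the package-level transports rather than allocating new ones.` Since newGcsClient is called from getFileHeader, uploadFile and nativeDownloadFile, the Debug lines will be emitted on every GCS request, which may be noisier than intended at that level.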