Jw/snow 3349955 handle empty passphrases (#2893)

* feat: [SNOW-3063581] handle empty passphrases

* feat: [SNOW-3063581] handle empty passphrases

* feat: [SNOW-3349955] add tests and release notes entry

# Conflicts:
#	RELEASE-NOTES.md

* fix: [SNOW-3349955] add tests and release notes entry

Author: sfc-gh-jwilkowski

RELEASE-NOTES.md

@@ -29,6 +29,7 @@
 ## Fixes and improvements
 * Fixed `snow streamlit deploy` failing with a collision error when `pages/*.py` glob in `additional_source_files` overlaps with the automatically-included `pages/` directory. Overlapping glob patterns are now deduplicated during v1-to-v2 definition conversion.
 * Updated `snowflake-connector-python` to version 4.4.0. Connector python 4.x series introduced stricter permission checks. In future versions of Snowflake CLI strict configuration file permissions will become mandatory. To test if your files have correct permissions set SNOWFLAKE_CLI_FEATURES_ENFORCE_STRICT_CONFIG_PERMISSIONS=1 before running CLI commands.
+* Fixed error message when `PRIVATE_KEY_PASSPHRASE` environment variable is set to an empty string.
 
 # v3.16.0
 

src/snowflake/cli/_app/snow_connector.py

@@ -351,31 +351,35 @@ def _load_pem_from_parameters(private_key_raw: str) -> SecretType:
     return SecretType(private_key_raw.encode("utf-8"))
 
 
+def _validate_passphrase(passphrase: SecretType) -> None:
+    if passphrase.value is None:
+        raise CliError(
+            "Encrypted private key, you must provide the "
+            "passphrase in the environment variable PRIVATE_KEY_PASSPHRASE."
+        )
+    if passphrase.value == "":
+        raise CliError(
+            "PRIVATE_KEY_PASSPHRASE environment variable is set but empty. "
+            "Provide a non-empty passphrase or use an unencrypted private key."
+        )
+
+
 def _load_pem_to_der(private_key_pem: SecretType) -> SecretType:
     """
     Given a private key file path (in PEM format), decode key data into DER
     format
     """
     private_key_passphrase = SecretType(os.getenv("PRIVATE_KEY_PASSPHRASE", None))
-    if (
-        private_key_pem.value.startswith(ENCRYPTED_PKCS8_PK_HEADER)
-        and private_key_passphrase.value is None
-    ):
-        raise ClickException(
-            "Encrypted private key, you must provide the "
-            "passphrase in the environment variable PRIVATE_KEY_PASSPHRASE"
-        )
 
-    if not private_key_pem.value.startswith(
-        ENCRYPTED_PKCS8_PK_HEADER
-    ) and not private_key_pem.value.startswith(UNENCRYPTED_PKCS8_PK_HEADER):
-        raise ClickException(
+    if private_key_pem.value.startswith(ENCRYPTED_PKCS8_PK_HEADER):
+        _validate_passphrase(private_key_passphrase)
+    elif private_key_pem.value.startswith(UNENCRYPTED_PKCS8_PK_HEADER):
+        private_key_passphrase = SecretType(None)
+    else:
+        raise CliError(
             "Private key provided is not in PKCS#8 format. Please use correct format."
         )
 
-    if private_key_pem.value.startswith(UNENCRYPTED_PKCS8_PK_HEADER):
-        private_key_passphrase = SecretType(None)
-
     return prepare_private_key(private_key_pem, private_key_passphrase)
 
 

tests/test_connection.py

@@ -21,6 +21,9 @@
 
 import pytest
 import tomlkit
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
 from snowflake.cli._plugins.connection import commands as connection_commands
 from snowflake.cli.api.config import ConnectionConfig
 from snowflake.cli.api.config_ng.masking import MASKED_VALUE
@@ -681,9 +684,6 @@ def test_temporary_connection(mock_connector, mock_ctx, option, runner):
 def test_key_pair_authentication(
     mock_connector, mock_ctx, runner, private_key_flag_name
 ):
-    from cryptography.hazmat.backends import default_backend
-    from cryptography.hazmat.primitives import serialization
-    from cryptography.hazmat.primitives.asymmetric import rsa
 
     ctx = mock_ctx()
     mock_connector.return_value = ctx
@@ -877,6 +877,81 @@ def test_key_pair_authentication_from_config(
     )
 
 
+@mock.patch.dict(os.environ, {}, clear=True)
+def test_key_pair_authentication_no_passphrase_error(
+    mock_ctx, temporary_directory, runner
+):
+    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
+    encrypted_pem = private_key.private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.PKCS8,
+        encryption_algorithm=serialization.BestAvailableEncryption(b"notempty"),
+    )
+
+    with NamedTemporaryFile("wb", suffix=".p8") as tmp_file:
+        tmp_file.write(encrypted_pem)
+        tmp_file.flush()
+
+        result = runner.invoke(
+            [
+                "object",
+                "list",
+                "warehouse",
+                "--temporary-connection",
+                "--account",
+                "test_account",
+                "--user",
+                "snowcli_test",
+                "--authenticator",
+                "SNOWFLAKE_JWT",
+                "--private-key-file",
+                tmp_file.name,
+            ]
+        )
+
+    assert result.exit_code == 1
+    assert "Encrypted private key, you must provide the passphrase" in result.output
+    assert "PRIVATE_KEY_PASSPHRASE" in result.output
+
+
+@mock.patch.dict(os.environ, {"PRIVATE_KEY_PASSPHRASE": ""}, clear=True)
+def test_key_pair_authentication_empty_passphrase_error(
+    mock_ctx, temporary_directory, runner
+):
+    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
+    encrypted_pem = private_key.private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.PKCS8,
+        encryption_algorithm=serialization.BestAvailableEncryption(b"notempty"),
+    )
+
+    with NamedTemporaryFile("wb", suffix=".p8") as tmp_file:
+        tmp_file.write(encrypted_pem)
+        tmp_file.flush()
+
+        result = runner.invoke(
+            [
+                "object",
+                "list",
+                "warehouse",
+                "--temporary-connection",
+                "--account",
+                "test_account",
+                "--user",
+                "snowcli_test",
+                "--authenticator",
+                "SNOWFLAKE_JWT",
+                "--private-key-file",
+                tmp_file.name,
+            ]
+        )
+
+    assert result.exit_code == 1
+    assert (
+        "PRIVATE_KEY_PASSPHRASE environment variable is set but empty" in result.output
+    )
+
+
 @pytest.mark.parametrize(
     "command",
     [