When trying to create a connection to Redshift with the property webIdentityToken set to an access token, I receive the error
java.sql.SQLException: Invalid connection property value sslmode : allow
Expected behaviour: No error
Actual behaviour: Error
Error message/stack trace:
java.sql.SQLException: Invalid connection property value sslmode : allow
at com.amazon.redshift.util.RedshiftException.getSQLException(RedshiftException.java:56)
at com.amazon.redshift.Driver.connect(Driver.java:326)
Any other details that can be helpful: This didn't happen with a previous version of the Redshift JDBC Driver (2.1.0.9)
JDBC trace logs
may. 22 12:14:41.561 DEBUG [1 main] com.amazon.redshift.Driver.connect: ===================================
may. 22 12:14:41.562 FUNCTION [1 main] com.amazon.redshift.Driver.connect: Enter (jdbc:redshift://:5439/redshiftdb?authmech=allow;logpath=c:/tmp/redshift_logs;loglevel=trace,{logpath=c:/tmp/redshift_logs, plugin_name=com.amazon.redshift.plugin.BasicJwtCredentialsProvider, authmech=allow, webidentitytoken=***, dbname=redshiftdb, port=5439, loglevel=trace, host=, iamauth=false})
may. 22 12:14:41.563 DEBUG [1 main] com.amazon.redshift.Driver.connect: Connecting with URL: jdbc:redshift://:5439/redshiftdb?authmech=allow;logpath=c:/tmp/redshift_logs;loglevel=trace
may. 22 12:14:41.563 DEBUG [1 main] com.amazon.redshift.Driver.connect: Caller stack[main]: RedshiftOAuthTest.main(RedshiftOAuthTest.java:40)
may. 22 12:14:41.572 DEBUG [1 main] com.amazon.redshift.jdbc.RedshiftConnectionImpl.RedshiftConnectionImpl: Redshift JDBC Driver 2.1.0.28
may. 22 12:14:41.572 DEBUG [1 main] com.amazon.redshift.jdbc.RedshiftConnectionImpl.RedshiftConnectionImpl: JVM architecture is 64-bit
may. 22 12:14:41.578 ERROR [1 main] com.amazon.redshift.jdbc.RedshiftConnectionImpl.setAuthMech: com.amazon.redshift.util.RedshiftException: Invalid connection property value sslmode : allow
may. 22 12:14:41.578 ERROR [1 main] com.amazon.redshift.Driver.connect: com.amazon.redshift.util.RedshiftException: Invalid connection property value sslmode : allow
at com.amazon.redshift.jdbc.RedshiftConnectionImpl.setAuthMech(RedshiftConnectionImpl.java:2389)
at com.amazon.redshift.jdbc.RedshiftConnectionImpl.<init>(RedshiftConnectionImpl.java:251)
at com.amazon.redshift.Driver.makeConnection(Driver.java:481)
at com.amazon.redshift.Driver.connect(Driver.java:302)
at RedshiftOAuthTest.testConnection(RedshiftOAuthTest.java:51)
at RedshiftOAuthTest.main(RedshiftOAuthTest.java:40)
Reproduction code
Test with driver 2.1.0.9 works fine
Test with latest driver fails
import java.io.File;
import java.io.IOException;
import java.net.URL;
import java.net.URLClassLoader;
import java.sql.Connection;
import java.sql.Driver;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.Properties;

public class RedshiftOAuthTest {
    static String DRIVER_CLASS_NAME = "com.amazon.redshift.jdbc.Driver";
    static String CONNECTION_URI = "jdbc:redshift://<host>:5439/redshiftdb?authmech=allow";
    static String ACCESS_TOKEN_VALUE = "<access_token>";
    static String PLUGIN_NAME = "com.amazon.redshift.plugin.BasicJwtCredentialsProvider";
    static String REDSHIFT_LATEST_PATH = "<path_to_driver_2.1.0.28>"; // Folder that contains the JDBC driver 2.1.0.28 and the proper aws-java-sdk-redshift.jar
    static String REDSHIFT_PREV_PATH = "<path_to_driver_2.1.0.9>"; // Folder that contains the JDBC driver 2.1.0.9 and the proper aws-java-sdk-redshift.jar

    public static void main(String[] args) throws Exception {
        // Run the same connection test against each driver version, each loaded in its own class loader.
        ClassLoader classLoader = getClassLoader(REDSHIFT_PREV_PATH);
        testConnection(REDSHIFT_PREV_PATH, classLoader);
        classLoader = getClassLoader(REDSHIFT_LATEST_PATH);
        testConnection(REDSHIFT_LATEST_PATH, classLoader);
    }

    private static void testConnection(String path, ClassLoader classLoader) throws Exception {
        System.out.println("Starting test with path " + path);
        String url = CONNECTION_URI;
        // Instantiate the driver from the given class loader so both versions can coexist in one JVM.
        Driver driver = (Driver) Class.forName(DRIVER_CLASS_NAME, true, classLoader)
                .getDeclaredConstructor().newInstance();
        Properties props = new Properties();
        // Authenticate with a JWT access token through the BasicJwtCredentialsProvider plugin.
        props.setProperty("webIdentityToken", ACCESS_TOKEN_VALUE);
        props.setProperty("plugin_name", PLUGIN_NAME);
        try (Connection con = driver.connect(url, props); Statement st = con.createStatement()) {
            st.execute("select 1");
            try (ResultSet rs = st.getResultSet()) {
                if (rs.next()) {
                    System.out.println("Result: " + rs.getString(1));
                }
            }
        } catch (Throwable t) {
            t.printStackTrace();
            return;
        }
        System.out.println("Test Finished OK");
    }

    // Builds a class loader over every JAR found in the given folder.
    private static ClassLoader getClassLoader(String folderPath) throws IOException {
        File folder = new File(folderPath);
        if (!folder.exists() || !folder.isDirectory()) {
            throw new IOException("Folder not found or not a directory: " + folderPath);
        }
        File[] jarFiles = folder.listFiles((dir, name) -> name.endsWith(".jar"));
        if (jarFiles == null || jarFiles.length == 0) {
            throw new IOException("No JAR files found in the folder: " + folderPath);
        }
        URL[] urls = new URL[jarFiles.length];
        for (int i = 0; i < jarFiles.length; i++) {
            urls[i] = jarFiles[i].toURI().toURL();
        }
        return new URLClassLoader(urls);
    }
}
oscarpg changed the title from "Invalid connection property value sslmode when trying to connect with webIdentityToken" to "Error "Invalid connection property value sslmode" when trying to connect with webIdentityToken" on May 22, 2024
At Denodo, we intend to update the Redshift JDBC driver to the latest version to avoid the CVE-2024-32888 vulnerability, but this problem prevents us from doing so.
Could you please confirm if there is a workaround?
Is there a plan to address this bug soon? Please note that this is a regression; this bug did not happen in previous versions of the driver.
I work for Denodo. I am the lead engineer for the integrations of our product with technology partners. Currently, our product distributes the Redshift JDBC driver to make it easier for our mutual customers to connect from Denodo to Redshift (they do not have to download from anywhere and we update it regularly to keep up with the latest features and security fixes).
At this moment we are stuck between:
a. Distributing an older version of the Redshift driver that is affected by GHSA-x3wm-hffr-chwm.
b. Or, distribute the latest version but it is affected by this regression.
c. Or, remove the Redshift driver from Denodo. We would rather not do this because including the driver is convenient for our customers.
Driver version
Upgrade from 2.1.0.9 to 2.1.0.28
Redshift version
PostgreSQL 8.0.2 on i686-pc-linux-gnu, compiled by GCC gcc (GCC) 3.4.2 20041017 (Red Hat 3.4.2-6.fc3), Redshift 1.0.66954
Client Operating System
Windows 10
JAVA/JVM version
OpenJDK Runtime Environment Temurin-17.0.8.1+1 (build 17.0.8.1+1)