will single test cause issues

Author: sfc-gh-fpawlowski

src/snowflake/connector/aio/_connection.py

@@ -1063,6 +1063,7 @@ async def connect(self, **kwargs) -> None:
             proxy_password=self.proxy_password,
             snowflake_ocsp_mode=self._ocsp_mode(),
             ocsp_root_certs_dict_lock_timeout=self._ocsp_root_certs_dict_lock_timeout,
+            ocsp_response_cache_file_name=self._ocsp_response_cache_filename,
             trust_env=True,  # Required for proxy support via environment variables
         )
         self._session_manager = SessionManagerFactory.get_manager(self._http_config)

src/snowflake/connector/aio/_session_manager.py

@@ -12,7 +12,6 @@
 from .. import OperationalError
 from ..constants import OCSP_ROOT_CERTS_DICT_LOCK_TIMEOUT_DEFAULT_NO_TIMEOUT
 from ..errorcode import ER_OCSP_RESPONSE_CERT_STATUS_REVOKED
-from ..ssl_wrap_socket import FEATURE_OCSP_RESPONSE_CACHE_FILE_NAME
 from ._ocsp_asn1crypto import SnowflakeOCSPAsn1Crypto
 
 if TYPE_CHECKING:
@@ -47,10 +46,12 @@ def __init__(
         snowflake_ocsp_mode: OCSPMode = OCSPMode.FAIL_OPEN,
         session_manager: SessionManager | None = None,
         ocsp_root_certs_dict_lock_timeout: int = OCSP_ROOT_CERTS_DICT_LOCK_TIMEOUT_DEFAULT_NO_TIMEOUT,
+        ocsp_response_cache_file_name: str | None = None,
         **kwargs,
     ):
         self._snowflake_ocsp_mode = snowflake_ocsp_mode
         self._ocsp_root_certs_dict_lock_timeout = ocsp_root_certs_dict_lock_timeout
+        self._ocsp_response_cache_file_name = ocsp_response_cache_file_name
         if session_manager is None:
             logger.warning(
                 "SessionManager instance was not passed to SSLConnector - OCSP will use default settings which may be distinct from the customer's specific one. Code should always pass such instance - verify why it isn't true in the current context"
@@ -102,12 +103,14 @@ async def validate_ocsp(
     ):
 
         v = await SnowflakeOCSPAsn1Crypto(
-            ocsp_response_cache_uri=FEATURE_OCSP_RESPONSE_CACHE_FILE_NAME,
+            ocsp_response_cache_uri=self._ocsp_response_cache_file_name,
             use_fail_open=self._snowflake_ocsp_mode == OCSPMode.FAIL_OPEN,
             hostname=hostname,
             root_certs_dict_lock_timeout=self._ocsp_root_certs_dict_lock_timeout,
         ).validate(hostname, protocol, session_manager=session_manager)
-        if not v:
+        # In fail_open mode, if validation returns None (certificate extraction failed),
+        # allow the connection to proceed. Otherwise, raise an error.
+        if not v and self._snowflake_ocsp_mode != OCSPMode.FAIL_OPEN:
             raise OperationalError(
                 msg=(
                     "The certificate is revoked or "
@@ -147,6 +150,7 @@ class AioHttpConfig(BaseHttpConfig):
     ocsp_root_certs_dict_lock_timeout: int = (
         OCSP_ROOT_CERTS_DICT_LOCK_TIMEOUT_DEFAULT_NO_TIMEOUT
     )
+    ocsp_response_cache_file_name: str | None = None
 
     trust_env: bool = True
     """Trust environment variables for proxy configuration (HTTP_PROXY, HTTPS_PROXY, NO_PROXY).
@@ -161,7 +165,11 @@ def get_connector(
         # We pass here only chosen attributes as kwargs to make the arguments received by the factory as compliant with the BaseConnector constructor interface as possible.
         # We could consider passing the whole HttpConfig as kwarg to the factory if necessary in the future.
         attributes_for_connector_factory = frozenset(
-            {"snowflake_ocsp_mode", "ocsp_root_certs_dict_lock_timeout"}
+            {
+                "snowflake_ocsp_mode",
+                "ocsp_root_certs_dict_lock_timeout",
+                "ocsp_response_cache_file_name",
+            }
         )
 
         self_kwargs_for_connector_factory = {

src/snowflake/connector/ssl_wrap_socket.py

@@ -184,7 +184,9 @@ def ssl_wrap_socket_with_ocsp(*args: Any, **kwargs: Any) -> WrappedSocket:
             hostname=server_hostname,
             root_certs_dict_lock_timeout=FEATURE_ROOT_CERTS_DICT_LOCK_TIMEOUT,
         ).validate(server_hostname, ret.connection)
-        if not v:
+        # In fail_open mode, if validation returns None (certificate extraction failed),
+        # allow the connection to proceed. Otherwise, raise an error.
+        if not v and FEATURE_OCSP_MODE != OCSPMode.FAIL_OPEN:
             raise OperationalError(
                 msg=f"The certificate is revoked or could not be validated: hostname={server_hostname}",
                 errno=ER_OCSP_RESPONSE_CERT_STATUS_REVOKED,

test/unit/aio/test_session_manager_async.py

@@ -373,6 +373,7 @@ def mock_connector_with_factory():
                 "pool_connections": 10,
                 "snowflake_ocsp_mode": OCSPMode.FAIL_OPEN,
                 "ocsp_root_certs_dict_lock_timeout": -1,
+                "ocsp_response_cache_file_name": None,
             },
         ),
         # Test with OCSPMode.FAIL_CLOSED + no extra kwargs
@@ -382,6 +383,7 @@ def mock_connector_with_factory():
             {
                 "snowflake_ocsp_mode": OCSPMode.FAIL_CLOSED,
                 "ocsp_root_certs_dict_lock_timeout": -1,
+                "ocsp_response_cache_file_name": None,
             },
         ),
         # Checks that None values also cause kwargs name to occur
@@ -391,6 +393,7 @@ def mock_connector_with_factory():
             {
                 "snowflake_ocsp_mode": None,
                 "ocsp_root_certs_dict_lock_timeout": -1,
+                "ocsp_response_cache_file_name": None,
             },
         ),
         # Test override by extra kwargs: config has FAIL_OPEN but extra_kwargs override with FAIL_CLOSED
@@ -400,6 +403,7 @@ def mock_connector_with_factory():
             {
                 "snowflake_ocsp_mode": OCSPMode.FAIL_CLOSED,
                 "ocsp_root_certs_dict_lock_timeout": -1,
+                "ocsp_response_cache_file_name": None,
             },
         ),
     ],