SNOW-1821509: add ocsp options (#407)

README.rst

@@ -362,11 +362,19 @@ Configuring OCSP Checking
 
 By default, OCSP (Online Certificate Status Protocol) checking is enabled and is set per PDO connection.
 
-To disable OCSP checking for a PDO connection, set :code:`insecure_mode=true` in the DSN connection string. For example:
+To disable OCSP checking for a PDO connection, set :code:`disableocspchecks=true` in the DSN connection string. For example:
 
 .. code-block:: php
 
-    $dbh = new PDO("snowflake:account=testaccount;insecure_mode=true", "user", "password");
+    $dbh = new PDO("snowflake:account=testaccount;disableocspchecks=true", "user", "password");
+
+By default, OCSP checking uses fail-open approach. For more details see `Fail-Open or Fail-Close behavior <https://docs.snowflake.com/en/user-guide/ocsp#fail-open-or-fail-close-behavior>`_.
+
+To switch to use fail-close approach, set :code:`ocspfailopen=false` in the DSN connection string. For example:
+
+.. code-block:: php
+
+    $dbh = new PDO("snowflake:account=testaccount;ocspfailopen=false", "user", "password");
 
 Proxy
 ----------------------------------------------------------------------

php_pdo_snowflake_int.h

@@ -101,5 +101,7 @@ enum {
 #define PDO_SNOWFLAKE_CONN_ATTR_LOGIN_TIMEOUT_IDX 19
 #define PDO_SNOWFLAKE_CONN_ATTR_MAX_RETRIES_IDX 20
 #define PDO_SNOWFLAKE_CONN_ATTR_RETRY_TIMEOUT_IDX 21
+#define PDO_SNOWFLAKE_CONN_ATTR_OCSP_FAIL_OPEN_IDX 22
+#define PDO_SNOWFLAKE_CONN_ATTR_OCSP_DISABLE_IDX 23
 
 #endif /* PHP_PDO_SNOWFLAKE_INT_H */

snowflake_driver.c

@@ -585,7 +585,9 @@ pdo_snowflake_handle_factory(pdo_dbh_t *dbh, zval *driver_options) /* {{{ */
         {"includeretryreason",  "true",       0},
         {"logintimeout",        "300",        0},
         {"maxhttpretries",      "7",          0},
-        {"retrytimeout",        "300",        0}
+        {"retrytimeout",        "300",        0},
+        {"ocspfailopen",        "true",       0},
+        {"disableocspchecks",   "false",      0}
     };
 
     // Parse the input data parameters
@@ -817,6 +819,21 @@ pdo_snowflake_handle_factory(pdo_dbh_t *dbh, zval *driver_options) /* {{{ */
             "retryimeout: %d", int_attr_value);
     }
 
+    snowflake_set_attribute(
+        H->server, SF_CON_OCSP_FAIL_OPEN,
+        (strcasecmp(vars[PDO_SNOWFLAKE_CONN_ATTR_OCSP_FAIL_OPEN_IDX].optval, "true") == 0) ?
+            &SF_BOOLEAN_TRUE : &SF_BOOLEAN_FALSE);
+    PDO_LOG_DBG(
+        "ocspfailopen: %s",
+        vars[PDO_SNOWFLAKE_CONN_ATTR_OCSP_FAIL_OPEN_IDX].optval);
+
+    snowflake_global_set_attribute(SF_GLOBAL_OCSP_CHECK,
+        (strcasecmp(vars[PDO_SNOWFLAKE_CONN_ATTR_OCSP_DISABLE_IDX].optval, "true") == 0) ?
+            &SF_BOOLEAN_TRUE : &SF_BOOLEAN_FALSE);
+    PDO_LOG_DBG(
+        "disableocspchecks: %s",
+        vars[PDO_SNOWFLAKE_CONN_ATTR_OCSP_DISABLE_IDX].optval);
+
     if (snowflake_connect(H->server) > 0) {
         pdo_snowflake_error(dbh);
         goto cleanup;

tests/connect.phpt

@@ -9,7 +9,7 @@ pdo_snowflake.cacert=libsnowflakeclient/cacert.pem
     include __DIR__ . "/common.php";
 
     // full parameters
-    $dbh = new PDO("$dsn;application=phptest;authenticator=snowflake;priv_key_file=tests/p8test.pem;priv_key_file_pwd=test;disablequerycontext=true;includeretryreason=false;logintimeout=250;maxhttpretries=8;retrytimeout=350", $user, $password);
+    $dbh = new PDO("$dsn;application=phptest;authenticator=snowflake;priv_key_file=tests/p8test.pem;priv_key_file_pwd=test;disablequerycontext=true;includeretryreason=false;logintimeout=250;maxhttpretries=8;retrytimeout=350;ocspfailopen=false;disableocspchecks=true", $user, $password);
     // create table for testing autocommit later
     $tablename = "autocommittest" . rand();
     $count = $dbh->exec("create or replace table " . $tablename . "(c1 int)");