fixup! NO-SNOW: Add more tests for async crl

sfc-gh-turbaszek · sfc-gh-turbaszek · commit df353061088f · 2025-11-12T16:00:13.000+01:00
diff --git a/src/snowflake/connector/aio/_session_manager.py b/src/snowflake/connector/aio/_session_manager.py
@@ -14,8 +14,8 @@
 from ..crl import CertRevocationCheckMode, CRLValidator
 from ..errorcode import ER_OCSP_RESPONSE_CERT_STATUS_REVOKED
 from ..ssl_wrap_socket import (
-    FEATURE_CRL_CONFIG,
     FEATURE_OCSP_RESPONSE_CACHE_FILE_NAME,
+    get_feature_crl_config,
     load_trusted_certificates,
     resolve_cafile,
 )
@@ -79,15 +79,16 @@ async def connect(
         connection = await super().connect(req, traces, timeout)
         protocol = connection.protocol
 
+        feature_crl_config = get_feature_crl_config()
         logger.debug(
             "CRL Check Mode: %s",
-            FEATURE_CRL_CONFIG.cert_revocation_check_mode.name,
+            feature_crl_config.cert_revocation_check_mode.name,
         )
         if (
-            FEATURE_CRL_CONFIG.cert_revocation_check_mode
+            feature_crl_config.cert_revocation_check_mode
             != CertRevocationCheckMode.DISABLED
         ):
-            self.validate_crl(protocol, req)
+            self.validate_crl(feature_crl_config, protocol, req)
             logger.debug(
                 "The certificate revocation check was successful. No additional checks will be performed."
             )
@@ -111,11 +112,13 @@ async def connect(
                 protocol._snowflake_ocsp_validated = True
         return connection
 
-    def validate_crl(self, protocol: ResponseHandler, req: ClientRequest):
+    def validate_crl(
+        self, feature_crl_config, protocol: ResponseHandler, req: ClientRequest
+    ):
         # Resolve CA file path from environment variables or use certifi default
         cafile_for_ctx = resolve_cafile({"ca_certs": certifi.where()})
         crl_validator = CRLValidator.from_config(
-            FEATURE_CRL_CONFIG,
+            feature_crl_config,
             self._session_manager,
             trusted_certificates=load_trusted_certificates(cafile_for_ctx),
         )
diff --git a/src/snowflake/connector/ssl_wrap_socket.py b/src/snowflake/connector/ssl_wrap_socket.py
@@ -271,3 +271,7 @@ def _openssl_connect(
             time.sleep(sleeping_time)
     if err:
         raise err
+
+
+def get_feature_crl_config() -> CRLConfig:
+    return FEATURE_CRL_CONFIG
diff --git a/test/integ/aio_it/test_crl_async.py b/test/integ/aio_it/test_crl_async.py
@@ -11,6 +11,8 @@
 
 import pytest
 
+from snowflake.connector.ssl_wrap_socket import get_feature_crl_config
+
 
 @pytest.mark.skipolddriver
 async def test_crl_validation_enabled_mode(conn_cnx):
@@ -25,6 +27,10 @@ async def test_crl_validation_enabled_mode(conn_cnx):
         disable_ocsp_checks=True,
     ) as cnx:
         assert cnx, "Connection should succeed with CRL validation in ENABLED mode"
+        assert (
+            get_feature_crl_config().cert_revocation_check_mode.value
+            == cnx.cert_revocation_check_mode
+        )
 
         # Verify we can execute a simple query
         cur = cnx.cursor()
@@ -51,6 +57,10 @@ async def test_crl_validation_advisory_mode(conn_cnx):
         crl_cache_validity_hours=1,  # Cache for 1 hour
     ) as cnx:
         assert cnx, "Connection should succeed with CRL validation in ADVISORY mode"
+        assert (
+            get_feature_crl_config().cert_revocation_check_mode.value
+            == cnx.cert_revocation_check_mode
+        )
 
         # Verify we can execute a simple query
         cur = cnx.cursor()
@@ -77,6 +87,10 @@ async def test_crl_validation_disabled_mode(conn_cnx):
         cert_revocation_check_mode="DISABLED",
     ) as cnx:
         assert cnx, "Connection should succeed with CRL validation in DISABLED mode"
+        assert (
+            get_feature_crl_config().cert_revocation_check_mode.value
+            == cnx.cert_revocation_check_mode
+        )
 
         # Verify we can execute a simple query
         cur = cnx.cursor()
@@ -112,6 +126,10 @@ async def test_crl_validation_modes_parametrized(
             crl_connection_timeout_ms=5000,
             crl_read_timeout_ms=5000,
         ) as cnx:
+            assert (
+                get_feature_crl_config().cert_revocation_check_mode.value
+                == cnx.cert_revocation_check_mode
+            )
             if should_succeed:
                 assert (
                     cnx
