Fixing error messages to not leak sensitive info (#3008)

burhan94 · web-flow · commit 689761f68e90 · 2025-09-17T18:53:50.000-04:00
diff --git a/athena-snowflake/src/main/java/com/amazonaws/athena/connectors/snowflake/SnowflakeCredentialsProvider.java b/athena-snowflake/src/main/java/com/amazonaws/athena/connectors/snowflake/SnowflakeCredentialsProvider.java
@@ -21,6 +21,7 @@
 
 import com.amazonaws.athena.connector.credentials.CredentialsProvider;
 import com.amazonaws.athena.connector.credentials.DefaultCredentials;
+import com.amazonaws.athena.connector.lambda.exceptions.AthenaConnectorException;
 import com.amazonaws.athena.connector.lambda.security.CachableSecretsManager;
 import com.amazonaws.athena.connectors.snowflake.utils.SnowflakeAuthType;
 import com.amazonaws.athena.connectors.snowflake.utils.SnowflakeAuthUtils;
@@ -29,6 +30,8 @@
 import com.google.common.annotations.VisibleForTesting;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import software.amazon.awssdk.services.glue.model.ErrorDetails;
+import software.amazon.awssdk.services.glue.model.FederationSourceErrorCode;
 import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
 import software.amazon.awssdk.utils.Validate;
 
@@ -261,7 +264,8 @@ private ObjectNode requestToken(String requestBody, String tokenEndpoint, String
                 .reduce("", (acc, line) -> acc + line);
 
         if (responseCode != 200) {
-            throw new RuntimeException("Failed: " + responseCode + " - " + response);
+            LOGGER.error("OAuth token request failed with status: {} - {}", responseCode, response);
+            throw new AthenaConnectorException("OAuth authentication failed with status: " + responseCode, ErrorDetails.builder().errorCode(FederationSourceErrorCode.INVALID_RESPONSE_EXCEPTION.toString()).build());
         }
 
         ObjectNode tokenJson = objectMapper.readValue(response, ObjectNode.class);
diff --git a/athena-snowflake/src/main/java/com/amazonaws/athena/connectors/snowflake/utils/SnowflakeAuthUtils.java b/athena-snowflake/src/main/java/com/amazonaws/athena/connectors/snowflake/utils/SnowflakeAuthUtils.java
@@ -19,6 +19,7 @@
  */
 package com.amazonaws.athena.connectors.snowflake.utils;
 
+import com.amazonaws.athena.connector.lambda.exceptions.AthenaConnectorException;
 import com.amazonaws.athena.connectors.snowflake.SnowflakeConstants;
 import org.apache.commons.lang3.StringUtils;
 import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
@@ -30,6 +31,8 @@
 import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import software.amazon.awssdk.services.glue.model.ErrorDetails;
+import software.amazon.awssdk.services.glue.model.FederationSourceErrorCode;
 
 import java.io.StringReader;
 import java.security.PrivateKey;
@@ -105,8 +108,8 @@ public static PrivateKey createPrivateKey(String privateKeyString, String passph
             return converter.getPrivateKey(privateKeyInfo);
         }
         catch (Exception e) {
-            LOGGER.error("Failed to create private key from string: ", e);
-            throw new Exception("Invalid private key format: " + e.getMessage(), e);
+            LOGGER.error("Private key parsing failed: {}", e.getMessage());
+            throw new AthenaConnectorException("Invalid private key format", ErrorDetails.builder().errorCode(FederationSourceErrorCode.INVALID_INPUT_EXCEPTION.toString()).build());
         }
     }
 
