feat: Add Api Authentication security integration to sdk (#2840)
<!-- Feel free to delete comments as you fill this in -->
Add the API Authentication security integration to the SDK. All three
OAuth flows are implemented, but the integration tests for the JWT bearer
flow are skipped because CREATE currently fails for it; this will be fixed
in a follow-up.
<!-- summary of changes -->

## Test Plan
<!-- detail ways in which this PR has been tested or needs to be tested
-->
* [x] unit tests
<!-- add more below if you think they are relevant -->
* [x] integration tests

## References
<!-- issues documentation links, etc  -->

https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-api-auth

https://docs.snowflake.com/en/sql-reference/sql/alter-security-integration-api-auth
sfc-gh-jmichalak authored May 29, 2024
1 parent 64518a3 commit 57a07ee
Showing 11 changed files with 2,168 additions and 33 deletions.
4 changes: 4 additions & 0 deletions pkg/sdk/poc/generator/util.go
Expand Up @@ -52,6 +52,10 @@ func wrapWith(s string, with string) string {
func sqlToFieldName(sql string, shouldExport bool) string {
sqlWords := splitSQLPattern.Split(sql, -1)
for i, s := range sqlWords {
if s == "=" {
sqlWords[i] = ""
continue
}
if !shouldExport && i == 0 {
sqlWords[i] = englishLowerCaser.String(s)
continue
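Review bot: The new `=` branch has no comment saying why the token is blanked instead of converted; from the definitions elsewhere in this commit the reason appears to be patterns such as `OptionalSQL("OAUTH_GRANT = CLIENT_CREDENTIALS")`, whose validation lists reference `OauthGrantClientCredentials`, so the `=` has to disappear from the generated field name. Add `// "=" occurs in OptionalSQL patterns like "OAUTH_GRANT = CLIENT_CREDENTIALS"; drop it so the field becomes OauthGrantClientCredentials` above the check. Blanking the word leaves an empty element in `sqlWords`; presumably the join that follows tolerates it, but that code, and the rest of `sqlToFieldName`, lies outside the hunk.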
189 changes: 189 additions & 0 deletions pkg/sdk/security_integrations_def.go
Expand Up @@ -4,6 +4,12 @@ import g "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk/poc/gen

//go:generate go run ./poc/main.go

type ApiAuthenticationSecurityIntegrationOauthClientAuthMethodOption string

const (
ApiAuthenticationSecurityIntegrationOauthClientAuthMethodClientSecretPost ApiAuthenticationSecurityIntegrationOauthClientAuthMethodOption = "CLIENT_SECRET_POST"
)

type ExternalOauthSecurityIntegrationTypeOption string

const (
Expand Down Expand Up @@ -67,6 +73,7 @@ const (
)

var (
allowedScopeDef = g.NewQueryStruct("AllowedScope").Text("Scope", g.KeywordOptions().SingleQuotes().Required())
userDomainDef = g.NewQueryStruct("UserDomain").Text("Domain", g.KeywordOptions().SingleQuotes().Required())
emailPatternDef = g.NewQueryStruct("EmailPattern").Text("Pattern", g.KeywordOptions().SingleQuotes().Required())
preAuthorizedRolesListDef = g.NewQueryStruct("PreAuthorizedRolesList").
Expand Down Expand Up @@ -109,6 +116,75 @@ func alterSecurityIntegrationOperation(structName string, opts func(qs *g.QueryS
return qs
}

var apiAuthClientCredentialsFlowIntegrationSetDef = g.NewQueryStruct("ApiAuthenticationWithClientCredentialsFlowIntegrationSet").
OptionalBooleanAssignment("ENABLED", g.ParameterOptions()).
OptionalTextAssignment("OAUTH_TOKEN_ENDPOINT", g.ParameterOptions().SingleQuotes()).
OptionalAssignment(
"OAUTH_CLIENT_AUTH_METHOD",
g.KindOfT[ApiAuthenticationSecurityIntegrationOauthClientAuthMethodOption](),
g.ParameterOptions(),
).
OptionalTextAssignment("OAUTH_CLIENT_ID", g.ParameterOptions().SingleQuotes()).
OptionalTextAssignment("OAUTH_CLIENT_SECRET", g.ParameterOptions().SingleQuotes()).
OptionalSQL("OAUTH_GRANT = CLIENT_CREDENTIALS").
OptionalNumberAssignment("OAUTH_ACCESS_TOKEN_VALIDITY", g.ParameterOptions()).
OptionalNumberAssignment("OAUTH_REFRESH_TOKEN_VALIDITY", g.ParameterOptions()).
ListAssignment("OAUTH_ALLOWED_SCOPES", "AllowedScope", g.ParameterOptions().Parentheses()).
OptionalComment().
WithValidation(g.AtLeastOneValueSet, "Enabled", "OauthTokenEndpoint", "OauthClientAuthMethod", "OauthClientId", "OauthClientSecret", "OauthGrantClientCredentials",
"OauthAccessTokenValidity", "OauthRefreshTokenValidity", "OauthAllowedScopes", "Comment")

var apiAuthClientCredentialsFlowIntegrationUnsetDef = g.NewQueryStruct("ApiAuthenticationWithClientCredentialsFlowIntegrationUnset").
OptionalSQL("ENABLED").
OptionalSQL("COMMENT").
WithValidation(g.AtLeastOneValueSet, "Enabled", "Comment")

var apiAuthCodeGrantFlowIntegrationSetDef = g.NewQueryStruct("ApiAuthenticationWithAuthorizationCodeGrantFlowIntegrationSet").
OptionalBooleanAssignment("ENABLED", g.ParameterOptions()).
OptionalTextAssignment("OAUTH_AUTHORIZATION_ENDPOINT", g.ParameterOptions().SingleQuotes()).
OptionalTextAssignment("OAUTH_TOKEN_ENDPOINT", g.ParameterOptions().SingleQuotes()).
OptionalAssignment(
"OAUTH_CLIENT_AUTH_METHOD",
g.KindOfT[ApiAuthenticationSecurityIntegrationOauthClientAuthMethodOption](),
g.ParameterOptions(),
).
OptionalTextAssignment("OAUTH_CLIENT_ID", g.ParameterOptions().SingleQuotes()).
OptionalTextAssignment("OAUTH_CLIENT_SECRET", g.ParameterOptions().SingleQuotes()).
OptionalSQL("OAUTH_GRANT = AUTHORIZATION_CODE").
OptionalNumberAssignment("OAUTH_ACCESS_TOKEN_VALIDITY", g.ParameterOptions()).
OptionalNumberAssignment("OAUTH_REFRESH_TOKEN_VALIDITY", g.ParameterOptions()).
OptionalComment().
WithValidation(g.AtLeastOneValueSet, "Enabled", "OauthAuthorizationEndpoint", "OauthTokenEndpoint", "OauthClientAuthMethod", "OauthClientId", "OauthClientSecret", "OauthGrantAuthorizationCode",
"OauthAccessTokenValidity", "OauthRefreshTokenValidity", "Comment")

var apiAuthCodeGrantFlowIntegrationUnsetDef = g.NewQueryStruct("ApiAuthenticationWithAuthorizationCodeGrantFlowIntegrationUnset").
OptionalSQL("ENABLED").
OptionalSQL("COMMENT").
WithValidation(g.AtLeastOneValueSet, "Enabled", "Comment")

var apiAuthJwtBearerFlowIntegrationSetDef = g.NewQueryStruct("ApiAuthenticationWithJwtBearerFlowIntegrationSet").
OptionalBooleanAssignment("ENABLED", g.ParameterOptions()).
OptionalTextAssignment("OAUTH_AUTHORIZATION_ENDPOINT", g.ParameterOptions().SingleQuotes()).
OptionalTextAssignment("OAUTH_TOKEN_ENDPOINT", g.ParameterOptions().SingleQuotes()).
OptionalAssignment(
"OAUTH_CLIENT_AUTH_METHOD",
g.KindOfT[ApiAuthenticationSecurityIntegrationOauthClientAuthMethodOption](),
g.ParameterOptions(),
).
OptionalTextAssignment("OAUTH_CLIENT_ID", g.ParameterOptions().SingleQuotes()).
OptionalTextAssignment("OAUTH_CLIENT_SECRET", g.ParameterOptions().SingleQuotes()).
OptionalSQL("OAUTH_GRANT = JWT_BEARER").
OptionalNumberAssignment("OAUTH_ACCESS_TOKEN_VALIDITY", g.ParameterOptions()).
OptionalNumberAssignment("OAUTH_REFRESH_TOKEN_VALIDITY", g.ParameterOptions()).
OptionalComment().
WithValidation(g.AtLeastOneValueSet, "Enabled", "OauthAuthorizationEndpoint", "OauthTokenEndpoint", "OauthClientAuthMethod", "OauthClientId", "OauthClientSecret", "OauthGrantJwtBearer",
"OauthAccessTokenValidity", "OauthRefreshTokenValidity", "Comment")

var apiAuthJwtBearerFlowIntegrationUnsetDef = g.NewQueryStruct("ApiAuthenticationWithJwtBearerFlowIntegrationUnset").
OptionalSQL("ENABLED").
OptionalSQL("COMMENT").
WithValidation(g.AtLeastOneValueSet, "Enabled", "Comment")

var externalOauthIntegrationSetDef = g.NewQueryStruct("ExternalOauthIntegrationSet").
OptionalBooleanAssignment("ENABLED", g.ParameterOptions()).
OptionalAssignment(
Expand Down Expand Up @@ -246,6 +322,74 @@ var SecurityIntegrationsDef = g.NewInterface(
"SecurityIntegration",
g.KindOfT[AccountObjectIdentifier](),
).
CustomOperation(
"CreateApiAuthenticationWithClientCredentialsFlow",
"https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-api-auth",
createSecurityIntegrationOperation("CreateApiAuthenticationWithClientCredentialsFlow", func(qs *g.QueryStruct) *g.QueryStruct {
return qs.
PredefinedQueryStructField("integrationType", "string", g.StaticOptions().SQL("TYPE = API_AUTHENTICATION")).
PredefinedQueryStructField("authType", "string", g.StaticOptions().SQL("AUTH_TYPE = OAUTH2")).
BooleanAssignment("ENABLED", g.ParameterOptions().Required()).
OptionalTextAssignment("OAUTH_TOKEN_ENDPOINT", g.ParameterOptions().SingleQuotes()).
OptionalAssignment(
"OAUTH_CLIENT_AUTH_METHOD",
g.KindOfT[ApiAuthenticationSecurityIntegrationOauthClientAuthMethodOption](),
g.ParameterOptions(),
).
TextAssignment("OAUTH_CLIENT_ID", g.ParameterOptions().Required().SingleQuotes()).
TextAssignment("OAUTH_CLIENT_SECRET", g.ParameterOptions().Required().SingleQuotes()).
OptionalSQL("OAUTH_GRANT = CLIENT_CREDENTIALS").
OptionalNumberAssignment("OAUTH_ACCESS_TOKEN_VALIDITY", g.ParameterOptions()).
OptionalNumberAssignment("OAUTH_REFRESH_TOKEN_VALIDITY", g.ParameterOptions()).
ListAssignment("OAUTH_ALLOWED_SCOPES", "AllowedScope", g.ParameterOptions().Parentheses())
}),
allowedScopeDef,
).
CustomOperation(
"CreateApiAuthenticationWithAuthorizationCodeGrantFlow",
"https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-api-auth",
createSecurityIntegrationOperation("CreateApiAuthenticationWithAuthorizationCodeGrantFlow", func(qs *g.QueryStruct) *g.QueryStruct {
return qs.
PredefinedQueryStructField("integrationType", "string", g.StaticOptions().SQL("TYPE = API_AUTHENTICATION")).
PredefinedQueryStructField("authType", "string", g.StaticOptions().SQL("AUTH_TYPE = OAUTH2")).
BooleanAssignment("ENABLED", g.ParameterOptions().Required()).
OptionalTextAssignment("OAUTH_AUTHORIZATION_ENDPOINT", g.ParameterOptions().SingleQuotes()).
OptionalTextAssignment("OAUTH_TOKEN_ENDPOINT", g.ParameterOptions().SingleQuotes()).
OptionalAssignment(
"OAUTH_CLIENT_AUTH_METHOD",
g.KindOfT[ApiAuthenticationSecurityIntegrationOauthClientAuthMethodOption](),
g.ParameterOptions(),
).
TextAssignment("OAUTH_CLIENT_ID", g.ParameterOptions().Required().SingleQuotes()).
TextAssignment("OAUTH_CLIENT_SECRET", g.ParameterOptions().Required().SingleQuotes()).
OptionalSQL("OAUTH_GRANT = AUTHORIZATION_CODE").
OptionalNumberAssignment("OAUTH_ACCESS_TOKEN_VALIDITY", g.ParameterOptions()).
OptionalNumberAssignment("OAUTH_REFRESH_TOKEN_VALIDITY", g.ParameterOptions())
}),
).
CustomOperation(
"CreateApiAuthenticationWithJwtBearerFlow",
"https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-api-auth",
createSecurityIntegrationOperation("CreateApiAuthenticationWithJwtBearerFlow", func(qs *g.QueryStruct) *g.QueryStruct {
return qs.
PredefinedQueryStructField("integrationType", "string", g.StaticOptions().SQL("TYPE = API_AUTHENTICATION")).
PredefinedQueryStructField("authType", "string", g.StaticOptions().SQL("AUTH_TYPE = OAUTH2")).
BooleanAssignment("ENABLED", g.ParameterOptions().Required()).
TextAssignment("OAUTH_ASSERTION_ISSUER", g.ParameterOptions().Required().SingleQuotes()).
OptionalTextAssignment("OAUTH_AUTHORIZATION_ENDPOINT", g.ParameterOptions().SingleQuotes()).
OptionalTextAssignment("OAUTH_TOKEN_ENDPOINT", g.ParameterOptions().SingleQuotes()).
OptionalAssignment(
"OAUTH_CLIENT_AUTH_METHOD",
g.KindOfT[ApiAuthenticationSecurityIntegrationOauthClientAuthMethodOption](),
g.ParameterOptions(),
).
TextAssignment("OAUTH_CLIENT_ID", g.ParameterOptions().Required().SingleQuotes()).
TextAssignment("OAUTH_CLIENT_SECRET", g.ParameterOptions().Required().SingleQuotes()).
OptionalSQL("OAUTH_GRANT = JWT_BEARER").
OptionalNumberAssignment("OAUTH_ACCESS_TOKEN_VALIDITY", g.ParameterOptions()).
OptionalNumberAssignment("OAUTH_REFRESH_TOKEN_VALIDITY", g.ParameterOptions())
}),
).
CustomOperation(
"CreateExternalOauth",
"https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-oauth-external",
Expand Down Expand Up @@ -391,6 +535,51 @@ var SecurityIntegrationsDef = g.NewInterface(
OptionalBooleanAssignment("SYNC_PASSWORD", g.ParameterOptions())
}),
).
CustomOperation(
"AlterApiAuthenticationWithClientCredentialsFlow",
"https://docs.snowflake.com/en/sql-reference/sql/alter-security-integration-api-auth",
alterSecurityIntegrationOperation("AlterApiAuthenticationWithClientCredentialsFlow", func(qs *g.QueryStruct) *g.QueryStruct {
return qs.OptionalQueryStructField(
"Set",
apiAuthClientCredentialsFlowIntegrationSetDef,
g.ListOptions().NoParentheses().SQL("SET"),
).OptionalQueryStructField(
"Unset",
apiAuthClientCredentialsFlowIntegrationUnsetDef,
g.ListOptions().NoParentheses().SQL("UNSET"),
).WithValidation(g.ExactlyOneValueSet, "Set", "Unset", "SetTags", "UnsetTags")
}),
).
CustomOperation(
"AlterApiAuthenticationWithAuthorizationCodeGrantFlow",
"https://docs.snowflake.com/en/sql-reference/sql/alter-security-integration-api-auth",
alterSecurityIntegrationOperation("AlterApiAuthenticationWithAuthorizationCodeGrantFlow", func(qs *g.QueryStruct) *g.QueryStruct {
return qs.OptionalQueryStructField(
"Set",
apiAuthCodeGrantFlowIntegrationSetDef,
g.ListOptions().NoParentheses().SQL("SET"),
).OptionalQueryStructField(
"Unset",
apiAuthCodeGrantFlowIntegrationUnsetDef,
g.ListOptions().NoParentheses().SQL("UNSET"),
).WithValidation(g.ExactlyOneValueSet, "Set", "Unset", "SetTags", "UnsetTags")
}),
).
CustomOperation(
"AlterApiAuthenticationWithJwtBearerFlow",
"https://docs.snowflake.com/en/sql-reference/sql/alter-security-integration-api-auth",
alterSecurityIntegrationOperation("AlterApiAuthenticationWithJwtBearerFlow", func(qs *g.QueryStruct) *g.QueryStruct {
return qs.OptionalQueryStructField(
"Set",
apiAuthJwtBearerFlowIntegrationSetDef,
g.ListOptions().NoParentheses().SQL("SET"),
).OptionalQueryStructField(
"Unset",
apiAuthJwtBearerFlowIntegrationUnsetDef,
g.ListOptions().NoParentheses().SQL("UNSET"),
).WithValidation(g.ExactlyOneValueSet, "Set", "Unset", "SetTags", "UnsetTags")
}),
).
CustomOperation(
"AlterExternalOauth",
"https://docs.snowflake.com/en/sql-reference/sql/alter-security-integration-oauth-external",
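Review bot: The required `OAUTH_CLIENT_SECRET` in the three create operations and the optional one in each Set struct are emitted into the statement text as single-quoted literals, so both escaping and exposure depend on `SingleQuotes()` and on the SDK's query logging, neither of which is visible here; confirm that an embedded `'` in the secret is escaped (otherwise the statement is malformed or changes shape) and that generated statements are redacted before being logged. A second gap is that `CreateApiAuthenticationWithJwtBearerFlow` requires `OAUTH_ASSERTION_ISSUER`, but `apiAuthJwtBearerFlowIntegrationSetDef` has no field for it, so the issuer can never be changed through ALTER; if the linked ALTER docs accept it, add `OptionalTextAssignment("OAUTH_ASSERTION_ISSUER", g.ParameterOptions().SingleQuotes())` to that Set struct and `"OauthAssertionIssuer"` to its AtLeastOneValueSet list. Also worth a look: `OAUTH_ALLOWED_SCOPES` uses `ListAssignment` in both the client-credentials create and its Set struct while every neighbouring field is `Optional…`; if the generator treats it as required, the Set struct's AtLeastOneValueSet check is trivially satisfied and the create cannot omit scopes. The `SecurityIntegrationsDef` declaration begins and ends outside the hunks shown.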