omnata-plugin-devkit 0.13.0a159__tar.gz → 0.13.1__tar.gz

{omnata_plugin_devkit-0.13.0a159 → omnata_plugin_devkit-0.13.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: omnata-plugin-devkit
-Version: 0.13.0a159
+Version: 0.13.1
 Summary: 
 License-File: LICENSE
 Author: James Weakley

{omnata_plugin_devkit-0.13.0a159 → omnata_plugin_devkit-0.13.1}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "omnata-plugin-devkit"
-version = "0.13.0a159"
+version = "0.13.1"
 description = ""
 authors = ["James Weakley <james.weakley@omnata.com>"]
 readme = "README.md"

omnata_plugin_devkit-0.13.1/src/omnata_plugin_devkit/jinja_templates/CHECK_CONNECTION_PROGRESS.sql.jinja

@@ -0,0 +1,112 @@
+create or replace procedure PLUGIN.CHECK_CONNECTION_PROGRESS(PARAMETERS OBJECT)
+   returns object
+   language javascript
+   COMMENT = $$
+   Reports the consumer-approval status of the application specifications and configuration
+   definitions associated with a connection. Input keys (all optional except the first):
+     external_access_integration_spec_name  (required)
+     security_integration_spec_name         (optional; omitted => null in the response)
+     oauth_secret_configuration_name        (optional; omitted => null in the response)
+   Returns:
+     {
+       latest_eai_spec_revision_approved: <bool>,
+       latest_si_spec_revision_approved: <bool|null>,
+       oauth_secret_configuration_done:   <bool|null>
+     }
+   A field is false (not null) when the name was provided but the object does not exist yet
+   or is not in APPROVED state.
+   $$
+   execute as owner
+as
+$$
+try{
+    var p = PARAMETERS || {};
+    var eaiSpecName = p.external_access_integration_spec_name || null;
+    var siSpecName  = p.security_integration_spec_name || null;
+    var cfgName     = p.oauth_secret_configuration_name || null;
+
+    if (!eaiSpecName){
+        throw `external_access_integration_spec_name is required`;
+    }
+
+    // Collect the status of every specification in this application.
+    var specStatus = {};
+    try {
+        var rs = snowflake.createStatement({
+            sqlText: `SHOW SPECIFICATIONS
+->> select * from $1
+qualify row_number() over (partition by "name" order by "sequence_number" desc) = 1`,
+            binds: []
+        }).execute();
+        var colCount = rs.getColumnCount();
+        var colIdx = {};
+        for (var i = 1; i <= colCount; i++){
+            colIdx[rs.getColumnName(i).toLowerCase()] = i;
+        }
+        while (rs.next()){
+            var nm = rs.getColumnValue(colIdx['name']);
+            var st = rs.getColumnValue(colIdx['status']);
+            specStatus[String(nm).toUpperCase()] = st;
+        }
+    } catch(e) {
+        snowflake.log("warn", `CHECK_CONNECTION_PROGRESS: could not list specifications: ${String(e)}`);
+    }
+
+    function specApproved(name){
+        if (!name) return null;
+        var s = specStatus[String(name).toUpperCase()];
+        if (s === undefined) return false;
+        return String(s).toUpperCase() === 'APPROVED';
+    }
+
+    var latestEaiApproved = specApproved(eaiSpecName);
+    var latestSiApproved  = specApproved(siSpecName);
+
+    // Secret authorization configuration status.
+    // https://docs.snowflake.com/en/developer-guide/native-apps/app-configuration-secret-authorization
+    var cfgDone = null;
+    if (cfgName){
+        cfgDone = false;
+        try {
+            var cfgRs = snowflake.createStatement({
+                sqlText: `SHOW CONFIGURATIONS`,
+                binds: []
+            }).execute();
+            var cfgColCount = cfgRs.getColumnCount();
+            var cfgColIdx = {};
+            for (var j = 1; j <= cfgColCount; j++){
+                cfgColIdx[cfgRs.getColumnName(j).toLowerCase()] = j;
+            }
+            while (cfgRs.next()){
+                var cfgRowName = cfgRs.getColumnValue(cfgColIdx['name']);
+                if (String(cfgRowName).toUpperCase() === String(cfgName).toUpperCase()){
+                    var cfgRowStatus = cfgRs.getColumnValue(cfgColIdx['status']);
+                    cfgDone = String(cfgRowStatus).toUpperCase() === 'DONE';
+                    break;
+                }
+            }
+        } catch(e) {
+            snowflake.log("warn", `CHECK_CONNECTION_PROGRESS: could not list configuration definitions: ${String(e)}`);
+        }
+    }
+
+    return {
+        "success": true,
+        "data": {
+            "latest_eai_spec_revision_approved": latestEaiApproved,
+            "latest_si_spec_revision_approved":  latestSiApproved,
+            "oauth_secret_configuration_done":   cfgDone
+        }
+    };
+}
+catch(e){
+    return {
+        "success": false,
+        "error": `CHECK_CONNECTION_PROGRESS: ${String(e)}`
+    };
+}
+$$
+;
+
+grant usage on procedure PLUGIN.CHECK_CONNECTION_PROGRESS(OBJECT)
+to application role OMNATA_MANAGEMENT;

{omnata_plugin_devkit-0.13.0a159 → omnata_plugin_devkit-0.13.1}/src/omnata_plugin_devkit/jinja_templates/CONFIGURE_APIS.sql.jinja

@@ -142,6 +142,11 @@ try{
     var candidateEais = [];
     while (showEaiResults.next()) {
         var eaiName = showEaiResults.getColumnValue(1);
+        var eaiEnabled = showEaiResults.getColumnValue(4);
+        if (eaiEnabled === false || String(eaiEnabled).toLowerCase() === 'false'){
+            snowflake.log("warn", `Excluding EAI ${eaiName} because it is disabled (enabled=false)`);
+            continue;
+        }
         if (eaiName.includes('__') || registeredV1EaiNames.has(eaiName)) {
             if (registeredV1EaiNames.has(eaiName)){
                 snowflake.log("warn",`Legacy EAI still in use: ${eaiName}`)

omnata_plugin_devkit-0.13.1/src/omnata_plugin_devkit/jinja_templates/GET_MISSING_APP_PRIVILEGES.sql.jinja

@@ -0,0 +1,35 @@
+create or replace procedure PLUGIN.GET_MISSING_APP_PRIVILEGES()
+returns object
+language python
+RUNTIME_VERSION = '3.10'
+PACKAGES = ('snowflake-snowpark-python','snowflake-native-apps-permission')
+HANDLER = 'run'
+COMMENT = $$
+Returns the list of account-level privileges this application has requested but the consumer
+has not yet granted. Wraps snowflake.permissions.get_missing_account_privileges.
+$$
+execute as owner
+as
+$$
+from snowflake.permissions import get_missing_account_privileges
+
+def run(session):
+   try:
+      missing = get_missing_account_privileges([
+         'CREATE EXTERNAL ACCESS INTEGRATION',
+         'CREATE SECURITY INTEGRATION'
+      ])
+      return {
+         "success": True,
+         "data": list(missing) if missing is not None else []
+      }
+   except Exception as exception:
+      return {
+         "success": False,
+         "error": f"GET_MISSING_APP_PRIVILEGES: {str(exception)}"
+      }
+$$
+;
+
+grant usage on procedure PLUGIN.GET_MISSING_APP_PRIVILEGES()
+to application role OMNATA_MANAGEMENT;

omnata_plugin_devkit-0.13.1/src/omnata_plugin_devkit/jinja_templates/LIST_APP_SPECIFICATIONS.sql.jinja

@@ -0,0 +1,40 @@
+create or replace procedure PLUGIN.LIST_APP_SPECIFICATIONS()
+   returns object
+   language javascript
+   COMMENT = $$
+   Runs SHOW SPECIFICATIONS and returns the rows as an array of objects keyed by column name.
+   $$
+   execute as owner
+as
+$$
+try{
+    var rs = snowflake.createStatement({ sqlText: `show specifications`, binds: [] }).execute();
+    var colCount = rs.getColumnCount();
+    var colNames = [];
+    for (var i = 1; i <= colCount; i++) {
+        colNames.push(rs.getColumnName(i));
+    }
+    var results = [];
+    while (rs.next()) {
+        var row = {};
+        for (var i = 1; i <= colCount; i++) {
+            row[colNames[i - 1]] = rs.getColumnValue(i);
+        }
+        results.push(row);
+    }
+    return {
+        "success": true,
+        "data": results
+    };
+}
+catch(e){
+    return {
+        "success": false,
+        "error": `LIST_APP_SPECIFICATIONS: ${String(e)}`
+    };
+}
+$$
+;
+
+grant usage on procedure PLUGIN.LIST_APP_SPECIFICATIONS()
+to application role OMNATA_MANAGEMENT;

{omnata_plugin_devkit-0.13.0a159 → omnata_plugin_devkit-0.13.1}/src/omnata_plugin_devkit/jinja_templates/NETWORK_ADDRESSES.sql.jinja

@@ -16,6 +16,7 @@ execute as owner
 as
 $$
 from logging import getLogger
+from pydantic_core import to_jsonable_python
 from omnata_plugin_runtime.logging import log_exception
 import json
 logger = getLogger(__name__)
@@ -33,7 +34,7 @@ def run(session,connectivity_option,method,connection_parameters):
       logger.info(f'result from plugin: {result}')
       return {
          "success": True,
-         "data": result
+         "data": to_jsonable_python(result)
       }
    except Exception as exception:
       log_exception(exception,logger)

omnata_plugin_devkit-0.13.1/src/omnata_plugin_devkit/jinja_templates/SET_CONNECTION_OBJECTS.sql.jinja

@@ -0,0 +1,357 @@
+create or replace procedure PLUGIN.SET_CONNECTION_OBJECTS(PARAMETERS OBJECT)
+   returns object
+   language javascript
+   COMMENT = $$
+   Creates or replaces every Snowflake object required to provision a connection: network
+   rules, OAuth security integration, OAuth secret, secret authorization configuration,
+   other_secrets generic secret, External Access Integration, EAI application specification,
+   and Security Integration application specification. OAuth-related objects are only created
+   when oauth_security_integration_name is provided.
+
+   Expected keys on PARAMETERS:
+     external_access_integration_name             (required; account-level, no schema)
+     network_rule_name                            (required; unqualified — DATA schema is prepended)
+     network_addresses                            (required, array of strings)
+     network_rule_name_privatelink                (optional; unqualified — DATA schema is prepended)
+     network_rule_addresses_privatelink           (required if privatelink rule set)
+     oauth_security_integration_name              (optional; account-level, no schema — enables the oauth branch)
+     oauth_parameters                             (required if oauth SI set; object with
+                                                   oauth_grant, oauth_token_endpoint,
+                                                   oauth_authorization_endpoint,
+                                                   oauth_allowed_scopes, oauth_client_id,
+                                                   oauth_client_secret)
+     oauth_secret_name                            (optional; unqualified — DATA schema is prepended; requires oauth SI)
+     oauth_secret_configuration_name              (optional; application-scope, no schema; requires oauth_secret_name)
+     other_secrets_name                           (required; unqualified — DATA schema is prepended)
+     connection_secrets                           (optional object; merged into the generic secret
+                                                   contents, overwriting any matching keys from
+                                                   merge_with_secret_name)
+     merge_with_secret_name                       (optional; unqualified name of an existing generic
+                                                   secret in DATA whose contents are read via
+                                                   RETRIEVE_SECRETS_UDF and used as the baseline for
+                                                   the new other_secrets generic secret.)
+     external_access_integration_spec_name        (required; application-scope, no schema)
+     security_integration_spec_name               (optional; application-scope, no schema; requires oauth SI)
+     connection_slug                              (required; human-readable connection identifier
+                                                   included in spec labels/descriptions so the
+                                                   consumer knows which connection they are
+                                                   approving)
+   $$
+   execute as owner
+as
+$$
+try{
+    var p = PARAMETERS || {};
+
+    function isIdent(n){
+        return typeof n === 'string' && /^[A-Za-z_][A-Za-z0-9_$.]*$/.test(n) && n.length <= 255;
+    }
+    function isBareIdent(n){
+        return typeof n === 'string' && /^[A-Za-z_][A-Za-z0-9_$]*$/.test(n) && n.length <= 255;
+    }
+    function requireIdent(key){
+        if (!isIdent(p[key])){ throw `parameter '${key}' is required and must be a valid identifier`; }
+        return p[key];
+    }
+    function optIdent(key){
+        if (p[key] == null) return null;
+        if (!isIdent(p[key])){ throw `parameter '${key}' must be a valid identifier`; }
+        return p[key];
+    }
+    function requireBareIdent(key){
+        if (!isBareIdent(p[key])){ throw `parameter '${key}' is required and must be an unqualified identifier (no schema prefix; DATA. is prepended automatically)`; }
+        return p[key];
+    }
+    function optBareIdent(key){
+        if (p[key] == null) return null;
+        if (!isBareIdent(p[key])){ throw `parameter '${key}' must be an unqualified identifier (no schema prefix; DATA. is prepended automatically)`; }
+        return p[key];
+    }
+    function requireArrayOfStrings(key){
+        if (!Array.isArray(p[key])){ throw `parameter '${key}' must be an array of strings`; }
+        p[key].forEach(function(s){ if (typeof s !== 'string'){ throw `parameter '${key}' entries must be strings`; } });
+        return p[key];
+    }
+    function optArrayOfStrings(key){
+        if (p[key] == null) return null;
+        return requireArrayOfStrings(key);
+    }
+    function esc(s){ return String(s).replace(/'/g, "''"); }
+    function callProc(sql, binds){
+        var rs = snowflake.createStatement({sqlText: sql, binds: binds}).execute();
+        rs.next();
+        var r = rs.getColumnValue(1);
+        if (r && r.success === false){ throw r.error || `delegate proc failed: ${sql}`; }
+        return r;
+    }
+
+    // Required parameters.
+    var eaiName            = requireIdent('external_access_integration_name');
+    var networkRuleName    = requireBareIdent('network_rule_name');
+    var networkRuleFqn     = `DATA.${networkRuleName}`;
+    var networkAddresses   = requireArrayOfStrings('network_addresses');
+    var eaiSpecName        = requireIdent('external_access_integration_spec_name');
+    var connectionSlug     = p.connection_slug;
+    if (typeof connectionSlug !== 'string' || connectionSlug.length === 0 || connectionSlug.length > 255){
+        throw `parameter 'connection_slug' is required and must be a non-empty string`;
+    }
+
+    // Optional privatelink network rule.
+    var privatelinkRuleName   = optBareIdent('network_rule_name_privatelink');
+    var privatelinkRuleFqn    = privatelinkRuleName ? `DATA.${privatelinkRuleName}` : null;
+    var privatelinkAddresses  = optArrayOfStrings('network_rule_addresses_privatelink');
+    if (privatelinkRuleName && privatelinkAddresses === null){
+        throw `network_rule_addresses_privatelink is required when network_rule_name_privatelink is provided`;
+    }
+
+    // Optional OAuth bundle.
+    var oauthSiName            = optIdent('oauth_security_integration_name');
+    var oauthSecretName        = optBareIdent('oauth_secret_name');
+    var oauthSecretFqn         = oauthSecretName ? `DATA.${oauthSecretName}` : null;
+    var oauthSecretConfigName  = optIdent('oauth_secret_configuration_name');
+    var siSpecName             = optIdent('security_integration_spec_name');
+    var oauthParameters        = (typeof p.oauth_parameters === 'object' && p.oauth_parameters !== null) ? p.oauth_parameters : null;
+    if (oauthSiName && !oauthParameters){
+        throw `oauth_parameters (object) is required when oauth_security_integration_name is provided`;
+    }
+    if (oauthSecretName && !oauthSiName){
+        throw `oauth_security_integration_name is required when oauth_secret_name is provided`;
+    }
+    if (oauthSecretConfigName && !oauthSecretName){
+        throw `oauth_secret_name is required when oauth_secret_configuration_name is provided`;
+    }
+    if (siSpecName && !oauthSiName){
+        throw `oauth_security_integration_name is required when security_integration_spec_name is provided`;
+    }
+
+    // Other-secrets (mandatory) plus optional seed/merge inputs.
+    var otherSecretsName     = requireBareIdent('other_secrets_name');
+    var otherSecretsFqn      = `DATA.${otherSecretsName}`;
+    var mergeWithSecretName  = optBareIdent('merge_with_secret_name');
+    var connectionSecrets    = (typeof p.connection_secrets === 'object' && p.connection_secrets !== null && !Array.isArray(p.connection_secrets))
+                               ? p.connection_secrets
+                               : null;
+    if (p.connection_secrets != null && connectionSecrets === null){
+        throw `connection_secrets must be an object`;
+    }
+
+    snowflake.log("info", `SET_CONNECTION_OBJECTS: provisioning connection '${connectionSlug}' (EAI ${eaiName})`);
+
+    // (1) Direct network rule — delegate to CREATE_NETWORK_RULE_OBJECT.
+    callProc(
+        `call PLUGIN.CREATE_NETWORK_RULE_OBJECT(?, PARSE_JSON(?), ?)`,
+        [networkRuleFqn, JSON.stringify(networkAddresses), 'HOST_PORT']
+    );
+
+    // (2) Privatelink network rule — optional.
+    if (privatelinkRuleFqn){
+        callProc(
+            `call PLUGIN.CREATE_NETWORK_RULE_OBJECT(?, PARSE_JSON(?), ?)`,
+            [privatelinkRuleFqn, JSON.stringify(privatelinkAddresses), 'PRIVATE_HOST_PORT']
+        );
+    }
+
+    // (3) OAuth security integration — inline DDL (no existing proc).
+    if (oauthSiName){
+        var op = oauthParameters;
+        var oauthGrant        = String(op.oauth_grant || 'authorization_code').toLowerCase();
+        var oauthTokenEp      = op.oauth_token_endpoint || '';
+        var oauthAuthEp       = op.oauth_authorization_endpoint || '';
+        var oauthScopes       = Array.isArray(op.oauth_allowed_scopes) ? op.oauth_allowed_scopes : [];
+        var oauthClientId     = op.oauth_client_id;
+        var oauthClientSecret = op.oauth_client_secret;
+
+        if (oauthGrant !== 'authorization_code' && oauthGrant !== 'client_credentials'){
+            throw `oauth_parameters.oauth_grant must be 'authorization_code' or 'client_credentials'`;
+        }
+
+        var clauses = [
+            "TYPE = API_AUTHENTICATION",
+            "AUTH_TYPE = OAUTH2",
+            "OAUTH_CLIENT_AUTH_METHOD = CLIENT_SECRET_POST",
+            `OAUTH_GRANT = ${oauthGrant.toUpperCase()}`
+        ];
+        if (oauthGrant === 'authorization_code' && oauthAuthEp){
+            clauses.push(`OAUTH_AUTHORIZATION_ENDPOINT = '${esc(oauthAuthEp)}'`);
+        }
+        if (oauthTokenEp){
+            clauses.push(`OAUTH_TOKEN_ENDPOINT = '${esc(oauthTokenEp)}'`);
+        }
+        if (oauthScopes.length > 0){
+            var scopesList = oauthScopes.map(function(s){
+                if (typeof s !== 'string'){ throw `oauth_parameters.oauth_allowed_scopes entries must be strings`; }
+                return `'${esc(s)}'`;
+            }).join(', ');
+            clauses.push(`OAUTH_ALLOWED_SCOPES = (${scopesList})`);
+        }
+        if (oauthClientId != null){
+            if (typeof oauthClientId !== 'string'){ throw `oauth_parameters.oauth_client_id must be a string`; }
+            clauses.push(`OAUTH_CLIENT_ID = '${esc(oauthClientId)}'`);
+        }
+        if (oauthClientSecret != null){
+            if (typeof oauthClientSecret !== 'string'){ throw `oauth_parameters.oauth_client_secret must be a string`; }
+            clauses.push(`OAUTH_CLIENT_SECRET = '${esc(oauthClientSecret)}'`);
+        }
+        clauses.push("ENABLED = TRUE");
+
+        var siSql = `CREATE OR REPLACE SECURITY INTEGRATION IDENTIFIER(?)\n  ` + clauses.join('\n  ');
+        snowflake.log("info", `Executing SQL: ${siSql}`);
+        snowflake.createStatement({sqlText: siSql, binds: [oauthSiName]}).execute();
+        // USAGE on the security integration is required for any APPLICATION_ROLES listed in an
+        // ALTER APPLICATION SET CONFIGURATION DEFINITION SECRET_AUTHORIZATION (the referenced
+        // OAuth secret's API_AUTHENTICATION points to this integration).
+        snowflake.createStatement({
+            sqlText: `grant usage on integration IDENTIFIER(?) to application role OMNATA_MANAGEMENT`,
+            binds: [oauthSiName]
+        }).execute();
+    }
+
+    // (4) OAuth secret — delegate to CREATE_OAUTH_SECRET_OBJECT.
+    if (oauthSecretFqn){
+        callProc(`call PLUGIN.CREATE_OAUTH_SECRET_OBJECT(?, ?)`, [oauthSecretFqn, oauthSiName]);
+        // CREATE_OAUTH_SECRET_OBJECT grants USAGE only. MODIFY is required on the secret for
+        // any APPLICATION_ROLES listed in an ALTER APPLICATION SET CONFIGURATION DEFINITION
+        // SECRET_AUTHORIZATION, otherwise the configuration fails with
+        // "role ... is missing 'MODIFY' privilege on Secret".
+        snowflake.createStatement({
+            sqlText: `grant modify, usage on secret IDENTIFIER(?) to application role OMNATA_MANAGEMENT`,
+            binds: [oauthSecretFqn]
+        }).execute();
+    }
+
+    // (5) Secret authorization configuration.
+    // TODO: verify exact DDL and keywords against Snowflake docs; WebFetch was unavailable during authoring.
+    // https://docs.snowflake.com/en/developer-guide/native-apps/app-configuration-secret-authorization#step-5-create-the-secret-authorization-configuration
+    if (oauthSecretConfigName){
+        // The secret name alternates its trailing __A / __B suffix on each edit; include that
+        // letter in the label so the edit-flow configuration is distinct from the prior one
+        // (configuration definition labels must be unique).
+        var secretAlt      = oauthSecretName.slice(-1);
+        var cfgLabel       = `Authorize OAuth connection: ${connectionSlug} (${secretAlt})`;
+        var cfgDescription = `Complete the OAuth flow so this application can access the external service for connection '${connectionSlug}'`;
+        var cfgSql = `ALTER APPLICATION SET CONFIGURATION DEFINITION ${oauthSecretConfigName}\n` +
+                     `  TYPE = SECRET_AUTHORIZATION\n` +
+                     `  SECRET = ${oauthSecretFqn}\n` +
+                     `  LABEL = '${esc(cfgLabel)}'\n` +
+                     `  DESCRIPTION = '${esc(cfgDescription)}'\n` +
+                     `  APPLICATION_ROLES = (OMNATA_MANAGEMENT)`;
+        snowflake.log("info", `Executing SQL: ${cfgSql}`);
+        snowflake.createStatement({sqlText: cfgSql, binds: []}).execute();
+    }
+
+    // (6) Other secrets — seeded from an existing secret and/or caller-supplied values.
+    var seedSecrets = {};
+    if (mergeWithSecretName){
+        // RETRIEVE_SECRETS_UDF reads the secret contents via _snowflake.get_generic_secret_string,
+        // which takes the binding alias (the unqualified name) — not the FQN. The source secret
+        // must already be bound to RETRIEVE_SECRETS_UDF via a prior CONFIGURE_APIS run.
+        // Passing NULL for the OAuth secret name keeps the access_token key out of the returned object.
+        var seedRs = snowflake.createStatement({
+            sqlText: `select PLUGIN.RETRIEVE_SECRETS_UDF(NULL, ?)`,
+            binds: [mergeWithSecretName]
+        }).execute();
+        seedRs.next();
+        var seedValue = seedRs.getColumnValue(1);
+        if (seedValue && typeof seedValue === 'object'){
+            seedSecrets = seedValue;
+        }
+    }
+    if (connectionSecrets){
+        Object.keys(connectionSecrets).forEach(function(k){
+            seedSecrets[k] = connectionSecrets[k];
+        });
+    }
+    callProc(`call PLUGIN.CREATE_GENERIC_SECRET_OBJECT(?, ?)`, [otherSecretsFqn, JSON.stringify(seedSecrets)]);
+
+    // (7) External Access Integration.
+    var eaiRules = [networkRuleFqn];
+    if (privatelinkRuleFqn){ eaiRules.push(privatelinkRuleFqn); }
+    var eaiSecrets = [otherSecretsFqn];
+    if (oauthSecretFqn){ eaiSecrets.push(oauthSecretFqn); }
+
+    var eaiRulesSql = eaiRules.join(', ');
+    var eaiSecretsClause = '';
+    if (eaiSecrets.length > 0){
+        eaiSecretsClause = `\n  ALLOWED_AUTHENTICATION_SECRETS = (${eaiSecrets.join(', ')})`;
+    }
+    var eaiSql = `CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION IDENTIFIER(?)\n` +
+                 `  ALLOWED_NETWORK_RULES = (${eaiRulesSql})` +
+                 eaiSecretsClause + `\n` +
+                 `  ENABLED = FALSE`;
+    snowflake.log("info", `Executing SQL: ${eaiSql}`);
+    snowflake.createStatement({sqlText: eaiSql, binds: [eaiName]}).execute();
+    // Grant USAGE so the sync engine (via OMNATA_MANAGEMENT) can see/use the EAI.
+    snowflake.createStatement({
+        sqlText: `grant usage on integration IDENTIFIER(?) to application role OMNATA_MANAGEMENT`,
+        binds: [eaiName]
+    }).execute();
+
+    // (8) EAI application specification — delegate to SET_EAI_SPECIFICATION.
+    // Unlike for security integrations/configurations, this specification does not need to alternate when editing as it's not bound to any objects
+    var eaiSpecProps = {
+        LABEL: `External access for connection: ${connectionSlug}`,
+        DESCRIPTION: `Allows this app to communicate with external services for connection '${connectionSlug}'`,
+        HOST_PORTS: networkAddresses
+    };
+    if (privatelinkAddresses){
+        eaiSpecProps.PRIVATE_HOST_PORTS = privatelinkAddresses;
+    }
+    callProc(
+        `call PLUGIN.SET_EAI_SPECIFICATION(?, PARSE_JSON(?))`,
+        [eaiSpecName, JSON.stringify(eaiSpecProps)]
+    );
+
+    // (9) SI application specification — delegate to SET_SI_SPECIFICATION (OAuth only).
+    if (siSpecName){
+        var op2 = oauthParameters;
+        var grantUc = String(op2.oauth_grant || 'authorization_code').toUpperCase();
+        // Include the alternating suffix letter so the edit-flow spec gets a distinct label.
+        var siSpecAlt = siSpecName.slice(-1);
+        var siSpecProps = {
+            LABEL: `OAuth integration for connection: ${connectionSlug} (${siSpecAlt})`,
+            DESCRIPTION: `Allows this app to use an OAuth security integration for connection '${connectionSlug}'`,
+            OAUTH_TYPE: grantUc
+        };
+        if (op2.oauth_token_endpoint){
+            siSpecProps.OAUTH_TOKEN_ENDPOINT = op2.oauth_token_endpoint;
+        }
+        if (grantUc === 'AUTHORIZATION_CODE' && op2.oauth_authorization_endpoint){
+            siSpecProps.OAUTH_AUTHORIZATION_ENDPOINT = op2.oauth_authorization_endpoint;
+        }
+        if (Array.isArray(op2.oauth_allowed_scopes) && op2.oauth_allowed_scopes.length > 0){
+            siSpecProps.OAUTH_ALLOWED_SCOPES = op2.oauth_allowed_scopes;
+        }
+        callProc(
+            `call PLUGIN.SET_SI_SPECIFICATION(?, PARSE_JSON(?))`,
+            [siSpecName, JSON.stringify(siSpecProps)]
+        );
+    }
+
+    return {
+        "success": true,
+        "data": {
+            "connection_slug": connectionSlug,
+            "external_access_integration_name": eaiName,
+            "network_rule_name": networkRuleFqn,
+            "network_rule_name_privatelink": privatelinkRuleFqn,
+            "oauth_security_integration_name": oauthSiName,
+            "oauth_secret_name": oauthSecretFqn,
+            "oauth_secret_configuration_name": oauthSecretConfigName,
+            "other_secrets_name": otherSecretsFqn,
+            "external_access_integration_spec_name": eaiSpecName,
+            "security_integration_spec_name": siSpecName
+        }
+    };
+}
+catch(e){
+    snowflake.log("error", e);
+    return {
+        "success": false,
+        "error": `SET_CONNECTION_OBJECTS: ${String(e)}`
+    };
+}
+$$
+;
+
+grant usage on procedure PLUGIN.SET_CONNECTION_OBJECTS(OBJECT)
+to application role OMNATA_MANAGEMENT;

omnata_plugin_devkit-0.13.1/src/omnata_plugin_devkit/jinja_templates/SET_EAI_ENABLED.sql.jinja

@@ -0,0 +1,43 @@
+create or replace procedure PLUGIN.SET_EAI_ENABLED(EAI_NAME VARCHAR, ENABLED BOOLEAN)
+   returns object
+   language javascript
+   COMMENT = $$
+   Enables or disables an External Access Integration owned by this application via
+   ALTER EXTERNAL ACCESS INTEGRATION <name> SET ENABLED = TRUE|FALSE.
+   $$
+   execute as owner
+as
+$$
+try{
+    if (typeof EAI_NAME !== 'string' || EAI_NAME.length === 0 || EAI_NAME.length > 255){
+        throw `SET_EAI_ENABLED: EAI_NAME must be a non-empty string`;
+    }
+    /*
+    From docs:
+    The values true and false are represented by 1 and 0 respectively. 
+    Note that this behavior may change in future releases, so you should rely 
+    on JavaScript truthiness rather than direct value comparisons.
+    */
+    var enabledSql = ENABLED ? 'TRUE' : 'FALSE';
+    var sql = `ALTER EXTERNAL ACCESS INTEGRATION IDENTIFIER(?) SET ENABLED = ${enabledSql}`;
+    snowflake.log("info", `Executing SQL: ${sql}`);
+    snowflake.createStatement({sqlText: sql, binds: [EAI_NAME]}).execute();
+    return {
+        "success": true,
+        "data": {
+            "name": EAI_NAME,
+            "enabled": ENABLED
+        }
+    };
+}
+catch(e){
+    return {
+        "success": false,
+        "error": `SET_EAI_ENABLED: ${String(e)}`
+    };
+}
+$$
+;
+
+grant usage on procedure PLUGIN.SET_EAI_ENABLED(VARCHAR, BOOLEAN)
+to application role OMNATA_MANAGEMENT;

omnata_plugin_devkit-0.13.1/src/omnata_plugin_devkit/jinja_templates/SET_EAI_SPECIFICATION.sql.jinja

@@ -0,0 +1,61 @@
+create or replace procedure PLUGIN.SET_EAI_SPECIFICATION(SPEC_NAME VARCHAR, PROPERTIES OBJECT)
+   returns object
+   language javascript
+   COMMENT = $$
+   Sets an EXTERNAL_ACCESS application specification via ALTER APPLICATION SET SPECIFICATION.
+   TYPE is hard-coded to EXTERNAL_ACCESS. Permitted properties:
+   LABEL, DESCRIPTION, HOST_PORTS, PRIVATE_HOST_PORTS.
+   Raises an error if any input is invalid or the ALTER fails.
+   $$
+   execute as owner
+as
+$$
+    // Validate spec name as a simple identifier so it can be safely interpolated
+    // into ALTER APPLICATION SET SPECIFICATION <name>.
+    if (typeof SPEC_NAME !== 'string' || !/^[A-Za-z_][A-Za-z0-9_$]*$/.test(SPEC_NAME) || SPEC_NAME.length > 255) {
+        throw `SET_EAI_SPECIFICATION: invalid specification name`;
+    }
+    var props = PROPERTIES || {};
+    var allowed = ['LABEL', 'DESCRIPTION', 'HOST_PORTS', 'PRIVATE_HOST_PORTS'];
+    function escSql(s) {
+        return String(s).replace(/'/g, "''");
+    }
+    var clauses = [`TYPE = EXTERNAL_ACCESS`];
+    Object.keys(props).forEach(function(key){
+        var upperKey = key.toUpperCase();
+        if (allowed.indexOf(upperKey) === -1) {
+            throw `SET_EAI_SPECIFICATION: property ${key} is not permitted`;
+        }
+        var value = props[key];
+        if (upperKey === 'LABEL' || upperKey === 'DESCRIPTION') {
+            if (typeof value !== 'string') {
+                throw `SET_EAI_SPECIFICATION: ${upperKey} must be a string`;
+            }
+            clauses.push(`${upperKey} = '${escSql(value)}'`);
+        } else if (upperKey === 'HOST_PORTS' || upperKey === 'PRIVATE_HOST_PORTS') {
+            if (!Array.isArray(value)) {
+                throw `SET_EAI_SPECIFICATION: ${upperKey} must be an array of strings`;
+            }
+            var listSql = value.map(function(v){
+                if (typeof v !== 'string') {
+                    throw `SET_EAI_SPECIFICATION: ${upperKey} entries must be strings`;
+                }
+                return `'${escSql(v)}'`;
+            }).join(', ');
+            clauses.push(`${upperKey} = (${listSql})`);
+        }
+    });
+    var sql = `ALTER APPLICATION SET SPECIFICATION ${SPEC_NAME}\n  ` + clauses.join('\n  ');
+    snowflake.log("info", `Executing SQL: ${sql}`);
+    snowflake.createStatement({ sqlText: sql, binds: [] }).execute();
+    return {
+        "success": true,
+        "data": {
+            "name": SPEC_NAME
+        }
+    };
+$$
+;
+
+grant usage on procedure PLUGIN.SET_EAI_SPECIFICATION(VARCHAR, OBJECT)
+to application role OMNATA_MANAGEMENT;

omnata_plugin_devkit-0.13.1/src/omnata_plugin_devkit/jinja_templates/SET_SI_SPECIFICATION.sql.jinja

@@ -0,0 +1,69 @@
+create or replace procedure PLUGIN.SET_SI_SPECIFICATION(SPEC_NAME VARCHAR, PROPERTIES OBJECT)
+   returns object
+   language javascript
+   COMMENT = $$
+   Sets a SECURITY_INTEGRATION application specification via ALTER APPLICATION SET SPECIFICATION.
+   TYPE is hard-coded to SECURITY_INTEGRATION. Permitted properties:
+   LABEL, DESCRIPTION, OAUTH_TYPE (AUTHORIZATION_CODE or CLIENT_CREDENTIALS),
+   OAUTH_TOKEN_ENDPOINT, OAUTH_ALLOWED_SCOPES, OAUTH_AUTHORIZATION_ENDPOINT.
+   Raises an error if any input is invalid or the ALTER fails.
+   $$
+   execute as owner
+as
+$$
+    // Validate spec name as a simple identifier so it can be safely interpolated
+    // into ALTER APPLICATION SET SPECIFICATION <name>.
+    if (typeof SPEC_NAME !== 'string' || !/^[A-Za-z_][A-Za-z0-9_$]*$/.test(SPEC_NAME) || SPEC_NAME.length > 255) {
+        throw `SET_SI_SPECIFICATION: invalid specification name`;
+    }
+    var props = PROPERTIES || {};
+    var stringProps = ['LABEL', 'DESCRIPTION', 'OAUTH_TOKEN_ENDPOINT', 'OAUTH_AUTHORIZATION_ENDPOINT'];
+    var allowedOauthTypes = ['AUTHORIZATION_CODE', 'CLIENT_CREDENTIALS'];
+    var allowed = stringProps.concat(['OAUTH_TYPE', 'OAUTH_ALLOWED_SCOPES']);
+    function escSql(s) {
+        return String(s).replace(/'/g, "''");
+    }
+    var clauses = [`TYPE = SECURITY_INTEGRATION`];
+    Object.keys(props).forEach(function(key){
+        var upperKey = key.toUpperCase();
+        if (allowed.indexOf(upperKey) === -1) {
+            throw `SET_SI_SPECIFICATION: property ${key} is not permitted`;
+        }
+        var value = props[key];
+        if (stringProps.indexOf(upperKey) !== -1) {
+            if (typeof value !== 'string') {
+                throw `SET_SI_SPECIFICATION: ${upperKey} must be a string`;
+            }
+            clauses.push(`${upperKey} = '${escSql(value)}'`);
+        } else if (upperKey === 'OAUTH_TYPE') {
+            if (typeof value !== 'string' || allowedOauthTypes.indexOf(value.toUpperCase()) === -1) {
+                throw `SET_SI_SPECIFICATION: OAUTH_TYPE must be one of: ${allowedOauthTypes.join(', ')}`;
+            }
+            clauses.push(`OAUTH_TYPE = ${value.toUpperCase()}`);
+        } else if (upperKey === 'OAUTH_ALLOWED_SCOPES') {
+            if (!Array.isArray(value)) {
+                throw `SET_SI_SPECIFICATION: OAUTH_ALLOWED_SCOPES must be an array of strings`;
+            }
+            var listSql = value.map(function(v){
+                if (typeof v !== 'string') {
+                    throw `SET_SI_SPECIFICATION: OAUTH_ALLOWED_SCOPES entries must be strings`;
+                }
+                return `'${escSql(v)}'`;
+            }).join(', ');
+            clauses.push(`OAUTH_ALLOWED_SCOPES = (${listSql})`);
+        }
+    });
+    var sql = `ALTER APPLICATION SET SPECIFICATION ${SPEC_NAME}\n  ` + clauses.join('\n  ');
+    snowflake.log("info", `Executing SQL: ${sql}`);
+    snowflake.createStatement({ sqlText: sql, binds: [] }).execute();
+    return {
+        "success": true,
+        "data": {
+            "name": SPEC_NAME
+        }
+    };
+$$
+;
+
+grant usage on procedure PLUGIN.SET_SI_SPECIFICATION(VARCHAR, OBJECT)
+to application role OMNATA_MANAGEMENT;

{omnata_plugin_devkit-0.13.0a159 → omnata_plugin_devkit-0.13.1}/src/omnata_plugin_devkit/jinja_templates/manifest.yml.jinja

@@ -28,3 +28,8 @@ configuration:
     - type: METRICS
       sharing: OPTIONAL
 
+privileges:
+  - CREATE EXTERNAL ACCESS INTEGRATION:
+      description: "To create external access integrations for Omnata to communicate with external services"
+  - CREATE SECURITY INTEGRATION:
+      description: "To create security integrations for OAuth"

{omnata_plugin_devkit-0.13.0a159 → omnata_plugin_devkit-0.13.1}/src/omnata_plugin_devkit/native_app_packaging.py

@@ -81,7 +81,6 @@ class NativeAppPackaging:
         application_name: str,
         version_name: str,
         patch_number: Optional[int] = None,
-        debug_mode: bool = True,
         authorize_telemetry_event_sharing: bool = True,
     ) -> bool:
         """
@@ -109,7 +108,6 @@ class NativeAppPackaging:
                 f"""CREATE APPLICATION {application_name} 
                                         FROM APPLICATION PACKAGE {self.package_name}
                                         USING VERSION {version_name} patch {patch_number}
-                                        DEBUG_MODE={str(debug_mode).upper()}
                                         AUTHORIZE_TELEMETRY_EVENT_SHARING={str(authorize_telemetry_event_sharing).upper()}"""
             ).collect()
             return True

{omnata_plugin_devkit-0.13.0a159 → omnata_plugin_devkit-0.13.1}/src/omnata_plugin_devkit/plugin_uploader.py

@@ -485,7 +485,16 @@ class PluginUploader:
                 "RETRIEVE_NETWORK_RULE_OBJECT",
                 "POST_INSTALL_ACTIONS",
                 "RENAME_CONNECTION_METHODS",
-                "RETRIEVE_SECRETS_UDF"
+                "RETRIEVE_SECRETS_UDF",
+                "SET_EAI_SPECIFICATION",
+                "SET_SI_SPECIFICATION",
+                "LIST_APP_SPECIFICATIONS",
+                "SET_CONNECTION_OBJECTS",
+                "CHECK_CONNECTION_PROGRESS",
+                "DROP_SECRETS",
+                "DROP_NETWORK_RULES",
+                "SET_EAI_ENABLED",
+                "GET_MISSING_APP_PRIVILEGES"
             ]:
                 template = environment.get_template(f"{proc_template}.sql.jinja")
                 content = template.render({