omnata-plugin-devkit 0.13.2a184__tar.gz → 0.13.2a186__tar.gz

{omnata_plugin_devkit-0.13.2a184 → omnata_plugin_devkit-0.13.2a186}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: omnata-plugin-devkit
-Version: 0.13.2a184
+Version: 0.13.2a186
 Summary: 
 License-File: LICENSE
 Author: James Weakley

{omnata_plugin_devkit-0.13.2a184 → omnata_plugin_devkit-0.13.2a186}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "omnata-plugin-devkit"
-version = "0.13.2a184"
+version = "0.13.2a186"
 description = ""
 authors = ["James Weakley <james.weakley@omnata.com>"]
 readme = "README.md"

omnata_plugin_devkit-0.13.2a186/src/omnata_plugin_devkit/jinja_templates/CREATE_GENERIC_SECRET_OBJECT.sql.jinja

@@ -0,0 +1,50 @@
+create or replace procedure PLUGIN.CREATE_GENERIC_SECRET_OBJECT(SECRET_NAME VARCHAR, SECRET_CONTENTS VARCHAR)
+returns object
+language python
+RUNTIME_VERSION = '3.10'
+PACKAGES = ({{packages}})
+HANDLER = 'run'
+COMMENT = $$
+Creates a generic secret object. SECRET_STRING is written via a dollar-quoted
+literal rather than a bind parameter: bind binding for SECRET_STRING = ? was
+observed to interpret backslash escapes inside the value, turning a JSON `\n`
+two-byte escape into a raw LF byte and corrupting the stored JSON. Dollar
+quoting is byte-faithful.
+$$
+execute as owner
+as
+$$
+from logging import getLogger
+logger = getLogger(__name__)
+
+# Avoid putting two literal dollar signs in this proc body (the body itself
+# is dollar-quoted, so a stray `$$` would close it early).
+_TWO_DOLLARS = "$" + "$"
+
+
+def run(session, secret_name, secret_contents):
+   try:
+      if secret_contents is None:
+         secret_contents = ""
+      if _TWO_DOLLARS in secret_contents:
+         raise ValueError(
+            "secret_contents contains '" + _TWO_DOLLARS + "', which is "
+            "currently not supported due to Snowflake delimiter requirements."
+         )
+      sql = (
+         "CREATE OR REPLACE SECRET IDENTIFIER(?) TYPE = GENERIC_STRING "
+         "SECRET_STRING = " + _TWO_DOLLARS + secret_contents + _TWO_DOLLARS
+      )
+      session.sql(sql, params=[secret_name]).collect()
+      session.sql(
+         "grant usage on secret IDENTIFIER(?) to application role OMNATA_MANAGEMENT",
+         params=[secret_name],
+      ).collect()
+      return {"success": True, "data": None}
+   except Exception as e:
+      return {"success": False, "error": f"CREATE_GENERIC_SECRET_OBJECT: {str(e)}"}
+$$
+;
+
+grant usage on procedure PLUGIN.CREATE_GENERIC_SECRET_OBJECT(VARCHAR, VARCHAR)
+to application role OMNATA_MANAGEMENT;

omnata_plugin_devkit-0.13.2a186/src/omnata_plugin_devkit/jinja_templates/CREATE_GENERIC_SECRET_OBJECT_FROM_EXISTING.sql.jinja

@@ -0,0 +1,82 @@
+create or replace procedure PLUGIN.CREATE_GENERIC_SECRET_OBJECT_FROM_EXISTING(
+   SECRET_NAME VARCHAR,
+   SECRET_TO_CLONE VARCHAR,
+   KEYS_TO_INCLUDE ARRAY,
+   NEW_CONTENTS_TO_MERGE VARCHAR DEFAULT NULL
+)
+returns object
+language python
+RUNTIME_VERSION = '3.10'
+PACKAGES = ({{packages}})
+HANDLER = 'run'
+COMMENT = $$
+Creates a generic secret object using an existing secret as the seed.
+  - KEYS_TO_INCLUDE (optional): if provided, restrict the cloned content to
+    these keys before any merging.
+  - NEW_CONTENTS_TO_MERGE (optional): JSON object string whose entries are
+    merged on top of the cloned content (overwriting matching keys). Use
+    this to add or update fields in one shot without a second proc call.
+The write itself is delegated to CREATE_GENERIC_SECRET_OBJECT, which uses a
+dollar-quoted SECRET_STRING literal to avoid bind-parameter escape
+interpretation that corrupts newlines in PEM values.
+$$
+execute as owner
+as
+$$
+import json
+from logging import getLogger
+logger = getLogger(__name__)
+
+
+def _call_proc(session, sql, params):
+   rows = session.sql(sql, params=params).collect()
+   if not rows:
+      raise RuntimeError(f"delegate proc returned no rows: {sql}")
+   val = rows[0][0]
+   if isinstance(val, str):
+      try:
+         val = json.loads(val)
+      except json.JSONDecodeError:
+         pass
+   if isinstance(val, dict) and val.get('success') is False:
+      raise RuntimeError(val.get('error') or f"delegate proc failed: {sql}")
+   return val.get('data') if isinstance(val, dict) else val
+
+
+def run(session, secret_name, secret_to_clone, keys_to_include, new_contents_to_merge):
+   try:
+      existing = _call_proc(
+         session,
+         "call PLUGIN.RETRIEVE_SECRETS(NULL, ?)",
+         [secret_to_clone],
+      ) or {}
+      if not isinstance(existing, dict):
+         existing = {}
+      if keys_to_include is not None:
+         existing = {k: existing[k] for k in keys_to_include if k in existing}
+      if new_contents_to_merge is not None:
+         try:
+            new_dict = json.loads(new_contents_to_merge)
+         except (TypeError, json.JSONDecodeError) as parse_err:
+            raise ValueError(
+               f"NEW_CONTENTS_TO_MERGE must be a JSON object string: {parse_err}"
+            ) from parse_err
+         if not isinstance(new_dict, dict):
+            raise ValueError("NEW_CONTENTS_TO_MERGE must decode to a JSON object")
+         existing = {**existing, **new_dict}
+      _call_proc(
+         session,
+         "call PLUGIN.CREATE_GENERIC_SECRET_OBJECT(?, ?)",
+         [secret_name, json.dumps(existing)],
+      )
+      return {"success": True, "data": None}
+   except Exception as e:
+      return {
+         "success": False,
+         "error": f"CREATE_GENERIC_SECRET_OBJECT_FROM_EXISTING: {str(e)}",
+      }
+$$
+;
+
+grant usage on procedure PLUGIN.CREATE_GENERIC_SECRET_OBJECT_FROM_EXISTING(VARCHAR, VARCHAR, ARRAY, VARCHAR)
+to application role OMNATA_MANAGEMENT;

{omnata_plugin_devkit-0.13.2a184 → omnata_plugin_devkit-0.13.2a186}/src/omnata_plugin_devkit/jinja_templates/RETRIEVE_SECRETS_UDF.sql.jinja

@@ -25,13 +25,11 @@ def run(oauth_secret_name,other_secrets_name):
                other_secrets_name
             )
             if len(secret_string_content) > 2:
-               logger.info(f"Raw secret string: {secret_string_content}")
                other_secrets = json.loads(secret_string_content)
                connection_secrets = {
                   **connection_secrets,
                   **other_secrets,
                }
-               logger.info(f"Parsed secret string: {connection_secrets}")
       except Exception as exception:
             logger.error(f"Error parsing secrets content for secret {other_secrets_name}: {str(exception)}")
             raise ValueError(f"Error parsing secrets content: {str(exception)}") from exception

{omnata_plugin_devkit-0.13.2a184 → omnata_plugin_devkit-0.13.2a186}/src/omnata_plugin_devkit/jinja_templates/SET_CONNECTION_OBJECTS.sql.jinja

@@ -244,36 +244,25 @@ def run(session, parameters):
          logger.info(f"Executing SQL: {cfg_sql}")
          session.sql(cfg_sql).collect()
 
-      # (6) Other secrets — seeded from an existing secret and/or caller-supplied values.
-      seed_secrets = {}
+      # (6) Other secrets — delegate to CREATE_GENERIC_SECRET_OBJECT[_FROM_EXISTING].
+      # Both procs write SECRET_STRING via a dollar-quoted literal; binding via
+      # SECRET_STRING = ? is byte-faithful for the value's bytes BUT interprets
+      # backslash escapes inside that VARCHAR (turning `\n` into a raw LF), which
+      # corrupts PEM-bearing JSON. Keep the read+merge logic centralised in
+      # CREATE_GENERIC_SECRET_OBJECT_FROM_EXISTING rather than duplicating it here.
+      new_contents_json = json.dumps(connection_secrets or {})
       if merge_with_secret_name:
-         # RETRIEVE_SECRETS_UDF reads the secret contents via _snowflake.get_generic_secret_string,
-         # which takes the binding alias (the unqualified name) — not the FQN. The source secret
-         # must already be bound to RETRIEVE_SECRETS_UDF via a prior CONFIGURE_APIS run.
-         # Passing NULL for the OAuth secret name keeps the access_token key out of the returned object.
-         seed_rows = session.sql(
-            "select PLUGIN.RETRIEVE_SECRETS_UDF(NULL, ?)",
-            params=[merge_with_secret_name],
-         ).collect()
-         seed_value = seed_rows[0][0] if seed_rows else None
-         if isinstance(seed_value, str):
-            try:
-               seed_value = json.loads(seed_value)
-            except json.JSONDecodeError:
-               seed_value = None
-         if isinstance(seed_value, dict):
-            seed_secrets = dict(seed_value)
-      if connection_secrets:
-         for k, v in connection_secrets.items():
-            seed_secrets[k] = v
-      # json.dumps emits strict JSON: every U+0000–U+001F byte is escaped, so PEM line breaks
-      # in caller-supplied values land in SECRET_STRING as `\n` (two bytes) rather than as a
-      # raw LF that would later trip strict json.loads on the read paths.
-      _call_proc(
-         session,
-         "call PLUGIN.CREATE_GENERIC_SECRET_OBJECT(?, ?)",
-         [other_secrets_fqn, json.dumps(seed_secrets)],
-      )
+         _call_proc(
+            session,
+            "call PLUGIN.CREATE_GENERIC_SECRET_OBJECT_FROM_EXISTING(?, ?, NULL, ?)",
+            [other_secrets_fqn, merge_with_secret_name, new_contents_json],
+         )
+      else:
+         _call_proc(
+            session,
+            "call PLUGIN.CREATE_GENERIC_SECRET_OBJECT(?, ?)",
+            [other_secrets_fqn, new_contents_json],
+         )
 
       # (7) External Access Integration.
       eai_rules = [network_rule_fqn]

omnata_plugin_devkit-0.13.2a184/src/omnata_plugin_devkit/jinja_templates/CREATE_GENERIC_SECRET_OBJECT.sql.jinja

@@ -1,35 +0,0 @@
-create or replace procedure PLUGIN.CREATE_GENERIC_SECRET_OBJECT(SECRET_NAME VARCHAR,SECRET_CONTENTS VARCHAR)
-   returns object
-   language javascript
-   COMMENT = $$
-   Creates a generic secret object.
-   $$
-   execute as owner
-as
-$$
-try{
-   snowflake.createStatement( {
-      sqlText: `CREATE OR REPLACE SECRET IDENTIFIER(?) TYPE = GENERIC_STRING SECRET_STRING = ?`,
-      binds:[SECRET_NAME,SECRET_CONTENTS]
-   } ).execute();
-   snowflake.createStatement( {
-      sqlText: `grant usage on secret IDENTIFIER(?) to application role OMNATA_MANAGEMENT`,
-      binds:[SECRET_NAME]
-   } ).execute();
-    return {
-        "success": true,
-        "data": null
-    }
-}
-catch(e){
-   return {
-      "success": false,
-      "error": `CREATE_GENERIC_SECRET_OBJECT: ${String(e)}`
-   }
-}
-$$
-;
-
-grant usage on procedure PLUGIN.CREATE_GENERIC_SECRET_OBJECT(VARCHAR,VARCHAR)
-to application role OMNATA_MANAGEMENT;
-

omnata_plugin_devkit-0.13.2a184/src/omnata_plugin_devkit/jinja_templates/CREATE_GENERIC_SECRET_OBJECT_FROM_EXISTING.sql.jinja

@@ -1,55 +0,0 @@
-create or replace procedure PLUGIN.CREATE_GENERIC_SECRET_OBJECT_FROM_EXISTING(SECRET_NAME VARCHAR,SECRET_TO_CLONE VARCHAR,KEYS_TO_INCLUDE ARRAY)
-   returns object
-   language javascript
-   COMMENT = $$
-   Creates a generic secret object, using an existing object as a starting point.
-   $$
-   execute as owner
-as
-$$
-try{
-   // retrieve the existing secrets
-   var results = snowflake.createStatement( {
-         sqlText: `call RETRIEVE_SECRETS(null,?)`,
-         binds:[SECRET_TO_CLONE]
-      } ).execute();
-   results.next();
-   var procResult = results.getColumnValue(1);
-   if (procResult.success===false){
-      throw procResult.error;
-   }
-   var existingSecrets = procResult.data;
-   if (KEYS_TO_INCLUDE != null){
-      // pick out the specific keys from the KEYS_TO_INCLUDE array
-      existingSecrets = KEYS_TO_INCLUDE.reduce((acc,key) => {
-         acc[key] = existingSecrets[key];
-         return acc;
-      }, {})
-   }
-   // create the secret object by calling the regular proc
-   var results = snowflake.createStatement( {
-         sqlText: `call CREATE_GENERIC_SECRET_OBJECT(?,?)`,
-         binds:[SECRET_NAME,JSON.stringify(existingSecrets)]
-      } ).execute();
-   results.next();
-   var procResult = results.getColumnValue(1);
-   if (procResult.success===false){
-      throw procResult.error;
-   }
-   return {
-      "success": true,
-      "data": null
-   }
-}
-catch(e){
-   return {
-      "success": false,
-      "error": `CREATE_GENERIC_SECRET_OBJECT_FROM_EXISTING: ${String(e)}`
-   }
-}
-$$
-;
-
-grant usage on procedure PLUGIN.CREATE_GENERIC_SECRET_OBJECT_FROM_EXISTING(VARCHAR,VARCHAR,ARRAY)
-to application role OMNATA_MANAGEMENT;
-