snowflake-cli-labs 3.0.0rc0__py3-none-any.whl → 3.0.0rc2__py3-none-any.whl

snowflake/cli/api/project/schemas/project_definition.py

@@ -19,13 +19,11 @@ from typing import Any, Dict, List, Optional, Union
 
 from packaging.version import Version
 from pydantic import Field, ValidationError, field_validator, model_validator
-from snowflake.cli.api.feature_flags import FeatureFlag
 from snowflake.cli.api.project.errors import SchemaValidationError
 from snowflake.cli.api.project.schemas.entities.application_entity_model import (
     ApplicationEntityModel,
 )
 from snowflake.cli.api.project.schemas.entities.common import (
-    DefaultsField,
     TargetField,
 )
 from snowflake.cli.api.project.schemas.entities.entities import (
@@ -43,6 +41,7 @@ from snowflake.cli.api.utils.types import Context
 from typing_extensions import Annotated
 
 AnnotatedEntity = Annotated[EntityModel, Field(discriminator="type")]
+scalar = str | int | float | bool
 
 
 @dataclass
@@ -63,6 +62,11 @@ class ProjectProperties:
     project_context: Context
 
 
+@dataclass
+class YamlOverride:
+    data: dict | list
+
+
 class _ProjectDefinitionBase(UpdatableModel):
     def __init__(self, *args, **kwargs):
         try:
@@ -115,31 +119,12 @@ class DefinitionV11(DefinitionV10):
 class DefinitionV20(_ProjectDefinitionBase):
     entities: Dict[str, AnnotatedEntity] = Field(title="Entity definitions.")
 
-    @model_validator(mode="before")
-    @classmethod
-    def apply_defaults(cls, data: Dict) -> Dict:
-        """
-        Applies default values that exist on the model but not specified in yml
-        """
-        if "defaults" in data and "entities" in data:
-            for key, entity in data["entities"].items():
-                entity_fields = get_allowed_fields_for_entity(entity)
-                if not entity_fields:
-                    continue
-                for default_key, default_value in data["defaults"].items():
-                    if default_key in entity_fields and default_key not in entity:
-                        entity[default_key] = default_value
-        return data
-
-    @field_validator("entities", mode="after")
-    @classmethod
-    def validate_entities_identifiers(
-        cls, entities: Dict[str, EntityModel]
-    ) -> Dict[str, EntityModel]:
-        for key, entity in entities.items():
+    @model_validator(mode="after")
+    def validate_entities_identifiers(self):
+        for key, entity in self.entities.items():
             entity.set_entity_id(key)
             entity.validate_identifier()
-        return entities
+        return self
 
     @field_validator("entities", mode="after")
     @classmethod
@@ -180,11 +165,6 @@ class DefinitionV20(_ProjectDefinitionBase):
                 f"Target type mismatch. Expected {target_type.__name__}, got {actual_target_type.__name__}"
             )
 
-    defaults: Optional[DefaultsField] = Field(
-        title="Default key/value entity values that are merged recursively for each entity.",
-        default=None,
-    )
-
     env: Optional[Dict[str, Union[str, int, bool]]] = Field(
         title="Default environment specification for this project.",
         default=None,
@@ -204,22 +184,92 @@ class DefinitionV20(_ProjectDefinitionBase):
         if "mixins" not in data or "entities" not in data:
             return data
 
-        for entity in data["entities"].values():
+        entities = data["entities"]
+        for entity_name, entity in entities.items():
             entity_mixins = entity_mixins_to_list(
                 entity.get("meta", {}).get("use_mixins")
             )
 
-            entity_fields = get_allowed_fields_for_entity(entity)
-            if entity_fields and entity_mixins:
-                for mixin_name in entity_mixins:
-                    if mixin_name in data["mixins"]:
-                        for key, value in data["mixins"][mixin_name].items():
-                            if key in entity_fields:
-                                entity[key] = value
-                    else:
-                        raise ValueError(f"Mixin {mixin_name} not found in mixins")
+            merged_values = cls._merge_mixins_with_entity(
+                entity_id=entity_name,
+                entity=entity,
+                entity_mixins_names=entity_mixins,
+                mixin_defs=data["mixins"],
+            )
+            entities[entity_name] = merged_values
+        return data
+
+    @classmethod
+    def _merge_mixins_with_entity(
+        cls,
+        entity_id: str,
+        entity: dict,
+        entity_mixins_names: list,
+        mixin_defs: dict,
+    ) -> dict:
+        # Validate mixins
+        for mixin_name in entity_mixins_names:
+            if mixin_name not in mixin_defs:
+                raise ValueError(f"Mixin {mixin_name} not defined")
+
+        # Build object override data from mixins
+        data: dict = {}
+        for mx_name in entity_mixins_names:
+            data = cls._merge_data(data, mixin_defs[mx_name])
+
+        for key, override_value in data.items():
+            if key not in get_allowed_fields_for_entity(entity):
+                raise ValueError(
+                    f"Unsupported key '{key}' for entity {entity_id} of type {entity['type']} "
+                )
+
+            entity_value = entity.get(key)
+            if (
+                entity_value is not None
+                and not isinstance(entity_value, YamlOverride)
+                and not isinstance(entity_value, type(override_value))
+            ):
+                raise ValueError(
+                    f"Value from mixins for property {key} is of type '{type(override_value).__name__}' "
+                    f"while entity {entity_id} expects value of type '{type(entity_value).__name__}'"
+                )
+
+        # Apply entity data on top of mixins
+        data = cls._merge_data(data, entity)
         return data
 
+    @classmethod
+    def _merge_data(
+        cls,
+        left: dict | list | scalar | None,
+        right: dict | list | scalar | None | YamlOverride,
+    ):
+        """
+        Merges right data into left. Right and left is expected to be of the same type, if not right is returned.
+        If left is sequence then missing elements from right are appended.
+        If left is dictionary then we update it with data from right. The update is done recursively key by key.
+        """
+        if isinstance(right, YamlOverride):
+            return right.data
+
+        if left is None:
+            return right
+
+        # At that point left and right are of the same type
+        if isinstance(left, dict) and isinstance(right, dict):
+            data = dict(left)
+            for key in right:
+                data[key] = cls._merge_data(left=data.get(key), right=right[key])
+            return data
+
+        if isinstance(left, list) and isinstance(right, list):
+            return _unique_extend(left, right)
+
+        if not isinstance(right, type(left)):
+            raise ValueError(f"Could not merge {type(right)} and {type(left)}.")
+
+        return right
+
     def get_entities_by_type(self, entity_type: str):
         return {i: e for i, e in self.entities.items() if e.get_type() == entity_type}
 
@@ -244,9 +294,7 @@ ProjectDefinition = Union[ProjectDefinitionV1, ProjectDefinitionV2]
 
 
 def get_version_map():
-    version_map = {"1": DefinitionV10, "1.1": DefinitionV11}
-    if FeatureFlag.ENABLE_PROJECT_DEFINITION_V2.is_enabled():
-        version_map["2"] = DefinitionV20
+    version_map = {"1": DefinitionV10, "1.1": DefinitionV11, "2": DefinitionV20}
     return version_map
 
 
@@ -266,8 +314,19 @@ def get_allowed_fields_for_entity(entity: Dict[str, Any]) -> List[str]:
     Get the allowed fields for the given entity.
     """
     entity_type = entity.get("type")
+    if entity_type is None:
+        raise ValueError("Entity is missing type declaration.")
+
     if entity_type not in v2_entity_model_types_map:
         return []
 
     entity_model = v2_entity_model_types_map[entity_type]
     return entity_model.model_fields
+
+
+def _unique_extend(list_a: List, list_b: List) -> List:
+    new_list = list(list_a)
+    for item in list_b:
+        if item not in list_a:
+            new_list.append(item)
+    return new_list

snowflake/cli/api/rendering/jinja.py

@@ -82,7 +82,7 @@ class IgnoreAttrEnvironment(Environment):
             return self.undefined(obj=obj, name=argument)
 
 
-def _get_jinja_env(loader: Optional[loaders.BaseLoader] = None) -> Environment:
+def get_basic_jinja_env(loader: Optional[loaders.BaseLoader] = None) -> Environment:
     return env_bootstrap(
         IgnoreAttrEnvironment(
             loader=loader or loaders.BaseLoader(),
@@ -92,20 +92,6 @@ def _get_jinja_env(loader: Optional[loaders.BaseLoader] = None) -> Environment:
     )
 
 
-def jinja_render_from_str(template_content: str, data: Dict[str, Any]) -> str:
-    """
-    Renders a jinja template and outputs either the rendered contents as string or writes to a file.
-
-    Args:
-        template_content (str): template contents
-        data (dict): A dictionary of jinja variables and their actual values
-
-    Returns:
-        None if file path is provided, else returns the rendered string.
-    """
-    return _get_jinja_env().from_string(template_content).render(data)
-
-
 def jinja_render_from_file(
     template_path: Path, data: Dict[str, Any], output_file_path: Optional[Path] = None
 ) -> Optional[str]:
@@ -120,7 +106,7 @@ def jinja_render_from_file(
     Returns:
         None if file path is provided, else returns the rendered string.
     """
-    env = _get_jinja_env(
+    env = get_basic_jinja_env(
         loader=loaders.FileSystemLoader(template_path.parent.as_posix())
     )
     loaded_template = env.get_template(template_path.name)

snowflake/cli/api/rendering/project_definition_templates.py

@@ -24,7 +24,11 @@ _YML_TEMPLATE_START = "<%"
 _YML_TEMPLATE_END = "%>"
 
 
-def get_project_definition_cli_jinja_env() -> Environment:
+def has_client_side_templates(template_content: str) -> bool:
+    return _YML_TEMPLATE_START in template_content
+
+
+def get_client_side_jinja_env() -> Environment:
     _random_block = "___very___unique___block___to___disable___logic___blocks___"
     return env_bootstrap(
         IgnoreAttrEnvironment(

snowflake/cli/api/rendering/sql_templates.py

@@ -14,7 +14,7 @@
 
 from __future__ import annotations
 
-from typing import Dict
+from typing import Dict, Optional
 
 from click import ClickException
 from jinja2 import Environment, StrictUndefined, loaders, meta
@@ -55,19 +55,29 @@ def _does_template_have_env_syntax(env: Environment, template_content: str) -> b
     return bool(meta.find_undeclared_variables(template))
 
 
-def choose_sql_jinja_env_based_on_template_syntax(template_content: str) -> Environment:
+def has_sql_templates(template_content: str) -> bool:
+    return (
+        _OLD_SQL_TEMPLATE_START in template_content
+        or _SQL_TEMPLATE_START in template_content
+    )
+
+
+def choose_sql_jinja_env_based_on_template_syntax(
+    template_content: str, reference_name: Optional[str] = None
+) -> Environment:
     old_syntax_env = _get_sql_jinja_env(_OLD_SQL_TEMPLATE_START, _OLD_SQL_TEMPLATE_END)
     new_syntax_env = _get_sql_jinja_env(_SQL_TEMPLATE_START, _SQL_TEMPLATE_END)
     has_old_syntax = _does_template_have_env_syntax(old_syntax_env, template_content)
     has_new_syntax = _does_template_have_env_syntax(new_syntax_env, template_content)
+    reference_name_str = f" in {reference_name}" if reference_name else ""
     if has_old_syntax and has_new_syntax:
         raise InvalidTemplate(
-            f"The SQL query mixes {_OLD_SQL_TEMPLATE_START} ... {_OLD_SQL_TEMPLATE_END} syntax"
+            f"The SQL query{reference_name_str} mixes {_OLD_SQL_TEMPLATE_START} ... {_OLD_SQL_TEMPLATE_END} syntax"
             f" and {_SQL_TEMPLATE_START} ... {_SQL_TEMPLATE_END} syntax."
         )
     if has_old_syntax:
         cli_console.warning(
-            f"Warning: {_OLD_SQL_TEMPLATE_START} ... {_OLD_SQL_TEMPLATE_END} syntax is deprecated."
+            f"Warning: {_OLD_SQL_TEMPLATE_START} ... {_OLD_SQL_TEMPLATE_END} syntax{reference_name_str} is deprecated."
             f" Use {_SQL_TEMPLATE_START} ... {_SQL_TEMPLATE_END} syntax instead."
         )
         return old_syntax_env

snowflake/cli/api/secure_path.py

@@ -24,6 +24,12 @@ from pathlib import Path
 from typing import Optional, Union
 
 from snowflake.cli.api.exceptions import DirectoryIsNotEmptyError, FileTooLargeError
+from snowflake.cli.api.secure_utils import (
+    chmod as secure_chmod,
+)
+from snowflake.cli.api.secure_utils import (
+    restrict_file_permissions,
+)
 
 log = logging.getLogger(__name__)
 
@@ -47,6 +53,12 @@ class SecurePath:
         """
         return self._path
 
+    def chmod(self, permissions_mask: int) -> None:
+        """
+        Change the file mode and permissions, like os.chmod().
+        """
+        secure_chmod(self._path, permissions_mask)
+
     @property
     def parent(self):
         """
@@ -97,28 +109,11 @@ class SecurePath:
         """A string representing the final path component."""
         return self._path.name
 
-    def chmod(self, permissions_mask: int) -> None:
-        """
-        Change the file mode and permissions, like os.chmod().
-        """
-        log.info(
-            "Update permissions of file %s to %s", self._path, oct(permissions_mask)
-        )
-        self._path.chmod(permissions_mask)
-
     def restrict_permissions(self) -> None:
         """
         Restrict file/directory permissions to owner-only.
         """
-        import stat
-
-        owner_permissions = (
-            # https://docs.python.org/3/library/stat.html
-            stat.S_IRUSR  # readable by owner
-            | stat.S_IWUSR  # writeable by owner
-            | stat.S_IXUSR  # executable by owner
-        )
-        self.chmod(self._path.stat().st_mode & owner_permissions)
+        restrict_file_permissions(self._path)
 
     def touch(self, permissions_mask: int = 0o600, exist_ok: bool = True) -> None:
         """

snowflake/cli/api/secure_utils.py

@@ -12,11 +12,64 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import logging
 import stat
 from pathlib import Path
+from typing import List
 
+from snowflake.connector.compat import IS_WINDOWS
 
-def file_permissions_are_strict(file_path: Path) -> bool:
+log = logging.getLogger(__name__)
+
+
+def _get_windows_whitelisted_users():
+    # whitelisted users list obtained in consultation with prodsec: CASEC-9627
+    import os
+
+    return [
+        "SYSTEM",
+        "Administrators",
+        "Network",
+        "Domain Admins",
+        "Domain Users",
+        os.getlogin(),
+    ]
+
+
+def _run_icacls(file_path: Path) -> str:
+    import subprocess
+
+    return subprocess.check_output(["icacls", str(file_path)], text=True)
+
+
+def _windows_permissions_are_denied(permission_codes: str) -> bool:
+    # according to https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
+    return "(DENY)" in permission_codes or "(N)" in permission_codes
+
+
+def windows_get_not_whitelisted_users_with_access(file_path: Path) -> List[str]:
+    import re
+
+    # according to https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
+    icacls_output_regex = (
+        rf"({re.escape(str(file_path))})?.*\\(?P<user>.*):(?P<permissions>[(A-Z),]+)"
+    )
+    whitelisted_users = _get_windows_whitelisted_users()
+
+    users_with_access = []
+    for permission in re.finditer(icacls_output_regex, _run_icacls(file_path)):
+        if (permission.group("user") not in whitelisted_users) and (
+            not _windows_permissions_are_denied(permission.group("permissions"))
+        ):
+            users_with_access.append(permission.group("user"))
+    return list(set(users_with_access))
+
+
+def _windows_file_permissions_are_strict(file_path: Path) -> bool:
+    return windows_get_not_whitelisted_users_with_access(file_path) == []
+
+
+def _unix_file_permissions_are_strict(file_path: Path) -> bool:
     accessible_by_others = (
         # https://docs.python.org/3/library/stat.html
         stat.S_IRGRP  # readable by group
@@ -27,3 +80,39 @@ def file_permissions_are_strict(file_path: Path) -> bool:
         | stat.S_IXOTH  # executable by others
     )
     return (file_path.stat().st_mode & accessible_by_others) == 0
+
+
+def file_permissions_are_strict(file_path: Path) -> bool:
+    if IS_WINDOWS:
+        return _windows_file_permissions_are_strict(file_path)
+    return _unix_file_permissions_are_strict(file_path)
+
+
+def chmod(path: Path, permissions_mask: int) -> None:
+    log.info("Update permissions of file %s to %s", path, oct(permissions_mask))
+    path.chmod(permissions_mask)
+
+
+def _unix_restrict_file_permissions(path: Path) -> None:
+    owner_permissions = (
+        # https://docs.python.org/3/library/stat.html
+        stat.S_IRUSR  # readable by owner
+        | stat.S_IWUSR  # writeable by owner
+        | stat.S_IXUSR  # executable by owner
+    )
+    chmod(path, path.stat().st_mode & owner_permissions)
+
+
+def _windows_restrict_file_permissions(path: Path) -> None:
+    import subprocess
+
+    for user in windows_get_not_whitelisted_users_with_access(path):
+        log.info("Removing permissions of user %s from file %s", user, path)
+        subprocess.run(["icacls", str(path), "/DENY", f"{user}:F"])
+
+
+def restrict_file_permissions(file_path: Path) -> None:
+    if IS_WINDOWS:
+        _windows_restrict_file_permissions(file_path)
+    else:
+        _unix_restrict_file_permissions(file_path)

snowflake/cli/api/sql_execution.py

@@ -97,6 +97,13 @@ class SqlExecutor:
                 f"Could not use {object_type} {name}. Object does not exist, or operation cannot be performed."
             )
 
+    def current_role(self) -> str:
+        *_, cursor = self._execute_string(
+            "select current_role()", cursor_class=DictCursor
+        )
+        role_result = cursor.fetchone()
+        return role_result["CURRENT_ROLE()"]
+
     @contextmanager
     def use_role(self, new_role: str):
         """
@@ -117,6 +124,12 @@ class SqlExecutor:
             if is_different_role:
                 self._execute_query(f"use role {prev_role}")
 
+    def session_has_warehouse(self) -> bool:
+        result = self._execute_query(
+            "select current_warehouse() is not null as result", cursor_class=DictCursor
+        ).fetchone()
+        return bool(result.get("RESULT"))
+
     @contextmanager
     def use_warehouse(self, new_wh: str):
         """

snowflake/cli/api/utils/definition_rendering.py

@@ -28,7 +28,7 @@ from snowflake.cli.api.project.schemas.project_definition import (
 from snowflake.cli.api.project.schemas.updatable_model import context
 from snowflake.cli.api.rendering.jinja import CONTEXT_KEY, FUNCTION_KEY
 from snowflake.cli.api.rendering.project_definition_templates import (
-    get_project_definition_cli_jinja_env,
+    get_client_side_jinja_env,
 )
 from snowflake.cli.api.utils.dict_utils import deep_merge_dicts, traverse
 from snowflake.cli.api.utils.graph import Graph, Node
@@ -96,7 +96,7 @@ class TemplatedEnvironment:
             )
             or current_attr_chain is not None
         ):
-            raise InvalidTemplate(f"Unexpected templating syntax in {template_value}")
+            raise InvalidTemplate(f"Unexpected template syntax in {template_value}")
 
         for child_node in ast_node.iter_child_nodes():
             all_referenced_vars.update(
@@ -277,7 +277,9 @@ def _add_defaults_to_definition(original_definition: Definition) -> Definition:
     with context({"skip_validation_on_templates": True}):
         # pass a flag to Pydantic to skip validation for templated scalars
         # populate the defaults
-        project_definition = build_project_definition(**original_definition)
+        project_definition = build_project_definition(
+            **copy.deepcopy(original_definition)
+        )
 
     definition_with_defaults = project_definition.model_dump(
         exclude_none=True, warnings=False, by_alias=True
@@ -318,7 +320,7 @@ def render_definition_template(
     if definition is None:
         return ProjectProperties(None, {CONTEXT_KEY: {"env": environment_overrides}})
 
-    template_env = TemplatedEnvironment(get_project_definition_cli_jinja_env())
+    template_env = TemplatedEnvironment(get_client_side_jinja_env())
 
     if "definition_version" not in definition or Version(
         definition["definition_version"]
@@ -353,9 +355,7 @@ def render_definition_template(
     )
 
     def on_cycle_action(node: Node[TemplateVar]):
-        raise CycleDetectedError(
-            f"Cycle detected in templating variable {node.data.key}"
-        )
+        raise CycleDetectedError(f"Cycle detected in template variable {node.data.key}")
 
     dependencies_graph.dfs(
         visit_action=lambda node: _render_graph_node(template_env, node),

{snowflake_cli_labs-3.0.0rc0.dist-info → snowflake_cli_labs-3.0.0rc2.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: snowflake-cli-labs
-Version: 3.0.0rc0
+Version: 3.0.0rc2
 Summary: Snowflake CLI
 Project-URL: Source code, https://github.com/snowflakedb/snowflake-cli
 Project-URL: Bug Tracker, https://github.com/snowflakedb/snowflake-cli/issues
@@ -222,24 +222,24 @@ Requires-Dist: jinja2==3.1.4
 Requires-Dist: packaging
 Requires-Dist: pip
 Requires-Dist: pluggy==1.5.0
-Requires-Dist: pydantic==2.8.2
-Requires-Dist: pyyaml==6.0.1
+Requires-Dist: pydantic==2.9.1
+Requires-Dist: pyyaml==6.0.2
 Requires-Dist: requests==2.32.3
-Requires-Dist: requirements-parser==0.10.2
-Requires-Dist: rich==13.7.1
-Requires-Dist: setuptools==70.3.0
-Requires-Dist: snowflake-connector-python[secure-local-storage]==3.12.0
+Requires-Dist: requirements-parser==0.11.0
+Requires-Dist: rich==13.8.0
+Requires-Dist: setuptools==74.1.2
+Requires-Dist: snowflake-connector-python[secure-local-storage]==3.12.1
 Requires-Dist: snowflake-core==0.8.0; python_version < '3.12'
 Requires-Dist: snowflake-snowpark-python>=1.15.0; python_version < '3.12'
 Requires-Dist: tomlkit==0.13.2
-Requires-Dist: typer==0.12.4
+Requires-Dist: typer==0.12.5
 Requires-Dist: urllib3<2.3,>=1.24.3
 Provides-Extra: development
 Requires-Dist: coverage==7.6.1; extra == 'development'
 Requires-Dist: pre-commit>=3.5.0; extra == 'development'
 Requires-Dist: pytest-randomly==3.15.0; extra == 'development'
 Requires-Dist: pytest==8.3.2; extra == 'development'
-Requires-Dist: syrupy==4.6.1; extra == 'development'
+Requires-Dist: syrupy==4.7.1; extra == 'development'
 Description-Content-Type: text/markdown
 
 <!--