snowflake-cli 3.10.1__py3-none-any.whl → 3.12.0__py3-none-any.whl

snowflake/cli/__about__.py

@@ -16,7 +16,7 @@ from __future__ import annotations
 
 from enum import Enum, unique
 
-VERSION = "3.10.1"
+VERSION = "3.12.0"
 
 
 @unique

snowflake/cli/_app/auth/__init__.py

@@ -0,0 +1,13 @@
+# Copyright (c) 2024 Snowflake Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.

snowflake/cli/_app/auth/errors.py

@@ -0,0 +1,28 @@
+class OidcProviderError(Exception):
+    """Base exception for OIDC provider related errors."""
+
+    ...
+
+
+class OidcProviderNotFoundError(OidcProviderError):
+    """Exception raised when requested OIDC provider is not found or unknown."""
+
+    ...
+
+
+class OidcProviderUnavailableError(OidcProviderError):
+    """Exception raised when OIDC provider is not available in current environment."""
+
+    ...
+
+
+class OidcProviderAutoDetectionError(OidcProviderError):
+    """Exception raised when auto-detection of OIDC provider fails."""
+
+    ...
+
+
+class OidcTokenRetrievalError(OidcProviderError):
+    """Exception raised when OIDC token cannot be retrieved."""
+
+    ...

snowflake/cli/_app/auth/oidc_providers.py

@@ -0,0 +1,393 @@
+# Copyright (c) 2024 Snowflake Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import importlib
+import inspect
+import logging
+import os
+from abc import ABC, abstractmethod
+from enum import Enum
+from typing import Dict, List, Literal, Optional, Type
+
+import id as oidc_id
+from snowflake.cli._app.auth.errors import (
+    OidcProviderAutoDetectionError,
+    OidcProviderNotFoundError,
+    OidcProviderUnavailableError,
+    OidcTokenRetrievalError,
+)
+
+logger = logging.getLogger(__name__)
+
+
+ACTIONS_ID_TOKEN_REQUEST_URL_ENV: Literal[
+    "ACTIONS_ID_TOKEN_REQUEST_URL"
+] = "ACTIONS_ID_TOKEN_REQUEST_URL"
+GITHUB_ACTIONS_ENV: Literal["GITHUB_ACTIONS"] = "GITHUB_ACTIONS"
+SNOWFLAKE_AUDIENCE_ENV: Literal["SNOWFLAKE_AUDIENCE"] = "SNOWFLAKE_AUDIENCE"
+
+
+class OidcProviderType(Enum):
+    """Enum for OIDC provider types."""
+
+    GITHUB = "github"
+
+
+class OidcProviderTypeWithAuto(Enum):
+    """Extended version of OidcProviderType with AUTO."""
+
+    AUTO = "auto"
+    GITHUB = "github"
+
+
+class OidcTokenProvider(ABC):
+    """
+    Abstract base class for OIDC token providers.
+    Each CI environment should implement this interface.
+    """
+
+    @property
+    @abstractmethod
+    def provider_name(self) -> str:
+        """
+        Returns the name of the CI provider (e.g., 'github', 'gitlab', 'azure-devops').
+        """
+        pass
+
+    @property
+    @abstractmethod
+    def is_available(self) -> bool:
+        """
+        Checks if this provider is available in the current environment.
+        Should return True if the provider can detect credentials in the current context.
+        """
+        pass
+
+    @property
+    @abstractmethod
+    def issuer(self) -> str:
+        """
+        Returns the OIDC issuer URL for this provider.
+
+        Returns:
+            The OIDC issuer URL
+        """
+        pass
+
+    @abstractmethod
+    def get_token(self) -> str:
+        """
+        Retrieves the OIDC token from the CI environment.
+
+        Returns:
+            The OIDC token string
+
+        Raises:
+            OidcProviderError: If token cannot be retrieved
+        """
+        pass
+
+
+class GitHubOidcProvider(OidcTokenProvider):
+    """
+    OIDC token provider for GitHub Actions.
+    """
+
+    @property
+    def _is_ci(self):
+        logger.debug("Checking if GitHub Actions environment is available")
+
+        # Check if we're in a GitHub Actions environment
+        github_actions_env = os.getenv(GITHUB_ACTIONS_ENV)
+        logger.debug(
+            "%s environment variable: %s",
+            GITHUB_ACTIONS_ENV,
+            github_actions_env,
+        )
+
+        is_github_actions = github_actions_env == "true"
+        logger.debug("Running in GitHub Actions: %s", is_github_actions)
+        return is_github_actions
+
+    @property
+    def audience(self) -> str:
+        """
+        Returns the audience URL for GitHub OIDC.
+
+        Returns:
+            The audience URL, defaults to 'snowflakecomputing.com' if SNOWFLAKE_AUDIENCE environment variable is not set
+        """
+        return os.getenv(SNOWFLAKE_AUDIENCE_ENV, "snowflakecomputing.com")
+
+    @property
+    def issuer(self) -> str:
+        """
+        Returns the GitHub OIDC issuer URL.
+
+        Returns:
+            The GitHub OIDC issuer URL from ACTIONS_ID_TOKEN_REQUEST_URL environment variable,
+            or the default GitHub issuer URL if the environment variable is not set
+        """
+        issuer_url = os.getenv(ACTIONS_ID_TOKEN_REQUEST_URL_ENV)
+        if not issuer_url and self._is_ci:
+            raise OidcTokenRetrievalError(
+                "%s environment variable is not set. "
+                "This variable is required for Github Actions OIDC authentication"
+                % ACTIONS_ID_TOKEN_REQUEST_URL_ENV
+            )
+        return issuer_url or "https://token.actions.githubusercontent.com"
+
+    @property
+    def provider_name(self) -> str:
+        return OidcProviderType.GITHUB.value
+
+    @property
+    def is_available(self) -> bool:
+        """
+        Checks if GitHub Actions environment is available.
+        """
+        return self._is_ci
+
+    def get_token(self) -> str:
+        """
+        Retrieves the OIDC token from GitHub Actions.
+        """
+        logger.debug("Retrieving OIDC token from GitHub Actions")
+
+        try:
+            logger.debug("Detecting OIDC credentials for token retrieval")
+            # Use configurable audience for workload identity
+            token = oidc_id.detect_credential(self.audience)
+            if not token:
+                logger.error("No OIDC credentials detected")
+                raise OidcTokenRetrievalError(
+                    "No OIDC credentials detected. This command should be run in a GitHub Actions environment."
+                )
+
+            logger.info("Successfully retrieved OIDC token")
+            return token
+        except Exception as e:
+            logger.error("Failed to detect OIDC credentials: %s", str(e))
+            raise OidcTokenRetrievalError(
+                "Failed to detect OIDC credentials: %s" % str(e)
+            )
+
+
+class OidcProviderRegistry:
+    """
+    Registry for managing OIDC token providers.
+    Handles registration, storage, and retrieval of providers.
+    """
+
+    def __init__(self) -> None:
+        self._providers: Dict[str, Type[OidcTokenProvider]] = {}
+        self._auto_discover_providers()
+
+    def _auto_discover_providers(self) -> None:
+        """
+        Auto-discovers all OIDC token providers in the current module.
+        """
+        logger.debug("Auto-discovering OIDC token providers")
+        current_module = importlib.import_module(__name__)
+
+        for name, obj in inspect.getmembers(current_module):
+            if (
+                inspect.isclass(obj)
+                and issubclass(obj, OidcTokenProvider)
+                and obj != OidcTokenProvider
+            ):
+                provider_instance = obj()
+                provider_name = provider_instance.provider_name
+                logger.debug("Discovered OIDC provider: %s (%s)", provider_name, name)
+                self._providers[provider_name] = obj
+
+        logger.info(
+            "Auto-discovered %d OIDC provider(s): %s",
+            len(self._providers),
+            list(self._providers.keys()),
+        )
+
+    def register_provider(self, provider_class: Type[OidcTokenProvider]) -> None:
+        """
+        Manually register a provider class.
+        """
+        provider_instance = provider_class()
+        self._providers[provider_instance.provider_name] = provider_class
+
+    def get_provider(self, provider_name: str) -> Optional[OidcTokenProvider]:
+        """
+        Get a specific provider by name.
+        """
+        provider_class = self._providers.get(provider_name)
+        if provider_class:
+            return provider_class()
+        return None
+
+    def get_provider_class(
+        self, provider_name: str
+    ) -> Optional[Type[OidcTokenProvider]]:
+        """
+        Get a specific provider class by name.
+        """
+        return self._providers.get(provider_name)
+
+    @property
+    def provider_names(self) -> List[str]:
+        """
+        List all registered provider names.
+        """
+        return list(self._providers.keys())
+
+    @property
+    def all_providers(self) -> List[OidcTokenProvider]:
+        """
+        Get instances of all registered providers.
+        """
+        return [provider_class() for provider_class in self._providers.values()]
+
+
+# Global registry instance
+_registry = OidcProviderRegistry()
+
+
+def get_oidc_provider(provider_name: str) -> OidcTokenProvider:
+    """
+    Get a specific OIDC provider by name without checking availability.
+
+    Args:
+        provider_name: Name of the provider to get
+
+    Returns:
+        The requested OIDC provider instance
+
+    Raises:
+        OidcProviderNotFoundError: If provider is unknown
+    """
+    provider = _registry.get_provider(provider_name)
+
+    if not provider:
+        providers_list = ", ".join(_registry.provider_names)
+        raise OidcProviderNotFoundError(
+            "Unknown provider '%s'. Available providers: %s"
+            % (
+                provider_name,
+                providers_list,
+            )
+        )
+
+    return provider
+
+
+def get_active_oidc_provider(provider_name: str) -> OidcTokenProvider:
+    """
+    Get a specific OIDC provider by name and ensure it's available.
+
+    Args:
+        provider_name: Name of the provider to get
+
+    Returns:
+        The requested OIDC provider instance
+
+    Raises:
+        OidcProviderNotFoundError: If provider is unknown
+        OidcProviderUnavailableError: If provider is not available
+    """
+    provider = get_oidc_provider(provider_name)
+
+    if not provider.is_available:
+        raise OidcProviderUnavailableError(
+            "Provider '%s' is not available in the current environment." % provider_name
+        )
+
+    return provider
+
+
+def get_oidc_provider_class(provider_name: str) -> Type[OidcTokenProvider]:
+    """
+    Get a specific OIDC provider class by name.
+
+    Args:
+        provider_name: Name of the provider to get
+
+    Returns:
+        The requested OIDC provider class
+
+    Raises:
+        OidcProviderNotFoundError: If provider is unknown
+    """
+    provider_class = _registry.get_provider_class(provider_name)
+
+    if not provider_class:
+        providers_list = ", ".join(_registry.provider_names)
+        raise OidcProviderNotFoundError(
+            "Unknown provider '%s'. Available providers: %s"
+            % (
+                provider_name,
+                providers_list,
+            )
+        )
+
+    return provider_class
+
+
+def auto_detect_oidc_provider() -> OidcTokenProvider:
+    """
+    Auto-detect a single available OIDC provider in the current environment.
+
+    Returns:
+        The single available OIDC provider
+
+    Raises:
+        OidcProviderAutoDetectionError: If no providers are available or multiple providers are available
+    """
+    available = [
+        provider for provider in _registry.all_providers if provider.is_available
+    ]
+    available_names = [p.provider_name for p in available]
+
+    all_providers = _registry.provider_names
+    match (len(available), all_providers):
+        case (1, _):
+            # Happy path - single provider found
+            logger.info("Found 1 available provider: %s", available_names[0])
+            return available[0]
+        case (0, providers) if providers:
+            # No providers available but some are registered
+            providers_list = ", ".join(providers)
+            msg = (
+                "No OIDC provider detected in current environment. "
+                "Available providers: %s. "
+                "Use --type <provider> to specify a provider explicitly."
+            ) % providers_list
+            logger.info(msg)
+            raise OidcProviderAutoDetectionError(msg)
+        case (0, _):
+            # No providers available and none are registered
+            msg = "No OIDC providers are registered."
+            logger.info(msg)
+            raise OidcProviderAutoDetectionError(msg)
+        case _:
+            # Multiple providers available - raise error
+            providers_list = ", ".join(available_names)
+            msg = (
+                "Multiple OIDC providers detected: %s. "
+                "Please specify which provider to use with --type <provider>."
+            ) % providers_list
+            logger.info(msg)
+            raise OidcProviderAutoDetectionError(msg)
+
+    # This line should never be reached, but helps mypy understand all paths are covered
+    raise OidcProviderAutoDetectionError(
+        "Unexpected state in auto_detect_oidc_provider"
+    )

snowflake/cli/_app/cli_app.py

@@ -256,7 +256,6 @@ class CliAppFactory:
                 "--commands-registration",
                 help="Commands registration",
                 hidden=True,
-                is_eager=True,
                 callback=self._commands_registration_callback(),
             ),
         ) -> None:

snowflake/cli/_app/constants.py

@@ -21,3 +21,13 @@ PARAM_APPLICATION_NAME: Literal["snowcli"] = "snowcli"
 # This is also defined on server side. Changing this parameter would require
 # a change in https://github.com/snowflakedb/snowflake
 INTERNAL_APPLICATION_NAME: Literal["SNOWFLAKE_CLI"] = "SNOWFLAKE_CLI"
+
+# Authenticator types
+AUTHENTICATOR_WORKLOAD_IDENTITY: Literal["WORKLOAD_IDENTITY"] = "WORKLOAD_IDENTITY"
+AUTHENTICATOR_SNOWFLAKE_JWT: Literal["SNOWFLAKE_JWT"] = "SNOWFLAKE_JWT"
+AUTHENTICATOR_USERNAME_PASSWORD_MFA: Literal[
+    "username_password_mfa"
+] = "username_password_mfa"
+AUTHENTICATOR_OAUTH_AUTHORIZATION_CODE: Literal[
+    "OAUTH_AUTHORIZATION_CODE"
+] = "OAUTH_AUTHORIZATION_CODE"

snowflake/cli/_app/printing.py

@@ -22,7 +22,7 @@ from decimal import Decimal
 from json import JSONEncoder
 from pathlib import Path
 from textwrap import indent
-from typing import TextIO
+from typing import Any, Dict, TextIO
 
 from rich import box, get_console
 from rich import print as rich_print
@@ -61,13 +61,114 @@ class CustomJSONEncoder(JSONEncoder):
             return list(o.result)
         if isinstance(o, (date, datetime, time)):
             return o.isoformat()
-        if isinstance(o, (Path, Decimal)):
+        if isinstance(o, Path):
+            return o.as_posix()
+        if isinstance(o, Decimal):
             return str(o)
         if isinstance(o, bytearray):
             return o.hex()
         return super().default(o)
 
 
+class StreamingJSONEncoder(JSONEncoder):
+    """Streaming JSON encoder that doesn't materialize generators into lists"""
+
+    def default(self, o):
+        if isinstance(o, str):
+            return sanitize_for_terminal(o)
+        if isinstance(o, (ObjectResult, MessageResult)):
+            return o.result
+        if isinstance(o, (CollectionResult, MultipleResults)):
+            raise TypeError(
+                f"CollectionResult should be handled by streaming functions, not encoder"
+            )
+        if isinstance(o, (date, datetime, time)):
+            return o.isoformat()
+        if isinstance(o, Path):
+            return o.as_posix()
+        if isinstance(o, Decimal):
+            return str(o)
+        if isinstance(o, bytearray):
+            return o.hex()
+        return super().default(o)
+
+
+def _print_json_item_with_array_indentation(item: Any, indent: int):
+    """Print a JSON item with proper indentation for array context"""
+    if indent:
+        indented_output = json.dumps(item, cls=StreamingJSONEncoder, indent=indent)
+        indented_lines = indented_output.split("\n")
+        for i, line in enumerate(indented_lines):
+            if i == 0:
+                print(" " * indent + line, end="")
+            else:
+                print("\n" + " " * indent + line, end="")
+    else:
+        json.dump(item, sys.stdout, cls=StreamingJSONEncoder, separators=(",", ":"))
+
+
+def _stream_collection_as_json(result: CollectionResult, indent: int = 4):
+    """Stream a CollectionResult as a JSON array without loading all data into memory"""
+    items = iter(result.result)
+    try:
+        first_item = next(items)
+    except StopIteration:
+        print("[]", end="")
+        return
+
+    print("[")
+
+    _print_json_item_with_array_indentation(first_item, indent)
+
+    for item in items:
+        print(",")
+        _print_json_item_with_array_indentation(item, indent)
+
+    print("\n]", end="")
+
+
+def _stream_collection_as_csv(result: CollectionResult):
+    """Stream a CollectionResult as CSV without loading all data into memory"""
+    items = iter(result.result)
+    try:
+        first_item = next(items)
+    except StopIteration:
+        return
+
+    fieldnames = list(first_item.keys())
+    if not isinstance(first_item, dict):
+        raise TypeError("CSV output requires dictionary items")
+
+    writer = csv.DictWriter(sys.stdout, fieldnames=fieldnames, lineterminator="\n")
+    writer.writeheader()
+    _write_csv_row(writer, first_item)
+
+    for item in items:
+        _write_csv_row(writer, item)
+
+
+def _write_csv_row(writer: csv.DictWriter, row_data: Dict[str, Any]):
+    """Write a single CSV row, handling special data types"""
+    processed_row = {}
+    for key, value in row_data.items():
+        if isinstance(value, str):
+            processed_row[key] = sanitize_for_terminal(value)
+        elif isinstance(value, (date, datetime, time)):
+            processed_row[key] = value.isoformat()
+        elif isinstance(value, Path):
+            processed_row[key] = value.as_posix()
+        elif isinstance(value, Decimal):
+            processed_row[key] = str(value)
+        elif isinstance(value, bytearray):
+            processed_row[key] = value.hex()
+        elif value is None:
+            processed_row[key] = ""
+        else:
+            processed_row[key] = str(value)
+
+    writer.writerow(processed_row)
+
+
 def _get_format_type() -> OutputFormat:
     output_format = get_cli_context().output_format
     if output_format:
@@ -110,12 +211,13 @@ def is_structured_format(output_format):
 def print_structured(
     result: CommandResult, output_format: OutputFormat = OutputFormat.JSON
 ):
-    """Handles outputs like json, yml and other structured and parsable formats."""
+    """Handles outputs like json, csv and other structured and parsable formats with streaming."""
     printed_end_line = False
+
     if isinstance(result, MultipleResults):
         if output_format == OutputFormat.CSV:
             for command_result in result.result:
-                _print_csv_result(command_result)
+                _print_csv_result_streaming(command_result)
                 print(flush=True)
             printed_end_line = True
         else:
@@ -125,35 +227,67 @@ def print_structured(
         # instead of joining all the values into a JSON array or CSV entry set
         for r in result.result:
             if output_format == OutputFormat.CSV:
-                _print_csv_result(r.result)
+                _print_csv_result_streaming(r)
             else:
-                json.dump(r, sys.stdout, cls=CustomJSONEncoder)
+                json.dump(r, sys.stdout, cls=StreamingJSONEncoder)
             print(flush=True)
             printed_end_line = True
     else:
         if output_format == OutputFormat.CSV:
-            _print_csv_result(result)
+            _print_csv_result_streaming(result)
             printed_end_line = True
         else:
-            json.dump(result, sys.stdout, cls=CustomJSONEncoder, indent=4)
+            _print_json_result_streaming(result)
+
     # Adds empty line at the end
     if not printed_end_line:
         print(flush=True)
 
 
-def _print_csv_result(result: CommandResult):
-    data = json.loads(json.dumps(result, cls=CustomJSONEncoder))
+def _print_json_result_streaming(result: CommandResult):
+    """Print a single CommandResult as JSON with streaming support"""
+    if isinstance(result, CollectionResult):
+        _stream_collection_as_json(result, indent=4)
+    elif isinstance(result, (ObjectResult, MessageResult)):
+        json.dump(result, sys.stdout, cls=StreamingJSONEncoder, indent=4)
+    else:
+        json.dump(result, sys.stdout, cls=StreamingJSONEncoder, indent=4)
+
+
+def _print_object_result_as_csv(result: ObjectResult):
+    """Print an ObjectResult as a single-row CSV.
+
+    Converts the object's key-value pairs into a CSV with headers
+    from the keys and a single data row from the values.
+    """
+    data = result.result
     if isinstance(data, dict):
-        writer = csv.DictWriter(sys.stdout, [*data], lineterminator="\n")
-        writer.writeheader()
-        writer.writerow(data)
-    elif isinstance(data, list):
-        if not data:
-            return
-        writer = csv.DictWriter(sys.stdout, [*data[0]], lineterminator="\n")
+        writer = csv.DictWriter(
+            sys.stdout, fieldnames=list(data.keys()), lineterminator="\n"
+        )
         writer.writeheader()
-        for entry in data:
-            writer.writerow(entry)
+        _write_csv_row(writer, data)
+
+
+def _print_message_result_as_csv(result: MessageResult):
+    """Print a MessageResult as CSV with a single 'message' column.
+
+    Creates a simple CSV structure with one column named 'message'
+    containing the sanitized message text.
+    """
+    writer = csv.DictWriter(sys.stdout, fieldnames=["message"], lineterminator="\n")
+    writer.writeheader()
+    writer.writerow({"message": sanitize_for_terminal(result.message)})
+
+
+def _print_csv_result_streaming(result: CommandResult):
+    """Print a single CommandResult as CSV with streaming support"""
+    if isinstance(result, CollectionResult):
+        _stream_collection_as_csv(result)
+    elif isinstance(result, ObjectResult):
+        _print_object_result_as_csv(result)
+    elif isinstance(result, MessageResult):
+        _print_message_result_as_csv(result)
 
 
 def _stream_json(result):