feat(snowflake-driver): Ability to use encrypted private keys for auth

Author: KSDaemon

packages/cubejs-snowflake-driver/src/SnowflakeDriver.ts

@@ -22,6 +22,7 @@ import {
 } from '@cubejs-backend/base-driver';
 import { formatToTimeZone } from 'date-fns-timezone';
 import fs from 'fs/promises';
+import crypto from 'crypto';
 import { HydrationMap, HydrationStream } from './HydrationStream';
 
 const SUPPORTED_BUCKET_TYPES = ['s3', 'gcs', 'azure'];
@@ -245,8 +246,30 @@ export class SnowflakeDriver extends BaseDriver implements DriverInterface {
       assertDataSource('default');
 
     let privateKey = getEnv('snowflakePrivateKey', { dataSource });
-    if (privateKey && !privateKey.endsWith('\n')) {
-      privateKey += '\n';
+
+    if (privateKey) {
+      // If the private key is encrypted - we need to decrypt it before passing to
+      // snowflake sdk.
+      if (privateKey.includes('BEGIN ENCRYPTED PRIVATE KEY')) {
+        const keyPasswd = getEnv('snowflakePrivateKeyPass', { dataSource });
+
+        if (!keyPasswd) {
+          throw new Error(
+            'Snowflake encrypted private key provided, but no passphrase was given.'
+          );
+        }
+
+        const privateKeyObject = crypto.createPrivateKey({
+          key: privateKey,
+          format: 'pem',
+          passphrase: keyPasswd
+        });
+
+        privateKey = privateKeyObject.export({
+          format: 'pem',
+          type: 'pkcs8'
+        });
+      }
     }
 
     snowflake.configure({ logLevel: 'OFF' });
@@ -267,6 +290,7 @@ export class SnowflakeDriver extends BaseDriver implements DriverInterface {
       privateKeyPath: getEnv('snowflakePrivateKeyPath', { dataSource }),
       privateKeyPass: getEnv('snowflakePrivateKeyPass', { dataSource }),
       privateKey,
+      ...(privateKey ? { privateKey } : {}),
       exportBucket: this.getExportBucket(dataSource),
       resultPrefetch: 1,
       executionTimeout: getEnv('dbQueryTimeout', { dataSource }),

packages/cubejs-testing-drivers/fixtures/snowflake.json

@@ -40,6 +40,15 @@
           "CUBEJS_DB_EXPORT_GCS_CREDENTIALS": "${DRIVERS_TESTS_CUBEJS_DB_EXPORT_GCS_CREDENTIALS}"
         }
       }
+    },
+    "encrypted-pk": {
+      "cube": {
+        "environment": {
+          "CUBEJS_DB_SNOWFLAKE_AUTHENTICATOR": "SNOWFLAKE_JWT",
+          "CUBEJS_DB_SNOWFLAKE_PRIVATE_KEY": "${DRIVERS_TESTS_CUBEJS_DB_SNOWFLAKE_PRIVATE_KEY}",
+          "CUBEJS_DB_SNOWFLAKE_PRIVATE_KEY_PASS": "${DRIVERS_TESTS_CUBEJS_DB_SNOWFLAKE_PRIVATE_KEY_PASS}"
+        }
+      }
     }
   },
   "cube": {

packages/cubejs-testing-drivers/package.json

@@ -44,6 +44,7 @@
     "snowflake-driver": "yarn test-driver -i dist/test/snowflake-driver.test.js",
     "snowflake-core": "yarn test-driver -i dist/test/snowflake-core.test.js",
     "snowflake-full": "yarn test-driver -i dist/test/snowflake-full.test.js",
+    "snowflake-encrypted-pk-full": "yarn test-driver -i dist/test/snowflake-encrypted-pk-full.test.js",
     "snowflake-export-bucket-s3-full": "yarn test-driver -i dist/test/snowflake-export-bucket-s3-full.test.js",
     "snowflake-export-bucket-azure-full": "yarn test-driver -i dist/test/snowflake-export-bucket-azure-full.test.js",
     "snowflake-export-bucket-azure-via-storage-integration-full": "yarn test-driver -i dist/test/snowflake-export-bucket-azure-via-storage-integration-full.test.js",