Add CLIENT_POLICY parameter for AUTHENTICATION_POLICY object type

Author: littleK0i

CHANGELOG.md

@@ -4,6 +4,7 @@
 
 - Added `DECFLOAT` data type. You should never find yourself using it, but it exists nonetheless.
 - Renamed `SNAPSHOT_POLICY`, `SNAPSHOT_SET` object types to `BACKUP_POLICY`, `BACKUP_SET`. Config paths should be updated from `snapshot_*` to `backup_*`.
+- Added parameter `CLIENT_POLICY` for authentication policies.
 
 ## [0.60.0] - 2025-11-11
 

snowddl/blueprint/blueprint.py

@@ -89,6 +89,7 @@ class AuthenticationPolicyBlueprint(SchemaObjectBlueprint):
     mfa_enrollment: Optional[str] = None
     mfa_policy: Optional[Dict[str, Union[bool, float, int, str, list]]] = None
     client_types: Optional[List[str]] = None
+    client_policy: Optional[Dict[str, Dict[str, Union[bool, float, int, str, list]]]] = None
     security_integrations: Optional[List[str]] = None
     pat_policy: Optional[Dict[str, Union[bool, float, int, str, list]]] = None
     workload_identity_policy: Optional[Dict[str, Union[bool, float, int, str, list]]] = None

snowddl/parser/authentication_policy.py

@@ -36,6 +36,15 @@
             },
             "minItems": 1
         },
+        "client_policy": {
+            "type": "object",
+            "additionalProperties": {
+                "type": "object",
+                "additionalProperties": {
+                    "type": ["array", "boolean", "number", "string"]
+                }
+            }
+        },
         "security_integrations": {
             "type": "array",
             "items": {
@@ -78,10 +87,22 @@ def process_authentication_policy(self, f: ParsedFile):
             mfa_enrollment=f.params.get("mfa_enrollment").upper() if f.params.get("mfa_enrollment") else None,
             mfa_policy=self.normalise_params_dict(f.params.get("mfa_policy")),
             client_types=self.normalise_params_list(f.params.get("client_types")),
+            client_policy=self._normalise_client_policy(f.params.get("client_policy")),
             security_integrations=self.normalise_params_list(f.params.get("security_integrations")),
             pat_policy=self.normalise_params_dict(f.params.get("pat_policy")),
             workload_identity_policy=self.normalise_params_dict(f.params.get("workload_identity_policy")),
             comment=f.params.get("comment"),
         )
 
         self.config.add_blueprint(bp)
+
+    def _normalise_client_policy(self, client_policy):
+        if client_policy is None:
+            return None
+
+        result = {}
+
+        for k, v in client_policy.items():
+            result[k.upper()] = self.normalise_params_dict(v)
+
+        return result

snowddl/resolver/authentication_policy.py

@@ -158,6 +158,30 @@ def _build_common_authentication_policy_sql(self, bp: AuthenticationPolicyBluepr
                 },
             )
 
+        if bp.client_policy:
+            query.append_nl("CLIENT_POLICY = (")
+
+            for client_name, client_params in bp.client_policy.items():
+                query.append(
+                    "{client_name:r} = (",
+                    {
+                        "client_name": client_name,
+                    }
+                )
+
+                for param_name, param_value in client_params.items():
+                    query.append(
+                        "{param_name:r} = {param_value:dp}",
+                        {
+                            "param_name": param_name,
+                            "param_value": param_value,
+                        }
+                    )
+
+                query.append(")")
+
+            query.append(")")
+
         if bp.security_integrations:
             query.append_nl(
                 "SECURITY_INTEGRATIONS = ({security_integrations})",

test/_config/step1/db1/sc1/authentication_policy/aup002_aup1.yaml

@@ -1,4 +1,9 @@
 authentication_methods: [PASSWORD, SAML]
 mfa_enrollment: REQUIRED
 client_types: [ALL]
+client_policy:
+  python_driver:
+    minimum_version: 4.0.0
+  jdbc_driver:
+    minimum_version: 3.20.0
 security_integrations: [ALL]

test/_config/step2/db1/sc1/authentication_policy/aup002_aup1.yaml

@@ -1,4 +1,7 @@
 authentication_methods: [ALL]
 mfa_enrollment: REQUIRED
 client_types: [ALL]
+client_policy:
+  python_driver:
+    minimum_version: 4.1.0
 security_integrations: [ALL]

test/authentication_policy/aup002.py

@@ -4,6 +4,7 @@ def test_step1(helper):
     assert params["AUTHENTICATION_METHODS"]["value"] == "[PASSWORD, SAML]"
     assert params["MFA_ENROLLMENT"]["value"] == "REQUIRED"
     assert params["CLIENT_TYPES"]["value"] == "[ALL]"
+    assert params["CLIENT_POLICY"]["value"] == "{JDBC_DRIVER={MINIMUM_VERSION=3.20.0}, PYTHON_DRIVER={MINIMUM_VERSION=4.0.0}}"
     assert params["SECURITY_INTEGRATIONS"]["value"] == "[ALL]"
 
 
@@ -13,6 +14,7 @@ def test_step2(helper):
     assert params["AUTHENTICATION_METHODS"]["value"] == "[ALL]"
     assert params["MFA_ENROLLMENT"]["value"] == "REQUIRED"
     assert params["CLIENT_TYPES"]["value"] == "[ALL]"
+    assert params["CLIENT_POLICY"]["value"] == "{PYTHON_DRIVER={MINIMUM_VERSION=4.1.0}}"
     assert params["SECURITY_INTEGRATIONS"]["value"] == "[ALL]"