[SNOW-937596] Add chmod and chown suggestion to config manager message (#1763)

sfc-gh-lspiegelberg · sfc-gh-mkeller · web-flow · commit 1d87730162ef · 2023-10-13T00:44:46.000Z
Co-authored-by: Mark Keller &lt;mark.keller@snowflake.com&gt;
diff --git a/DESCRIPTION.md b/DESCRIPTION.md
@@ -10,6 +10,10 @@ Source code is also available at: https://github.com/snowflakedb/snowflake-conne
 - v3.2.2(TBD)
   - Fixed issue with connection diagnostics failing to complete certificate checks.
 
+- v3.3.1(Unreleased)
+
+  - Added for non-Windows platforms command suggestions (chown/chmod) for insufficient file permissions of config files.
+
 - v3.3.0(October 10,2023)
 
   - Updated to Apache arrow-nanoarrow project for result arrow data conversion.
diff --git a/src/snowflake/connector/config_manager.py b/src/snowflake/connector/config_manager.py
@@ -18,6 +18,7 @@
 import tomlkit
 from tomlkit.items import Table
 
+from snowflake.connector.compat import IS_WINDOWS
 from snowflake.connector.constants import CONFIG_FILE, CONNECTIONS_FILE
 from snowflake.connector.errors import (
     ConfigManagerError,
@@ -324,7 +325,7 @@ def read_config(
             if (
                 sliceoptions.check_permissions  # Skip checking if this file couldn't hold sensitive information
                 # Same check as openssh does for permissions
-                #  https://github.com/openssh/openssh-portable/blob/2709809fd616a0991dc18e3a58dea10fb383c3f0/readconf.c#LL2264C1-L2264C1
+                # https://github.com/openssh/openssh-portable/blob/2709809fd616a0991dc18e3a58dea10fb383c3f0/readconf.c#LL2264C1-L2264C1
                 and filep.stat().st_mode & READABLE_BY_OTHERS != 0
                 or (
                     # Windows doesn't have getuid, skip checking
@@ -333,7 +334,14 @@ def read_config(
                     and filep.stat().st_uid != os.getuid()
                 )
             ):
-                warn(f"Bad owner or permissions on {str(filep)}")
+                # for non-Windows, suggest change to 0600 permissions.
+                chmod_message = (
+                    f". To change owner, run `chown $USER {str(filep)}`. To restrict permissions, run `chmod 0600 {str(filep)}`."
+                    if not IS_WINDOWS
+                    else ""
+                )
+
+                warn(f"Bad owner or permissions on {str(filep)}{chmod_message}")
             LOGGER.debug(f"reading configuration file from {str(filep)}")
             try:
                 read_config_piece = tomlkit.parse(filep.read_text())
diff --git a/test/unit/test_configmanager.py b/test/unit/test_configmanager.py
@@ -553,7 +553,11 @@ def test_warn_config_file_owner(tmp_path, monkeypatch):
         with warnings.catch_warnings(record=True) as c:
             assert c1["b"] is True
         assert len(c) == 1
-        assert str(c[0].message) == f"Bad owner or permissions on {str(c_file)}"
+        assert (
+            str(c[0].message)
+            == f"Bad owner or permissions on {str(c_file)}"
+            + f". To change owner, run `chown $USER {str(c_file)}`. To restrict permissions, run `chmod 0600 {str(c_file)}`."
+        )
 
 
 def test_warn_config_file_permissions(tmp_path):
@@ -571,7 +575,15 @@ def test_warn_config_file_permissions(tmp_path):
     with warnings.catch_warnings(record=True) as c:
         assert c1["b"] is True
     assert len(c) == 1
-    assert str(c[0].message) == f"Bad owner or permissions on {str(c_file)}"
+    chmod_message = (
+        f". To change owner, run `chown $USER {str(c_file)}`. To restrict permissions, run `chmod 0600 {str(c_file)}`."
+        if not IS_WINDOWS
+        else ""
+    )
+    assert (
+        str(c[0].message)
+        == f"Bad owner or permissions on {str(c_file)}" + chmod_message
+    )
 
 
 def test_configoption_missing_root_manager():
