SNOW-2160717 add WIF e2e tests (#2433)

sfc-gh-akolodziejczyk · web-flow · commit 22b34a295ba1 · 2025-07-25T15:17:25.000+02:00
diff --git a/.gitignore b/.gitignore
@@ -129,3 +129,8 @@ src/snowflake/connector/nanoarrow_cpp/ArrowIterator/nanoarrow_arrow_iterator.cpp
 # Prober files
 prober/parameters.json
 prober/snowflake_prober.egg-info/
+
+# SSH private key for WIF tests
+ci/wif/parameters/rsa_wif_aws_azure
+ci/wif/parameters/rsa_wif_gcp
+ci/wif/parameters/parameters_wif.json
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -71,6 +71,18 @@ timestamps {
             '''.stripMargin()
           }
         }
+      },
+      'Test WIF': {
+        stage('Test WIF') {
+          withCredentials([
+            string(credentialsId: 'sfctest0-parameters-secret', variable: 'PARAMETERS_SECRET')
+          ]) {
+            sh '''\
+            |#!/bin/bash -e
+            |$WORKSPACE/ci/test_wif.sh
+            '''.stripMargin()
+          }
+        }
       }
     )
   }
diff --git a/ci/container/test_authentication.sh b/ci/container/test_authentication.sh
@@ -6,7 +6,6 @@ set -o pipefail
 export WORKSPACE=${WORKSPACE:-/mnt/workspace}
 export SOURCE_ROOT=${SOURCE_ROOT:-/mnt/host}
 
-MVNW_EXE=$SOURCE_ROOT/mvnw
 AUTH_PARAMETER_FILE=./.github/workflows/parameters/private/parameters_aws_auth_tests.json
 eval $(jq -r '.authtestparams | to_entries | map("export \(.key)=\(.value|tostring)")|.[]' $AUTH_PARAMETER_FILE)
 
diff --git a/ci/test_wif.sh b/ci/test_wif.sh
@@ -0,0 +1,79 @@
+#!/bin/bash -e
+
+set -o pipefail
+
+export THIS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+export RSA_KEY_PATH_AWS_AZURE="$THIS_DIR/wif/parameters/rsa_wif_aws_azure"
+export RSA_KEY_PATH_GCP="$THIS_DIR/wif/parameters/rsa_wif_gcp"
+export PARAMETERS_FILE_PATH="$THIS_DIR/wif/parameters/parameters_wif.json"
+
+run_tests_and_set_result() {
+  local provider="$1"
+  local host="$2"
+  local snowflake_host="$3"
+  local rsa_key_path="$4"
+
+  ssh -i "$rsa_key_path" -o IdentitiesOnly=yes -p 443 "$host" env BRANCH="$BRANCH" SNOWFLAKE_TEST_WIF_HOST="$snowflake_host" SNOWFLAKE_TEST_WIF_PROVIDER="$provider" SNOWFLAKE_TEST_WIF_ACCOUNT="$SNOWFLAKE_TEST_WIF_ACCOUNT" bash << EOF
+      set -e
+      set -o pipefail
+      docker run \
+        --rm \
+        -e BRANCH \
+        -e SNOWFLAKE_TEST_WIF_PROVIDER \
+        -e SNOWFLAKE_TEST_WIF_HOST \
+        -e SNOWFLAKE_TEST_WIF_ACCOUNT \
+        snowflakedb/client-python-test:1 \
+          bash -c "
+            echo 'Running tests on branch: \$BRANCH'
+            if [[ \"\$BRANCH\" =~ ^PR-[0-9]+\$ ]]; then
+              curl -L https://github.com/snowflakedb/snowflake-connector-python/archive/refs/pull/\$(echo \$BRANCH | cut -d- -f2)/head.tar.gz | tar -xz
+              mv snowflake-connector-python-* snowflake-connector-python
+            else
+              curl -L https://github.com/snowflakedb/snowflake-connector-python/archive/refs/heads/\$BRANCH.tar.gz | tar -xz
+              mv snowflake-connector-python-\$BRANCH snowflake-connector-python
+            fi
+            cd snowflake-connector-python
+            bash ci/wif/test_wif.sh
+          "
+EOF
+  local status=$?
+
+  if [[ $status -ne 0 ]]; then
+    echo "$provider tests failed with exit status: $status"
+    EXIT_STATUS=1
+  else
+    echo "$provider tests passed"
+  fi
+}
+
+get_branch() {
+  local branch
+  branch=$(git rev-parse --abbrev-ref HEAD)
+  if [[ "$branch" == "HEAD" ]]; then
+    branch=$(git name-rev --name-only HEAD | sed 's#^remotes/origin/##;s#^origin/##')
+  fi
+  echo "$branch"
+}
+
+setup_parameters() {
+  gpg --quiet --batch --yes --decrypt --passphrase="$PARAMETERS_SECRET" --output "$RSA_KEY_PATH_AWS_AZURE" "${RSA_KEY_PATH_AWS_AZURE}.gpg"
+  gpg --quiet --batch --yes --decrypt --passphrase="$PARAMETERS_SECRET" --output "$RSA_KEY_PATH_GCP" "${RSA_KEY_PATH_GCP}.gpg"
+  chmod 600 "$RSA_KEY_PATH_AWS_AZURE"
+  chmod 600 "$RSA_KEY_PATH_GCP"
+  gpg --quiet --batch --yes --decrypt --passphrase="$PARAMETERS_SECRET" --output "$PARAMETERS_FILE_PATH" "${PARAMETERS_FILE_PATH}.gpg"
+  eval $(jq -r '.wif | to_entries | map("export \(.key)=\(.value|tostring)")|.[]' $PARAMETERS_FILE_PATH)
+}
+
+BRANCH=$(get_branch)
+export BRANCH
+setup_parameters
+
+# Run tests for all cloud providers
+EXIT_STATUS=0
+set +e  # Don't exit on first failure
+run_tests_and_set_result "AZURE" "$HOST_AZURE" "$SNOWFLAKE_TEST_WIF_HOST_AZURE" "$RSA_KEY_PATH_AWS_AZURE"
+run_tests_and_set_result "AWS" "$HOST_AWS" "$SNOWFLAKE_TEST_WIF_HOST_AWS" "$RSA_KEY_PATH_AWS_AZURE"
+run_tests_and_set_result "GCP" "$HOST_GCP" "$SNOWFLAKE_TEST_WIF_HOST_GCP" "$RSA_KEY_PATH_GCP"
+set -e  # Re-enable exit on error
+echo "Exit status: $EXIT_STATUS"
+exit $EXIT_STATUS
diff --git a/ci/wif/parameters/parameters_wif.json.gpg b/ci/wif/parameters/parameters_wif.json.gpg
diff --git a/ci/wif/parameters/rsa_wif_aws_azure.gpg b/ci/wif/parameters/rsa_wif_aws_azure.gpg
diff --git a/ci/wif/parameters/rsa_wif_gcp.gpg b/ci/wif/parameters/rsa_wif_gcp.gpg
diff --git a/ci/wif/test_wif.sh b/ci/wif/test_wif.sh
@@ -0,0 +1,11 @@
+#!/bin/bash -e
+
+set -o pipefail
+
+export SF_OCSP_TEST_MODE=true
+export SF_ENABLE_EXPERIMENTAL_AUTHENTICATION=true
+export RUN_WIF_TESTS=true
+
+/opt/python/cp39-cp39/bin/python -m pip install --break-system-packages -e .
+/opt/python/cp39-cp39/bin/python -m pip install --break-system-packages pytest
+/opt/python/cp39-cp39/bin/python -m pytest test/wif/*
diff --git a/test/conftest.py b/test/conftest.py
@@ -149,6 +149,10 @@ def pytest_runtest_setup(item) -> None:
         if os.getenv("RUN_AUTH_TESTS") != "true":
             pytest.skip("Skipping auth test in current environment")
 
+    if "wif" in test_tags:
+        if os.getenv("RUN_WIF_TESTS") != "true":
+            pytest.skip("Skipping WIF test in current environment")
+
 
 def get_server_parameter_value(connection, parameter_name: str) -> str | None:
     """Get server parameter value, returns None if parameter doesn't exist."""
diff --git a/test/wif/test_wif.py b/test/wif/test_wif.py
@@ -0,0 +1,106 @@
+import logging.config
+import os
+import subprocess
+
+import pytest
+
+import snowflake.connector
+
+logger = logging.getLogger(__name__)
+logger.setLevel(logging.INFO)
+
+
+"""
+Running tests locally:
+
+1. Push branch to repository
+2. Set environment variables PARAMETERS_SECRET and BRANCH
+3. Run ci/test_wif.sh
+"""
+
+
+ACCOUNT = os.getenv("SNOWFLAKE_TEST_WIF_ACCOUNT")
+HOST = os.getenv("SNOWFLAKE_TEST_WIF_HOST")
+PROVIDER = os.getenv("SNOWFLAKE_TEST_WIF_PROVIDER")
+
+
+@pytest.mark.wif
+def test_wif_provider_autodetection():
+    connection_params = {
+        "account": ACCOUNT,
+        "authenticator": "WORKLOAD_IDENTITY",
+        "host": HOST,
+    }
+    assert connect_and_execute_simple_query(
+        connection_params
+    ), "Failed to connect with using WIF - automatic provider detection"
+
+
+@pytest.mark.wif
+def test_wif_defined_provider():
+    connection_params = {
+        "host": HOST,
+        "account": ACCOUNT,
+        "authenticator": "WORKLOAD_IDENTITY",
+        "workload_identity_provider": PROVIDER,
+    }
+    assert connect_and_execute_simple_query(
+        connection_params
+    ), "Failed to connect with using WIF - automatic provider detection"
+
+
+@pytest.mark.wif
+def test_should_authenticate_using_oidc():
+    if not is_provider_gcp():
+        pytest.skip("Skipping test - not running on GCP")
+
+    connection_params = {
+        "host": HOST,
+        "account": ACCOUNT,
+        "authenticator": "WORKLOAD_IDENTITY",
+        "workload_identity_provider": "OIDC",
+        "token": get_gcp_access_token(),
+    }
+
+    assert connect_and_execute_simple_query(
+        connection_params
+    ), "Failed to connect using WIF with OIDC provider"
+
+
+def is_provider_gcp() -> bool:
+    return PROVIDER == "GCP"
+
+
+def connect_and_execute_simple_query(connection_params) -> bool:
+    try:
+        logger.info("Trying to connect to Snowflake")
+        with snowflake.connector.connect(**connection_params) as con:
+            result = con.cursor().execute("select 1;")
+            logger.debug(result.fetchall())
+            logger.info("Successfully connected to Snowflake")
+            return True
+    except Exception as e:
+        logger.error(e)
+        return False
+
+
+def get_gcp_access_token() -> str:
+    try:
+        command = (
+            'curl -H "Metadata-Flavor: Google" '
+            '"http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/identity?audience=snowflakecomputing.com"'
+        )
+
+        result = subprocess.run(
+            ["bash", "-c", command], capture_output=True, text=True, check=False
+        )
+
+        if result.returncode == 0 and result.stdout and result.stdout.strip():
+            return result.stdout.strip()
+        else:
+            raise RuntimeError(
+                f"Failed to retrieve GCP access token, exit code: {result.returncode}"
+            )
+
+    except Exception as e:
+        raise RuntimeError(f"Error executing GCP metadata request: {e}")
diff --git a/tox.ini b/tox.ini
@@ -36,6 +36,7 @@ setenv =
     unit-integ: SNOWFLAKE_TEST_TYPE = (unit or integ)
     !unit-!integ: SNOWFLAKE_TEST_TYPE = (unit or integ)
     auth: SNOWFLAKE_TEST_TYPE = auth
+    wif: SNOWFLAKE_TEST_TYPE = wif
     unit: SNOWFLAKE_TEST_TYPE = unit
     integ: SNOWFLAKE_TEST_TYPE = integ
     single: SNOWFLAKE_TEST_TYPE = single
@@ -179,6 +180,7 @@ markers =
     integ: integration tests
     unit: unit tests
     auth: tests for authentication
+    wif: tests for Workload Identity Federation
     skipolddriver: skip for old driver tests
     # Other markers
     timeout: tests that need a timeout time

Original file line number	Diff line number	Diff line change
`@@ -71,6 +71,18 @@ timestamps {`
`71`	`71`	`'''.stripMargin()`
`72`	`72`	`}`
`73`	`73`	`}`
	`74`	`+ },`
	`75`	`+ 'Test WIF': {`
	`76`	`+ stage('Test WIF') {`
	`77`	`+ withCredentials([`
	`78`	`+ string(credentialsId: 'sfctest0-parameters-secret', variable: 'PARAMETERS_SECRET')`
	`79`	`+ ]) {`
	`80`	`+ sh '''\`
	`81`	`+ \|#!/bin/bash -e`
	`82`	`+ \|$WORKSPACE/ci/test_wif.sh`
	`83`	`+ '''.stripMargin()`
	`84`	`+ }`
	`85`	`+ }`
`74`	`86`	`}`
`75`	`87`	`)`
`76`	`88`	`}`