snowflakedb
diff --git a/‎.github/workflows/build_test.yml‎
Lines changed: 28 additions & 0 deletions b/‎.github/workflows/build_test.yml‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎.github/workflows/parameters/public/parameters_aws.py.gpg‎
19 Bytes b/‎.github/workflows/parameters/public/parameters_aws.py.gpg‎
19 Bytes
diff --git a/‎.github/workflows/parameters/public/parameters_azure.py.gpg‎
18 Bytes b/‎.github/workflows/parameters/public/parameters_azure.py.gpg‎
18 Bytes
diff --git a/‎.github/workflows/parameters/public/parameters_gcp.py.gpg‎
17 Bytes b/‎.github/workflows/parameters/public/parameters_gcp.py.gpg‎
17 Bytes
diff --git a/‎.github/workflows/parameters/public/rsa_keys/rsa_key_python_aws.p8.gpg‎
1.38 KB b/‎.github/workflows/parameters/public/rsa_keys/rsa_key_python_aws.p8.gpg‎
1.38 KB
diff --git a/‎.github/workflows/parameters/public/rsa_keys/rsa_key_python_azure.p8.gpg‎
1.38 KB b/‎.github/workflows/parameters/public/rsa_keys/rsa_key_python_azure.p8.gpg‎
1.38 KB
diff --git a/‎.github/workflows/parameters/public/rsa_keys/rsa_key_python_gcp.p8.gpg‎
1.38 KB b/‎.github/workflows/parameters/public/rsa_keys/rsa_key_python_gcp.p8.gpg‎
1.38 KB
diff --git a/‎ci/test_fips_docker.sh‎
Lines changed: 1 addition & 0 deletions b/‎ci/test_fips_docker.sh‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎test/integ/conftest.py‎
Lines changed: 153 additions & 21 deletions b/‎test/integ/conftest.py‎
Lines changed: 153 additions & 21 deletions
diff --git a/‎test/integ/pandas/test_pandas_tools.py‎
Lines changed: 0 additions & 1 deletion b/‎test/integ/pandas/test_pandas_tools.py‎
Lines changed: 0 additions & 1 deletion
@@ -159,6 +159,13 @@ jobs:
         run: |
           gpg --quiet --batch --yes --decrypt --passphrase="$PARAMETERS_SECRET" \
           .github/workflows/parameters/public/parameters_${{ matrix.cloud-provider }}.py.gpg > test/parameters.py
+      - name: Setup private key file
+        shell: bash
+        env:
+          PYTHON_PRIVATE_KEY_SECRET: ${{ secrets.PYTHON_PRIVATE_KEY_SECRET }}
+        run: |
+          gpg --quiet --batch --yes --decrypt --passphrase="$PYTHON_PRIVATE_KEY_SECRET" \
+          .github/workflows/parameters/public/rsa_keys/rsa_key_python_${{ matrix.cloud-provider }}.p8.gpg > test/rsa_key_python_${{ matrix.cloud-provider }}.p8
       - name: Download wheel(s)
         uses: actions/download-artifact@v4
         with:
@@ -224,6 +231,13 @@ jobs:
         run: |
           gpg --quiet --batch --yes --decrypt --passphrase="$PARAMETERS_SECRET" \
           .github/workflows/parameters/public/parameters_${{ matrix.cloud-provider }}.py.gpg > test/parameters.py
+      - name: Setup private key file
+        shell: bash
+        env:
+          PYTHON_PRIVATE_KEY_SECRET: ${{ secrets.PYTHON_PRIVATE_KEY_SECRET }}
+        run: |
+          gpg --quiet --batch --yes --decrypt --passphrase="$PYTHON_PRIVATE_KEY_SECRET" \
+          .github/workflows/parameters/public/rsa_keys/rsa_key_python_${{ matrix.cloud-provider }}.p8.gpg > test/rsa_key_python_${{ matrix.cloud-provider }}.p8
       - name: Upgrade setuptools, pip and wheel
         run: python -m pip install -U setuptools pip wheel
       - name: Install tox
@@ -285,6 +299,13 @@ jobs:
         run: |
           gpg --quiet --batch --yes --decrypt --passphrase="$PARAMETERS_SECRET" \
           .github/workflows/parameters/public/parameters_${{ matrix.cloud-provider }}.py.gpg > test/parameters.py
+      - name: Setup private key file
+        shell: bash
+        env:
+          PYTHON_PRIVATE_KEY_SECRET: ${{ secrets.PYTHON_PRIVATE_KEY_SECRET }}
+        run: |
+          gpg --quiet --batch --yes --decrypt --passphrase="$PYTHON_PRIVATE_KEY_SECRET" \
+          .github/workflows/parameters/public/rsa_keys/rsa_key_python_${{ matrix.cloud-provider }}.p8.gpg > test/rsa_key_python_${{ matrix.cloud-provider }}.p8
       - name: Download wheel(s)
         uses: actions/download-artifact@v4
         with:
@@ -332,6 +353,13 @@ jobs:
         run: |
           gpg --quiet --batch --yes --decrypt --passphrase="$PARAMETERS_SECRET" \
           .github/workflows/parameters/public/parameters_${{ matrix.cloud-provider }}.py.gpg > test/parameters.py
+      - name: Setup private key file
+        shell: bash
+        env:
+          PYTHON_PRIVATE_KEY_SECRET: ${{ secrets.PYTHON_PRIVATE_KEY_SECRET }}
+        run: |
+          gpg --quiet --batch --yes --decrypt --passphrase="$PYTHON_PRIVATE_KEY_SECRET" \
+          .github/workflows/parameters/public/rsa_keys/rsa_key_python_${{ matrix.cloud-provider }}.p8.gpg > test/rsa_key_python_${{ matrix.cloud-provider }}.p8
       - name: Download wheel(s)
         uses: actions/download-artifact@v4
         with:
 
@@ -31,6 +31,7 @@ docker run --network=host \
     -e cloud_provider \
     -e PYTEST_ADDOPTS \
     -e GITHUB_ACTIONS \
+    -e JENKINS_HOME=${JENKINS_HOME:-false} \
     --mount type=bind,source="${CONNECTOR_DIR}",target=/home/user/snowflake-connector-python \
     ${CONTAINER_NAME}:1.0 \
     /home/user/snowflake-connector-python/ci/test_fips.sh $1
@@ -15,6 +15,15 @@
 
 import pytest
 
+# Add cryptography imports for private key handling
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.serialization import (
+    Encoding,
+    NoEncryption,
+    PrivateFormat,
+)
+
 import snowflake.connector
 from snowflake.connector.compat import IS_WINDOWS
 from snowflake.connector.connection import DefaultConverterClass
@@ -32,8 +41,47 @@
     from snowflake.connector import SnowflakeConnection
 
 RUNNING_ON_GH = os.getenv("GITHUB_ACTIONS") == "true"
+RUNNING_ON_JENKINS = os.getenv("JENKINS_HOME") not in (None, "false")
+RUNNING_OLD_DRIVER = os.getenv("TOX_ENV_NAME") == "olddriver"
 TEST_USING_VENDORED_ARROW = os.getenv("TEST_USING_VENDORED_ARROW") == "true"
 
+
+def _get_private_key_bytes_for_olddriver(private_key_file: str) -> bytes:
+    """Load private key file and convert to DER format bytes for olddriver compatibility.
+
+    The olddriver expects private keys in DER format as bytes.
+    This function handles both PEM and DER input formats.
+    """
+    with open(private_key_file, "rb") as key_file:
+        key_data = key_file.read()
+
+    # Try to load as PEM first, then DER
+    try:
+        # Try PEM format first
+        private_key = serialization.load_pem_private_key(
+            key_data,
+            password=None,
+            backend=default_backend(),
+        )
+    except ValueError:
+        try:
+            # Try DER format
+            private_key = serialization.load_der_private_key(
+                key_data,
+                password=None,
+                backend=default_backend(),
+            )
+        except ValueError as e:
+            raise ValueError(f"Could not load private key from {private_key_file}: {e}")
+
+    # Convert to DER format bytes as expected by olddriver
+    return private_key.private_bytes(
+        encoding=Encoding.DER,
+        format=PrivateFormat.PKCS8,
+        encryption_algorithm=NoEncryption(),
+    )
+
+
 if not isinstance(CONNECTION_PARAMETERS["host"], str):
     raise Exception("default host is not a string in parameters.py")
 RUNNING_AGAINST_LOCAL_SNOWFLAKE = CONNECTION_PARAMETERS["host"].endswith("local")
@@ -76,16 +124,42 @@ def _get_worker_specific_schema():
     )
 
 
-DEFAULT_PARAMETERS: dict[str, Any] = {
-    "account": "<account_name>",
-    "user": "<user_name>",
-    "password": "<password>",
-    "database": "<database_name>",
-    "schema": "<schema_name>",
-    "protocol": "https",
-    "host": "<host>",
-    "port": "443",
-}
+if RUNNING_ON_JENKINS:
+    DEFAULT_PARAMETERS: dict[str, Any] = {
+        "account": "<account_name>",
+        "user": "<user_name>",
+        "password": "<password>",
+        "database": "<database_name>",
+        "schema": "<schema_name>",
+        "protocol": "https",
+        "host": "<host>",
+        "port": "443",
+    }
+else:
+    if RUNNING_OLD_DRIVER:
+        DEFAULT_PARAMETERS: dict[str, Any] = {
+            "account": "<account_name>",
+            "user": "<user_name>",
+            "database": "<database_name>",
+            "schema": "<schema_name>",
+            "protocol": "https",
+            "host": "<host>",
+            "port": "443",
+            "authenticator": "SNOWFLAKE_JWT",
+            "private_key_file": "<private_key_file>",
+        }
+    else:
+        DEFAULT_PARAMETERS: dict[str, Any] = {
+            "account": "<account_name>",
+            "user": "<user_name>",
+            "database": "<database_name>",
+            "schema": "<schema_name>",
+            "protocol": "https",
+            "host": "<host>",
+            "port": "443",
+            "authenticator": "<authenticator>",
+            "private_key_file": "<private_key_file>",
+        }
 
 
 def print_help() -> None:
@@ -95,9 +169,10 @@ def print_help() -> None:
 CONNECTION_PARAMETERS = {
     'account': 'testaccount',
     'user': 'user1',
-    'password': 'test',
     'database': 'testdb',
     'schema': 'public',
+    'authenticator': 'KEY_PAIR_AUTHENTICATOR',
+    'private_key_file': '/path/to/private_key.p8',
 }
 """
     )
@@ -200,16 +275,55 @@ def init_test_schema(db_parameters) -> Generator[None]:
 
     This is automatically called per test session.
     """
-    ret = db_parameters
-    with snowflake.connector.connect(
-        user=ret["user"],
-        password=ret["password"],
-        host=ret["host"],
-        port=ret["port"],
-        database=ret["database"],
-        account=ret["account"],
-        protocol=ret["protocol"],
-    ) as con:
+    if RUNNING_ON_JENKINS:
+        connection_params = {
+            "user": db_parameters["user"],
+            "password": db_parameters["password"],
+            "host": db_parameters["host"],
+            "port": db_parameters["port"],
+            "database": db_parameters["database"],
+            "account": db_parameters["account"],
+            "protocol": db_parameters["protocol"],
+        }
+    else:
+        connection_params = {
+            "user": db_parameters["user"],
+            "host": db_parameters["host"],
+            "port": db_parameters["port"],
+            "database": db_parameters["database"],
+            "account": db_parameters["account"],
+            "protocol": db_parameters["protocol"],
+        }
+
+        # Handle private key authentication differently for old vs new driver
+        if RUNNING_OLD_DRIVER:
+            # Old driver expects private_key as bytes and SNOWFLAKE_JWT authenticator
+            private_key_file = db_parameters.get("private_key_file")
+            if private_key_file:
+                private_key_bytes = _get_private_key_bytes_for_olddriver(
+                    private_key_file
+                )
+                connection_params.update(
+                    {
+                        "authenticator": "SNOWFLAKE_JWT",
+                        "private_key": private_key_bytes,
+                    }
+                )
+        else:
+            # New driver expects private_key_file and KEY_PAIR_AUTHENTICATOR
+            connection_params.update(
+                {
+                    "authenticator": db_parameters["authenticator"],
+                    "private_key_file": db_parameters["private_key_file"],
+                }
+            )
+
+    # Role may be needed when running on preprod, but is not present on Jenkins jobs
+    optional_role = db_parameters.get("role")
+    if optional_role is not None:
+        connection_params.update(role=optional_role)
+
+    with snowflake.connector.connect(**connection_params) as con:
         con.cursor().execute(f"CREATE SCHEMA IF NOT EXISTS {TEST_SCHEMA}")
         yield
         con.cursor().execute(f"DROP SCHEMA IF EXISTS {TEST_SCHEMA}")
@@ -224,6 +338,24 @@ def create_connection(connection_name: str, **kwargs) -> SnowflakeConnection:
     """
     ret = get_db_parameters(connection_name)
     ret.update(kwargs)
+
+    # Handle private key authentication differently for old vs new driver (only if not on Jenkins)
+    if not RUNNING_ON_JENKINS and "private_key_file" in ret:
+        if RUNNING_OLD_DRIVER:
+            # Old driver (3.1.0) expects private_key as bytes and SNOWFLAKE_JWT authenticator
+            private_key_file = ret.get("private_key_file")
+            if (
+                private_key_file and "private_key" not in ret
+            ):  # Don't override if private_key already set
+                private_key_bytes = _get_private_key_bytes_for_olddriver(
+                    private_key_file
+                )
+                ret["authenticator"] = "SNOWFLAKE_JWT"
+                ret["private_key"] = private_key_bytes
+                ret.pop(
+                    "private_key_file", None
+                )  # Remove private_key_file for old driver
+
     connection = snowflake.connector.connect(**ret)
     return connection
 
 
@@ -244,7 +244,6 @@ def test_write_pandas(
     with conn_cnx(
         user=db_parameters["user"],
         account=db_parameters["account"],
-        password=db_parameters["password"],
     ) as cnx:
         table_name = "driver_versions"