Merge branch 'main' into sshetkar-SNOW-2171791-add-platform-telemetry

Author: sfc-gh-sshetkar

.gitignore

@@ -129,3 +129,8 @@ src/snowflake/connector/nanoarrow_cpp/ArrowIterator/nanoarrow_arrow_iterator.cpp
 # Prober files
 prober/parameters.json
 prober/snowflake_prober.egg-info/
+
+# SSH private key for WIF tests
+ci/wif/parameters/rsa_wif_aws_azure
+ci/wif/parameters/rsa_wif_gcp
+ci/wif/parameters/parameters_wif.json

DESCRIPTION.md

@@ -14,6 +14,7 @@ Source code is also available at: https://github.com/snowflakedb/snowflake-conne
   - Added in-band HTTP exception telemetry.
   - Fixed a bug where timezoned timestamps fetched as pandas.DataFrame or pyarrow.Table would overflow for the sake of unnecessary precision. In the case where an overflow cannot be prevented a clear error will be raised now.
   - Fix OAuth authenticator values.
+  - Add `unsafe_skip_file_permissions_check` flag to skip file permissions check on cache and config.
 
 - v3.16.0(July 04,2025)
   - Bumped numpy dependency from <2.1.0 to <=2.2.4.

Jenkinsfile

@@ -71,6 +71,18 @@ timestamps {
             '''.stripMargin()
           }
         }
+      },
+      'Test WIF': {
+        stage('Test WIF') {
+          withCredentials([
+            string(credentialsId: 'sfctest0-parameters-secret', variable: 'PARAMETERS_SECRET')
+          ]) {
+            sh '''\
+            |#!/bin/bash -e
+            |$WORKSPACE/ci/test_wif.sh
+            '''.stripMargin()
+          }
+        }
       }
     )
   }

ci/container/test_authentication.sh

@@ -6,7 +6,6 @@ set -o pipefail
 export WORKSPACE=${WORKSPACE:-/mnt/workspace}
 export SOURCE_ROOT=${SOURCE_ROOT:-/mnt/host}
 
-MVNW_EXE=$SOURCE_ROOT/mvnw
 AUTH_PARAMETER_FILE=./.github/workflows/parameters/private/parameters_aws_auth_tests.json
 eval $(jq -r '.authtestparams | to_entries | map("export \(.key)=\(.value|tostring)")|.[]' $AUTH_PARAMETER_FILE)
 

ci/test_wif.sh

@@ -0,0 +1,79 @@
+#!/bin/bash -e
+
+set -o pipefail
+
+export THIS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+export RSA_KEY_PATH_AWS_AZURE="$THIS_DIR/wif/parameters/rsa_wif_aws_azure"
+export RSA_KEY_PATH_GCP="$THIS_DIR/wif/parameters/rsa_wif_gcp"
+export PARAMETERS_FILE_PATH="$THIS_DIR/wif/parameters/parameters_wif.json"
+
+run_tests_and_set_result() {
+  local provider="$1"
+  local host="$2"
+  local snowflake_host="$3"
+  local rsa_key_path="$4"
+
+  ssh -i "$rsa_key_path" -o IdentitiesOnly=yes -p 443 "$host" env BRANCH="$BRANCH" SNOWFLAKE_TEST_WIF_HOST="$snowflake_host" SNOWFLAKE_TEST_WIF_PROVIDER="$provider" SNOWFLAKE_TEST_WIF_ACCOUNT="$SNOWFLAKE_TEST_WIF_ACCOUNT" bash << EOF
+      set -e
+      set -o pipefail
+      docker run \
+        --rm \
+        -e BRANCH \
+        -e SNOWFLAKE_TEST_WIF_PROVIDER \
+        -e SNOWFLAKE_TEST_WIF_HOST \
+        -e SNOWFLAKE_TEST_WIF_ACCOUNT \
+        snowflakedb/client-python-test:1 \
+          bash -c "
+            echo 'Running tests on branch: \$BRANCH'
+            if [[ \"\$BRANCH\" =~ ^PR-[0-9]+\$ ]]; then
+              curl -L https://github.com/snowflakedb/snowflake-connector-python/archive/refs/pull/\$(echo \$BRANCH | cut -d- -f2)/head.tar.gz | tar -xz
+              mv snowflake-connector-python-* snowflake-connector-python
+            else
+              curl -L https://github.com/snowflakedb/snowflake-connector-python/archive/refs/heads/\$BRANCH.tar.gz | tar -xz
+              mv snowflake-connector-python-\$BRANCH snowflake-connector-python
+            fi
+            cd snowflake-connector-python
+            bash ci/wif/test_wif.sh
+          "
+EOF
+  local status=$?
+
+  if [[ $status -ne 0 ]]; then
+    echo "$provider tests failed with exit status: $status"
+    EXIT_STATUS=1
+  else
+    echo "$provider tests passed"
+  fi
+}
+
+get_branch() {
+  local branch
+  branch=$(git rev-parse --abbrev-ref HEAD)
+  if [[ "$branch" == "HEAD" ]]; then
+    branch=$(git name-rev --name-only HEAD | sed 's#^remotes/origin/##;s#^origin/##')
+  fi
+  echo "$branch"
+}
+
+setup_parameters() {
+  gpg --quiet --batch --yes --decrypt --passphrase="$PARAMETERS_SECRET" --output "$RSA_KEY_PATH_AWS_AZURE" "${RSA_KEY_PATH_AWS_AZURE}.gpg"
+  gpg --quiet --batch --yes --decrypt --passphrase="$PARAMETERS_SECRET" --output "$RSA_KEY_PATH_GCP" "${RSA_KEY_PATH_GCP}.gpg"
+  chmod 600 "$RSA_KEY_PATH_AWS_AZURE"
+  chmod 600 "$RSA_KEY_PATH_GCP"
+  gpg --quiet --batch --yes --decrypt --passphrase="$PARAMETERS_SECRET" --output "$PARAMETERS_FILE_PATH" "${PARAMETERS_FILE_PATH}.gpg"
+  eval $(jq -r '.wif | to_entries | map("export \(.key)=\(.value|tostring)")|.[]' $PARAMETERS_FILE_PATH)
+}
+
+BRANCH=$(get_branch)
+export BRANCH
+setup_parameters
+
+# Run tests for all cloud providers
+EXIT_STATUS=0
+set +e  # Don't exit on first failure
+run_tests_and_set_result "AZURE" "$HOST_AZURE" "$SNOWFLAKE_TEST_WIF_HOST_AZURE" "$RSA_KEY_PATH_AWS_AZURE"
+run_tests_and_set_result "AWS" "$HOST_AWS" "$SNOWFLAKE_TEST_WIF_HOST_AWS" "$RSA_KEY_PATH_AWS_AZURE"
+run_tests_and_set_result "GCP" "$HOST_GCP" "$SNOWFLAKE_TEST_WIF_HOST_GCP" "$RSA_KEY_PATH_GCP"
+set -e  # Re-enable exit on error
+echo "Exit status: $EXIT_STATUS"
+exit $EXIT_STATUS

ci/wif/parameters/parameters_wif.json.gpg

@@ -0,0 +1,11 @@
+#!/bin/bash -e
+
+set -o pipefail
+
+export SF_OCSP_TEST_MODE=true
+export SF_ENABLE_EXPERIMENTAL_AUTHENTICATION=true
+export RUN_WIF_TESTS=true
+
+/opt/python/cp39-cp39/bin/python -m pip install --break-system-packages -e .
+/opt/python/cp39-cp39/bin/python -m pip install --break-system-packages pytest
+/opt/python/cp39-cp39/bin/python -m pytest test/wif/*

ci/wif/parameters/rsa_wif_aws_azure.gpg

@@ -548,7 +548,9 @@ def _delete_temporary_credential(
 
     def get_token_cache(self) -> TokenCache:
         if self._token_cache is None:
-            self._token_cache = TokenCache.make()
+            self._token_cache = TokenCache.make(
+                skip_file_permissions_check=self._rest._connection._unsafe_skip_file_permissions_check
+            )
         return self._token_cache