SNOW-1944162 Add tests for programmatic access token (#2183)

sfc-gh-mkubik · sfc-gh-pczajka · commit 868d3c59a6d7 · 2025-07-28T16:02:06.000+02:00
diff --git a/src/snowflake/connector/connection.py b/src/snowflake/connector/connection.py
@@ -1141,6 +1141,8 @@ def __open_connection(self):
                     backoff_generator=self._backoff_generator,
                 )
             elif self._authenticator == PROGRAMMATIC_ACCESS_TOKEN:
+                if not self._token and self._password:
+                    self._token = self._password
                 self.auth_class = AuthByPAT(self._token)
             else:
                 # okta URL, e.g., https://<account>.okta.com/
diff --git a/test/data/wiremock/mappings/auth/pat/invalid_token.json b/test/data/wiremock/mappings/auth/pat/invalid_token.json
@@ -0,0 +1,39 @@
+{
+  "mappings": [
+    {
+      "scenarioName": "Invalid PAT authentication flow",
+      "requiredScenarioState": "Started",
+      "newScenarioState": "Authentication failed",
+      "request": {
+        "urlPathPattern": "/session/v1/login-request.*",
+        "method": "POST",
+        "bodyPatterns": [
+          {
+            "equalToJson" : {
+              "data": {
+                "LOGIN_NAME": "testUser",
+                "AUTHENTICATOR": "PROGRAMMATIC_ACCESS_TOKEN",
+                "TOKEN": "some PAT"
+              }
+            },
+            "ignoreExtraElements" : true
+          }
+        ]
+      },
+      "response": {
+        "status": 200,
+        "jsonBody": {
+          "data": {
+            "nextAction": "RETRY_LOGIN",
+            "authnMethod": "PAT",
+            "signInOptions": {}
+          },
+          "code": "394400",
+          "message": "Programmatic access token is invalid.",
+          "success": false,
+          "headers": null
+        }
+      }
+    }
+  ]
+}
diff --git a/test/data/wiremock/mappings/auth/pat/successful_flow.json b/test/data/wiremock/mappings/auth/pat/successful_flow.json
@@ -0,0 +1,70 @@
+{
+  "mappings": [
+    {
+      "scenarioName": "Successful PAT authentication flow",
+      "requiredScenarioState": "Started",
+      "newScenarioState": "Authenticated",
+      "request": {
+        "urlPathPattern": "/session/v1/login-request.*",
+        "method": "POST",
+        "bodyPatterns": [
+          {
+            "equalToJson" : {
+              "data": {
+                "LOGIN_NAME": "testUser",
+                "AUTHENTICATOR": "PROGRAMMATIC_ACCESS_TOKEN",
+                "TOKEN": "some PAT"
+              }
+            },
+            "ignoreExtraElements" : true
+          },
+          {
+            "matchesJsonPath": {
+              "expression": "$.data.PASSWORD",
+              "absent": "(absent)"
+            }
+          }
+        ]
+      },
+      "response": {
+        "status": 200,
+        "jsonBody": {
+          "data": {
+            "masterToken": "master token",
+            "token": "session token",
+            "validityInSeconds": 3600,
+            "masterValidityInSeconds": 14400,
+            "displayUserName": "OAUTH_TEST_AUTH_CODE",
+            "serverVersion": "8.48.0 b2024121104444034239f05",
+            "firstLogin": false,
+            "remMeToken": null,
+            "remMeValidityInSeconds": 0,
+            "healthCheckInterval": 45,
+            "newClientForUpgrade": "3.12.3",
+            "sessionId": 1172562260498,
+            "parameters": [
+              {
+                "name": "CLIENT_PREFETCH_THREADS",
+                "value": 4
+              }
+            ],
+            "sessionInfo": {
+              "databaseName": "TEST_DB",
+              "schemaName": "TEST_JDBC",
+              "warehouseName": "TEST_XSMALL",
+              "roleName": "ANALYST"
+            },
+            "idToken": null,
+            "idTokenValidityInSeconds": 0,
+            "responseData": null,
+            "mfaToken": null,
+            "mfaTokenValidityInSeconds": 0
+          },
+          "code": null,
+          "message": null,
+          "success": true
+        }
+      }
+    }
+  ]
+}
diff --git a/test/data/wiremock/mappings/generic/snowflake_disconnect_successful.json b/test/data/wiremock/mappings/generic/snowflake_disconnect_successful.json
@@ -0,0 +1,21 @@
+{
+  "requiredScenarioState": "Connected",
+  "newScenarioState": "Disconnected",
+  "request": {
+    "urlPathPattern": "/session",
+    "method": "POST",
+    "queryParameters": {
+      "delete": {
+        "matches": "true"
+      }
+    }
+  },
+  "response": {
+    "status": 200,
+    "jsonBody": {
+      "code": 200,
+      "message": "done",
+      "success": true
+    }
+  }
+}
diff --git a/test/unit/test_programmatic_access_token.py b/test/unit/test_programmatic_access_token.py
@@ -0,0 +1,125 @@
+#
+# Copyright (c) 2012-2023 Snowflake Computing Inc. All rights reserved.
+#
+
+import pathlib
+from typing import Any, Generator, Union
+
+import pytest
+
+try:
+    import snowflake.connector
+    from src.snowflake.connector.network import PROGRAMMATIC_ACCESS_TOKEN
+except ImportError:
+    pass
+
+from ..wiremock.wiremock_utils import WiremockClient
+
+
+@pytest.fixture(scope="session")
+def wiremock_client() -> Generator[Union[WiremockClient, Any], Any, None]:
+    with WiremockClient() as client:
+        yield client
+
+
+@pytest.mark.skipolddriver
+def test_valid_pat(wiremock_client: WiremockClient) -> None:
+    wiremock_data_dir = (
+        pathlib.Path(__file__).parent.parent
+        / "data"
+        / "wiremock"
+        / "mappings"
+        / "auth"
+        / "pat"
+    )
+
+    wiremock_generic_data_dir = (
+        pathlib.Path(__file__).parent.parent
+        / "data"
+        / "wiremock"
+        / "mappings"
+        / "generic"
+    )
+
+    wiremock_client.import_mapping(wiremock_data_dir / "successful_flow.json")
+    wiremock_client.add_mapping(
+        wiremock_generic_data_dir / "snowflake_disconnect_successful.json"
+    )
+
+    cnx = snowflake.connector.connect(
+        user="testUser",
+        authenticator=PROGRAMMATIC_ACCESS_TOKEN,
+        token="some PAT",
+        account="testAccount",
+        protocol="http",
+        host=wiremock_client.wiremock_host,
+        port=wiremock_client.wiremock_http_port,
+    )
+
+    assert cnx, "invalid cnx"
+    cnx.close()
+
+
+@pytest.mark.skipolddriver
+def test_invalid_pat(wiremock_client: WiremockClient) -> None:
+    wiremock_data_dir = (
+        pathlib.Path(__file__).parent.parent
+        / "data"
+        / "wiremock"
+        / "mappings"
+        / "auth"
+        / "pat"
+    )
+    wiremock_client.import_mapping(wiremock_data_dir / "invalid_token.json")
+
+    with pytest.raises(snowflake.connector.errors.DatabaseError) as execinfo:
+        snowflake.connector.connect(
+            user="testUser",
+            authenticator=PROGRAMMATIC_ACCESS_TOKEN,
+            token="some PAT",
+            account="testAccount",
+            protocol="http",
+            host=wiremock_client.wiremock_host,
+            port=wiremock_client.wiremock_http_port,
+        )
+
+    assert str(execinfo.value).endswith("Programmatic access token is invalid.")
+
+
+@pytest.mark.skipolddriver
+def test_pat_as_password(wiremock_client: WiremockClient) -> None:
+    wiremock_data_dir = (
+        pathlib.Path(__file__).parent.parent
+        / "data"
+        / "wiremock"
+        / "mappings"
+        / "auth"
+        / "pat"
+    )
+
+    wiremock_generic_data_dir = (
+        pathlib.Path(__file__).parent.parent
+        / "data"
+        / "wiremock"
+        / "mappings"
+        / "generic"
+    )
+
+    wiremock_client.import_mapping(wiremock_data_dir / "successful_flow.json")
+    wiremock_client.add_mapping(
+        wiremock_generic_data_dir / "snowflake_disconnect_successful.json"
+    )
+
+    cnx = snowflake.connector.connect(
+        user="testUser",
+        authenticator=PROGRAMMATIC_ACCESS_TOKEN,
+        token=None,
+        password="some PAT",
+        account="testAccount",
+        protocol="http",
+        host=wiremock_client.wiremock_host,
+        port=wiremock_client.wiremock_http_port,
+    )
+
+    assert cnx, "invalid cnx"
+    cnx.close()

Original file line number	Diff line number	Diff line change
`@@ -1141,6 +1141,8 @@ def __open_connection(self):`
`1141`	`1141`	`backoff_generator=self._backoff_generator,`
`1142`	`1142`	`)`
`1143`	`1143`	`elif self._authenticator == PROGRAMMATIC_ACCESS_TOKEN:`
	`1144`	`+ if not self._token and self._password:`
	`1145`	`+ self._token = self._password`
`1144`	`1146`	`self.auth_class = AuthByPAT(self._token)`
`1145`	`1147`	`else:`
`1146`	`1148`	`# okta URL, e.g., https://<account>.okta.com/`