SNOW-1940996 no-op auth for Stored Proc (#2182)

Author: sfc-gh-zyao

src/snowflake/connector/auth/__init__.py

@@ -9,6 +9,7 @@
 from .default import AuthByDefault
 from .idtoken import AuthByIdToken
 from .keypair import AuthByKeyPair
+from .no_auth import AuthNoAuth
 from .oauth import AuthByOAuth
 from .okta import AuthByOkta
 from .pat import AuthByPAT
@@ -25,6 +26,7 @@
         AuthByWebBrowser,
         AuthByIdToken,
         AuthByPAT,
+        AuthNoAuth,
     )
 )
 
@@ -37,6 +39,7 @@
     "AuthByOkta",
     "AuthByUsrPwdMfa",
     "AuthByWebBrowser",
+    "AuthNoAuth",
     "Auth",
     "AuthType",
     "FIRST_PARTY_AUTHENTICATORS",

src/snowflake/connector/auth/_auth.py

@@ -63,6 +63,7 @@
 from ..options import installed_keyring, keyring
 from ..sqlstate import SQLSTATE_CONNECTION_WAS_NOT_ESTABLISHED
 from ..version import VERSION
+from .no_auth import AuthNoAuth
 
 if TYPE_CHECKING:
     from . import AuthByPlugin
@@ -186,6 +187,10 @@ def authenticate(
     ) -> dict[str, str | int | bool]:
         logger.debug("authenticate")
 
+        # For no-auth connection, authentication is no-op, and we can return early here.
+        if isinstance(auth_instance, AuthNoAuth):
+            return {}
+
         if timeout is None:
             timeout = auth_instance.timeout
 

src/snowflake/connector/auth/by_plugin.py

@@ -55,6 +55,7 @@ class AuthType(Enum):
     USR_PWD_MFA = "USERNAME_PASSWORD_MFA"
     OKTA = "OKTA"
     PAT = "PROGRAMMATIC_ACCESS_TOKEN"
+    NO_AUTH = "NO_AUTH"
 
 
 class AuthByPlugin(ABC):

src/snowflake/connector/auth/no_auth.py

@@ -0,0 +1,43 @@
+#!/usr/bin/env python
+#
+# Copyright (c) 2012-2023 Snowflake Computing Inc. All rights reserved.
+#
+
+from __future__ import annotations
+
+from typing import Any
+
+from .by_plugin import AuthByPlugin, AuthType
+
+
+class AuthNoAuth(AuthByPlugin):
+    """No-auth Authentication.
+
+    It is a dummy auth that requires no extra connection establishment.
+    """
+
+    @property
+    def type_(self) -> AuthType:
+        return AuthType.NO_AUTH
+
+    @property
+    def assertion_content(self) -> str | None:
+        return None
+
+    def __init__(self) -> None:
+        super().__init__()
+
+    def reset_secrets(self) -> None:
+        pass
+
+    def prepare(
+        self,
+        **kwargs: Any,
+    ) -> None:
+        pass
+
+    def reauthenticate(self, **kwargs: Any) -> dict[str, bool]:
+        return {"success": True}
+
+    def update_body(self, body: dict[Any, Any]) -> None:
+        pass

src/snowflake/connector/connection.py

@@ -44,6 +44,7 @@
     AuthByPlugin,
     AuthByUsrPwdMfa,
     AuthByWebBrowser,
+    AuthNoAuth,
 )
 from .auth.idtoken import AuthByIdToken
 from .backoff_policies import exponential_backoff
@@ -98,6 +99,7 @@
     DEFAULT_AUTHENTICATOR,
     EXTERNAL_BROWSER_AUTHENTICATOR,
     KEY_PAIR_AUTHENTICATOR,
+    NO_AUTH_AUTHENTICATOR,
     OAUTH_AUTHENTICATOR,
     PROGRAMMATIC_ACCESS_TOKEN,
     REQUEST_ID,
@@ -1251,9 +1253,15 @@ def __config(self, **kwargs):
             with open(token_file_path) as f:
                 self._token = f.read()
 
+        # Set of authenticators allowing empty user.
+        empty_user_allowed_authenticators = {OAUTH_AUTHENTICATOR, NO_AUTH_AUTHENTICATOR}
+
         if not (self._master_token and self._session_token):
-            if not self.user and self._authenticator != OAUTH_AUTHENTICATOR:
-                # OAuth Authentication does not require a username
+            if (
+                not self.user
+                and self._authenticator not in empty_user_allowed_authenticators
+            ):
+                # OAuth and NoAuth Authentications does not require a username
                 Error.errorhandler_wrapper(
                     self,
                     None,
@@ -1282,14 +1290,15 @@ def __config(self, **kwargs):
                     {"msg": "Password is empty", "errno": ER_NO_PASSWORD},
                 )
 
-        if not self._account:
+        # Only AuthNoAuth allows account to be omitted.
+        if not self._account and not isinstance(self.auth_class, AuthNoAuth):
             Error.errorhandler_wrapper(
                 self,
                 None,
                 ProgrammingError,
                 {"msg": "Account must be specified", "errno": ER_NO_ACCOUNT_NAME},
             )
-        if "." in self._account:
+        if self._account and "." in self._account:
             self._account = parse_account(self._account)
 
         if not isinstance(self._backoff_policy, Callable) or not isinstance(

src/snowflake/connector/network.py

@@ -188,6 +188,7 @@
 ID_TOKEN_AUTHENTICATOR = "ID_TOKEN"
 USR_PWD_MFA_AUTHENTICATOR = "USERNAME_PASSWORD_MFA"
 PROGRAMMATIC_ACCESS_TOKEN = "PROGRAMMATIC_ACCESS_TOKEN"
+NO_AUTH_AUTHENTICATOR = "NO_AUTH"
 
 
 def is_retryable_http_code(code: int) -> bool:

test/integ/test_connection.py

@@ -40,7 +40,7 @@
 from snowflake.connector.telemetry import TelemetryField
 
 from ..randomize import random_string
-from .conftest import RUNNING_ON_GH
+from .conftest import RUNNING_ON_GH, create_connection
 
 try:  # pragma: no cover
     from ..parameters import CONNECTION_PARAMETERS_ADMIN
@@ -1568,3 +1568,26 @@ def test_is_valid(conn_cnx):
         assert conn
         assert conn.is_valid() is True
     assert conn.is_valid() is False
+
+
+def test_no_auth_connection_negative_case():
+    # AuthNoAuth does not exist in old drivers, so we import at test level to
+    # skip importing it for old driver tests.
+    from snowflake.connector.auth.no_auth import AuthNoAuth
+
+    no_auth = AuthNoAuth()
+
+    # Create a no-auth connection in an invalid way.
+    # We do not fail connection establishment because there is no validated way
+    # to tell whether the no-auth is a valid use case or not. But it is
+    # effectively protected because invalid no-auth will fail to run any query.
+    conn = create_connection("default", auth_class=no_auth)
+
+    # Make sure we are indeed passing the no-auth configuration to the
+    # connection.
+    assert isinstance(conn.auth_class, AuthNoAuth)
+
+    # We expect a failure here when executing queries, because invalid no-auth
+    # connection is not able to run any query
+    with pytest.raises(DatabaseError, match="Connection is closed"):
+        conn.execute_string("select 1")

test/unit/test_auth_no_auth.py

@@ -0,0 +1,40 @@
+#
+# Copyright (c) 2012-2023 Snowflake Computing Inc. All rights reserved.
+#
+
+from __future__ import annotations
+
+import pytest
+
+
+@pytest.mark.skipolddriver
+def test_auth_no_auth():
+    """Simple test for AuthNoAuth."""
+
+    # AuthNoAuth does not exist in old drivers, so we import at test level to
+    # skip importing it for old driver tests.
+    from snowflake.connector.auth.no_auth import AuthNoAuth
+
+    auth = AuthNoAuth()
+
+    body = {"data": {}}
+    old_body = body
+    auth.update_body(body)
+    # update_body should be no-op for SP auth, therefore the body content should remain the same.
+    assert body == old_body, f"body is {body}, old_body is {old_body}"
+
+    # assertion_content should always return None in SP auth.
+    assert auth.assertion_content is None, auth.assertion_content
+
+    # reauthenticate should always return success.
+    expected_reauth_response = {"success": True}
+    reauth_response = auth.reauthenticate()
+    assert (
+        reauth_response == expected_reauth_response
+    ), f"reauthenticate() is expected to return {expected_reauth_response}, but returns {reauth_response}"
+
+    # It also returns success response even if we pass extra keyword argument(s).
+    reauth_response = auth.reauthenticate(foo="bar")
+    assert (
+        reauth_response == expected_reauth_response
+    ), f'reauthenticate(foo="bar") is expected to return {expected_reauth_response}, but returns {reauth_response}'