Merge branch 'main' into SNOW-2043523-windows-313-support

# Conflicts:
#	DESCRIPTION.md

Author: sfc-gh-fpawlowski

DESCRIPTION.md

@@ -7,23 +7,41 @@ https://docs.snowflake.com/
 Source code is also available at: https://github.com/snowflakedb/snowflake-connector-python
 
 # Release Notes
-- v3.14.1(TBD)
+- v3.16(TBD)
+  - Added basic arrow support for Interval types.
+
+- v3.15.0(Apr 29,2025)
+  - Bumped up min boto and botocore version to 1.24.
+  - OCSP: terminate certificates chain traversal if a trusted certificate already reached.
+  - Added new authentication methods support for programmatic access tokens (PATs), OAuth 2.0 Authorization Code Flow, OAuth 2.0 Client Credentials Flow, and OAuth Token caching.
+    - For OAuth 2.0 Authorization Code Flow:
+      - Added the `oauth_client_id`, `oauth_client_secret`, `oauth_authorization_url`, `oauth_token_request_url`, `oauth_redirect_uri`, `oauth_scope`, `oauth_disable_pkce`, `oauth_enable_refresh_tokens` and `oauth_enable_single_use_refresh_tokens` parameters.
+      - Added the `OAUTH_AUTHORIZATION_CODE` value for the parameter authenticator.
+    - For OAuth 2.0 Client Credentials Flow:
+      - Added the `oauth_client_id`, `oauth_client_secret`, `oauth_token_request_url`, and `oauth_scope` parameters.
+      - Added the `OAUTH_CLIENT_CREDENTIALS` value for the parameter authenticator.
+    - For OAuth Token caching: Passing a username to driver configuration is required, and the `client_store_temporary_credential property` is to be set to `true`.
+  - Bumped numpy dependency from <2.1.0 to <2.2.4
+  - Added Windows support for Python 3.13.
+
+- v3.14.1(April 21, 2025)
   - Added support for Python 3.13.
+    - NOTE: Windows 64 support is still experimental and should not yet be used for production environments.
   - Dropped support for Python 3.8.
-  - Basic decimal floating-point type support.
-  - Added handling of PAT provided in `password` field.
-  - Added experimental support for OAuth authorization code and client credentials flows.
-  - Improved error message for client-side query cancellations due to timeouts.
+  - Added basic decimal floating-point type support.
+  - Added experimental authentication methods.
   - Added support of GCS regional endpoints.
-  - Fixed a bug that caused driver to fail silently on `TO_DATE` arrow to python conversion when invalid date was followed by the correct one.
+  - Added support of GCS virtual urls. See more: https://cloud.google.com/storage/docs/request-endpoints#xml-api
+  - Added `client_fetch_threads` experimental parameter to better utilize threads for fetching query results.
   - Added `check_arrow_conversion_error_on_every_column` connection property that can be set to `False` to restore previous behaviour in which driver will ignore errors until it occurs in the last column. This flag's purpose is to unblock workflows that may be impacted by the bugfix and will be removed in later releases.
-  - Lower log levels from info to debug for some of the messages to make the output easier to follow.
-  - Allow the connector to inherit a UUID4 generated upstream, provided in statement parameters (field: `requestId`), rather than automatically generate a UUID4 to use for the HTTP Request ID.
+  - Lowered log levels from info to debug for some of the messages to make the output easier to follow.
+  - Allowed the connector to inherit a UUID4 generated upstream, provided in statement parameters (field: `requestId`), rather than automatically generate a UUID4 to use for the HTTP Request ID.
   - Improved logging in urllib3, boto3, botocore - assured data masking even after migration to the external owned library in the future.
-  - Fix expired S3 credentials update and increment retry when expired credentials are found.
-  - Added `client_fetch_threads` experimental parameter to better utilize threads for fetching query results.
-  - Added support of GCS virtual urls. See more: https://cloud.google.com/storage/docs/request-endpoints#xml-api
-  - Bumped numpy dependency from <2.1.0 to <2.2.4
+  - Improved error message for client-side query cancellations due to timeouts.
+  - Improved security and robustness for the temporary credentials cache storage.
+  - Fixed a bug that caused driver to fail silently on `TO_DATE` arrow to python conversion when invalid date was followed by the correct one.
+  - Fixed expired S3 credentials update and increment retry when expired credentials are found.
+  - Deprecated `insecure_mode` connection property and replaced it with `disable_ocsp_checks` with the same behavior as the former property.
 
 - v3.14.0(March 03, 2025)
   - Bumped pyOpenSSL dependency upper boundary from <25.0.0 to <26.0.0.
@@ -35,7 +53,6 @@ Source code is also available at: https://github.com/snowflakedb/snowflake-conne
   - Fixed a bug where file permission check happened on Windows.
   - Added support for File types.
   - Added `unsafe_file_write` connection parameter that restores the previous behaviour of saving files downloaded with GET with 644 permissions.
-  - Deprecated `insecure_mode` connection property and replaced it with `disable_ocsp_checks` with the same behavior as the former property.
 
 - v3.13.2(January 29, 2025)
   - Changed not to use scoped temporary objects.

setup.cfg

@@ -44,8 +44,8 @@ python_requires = >=3.9
 packages = find_namespace:
 install_requires =
     asn1crypto>0.24.0,<2.0.0
-    boto3>=1.0
-    botocore>=1.0
+    boto3>=1.24
+    botocore>=1.24
     cffi>=1.9,<2.0.0
     cryptography>=3.1.0
     pyOpenSSL>=22.0.0,<26.0.0

setup.py

@@ -103,6 +103,7 @@ def build_extension(self, ext):
                         "FixedSizeListConverter.cpp",
                         "FloatConverter.cpp",
                         "IntConverter.cpp",
+                        "IntervalConverter.cpp",
                         "MapConverter.cpp",
                         "ObjectConverter.cpp",
                         "SnowflakeType.cpp",

src/snowflake/connector/arrow_context.py

@@ -15,7 +15,7 @@
 from .converter import _generate_tzinfo_from_tzoffset
 
 if TYPE_CHECKING:
-    from numpy import datetime64, float64, int64
+    from numpy import datetime64, float64, int64, timedelta64
 
 
 try:
@@ -163,3 +163,41 @@ def DECFLOAT_to_decimal(self, exponent: int, significand: bytes) -> decimal.Deci
 
     def DECFLOAT_to_numpy_float64(self, exponent: int, significand: bytes) -> float64:
         return numpy.float64(self.DECFLOAT_to_decimal(exponent, significand))
+
+    def INTERVAL_YEAR_MONTH_to_numpy_timedelta(self, months: int) -> timedelta64:
+        return numpy.timedelta64(months, "M")
+
+    def INTERVAL_DAY_TIME_int_to_numpy_timedelta(self, nanos: int) -> timedelta64:
+        return numpy.timedelta64(nanos, "ns")
+
+    def INTERVAL_DAY_TIME_int_to_timedelta(self, nanos: int) -> timedelta:
+        # Python timedelta only supports microsecond precision. We receive value in
+        # nanoseconds.
+        return timedelta(microseconds=nanos // 1000)
+
+    def INTERVAL_DAY_TIME_decimal_to_numpy_timedelta(self, value: bytes) -> timedelta64:
+        # Snowflake supports up to 9 digits leading field precision for the day-time
+        # interval. That when represented in nanoseconds can not be stored in a 64-bit
+        # integer. So we send these as Decimal128 from server to client.
+        # Arrow uses little-endian by default.
+        # https://arrow.apache.org/docs/format/Columnar.html#byte-order-endianness
+        nanos = int.from_bytes(value, byteorder="little", signed=True)
+        # Numpy timedelta only supports up to 64-bit integers, so we need to change the
+        # unit to milliseconds to avoid overflow.
+        # Max value received from server
+        #   = 10**9 * NANOS_PER_DAY - 1
+        #   = 86399999999999999999999 nanoseconds
+        #   = 86399999999999999 milliseconds
+        # math.log2(86399999999999999) = 56.3 < 64
+        return numpy.timedelta64(nanos // 1_000_000, "ms")
+
+    def INTERVAL_DAY_TIME_decimal_to_timedelta(self, value: bytes) -> timedelta:
+        # Snowflake supports up to 9 digits leading field precision for the day-time
+        # interval. That when represented in nanoseconds can not be stored in a 64-bit
+        # integer. So we send these as Decimal128 from server to client.
+        # Arrow uses little-endian by default.
+        # https://arrow.apache.org/docs/format/Columnar.html#byte-order-endianness
+        nanos = int.from_bytes(value, byteorder="little", signed=True)
+        # Python timedelta only supports microsecond precision. We receive value in
+        # nanoseconds.
+        return timedelta(microseconds=nanos // 1000)

src/snowflake/connector/auth/oauth_code.py

@@ -58,6 +58,7 @@ def __init__(
         token_cache: TokenCache | None = None,
         refresh_token_enabled: bool = False,
         external_browser_timeout: int | None = None,
+        enable_single_use_refresh_tokens: bool = False,
         **kwargs,
     ) -> None:
         super().__init__(
@@ -81,6 +82,7 @@ def __init__(
             logger.debug("oauth pkce is going to be used")
         self._verifier: str | None = None
         self._external_browser_timeout = external_browser_timeout
+        self._enable_single_use_refresh_tokens = enable_single_use_refresh_tokens
 
     def _get_oauth_type_id(self) -> str:
         return OAUTH_TYPE_AUTHORIZATION_CODE
@@ -296,6 +298,8 @@ def _do_token_request(
             "code": code,
             "redirect_uri": callback_server.url,
         }
+        if self._enable_single_use_refresh_tokens:
+            fields["enable_single_use_refresh_tokens"] = "true"
         if self._pkce_enabled:
             assert self._verifier is not None
             fields["code_verifier"] = self._verifier

src/snowflake/connector/connection.py

@@ -2,7 +2,6 @@
 from __future__ import annotations
 
 import atexit
-import collections.abc
 import logging
 import os
 import pathlib
@@ -94,6 +93,7 @@
     ER_INVALID_WIF_SETTINGS,
     ER_NO_ACCOUNT_NAME,
     ER_NO_CLIENT_ID,
+    ER_NO_CLIENT_SECRET,
     ER_NO_NUMPY,
     ER_NO_PASSWORD,
     ER_NO_USER,
@@ -346,11 +346,20 @@ def _get_private_bytes_from_file(
         str,
         # SNOW-1825621: OAUTH implementation
     ),
-    "oauth_security_features": (
-        ("pkce",),
-        collections.abc.Iterable,  # of strings
+    "oauth_disable_pkce": (
+        False,
+        bool,
         # SNOW-1825621: OAUTH PKCE
     ),
+    "oauth_enable_refresh_tokens": (
+        False,
+        bool,
+    ),
+    "oauth_enable_single_use_refresh_tokens": (
+        False,
+        bool,
+        # Client-side opt-in to single-use refresh tokens.
+    ),
     "check_arrow_conversion_error_on_every_column": (
         True,
         bool,
@@ -838,21 +847,6 @@ def unsafe_file_write(self) -> bool:
     def unsafe_file_write(self, value: bool) -> None:
         self._unsafe_file_write = value
 
-    class _OAuthSecurityFeatures(NamedTuple):
-        pkce_enabled: bool
-        refresh_token_enabled: bool
-
-    @property
-    def oauth_security_features(self) -> _OAuthSecurityFeatures:
-        features = self._oauth_security_features
-        if isinstance(features, str):
-            features = features.split(" ")
-        features = [feat.lower() for feat in features]
-        return self._OAuthSecurityFeatures(
-            pkce_enabled="pkce" in features,
-            refresh_token_enabled="refresh_token" in features,
-        )
-
     @property
     def check_arrow_conversion_error_on_every_column(self) -> bool:
         return self._check_arrow_conversion_error_on_every_column
@@ -1210,9 +1204,7 @@ def __open_connection(self):
                     backoff_generator=self._backoff_generator,
                 )
             elif self._authenticator == OAUTH_AUTHORIZATION_CODE:
-                self._check_experimental_authentication_flag()
-                self._check_oauth_required_parameters()
-                features = self.oauth_security_features
+                self._check_oauth_parameters()
                 if self._role and (self._oauth_scope == ""):
                     # if role is known then let's inject it into scope
                     self._oauth_scope = _OAUTH_DEFAULT_SCOPE.format(role=self._role)
@@ -1228,19 +1220,18 @@ def __open_connection(self):
                     ),
                     redirect_uri=self._oauth_redirect_uri,
                     scope=self._oauth_scope,
-                    pkce_enabled=features.pkce_enabled,
+                    pkce_enabled=not self._oauth_disable_pkce,
                     token_cache=(
                         auth.get_token_cache()
                         if self._client_store_temporary_credential
                         else None
                     ),
-                    refresh_token_enabled=features.refresh_token_enabled,
+                    refresh_token_enabled=self._oauth_enable_refresh_tokens,
                     external_browser_timeout=self._external_browser_timeout,
+                    enable_single_use_refresh_tokens=self._oauth_enable_single_use_refresh_tokens,
                 )
             elif self._authenticator == OAUTH_CLIENT_CREDENTIALS:
-                self._check_experimental_authentication_flag()
-                self._check_oauth_required_parameters()
-                features = self.oauth_security_features
+                self._check_oauth_parameters()
                 if self._role and (self._oauth_scope == ""):
                     # if role is known then let's inject it into scope
                     self._oauth_scope = _OAUTH_DEFAULT_SCOPE.format(role=self._role)
@@ -1257,7 +1248,7 @@ def __open_connection(self):
                         if self._client_store_temporary_credential
                         else None
                     ),
-                    refresh_token_enabled=features.refresh_token_enabled,
+                    refresh_token_enabled=self._oauth_enable_refresh_tokens,
                 )
             elif self._authenticator == USR_PWD_MFA_AUTHENTICATOR:
                 self._session_parameters[PARAMETER_CLIENT_REQUEST_MFA_TOKEN] = (
@@ -2245,7 +2236,7 @@ def _check_experimental_authentication_flag(self) -> None:
                 },
             )
 
-    def _check_oauth_required_parameters(self) -> None:
+    def _check_oauth_parameters(self) -> None:
         if self._oauth_client_id is None:
             Error.errorhandler_wrapper(
                 self,
@@ -2263,6 +2254,32 @@ def _check_oauth_required_parameters(self) -> None:
                 ProgrammingError,
                 {
                     "msg": "Oauth code flow requirement 'client_secret' is empty",
-                    "errno": ER_NO_CLIENT_ID,
+                    "errno": ER_NO_CLIENT_SECRET,
+                },
+            )
+        if (
+            self._oauth_authorization_url
+            and not self._oauth_authorization_url.startswith("https://")
+        ):
+            Error.errorhandler_wrapper(
+                self,
+                None,
+                ProgrammingError,
+                {
+                    "msg": "OAuth supports only authorization urls that use 'https' scheme",
+                    "errno": ER_INVALID_VALUE,
+                },
+            )
+        if self._oauth_redirect_uri and not (
+            self._oauth_redirect_uri.startswith("http://")
+            or self._oauth_redirect_uri.startswith("https://")
+        ):
+            Error.errorhandler_wrapper(
+                self,
+                None,
+                ProgrammingError,
+                {
+                    "msg": "OAuth supports only authorization urls that use 'http(s)' scheme",
+                    "errno": ER_INVALID_VALUE,
                 },
             )

src/snowflake/connector/connection_diagnostic.py

@@ -579,7 +579,7 @@ def __check_for_proxies(self) -> None:
                     cert_reqs=cert_reqs,
                 )
             resp = http.request(
-                "GET", "https://nonexistentdomain.invalidtld", timeout=10.0
+                "GET", "https://nonexistentdomain.invalid", timeout=10.0
             )
 
             # squid does not throw exception.  Check HTML

src/snowflake/connector/errorcode.py

@@ -34,6 +34,7 @@
 ER_INVALID_WIF_SETTINGS = 251017
 ER_WIF_CREDENTIALS_NOT_FOUND = 251018
 ER_EXPERIMENTAL_AUTHENTICATION_NOT_SUPPORTED = 251019
+ER_NO_CLIENT_SECRET = 251020
 
 # cursor
 ER_FAILED_TO_REWRITE_MULTI_ROW_INSERT = 252001

src/snowflake/connector/nanoarrow_cpp/ArrowIterator/CArrowChunkIterator.cpp

@@ -13,6 +13,7 @@
 #include "FixedSizeListConverter.hpp"
 #include "FloatConverter.hpp"
 #include "IntConverter.hpp"
+#include "IntervalConverter.hpp"
 #include "MapConverter.hpp"
 #include "ObjectConverter.hpp"
 #include "StringConverter.hpp"
@@ -479,6 +480,36 @@ std::shared_ptr<sf::IColumnConverter> getConverterFromSchema(
       break;
     }
 
+    case SnowflakeType::Type::INTERVAL_YEAR_MONTH: {
+      converter = std::make_shared<sf::IntervalYearMonthConverter>(
+          array, context, useNumpy);
+      break;
+    }
+
+    case SnowflakeType::Type::INTERVAL_DAY_TIME: {
+      switch (schemaView.type) {
+        case NANOARROW_TYPE_INT64:
+          converter = std::make_shared<sf::IntervalDayTimeConverterInt>(
+              array, context, useNumpy);
+          break;
+        case NANOARROW_TYPE_DECIMAL128:
+          converter = std::make_shared<sf::IntervalDayTimeConverterDecimal>(
+              array, context, useNumpy);
+          break;
+        default: {
+          std::string errorInfo = Logger::formatString(
+              "[Snowflake Exception] unknown arrow internal data type(%d) "
+              "for OBJECT data in %s",
+              NANOARROW_TYPE_ENUM_STRING[schemaView.type],
+              schemaView.schema->name);
+          logger->error(__FILE__, __func__, __LINE__, errorInfo.c_str());
+          PyErr_SetString(PyExc_Exception, errorInfo.c_str());
+          break;
+        }
+      }
+      break;
+    }
+
     default: {
       std::string errorInfo = Logger::formatString(
           "[Snowflake Exception] unknown snowflake data type : %d", st);