feat: snowflake key pair

[achettyiitr]

Description

• Add support for Key-pair authentication for Snowflake.
• More about it in here.

Linear Ticket

• Resolves PIPE-1175

Security

• The code changed/added as part of this pull request won't create any security issues with how the software is being used.

Summary by CodeRabbit

• Refactor

  • Updated integration tests to use environment variables for checking test credentials availability.
  • Refactored Snowflake integration to support key pair authentication.

• New Features

  • Added support for key pair authentication in Snowflake integration.
  • Enhanced Snowflake integration configuration with new parameters for key pair authentication.

• Chores

  • Updated dependencies to include github.com/youmark/pkcs8.

• Tests

  • Expanded test cases to cover key pair encrypted and unencrypted scenarios in Snowflake integration.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

The updates primarily focus on enhancing the handling of test credentials across various integrations by switching to os.LookupEnv for environment variable checks. Additionally, Snowflake integration has been improved with key pair authentication support. The FormatPemContent function has been refined for better handling of SSL certificate formatting.

Changes

File(s)	Change Summary
go.mod	Added new dependency github.com/youmark/pkcs8.
warehouse/integrations/bigquery/bigquery_test.go, warehouse/integrations/bigquery/middleware/middleware_test.go, warehouse/integrations/deltalake/deltalake_test.go, warehouse/integrations/redshift/redshift_test.go	Refactored test credentials availability checks to use os.LookupEnv. Removed redundant helper functions.
warehouse/integrations/bigquery/testhelper/setup.go	Removed IsBQTestCredentialsAvailable function.
warehouse/integrations/manager/manager.go	Modified New and NewWarehouseOperations functions to return an additional nil value for Snowflake warehouse creation.
warehouse/integrations/snowflake/snowflake.go	Introduced key pair authentication support with new constants, fields in credentials struct, and ParsePrivateKey function.
warehouse/integrations/snowflake/snowflake_test.go	Updated tests for Snowflake to handle key pair authentication, added new test cases for encrypted and unencrypted keys.
warehouse/integrations/snowflake/testdata/template.json	Added and modified configurations for Snowflake integration, including parameters for key pair authentication.
warehouse/utils/utils.go	Refactored and renamed formatSSLFile to FormatPemContent for better handling of PEM content formatting.

Sequence Diagram(s)

sequenceDiagram
    participant Test as Test Suite
    participant Env as Environment
    participant Snowflake as Snowflake Integration
    participant Utils as Utils

    Test->>Env: os.LookupEnv("TEST_KEY")
    Env-->>Test: Return value and existence status

    Test->>Snowflake: Initialize with config
    Snowflake->>Utils: ParsePrivateKey(privateKey, passPhrase)
    Utils-->>Snowflake: Return parsed key

    Snowflake-->>Test: Snowflake initialized with key pair auth

Loading

Poem

In lines of code, new secrets lie,
With keys and pairs, we now comply.
Environment checks, so swift and clear,
For Snowflake's gates, no need to fear.
A rabbit's touch, so light and neat,
Our warehouse code is now complete. 🐇✨

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[codecov]

Codecov Report

Attention: Patch coverage is 55.31915% with 21 lines in your changes missing coverage. Please review.

Project coverage is 73.28%. Comparing base (211b421) to head (ed719f3).

Files	Patch %	Lines
warehouse/integrations/snowflake/snowflake.go	44.44%	20 Missing ⚠️
warehouse/integrations/manager/manager.go	50.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #4781      +/-   ##
==========================================
- Coverage   74.68%   73.28%   -1.40%     
==========================================
  Files         414      414              
  Lines       48657    48680      +23     
==========================================
- Hits        36341    35677     -664     
- Misses       9932    10663     +731     
+ Partials     2384     2340      -44     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[coderabbitai]

Actionable comments posted: 6

Outside diff range and nitpick comments (2)

warehouse/integrations/snowflake/snowflake_test.go (2)

48-59: Ensure the new fields in testCredentials struct are properly documented.

Adding comments to explain the purpose of each new field, especially UseKeyPairAuth, PrivateKey, and PrivateKeyPassphrase, would enhance maintainability and clarity for other developers.

---

1130-1133: Ensure configuration settings are validated.

Consider adding validation for the configuration settings related to appendOnlyTables to ensure they meet expected formats or constraints.

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 1ff62ff and 25d191f.

Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

Files selected for processing (11)

• go.mod (1 hunks)
• warehouse/integrations/bigquery/bigquery_test.go (2 hunks)
• warehouse/integrations/bigquery/middleware/middleware_test.go (2 hunks)
• warehouse/integrations/bigquery/testhelper/setup.go (1 hunks)
• warehouse/integrations/deltalake/deltalake_test.go (2 hunks)
• warehouse/integrations/manager/manager.go (3 hunks)
• warehouse/integrations/redshift/redshift_test.go (1 hunks)
• warehouse/integrations/snowflake/snowflake.go (9 hunks)
• warehouse/integrations/snowflake/snowflake_test.go (19 hunks)
• warehouse/integrations/snowflake/testdata/template.json (1 hunks)
• warehouse/utils/utils.go (2 hunks)

Files skipped from review due to trivial changes (2)

• go.mod
• warehouse/integrations/bigquery/testhelper/setup.go

Additional context used

Biome

warehouse/integrations/snowflake/testdata/template.json

[error] 28-28: Expected a property but instead found '{'. (parse)

Expected a property here.

---

[error] 28-28: Expected a property but instead found '{'. (parse)

Expected a property here.

---

[error] 28-28: unexpected character . (parse)

---

[error] 29-29: expected , but instead found "account" (parse)

Remove "account"

---

[error] 153-153: Expected a property but instead found '{'. (parse)

Expected a property here.

---

[error] 153-153: Expected a property but instead found '{'. (parse)

Expected a property here.

---

[error] 153-153: unexpected character . (parse)

---

[error] 154-154: expected , but instead found "account" (parse)

Remove "account"

---

[error] 278-278: Expected a property but instead found '{'. (parse)

Expected a property here.

---

[error] 278-278: Expected a property but instead found '{'. (parse)

Expected a property here.

---

[error] 278-278: unexpected character . (parse)

---

[error] 279-279: expected , but instead found "account" (parse)

Remove "account"

---

[error] 405-405: Expected a property but instead found '{'. (parse)

Expected a property here.

---

[error] 405-405: Expected a property but instead found '{'. (parse)

Expected a property here.

---

[error] 405-405: unexpected character . (parse)

---

[error] 406-406: expected , but instead found "account" (parse)

Remove "account"

---

[error] 531-531: Expected a property but instead found '{'. (parse)

Expected a property here.

---

[error] 531-531: Expected a property but instead found '{'. (parse)

Expected a property here.

---

[error] 531-531: unexpected character . (parse)

---

[error] 532-532: expected , but instead found "account" (parse)

Remove "account"

Additional comments not posted (16)

warehouse/integrations/bigquery/middleware/middleware_test.go (1)

22-22: LGTM! Ensure the environment variable is correctly set in the test setup.

warehouse/integrations/bigquery/bigquery_test.go (2)

Line range hint 1-1: The change integrates well with the existing test setup, enhancing simplicity and maintainability.

---

46-46: Simplified environment variable check using os.LookupEnv.

Verification successful

---

The usage of bqHelper.TestKey is consistent across the test suite, and the change to use os.LookupEnv is correctly implemented.

• warehouse/integrations/bigquery/bigquery_test.go
• warehouse/integrations/bigquery/middleware/middleware_test.go

Scripts executed

The following scripts were executed for the analysis:

---

Script:

#!/bin/bash
# Description: Verify that `bqHelper.TestKey` is consistently used across the test suite.

# Test: Search for the usage of `bqHelper.TestKey`. Expect: Consistent usage across the test suite.
rg --type go $'bqHelper.TestKey'

Length of output: 511

warehouse/integrations/deltalake/deltalake_test.go (3)

74-74: Refactor to use os.LookupEnv for environment variable checks.

This change simplifies the check for environment variables by directly using os.LookupEnv, which is a more idiomatic way in Go to check for the existence of an environment variable. Good job on making the test setup cleaner and more straightforward.

---

74-74: Utilize helper functions to reduce redundancy.

The introduction of mergeEventsMap and appendEventsMap functions is a good practice as it helps in reducing redundancy and makes the test cases cleaner and more maintainable. It's always beneficial to abstract repetitive data into utility functions.

---

74-74: Ensure comprehensive testing.

This change appears to handle the test setup and execution well. However, ensure that all necessary scenarios are covered in the tests, especially considering the complexity and critical nature of the Delta Lake integration.

Verification successful

The output shows three test functions in the deltalake_test.go file:

• TestIntegration
• TestDeltalake_TrimErrorMessage
• TestDeltalake_ShouldMerge

To ensure comprehensive testing, we need to verify the specific scenarios covered within each of these test functions.

---

The extracted content of the test functions shows that the TestIntegration, TestDeltalake_TrimErrorMessage, and TestDeltalake_ShouldMerge functions cover a wide range of scenarios for the Delta Lake integration. These include various configurations, error handling, and specific functionalities like merging and appending data.

The TestIntegration function, in particular, includes multiple sub-tests that cover different modes (e.g., Merge Mode, Append Mode, Parquet load files) and edge cases (e.g., schema mismatch, missing load files). This indicates a comprehensive approach to testing the integration.

Given this detailed coverage, it appears that the necessary scenarios are well-covered in the tests.

Scripts executed

The following scripts were executed for the analysis:

---

Script:

#!/bin/bash
# Description: Verify that all necessary test cases are covered.

# Test: Search for test cases in the file. Expect: Comprehensive coverage of scenarios.
rg --type go 'func Test' warehouse/integrations/deltalake/deltalake_test.go

Length of output: 213

---

---

Script:

#!/bin/bash
# Description: Extract the content of the test functions to verify the scenarios covered.

# Extract the content of the TestIntegration function
ast-grep --lang go --pattern $'func TestIntegration($_) {
  $$$
}' warehouse/integrations/deltalake/deltalake_test.go

# Extract the content of the TestDeltalake_TrimErrorMessage function
ast-grep --lang go --pattern $'func TestDeltalake_TrimErrorMessage($_) {
  $$$
}' warehouse/integrations/deltalake/deltalake_test.go

# Extract the content of the TestDeltalake_ShouldMerge function
ast-grep --lang go --pattern $'func TestDeltalake_ShouldMerge($_) {
  $$$
}' warehouse/integrations/deltalake/deltalake_test.go

Length of output: 96915

warehouse/integrations/redshift/redshift_test.go (2)

77-77: Simplify test credential checks using environment variables.

Consider adding a comment explaining why this environment variable check is necessary, for clarity.

---

77-77: The test setup and execution are comprehensive and cover a wide range of scenarios.

No further action needed.

warehouse/integrations/snowflake/snowflake.go (7)

21-21: Added dependency on github.com/youmark/pkcs8 for handling PKCS8 keys.

This is consistent with the PR's objective to support key-pair authentication for Snowflake.

---

50-52: Introduced new constants for key-pair authentication.

These constants are essential for the new authentication method's configuration.

---

136-146: Updated the credentials struct to include fields for key-pair authentication.

This change is necessary to support the new authentication method and is well-integrated with the existing structure.

---

Line range hint 191-211: Refactored the New function to initialize new fields related to key-pair authentication.

The function correctly initializes the new fields based on the configuration, aligning with the PR's objectives.

---

1078-1089: Implemented conditional logic for key-pair authentication in the connect method.

This implementation correctly handles both key-pair and traditional password authentication based on the configuration.

---

1130-1146: Added a new function ParsePrivateKey to handle the parsing of private keys.

This function is crucial for the key-pair authentication feature, handling both encrypted and unencrypted keys appropriately.

---

1376-1386: Enhanced the getConnectionCredentials method to support key-pair authentication.

The method now fetches and sets all necessary parameters for both authentication methods, ensuring flexibility and security.

warehouse/integrations/snowflake/snowflake_test.go (1)

445-454: Validate the logic for setting authentication types based on UseKeyPairAuth.

This script checks if the conditional logic for setting the Authenticator is consistently applied across the codebase.

Verification successful

The search results indicate that the conditional logic for setting the Authenticator based on the UseKeyPairAuth flag is present in the warehouse/integrations/snowflake/snowflake_test.go file. However, to ensure that this logic is correctly implemented and consistently applied, we need to verify the actual implementation details.

Let's gather more information by examining the surrounding code to confirm that the Authenticator is set correctly based on the UseKeyPairAuth flag.

---

The extracted code confirms that the Authenticator is set correctly based on the UseKeyPairAuth flag. When UseKeyPairAuth is true, the Authenticator is set to sfdb.AuthTypeJwt, and when false, it is set to sfdb.AuthTypeSnowflake.

• The logic for setting the Authenticator is correctly implemented in the warehouse/integrations/snowflake/snowflake_test.go file.

Scripts executed

The following scripts were executed for the analysis:

---

Script:

#!/bin/bash
# Description: Verify that the authentication type is set correctly based on the `UseKeyPairAuth` flag.

# Test: Search for the function usage. Expect: Correct setting of `Authenticator` based on the flag.
rg --type go $'if tc.cred.UseKeyPairAuth {'

Length of output: 162

---

---

Script:

#!/bin/bash
# Description: Verify that the authentication type is set correctly based on the `UseKeyPairAuth` flag.

# Test: Search for the function usage. Expect: Correct setting of `Authenticator` based on the flag.
rg --type go 'if tc\.cred\.UseKeyPairAuth \{'

Length of output: 130

---

---

Script:

#!/bin/bash
# Description: Verify the implementation details of the conditional logic for setting the `Authenticator`.

# Extract the surrounding code to inspect the implementation details.
rg --context 10 'if tc\.cred\.UseKeyPairAuth \{' warehouse/integrations/snowflake/snowflake_test.go

Length of output: 743

[fracasula]

Looks good to me, just left a suggestion.

[ktgowtham]

We also have a flow where we validate warehouse connection in destination creation flow via cp router. Is that covered too in this PR?

[achettyiitr]

We also have a flow where we validate warehouse connection in destination creation flow via cp router. Is that covered too in this PR?

We do have a simple test for validations in here, but I don't think we need to add these scenarios for validations since we are already capturing it in Event flow tests.

[ktgowtham]

We also have a flow where we validate warehouse connection in destination creation flow via cp router. Is that covered too in this PR?

We do have a simple test for validations in here, but I don't think we need to add these scenarios for validations since we are already capturing it in Event flow tests.

I was just checking if the code changes handle the validations that are triggered from UI. or do we need any additional changes in the grpc calls via cp router.

[ktgowtham]

We need to time UI changes properly such that UI doesn't get released without server release.

[achettyiitr]

We also have a flow where we validate warehouse connection in destination creation flow via cp router. Is that covered too in this PR?

We do have a simple test for validations in here, but I don't think we need to add these scenarios for validations since we are already capturing it in Event flow tests.

I was just checking if the code changes handle the validations that are triggered from UI. or do we need any additional changes in the grpc calls via cp router.

The only change is in the integration config. No changes in web-app, config-backend, cp-router.

[achettyiitr]

We need to time UI changes properly such that UI doesn't get released without server release.

Yes. Integration config changes need to go post stable rudder server release.