Skip to content

feat(authentication_policy): support PROGRAMMATIC_ACCESS_TOKEN and PAT_POLICY#41

Open
GClunies wants to merge 1 commit into
datacoves:mainfrom
GClunies:snowcap-33
Open

feat(authentication_policy): support PROGRAMMATIC_ACCESS_TOKEN and PAT_POLICY#41
GClunies wants to merge 1 commit into
datacoves:mainfrom
GClunies:snowcap-33

Conversation

@GClunies

Copy link
Copy Markdown
Contributor

Summary

Closes #33. Authentication policies can now declare Snowflake's PAT governance: PROGRAMMATIC_ACCESS_TOKEN as an allowed authentication method, and a pat_policy property covering network_policy_evaluation, default_expiry_in_days, and max_expiry_in_days. Creating PATs themselves stays out of scope (non-declarative — the secret is returned exactly once); this is the policy side only.

Changes

  • AuthenticationMethods gains PROGRAMMATIC_ACCESS_TOKEN; new NetworkPolicyEvaluation enum (ENFORCED_REQUIRED / ENFORCED_NOT_REQUIRED / NOT_ENFORCED)
  • pat_policy modeled as a PropSet-backed dict (same shape as external_volume.encryption), with a single module-level _PAT_POLICY_PROPS schema driving render/parse, required-key validation, and value coercion. pat_policy must be None or fully specified — the diff engine compares whole field values, so partial dicts would produce permanent phantom drift
  • Fetch parses the DESC AUTHENTICATION POLICY brace value via the existing _parse_enum_map helper and suppresses Snowflake's documented defaults (ENFORCED_REQUIRED/15/365) to None to avoid false drift, mirroring the mfa_authentication_methods precedent. The parser enforces complete-or-raise and fetch degrades any failure to pat_policy=None with a logged warning, so a surprising live DESC format can't abort the account-wide fetch
  • Fixtures use non-default PAT values so default-suppression can't mask regressions; 22 new unit tests; the live-fetch integration fixture now covers the new fields
  • Docs page regenerated from the class docstring; fixed tools/generate_resource_docs.py, which wiped every doc's frontmatter description and CLI-label line on regeneration

Note for reviewers

The DESC AUTHENTICATION POLICY output format for pat_policy is derived from Snowflake docs and not yet verified against a live account. Before relying on fetch round-trip, run:

pytest tests/integration/data_provider/test_fetch_resource_simple.py --snowflake -k authentication_policy -v

The code degrades gracefully (field fetches as unset, with a logged warning) if the live format differs.

…T_POLICY

Snowflake authentication policies now govern programmatic access tokens,
but AuthenticationPolicy couldn't express any of it (issue datacoves#33).

Add PROGRAMMATIC_ACCESS_TOKEN to AuthenticationMethods and a pat_policy
property (network_policy_evaluation, default_expiry_in_days,
max_expiry_in_days) modeled as a PropSet-backed dict, following the
external_volume.encryption precedent. A module-level _PAT_POLICY_PROPS
Props object is the single source of truth for the sub-key schema:
render/parse, the required-key check, and value coercion all derive
from it. pat_policy must be None or fully specified — the blueprint
diff compares whole field values, so partial dicts would phantom-drift.

Fetch reuses _parse_enum_map for the DESC brace value and suppresses
Snowflake's documented defaults (ENFORCED_REQUIRED/15/365) back to None
to avoid false drift, mirroring the mfa_authentication_methods
precedent. Because the DESC shape for pat_policy is doc-derived and not
yet verified against a live account, the parser enforces a
complete-or-raise contract and fetch degrades any parse failure to
pat_policy=None with a logged warning instead of letting it abort the
account-wide fetch pipeline. Run the --snowflake integration round-trip
(fixture extended here) against a live account before relying on fetch.

Also fix tools/generate_resource_docs.py, which wiped each doc's
frontmatter description and CLI-label line on every regeneration; it
now preserves existing descriptions (multi-line safe) and falls back to
a generated default for new resources.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feat(authentication_policy): support PROGRAMMATIC_ACCESS_TOKEN method and PAT_POLICY

1 participant