feat(authentication_policy): support PROGRAMMATIC_ACCESS_TOKEN and PAT_POLICY#41
Open
GClunies wants to merge 1 commit into
Open
feat(authentication_policy): support PROGRAMMATIC_ACCESS_TOKEN and PAT_POLICY#41GClunies wants to merge 1 commit into
GClunies wants to merge 1 commit into
Conversation
…T_POLICY Snowflake authentication policies now govern programmatic access tokens, but AuthenticationPolicy couldn't express any of it (issue datacoves#33). Add PROGRAMMATIC_ACCESS_TOKEN to AuthenticationMethods and a pat_policy property (network_policy_evaluation, default_expiry_in_days, max_expiry_in_days) modeled as a PropSet-backed dict, following the external_volume.encryption precedent. A module-level _PAT_POLICY_PROPS Props object is the single source of truth for the sub-key schema: render/parse, the required-key check, and value coercion all derive from it. pat_policy must be None or fully specified — the blueprint diff compares whole field values, so partial dicts would phantom-drift. Fetch reuses _parse_enum_map for the DESC brace value and suppresses Snowflake's documented defaults (ENFORCED_REQUIRED/15/365) back to None to avoid false drift, mirroring the mfa_authentication_methods precedent. Because the DESC shape for pat_policy is doc-derived and not yet verified against a live account, the parser enforces a complete-or-raise contract and fetch degrades any parse failure to pat_policy=None with a logged warning instead of letting it abort the account-wide fetch pipeline. Run the --snowflake integration round-trip (fixture extended here) against a live account before relying on fetch. Also fix tools/generate_resource_docs.py, which wiped each doc's frontmatter description and CLI-label line on every regeneration; it now preserves existing descriptions (multi-line safe) and falls back to a generated default for new resources.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #33. Authentication policies can now declare Snowflake's PAT governance:
PROGRAMMATIC_ACCESS_TOKENas an allowed authentication method, and apat_policyproperty coveringnetwork_policy_evaluation,default_expiry_in_days, andmax_expiry_in_days. Creating PATs themselves stays out of scope (non-declarative — the secret is returned exactly once); this is the policy side only.Changes
AuthenticationMethodsgainsPROGRAMMATIC_ACCESS_TOKEN; newNetworkPolicyEvaluationenum (ENFORCED_REQUIRED/ENFORCED_NOT_REQUIRED/NOT_ENFORCED)pat_policymodeled as aPropSet-backed dict (same shape asexternal_volume.encryption), with a single module-level_PAT_POLICY_PROPSschema driving render/parse, required-key validation, and value coercion.pat_policymust beNoneor fully specified — the diff engine compares whole field values, so partial dicts would produce permanent phantom driftDESC AUTHENTICATION POLICYbrace value via the existing_parse_enum_maphelper and suppresses Snowflake's documented defaults (ENFORCED_REQUIRED/15/365) toNoneto avoid false drift, mirroring themfa_authentication_methodsprecedent. The parser enforces complete-or-raise and fetch degrades any failure topat_policy=Nonewith a logged warning, so a surprising live DESC format can't abort the account-wide fetchtools/generate_resource_docs.py, which wiped every doc's frontmatter description and CLI-label line on regenerationNote for reviewers
The
DESC AUTHENTICATION POLICYoutput format forpat_policyis derived from Snowflake docs and not yet verified against a live account. Before relying on fetch round-trip, run:The code degrades gracefully (field fetches as unset, with a logged warning) if the live format differs.