feat: Add secret to sdk #3091
feat: Add secret to sdk #3091
Conversation
|
Integration tests failure for 01a70062a3b2aed8351229d43d94e520ec3c1e05 |
|
Integration tests failure for 929c810a42e5eade5724b107bb10432ed35e376b |
sfc-gh-fbudzynski
force-pushed
the
add-secret-to-sdk
branch
from
929c810
to
8c5dcfb
Compare
sfc-gh-fbudzynski
requested review from
sfc-gh-jcieslak and
sfc-gh-jmichalak
|
Integration tests failure for 8c5dcfb3ad8ad5d7394d32c8c8f6896697c5e498 |
| return c.context.client.Secrets | ||
| } | ||
|
|
||
| func (c *SecretClient) CreateSecreteWithBasicFlow(t *testing.T, id sdk.SchemaObjectIdentifier, username, password string) (*sdk.Secret, func()) { |
There was a problem hiding this comment.
Writing error: "Secrete". Usually in testing client you don't have to emphasize that it's for Secret when it's already on SecretClient, the function may be renamed to just CreateWithBasicFlow. Same for CleanupSecretFunc where it can be just CleanupFunc or better DropFunc.
| IfNotExists(). | ||
| Name(). | ||
| PredefinedQueryStructField("Type", "string", g.StaticOptions().SQL("TYPE = OAUTH2")). | ||
| Identifier("SecurityIntegration", g.KindOfT[AccountObjectIdentifier](), g.IdentifierOptions().Required().Equals().SQL("API_AUTHENTICATION").Required()). |
There was a problem hiding this comment.
I would rename this field to ApiIntegration (same for other types of Create). Security integration is a very general term and can mean many types of objects ApiIntegration would be a specific security integration that can be used with this secret. Plus, you can remove one of those .Require(), calling it once is enough.
| OptionalComment(). | ||
| WithValidation(g.ValidIdentifier, "name"). | ||
| WithValidation(g.ConflictingFields, "OrReplace", "IfNotExists"), | ||
| secretsSecurityIntegrationScopeDef, |
There was a problem hiding this comment.
You also have it in the operation above. Wouldn't it produce the same struct (SecurityIntegrationScope) twice in the generated output? As far as I remember it should work like that, but maybe in the meantime we added some kind of filtering to prevent it from happening. Oh ok, there's filtering, even I did it 😅
There was a problem hiding this comment.
Should I remove the duplicate regardless of filtering or leave it as is?
| Name(). | ||
| WithValidation(g.ValidIdentifier, "name"), | ||
| ).ShowOperation( | ||
| "https://docs.snowflake.com/en/sql-reference/sql/show-secret", |
There was a problem hiding this comment.
it should be show-secrets
| }) | ||
|
|
||
| // regarding the https://docs.snowflake.com/en/sql-reference/sql/create-secret secret should inherit security_integration scopes, but it does not do so | ||
| t.Run("Create: SecretWithOAuthClientCredentialsFlow - No Scopes Specified", func(t *testing.T) { |
|
|
||
| integrationId := testClientHelper().Ids.RandomAccountObjectIdentifier() | ||
|
|
||
| refreshTokenExpiryTime := time.Now().Add(Day).Format(time.DateOnly) |
There was a problem hiding this comment.
Did you try other formats? How Snowflake behaves when we give it a different one? You can check manually.
| require.NotContains(t, returnedSecrets, *secret2) | ||
| }) | ||
|
|
||
| t.Run("Show: SecretWithGenericString with Like", func(t *testing.T) { |
There was a problem hiding this comment.
I wouldn't go that deep to test SHOW LIKE and SHOW IN for every secret type, but if we already have it lets leave it.
| }) | ||
|
|
||
| t.Run("ShowByID", func(t *testing.T) { | ||
| _, id := createSecretWithGenericString(t, "foo", nil) |
There was a problem hiding this comment.
To really test ShowById the best way would be to create a new schema on top of test database (you can do it with testClientHelper().Schema.CreateSchemaInDatabase(t, testClientHelper().Ids.DatabaseId())) and then create a secret with the same name as the first one in this newly created schema, and then see what ShowById returns. Take a look at this test "show by id - same name in different schemas", as a good example.
There was a problem hiding this comment.
The test seems similar to what you have at the bottom of this file, but not quite.
| return secret | ||
| } | ||
|
|
||
| t.Run("Show with In - same id in different schemas", func(t *testing.T) { |
There was a problem hiding this comment.
You have a lot of SHOW tests, isn't this case covered in one of them? You can also test it in the main function, no need to have it in TestInt_SecretsShowWithIn.
| return secret, c.CleanupSecretFunc(t, id) | ||
| } | ||
|
|
||
| func (c *SecretClient) CleanupSecretFunc(t *testing.T, id sdk.SchemaObjectIdentifier) func() { |
There was a problem hiding this comment.
Nit: In general, we name these functions like DropFunc. Also, Secret should be not present in function names.
| return func() { | ||
| _, err := c.client().ShowByID(ctx, id) | ||
| if errors.Is(err, sdk.ErrObjectNotExistOrAuthorized) { | ||
| return |
There was a problem hiding this comment.
Cool that you thought about checking an object here, but when we use IF EXISTS, this is not needed.
| Field("Owner", "string"). | ||
| Field("Comment", "string"). | ||
| Field("SecretType", "string"). | ||
| Field("OauthScopes", "sql.NullString"). |
There was a problem hiding this comment.
In general, we try to parse fields containing lists/objects in convert, so that they are available as slices in the object struct. So, this should be "[]string". The same applies to OauthScopes in SecretDetails.
| Field("OwnerRoleType", "string") | ||
|
|
||
| var secretDetailsDbRow = g.DbStruct("secretDetailsDBRow"). | ||
| Field("created_on", "string"). |
| SQL("SECRET"). | ||
| IfNotExists(). | ||
| Name(). | ||
| PredefinedQueryStructField("Type", "string", g.StaticOptions().SQL("TYPE = PASSWORD")). |
There was a problem hiding this comment.
Nit: rather than having this field exported, you could use a name like secretType. In other places as well.
| assert.NotEmpty(t, s.DatabaseName) | ||
| assert.NotEmpty(t, s.SchemaName) | ||
| assert.NotEmpty(t, s.OwnerRoleType) | ||
| assert.NotEmpty(t, s.Owner) |
There was a problem hiding this comment.
Now we use generated asserts - check views integration tests.
| SchemaName string | ||
| DatabaseName string | ||
| Owner string | ||
| Comment sql.NullString |
There was a problem hiding this comment.
These sql.* types should be present only in dbRows - we want to separate things returned from Snowflake from things returned by the SDK. You can use *string here.
| Name: id.Name(), | ||
| SecretType: "OAUTH2", | ||
| Comment: "a", | ||
| OauthRefreshTokenExpiryTime: stringDateToSnowflakeTimeFormat(time.DateOnly, refreshTokenExpiryTime), |
There was a problem hiding this comment.
@sfc-gh-jcieslak Do we have a helper function for comparing time? If not, this could be moved to helpers somewhere.
| ), | ||
| ) | ||
| err := client.Secrets.Alter(ctx, setRequest) | ||
| require.NoError(t, err) |
There was a problem hiding this comment.
You're missing assert here.
| require.Contains(t, returnedSecrets, *secretGenericString) | ||
| }) | ||
|
|
||
| t.Run("Show: SecretWithOAuthClientCredentialsFlow with Like", func(t *testing.T) { |
There was a problem hiding this comment.
It's cool you've provided all of these cases, but I think that one case for each filtering option is enough (with an arbitrary type).
Changes
References