diff --git a/pkg/acceptance/helpers/context_client.go b/pkg/acceptance/helpers/context_client.go index a753263562..c3c2f2358b 100644 --- a/pkg/acceptance/helpers/context_client.go +++ b/pkg/acceptance/helpers/context_client.go @@ -2,6 +2,7 @@ package helpers import ( "context" + "fmt" "testing" "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk" @@ -71,3 +72,15 @@ func (c *ContextClient) IsRoleInSession(t *testing.T, id sdk.AccountObjectIdenti return isInSession } + +// ACSURL returns Snowflake Assertion Consumer Service URL +func (c *ContextClient) ACSURL(t *testing.T) string { + t.Helper() + return fmt.Sprintf("https://%s.snowflakecomputing.com/fed/login", c.CurrentAccount(t)) +} + +// IssuerURL returns a URL containing the EntityID / Issuer for the Snowflake service provider +func (c *ContextClient) IssuerURL(t *testing.T) string { + t.Helper() + return fmt.Sprintf("https://%s.snowflakecomputing.com", c.CurrentAccount(t)) +} diff --git a/pkg/acceptance/helpers/random/certs.go b/pkg/acceptance/helpers/random/certs.go index aa23b530b4..80a53a83eb 100644 --- a/pkg/acceptance/helpers/random/certs.go +++ b/pkg/acceptance/helpers/random/certs.go @@ -7,6 +7,7 @@ import ( "crypto/x509" "crypto/x509/pkix" "encoding/pem" + "fmt" "math/big" "strings" "testing" 
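Review bot: ACSURL and IssuerURL each hard-code the `https://%s.snowflakecomputing.com` host in their own fmt.Sprintf, so the two helpers can drift apart on a later edit; since the ACS URL is the issuer URL plus the `/fed/login` path, `return c.IssuerURL(t) + "/fed/login"` keeps them in sync and drops the duplicated format string. Both helpers presumably rely on CurrentAccount returning the identifier that forms the account hostname; if it returns a plain account name rather than the locator, the generated URLs will not match the account's real host, so a comment such as `// assumes CurrentAccount returns the identifier used in the account hostname — confirm` on ACSURL would make that dependency visible to whoever runs the acceptance tests.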
@@ -34,14 +35,32 @@ func GenerateX509(t *testing.T) string { caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey) require.NoError(t, err) - certPEM := new(bytes.Buffer) - err = pem.Encode(certPEM, &pem.Block{ - Type: "CERTIFICATE", - Bytes: caBytes, - }) + return encode(t, "CERTIFICATE", caBytes) +} + +// GenerateRSA returns an RSA public key without BEGIN and END markers. +func GenerateRSAPublicKey(t *testing.T) string { + t.Helper() + key, err := rsa.GenerateKey(rand.Reader, 2048) require.NoError(t, err) - cert := strings.TrimPrefix(certPEM.String(), "-----BEGIN CERTIFICATE-----\n") - cert = strings.TrimSuffix(cert, "-----END CERTIFICATE-----\n") + pub := key.Public() + b, err := x509.MarshalPKIXPublicKey(pub.(*rsa.PublicKey)) + require.NoError(t, err) + return encode(t, "RSA PUBLIC KEY", b) +} + +func encode(t *testing.T, pemType string, b []byte) string { + t.Helper() + buffer := new(bytes.Buffer) + err := pem.Encode(buffer, + &pem.Block{ + Type: pemType, + Bytes: b, + }, + ) + require.NoError(t, err) + cert := strings.TrimPrefix(buffer.String(), fmt.Sprintf("-----BEGIN %s-----\n", pemType)) + cert = strings.TrimSuffix(cert, fmt.Sprintf("-----END %s-----\n", pemType)) return cert } diff --git a/pkg/acceptance/helpers/security_integration_client.go b/pkg/acceptance/helpers/security_integration_client.go index 0c37b0b48d..1b47feaaa6 100644 --- a/pkg/acceptance/helpers/security_integration_client.go +++ b/pkg/acceptance/helpers/security_integration_client.go @@ -66,7 +66,7 @@ func (c *SecurityIntegrationClient) DropSecurityIntegrationFunc(t *testing.T, id ctx := context.Background() return func() { - err := c.client().Drop(ctx, sdk.NewDropSecurityIntegrationRequest(id).WithIfExists(sdk.Bool(true))) + err := c.client().Drop(ctx, sdk.NewDropSecurityIntegrationRequest(id).WithIfExists(true)) require.NoError(t, err) } } 
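Review bot: GenerateRSAPublicKey labels its PEM block `RSA PUBLIC KEY`, but the bytes come from x509.MarshalPKIXPublicKey, which emits a SubjectPublicKeyInfo structure whose conventional PEM type is `PUBLIC KEY`; `RSA PUBLIC KEY` denotes the PKCS#1 form produced by x509.MarshalPKCS1PublicKey. Because encode strips the markers again, the returned body is unaffected, but the label will mislead anyone who reuses encode with the markers kept, so change the call to `return encode(t, "PUBLIC KEY", b)`. The doc comment names the wrong function and should read `// GenerateRSAPublicKey returns a PKIX-encoded RSA public key without BEGIN and END markers.`. The `pub.(*rsa.PublicKey)` assertion is unnecessary since MarshalPKIXPublicKey takes any; `x509.MarshalPKIXPublicKey(&key.PublicKey)` is simpler and cannot panic.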
diff --git a/pkg/internal/snowflakeroles/snowflake_predefined_roles.go b/pkg/internal/snowflakeroles/snowflake_predefined_roles.go index 067abc4fe7..f71bdef820 100644 --- a/pkg/internal/snowflakeroles/snowflake_predefined_roles.go +++ b/pkg/internal/snowflakeroles/snowflake_predefined_roles.go @@ -3,7 +3,11 @@ package snowflakeroles import "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk" var ( - Orgadmin = sdk.NewAccountObjectIdentifier("ORGADMIN") - Accountadmin = sdk.NewAccountObjectIdentifier("ACCOUNTADMIN") + Orgadmin = sdk.NewAccountObjectIdentifier("ORGADMIN") + Accountadmin = sdk.NewAccountObjectIdentifier("ACCOUNTADMIN") + SecurityAdmin = sdk.NewAccountObjectIdentifier("SECURITYADMIN") + + OktaProvisioner = sdk.NewAccountObjectIdentifier("OKTA_PROVISIONER") + AadProvisioner = sdk.NewAccountObjectIdentifier("AAD_PROVISIONER") GenericScimProvisioner = sdk.NewAccountObjectIdentifier("GENERIC_SCIM_PROVISIONER") ) diff --git a/pkg/sdk/security_integrations_def.go b/pkg/sdk/security_integrations_def.go index d2b5e47e90..eb543cc08c 100644 --- a/pkg/sdk/security_integrations_def.go +++ b/pkg/sdk/security_integrations_def.go 
@@ -4,9 +4,31 @@ import g "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk/poc/gen //go:generate go run ./poc/main.go +type OauthSecurityIntegrationUseSecondaryRolesOption string + +const ( + OauthSecurityIntegrationUseSecondaryRolesImplicit OauthSecurityIntegrationUseSecondaryRolesOption = "IMPLICIT" + OauthSecurityIntegrationUseSecondaryRolesNone OauthSecurityIntegrationUseSecondaryRolesOption = "NONE" +) + +type OauthSecurityIntegrationClientTypeOption string + +const ( + OauthSecurityIntegrationClientTypePublic OauthSecurityIntegrationClientTypeOption = "PUBLIC" + OauthSecurityIntegrationClientTypeConfidential OauthSecurityIntegrationClientTypeOption = "CONFIDENTIAL" +) + +type OauthSecurityIntegrationClientOption string + +const ( + OauthSecurityIntegrationClientLooker OauthSecurityIntegrationClientOption = "LOOKER" + OauthSecurityIntegrationClientTableauDesktop OauthSecurityIntegrationClientOption = "TABLEAU_DESKTOP" + OauthSecurityIntegrationClientTableauServer OauthSecurityIntegrationClientOption = "TABLEAU_SERVER" +) + type ScimSecurityIntegrationScimClientOption string -var ( +const ( ScimSecurityIntegrationScimClientOkta ScimSecurityIntegrationScimClientOption = "OKTA" ScimSecurityIntegrationScimClientAzure ScimSecurityIntegrationScimClientOption = "AZURE" ScimSecurityIntegrationScimClientGeneric ScimSecurityIntegrationScimClientOption = "GENERIC" 
@@ -14,32 +36,36 @@ var ( type ScimSecurityIntegrationRunAsRoleOption string -var ( +const ( ScimSecurityIntegrationRunAsRoleOktaProvisioner ScimSecurityIntegrationRunAsRoleOption = "OKTA_PROVISIONER" ScimSecurityIntegrationRunAsRoleAadProvisioner ScimSecurityIntegrationRunAsRoleOption = "AAD_PROVISIONER" ScimSecurityIntegrationRunAsRoleGenericScimProvisioner ScimSecurityIntegrationRunAsRoleOption = "GENERIC_SCIM_PROVISIONER" ) var ( - userDomainDef = g.NewQueryStruct("UserDomain").Text("Domain", g.KeywordOptions().SingleQuotes().Required()) - emailPatternDef = g.NewQueryStruct("EmailPattern").Text("Pattern", g.KeywordOptions().SingleQuotes().Required()) + userDomainDef = g.NewQueryStruct("UserDomain").Text("Domain", g.KeywordOptions().SingleQuotes().Required()) + emailPatternDef = g.NewQueryStruct("EmailPattern").Text("Pattern", g.KeywordOptions().SingleQuotes().Required()) + preAuthorizedRolesListDef = g.NewQueryStruct("PreAuthorizedRolesList"). + List("PreAuthorizedRolesList", "AccountObjectIdentifier", g.ListOptions().MustParentheses()) + blockedRolesListDef = g.NewQueryStruct("BlockedRolesList"). + List("BlockedRolesList", "AccountObjectIdentifier", g.ListOptions().MustParentheses()) ) -func createSecurityIntegrationOperation(structName string, apply func(qs *g.QueryStruct) *g.QueryStruct) *g.QueryStruct { +func createSecurityIntegrationOperation(structName string, opts func(qs *g.QueryStruct) *g.QueryStruct) *g.QueryStruct { qs := g.NewQueryStruct(structName). Create(). OrReplace(). SQL("SECURITY INTEGRATION"). IfNotExists(). Name() - qs = apply(qs) + qs = opts(qs) return qs. OptionalComment(). WithValidation(g.ValidIdentifier, "name"). 
WithValidation(g.ConflictingFields, "OrReplace", "IfNotExists") } -func alterSecurityIntegrationOperation(structName string, apply func(qs *g.QueryStruct) *g.QueryStruct) *g.QueryStruct { +func alterSecurityIntegrationOperation(structName string, opts func(qs *g.QueryStruct) *g.QueryStruct) *g.QueryStruct { qs := g.NewQueryStruct(structName). Alter(). SQL("SECURITY INTEGRATION"). 
@@ -48,10 +74,60 @@ func alterSecurityIntegrationOperation(structName string, apply func(qs *g.Query OptionalSetTags(). OptionalUnsetTags(). WithValidation(g.ValidIdentifier, "name") - qs = apply(qs) + qs = opts(qs) return qs } +var oauthForPartnerApplicationsIntegrationSetDef = g.NewQueryStruct("OauthForPartnerApplicationsIntegrationSet"). + OptionalBooleanAssignment("ENABLED", g.ParameterOptions()). + OptionalBooleanAssignment("OAUTH_ISSUE_REFRESH_TOKENS", g.ParameterOptions()). + OptionalTextAssignment("OAUTH_REDIRECT_URI", g.ParameterOptions().SingleQuotes()). + OptionalNumberAssignment("OAUTH_REFRESH_TOKEN_VALIDITY", g.ParameterOptions()). + OptionalAssignment( + "OAUTH_USE_SECONDARY_ROLES", + g.KindOfT[OauthSecurityIntegrationUseSecondaryRolesOption](), + g.ParameterOptions(), + ). + OptionalQueryStructField("BlockedRolesList", blockedRolesListDef, g.ParameterOptions().SQL("BLOCKED_ROLES_LIST").Parentheses()). + OptionalComment(). + WithValidation(g.AtLeastOneValueSet, "Enabled", "OauthIssueRefreshTokens", "OauthRedirectUri", "OauthRefreshTokenValidity", "OauthUseSecondaryRoles", + "BlockedRolesList", "Comment") + +var oauthForPartnerApplicationsIntegrationUnsetDef = g.NewQueryStruct("OauthForPartnerApplicationsIntegrationUnset"). + OptionalSQL("ENABLED"). + OptionalSQL("OAUTH_USE_SECONDARY_ROLES"). + WithValidation(g.AtLeastOneValueSet, "Enabled", "OauthUseSecondaryRoles") + +var oauthForCustomClientsIntegrationSetDef = g.NewQueryStruct("OauthForCustomClientsIntegrationSet"). + OptionalBooleanAssignment("ENABLED", g.ParameterOptions()). + OptionalTextAssignment("OAUTH_REDIRECT_URI", g.ParameterOptions().SingleQuotes()). + OptionalBooleanAssignment("OAUTH_ALLOW_NON_TLS_REDIRECT_URI", g.ParameterOptions()). + OptionalBooleanAssignment("OAUTH_ENFORCE_PKCE", g.ParameterOptions()). + OptionalQueryStructField("PreAuthorizedRolesList", preAuthorizedRolesListDef, g.ParameterOptions().SQL("PRE_AUTHORIZED_ROLES_LIST").Parentheses()). 
+ OptionalQueryStructField("BlockedRolesList", blockedRolesListDef, g.ParameterOptions().SQL("BLOCKED_ROLES_LIST").Parentheses()). + OptionalBooleanAssignment("OAUTH_ISSUE_REFRESH_TOKENS", g.ParameterOptions()). + OptionalNumberAssignment("OAUTH_REFRESH_TOKEN_VALIDITY", g.ParameterOptions()). + OptionalAssignment( + "OAUTH_USE_SECONDARY_ROLES", + g.KindOfT[OauthSecurityIntegrationUseSecondaryRolesOption](), + g.ParameterOptions(), + ). + OptionalIdentifier("NetworkPolicy", g.KindOfT[AccountObjectIdentifier](), g.IdentifierOptions().Equals().SQL("NETWORK_POLICY")). + OptionalTextAssignment("OAUTH_CLIENT_RSA_PUBLIC_KEY", g.ParameterOptions().SingleQuotes()). + OptionalTextAssignment("OAUTH_CLIENT_RSA_PUBLIC_KEY_2", g.ParameterOptions().SingleQuotes()). + OptionalComment(). + WithValidation(g.AtLeastOneValueSet, "Enabled", "OauthRedirectUri", "OauthAllowNonTlsRedirectUri", "OauthEnforcePkce", "PreAuthorizedRolesList", + "BlockedRolesList", "OauthIssueRefreshTokens", "OauthRefreshTokenValidity", "OauthUseSecondaryRoles", "NetworkPolicy", "OauthClientRsaPublicKey", + "OauthClientRsaPublicKey2", "Comment") + +var oauthForCustomClientsIntegrationUnsetDef = g.NewQueryStruct("OauthForCustomClientsIntegrationUnset"). + OptionalSQL("ENABLED"). + OptionalSQL("NETWORK_POLICY"). + OptionalSQL("OAUTH_CLIENT_RSA_PUBLIC_KEY"). + OptionalSQL("OAUTH_CLIENT_RSA_PUBLIC_KEY_2"). + OptionalSQL("OAUTH_USE_SECONDARY_ROLES"). + WithValidation(g.AtLeastOneValueSet, "Enabled", "NetworkPolicy", "OauthUseSecondaryRoles", "OauthClientRsaPublicKey", "OauthClientRsaPublicKey2") + var saml2IntegrationSetDef = g.NewQueryStruct("Saml2IntegrationSet"). OptionalBooleanAssignment("ENABLED", g.ParameterOptions()). OptionalTextAssignment("SAML2_ISSUER", g.ParameterOptions().SingleQuotes()). 
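Review bot: The `OAUTH_CLIENT_RSA_PUBLIC_KEY` and `OAUTH_CLIENT_RSA_PUBLIC_KEY_2` text assignments in oauthForCustomClientsIntegrationSetDef (and again in the CreateOauthForCustomClients operation in the next hunk) give no hint of the expected value format, which the new random.GenerateRSAPublicKey helper in this commit describes as a key without BEGIN and END markers. A comment on the first of these lines, e.g. `// key body only, without the PEM BEGIN/END markers (see helpers/random.GenerateRSAPublicKey)`, would spare SDK users from submitting a complete PEM file. The AtLeastOneValueSet field lists on each Set/Unset definition are hand-maintained mirrors of the assignments above them, and a field added to one but not the other silently weakens the validation; a one-line comment noting that coupling, such as `// keep this list in sync with the assignments above`, would help future edits.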
@@ -100,6 +176,61 @@ var SecurityIntegrationsDef = g.NewInterface( "SecurityIntegration", g.KindOfT[AccountObjectIdentifier](), ). + CustomOperation( + "CreateOauthForPartnerApplications", + "https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-oauth-snowflake", + createSecurityIntegrationOperation("CreateOauthForPartnerApplications", func(qs *g.QueryStruct) *g.QueryStruct { + return qs. + PredefinedQueryStructField("integrationType", "string", g.StaticOptions().SQL("TYPE = OAUTH")). + Assignment( + "OAUTH_CLIENT", + g.KindOfT[OauthSecurityIntegrationClientOption](), + g.ParameterOptions().Required(), + ). + OptionalTextAssignment("OAUTH_REDIRECT_URI", g.ParameterOptions().SingleQuotes()). + OptionalBooleanAssignment("ENABLED", g.ParameterOptions()). + OptionalBooleanAssignment("OAUTH_ISSUE_REFRESH_TOKENS", g.ParameterOptions()). + OptionalNumberAssignment("OAUTH_REFRESH_TOKEN_VALIDITY", g.ParameterOptions()). + OptionalAssignment( + "OAUTH_USE_SECONDARY_ROLES", + g.KindOfT[OauthSecurityIntegrationUseSecondaryRolesOption](), + g.ParameterOptions(), + ). + OptionalQueryStructField("BlockedRolesList", blockedRolesListDef, g.ParameterOptions().SQL("BLOCKED_ROLES_LIST").Parentheses()) + }), + preAuthorizedRolesListDef, + blockedRolesListDef, + ). + CustomOperation( + "CreateOauthForCustomClients", + "https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-oauth-snowflake", + createSecurityIntegrationOperation("CreateOauthForCustomClients", func(qs *g.QueryStruct) *g.QueryStruct { + return qs. + PredefinedQueryStructField("integrationType", "string", g.StaticOptions().SQL("TYPE = OAUTH")). + PredefinedQueryStructField("oauthClient", "string", g.StaticOptions().SQL("OAUTH_CLIENT = CUSTOM")). + Assignment( + "OAUTH_CLIENT_TYPE", + g.KindOfT[OauthSecurityIntegrationClientTypeOption](), + g.ParameterOptions().Required().SingleQuotes(), + ). + TextAssignment("OAUTH_REDIRECT_URI", g.ParameterOptions().Required().SingleQuotes()). 
+ OptionalBooleanAssignment("ENABLED", g.ParameterOptions()). + OptionalBooleanAssignment("OAUTH_ALLOW_NON_TLS_REDIRECT_URI", g.ParameterOptions()). + OptionalBooleanAssignment("OAUTH_ENFORCE_PKCE", g.ParameterOptions()). + OptionalAssignment( + "OAUTH_USE_SECONDARY_ROLES", + g.KindOfT[OauthSecurityIntegrationUseSecondaryRolesOption](), + g.ParameterOptions(), + ). + OptionalQueryStructField("PreAuthorizedRolesList", preAuthorizedRolesListDef, g.ParameterOptions().SQL("PRE_AUTHORIZED_ROLES_LIST").Parentheses()). + OptionalQueryStructField("BlockedRolesList", blockedRolesListDef, g.ParameterOptions().SQL("BLOCKED_ROLES_LIST").Parentheses()). + OptionalBooleanAssignment("OAUTH_ISSUE_REFRESH_TOKENS", g.ParameterOptions()). + OptionalNumberAssignment("OAUTH_REFRESH_TOKEN_VALIDITY", g.ParameterOptions()). + OptionalIdentifier("NetworkPolicy", g.KindOfT[AccountObjectIdentifier](), g.IdentifierOptions().Equals().SQL("NETWORK_POLICY")). + OptionalTextAssignment("OAUTH_CLIENT_RSA_PUBLIC_KEY", g.ParameterOptions().SingleQuotes()). + OptionalTextAssignment("OAUTH_CLIENT_RSA_PUBLIC_KEY_2", g.ParameterOptions().SingleQuotes()) + }), + ). CustomOperation( "CreateSaml2", "https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-saml2", 
@@ -147,6 +278,36 @@ var SecurityIntegrationsDef = g.NewInterface( OptionalBooleanAssignment("SYNC_PASSWORD", g.ParameterOptions()) }), ). + CustomOperation( + "AlterOauthForPartnerApplications", + "https://docs.snowflake.com/en/sql-reference/sql/alter-security-integration-oauth-snowflake", + alterSecurityIntegrationOperation("AlterOauthForPartnerApplications", func(qs *g.QueryStruct) *g.QueryStruct { + return qs.OptionalQueryStructField( + "Set", + oauthForPartnerApplicationsIntegrationSetDef, + g.ListOptions().NoParentheses().SQL("SET"), + ).OptionalQueryStructField( + "Unset", + oauthForPartnerApplicationsIntegrationUnsetDef, + g.ListOptions().NoParentheses().SQL("UNSET"), + ).WithValidation(g.ExactlyOneValueSet, "Set", "Unset", "SetTags", "UnsetTags") + }), + ). + CustomOperation( + "AlterOauthForCustomClients", + "https://docs.snowflake.com/en/sql-reference/sql/alter-security-integration-oauth-snowflake", + alterSecurityIntegrationOperation("AlterOauthForCustomClients", func(qs *g.QueryStruct) *g.QueryStruct { + return qs.OptionalQueryStructField( + "Set", + oauthForCustomClientsIntegrationSetDef, + g.ListOptions().NoParentheses().SQL("SET"), + ).OptionalQueryStructField( + "Unset", + oauthForCustomClientsIntegrationUnsetDef, + g.ListOptions().NoParentheses().SQL("UNSET"), + ).WithValidation(g.ExactlyOneValueSet, "Set", "Unset", "SetTags", "UnsetTags") + }), + ). CustomOperation( "AlterSaml2", "https://docs.snowflake.com/en/sql-reference/sql/alter-security-integration-saml2", diff --git a/pkg/sdk/security_integrations_dto_builders_gen.go b/pkg/sdk/security_integrations_dto_builders_gen.go index d2a70ed326..baed7353ef 100644 --- a/pkg/sdk/security_integrations_dto_builders_gen.go +++ b/pkg/sdk/security_integrations_dto_builders_gen.go 
@@ -4,6 +4,161 @@ package sdk import () +func NewCreateOauthForPartnerApplicationsSecurityIntegrationRequest( + name AccountObjectIdentifier, + OauthClient OauthSecurityIntegrationClientOption, +) *CreateOauthForPartnerApplicationsSecurityIntegrationRequest { + s := CreateOauthForPartnerApplicationsSecurityIntegrationRequest{} + s.name = name + s.OauthClient = OauthClient + return &s +} + +func (s *CreateOauthForPartnerApplicationsSecurityIntegrationRequest) WithOrReplace(OrReplace bool) *CreateOauthForPartnerApplicationsSecurityIntegrationRequest { + s.OrReplace = &OrReplace + return s +} + +func (s *CreateOauthForPartnerApplicationsSecurityIntegrationRequest) WithIfNotExists(IfNotExists bool) *CreateOauthForPartnerApplicationsSecurityIntegrationRequest { + s.IfNotExists = &IfNotExists + return s +} + +func (s *CreateOauthForPartnerApplicationsSecurityIntegrationRequest) WithOauthRedirectUri(OauthRedirectUri string) *CreateOauthForPartnerApplicationsSecurityIntegrationRequest { + s.OauthRedirectUri = &OauthRedirectUri + return s +} + +func (s *CreateOauthForPartnerApplicationsSecurityIntegrationRequest) WithEnabled(Enabled bool) *CreateOauthForPartnerApplicationsSecurityIntegrationRequest { + s.Enabled = &Enabled + return s +} + +func (s *CreateOauthForPartnerApplicationsSecurityIntegrationRequest) WithOauthIssueRefreshTokens(OauthIssueRefreshTokens bool) *CreateOauthForPartnerApplicationsSecurityIntegrationRequest { + s.OauthIssueRefreshTokens = &OauthIssueRefreshTokens + return s +} + +func (s *CreateOauthForPartnerApplicationsSecurityIntegrationRequest) WithOauthRefreshTokenValidity(OauthRefreshTokenValidity int) *CreateOauthForPartnerApplicationsSecurityIntegrationRequest { + s.OauthRefreshTokenValidity = &OauthRefreshTokenValidity + return s +} + +func (s *CreateOauthForPartnerApplicationsSecurityIntegrationRequest) WithOauthUseSecondaryRoles(OauthUseSecondaryRoles OauthSecurityIntegrationUseSecondaryRolesOption) 
*CreateOauthForPartnerApplicationsSecurityIntegrationRequest { + s.OauthUseSecondaryRoles = &OauthUseSecondaryRoles + return s +} + +func (s *CreateOauthForPartnerApplicationsSecurityIntegrationRequest) WithBlockedRolesList(BlockedRolesList BlockedRolesListRequest) *CreateOauthForPartnerApplicationsSecurityIntegrationRequest { + s.BlockedRolesList = &BlockedRolesList + return s +} + +func (s *CreateOauthForPartnerApplicationsSecurityIntegrationRequest) WithComment(Comment string) *CreateOauthForPartnerApplicationsSecurityIntegrationRequest { + s.Comment = &Comment + return s +} + +func NewBlockedRolesListRequest() *BlockedRolesListRequest { + return &BlockedRolesListRequest{} +} + +func (s *BlockedRolesListRequest) WithBlockedRolesList(BlockedRolesList []AccountObjectIdentifier) *BlockedRolesListRequest { + s.BlockedRolesList = BlockedRolesList + return s +} + +func NewCreateOauthForCustomClientsSecurityIntegrationRequest( + name AccountObjectIdentifier, + OauthClientType OauthSecurityIntegrationClientTypeOption, + OauthRedirectUri string, +) *CreateOauthForCustomClientsSecurityIntegrationRequest { + s := CreateOauthForCustomClientsSecurityIntegrationRequest{} + s.name = name + s.OauthClientType = OauthClientType + s.OauthRedirectUri = OauthRedirectUri + return &s +} + +func (s *CreateOauthForCustomClientsSecurityIntegrationRequest) WithOrReplace(OrReplace bool) *CreateOauthForCustomClientsSecurityIntegrationRequest { + s.OrReplace = &OrReplace + return s +} + +func (s *CreateOauthForCustomClientsSecurityIntegrationRequest) WithIfNotExists(IfNotExists bool) *CreateOauthForCustomClientsSecurityIntegrationRequest { + s.IfNotExists = &IfNotExists + return s +} + +func (s *CreateOauthForCustomClientsSecurityIntegrationRequest) WithEnabled(Enabled bool) *CreateOauthForCustomClientsSecurityIntegrationRequest { + s.Enabled = &Enabled + return s +} + +func (s *CreateOauthForCustomClientsSecurityIntegrationRequest) WithOauthAllowNonTlsRedirectUri(OauthAllowNonTlsRedirectUri 
bool) *CreateOauthForCustomClientsSecurityIntegrationRequest { + s.OauthAllowNonTlsRedirectUri = &OauthAllowNonTlsRedirectUri + return s +} + +func (s *CreateOauthForCustomClientsSecurityIntegrationRequest) WithOauthEnforcePkce(OauthEnforcePkce bool) *CreateOauthForCustomClientsSecurityIntegrationRequest { + s.OauthEnforcePkce = &OauthEnforcePkce + return s +} + +func (s *CreateOauthForCustomClientsSecurityIntegrationRequest) WithOauthUseSecondaryRoles(OauthUseSecondaryRoles OauthSecurityIntegrationUseSecondaryRolesOption) *CreateOauthForCustomClientsSecurityIntegrationRequest { + s.OauthUseSecondaryRoles = &OauthUseSecondaryRoles + return s +} + +func (s *CreateOauthForCustomClientsSecurityIntegrationRequest) WithPreAuthorizedRolesList(PreAuthorizedRolesList PreAuthorizedRolesListRequest) *CreateOauthForCustomClientsSecurityIntegrationRequest { + s.PreAuthorizedRolesList = &PreAuthorizedRolesList + return s +} + +func (s *CreateOauthForCustomClientsSecurityIntegrationRequest) WithBlockedRolesList(BlockedRolesList BlockedRolesListRequest) *CreateOauthForCustomClientsSecurityIntegrationRequest { + s.BlockedRolesList = &BlockedRolesList + return s +} + +func (s *CreateOauthForCustomClientsSecurityIntegrationRequest) WithOauthIssueRefreshTokens(OauthIssueRefreshTokens bool) *CreateOauthForCustomClientsSecurityIntegrationRequest { + s.OauthIssueRefreshTokens = &OauthIssueRefreshTokens + return s +} + +func (s *CreateOauthForCustomClientsSecurityIntegrationRequest) WithOauthRefreshTokenValidity(OauthRefreshTokenValidity int) *CreateOauthForCustomClientsSecurityIntegrationRequest { + s.OauthRefreshTokenValidity = &OauthRefreshTokenValidity + return s +} + +func (s *CreateOauthForCustomClientsSecurityIntegrationRequest) WithNetworkPolicy(NetworkPolicy AccountObjectIdentifier) *CreateOauthForCustomClientsSecurityIntegrationRequest { + s.NetworkPolicy = &NetworkPolicy + return s +} + +func (s *CreateOauthForCustomClientsSecurityIntegrationRequest) 
WithOauthClientRsaPublicKey(OauthClientRsaPublicKey string) *CreateOauthForCustomClientsSecurityIntegrationRequest { + s.OauthClientRsaPublicKey = &OauthClientRsaPublicKey + return s +} + +func (s *CreateOauthForCustomClientsSecurityIntegrationRequest) WithOauthClientRsaPublicKey2(OauthClientRsaPublicKey2 string) *CreateOauthForCustomClientsSecurityIntegrationRequest { + s.OauthClientRsaPublicKey2 = &OauthClientRsaPublicKey2 + return s +} + +func (s *CreateOauthForCustomClientsSecurityIntegrationRequest) WithComment(Comment string) *CreateOauthForCustomClientsSecurityIntegrationRequest { + s.Comment = &Comment + return s +} + +func NewPreAuthorizedRolesListRequest() *PreAuthorizedRolesListRequest { + return &PreAuthorizedRolesListRequest{} +} + +func (s *PreAuthorizedRolesListRequest) WithPreAuthorizedRolesList(PreAuthorizedRolesList []AccountObjectIdentifier) *PreAuthorizedRolesListRequest { + s.PreAuthorizedRolesList = PreAuthorizedRolesList + return s +} + func NewCreateSaml2SecurityIntegrationRequest( name AccountObjectIdentifier, Enabled bool, @@ -22,13 +177,13 @@ func NewCreateSaml2SecurityIntegrationRequest( return &s } -func (s *CreateSaml2SecurityIntegrationRequest) WithOrReplace(OrReplace *bool) *CreateSaml2SecurityIntegrationRequest { - s.OrReplace = OrReplace +func (s *CreateSaml2SecurityIntegrationRequest) WithOrReplace(OrReplace bool) *CreateSaml2SecurityIntegrationRequest { + s.OrReplace = &OrReplace return s } -func (s *CreateSaml2SecurityIntegrationRequest) WithIfNotExists(IfNotExists *bool) *CreateSaml2SecurityIntegrationRequest { - s.IfNotExists = IfNotExists +func (s *CreateSaml2SecurityIntegrationRequest) WithIfNotExists(IfNotExists bool) *CreateSaml2SecurityIntegrationRequest { + s.IfNotExists = &IfNotExists return s } 
@@ -42,53 +197,53 @@ func (s *CreateSaml2SecurityIntegrationRequest) WithAllowedEmailPatterns(Allowed return s } -func (s *CreateSaml2SecurityIntegrationRequest) WithSaml2SpInitiatedLoginPageLabel(Saml2SpInitiatedLoginPageLabel *string) *CreateSaml2SecurityIntegrationRequest { - s.Saml2SpInitiatedLoginPageLabel = Saml2SpInitiatedLoginPageLabel +func (s *CreateSaml2SecurityIntegrationRequest) WithSaml2SpInitiatedLoginPageLabel(Saml2SpInitiatedLoginPageLabel string) *CreateSaml2SecurityIntegrationRequest { + s.Saml2SpInitiatedLoginPageLabel = &Saml2SpInitiatedLoginPageLabel return s } -func (s *CreateSaml2SecurityIntegrationRequest) WithSaml2EnableSpInitiated(Saml2EnableSpInitiated *bool) *CreateSaml2SecurityIntegrationRequest { - s.Saml2EnableSpInitiated = Saml2EnableSpInitiated +func (s *CreateSaml2SecurityIntegrationRequest) WithSaml2EnableSpInitiated(Saml2EnableSpInitiated bool) *CreateSaml2SecurityIntegrationRequest { + s.Saml2EnableSpInitiated = &Saml2EnableSpInitiated return s } -func (s *CreateSaml2SecurityIntegrationRequest) WithSaml2SnowflakeX509Cert(Saml2SnowflakeX509Cert *string) *CreateSaml2SecurityIntegrationRequest { - s.Saml2SnowflakeX509Cert = Saml2SnowflakeX509Cert +func (s *CreateSaml2SecurityIntegrationRequest) WithSaml2SnowflakeX509Cert(Saml2SnowflakeX509Cert string) *CreateSaml2SecurityIntegrationRequest { + s.Saml2SnowflakeX509Cert = &Saml2SnowflakeX509Cert return s } -func (s *CreateSaml2SecurityIntegrationRequest) WithSaml2SignRequest(Saml2SignRequest *bool) *CreateSaml2SecurityIntegrationRequest { - s.Saml2SignRequest = Saml2SignRequest +func (s *CreateSaml2SecurityIntegrationRequest) WithSaml2SignRequest(Saml2SignRequest bool) *CreateSaml2SecurityIntegrationRequest { + s.Saml2SignRequest = &Saml2SignRequest return s } -func (s *CreateSaml2SecurityIntegrationRequest) WithSaml2RequestedNameidFormat(Saml2RequestedNameidFormat *string) *CreateSaml2SecurityIntegrationRequest { - s.Saml2RequestedNameidFormat = Saml2RequestedNameidFormat +func (s 
*CreateSaml2SecurityIntegrationRequest) WithSaml2RequestedNameidFormat(Saml2RequestedNameidFormat string) *CreateSaml2SecurityIntegrationRequest { + s.Saml2RequestedNameidFormat = &Saml2RequestedNameidFormat return s } -func (s *CreateSaml2SecurityIntegrationRequest) WithSaml2PostLogoutRedirectUrl(Saml2PostLogoutRedirectUrl *string) *CreateSaml2SecurityIntegrationRequest { - s.Saml2PostLogoutRedirectUrl = Saml2PostLogoutRedirectUrl +func (s *CreateSaml2SecurityIntegrationRequest) WithSaml2PostLogoutRedirectUrl(Saml2PostLogoutRedirectUrl string) *CreateSaml2SecurityIntegrationRequest { + s.Saml2PostLogoutRedirectUrl = &Saml2PostLogoutRedirectUrl return s } -func (s *CreateSaml2SecurityIntegrationRequest) WithSaml2ForceAuthn(Saml2ForceAuthn *bool) *CreateSaml2SecurityIntegrationRequest { - s.Saml2ForceAuthn = Saml2ForceAuthn +func (s *CreateSaml2SecurityIntegrationRequest) WithSaml2ForceAuthn(Saml2ForceAuthn bool) *CreateSaml2SecurityIntegrationRequest { + s.Saml2ForceAuthn = &Saml2ForceAuthn return s } -func (s *CreateSaml2SecurityIntegrationRequest) WithSaml2SnowflakeIssuerUrl(Saml2SnowflakeIssuerUrl *string) *CreateSaml2SecurityIntegrationRequest { - s.Saml2SnowflakeIssuerUrl = Saml2SnowflakeIssuerUrl +func (s *CreateSaml2SecurityIntegrationRequest) WithSaml2SnowflakeIssuerUrl(Saml2SnowflakeIssuerUrl string) *CreateSaml2SecurityIntegrationRequest { + s.Saml2SnowflakeIssuerUrl = &Saml2SnowflakeIssuerUrl return s } -func (s *CreateSaml2SecurityIntegrationRequest) WithSaml2SnowflakeAcsUrl(Saml2SnowflakeAcsUrl *string) *CreateSaml2SecurityIntegrationRequest { - s.Saml2SnowflakeAcsUrl = Saml2SnowflakeAcsUrl +func (s *CreateSaml2SecurityIntegrationRequest) WithSaml2SnowflakeAcsUrl(Saml2SnowflakeAcsUrl string) *CreateSaml2SecurityIntegrationRequest { + s.Saml2SnowflakeAcsUrl = &Saml2SnowflakeAcsUrl return s } -func (s *CreateSaml2SecurityIntegrationRequest) WithComment(Comment *string) *CreateSaml2SecurityIntegrationRequest { - s.Comment = Comment +func (s 
*CreateSaml2SecurityIntegrationRequest) WithComment(Comment string) *CreateSaml2SecurityIntegrationRequest { + s.Comment = &Comment return s } 
@@ -106,28 +261,245 @@ func NewCreateScimSecurityIntegrationRequest( return &s } -func (s *CreateScimSecurityIntegrationRequest) WithOrReplace(OrReplace *bool) *CreateScimSecurityIntegrationRequest { - s.OrReplace = OrReplace +func (s *CreateScimSecurityIntegrationRequest) WithOrReplace(OrReplace bool) *CreateScimSecurityIntegrationRequest { + s.OrReplace = &OrReplace + return s +} + +func (s *CreateScimSecurityIntegrationRequest) WithIfNotExists(IfNotExists bool) *CreateScimSecurityIntegrationRequest { + s.IfNotExists = &IfNotExists + return s +} + +func (s *CreateScimSecurityIntegrationRequest) WithNetworkPolicy(NetworkPolicy AccountObjectIdentifier) *CreateScimSecurityIntegrationRequest { + s.NetworkPolicy = &NetworkPolicy + return s +} + +func (s *CreateScimSecurityIntegrationRequest) WithSyncPassword(SyncPassword bool) *CreateScimSecurityIntegrationRequest { + s.SyncPassword = &SyncPassword + return s +} + +func (s *CreateScimSecurityIntegrationRequest) WithComment(Comment string) *CreateScimSecurityIntegrationRequest { + s.Comment = &Comment + return s +} + +func NewAlterOauthForPartnerApplicationsSecurityIntegrationRequest( + name AccountObjectIdentifier, +) *AlterOauthForPartnerApplicationsSecurityIntegrationRequest { + s := AlterOauthForPartnerApplicationsSecurityIntegrationRequest{} + s.name = name + return &s +} + +func (s *AlterOauthForPartnerApplicationsSecurityIntegrationRequest) WithIfExists(IfExists bool) *AlterOauthForPartnerApplicationsSecurityIntegrationRequest { + s.IfExists = &IfExists return s } -func (s *CreateScimSecurityIntegrationRequest) WithIfNotExists(IfNotExists *bool) *CreateScimSecurityIntegrationRequest { - s.IfNotExists = IfNotExists +func (s *AlterOauthForPartnerApplicationsSecurityIntegrationRequest) WithSetTags(SetTags []TagAssociation) *AlterOauthForPartnerApplicationsSecurityIntegrationRequest { + s.SetTags = SetTags return s } -func (s *CreateScimSecurityIntegrationRequest) WithNetworkPolicy(NetworkPolicy 
*AccountObjectIdentifier) *CreateScimSecurityIntegrationRequest { - s.NetworkPolicy = NetworkPolicy +func (s *AlterOauthForPartnerApplicationsSecurityIntegrationRequest) WithUnsetTags(UnsetTags []ObjectIdentifier) *AlterOauthForPartnerApplicationsSecurityIntegrationRequest { + s.UnsetTags = UnsetTags return s } -func (s *CreateScimSecurityIntegrationRequest) WithSyncPassword(SyncPassword *bool) *CreateScimSecurityIntegrationRequest { - s.SyncPassword = SyncPassword +func (s *AlterOauthForPartnerApplicationsSecurityIntegrationRequest) WithSet(Set OauthForPartnerApplicationsIntegrationSetRequest) *AlterOauthForPartnerApplicationsSecurityIntegrationRequest { + s.Set = &Set return s } -func (s *CreateScimSecurityIntegrationRequest) WithComment(Comment *string) *CreateScimSecurityIntegrationRequest { - s.Comment = Comment +func (s *AlterOauthForPartnerApplicationsSecurityIntegrationRequest) WithUnset(Unset OauthForPartnerApplicationsIntegrationUnsetRequest) *AlterOauthForPartnerApplicationsSecurityIntegrationRequest { + s.Unset = &Unset + return s +} + +func NewOauthForPartnerApplicationsIntegrationSetRequest() *OauthForPartnerApplicationsIntegrationSetRequest { + return &OauthForPartnerApplicationsIntegrationSetRequest{} +} + +func (s *OauthForPartnerApplicationsIntegrationSetRequest) WithEnabled(Enabled bool) *OauthForPartnerApplicationsIntegrationSetRequest { + s.Enabled = &Enabled + return s +} + +func (s *OauthForPartnerApplicationsIntegrationSetRequest) WithOauthIssueRefreshTokens(OauthIssueRefreshTokens bool) *OauthForPartnerApplicationsIntegrationSetRequest { + s.OauthIssueRefreshTokens = &OauthIssueRefreshTokens + return s +} + +func (s *OauthForPartnerApplicationsIntegrationSetRequest) WithOauthRedirectUri(OauthRedirectUri string) *OauthForPartnerApplicationsIntegrationSetRequest { + s.OauthRedirectUri = &OauthRedirectUri + return s +} + +func (s *OauthForPartnerApplicationsIntegrationSetRequest) WithOauthRefreshTokenValidity(OauthRefreshTokenValidity int) 
*OauthForPartnerApplicationsIntegrationSetRequest { + s.OauthRefreshTokenValidity = &OauthRefreshTokenValidity + return s +} + +func (s *OauthForPartnerApplicationsIntegrationSetRequest) WithOauthUseSecondaryRoles(OauthUseSecondaryRoles OauthSecurityIntegrationUseSecondaryRolesOption) *OauthForPartnerApplicationsIntegrationSetRequest { + s.OauthUseSecondaryRoles = &OauthUseSecondaryRoles + return s +} + +func (s *OauthForPartnerApplicationsIntegrationSetRequest) WithBlockedRolesList(BlockedRolesList BlockedRolesListRequest) *OauthForPartnerApplicationsIntegrationSetRequest { + s.BlockedRolesList = &BlockedRolesList + return s +} + +func (s *OauthForPartnerApplicationsIntegrationSetRequest) WithComment(Comment string) *OauthForPartnerApplicationsIntegrationSetRequest { + s.Comment = &Comment + return s +} + +func NewOauthForPartnerApplicationsIntegrationUnsetRequest() *OauthForPartnerApplicationsIntegrationUnsetRequest { + return &OauthForPartnerApplicationsIntegrationUnsetRequest{} +} + +func (s *OauthForPartnerApplicationsIntegrationUnsetRequest) WithEnabled(Enabled bool) *OauthForPartnerApplicationsIntegrationUnsetRequest { + s.Enabled = &Enabled + return s +} + +func (s *OauthForPartnerApplicationsIntegrationUnsetRequest) WithOauthUseSecondaryRoles(OauthUseSecondaryRoles bool) *OauthForPartnerApplicationsIntegrationUnsetRequest { + s.OauthUseSecondaryRoles = &OauthUseSecondaryRoles + return s +} + +func NewAlterOauthForCustomClientsSecurityIntegrationRequest( + name AccountObjectIdentifier, +) *AlterOauthForCustomClientsSecurityIntegrationRequest { + s := AlterOauthForCustomClientsSecurityIntegrationRequest{} + s.name = name + return &s +} + +func (s *AlterOauthForCustomClientsSecurityIntegrationRequest) WithIfExists(IfExists bool) *AlterOauthForCustomClientsSecurityIntegrationRequest { + s.IfExists = &IfExists + return s +} + +func (s *AlterOauthForCustomClientsSecurityIntegrationRequest) WithSetTags(SetTags []TagAssociation) 
*AlterOauthForCustomClientsSecurityIntegrationRequest { + s.SetTags = SetTags + return s +} + +func (s *AlterOauthForCustomClientsSecurityIntegrationRequest) WithUnsetTags(UnsetTags []ObjectIdentifier) *AlterOauthForCustomClientsSecurityIntegrationRequest { + s.UnsetTags = UnsetTags + return s +} + +func (s *AlterOauthForCustomClientsSecurityIntegrationRequest) WithSet(Set OauthForCustomClientsIntegrationSetRequest) *AlterOauthForCustomClientsSecurityIntegrationRequest { + s.Set = &Set + return s +} + +func (s *AlterOauthForCustomClientsSecurityIntegrationRequest) WithUnset(Unset OauthForCustomClientsIntegrationUnsetRequest) *AlterOauthForCustomClientsSecurityIntegrationRequest { + s.Unset = &Unset + return s +} + +func NewOauthForCustomClientsIntegrationSetRequest() *OauthForCustomClientsIntegrationSetRequest { + return &OauthForCustomClientsIntegrationSetRequest{} +} + +func (s *OauthForCustomClientsIntegrationSetRequest) WithEnabled(Enabled bool) *OauthForCustomClientsIntegrationSetRequest { + s.Enabled = &Enabled + return s +} + +func (s *OauthForCustomClientsIntegrationSetRequest) WithOauthRedirectUri(OauthRedirectUri string) *OauthForCustomClientsIntegrationSetRequest { + s.OauthRedirectUri = &OauthRedirectUri + return s +} + +func (s *OauthForCustomClientsIntegrationSetRequest) WithOauthAllowNonTlsRedirectUri(OauthAllowNonTlsRedirectUri bool) *OauthForCustomClientsIntegrationSetRequest { + s.OauthAllowNonTlsRedirectUri = &OauthAllowNonTlsRedirectUri + return s +} + +func (s *OauthForCustomClientsIntegrationSetRequest) WithOauthEnforcePkce(OauthEnforcePkce bool) *OauthForCustomClientsIntegrationSetRequest { + s.OauthEnforcePkce = &OauthEnforcePkce + return s +} + +func (s *OauthForCustomClientsIntegrationSetRequest) WithPreAuthorizedRolesList(PreAuthorizedRolesList PreAuthorizedRolesListRequest) *OauthForCustomClientsIntegrationSetRequest { + s.PreAuthorizedRolesList = &PreAuthorizedRolesList + return s +} + +func (s 
*OauthForCustomClientsIntegrationSetRequest) WithBlockedRolesList(BlockedRolesList BlockedRolesListRequest) *OauthForCustomClientsIntegrationSetRequest { + s.BlockedRolesList = &BlockedRolesList + return s +} + +func (s *OauthForCustomClientsIntegrationSetRequest) WithOauthIssueRefreshTokens(OauthIssueRefreshTokens bool) *OauthForCustomClientsIntegrationSetRequest { + s.OauthIssueRefreshTokens = &OauthIssueRefreshTokens + return s +} + +func (s *OauthForCustomClientsIntegrationSetRequest) WithOauthRefreshTokenValidity(OauthRefreshTokenValidity int) *OauthForCustomClientsIntegrationSetRequest { + s.OauthRefreshTokenValidity = &OauthRefreshTokenValidity + return s +} + +func (s *OauthForCustomClientsIntegrationSetRequest) WithOauthUseSecondaryRoles(OauthUseSecondaryRoles OauthSecurityIntegrationUseSecondaryRolesOption) *OauthForCustomClientsIntegrationSetRequest { + s.OauthUseSecondaryRoles = &OauthUseSecondaryRoles + return s +} + +func (s *OauthForCustomClientsIntegrationSetRequest) WithNetworkPolicy(NetworkPolicy AccountObjectIdentifier) *OauthForCustomClientsIntegrationSetRequest { + s.NetworkPolicy = &NetworkPolicy + return s +} + +func (s *OauthForCustomClientsIntegrationSetRequest) WithOauthClientRsaPublicKey(OauthClientRsaPublicKey string) *OauthForCustomClientsIntegrationSetRequest { + s.OauthClientRsaPublicKey = &OauthClientRsaPublicKey + return s +} + +func (s *OauthForCustomClientsIntegrationSetRequest) WithOauthClientRsaPublicKey2(OauthClientRsaPublicKey2 string) *OauthForCustomClientsIntegrationSetRequest { + s.OauthClientRsaPublicKey2 = &OauthClientRsaPublicKey2 + return s +} + +func (s *OauthForCustomClientsIntegrationSetRequest) WithComment(Comment string) *OauthForCustomClientsIntegrationSetRequest { + s.Comment = &Comment + return s +} + +func NewOauthForCustomClientsIntegrationUnsetRequest() *OauthForCustomClientsIntegrationUnsetRequest { + return &OauthForCustomClientsIntegrationUnsetRequest{} +} + +func (s 
*OauthForCustomClientsIntegrationUnsetRequest) WithEnabled(Enabled bool) *OauthForCustomClientsIntegrationUnsetRequest { + s.Enabled = &Enabled + return s +} + +func (s *OauthForCustomClientsIntegrationUnsetRequest) WithNetworkPolicy(NetworkPolicy bool) *OauthForCustomClientsIntegrationUnsetRequest { + s.NetworkPolicy = &NetworkPolicy + return s +} + +func (s *OauthForCustomClientsIntegrationUnsetRequest) WithOauthClientRsaPublicKey(OauthClientRsaPublicKey bool) *OauthForCustomClientsIntegrationUnsetRequest { + s.OauthClientRsaPublicKey = &OauthClientRsaPublicKey + return s +} + +func (s *OauthForCustomClientsIntegrationUnsetRequest) WithOauthClientRsaPublicKey2(OauthClientRsaPublicKey2 bool) *OauthForCustomClientsIntegrationUnsetRequest { + s.OauthClientRsaPublicKey2 = &OauthClientRsaPublicKey2 + return s +} + +func (s *OauthForCustomClientsIntegrationUnsetRequest) WithOauthUseSecondaryRoles(OauthUseSecondaryRoles bool) *OauthForCustomClientsIntegrationUnsetRequest { + s.OauthUseSecondaryRoles = &OauthUseSecondaryRoles return s } @@ -139,8 +511,8 @@ func NewAlterSaml2SecurityIntegrationRequest( return &s } -func (s *AlterSaml2SecurityIntegrationRequest) WithIfExists(IfExists *bool) *AlterSaml2SecurityIntegrationRequest { - s.IfExists = IfExists +func (s *AlterSaml2SecurityIntegrationRequest) WithIfExists(IfExists bool) *AlterSaml2SecurityIntegrationRequest { + s.IfExists = &IfExists return s } 
@@ -154,18 +526,18 @@ func (s *AlterSaml2SecurityIntegrationRequest) WithUnsetTags(UnsetTags []ObjectI return s } -func (s *AlterSaml2SecurityIntegrationRequest) WithSet(Set *Saml2IntegrationSetRequest) *AlterSaml2SecurityIntegrationRequest { - s.Set = Set +func (s *AlterSaml2SecurityIntegrationRequest) WithSet(Set Saml2IntegrationSetRequest) *AlterSaml2SecurityIntegrationRequest { + s.Set = &Set return s } -func (s *AlterSaml2SecurityIntegrationRequest) WithUnset(Unset *Saml2IntegrationUnsetRequest) *AlterSaml2SecurityIntegrationRequest { - s.Unset = Unset +func (s *AlterSaml2SecurityIntegrationRequest) WithUnset(Unset Saml2IntegrationUnsetRequest) *AlterSaml2SecurityIntegrationRequest { + s.Unset = &Unset return s } -func (s *AlterSaml2SecurityIntegrationRequest) WithRefreshSaml2SnowflakePrivateKey(RefreshSaml2SnowflakePrivateKey *bool) *AlterSaml2SecurityIntegrationRequest { - s.RefreshSaml2SnowflakePrivateKey = RefreshSaml2SnowflakePrivateKey +func (s *AlterSaml2SecurityIntegrationRequest) WithRefreshSaml2SnowflakePrivateKey(RefreshSaml2SnowflakePrivateKey bool) *AlterSaml2SecurityIntegrationRequest { + s.RefreshSaml2SnowflakePrivateKey = &RefreshSaml2SnowflakePrivateKey return s } 
@@ -173,28 +545,28 @@ func NewSaml2IntegrationSetRequest() *Saml2IntegrationSetRequest { return &Saml2IntegrationSetRequest{} } -func (s *Saml2IntegrationSetRequest) WithEnabled(Enabled *bool) *Saml2IntegrationSetRequest { - s.Enabled = Enabled +func (s *Saml2IntegrationSetRequest) WithEnabled(Enabled bool) *Saml2IntegrationSetRequest { + s.Enabled = &Enabled return s } -func (s *Saml2IntegrationSetRequest) WithSaml2Issuer(Saml2Issuer *string) *Saml2IntegrationSetRequest { - s.Saml2Issuer = Saml2Issuer +func (s *Saml2IntegrationSetRequest) WithSaml2Issuer(Saml2Issuer string) *Saml2IntegrationSetRequest { + s.Saml2Issuer = &Saml2Issuer return s } -func (s *Saml2IntegrationSetRequest) WithSaml2SsoUrl(Saml2SsoUrl *string) *Saml2IntegrationSetRequest { - s.Saml2SsoUrl = Saml2SsoUrl +func (s *Saml2IntegrationSetRequest) WithSaml2SsoUrl(Saml2SsoUrl string) *Saml2IntegrationSetRequest { + s.Saml2SsoUrl = &Saml2SsoUrl return s } -func (s *Saml2IntegrationSetRequest) WithSaml2Provider(Saml2Provider *string) *Saml2IntegrationSetRequest { - s.Saml2Provider = Saml2Provider +func (s *Saml2IntegrationSetRequest) WithSaml2Provider(Saml2Provider string) *Saml2IntegrationSetRequest { + s.Saml2Provider = &Saml2Provider return s } -func (s *Saml2IntegrationSetRequest) WithSaml2X509Cert(Saml2X509Cert *string) *Saml2IntegrationSetRequest { - s.Saml2X509Cert = Saml2X509Cert +func (s *Saml2IntegrationSetRequest) WithSaml2X509Cert(Saml2X509Cert string) *Saml2IntegrationSetRequest { + s.Saml2X509Cert = &Saml2X509Cert return s } 
@@ -208,53 +580,53 @@ func (s *Saml2IntegrationSetRequest) WithAllowedEmailPatterns(AllowedEmailPatter return s } -func (s *Saml2IntegrationSetRequest) WithSaml2SpInitiatedLoginPageLabel(Saml2SpInitiatedLoginPageLabel *string) *Saml2IntegrationSetRequest { - s.Saml2SpInitiatedLoginPageLabel = Saml2SpInitiatedLoginPageLabel +func (s *Saml2IntegrationSetRequest) WithSaml2SpInitiatedLoginPageLabel(Saml2SpInitiatedLoginPageLabel string) *Saml2IntegrationSetRequest { + s.Saml2SpInitiatedLoginPageLabel = &Saml2SpInitiatedLoginPageLabel return s } -func (s *Saml2IntegrationSetRequest) WithSaml2EnableSpInitiated(Saml2EnableSpInitiated *bool) *Saml2IntegrationSetRequest { - s.Saml2EnableSpInitiated = Saml2EnableSpInitiated +func (s *Saml2IntegrationSetRequest) WithSaml2EnableSpInitiated(Saml2EnableSpInitiated bool) *Saml2IntegrationSetRequest { + s.Saml2EnableSpInitiated = &Saml2EnableSpInitiated return s } -func (s *Saml2IntegrationSetRequest) WithSaml2SnowflakeX509Cert(Saml2SnowflakeX509Cert *string) *Saml2IntegrationSetRequest { - s.Saml2SnowflakeX509Cert = Saml2SnowflakeX509Cert +func (s *Saml2IntegrationSetRequest) WithSaml2SnowflakeX509Cert(Saml2SnowflakeX509Cert string) *Saml2IntegrationSetRequest { + s.Saml2SnowflakeX509Cert = &Saml2SnowflakeX509Cert return s } -func (s *Saml2IntegrationSetRequest) WithSaml2SignRequest(Saml2SignRequest *bool) *Saml2IntegrationSetRequest { - s.Saml2SignRequest = Saml2SignRequest +func (s *Saml2IntegrationSetRequest) WithSaml2SignRequest(Saml2SignRequest bool) *Saml2IntegrationSetRequest { + s.Saml2SignRequest = &Saml2SignRequest return s } -func (s *Saml2IntegrationSetRequest) WithSaml2RequestedNameidFormat(Saml2RequestedNameidFormat *string) *Saml2IntegrationSetRequest { - s.Saml2RequestedNameidFormat = Saml2RequestedNameidFormat +func (s *Saml2IntegrationSetRequest) WithSaml2RequestedNameidFormat(Saml2RequestedNameidFormat string) *Saml2IntegrationSetRequest { + s.Saml2RequestedNameidFormat = &Saml2RequestedNameidFormat return s } 
-func (s *Saml2IntegrationSetRequest) WithSaml2PostLogoutRedirectUrl(Saml2PostLogoutRedirectUrl *string) *Saml2IntegrationSetRequest { - s.Saml2PostLogoutRedirectUrl = Saml2PostLogoutRedirectUrl +func (s *Saml2IntegrationSetRequest) WithSaml2PostLogoutRedirectUrl(Saml2PostLogoutRedirectUrl string) *Saml2IntegrationSetRequest { + s.Saml2PostLogoutRedirectUrl = &Saml2PostLogoutRedirectUrl return s } -func (s *Saml2IntegrationSetRequest) WithSaml2ForceAuthn(Saml2ForceAuthn *bool) *Saml2IntegrationSetRequest { - s.Saml2ForceAuthn = Saml2ForceAuthn +func (s *Saml2IntegrationSetRequest) WithSaml2ForceAuthn(Saml2ForceAuthn bool) *Saml2IntegrationSetRequest { + s.Saml2ForceAuthn = &Saml2ForceAuthn return s } -func (s *Saml2IntegrationSetRequest) WithSaml2SnowflakeIssuerUrl(Saml2SnowflakeIssuerUrl *string) *Saml2IntegrationSetRequest { - s.Saml2SnowflakeIssuerUrl = Saml2SnowflakeIssuerUrl +func (s *Saml2IntegrationSetRequest) WithSaml2SnowflakeIssuerUrl(Saml2SnowflakeIssuerUrl string) *Saml2IntegrationSetRequest { + s.Saml2SnowflakeIssuerUrl = &Saml2SnowflakeIssuerUrl return s } -func (s *Saml2IntegrationSetRequest) WithSaml2SnowflakeAcsUrl(Saml2SnowflakeAcsUrl *string) *Saml2IntegrationSetRequest { - s.Saml2SnowflakeAcsUrl = Saml2SnowflakeAcsUrl +func (s *Saml2IntegrationSetRequest) WithSaml2SnowflakeAcsUrl(Saml2SnowflakeAcsUrl string) *Saml2IntegrationSetRequest { + s.Saml2SnowflakeAcsUrl = &Saml2SnowflakeAcsUrl return s } -func (s *Saml2IntegrationSetRequest) WithComment(Comment *string) *Saml2IntegrationSetRequest { - s.Comment = Comment +func (s *Saml2IntegrationSetRequest) WithComment(Comment string) *Saml2IntegrationSetRequest { + s.Comment = &Comment return s } 
@@ -262,23 +634,23 @@ func NewSaml2IntegrationUnsetRequest() *Saml2IntegrationUnsetRequest { return &Saml2IntegrationUnsetRequest{} } -func (s *Saml2IntegrationUnsetRequest) WithSaml2ForceAuthn(Saml2ForceAuthn *bool) *Saml2IntegrationUnsetRequest { - s.Saml2ForceAuthn = Saml2ForceAuthn +func (s *Saml2IntegrationUnsetRequest) WithSaml2ForceAuthn(Saml2ForceAuthn bool) *Saml2IntegrationUnsetRequest { + s.Saml2ForceAuthn = &Saml2ForceAuthn return s } -func (s *Saml2IntegrationUnsetRequest) WithSaml2RequestedNameidFormat(Saml2RequestedNameidFormat *bool) *Saml2IntegrationUnsetRequest { - s.Saml2RequestedNameidFormat = Saml2RequestedNameidFormat +func (s *Saml2IntegrationUnsetRequest) WithSaml2RequestedNameidFormat(Saml2RequestedNameidFormat bool) *Saml2IntegrationUnsetRequest { + s.Saml2RequestedNameidFormat = &Saml2RequestedNameidFormat return s } -func (s *Saml2IntegrationUnsetRequest) WithSaml2PostLogoutRedirectUrl(Saml2PostLogoutRedirectUrl *bool) *Saml2IntegrationUnsetRequest { - s.Saml2PostLogoutRedirectUrl = Saml2PostLogoutRedirectUrl +func (s *Saml2IntegrationUnsetRequest) WithSaml2PostLogoutRedirectUrl(Saml2PostLogoutRedirectUrl bool) *Saml2IntegrationUnsetRequest { + s.Saml2PostLogoutRedirectUrl = &Saml2PostLogoutRedirectUrl return s } -func (s *Saml2IntegrationUnsetRequest) WithComment(Comment *bool) *Saml2IntegrationUnsetRequest { - s.Comment = Comment +func (s *Saml2IntegrationUnsetRequest) WithComment(Comment bool) *Saml2IntegrationUnsetRequest { + s.Comment = &Comment return s } @@ -290,8 +662,8 @@ func NewAlterScimSecurityIntegrationRequest( return &s } -func (s *AlterScimSecurityIntegrationRequest) WithIfExists(IfExists *bool) *AlterScimSecurityIntegrationRequest { - s.IfExists = IfExists +func (s *AlterScimSecurityIntegrationRequest) WithIfExists(IfExists bool) *AlterScimSecurityIntegrationRequest { + s.IfExists = &IfExists return s } 
@@ -305,13 +677,13 @@ func (s *AlterScimSecurityIntegrationRequest) WithUnsetTags(UnsetTags []ObjectId return s } -func (s *AlterScimSecurityIntegrationRequest) WithSet(Set *ScimIntegrationSetRequest) *AlterScimSecurityIntegrationRequest { - s.Set = Set +func (s *AlterScimSecurityIntegrationRequest) WithSet(Set ScimIntegrationSetRequest) *AlterScimSecurityIntegrationRequest { + s.Set = &Set return s } -func (s *AlterScimSecurityIntegrationRequest) WithUnset(Unset *ScimIntegrationUnsetRequest) *AlterScimSecurityIntegrationRequest { - s.Unset = Unset +func (s *AlterScimSecurityIntegrationRequest) WithUnset(Unset ScimIntegrationUnsetRequest) *AlterScimSecurityIntegrationRequest { + s.Unset = &Unset return s } @@ -319,23 +691,23 @@ func NewScimIntegrationSetRequest() *ScimIntegrationSetRequest { return &ScimIntegrationSetRequest{} } -func (s *ScimIntegrationSetRequest) WithEnabled(Enabled *bool) *ScimIntegrationSetRequest { - s.Enabled = Enabled +func (s *ScimIntegrationSetRequest) WithEnabled(Enabled bool) *ScimIntegrationSetRequest { + s.Enabled = &Enabled return s } -func (s *ScimIntegrationSetRequest) WithNetworkPolicy(NetworkPolicy *AccountObjectIdentifier) *ScimIntegrationSetRequest { - s.NetworkPolicy = NetworkPolicy +func (s *ScimIntegrationSetRequest) WithNetworkPolicy(NetworkPolicy AccountObjectIdentifier) *ScimIntegrationSetRequest { + s.NetworkPolicy = &NetworkPolicy return s } -func (s *ScimIntegrationSetRequest) WithSyncPassword(SyncPassword *bool) *ScimIntegrationSetRequest { - s.SyncPassword = SyncPassword +func (s *ScimIntegrationSetRequest) WithSyncPassword(SyncPassword bool) *ScimIntegrationSetRequest { + s.SyncPassword = &SyncPassword return s } -func (s *ScimIntegrationSetRequest) WithComment(Comment *string) *ScimIntegrationSetRequest { - s.Comment = Comment +func (s *ScimIntegrationSetRequest) WithComment(Comment string) *ScimIntegrationSetRequest { + s.Comment = &Comment return s } 
@@ -343,23 +715,23 @@ func NewScimIntegrationUnsetRequest() *ScimIntegrationUnsetRequest { return &ScimIntegrationUnsetRequest{} } -func (s *ScimIntegrationUnsetRequest) WithEnabled(Enabled *bool) *ScimIntegrationUnsetRequest { - s.Enabled = Enabled +func (s *ScimIntegrationUnsetRequest) WithEnabled(Enabled bool) *ScimIntegrationUnsetRequest { + s.Enabled = &Enabled return s } -func (s *ScimIntegrationUnsetRequest) WithNetworkPolicy(NetworkPolicy *bool) *ScimIntegrationUnsetRequest { - s.NetworkPolicy = NetworkPolicy +func (s *ScimIntegrationUnsetRequest) WithNetworkPolicy(NetworkPolicy bool) *ScimIntegrationUnsetRequest { + s.NetworkPolicy = &NetworkPolicy return s } -func (s *ScimIntegrationUnsetRequest) WithSyncPassword(SyncPassword *bool) *ScimIntegrationUnsetRequest { - s.SyncPassword = SyncPassword +func (s *ScimIntegrationUnsetRequest) WithSyncPassword(SyncPassword bool) *ScimIntegrationUnsetRequest { + s.SyncPassword = &SyncPassword return s } -func (s *ScimIntegrationUnsetRequest) WithComment(Comment *bool) *ScimIntegrationUnsetRequest { - s.Comment = Comment +func (s *ScimIntegrationUnsetRequest) WithComment(Comment bool) *ScimIntegrationUnsetRequest { + s.Comment = &Comment return s } @@ -371,8 +743,8 @@ func NewDropSecurityIntegrationRequest( return &s } -func (s *DropSecurityIntegrationRequest) WithIfExists(IfExists *bool) *DropSecurityIntegrationRequest { - s.IfExists = IfExists +func (s *DropSecurityIntegrationRequest) WithIfExists(IfExists bool) *DropSecurityIntegrationRequest { + s.IfExists = &IfExists return s } @@ -388,7 +760,7 @@ func NewShowSecurityIntegrationRequest() *ShowSecurityIntegrationRequest { return &ShowSecurityIntegrationRequest{} } -func (s *ShowSecurityIntegrationRequest) WithLike(Like *Like) *ShowSecurityIntegrationRequest { - s.Like = Like +func (s *ShowSecurityIntegrationRequest) WithLike(Like Like) *ShowSecurityIntegrationRequest { + s.Like = &Like return s } 
diff --git a/pkg/sdk/security_integrations_dto_gen.go b/pkg/sdk/security_integrations_dto_gen.go
index 41019279fc..7d119a3c10 100644
--- a/pkg/sdk/security_integrations_dto_gen.go
+++ b/pkg/sdk/security_integrations_dto_gen.go
@@ -3,15 +3,69 @@ package sdk //go:generate go run ./dto-builder-generator/main.go var ( - _ optionsProvider[CreateSaml2SecurityIntegrationOptions] = new(CreateSaml2SecurityIntegrationRequest) - _ optionsProvider[CreateScimSecurityIntegrationOptions] = new(CreateScimSecurityIntegrationRequest) - _ optionsProvider[AlterSaml2SecurityIntegrationOptions] = new(AlterSaml2SecurityIntegrationRequest) - _ optionsProvider[AlterScimSecurityIntegrationOptions] = new(AlterScimSecurityIntegrationRequest) - _ optionsProvider[DropSecurityIntegrationOptions] = new(DropSecurityIntegrationRequest) - _ optionsProvider[DescribeSecurityIntegrationOptions] = new(DescribeSecurityIntegrationRequest) - _ optionsProvider[ShowSecurityIntegrationOptions] = new(ShowSecurityIntegrationRequest) + _ optionsProvider[CreateOauthForPartnerApplicationsSecurityIntegrationOptions] = new(CreateOauthForPartnerApplicationsSecurityIntegrationRequest) + _ optionsProvider[CreateOauthForCustomClientsSecurityIntegrationOptions] = new(CreateOauthForCustomClientsSecurityIntegrationRequest) + _ optionsProvider[CreateSaml2SecurityIntegrationOptions] = new(CreateSaml2SecurityIntegrationRequest) + _ optionsProvider[CreateScimSecurityIntegrationOptions] = new(CreateScimSecurityIntegrationRequest) + _ optionsProvider[AlterOauthForPartnerApplicationsSecurityIntegrationOptions] = new(AlterOauthForPartnerApplicationsSecurityIntegrationRequest) + _ optionsProvider[AlterOauthForCustomClientsSecurityIntegrationOptions] = new(AlterOauthForCustomClientsSecurityIntegrationRequest) + _ optionsProvider[AlterSaml2SecurityIntegrationOptions] = new(AlterSaml2SecurityIntegrationRequest) + _ optionsProvider[AlterScimSecurityIntegrationOptions] = new(AlterScimSecurityIntegrationRequest) + _ optionsProvider[DropSecurityIntegrationOptions] = new(DropSecurityIntegrationRequest) + _ optionsProvider[DescribeSecurityIntegrationOptions] = new(DescribeSecurityIntegrationRequest) + _ optionsProvider[ShowSecurityIntegrationOptions] = 
new(ShowSecurityIntegrationRequest) ) +type CreateOauthForPartnerApplicationsSecurityIntegrationRequest struct { + OrReplace *bool + IfNotExists *bool + name AccountObjectIdentifier // required + OauthClient OauthSecurityIntegrationClientOption // required + OauthRedirectUri *string + Enabled *bool + OauthIssueRefreshTokens *bool + OauthRefreshTokenValidity *int + OauthUseSecondaryRoles *OauthSecurityIntegrationUseSecondaryRolesOption + BlockedRolesList *BlockedRolesListRequest + Comment *string +} + +func (r *CreateOauthForPartnerApplicationsSecurityIntegrationRequest) GetName() AccountObjectIdentifier { + return r.name +} + +type BlockedRolesListRequest struct { + BlockedRolesList []AccountObjectIdentifier +} + +type CreateOauthForCustomClientsSecurityIntegrationRequest struct { + OrReplace *bool + IfNotExists *bool + name AccountObjectIdentifier // required + OauthClientType OauthSecurityIntegrationClientTypeOption // required + OauthRedirectUri string // required + Enabled *bool + OauthAllowNonTlsRedirectUri *bool + OauthEnforcePkce *bool + OauthUseSecondaryRoles *OauthSecurityIntegrationUseSecondaryRolesOption + PreAuthorizedRolesList *PreAuthorizedRolesListRequest + BlockedRolesList *BlockedRolesListRequest + OauthIssueRefreshTokens *bool + OauthRefreshTokenValidity *int + NetworkPolicy *AccountObjectIdentifier + OauthClientRsaPublicKey *string + OauthClientRsaPublicKey2 *string + Comment *string +} + +func (r *CreateOauthForCustomClientsSecurityIntegrationRequest) GetName() AccountObjectIdentifier { + return r.name +} + +type PreAuthorizedRolesListRequest struct { + PreAuthorizedRolesList []AccountObjectIdentifier +} + type CreateSaml2SecurityIntegrationRequest struct { OrReplace *bool IfNotExists *bool 
@@ -55,6 +109,63 @@ func (r *CreateScimSecurityIntegrationRequest) GetName() AccountObjectIdentifier return r.name } +type AlterOauthForPartnerApplicationsSecurityIntegrationRequest struct { + IfExists *bool + name AccountObjectIdentifier // required + SetTags []TagAssociation + UnsetTags []ObjectIdentifier + Set *OauthForPartnerApplicationsIntegrationSetRequest + Unset *OauthForPartnerApplicationsIntegrationUnsetRequest +} + +type OauthForPartnerApplicationsIntegrationSetRequest struct { + Enabled *bool + OauthIssueRefreshTokens *bool + OauthRedirectUri *string + OauthRefreshTokenValidity *int + OauthUseSecondaryRoles *OauthSecurityIntegrationUseSecondaryRolesOption + BlockedRolesList *BlockedRolesListRequest + Comment *string +} + +type OauthForPartnerApplicationsIntegrationUnsetRequest struct { + Enabled *bool + OauthUseSecondaryRoles *bool +} + +type AlterOauthForCustomClientsSecurityIntegrationRequest struct { + IfExists *bool + name AccountObjectIdentifier // required + SetTags []TagAssociation + UnsetTags []ObjectIdentifier + Set *OauthForCustomClientsIntegrationSetRequest + Unset *OauthForCustomClientsIntegrationUnsetRequest +} + +type OauthForCustomClientsIntegrationSetRequest struct { + Enabled *bool + OauthRedirectUri *string + OauthAllowNonTlsRedirectUri *bool + OauthEnforcePkce *bool + PreAuthorizedRolesList *PreAuthorizedRolesListRequest + BlockedRolesList *BlockedRolesListRequest + OauthIssueRefreshTokens *bool + OauthRefreshTokenValidity *int + OauthUseSecondaryRoles *OauthSecurityIntegrationUseSecondaryRolesOption + NetworkPolicy *AccountObjectIdentifier + OauthClientRsaPublicKey *string + OauthClientRsaPublicKey2 *string + Comment *string +} + +type OauthForCustomClientsIntegrationUnsetRequest struct { + Enabled *bool + NetworkPolicy *bool + OauthUseSecondaryRoles *bool + OauthClientRsaPublicKey *bool + OauthClientRsaPublicKey2 *bool +} + type AlterSaml2SecurityIntegrationRequest struct { IfExists *bool name AccountObjectIdentifier // required 
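Review bot: Neither `OauthForPartnerApplicationsIntegrationUnsetRequest` nor `OauthForCustomClientsIntegrationUnsetRequest` exposes a `Comment *bool` field, whereas the existing `Saml2IntegrationUnsetRequest` and `ScimIntegrationUnsetRequest` builders touched by this commit keep `WithComment(Comment bool)`; if the ALTER SECURITY INTEGRATION ... UNSET grammar for Snowflake OAuth integrations accepts COMMENT, callers of the two new types have no way to clear a comment. Adding `Comment *bool` to both unset structs and regenerating through the file's `//go:generate` directive would restore parity with the SAML2 and SCIM request types. The `*bool` fields on the two unset structs also carry no documentation; a one-line comment on each struct such as `// Fields are presence flags: a non-nil value emits that parameter name in the UNSET clause.` would make the convention explicit, assuming that is how the ddl builder consumes them (the builder is outside this hunk).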
diff --git a/pkg/sdk/security_integrations_gen.go b/pkg/sdk/security_integrations_gen.go
index 6c32053016..0bbc0017d8 100644
--- a/pkg/sdk/security_integrations_gen.go
+++ b/pkg/sdk/security_integrations_gen.go
@@ -7,8 +7,12 @@ import ( ) type SecurityIntegrations interface { + CreateOauthForPartnerApplications(ctx context.Context, request *CreateOauthForPartnerApplicationsSecurityIntegrationRequest) error + CreateOauthForCustomClients(ctx context.Context, request *CreateOauthForCustomClientsSecurityIntegrationRequest) error CreateSaml2(ctx context.Context, request *CreateSaml2SecurityIntegrationRequest) error CreateScim(ctx context.Context, request *CreateScimSecurityIntegrationRequest) error + AlterOauthForPartnerApplications(ctx context.Context, request *AlterOauthForPartnerApplicationsSecurityIntegrationRequest) error + AlterOauthForCustomClients(ctx context.Context, request *AlterOauthForCustomClientsSecurityIntegrationRequest) error AlterSaml2(ctx context.Context, request *AlterSaml2SecurityIntegrationRequest) error AlterScim(ctx context.Context, request *AlterScimSecurityIntegrationRequest) error Drop(ctx context.Context, request *DropSecurityIntegrationRequest) error 
@@ -17,6 +21,57 @@ type SecurityIntegrations interface { ShowByID(ctx context.Context, id AccountObjectIdentifier) (*SecurityIntegration, error) } +// CreateOauthForPartnerApplicationsSecurityIntegrationOptions is based on https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-oauth-snowflake. +type CreateOauthForPartnerApplicationsSecurityIntegrationOptions struct { + create bool `ddl:"static" sql:"CREATE"` + OrReplace *bool `ddl:"keyword" sql:"OR REPLACE"` + securityIntegration bool `ddl:"static" sql:"SECURITY INTEGRATION"` + IfNotExists *bool `ddl:"keyword" sql:"IF NOT EXISTS"` + name AccountObjectIdentifier `ddl:"identifier"` + integrationType string `ddl:"static" sql:"TYPE = OAUTH"` + OauthClient OauthSecurityIntegrationClientOption `ddl:"parameter" sql:"OAUTH_CLIENT"` + OauthRedirectUri *string `ddl:"parameter,single_quotes" sql:"OAUTH_REDIRECT_URI"` + Enabled *bool `ddl:"parameter" sql:"ENABLED"` + OauthIssueRefreshTokens *bool `ddl:"parameter" sql:"OAUTH_ISSUE_REFRESH_TOKENS"` + OauthRefreshTokenValidity *int `ddl:"parameter" sql:"OAUTH_REFRESH_TOKEN_VALIDITY"` + OauthUseSecondaryRoles *OauthSecurityIntegrationUseSecondaryRolesOption `ddl:"parameter" sql:"OAUTH_USE_SECONDARY_ROLES"` + BlockedRolesList *BlockedRolesList `ddl:"parameter,parentheses" sql:"BLOCKED_ROLES_LIST"` + Comment *string `ddl:"parameter,single_quotes" sql:"COMMENT"` +} + +type PreAuthorizedRolesList struct { + PreAuthorizedRolesList []AccountObjectIdentifier `ddl:"list,must_parentheses"` +} + +type BlockedRolesList struct { + BlockedRolesList []AccountObjectIdentifier `ddl:"list,must_parentheses"` +} + +// CreateOauthForCustomClientsSecurityIntegrationOptions is based on https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-oauth-snowflake. 
+type CreateOauthForCustomClientsSecurityIntegrationOptions struct { + create bool `ddl:"static" sql:"CREATE"` + OrReplace *bool `ddl:"keyword" sql:"OR REPLACE"` + securityIntegration bool `ddl:"static" sql:"SECURITY INTEGRATION"` + IfNotExists *bool `ddl:"keyword" sql:"IF NOT EXISTS"` + name AccountObjectIdentifier `ddl:"identifier"` + integrationType string `ddl:"static" sql:"TYPE = OAUTH"` + oauthClient string `ddl:"static" sql:"OAUTH_CLIENT = CUSTOM"` + OauthClientType OauthSecurityIntegrationClientTypeOption `ddl:"parameter,single_quotes" sql:"OAUTH_CLIENT_TYPE"` + OauthRedirectUri string `ddl:"parameter,single_quotes" sql:"OAUTH_REDIRECT_URI"` + Enabled *bool `ddl:"parameter" sql:"ENABLED"` + OauthAllowNonTlsRedirectUri *bool `ddl:"parameter" sql:"OAUTH_ALLOW_NON_TLS_REDIRECT_URI"` + OauthEnforcePkce *bool `ddl:"parameter" sql:"OAUTH_ENFORCE_PKCE"` + OauthUseSecondaryRoles *OauthSecurityIntegrationUseSecondaryRolesOption `ddl:"parameter" sql:"OAUTH_USE_SECONDARY_ROLES"` + PreAuthorizedRolesList *PreAuthorizedRolesList `ddl:"parameter,parentheses" sql:"PRE_AUTHORIZED_ROLES_LIST"` + BlockedRolesList *BlockedRolesList `ddl:"parameter,parentheses" sql:"BLOCKED_ROLES_LIST"` + OauthIssueRefreshTokens *bool `ddl:"parameter" sql:"OAUTH_ISSUE_REFRESH_TOKENS"` + OauthRefreshTokenValidity *int `ddl:"parameter" sql:"OAUTH_REFRESH_TOKEN_VALIDITY"` + NetworkPolicy *AccountObjectIdentifier `ddl:"identifier,equals" sql:"NETWORK_POLICY"` + OauthClientRsaPublicKey *string `ddl:"parameter,single_quotes" sql:"OAUTH_CLIENT_RSA_PUBLIC_KEY"` + OauthClientRsaPublicKey2 *string `ddl:"parameter,single_quotes" sql:"OAUTH_CLIENT_RSA_PUBLIC_KEY_2"` + Comment *string `ddl:"parameter,single_quotes" sql:"COMMENT"` +} + // CreateSaml2SecurityIntegrationOptions is based on https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-saml2. type CreateSaml2SecurityIntegrationOptions struct { create bool `ddl:"static" sql:"CREATE"` 
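Review bot: `OauthAllowNonTlsRedirectUri` and `OauthEnforcePkce` in `CreateOauthForCustomClientsSecurityIntegrationOptions` are the two fields that loosen or tighten the redirect-URI and authorization-code handling of the integration, yet neither has a field comment; the only documentation in the hunk is the struct-level doc link. A caller reading the SDK should see the trade-off, e.g. `// OauthAllowNonTlsRedirectUri permits a non-https OAUTH_REDIRECT_URI; leave unset so only TLS redirect URIs are accepted.` and `// OauthEnforcePkce presumably requires a PKCE verifier on the authorization-code exchange — confirm against the linked Snowflake docs.`. The same two fields reappear without comments in `OauthForCustomClientsIntegrationSet` in the alter hunk below, so one comment style should be applied in both places.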
@@ -68,6 +123,69 @@ type CreateScimSecurityIntegrationOptions struct { Comment *string `ddl:"parameter,single_quotes" sql:"COMMENT"` } +// AlterOauthForPartnerApplicationsSecurityIntegrationOptions is based on https://docs.snowflake.com/en/sql-reference/sql/alter-security-integration-oauth-snowflake. +type AlterOauthForPartnerApplicationsSecurityIntegrationOptions struct { + alter bool `ddl:"static" sql:"ALTER"` + securityIntegration bool `ddl:"static" sql:"SECURITY INTEGRATION"` + IfExists *bool `ddl:"keyword" sql:"IF EXISTS"` + name AccountObjectIdentifier `ddl:"identifier"` + SetTags []TagAssociation `ddl:"keyword" sql:"SET TAG"` + UnsetTags []ObjectIdentifier `ddl:"keyword" sql:"UNSET TAG"` + Set *OauthForPartnerApplicationsIntegrationSet `ddl:"list,no_parentheses" sql:"SET"` + Unset *OauthForPartnerApplicationsIntegrationUnset `ddl:"list,no_parentheses" sql:"UNSET"` +} + +type OauthForPartnerApplicationsIntegrationSet struct { + Enabled *bool `ddl:"parameter" sql:"ENABLED"` + OauthIssueRefreshTokens *bool `ddl:"parameter" sql:"OAUTH_ISSUE_REFRESH_TOKENS"` + OauthRedirectUri *string `ddl:"parameter,single_quotes" sql:"OAUTH_REDIRECT_URI"` + OauthRefreshTokenValidity *int `ddl:"parameter" sql:"OAUTH_REFRESH_TOKEN_VALIDITY"` + OauthUseSecondaryRoles *OauthSecurityIntegrationUseSecondaryRolesOption `ddl:"parameter" sql:"OAUTH_USE_SECONDARY_ROLES"` + BlockedRolesList *BlockedRolesList `ddl:"parameter,parentheses" sql:"BLOCKED_ROLES_LIST"` + Comment *string `ddl:"parameter,single_quotes" sql:"COMMENT"` +} + +type OauthForPartnerApplicationsIntegrationUnset struct { + Enabled *bool `ddl:"keyword" sql:"ENABLED"` + OauthUseSecondaryRoles *bool `ddl:"keyword" sql:"OAUTH_USE_SECONDARY_ROLES"` +} + +// AlterOauthForCustomClientsSecurityIntegrationOptions is based on https://docs.snowflake.com/en/sql-reference/sql/alter-security-integration-oauth-snowflake. 
+type AlterOauthForCustomClientsSecurityIntegrationOptions struct { + alter bool `ddl:"static" sql:"ALTER"` + securityIntegration bool `ddl:"static" sql:"SECURITY INTEGRATION"` + IfExists *bool `ddl:"keyword" sql:"IF EXISTS"` + name AccountObjectIdentifier `ddl:"identifier"` + SetTags []TagAssociation `ddl:"keyword" sql:"SET TAG"` + UnsetTags []ObjectIdentifier `ddl:"keyword" sql:"UNSET TAG"` + Set *OauthForCustomClientsIntegrationSet `ddl:"list,no_parentheses" sql:"SET"` + Unset *OauthForCustomClientsIntegrationUnset `ddl:"list,no_parentheses" sql:"UNSET"` +} + +type OauthForCustomClientsIntegrationSet struct { + Enabled *bool `ddl:"parameter" sql:"ENABLED"` + OauthRedirectUri *string `ddl:"parameter,single_quotes" sql:"OAUTH_REDIRECT_URI"` + OauthAllowNonTlsRedirectUri *bool `ddl:"parameter" sql:"OAUTH_ALLOW_NON_TLS_REDIRECT_URI"` + OauthEnforcePkce *bool `ddl:"parameter" sql:"OAUTH_ENFORCE_PKCE"` + PreAuthorizedRolesList *PreAuthorizedRolesList `ddl:"parameter,parentheses" sql:"PRE_AUTHORIZED_ROLES_LIST"` + BlockedRolesList *BlockedRolesList `ddl:"parameter,parentheses" sql:"BLOCKED_ROLES_LIST"` + OauthIssueRefreshTokens *bool `ddl:"parameter" sql:"OAUTH_ISSUE_REFRESH_TOKENS"` + OauthRefreshTokenValidity *int `ddl:"parameter" sql:"OAUTH_REFRESH_TOKEN_VALIDITY"` + OauthUseSecondaryRoles *OauthSecurityIntegrationUseSecondaryRolesOption `ddl:"parameter" sql:"OAUTH_USE_SECONDARY_ROLES"` + NetworkPolicy *AccountObjectIdentifier `ddl:"identifier,equals" sql:"NETWORK_POLICY"` + OauthClientRsaPublicKey *string `ddl:"parameter,single_quotes" sql:"OAUTH_CLIENT_RSA_PUBLIC_KEY"` + OauthClientRsaPublicKey2 *string `ddl:"parameter,single_quotes" sql:"OAUTH_CLIENT_RSA_PUBLIC_KEY_2"` + Comment *string `ddl:"parameter,single_quotes" sql:"COMMENT"` +} + +type OauthForCustomClientsIntegrationUnset struct { + Enabled *bool `ddl:"keyword" sql:"ENABLED"` + NetworkPolicy *bool `ddl:"keyword" sql:"NETWORK_POLICY"` + OauthClientRsaPublicKey *bool `ddl:"keyword" 
sql:"OAUTH_CLIENT_RSA_PUBLIC_KEY"` + OauthClientRsaPublicKey2 *bool `ddl:"keyword" sql:"OAUTH_CLIENT_RSA_PUBLIC_KEY_2"` + OauthUseSecondaryRoles *bool `ddl:"keyword" sql:"OAUTH_USE_SECONDARY_ROLES"` +} + // AlterSaml2SecurityIntegrationOptions is based on https://docs.snowflake.com/en/sql-reference/sql/alter-security-integration-saml2. type AlterSaml2SecurityIntegrationOptions struct { alter bool `ddl:"static" sql:"ALTER"` diff --git a/pkg/sdk/security_integrations_gen_test.go b/pkg/sdk/security_integrations_gen_test.go index 6f0d835cef..d22e3c5234 100644 --- a/pkg/sdk/security_integrations_gen_test.go +++ b/pkg/sdk/security_integrations_gen_test.go 
@@ -4,6 +4,115 @@ import ( "testing" ) +func TestSecurityIntegrations_CreateOauthCustom(t *testing.T) { + id := randomAccountObjectIdentifier() + + // Minimal valid CreateOauthForCustomClientsSecurityIntegrationOptions + defaultOpts := func() *CreateOauthForCustomClientsSecurityIntegrationOptions { + return &CreateOauthForCustomClientsSecurityIntegrationOptions{ + name: id, + OauthClientType: OauthSecurityIntegrationClientTypePublic, + OauthRedirectUri: "uri", + } + } + + t.Run("validation: nil options", func(t *testing.T) { + var opts *CreateOauthForCustomClientsSecurityIntegrationOptions = nil + assertOptsInvalidJoinedErrors(t, opts, ErrNilOptions) + }) + + t.Run("validation: conflicting fields for [opts.OrReplace opts.IfNotExists]", func(t *testing.T) { + opts := defaultOpts() + opts.OrReplace = Bool(true) + opts.IfNotExists = Bool(true) + assertOptsInvalidJoinedErrors(t, opts, errOneOf("CreateOauthForCustomClientsSecurityIntegrationOptions", "OrReplace", "IfNotExists")) + }) + + t.Run("basic", func(t *testing.T) { + opts := defaultOpts() + opts.OrReplace = Bool(true) + assertOptsValidAndSQLEquals(t, opts, "CREATE OR REPLACE SECURITY INTEGRATION %s TYPE = OAUTH OAUTH_CLIENT = CUSTOM OAUTH_CLIENT_TYPE = 'PUBLIC' OAUTH_REDIRECT_URI = 'uri'", id.FullyQualifiedName()) + }) + + t.Run("all options", func(t *testing.T) { + opts := defaultOpts() + roleID, role2ID, npID := randomAccountObjectIdentifier(), randomAccountObjectIdentifier(), randomAccountObjectIdentifier() + opts.IfNotExists = Bool(true) + opts.OauthClientType = OauthSecurityIntegrationClientTypePublic + opts.OauthRedirectUri = "uri" + opts.Enabled = Pointer(true) + opts.OauthAllowNonTlsRedirectUri = Pointer(true) + opts.OauthEnforcePkce = Pointer(true) + opts.OauthUseSecondaryRoles = Pointer(OauthSecurityIntegrationUseSecondaryRolesNone) + opts.PreAuthorizedRolesList = &PreAuthorizedRolesList{PreAuthorizedRolesList: []AccountObjectIdentifier{roleID}} + opts.BlockedRolesList = 
&BlockedRolesList{BlockedRolesList: []AccountObjectIdentifier{role2ID}} + opts.OauthIssueRefreshTokens = Pointer(true) + opts.OauthRefreshTokenValidity = Pointer(42) + opts.NetworkPolicy = Pointer(npID) + opts.OauthClientRsaPublicKey = Pointer("key") + opts.OauthClientRsaPublicKey2 = Pointer("key2") + opts.Comment = Pointer("a") + assertOptsValidAndSQLEquals(t, opts, "CREATE SECURITY INTEGRATION IF NOT EXISTS %s TYPE = OAUTH OAUTH_CLIENT = CUSTOM OAUTH_CLIENT_TYPE = 'PUBLIC' OAUTH_REDIRECT_URI = 'uri' ENABLED = true"+ + " OAUTH_ALLOW_NON_TLS_REDIRECT_URI = true OAUTH_ENFORCE_PKCE = true OAUTH_USE_SECONDARY_ROLES = NONE PRE_AUTHORIZED_ROLES_LIST = (%s) BLOCKED_ROLES_LIST = (%s)"+ + " OAUTH_ISSUE_REFRESH_TOKENS = true OAUTH_REFRESH_TOKEN_VALIDITY = 42 NETWORK_POLICY = %s OAUTH_CLIENT_RSA_PUBLIC_KEY = 'key' OAUTH_CLIENT_RSA_PUBLIC_KEY_2 = 'key2' COMMENT = 'a'", + id.FullyQualifiedName(), roleID.FullyQualifiedName(), role2ID.FullyQualifiedName(), npID.FullyQualifiedName()) + }) +} + +func TestSecurityIntegrations_CreateOauthPartner(t *testing.T) { + id := randomAccountObjectIdentifier() + + // Minimal valid CreateOauthForPartnerApplicationsSecurityIntegrationOptions + defaultOpts := func() *CreateOauthForPartnerApplicationsSecurityIntegrationOptions { + return &CreateOauthForPartnerApplicationsSecurityIntegrationOptions{ + name: id, + OauthClient: OauthSecurityIntegrationClientTableauDesktop, + } + } + + t.Run("validation: nil options", func(t *testing.T) { + var opts *CreateOauthForPartnerApplicationsSecurityIntegrationOptions = nil + assertOptsInvalidJoinedErrors(t, opts, ErrNilOptions) + }) + + t.Run("validation: conflicting fields for [opts.OrReplace opts.IfNotExists]", func(t *testing.T) { + opts := defaultOpts() + opts.OrReplace = Bool(true) + opts.IfNotExists = Bool(true) + assertOptsInvalidJoinedErrors(t, opts, errOneOf("CreateOauthForPartnerApplicationsSecurityIntegrationOptions", "OrReplace", "IfNotExists")) + }) + + t.Run("validation: OAUTH_REDIRECT_URI is 
required when OAUTH_CLIENT=LOOKER", func(t *testing.T) { + opts := &CreateOauthForPartnerApplicationsSecurityIntegrationOptions{ + name: id, + OauthClient: OauthSecurityIntegrationClientLooker, + } + assertOptsInvalidJoinedErrors(t, opts, NewError("OauthRedirectUri is required when OauthClient is LOOKER")) + }) + + t.Run("basic", func(t *testing.T) { + opts := defaultOpts() + opts.OrReplace = Bool(true) + assertOptsValidAndSQLEquals(t, opts, "CREATE OR REPLACE SECURITY INTEGRATION %s TYPE = OAUTH OAUTH_CLIENT = TABLEAU_DESKTOP", id.FullyQualifiedName()) + }) + + t.Run("all options", func(t *testing.T) { + opts := defaultOpts() + blockedRoleID := randomAccountObjectIdentifier() + opts.IfNotExists = Bool(true) + opts.OauthClient = OauthSecurityIntegrationClientLooker + opts.OauthRedirectUri = Pointer("uri") + opts.Enabled = Pointer(true) + opts.OauthIssueRefreshTokens = Pointer(true) + opts.OauthRefreshTokenValidity = Pointer(42) + opts.OauthUseSecondaryRoles = Pointer(OauthSecurityIntegrationUseSecondaryRolesNone) + opts.BlockedRolesList = &BlockedRolesList{BlockedRolesList: []AccountObjectIdentifier{blockedRoleID}} + opts.Comment = Pointer("a") + assertOptsValidAndSQLEquals(t, opts, "CREATE SECURITY INTEGRATION IF NOT EXISTS %s TYPE = OAUTH OAUTH_CLIENT = LOOKER OAUTH_REDIRECT_URI = 'uri' ENABLED = true OAUTH_ISSUE_REFRESH_TOKENS = true"+ + " OAUTH_REFRESH_TOKEN_VALIDITY = 42 OAUTH_USE_SECONDARY_ROLES = NONE BLOCKED_ROLES_LIST = (%s) COMMENT = 'a'", id.FullyQualifiedName(), blockedRoleID.FullyQualifiedName()) + }) +} + func TestSecurityIntegrations_CreateSaml2(t *testing.T) { id := randomAccountObjectIdentifier() 
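Review bot: Neither `TestSecurityIntegrations_CreateOauthCustom` nor `TestSecurityIntegrations_CreateOauthPartner` has a `validation: valid identifier for [opts.name]` subtest, although the matching alter tests later in this file do and the new `validate()` methods in security_integrations_validations_gen.go append `ErrInvalidObjectIdentifier` for an empty name. Without it the identifier check on both create paths is untested. Add the subtest below to each of the two create tests, next to the existing `validation: nil options` case.

```go
	t.Run("validation: valid identifier for [opts.name]", func(t *testing.T) {
		opts := defaultOpts()
		opts.name = NewAccountObjectIdentifier("")
		assertOptsInvalidJoinedErrors(t, opts, ErrInvalidObjectIdentifier)
	})
	// … unchanged: remaining subtests …
```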
@@ -103,6 +212,234 @@ func TestSecurityIntegrations_CreateScim(t *testing.T) { }) } +func TestSecurityIntegrations_AlterOauthPartner(t *testing.T) { + id := randomAccountObjectIdentifier() + + // Minimal valid AlterOauthForPartnerApplicationsSecurityIntegrationOptions + defaultOpts := func() *AlterOauthForPartnerApplicationsSecurityIntegrationOptions { + return &AlterOauthForPartnerApplicationsSecurityIntegrationOptions{ + name: id, + } + } + + t.Run("validation: nil options", func(t *testing.T) { + var opts *AlterOauthForPartnerApplicationsSecurityIntegrationOptions = nil + assertOptsInvalidJoinedErrors(t, opts, ErrNilOptions) + }) + + t.Run("validation: valid identifier for [opts.name]", func(t *testing.T) { + opts := defaultOpts() + opts.Set = &OauthForPartnerApplicationsIntegrationSet{ + Enabled: Pointer(true), + } + opts.name = NewAccountObjectIdentifier("") + assertOptsInvalidJoinedErrors(t, opts, ErrInvalidObjectIdentifier) + }) + + t.Run("validation: exactly of the fields [opts.*] should be set", func(t *testing.T) { + opts := defaultOpts() + assertOptsInvalidJoinedErrors(t, opts, errExactlyOneOf("AlterOauthForPartnerApplicationsSecurityIntegrationOptions", "Set", "Unset", "SetTags", "UnsetTags")) + }) + + t.Run("validation: at least one of the fields [opts.Set.*] should be set", func(t *testing.T) { + opts := defaultOpts() + opts.Set = &OauthForPartnerApplicationsIntegrationSet{} + assertOptsInvalidJoinedErrors(t, opts, errAtLeastOneOf("AlterOauthForPartnerApplicationsSecurityIntegrationOptions.Set", "Enabled", "OauthIssueRefreshTokens", + "OauthRedirectUri", "OauthRefreshTokenValidity", "OauthUseSecondaryRoles", "BlockedRolesList", "Comment")) + }) + + t.Run("validation: at least one of the fields [opts.Unset.*] should be set", func(t *testing.T) { + opts := defaultOpts() + opts.Unset = &OauthForPartnerApplicationsIntegrationUnset{} + assertOptsInvalidJoinedErrors(t, opts, errAtLeastOneOf("AlterOauthForPartnerApplicationsSecurityIntegrationOptions.Unset", 
+ "Enabled", "OauthUseSecondaryRoles")) + }) + + t.Run("validation: exactly one of the fields [opts.*] should be set", func(t *testing.T) { + opts := defaultOpts() + opts.Set = &OauthForPartnerApplicationsIntegrationSet{} + opts.Unset = &OauthForPartnerApplicationsIntegrationUnset{} + assertOptsInvalidJoinedErrors(t, opts, errExactlyOneOf("AlterOauthForPartnerApplicationsSecurityIntegrationOptions", "Set", "Unset", "SetTags", "UnsetTags")) + }) + + t.Run("empty roles lists", func(t *testing.T) { + opts := defaultOpts() + opts.Set = &OauthForPartnerApplicationsIntegrationSet{ + BlockedRolesList: &BlockedRolesList{}, + } + assertOptsValidAndSQLEquals(t, opts, "ALTER SECURITY INTEGRATION %s SET BLOCKED_ROLES_LIST = ()", id.FullyQualifiedName()) + }) + + t.Run("all options - set", func(t *testing.T) { + opts := defaultOpts() + roleID := randomAccountObjectIdentifier() + opts.Set = &OauthForPartnerApplicationsIntegrationSet{ + Enabled: Pointer(true), + OauthRedirectUri: Pointer("uri"), + OauthIssueRefreshTokens: Pointer(true), + OauthRefreshTokenValidity: Pointer(42), + OauthUseSecondaryRoles: Pointer(OauthSecurityIntegrationUseSecondaryRolesNone), + BlockedRolesList: &BlockedRolesList{BlockedRolesList: []AccountObjectIdentifier{roleID}}, + Comment: Pointer("a"), + } + assertOptsValidAndSQLEquals(t, opts, "ALTER SECURITY INTEGRATION %s SET ENABLED = true, OAUTH_ISSUE_REFRESH_TOKENS = true, OAUTH_REDIRECT_URI = 'uri', OAUTH_REFRESH_TOKEN_VALIDITY = 42,"+ + " OAUTH_USE_SECONDARY_ROLES = NONE, BLOCKED_ROLES_LIST = (%s), COMMENT = 'a'", id.FullyQualifiedName(), roleID.FullyQualifiedName()) + }) + + t.Run("all options - unset", func(t *testing.T) { + opts := defaultOpts() + opts.Unset = &OauthForPartnerApplicationsIntegrationUnset{ + Enabled: Pointer(true), + OauthUseSecondaryRoles: Pointer(true), + } + assertOptsValidAndSQLEquals(t, opts, "ALTER SECURITY INTEGRATION %s UNSET ENABLED, OAUTH_USE_SECONDARY_ROLES", id.FullyQualifiedName()) + }) + + t.Run("set tags", func(t 
*testing.T) { + opts := defaultOpts() + opts.SetTags = []TagAssociation{ + { + Name: NewAccountObjectIdentifier("name"), + Value: "value", + }, + { + Name: NewAccountObjectIdentifier("second-name"), + Value: "second-value", + }, + } + assertOptsValidAndSQLEquals(t, opts, `ALTER SECURITY INTEGRATION %s SET TAG "name" = 'value', "second-name" = 'second-value'`, id.FullyQualifiedName()) + }) + + t.Run("unset tags", func(t *testing.T) { + opts := defaultOpts() + opts.UnsetTags = []ObjectIdentifier{ + NewAccountObjectIdentifier("name"), + NewAccountObjectIdentifier("second-name"), + } + assertOptsValidAndSQLEquals(t, opts, `ALTER SECURITY INTEGRATION %s UNSET TAG "name", "second-name"`, id.FullyQualifiedName()) + }) +} + +func TestSecurityIntegrations_AlterOauthCustom(t *testing.T) { + id := randomAccountObjectIdentifier() + + // Minimal valid AlterOauthForCustomClientsSecurityIntegrationOptions + defaultOpts := func() *AlterOauthForCustomClientsSecurityIntegrationOptions { + return &AlterOauthForCustomClientsSecurityIntegrationOptions{ + name: id, + } + } + + t.Run("validation: nil options", func(t *testing.T) { + var opts *AlterOauthForCustomClientsSecurityIntegrationOptions = nil + assertOptsInvalidJoinedErrors(t, opts, ErrNilOptions) + }) + + t.Run("validation: valid identifier for [opts.name]", func(t *testing.T) { + opts := defaultOpts() + opts.Set = &OauthForCustomClientsIntegrationSet{ + Enabled: Pointer(true), + } + opts.name = NewAccountObjectIdentifier("") + assertOptsInvalidJoinedErrors(t, opts, ErrInvalidObjectIdentifier) + }) + + t.Run("validation: exactly of the fields [opts.*] should be set", func(t *testing.T) { + opts := defaultOpts() + assertOptsInvalidJoinedErrors(t, opts, errExactlyOneOf("AlterOauthForCustomClientsSecurityIntegrationOptions", "Set", "Unset", "SetTags", "UnsetTags")) + }) + + t.Run("validation: at least one of the fields [opts.Set.*] should be set", func(t *testing.T) { + opts := defaultOpts() + opts.Set = 
&OauthForCustomClientsIntegrationSet{} + assertOptsInvalidJoinedErrors(t, opts, errAtLeastOneOf("AlterOauthForCustomClientsSecurityIntegrationOptions.Set", "Enabled", "OauthRedirectUri", "OauthAllowNonTlsRedirectUri", + "OauthEnforcePkce", "PreAuthorizedRolesList", "BlockedRolesList", "OauthIssueRefreshTokens", "OauthRefreshTokenValidity", "OauthUseSecondaryRoles", + "NetworkPolicy", "OauthClientRsaPublicKey", "OauthClientRsaPublicKey2", "Comment")) + }) + + t.Run("validation: at least one of the fields [opts.Unset.*] should be set", func(t *testing.T) { + opts := defaultOpts() + opts.Unset = &OauthForCustomClientsIntegrationUnset{} + assertOptsInvalidJoinedErrors(t, opts, errAtLeastOneOf("AlterOauthForCustomClientsSecurityIntegrationOptions.Unset", + "Enabled", "NetworkPolicy", "OauthUseSecondaryRoles", "OauthClientRsaPublicKey", "OauthClientRsaPublicKey2")) + }) + + t.Run("validation: exactly one of the fields [opts.*] should be set", func(t *testing.T) { + opts := defaultOpts() + opts.Set = &OauthForCustomClientsIntegrationSet{} + opts.Unset = &OauthForCustomClientsIntegrationUnset{} + assertOptsInvalidJoinedErrors(t, opts, errExactlyOneOf("AlterOauthForCustomClientsSecurityIntegrationOptions", "Set", "Unset", "SetTags", "UnsetTags")) + }) + + t.Run("empty roles lists", func(t *testing.T) { + opts := defaultOpts() + opts.Set = &OauthForCustomClientsIntegrationSet{ + PreAuthorizedRolesList: &PreAuthorizedRolesList{}, + BlockedRolesList: &BlockedRolesList{}, + } + assertOptsValidAndSQLEquals(t, opts, "ALTER SECURITY INTEGRATION %s SET PRE_AUTHORIZED_ROLES_LIST = (), BLOCKED_ROLES_LIST = ()", id.FullyQualifiedName()) + }) + + t.Run("all options - set", func(t *testing.T) { + opts := defaultOpts() + roleID, role2ID, npID := randomAccountObjectIdentifier(), randomAccountObjectIdentifier(), randomAccountObjectIdentifier() + opts.Set = &OauthForCustomClientsIntegrationSet{ + Enabled: Pointer(true), + OauthRedirectUri: Pointer("uri"), + OauthAllowNonTlsRedirectUri: 
Pointer(true), + OauthEnforcePkce: Pointer(true), + OauthUseSecondaryRoles: Pointer(OauthSecurityIntegrationUseSecondaryRolesNone), + PreAuthorizedRolesList: &PreAuthorizedRolesList{PreAuthorizedRolesList: []AccountObjectIdentifier{roleID}}, + BlockedRolesList: &BlockedRolesList{BlockedRolesList: []AccountObjectIdentifier{role2ID}}, + OauthIssueRefreshTokens: Pointer(true), + OauthRefreshTokenValidity: Pointer(42), + NetworkPolicy: Pointer(npID), + OauthClientRsaPublicKey: Pointer("key"), + OauthClientRsaPublicKey2: Pointer("key2"), + Comment: Pointer("a"), + } + assertOptsValidAndSQLEquals(t, opts, "ALTER SECURITY INTEGRATION %s SET ENABLED = true, OAUTH_REDIRECT_URI = 'uri', OAUTH_ALLOW_NON_TLS_REDIRECT_URI = true, OAUTH_ENFORCE_PKCE = true,"+ + " PRE_AUTHORIZED_ROLES_LIST = (%s), BLOCKED_ROLES_LIST = (%s), OAUTH_ISSUE_REFRESH_TOKENS = true, OAUTH_REFRESH_TOKEN_VALIDITY = 42, OAUTH_USE_SECONDARY_ROLES = NONE,"+ + " NETWORK_POLICY = %s, OAUTH_CLIENT_RSA_PUBLIC_KEY = 'key', OAUTH_CLIENT_RSA_PUBLIC_KEY_2 = 'key2', COMMENT = 'a'", id.FullyQualifiedName(), roleID.FullyQualifiedName(), role2ID.FullyQualifiedName(), npID.FullyQualifiedName()) + }) + + t.Run("all options - unset", func(t *testing.T) { + opts := defaultOpts() + opts.Unset = &OauthForCustomClientsIntegrationUnset{ + Enabled: Pointer(true), + OauthUseSecondaryRoles: Pointer(true), + NetworkPolicy: Pointer(true), + OauthClientRsaPublicKey: Pointer(true), + OauthClientRsaPublicKey2: Pointer(true), + } + assertOptsValidAndSQLEquals(t, opts, "ALTER SECURITY INTEGRATION %s UNSET ENABLED, NETWORK_POLICY, OAUTH_CLIENT_RSA_PUBLIC_KEY, OAUTH_CLIENT_RSA_PUBLIC_KEY_2, OAUTH_USE_SECONDARY_ROLES", id.FullyQualifiedName()) + }) + + t.Run("set tags", func(t *testing.T) { + opts := defaultOpts() + opts.SetTags = []TagAssociation{ + { + Name: NewAccountObjectIdentifier("name"), + Value: "value", + }, + { + Name: NewAccountObjectIdentifier("second-name"), + Value: "second-value", + }, + } + assertOptsValidAndSQLEquals(t, 
opts, `ALTER SECURITY INTEGRATION %s SET TAG "name" = 'value', "second-name" = 'second-value'`, id.FullyQualifiedName()) + }) + + t.Run("unset tags", func(t *testing.T) { + opts := defaultOpts() + opts.UnsetTags = []ObjectIdentifier{ + NewAccountObjectIdentifier("name"), + NewAccountObjectIdentifier("second-name"), + } + assertOptsValidAndSQLEquals(t, opts, `ALTER SECURITY INTEGRATION %s UNSET TAG "name", "second-name"`, id.FullyQualifiedName()) + }) +} + func TestSecurityIntegrations_AlterSaml2(t *testing.T) { id := randomAccountObjectIdentifier() diff --git a/pkg/sdk/security_integrations_impl_gen.go b/pkg/sdk/security_integrations_impl_gen.go index 479af50878..ac29b7722c 100644 --- a/pkg/sdk/security_integrations_impl_gen.go +++ b/pkg/sdk/security_integrations_impl_gen.go @@ -12,6 +12,16 @@ type securityIntegrations struct { client *Client } +func (v *securityIntegrations) CreateOauthForPartnerApplications(ctx context.Context, request *CreateOauthForPartnerApplicationsSecurityIntegrationRequest) error { + opts := request.toOpts() + return validateAndExec(v.client, ctx, opts) +} + +func (v *securityIntegrations) CreateOauthForCustomClients(ctx context.Context, request *CreateOauthForCustomClientsSecurityIntegrationRequest) error { + opts := request.toOpts() + return validateAndExec(v.client, ctx, opts) +} + func (v *securityIntegrations) CreateSaml2(ctx context.Context, request *CreateSaml2SecurityIntegrationRequest) error { opts := request.toOpts() return validateAndExec(v.client, ctx, opts) 
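Review bot: The subtest name `"validation: exactly of the fields [opts.*] should be set"` is missing the word "one" and, in both `TestSecurityIntegrations_AlterOauthPartner` and `TestSecurityIntegrations_AlterOauthCustom`, sits next to a second subtest called `"validation: exactly one of the fields [opts.*] should be set"` that asserts the same `errExactlyOneOf`; the two differ only in whether zero or two fields are set, which the names do not convey. Rename them to `"validation: exactly one of the fields [opts.*] should be set - none set"` and `"validation: exactly one of the fields [opts.*] should be set - multiple set"`. A minor consistency point in the same tests: `OrReplace` uses `Bool(true)` while every other `*bool` uses `Pointer(true)`; pick one helper.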
@@ -22,6 +32,16 @@ func (v *securityIntegrations) CreateScim(ctx context.Context, request *CreateSc
 return validateAndExec(v.client, ctx, opts)
 }
 
+func (v *securityIntegrations) AlterOauthForPartnerApplications(ctx context.Context, request *AlterOauthForPartnerApplicationsSecurityIntegrationRequest) error {
+ opts := request.toOpts()
+ return validateAndExec(v.client, ctx, opts)
+}
+
+func (v *securityIntegrations) AlterOauthForCustomClients(ctx context.Context, request *AlterOauthForCustomClientsSecurityIntegrationRequest) error {
+ opts := request.toOpts()
+ return validateAndExec(v.client, ctx, opts)
+}
+
 func (v *securityIntegrations) AlterSaml2(ctx context.Context, request *AlterSaml2SecurityIntegrationRequest) error {
 opts := request.toOpts()
 return validateAndExec(v.client, ctx, opts)
@@ -59,7 +79,7 @@ func (v *securityIntegrations) Show(ctx context.Context, request *ShowSecurityIn
 }
 
 func (v *securityIntegrations) ShowByID(ctx context.Context, id AccountObjectIdentifier) (*SecurityIntegration, error) {
- securityIntegrations, err := v.Show(ctx, NewShowSecurityIntegrationRequest().WithLike(&Like{
+ securityIntegrations, err := v.Show(ctx, NewShowSecurityIntegrationRequest().WithLike(Like{
 Pattern: String(id.Name()),
 }))
 if err != nil {
@@ -68,6 +88,60 @@ func (v *securityIntegrations) ShowByID(ctx context.Context, id AccountObjectIde return collections.FindOne(securityIntegrations, func(r SecurityIntegration) bool { return r.Name == id.Name() }) } +func (r *CreateOauthForPartnerApplicationsSecurityIntegrationRequest) toOpts() *CreateOauthForPartnerApplicationsSecurityIntegrationOptions { + opts := &CreateOauthForPartnerApplicationsSecurityIntegrationOptions{ + OrReplace: r.OrReplace, + IfNotExists: r.IfNotExists, + name: r.name, + OauthClient: r.OauthClient, + OauthRedirectUri: r.OauthRedirectUri, + Enabled: r.Enabled, + OauthIssueRefreshTokens: r.OauthIssueRefreshTokens, + OauthRefreshTokenValidity: r.OauthRefreshTokenValidity, + OauthUseSecondaryRoles: r.OauthUseSecondaryRoles, + + Comment: r.Comment, + } + if r.BlockedRolesList != nil { + opts.BlockedRolesList = &BlockedRolesList{ + BlockedRolesList: r.BlockedRolesList.BlockedRolesList, + } + } + return opts +} + +func (r *CreateOauthForCustomClientsSecurityIntegrationRequest) toOpts() *CreateOauthForCustomClientsSecurityIntegrationOptions { + opts := &CreateOauthForCustomClientsSecurityIntegrationOptions{ + OrReplace: r.OrReplace, + IfNotExists: r.IfNotExists, + name: r.name, + OauthClientType: r.OauthClientType, + OauthRedirectUri: r.OauthRedirectUri, + Enabled: r.Enabled, + OauthAllowNonTlsRedirectUri: r.OauthAllowNonTlsRedirectUri, + OauthEnforcePkce: r.OauthEnforcePkce, + OauthUseSecondaryRoles: r.OauthUseSecondaryRoles, + + OauthIssueRefreshTokens: r.OauthIssueRefreshTokens, + OauthRefreshTokenValidity: r.OauthRefreshTokenValidity, + NetworkPolicy: r.NetworkPolicy, + OauthClientRsaPublicKey: r.OauthClientRsaPublicKey, + OauthClientRsaPublicKey2: r.OauthClientRsaPublicKey2, + Comment: r.Comment, + } + if r.PreAuthorizedRolesList != nil { + opts.PreAuthorizedRolesList = &PreAuthorizedRolesList{ + PreAuthorizedRolesList: r.PreAuthorizedRolesList.PreAuthorizedRolesList, + } + } + if r.BlockedRolesList != nil { + opts.BlockedRolesList = 
&BlockedRolesList{ + BlockedRolesList: r.BlockedRolesList.BlockedRolesList, + } + } + return opts +} + func (r *CreateSaml2SecurityIntegrationRequest) toOpts() *CreateSaml2SecurityIntegrationOptions { opts := &CreateSaml2SecurityIntegrationOptions{ OrReplace: r.OrReplace, 
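Review bot: Both `toOpts` methods in this hunk contain a stray blank line inside the composite literal (after `OauthUseSecondaryRoles: r.OauthUseSecondaryRoles,` and before `Comment: r.Comment,` in the partner variant, and before `OauthIssueRefreshTokens:` in the custom-clients variant), which reads as if a field was deleted and is flagged by gofumpt-style linters; remove the blank lines. The two alter `toOpts` methods in the next hunk have the same gap inside their `Set` literals. Separately, `BlockedRolesList: r.BlockedRolesList.BlockedRolesList` hands the request's slice to the options without cloning, which is fine as long as a request is not reused after `validateAndExec`; if that is not guaranteed, `slices.Clone` at this boundary would isolate the two.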
@@ -109,6 +183,83 @@ func (r *CreateScimSecurityIntegrationRequest) toOpts() *CreateScimSecurityInteg return opts } +func (r *AlterOauthForPartnerApplicationsSecurityIntegrationRequest) toOpts() *AlterOauthForPartnerApplicationsSecurityIntegrationOptions { + opts := &AlterOauthForPartnerApplicationsSecurityIntegrationOptions{ + IfExists: r.IfExists, + name: r.name, + SetTags: r.SetTags, + UnsetTags: r.UnsetTags, + } + if r.Set != nil { + opts.Set = &OauthForPartnerApplicationsIntegrationSet{ + Enabled: r.Set.Enabled, + OauthIssueRefreshTokens: r.Set.OauthIssueRefreshTokens, + OauthRedirectUri: r.Set.OauthRedirectUri, + OauthRefreshTokenValidity: r.Set.OauthRefreshTokenValidity, + OauthUseSecondaryRoles: r.Set.OauthUseSecondaryRoles, + + Comment: r.Set.Comment, + } + if r.Set.BlockedRolesList != nil { + opts.Set.BlockedRolesList = &BlockedRolesList{ + BlockedRolesList: r.Set.BlockedRolesList.BlockedRolesList, + } + } + } + if r.Unset != nil { + opts.Unset = &OauthForPartnerApplicationsIntegrationUnset{ + Enabled: r.Unset.Enabled, + OauthUseSecondaryRoles: r.Unset.OauthUseSecondaryRoles, + } + } + return opts +} + +func (r *AlterOauthForCustomClientsSecurityIntegrationRequest) toOpts() *AlterOauthForCustomClientsSecurityIntegrationOptions { + opts := &AlterOauthForCustomClientsSecurityIntegrationOptions{ + IfExists: r.IfExists, + name: r.name, + SetTags: r.SetTags, + UnsetTags: r.UnsetTags, + } + if r.Set != nil { + opts.Set = &OauthForCustomClientsIntegrationSet{ + Enabled: r.Set.Enabled, + OauthRedirectUri: r.Set.OauthRedirectUri, + OauthAllowNonTlsRedirectUri: r.Set.OauthAllowNonTlsRedirectUri, + OauthEnforcePkce: r.Set.OauthEnforcePkce, + + OauthIssueRefreshTokens: r.Set.OauthIssueRefreshTokens, + OauthRefreshTokenValidity: r.Set.OauthRefreshTokenValidity, + OauthUseSecondaryRoles: r.Set.OauthUseSecondaryRoles, + NetworkPolicy: r.Set.NetworkPolicy, + OauthClientRsaPublicKey: r.Set.OauthClientRsaPublicKey, + OauthClientRsaPublicKey2: 
r.Set.OauthClientRsaPublicKey2, + Comment: r.Set.Comment, + } + if r.Set.PreAuthorizedRolesList != nil { + opts.Set.PreAuthorizedRolesList = &PreAuthorizedRolesList{ + PreAuthorizedRolesList: r.Set.PreAuthorizedRolesList.PreAuthorizedRolesList, + } + } + if r.Set.BlockedRolesList != nil { + opts.Set.BlockedRolesList = &BlockedRolesList{ + BlockedRolesList: r.Set.BlockedRolesList.BlockedRolesList, + } + } + } + if r.Unset != nil { + opts.Unset = &OauthForCustomClientsIntegrationUnset{ + Enabled: r.Unset.Enabled, + NetworkPolicy: r.Unset.NetworkPolicy, + OauthClientRsaPublicKey: r.Unset.OauthClientRsaPublicKey, + OauthClientRsaPublicKey2: r.Unset.OauthClientRsaPublicKey2, + OauthUseSecondaryRoles: r.Unset.OauthUseSecondaryRoles, + } + } + return opts +} + func (r *AlterSaml2SecurityIntegrationRequest) toOpts() *AlterSaml2SecurityIntegrationOptions { opts := &AlterSaml2SecurityIntegrationOptions{ IfExists: r.IfExists, diff --git a/pkg/sdk/security_integrations_validations_gen.go b/pkg/sdk/security_integrations_validations_gen.go index c3330209b6..b7b4d37d2d 100644 --- a/pkg/sdk/security_integrations_validations_gen.go +++ b/pkg/sdk/security_integrations_validations_gen.go @@ -1,8 +1,12 @@ package sdk var ( + _ validatable = new(CreateOauthForPartnerApplicationsSecurityIntegrationOptions) + _ validatable = new(CreateOauthForCustomClientsSecurityIntegrationOptions) _ validatable = new(CreateSaml2SecurityIntegrationOptions) _ validatable = new(CreateScimSecurityIntegrationOptions) + _ validatable = new(AlterOauthForPartnerApplicationsSecurityIntegrationOptions) + _ validatable = new(AlterOauthForCustomClientsSecurityIntegrationOptions) _ validatable = new(AlterSaml2SecurityIntegrationOptions) _ validatable = new(AlterScimSecurityIntegrationOptions) _ validatable = new(DropSecurityIntegrationOptions) 
@@ -10,6 +14,37 @@ var (
 _ validatable = new(ShowSecurityIntegrationOptions)
 )
 
+func (opts *CreateOauthForPartnerApplicationsSecurityIntegrationOptions) validate() error {
+ if opts == nil {
+ return ErrNilOptions
+ }
+ var errs []error
+ if !ValidObjectIdentifier(opts.name) {
+ errs = append(errs, ErrInvalidObjectIdentifier)
+ }
+ if everyValueSet(opts.OrReplace, opts.IfNotExists) {
+ errs = append(errs, errOneOf("CreateOauthForPartnerApplicationsSecurityIntegrationOptions", "OrReplace", "IfNotExists"))
+ }
+ if opts.OauthClient == OauthSecurityIntegrationClientLooker && opts.OauthRedirectUri == nil {
+ errs = append(errs, NewError("OauthRedirectUri is required when OauthClient is LOOKER"))
+ }
+ return JoinErrors(errs...)
+}
+
+func (opts *CreateOauthForCustomClientsSecurityIntegrationOptions) validate() error {
+ if opts == nil {
+ return ErrNilOptions
+ }
+ var errs []error
+ if !ValidObjectIdentifier(opts.name) {
+ errs = append(errs, ErrInvalidObjectIdentifier)
+ }
+ if everyValueSet(opts.OrReplace, opts.IfNotExists) {
+ errs = append(errs, errOneOf("CreateOauthForCustomClientsSecurityIntegrationOptions", "OrReplace", "IfNotExists"))
+ }
+ return JoinErrors(errs...)
+}
+
 func (opts *CreateSaml2SecurityIntegrationOptions) validate() error {
 if opts == nil {
 return ErrNilOptions
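Review bot: `CreateOauthForCustomClientsSecurityIntegrationOptions.validate` checks only the identifier and the OrReplace/IfNotExists pair, so the required OAuth arguments are never validated client-side; the integration test in this commit passes them positionally as `NewCreateOauthForCustomClientsSecurityIntegrationRequest(id, sdk.OauthSecurityIntegrationClientTypePublic, "https://example.com")`, and an empty redirect URI would only be rejected by Snowflake as malformed SQL. If `OauthRedirectUri` is a plain (non-pointer) field on this options struct, a check in the style of the LOOKER rule in the partner function closes that gap: `if opts.OauthRedirectUri == "" { errs = append(errs, NewError("OauthRedirectUri is required")) }`. The partner variant already guards its LOOKER case, so only the custom-clients function needs the addition.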
@@ -38,6 +73,54 @@ func (opts *CreateScimSecurityIntegrationOptions) validate() error {
 return JoinErrors(errs...)
 }
 
+func (opts *AlterOauthForPartnerApplicationsSecurityIntegrationOptions) validate() error {
+ if opts == nil {
+ return ErrNilOptions
+ }
+ var errs []error
+ if !ValidObjectIdentifier(opts.name) {
+ errs = append(errs, ErrInvalidObjectIdentifier)
+ }
+ if !exactlyOneValueSet(opts.Set, opts.Unset, opts.SetTags, opts.UnsetTags) {
+ errs = append(errs, errExactlyOneOf("AlterOauthForPartnerApplicationsSecurityIntegrationOptions", "Set", "Unset", "SetTags", "UnsetTags"))
+ }
+ if valueSet(opts.Set) {
+ if !anyValueSet(opts.Set.Enabled, opts.Set.OauthIssueRefreshTokens, opts.Set.OauthRedirectUri, opts.Set.OauthRefreshTokenValidity, opts.Set.OauthUseSecondaryRoles, opts.Set.BlockedRolesList, opts.Set.Comment) {
+ errs = append(errs, errAtLeastOneOf("AlterOauthForPartnerApplicationsSecurityIntegrationOptions.Set", "Enabled", "OauthIssueRefreshTokens", "OauthRedirectUri", "OauthRefreshTokenValidity", "OauthUseSecondaryRoles", "BlockedRolesList", "Comment"))
+ }
+ }
+ if valueSet(opts.Unset) {
+ if !anyValueSet(opts.Unset.Enabled, opts.Unset.OauthUseSecondaryRoles) {
+ errs = append(errs, errAtLeastOneOf("AlterOauthForPartnerApplicationsSecurityIntegrationOptions.Unset", "Enabled", "OauthUseSecondaryRoles"))
+ }
+ }
+ return JoinErrors(errs...)
+}
+
+func (opts *AlterOauthForCustomClientsSecurityIntegrationOptions) validate() error {
+ if opts == nil {
+ return ErrNilOptions
+ }
+ var errs []error
+ if !ValidObjectIdentifier(opts.name) {
+ errs = append(errs, ErrInvalidObjectIdentifier)
+ }
+ if !exactlyOneValueSet(opts.Set, opts.Unset, opts.SetTags, opts.UnsetTags) {
+ errs = append(errs, errExactlyOneOf("AlterOauthForCustomClientsSecurityIntegrationOptions", "Set", "Unset", "SetTags", "UnsetTags"))
+ }
+ if valueSet(opts.Set) {
+ if !anyValueSet(opts.Set.Enabled, opts.Set.OauthRedirectUri, opts.Set.OauthAllowNonTlsRedirectUri, opts.Set.OauthEnforcePkce, opts.Set.PreAuthorizedRolesList, opts.Set.BlockedRolesList, opts.Set.OauthIssueRefreshTokens, opts.Set.OauthRefreshTokenValidity, opts.Set.OauthUseSecondaryRoles, opts.Set.NetworkPolicy, opts.Set.OauthClientRsaPublicKey, opts.Set.OauthClientRsaPublicKey2, opts.Set.Comment) {
+ errs = append(errs, errAtLeastOneOf("AlterOauthForCustomClientsSecurityIntegrationOptions.Set", "Enabled", "OauthRedirectUri", "OauthAllowNonTlsRedirectUri", "OauthEnforcePkce", "PreAuthorizedRolesList", "BlockedRolesList", "OauthIssueRefreshTokens", "OauthRefreshTokenValidity", "OauthUseSecondaryRoles", "NetworkPolicy", "OauthClientRsaPublicKey", "OauthClientRsaPublicKey2", "Comment"))
+ }
+ }
+ if valueSet(opts.Unset) {
+ if !anyValueSet(opts.Unset.Enabled, opts.Unset.NetworkPolicy, opts.Unset.OauthUseSecondaryRoles, opts.Unset.OauthClientRsaPublicKey, opts.Unset.OauthClientRsaPublicKey2) {
+ errs = append(errs, errAtLeastOneOf("AlterOauthForCustomClientsSecurityIntegrationOptions.Unset", "Enabled", "NetworkPolicy", "OauthUseSecondaryRoles", "OauthClientRsaPublicKey", "OauthClientRsaPublicKey2"))
+ }
+ }
+ return JoinErrors(errs...)
+}
+
 func (opts *AlterSaml2SecurityIntegrationOptions) validate() error {
 if opts == nil {
 return ErrNilOptions
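Review bot: Neither new Unset branch accepts Comment, although both Set branches list `opts.Set.Comment`, so a comment set through this API cannot be removed through it again — the SAML2 unset request in the same commit does expose `WithComment(true)`. As far as I recall Snowflake's ALTER SECURITY INTEGRATION … UNSET for OAuth integrations accepts COMMENT (worth confirming against the docs); if so, Comment belongs in the two unset structs and in these `anyValueSet`/`errAtLeastOneOf` lists, e.g. `if !anyValueSet(opts.Unset.Enabled, opts.Unset.OauthUseSecondaryRoles, opts.Unset.Comment) {` for the partner variant. The unset structs themselves are defined outside this hunk.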
diff --git a/pkg/sdk/testint/security_integrations_gen_integration_test.go b/pkg/sdk/testint/security_integrations_gen_integration_test.go
index 4c2a3c164f..1971bded6a 100644
--- a/pkg/sdk/testint/security_integrations_gen_integration_test.go
+++ b/pkg/sdk/testint/security_integrations_gen_integration_test.go
@@ -1,12 +1,13 @@
 package testint
 
 import (
- "fmt"
+ "strings"
 "testing"
 
 "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/acceptance/helpers/random"
 "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/internal/snowflakeroles"
 "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk"
+ "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk/internal/collections"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 )
@@ -15,53 +16,88 @@ func TestInt_SecurityIntegrations(t *testing.T) { client := testClient(t) ctx := testContext(t) - // TODO: move URL to helpers - acsURL := fmt.Sprintf("https://%s.snowflakecomputing.com/fed/login", testClientHelper().Context.CurrentAccount(t)) - issuerURL := fmt.Sprintf("https://%s.snowflakecomputing.com", testClientHelper().Context.CurrentAccount(t)) + acsURL := testClientHelper().Context.ACSURL(t) + issuerURL := testClientHelper().Context.IssuerURL(t) cert := random.GenerateX509(t) + rsaKey := random.GenerateRSAPublicKey(t) + revertParameter := testClientHelper().Parameter.UpdateAccountParameterTemporarily(t, sdk.AccountParameterEnableIdentifierFirstLogin, "true") t.Cleanup(revertParameter) cleanupSecurityIntegration := func(t *testing.T, id sdk.AccountObjectIdentifier) { t.Helper() t.Cleanup(func() { - err := client.SecurityIntegrations.Drop(ctx, sdk.NewDropSecurityIntegrationRequest(id).WithIfExists(sdk.Pointer(true))) + err := client.SecurityIntegrations.Drop(ctx, sdk.NewDropSecurityIntegrationRequest(id).WithIfExists(true)) assert.NoError(t, err) }) } - createSAML2Integration := func(t *testing.T, siID sdk.AccountObjectIdentifier, issuer string, with func(*sdk.CreateSaml2SecurityIntegrationRequest)) *sdk.SecurityIntegration { + createOauthCustom := func(t *testing.T, with func(*sdk.CreateOauthForCustomClientsSecurityIntegrationRequest)) (*sdk.SecurityIntegration, sdk.AccountObjectIdentifier) { t.Helper() + id := testClientHelper().Ids.RandomAccountObjectIdentifier() + req := sdk.NewCreateOauthForCustomClientsSecurityIntegrationRequest(id, sdk.OauthSecurityIntegrationClientTypePublic, "https://example.com") + if with != nil { + with(req) + } + err := client.SecurityIntegrations.CreateOauthForCustomClients(ctx, req) + require.NoError(t, err) + cleanupSecurityIntegration(t, id) + integration, err := client.SecurityIntegrations.ShowByID(ctx, id) + require.NoError(t, err) + + return integration, id + } + createOauthPartner := func(t *testing.T, 
with func(*sdk.CreateOauthForPartnerApplicationsSecurityIntegrationRequest)) (*sdk.SecurityIntegration, sdk.AccountObjectIdentifier) { + t.Helper() + id := testClientHelper().Ids.RandomAccountObjectIdentifier() + req := sdk.NewCreateOauthForPartnerApplicationsSecurityIntegrationRequest(id, sdk.OauthSecurityIntegrationClientLooker). + WithOauthRedirectUri("http://example.com") + + if with != nil { + with(req) + } + err := client.SecurityIntegrations.CreateOauthForPartnerApplications(ctx, req) + require.NoError(t, err) + cleanupSecurityIntegration(t, id) + integration, err := client.SecurityIntegrations.ShowByID(ctx, id) + require.NoError(t, err) - saml2Req := sdk.NewCreateSaml2SecurityIntegrationRequest(siID, false, issuer, "https://example.com", "Custom", cert) + return integration, id + } + createSAML2Integration := func(t *testing.T, with func(*sdk.CreateSaml2SecurityIntegrationRequest)) (*sdk.SecurityIntegration, sdk.AccountObjectIdentifier, string) { + t.Helper() + id := testClientHelper().Ids.RandomAccountObjectIdentifier() + issuer := testClientHelper().Ids.Alpha() + saml2Req := sdk.NewCreateSaml2SecurityIntegrationRequest(id, false, issuer, "https://example.com", "Custom", cert) if with != nil { with(saml2Req) } err := client.SecurityIntegrations.CreateSaml2(ctx, saml2Req) require.NoError(t, err) - cleanupSecurityIntegration(t, siID) - integration, err := client.SecurityIntegrations.ShowByID(ctx, siID) + cleanupSecurityIntegration(t, id) + integration, err := client.SecurityIntegrations.ShowByID(ctx, id) require.NoError(t, err) - return integration + return integration, id, issuer } - createSCIMIntegration := func(t *testing.T, siID sdk.AccountObjectIdentifier, with func(*sdk.CreateScimSecurityIntegrationRequest)) *sdk.SecurityIntegration { + createSCIMIntegration := func(t *testing.T, with func(*sdk.CreateScimSecurityIntegrationRequest)) (*sdk.SecurityIntegration, sdk.AccountObjectIdentifier) { t.Helper() role, roleCleanup := 
testClientHelper().Role.CreateRoleWithRequest(t, sdk.NewCreateRoleRequest(snowflakeroles.GenericScimProvisioner).WithOrReplace(true)) t.Cleanup(roleCleanup) testClientHelper().Role.GrantRoleToCurrentRole(t, role.ID()) - scimReq := sdk.NewCreateScimSecurityIntegrationRequest(siID, false, sdk.ScimSecurityIntegrationScimClientGeneric, sdk.ScimSecurityIntegrationRunAsRoleGenericScimProvisioner) + id := testClientHelper().Ids.RandomAccountObjectIdentifier() + scimReq := sdk.NewCreateScimSecurityIntegrationRequest(id, false, sdk.ScimSecurityIntegrationScimClientGeneric, sdk.ScimSecurityIntegrationRunAsRoleGenericScimProvisioner) if with != nil { with(scimReq) } err := client.SecurityIntegrations.CreateScim(ctx, scimReq) require.NoError(t, err) - cleanupSecurityIntegration(t, siID) - integration, err := client.SecurityIntegrations.ShowByID(ctx, siID) + cleanupSecurityIntegration(t, id) + integration, err := client.SecurityIntegrations.ShowByID(ctx, id) require.NoError(t, err) - return integration + return integration, id } assertSecurityIntegration := func(t *testing.T, si *sdk.SecurityIntegration, id sdk.AccountObjectIdentifier, siType string, enabled bool, comment string) { 
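Review bot: `createOauthPartner` should document that only one such integration can exist at a time: the `Show OauthPartner` subtest later in this file notes that "more than one oauth partner integration is not allowed", so every partner subtest silently depends on its predecessor's cleanup having dropped the previous integration, and one failed cleanup cascades into all later partner tests. A comment such as `// Snowflake permits a single OAUTH - LOOKER integration per account; never hold two at once.` above the helper makes that constraint visible. Separately, the helper hard-codes a plain-http `WithOauthRedirectUri("http://example.com")` while `createOauthCustom` uses `"https://example.com"`; using the TLS form in both keeps the fixtures consistent unless the non-TLS case is meant to be exercised here. The enclosing TestInt_SecurityIntegrations function starts and ends outside the hunk.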
@@ -73,6 +109,48 @@ func TestInt_SecurityIntegrations(t *testing.T) { assert.Equal(t, "SECURITY", si.Category) } + type oauthPartnerDetails struct { + enabled string + oauthIssueRefreshTokens string + refreshTokenValidity string + useSecondaryRoles string + preAuthorizedRolesList string + blockedRolesList string + networkPolicy string + comment string + } + + assertOauthPartner := func(details []sdk.SecurityIntegrationProperty, d oauthPartnerDetails) { + assert.Contains(t, details, sdk.SecurityIntegrationProperty{Name: "ENABLED", Type: "Boolean", Value: d.enabled, Default: "false"}) + assert.Contains(t, details, sdk.SecurityIntegrationProperty{Name: "OAUTH_ISSUE_REFRESH_TOKENS", Type: "Boolean", Value: d.oauthIssueRefreshTokens, Default: "true"}) + assert.Contains(t, details, sdk.SecurityIntegrationProperty{Name: "OAUTH_REFRESH_TOKEN_VALIDITY", Type: "Integer", Value: d.refreshTokenValidity, Default: "7776000"}) + assert.Contains(t, details, sdk.SecurityIntegrationProperty{Name: "OAUTH_USE_SECONDARY_ROLES", Type: "String", Value: d.useSecondaryRoles, Default: "NONE"}) + assert.Contains(t, details, sdk.SecurityIntegrationProperty{Name: "PRE_AUTHORIZED_ROLES_LIST", Type: "List", Value: d.preAuthorizedRolesList, Default: "[]"}) + assert.Contains(t, details, sdk.SecurityIntegrationProperty{Name: "NETWORK_POLICY", Type: "String", Value: d.networkPolicy, Default: ""}) + assert.Contains(t, details, sdk.SecurityIntegrationProperty{Name: "COMMENT", Type: "String", Value: d.comment, Default: ""}) + // Check one-by-one because snowflake returns a few extra roles + found, err := collections.FindOne(details, func(d sdk.SecurityIntegrationProperty) bool { return d.Name == "BLOCKED_ROLES_LIST" }) + assert.NoError(t, err) + roles := strings.Split(found.Value, ",") + for _, exp := range strings.Split(d.blockedRolesList, ",") { + assert.Contains(t, roles, exp) + } + } + + assertOauthCustom := func(details []sdk.SecurityIntegrationProperty, d oauthPartnerDetails, 
allowNonTlsRedirectUri, clientType, enforcePkce string) { + assertOauthPartner(details, d) + assert.Contains(t, details, sdk.SecurityIntegrationProperty{Name: "OAUTH_ALLOW_NON_TLS_REDIRECT_URI", Type: "Boolean", Value: allowNonTlsRedirectUri, Default: "false"}) + assert.Contains(t, details, sdk.SecurityIntegrationProperty{Name: "OAUTH_CLIENT_TYPE", Type: "String", Value: clientType, Default: "CONFIDENTIAL"}) + assert.Contains(t, details, sdk.SecurityIntegrationProperty{Name: "OAUTH_ENFORCE_PKCE", Type: "Boolean", Value: enforcePkce, Default: "false"}) + // Keys are hashed in snowflake, so we check only if these fields are present + keys := make(map[string]struct{}) + for _, detail := range details { + keys[detail.Name] = struct{}{} + } + assert.Contains(t, keys, "OAUTH_CLIENT_RSA_PUBLIC_KEY_FP") + assert.Contains(t, keys, "OAUTH_CLIENT_RSA_PUBLIC_KEY_2_FP") + } + assertSCIMDescribe := func(details []sdk.SecurityIntegrationProperty, enabled, networkPolicy, runAsRole, syncPassword, comment string) { assert.Contains(t, details, sdk.SecurityIntegrationProperty{Name: "ENABLED", Type: "Boolean", Value: enabled, Default: "false"}) assert.Contains(t, details, sdk.SecurityIntegrationProperty{Name: "NETWORK_POLICY", Type: "String", Value: networkPolicy, Default: ""}) @@ -81,7 +159,7 @@ func TestInt_SecurityIntegrations(t *testing.T) { assert.Contains(t, details, sdk.SecurityIntegrationProperty{Name: "COMMENT", Type: "String", Value: comment, Default: ""}) } - type saml2details struct { + type saml2Details struct { provider string enableSPInitiated string spInitiatedLoginPageLabel string 
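Review bot: `assertOauthCustom` only checks that `OAUTH_CLIENT_RSA_PUBLIC_KEY_FP` and `OAUTH_CLIENT_RSA_PUBLIC_KEY_2_FP` appear among the property names, but the AlterOauthCustom subtest later in this file asserts those same properties with an empty Value after UNSET, so the presence check passes even when no key was stored. Looking the two properties up the way `assertOauthPartner` does for BLOCKED_ROLES_LIST and asserting `assert.NotEmpty(t, found.Value)` would actually verify that a fingerprint was recorded. In `assertOauthPartner`, `found` from `collections.FindOne` is dereferenced immediately after `assert.NoError(t, err)`; if FindOne returns a nil pointer on a miss, that becomes a panic rather than a test failure, so `require.NoError(t, err)` is the safer form there. The enclosing TestInt_SecurityIntegrations function starts and ends outside the hunk.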
@@ -98,7 +176,7 @@ func TestInt_SecurityIntegrations(t *testing.T) { allowedEmailPatterns string } - assertSAML2Describe := func(details []sdk.SecurityIntegrationProperty, d saml2details) { + assertSAML2Describe := func(details []sdk.SecurityIntegrationProperty, d saml2Details) { assert.Contains(t, details, sdk.SecurityIntegrationProperty{Name: "SAML2_X509_CERT", Type: "String", Value: cert, Default: ""}) assert.Contains(t, details, sdk.SecurityIntegrationProperty{Name: "SAML2_PROVIDER", Type: "String", Value: d.provider, Default: ""}) assert.Contains(t, details, sdk.SecurityIntegrationProperty{Name: "SAML2_ENABLE_SP_INITIATED", Type: "Boolean", Value: d.enableSPInitiated, Default: "false"}) 
@@ -118,29 +196,92 @@ func TestInt_SecurityIntegrations(t *testing.T) { assert.Contains(t, details, sdk.SecurityIntegrationProperty{Name: "ALLOWED_EMAIL_PATTERNS", Type: "List", Value: d.allowedEmailPatterns, Default: "[]"}) } - t.Run("CreateSaml2", func(t *testing.T) { - id := testClientHelper().Ids.RandomAccountObjectIdentifier() - issuer := testClientHelper().Ids.Alpha() + t.Run("CreateOauthPartner", func(t *testing.T) { + role1, role1Cleanup := testClientHelper().Role.CreateRole(t) + t.Cleanup(role1Cleanup) + + integration, id := createOauthPartner(t, func(r *sdk.CreateOauthForPartnerApplicationsSecurityIntegrationRequest) { + r.WithBlockedRolesList(sdk.BlockedRolesListRequest{BlockedRolesList: []sdk.AccountObjectIdentifier{role1.ID()}}). + WithComment("a"). + WithEnabled(true). + WithOauthIssueRefreshTokens(true). + WithOauthRefreshTokenValidity(12345). + WithOauthUseSecondaryRoles(sdk.OauthSecurityIntegrationUseSecondaryRolesImplicit) + }) + details, err := client.SecurityIntegrations.Describe(ctx, id) + require.NoError(t, err) + + assertOauthPartner(details, oauthPartnerDetails{ + enabled: "true", + oauthIssueRefreshTokens: "true", + refreshTokenValidity: "12345", + useSecondaryRoles: string(sdk.OauthSecurityIntegrationUseSecondaryRolesImplicit), + blockedRolesList: role1.Name, + comment: "a", + }) + + assertSecurityIntegration(t, integration, id, "OAUTH - LOOKER", true, "a") + }) - createSAML2Integration(t, id, issuer, func(r *sdk.CreateSaml2SecurityIntegrationRequest) { + t.Run("CreateOauthCustom", func(t *testing.T) { + networkPolicy, networkPolicyCleanup := testClientHelper().NetworkPolicy.CreateNetworkPolicy(t) + t.Cleanup(networkPolicyCleanup) + role1, role1Cleanup := testClientHelper().Role.CreateRole(t) + t.Cleanup(role1Cleanup) + role2, role2Cleanup := testClientHelper().Role.CreateRole(t) + t.Cleanup(role2Cleanup) + + integration, id := createOauthCustom(t, func(r *sdk.CreateOauthForCustomClientsSecurityIntegrationRequest) { + 
r.WithBlockedRolesList(sdk.BlockedRolesListRequest{BlockedRolesList: []sdk.AccountObjectIdentifier{role1.ID()}}). + WithComment("a"). + WithEnabled(true). + WithNetworkPolicy(sdk.NewAccountObjectIdentifier(networkPolicy.Name)). + WithOauthAllowNonTlsRedirectUri(true). + WithOauthClientRsaPublicKey(rsaKey). + WithOauthClientRsaPublicKey2(rsaKey). + WithOauthEnforcePkce(true). + WithOauthIssueRefreshTokens(true). + WithOauthRefreshTokenValidity(12345). + WithOauthUseSecondaryRoles(sdk.OauthSecurityIntegrationUseSecondaryRolesImplicit). + WithPreAuthorizedRolesList(sdk.PreAuthorizedRolesListRequest{PreAuthorizedRolesList: []sdk.AccountObjectIdentifier{role2.ID()}}) + }) + details, err := client.SecurityIntegrations.Describe(ctx, id) + require.NoError(t, err) + + assertOauthCustom(details, oauthPartnerDetails{ + enabled: "true", + oauthIssueRefreshTokens: "true", + refreshTokenValidity: "12345", + useSecondaryRoles: string(sdk.OauthSecurityIntegrationUseSecondaryRolesImplicit), + preAuthorizedRolesList: role2.Name, + blockedRolesList: role1.Name, + networkPolicy: networkPolicy.Name, + comment: "a", + }, "true", string(sdk.OauthSecurityIntegrationClientTypePublic), "true") + + assertSecurityIntegration(t, integration, id, "OAUTH - CUSTOM", true, "a") + }) + + t.Run("CreateSaml2", func(t *testing.T) { + _, id, issuer := createSAML2Integration(t, func(r *sdk.CreateSaml2SecurityIntegrationRequest) { r.WithAllowedEmailPatterns([]sdk.EmailPattern{{Pattern: "^(.+dev)@example.com$"}}). WithAllowedUserDomains([]sdk.UserDomain{{Domain: "example.com"}}). - WithComment(sdk.Pointer("a")). - WithSaml2EnableSpInitiated(sdk.Pointer(true)). - WithSaml2ForceAuthn(sdk.Pointer(true)). - WithSaml2PostLogoutRedirectUrl(sdk.Pointer("http://example.com/logout")). - WithSaml2RequestedNameidFormat(sdk.Pointer("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")). - WithSaml2SignRequest(sdk.Pointer(true)). - WithSaml2SnowflakeAcsUrl(&acsURL). - WithSaml2SnowflakeIssuerUrl(&issuerURL). 
- WithSaml2SpInitiatedLoginPageLabel(sdk.Pointer("label")) + WithComment("a"). + WithSaml2EnableSpInitiated(true). + WithSaml2ForceAuthn(true). + WithSaml2PostLogoutRedirectUrl("http://example.com/logout"). + WithSaml2RequestedNameidFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"). + WithSaml2SignRequest(true). + WithSaml2SnowflakeAcsUrl(acsURL). + WithSaml2SnowflakeIssuerUrl(issuerURL). + WithSaml2SpInitiatedLoginPageLabel("label") // TODO: fix after format clarification // WithSaml2SnowflakeX509Cert(sdk.Pointer(x509)) }) details, err := client.SecurityIntegrations.Describe(ctx, id) require.NoError(t, err) - assertSAML2Describe(details, saml2details{ + assertSAML2Describe(details, saml2Details{ provider: "Custom", enableSPInitiated: "true", spInitiatedLoginPageLabel: "label", @@ -166,11 +307,10 @@ func TestInt_SecurityIntegrations(t *testing.T) { networkPolicy, networkPolicyCleanup := testClientHelper().NetworkPolicy.CreateNetworkPolicy(t) t.Cleanup(networkPolicyCleanup) - id := testClientHelper().Ids.RandomAccountObjectIdentifier() - createSCIMIntegration(t, id, func(r *sdk.CreateScimSecurityIntegrationRequest) { - r.WithComment(sdk.Pointer("a")). - WithNetworkPolicy(sdk.Pointer(sdk.NewAccountObjectIdentifier(networkPolicy.Name))). - WithSyncPassword(sdk.Pointer(false)) + _, id := createSCIMIntegration(t, func(r *sdk.CreateScimSecurityIntegrationRequest) { + r.WithComment("a"). + WithNetworkPolicy(sdk.NewAccountObjectIdentifier(networkPolicy.Name)). + WithSyncPassword(false) }) details, err := client.SecurityIntegrations.Describe(ctx, id) require.NoError(t, err) 
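Review bot: The CreateOauthCustom subtest registers the same `rsaKey` for both `WithOauthClientRsaPublicKey` and `WithOauthClientRsaPublicKey2`, so a swap between the two fields in the SQL builder would be invisible to this test even once fingerprint values are asserted. Generating a second key next to the existing one, `rsaKey2 := random.GenerateRSAPublicKey(t)`, and passing distinct keys keeps the two slots distinguishable. The same applies to the AlterOauthCustom subtest in the next hunk. The enclosing test function continues outside the hunk.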
@@ -182,28 +322,212 @@ func TestInt_SecurityIntegrations(t *testing.T) { assertSecurityIntegration(t, si, id, "SCIM - GENERIC", false, "a") }) + t.Run("AlterOauthPartner", func(t *testing.T) { + _, id := createOauthPartner(t, func(r *sdk.CreateOauthForPartnerApplicationsSecurityIntegrationRequest) { + r.WithOauthRedirectUri("http://example.com") + }) + role1, role1Cleanup := testClientHelper().Role.CreateRole(t) + t.Cleanup(role1Cleanup) + + setRequest := sdk.NewAlterOauthForPartnerApplicationsSecurityIntegrationRequest(id). + WithSet( + *sdk.NewOauthForPartnerApplicationsIntegrationSetRequest(). + WithBlockedRolesList(*sdk.NewBlockedRolesListRequest().WithBlockedRolesList([]sdk.AccountObjectIdentifier{role1.ID()})). + WithComment("a"). + WithEnabled(true). + WithOauthIssueRefreshTokens(true). + WithOauthRedirectUri("http://example2.com"). + WithOauthRefreshTokenValidity(22222). + WithOauthUseSecondaryRoles(sdk.OauthSecurityIntegrationUseSecondaryRolesImplicit), + ) + err := client.SecurityIntegrations.AlterOauthForPartnerApplications(ctx, setRequest) + require.NoError(t, err) + + details, err := client.SecurityIntegrations.Describe(ctx, id) + require.NoError(t, err) + + assertOauthPartner(details, oauthPartnerDetails{ + enabled: "true", + oauthIssueRefreshTokens: "true", + refreshTokenValidity: "22222", + useSecondaryRoles: string(sdk.OauthSecurityIntegrationUseSecondaryRolesImplicit), + preAuthorizedRolesList: "", + blockedRolesList: "ACCOUNTADMIN,SECURITYADMIN", + networkPolicy: "", + comment: "a", + }) + + unsetRequest := sdk.NewAlterOauthForPartnerApplicationsSecurityIntegrationRequest(id). + WithUnset( + *sdk.NewOauthForPartnerApplicationsIntegrationUnsetRequest(). + WithEnabled(true). 
+ WithOauthUseSecondaryRoles(true), + ) + err = client.SecurityIntegrations.AlterOauthForPartnerApplications(ctx, unsetRequest) + require.NoError(t, err) + + details, err = client.SecurityIntegrations.Describe(ctx, id) + require.NoError(t, err) + + assert.Contains(t, details, sdk.SecurityIntegrationProperty{Name: "ENABLED", Type: "Boolean", Value: "false", Default: "false"}) + assert.Contains(t, details, sdk.SecurityIntegrationProperty{Name: "OAUTH_USE_SECONDARY_ROLES", Type: "String", Value: "NONE", Default: "NONE"}) + }) + + t.Run("AlterOauthPartner - set and unset tags", func(t *testing.T) { + tag, tagCleanup := testClientHelper().Tag.CreateTag(t) + t.Cleanup(tagCleanup) + + _, id := createOauthPartner(t, nil) + + tagValue := "abc" + tags := []sdk.TagAssociation{ + { + Name: tag.ID(), + Value: tagValue, + }, + } + alterRequestSetTags := sdk.NewAlterOauthForPartnerApplicationsSecurityIntegrationRequest(id).WithSetTags(tags) + + err := client.SecurityIntegrations.AlterOauthForPartnerApplications(ctx, alterRequestSetTags) + require.NoError(t, err) + + returnedTagValue, err := client.SystemFunctions.GetTag(ctx, tag.ID(), id, sdk.ObjectTypeIntegration) + require.NoError(t, err) + + assert.Equal(t, tagValue, returnedTagValue) + + unsetTags := []sdk.ObjectIdentifier{ + tag.ID(), + } + alterRequestUnsetTags := sdk.NewAlterOauthForPartnerApplicationsSecurityIntegrationRequest(id).WithUnsetTags(unsetTags) + + err = client.SecurityIntegrations.AlterOauthForPartnerApplications(ctx, alterRequestUnsetTags) + require.NoError(t, err) + + _, err = client.SystemFunctions.GetTag(ctx, tag.ID(), id, sdk.ObjectTypeIntegration) + require.Error(t, err) + }) + + t.Run("AlterOauthCustom", func(t *testing.T) { + _, id := createOauthCustom(t, nil) + + networkPolicy, networkPolicyCleanup := testClientHelper().NetworkPolicy.CreateNetworkPolicy(t) + t.Cleanup(networkPolicyCleanup) + role1, role1Cleanup := testClientHelper().Role.CreateRole(t) + t.Cleanup(role1Cleanup) + role2, role2Cleanup := 
testClientHelper().Role.CreateRole(t) + t.Cleanup(role2Cleanup) + + setRequest := sdk.NewAlterOauthForCustomClientsSecurityIntegrationRequest(id). + WithSet( + *sdk.NewOauthForCustomClientsIntegrationSetRequest(). + WithEnabled(true). + WithBlockedRolesList(sdk.BlockedRolesListRequest{BlockedRolesList: []sdk.AccountObjectIdentifier{role1.ID()}}). + WithComment("a"). + WithNetworkPolicy(sdk.NewAccountObjectIdentifier(networkPolicy.Name)). + WithOauthAllowNonTlsRedirectUri(true). + WithOauthClientRsaPublicKey(rsaKey). + WithOauthClientRsaPublicKey2(rsaKey). + WithOauthEnforcePkce(true). + WithOauthIssueRefreshTokens(true). + WithOauthRedirectUri("http://example2.com"). + WithOauthRefreshTokenValidity(22222). + WithOauthUseSecondaryRoles(sdk.OauthSecurityIntegrationUseSecondaryRolesImplicit). + WithPreAuthorizedRolesList(sdk.PreAuthorizedRolesListRequest{PreAuthorizedRolesList: []sdk.AccountObjectIdentifier{role2.ID()}}), + ) + err := client.SecurityIntegrations.AlterOauthForCustomClients(ctx, setRequest) + require.NoError(t, err) + + details, err := client.SecurityIntegrations.Describe(ctx, id) + require.NoError(t, err) + + assertOauthCustom(details, oauthPartnerDetails{ + enabled: "true", + oauthIssueRefreshTokens: "true", + refreshTokenValidity: "22222", + useSecondaryRoles: string(sdk.OauthSecurityIntegrationUseSecondaryRolesImplicit), + preAuthorizedRolesList: role2.Name, + blockedRolesList: role1.Name, + networkPolicy: networkPolicy.Name, + comment: "a", + }, "true", string(sdk.OauthSecurityIntegrationClientTypePublic), "true") + + unsetRequest := sdk.NewAlterOauthForCustomClientsSecurityIntegrationRequest(id). + WithUnset( + *sdk.NewOauthForCustomClientsIntegrationUnsetRequest(). + WithEnabled(true). + WithOauthUseSecondaryRoles(true). + WithNetworkPolicy(true). + WithOauthClientRsaPublicKey(true). 
+ WithOauthClientRsaPublicKey2(true), + ) + err = client.SecurityIntegrations.AlterOauthForCustomClients(ctx, unsetRequest) + require.NoError(t, err) + + details, err = client.SecurityIntegrations.Describe(ctx, id) + require.NoError(t, err) + + assert.Contains(t, details, sdk.SecurityIntegrationProperty{Name: "ENABLED", Type: "Boolean", Value: "false", Default: "false"}) + assert.Contains(t, details, sdk.SecurityIntegrationProperty{Name: "OAUTH_USE_SECONDARY_ROLES", Type: "String", Value: "NONE", Default: "NONE"}) + assert.Contains(t, details, sdk.SecurityIntegrationProperty{Name: "NETWORK_POLICY", Type: "String", Value: "", Default: ""}) + assert.Contains(t, details, sdk.SecurityIntegrationProperty{Name: "OAUTH_CLIENT_RSA_PUBLIC_KEY_FP", Type: "String", Value: "", Default: ""}) + assert.Contains(t, details, sdk.SecurityIntegrationProperty{Name: "OAUTH_CLIENT_RSA_PUBLIC_KEY_2_FP", Type: "String", Value: "", Default: ""}) + }) + + t.Run("AlterOauthCustom - set and unset tags", func(t *testing.T) { + tag, tagCleanup := testClientHelper().Tag.CreateTag(t) + t.Cleanup(tagCleanup) + + _, id := createOauthCustom(t, nil) + + tagValue := "abc" + tags := []sdk.TagAssociation{ + { + Name: tag.ID(), + Value: tagValue, + }, + } + alterRequestSetTags := sdk.NewAlterOauthForCustomClientsSecurityIntegrationRequest(id).WithSetTags(tags) + + err := client.SecurityIntegrations.AlterOauthForCustomClients(ctx, alterRequestSetTags) + require.NoError(t, err) + + returnedTagValue, err := client.SystemFunctions.GetTag(ctx, tag.ID(), id, sdk.ObjectTypeIntegration) + require.NoError(t, err) + + assert.Equal(t, tagValue, returnedTagValue) + + unsetTags := []sdk.ObjectIdentifier{ + tag.ID(), + } + alterRequestUnsetTags := sdk.NewAlterOauthForCustomClientsSecurityIntegrationRequest(id).WithUnsetTags(unsetTags) + + err = client.SecurityIntegrations.AlterOauthForCustomClients(ctx, alterRequestUnsetTags) + require.NoError(t, err) + + _, err = client.SystemFunctions.GetTag(ctx, tag.ID(), id, 
sdk.ObjectTypeIntegration) + require.Error(t, err) + }) t.Run("AlterSAML2Integration", func(t *testing.T) { - id := testClientHelper().Ids.RandomAccountObjectIdentifier() - issuer := testClientHelper().Ids.Alpha() - createSAML2Integration(t, id, issuer, nil) + _, id, issuer := createSAML2Integration(t, nil) setRequest := sdk.NewAlterSaml2SecurityIntegrationRequest(id). WithSet( - sdk.NewSaml2IntegrationSetRequest(). - WithEnabled(sdk.Pointer(true)). - WithSaml2Issuer(sdk.Pointer(issuer)). - WithSaml2SsoUrl(sdk.Pointer("http://example.com")). - WithSaml2Provider(sdk.Pointer("OKTA")). - WithSaml2X509Cert(sdk.Pointer(cert)). - WithComment(sdk.Pointer("a")). - WithSaml2EnableSpInitiated(sdk.Pointer(true)). - WithSaml2ForceAuthn(sdk.Pointer(true)). - WithSaml2PostLogoutRedirectUrl(sdk.Pointer("http://example.com/logout")). - WithSaml2RequestedNameidFormat(sdk.Pointer("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")). - WithSaml2SignRequest(sdk.Pointer(true)). - WithSaml2SnowflakeAcsUrl(&acsURL). - WithSaml2SnowflakeIssuerUrl(&issuerURL). - WithSaml2SpInitiatedLoginPageLabel(sdk.Pointer("label")). + *sdk.NewSaml2IntegrationSetRequest(). + WithEnabled(true). + WithSaml2Issuer(issuer). + WithSaml2SsoUrl("http://example.com"). + WithSaml2Provider("OKTA"). + WithSaml2X509Cert(cert). + WithComment("a"). + WithSaml2EnableSpInitiated(true). + WithSaml2ForceAuthn(true). + WithSaml2PostLogoutRedirectUrl("http://example.com/logout"). + WithSaml2RequestedNameidFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"). + WithSaml2SignRequest(true). + WithSaml2SnowflakeAcsUrl(acsURL). + WithSaml2SnowflakeIssuerUrl(issuerURL). + WithSaml2SpInitiatedLoginPageLabel("label"). WithAllowedEmailPatterns([]sdk.EmailPattern{{Pattern: "^(.+dev)@example.com$"}}). WithAllowedUserDomains([]sdk.UserDomain{{Domain: "example.com"}}), // TODO: fix after format clarification 
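Review bot: The AlterOauthPartner subtest sets `BlockedRolesList` to `role1.ID()` but then expects `blockedRolesList: "ACCOUNTADMIN,SECURITYADMIN"` — presumably the extra roles the assertion helper's comment says Snowflake returns on its own — so the alter's effect on the blocked list is never verified; CreateOauthPartner, by contrast, expects `role1.Name`. Changing the expectation to `blockedRolesList: role1.Name,` makes the assertion meaningful. Both alter subtests also set `WithOauthRedirectUri("http://example2.com")` without any assertion on OAUTH_REDIRECT_URI, and the callback passed to `createOauthPartner` repeats the `WithOauthRedirectUri("http://example.com")` the helper already applies. The enclosing test function continues outside the hunk.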
@@ -215,7 +539,7 @@ func TestInt_SecurityIntegrations(t *testing.T) { details, err := client.SecurityIntegrations.Describe(ctx, id) require.NoError(t, err) - assertSAML2Describe(details, saml2details{ + assertSAML2Describe(details, saml2Details{ provider: "OKTA", enableSPInitiated: "true", spInitiatedLoginPageLabel: "label", @@ -234,11 +558,11 @@ func TestInt_SecurityIntegrations(t *testing.T) { unsetRequest := sdk.NewAlterSaml2SecurityIntegrationRequest(id). WithUnset( - sdk.NewSaml2IntegrationUnsetRequest(). - WithSaml2ForceAuthn(sdk.Pointer(true)). - WithSaml2RequestedNameidFormat(sdk.Pointer(true)). - WithSaml2PostLogoutRedirectUrl(sdk.Pointer(true)). - WithComment(sdk.Pointer(true)), + *sdk.NewSaml2IntegrationUnsetRequest(). + WithSaml2ForceAuthn(true). + WithSaml2RequestedNameidFormat(true). + WithSaml2PostLogoutRedirectUrl(true). + WithComment(true), ) err = client.SecurityIntegrations.AlterSaml2(ctx, unsetRequest) require.NoError(t, err) @@ -252,11 +576,9 @@ func TestInt_SecurityIntegrations(t *testing.T) { }) t.Run("AlterSAML2Integration - REFRESH SAML2_SNOWFLAKE_PRIVATE_KEY", func(t *testing.T) { - id := testClientHelper().Ids.RandomAccountObjectIdentifier() - issuer := testClientHelper().Ids.Alpha() - createSAML2Integration(t, id, issuer, nil) + _, id, _ := createSAML2Integration(t, nil) - setRequest := sdk.NewAlterSaml2SecurityIntegrationRequest(id).WithRefreshSaml2SnowflakePrivateKey(sdk.Pointer(true)) + setRequest := sdk.NewAlterSaml2SecurityIntegrationRequest(id).WithRefreshSaml2SnowflakePrivateKey(true) err := client.SecurityIntegrations.AlterSaml2(ctx, setRequest) require.NoError(t, err) }) 
@@ -265,9 +587,7 @@ func TestInt_SecurityIntegrations(t *testing.T) { tag, tagCleanup := testClientHelper().Tag.CreateTag(t) t.Cleanup(tagCleanup) - id := testClientHelper().Ids.RandomAccountObjectIdentifier() - issuer := testClientHelper().Ids.Alpha() - createSAML2Integration(t, id, issuer, nil) + _, id, _ := createSAML2Integration(t, nil) tagValue := "abc" tags := []sdk.TagAssociation{ @@ -299,19 +619,18 @@ func TestInt_SecurityIntegrations(t *testing.T) { }) t.Run("AlterSCIMIntegration", func(t *testing.T) { - id := testClientHelper().Ids.RandomAccountObjectIdentifier() - createSCIMIntegration(t, id, nil) + _, id := createSCIMIntegration(t, nil) networkPolicy, networkPolicyCleanup := testClientHelper().NetworkPolicy.CreateNetworkPolicy(t) t.Cleanup(networkPolicyCleanup) setRequest := sdk.NewAlterScimSecurityIntegrationRequest(id). WithSet( - sdk.NewScimIntegrationSetRequest(). - WithNetworkPolicy(sdk.Pointer(sdk.NewAccountObjectIdentifier(networkPolicy.Name))). - WithEnabled(sdk.Bool(true)). - WithSyncPassword(sdk.Bool(false)). - WithComment(sdk.String("altered")), + *sdk.NewScimIntegrationSetRequest(). + WithNetworkPolicy(sdk.NewAccountObjectIdentifier(networkPolicy.Name)). + WithEnabled(true). + WithSyncPassword(false). + WithComment("altered"), ) err := client.SecurityIntegrations.AlterScim(ctx, setRequest) require.NoError(t, err) @@ -323,9 +642,9 @@ func TestInt_SecurityIntegrations(t *testing.T) { unsetRequest := sdk.NewAlterScimSecurityIntegrationRequest(id). WithUnset( - sdk.NewScimIntegrationUnsetRequest(). - WithNetworkPolicy(sdk.Bool(true)). - WithSyncPassword(sdk.Bool(true)), + *sdk.NewScimIntegrationUnsetRequest(). + WithNetworkPolicy(true). + WithSyncPassword(true), ) err = client.SecurityIntegrations.AlterScim(ctx, unsetRequest) require.NoError(t, err) 
@@ -340,8 +659,7 @@ func TestInt_SecurityIntegrations(t *testing.T) {
 tag, tagCleanup := testClientHelper().Tag.CreateTag(t)
 t.Cleanup(tagCleanup)
- id := testClientHelper().Ids.RandomAccountObjectIdentifier()
- createSCIMIntegration(t, id, nil)
+ _, id := createSCIMIntegration(t, nil)
 tagValue := "abc"
 tags := []sdk.TagAssociation{
@@ -373,8 +691,7 @@ func TestInt_SecurityIntegrations(t *testing.T) {
 })
 t.Run("Drop", func(t *testing.T) {
- id := testClientHelper().Ids.RandomAccountObjectIdentifier()
- createSCIMIntegration(t, id, nil)
+ _, id := createSCIMIntegration(t, nil)
 si, err := client.SecurityIntegrations.ShowByID(ctx, id)
 require.NotNil(t, si)
@@ -396,8 +713,7 @@ func TestInt_SecurityIntegrations(t *testing.T) {
 })
 t.Run("Describe", func(t *testing.T) {
- id := testClientHelper().Ids.RandomAccountObjectIdentifier()
- createSCIMIntegration(t, id, nil)
+ _, id := createSCIMIntegration(t, nil)
 details, err := client.SecurityIntegrations.Describe(ctx, id)
 require.NoError(t, err)
@@ -406,22 +722,44 @@ func TestInt_SecurityIntegrations(t *testing.T) {
 })
 t.Run("ShowByID", func(t *testing.T) {
- id := testClientHelper().Ids.RandomAccountObjectIdentifier()
- createSCIMIntegration(t, id, nil)
+ _, id := createSCIMIntegration(t, nil)
 si, err := client.SecurityIntegrations.ShowByID(ctx, id)
 require.NoError(t, err)
 assertSecurityIntegration(t, si, id, "SCIM - GENERIC", false, "")
 })
+ t.Run("Show OauthPartner", func(t *testing.T) {
+ si1, id1 := createOauthPartner(t, nil)
+ // more than one oauth partner integration is not allowed, create a custom one
+ si2, _ := createOauthCustom(t, nil)
+
+ returnedIntegrations, err := client.SecurityIntegrations.Show(ctx, sdk.NewShowSecurityIntegrationRequest().WithLike(sdk.Like{
+ Pattern: sdk.Pointer(id1.Name()),
+ }))
+ require.NoError(t, err)
+ assert.Contains(t, returnedIntegrations, *si1)
+ assert.NotContains(t, returnedIntegrations, *si2)
+ })
+
+ t.Run("Show OauthCustom", func(t *testing.T) {
+ si1, id1 := createOauthCustom(t, nil)
+ si2, _ := createOauthCustom(t, nil)
+
+ returnedIntegrations, err := client.SecurityIntegrations.Show(ctx, sdk.NewShowSecurityIntegrationRequest().WithLike(sdk.Like{
+ Pattern: sdk.Pointer(id1.Name()),
+ }))
+ require.NoError(t, err)
+ assert.Contains(t, returnedIntegrations, *si1)
+ assert.NotContains(t, returnedIntegrations, *si2)
+ })
+
 t.Run("Show SAML2", func(t *testing.T) {
- id := testClientHelper().Ids.RandomAccountObjectIdentifier()
- si1 := createSAML2Integration(t, id, testClientHelper().Ids.Alpha(), nil)
- id2 := testClientHelper().Ids.RandomAccountObjectIdentifier()
- si2 := createSAML2Integration(t, id2, testClientHelper().Ids.Alpha(), nil)
+ si1, id1, _ := createSAML2Integration(t, nil)
+ si2, _, _ := createSAML2Integration(t, nil)
- returnedIntegrations, err := client.SecurityIntegrations.Show(ctx, sdk.NewShowSecurityIntegrationRequest().WithLike(&sdk.Like{
- Pattern: sdk.Pointer(id.Name()),
+ returnedIntegrations, err := client.SecurityIntegrations.Show(ctx, sdk.NewShowSecurityIntegrationRequest().WithLike(sdk.Like{
+ Pattern: sdk.Pointer(id1.Name()),
 }))
 require.NoError(t, err)
 assert.Contains(t, returnedIntegrations, *si1)
@@ -429,13 +767,11 @@ func TestInt_SecurityIntegrations(t *testing.T) {
 })
 t.Run("Show SCIM", func(t *testing.T) {
- id := testClientHelper().Ids.RandomAccountObjectIdentifier()
- si1 := createSCIMIntegration(t, id, nil)
- id2 := testClientHelper().Ids.RandomAccountObjectIdentifier()
- si2 := createSCIMIntegration(t, id2, nil)
+ si1, id1 := createSCIMIntegration(t, nil)
+ si2, _ := createSCIMIntegration(t, nil)
- returnedIntegrations, err := client.SecurityIntegrations.Show(ctx, sdk.NewShowSecurityIntegrationRequest().WithLike(&sdk.Like{
- Pattern: sdk.Pointer(id.Name()),
+ returnedIntegrations, err := client.SecurityIntegrations.Show(ctx, sdk.NewShowSecurityIntegrationRequest().WithLike(sdk.Like{
+ Pattern: sdk.Pointer(id1.Name()),
 }))
 require.NoError(t, err)
 assert.Contains(t, returnedIntegrations, *si1)
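Review bot: The Show-by-name block added in "Show OauthPartner" and "Show OauthCustom" — the `Show(ctx, sdk.NewShowSecurityIntegrationRequest().WithLike(sdk.Like{Pattern: sdk.Pointer(id1.Name())}))` call plus `require.NoError` — is the same four lines that "Show SAML2" and "Show SCIM" already carry, differing only in the identifier; a small local helper taking the identifier and returning the Show result would leave each subtest with its create calls and the two assertions. Separately, `assert.NotContains(t, returnedIntegrations, *si2)` proves isolation only while the LIKE pattern built from `id1.Name()` matches exactly that one integration; if the generated names can contain `_` or `%`, those are LIKE wildcards and the filter may admit other rows, so either escape the pattern or add a one-line comment stating that the helper guarantees wildcard-free names (I cannot see that helper here). The enclosing `TestInt_SecurityIntegrations` starts before this hunk, and the "Show SAML2" subtest's closing assertion falls just after it.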