Conversation

@sfc-gh-turbaszek
Contributor

Please answer these questions before submitting your pull requests. Thanks!

  1. What GitHub issue is this PR addressing? Make sure that there is an accompanying issue to your PR.

    Fixes #NNNN

  2. Fill out the following pre-review checklist:

    • I am adding a new automated test(s) to verify correctness of my new code
    • I am adding new logging messages
    • I am adding a new telemetry message
    • I am modifying authorization mechanisms
    • I am adding new credentials
    • I am modifying OCSP code
    • I am adding a new dependency

  3. Please describe how your code solves the related issue.

    Please write a short description of how your code change solves the related issue.

  4. (Optional) PR for stored-proc connector:

sfc-gh-pczajka and others added 30 commits August 11, 2025 13:44
…r to decouple threads number limitations on fetching and pre-fetching (#2255)
sfc-gh-fpawlowski and others added 26 commits November 3, 2025 08:35
Co-authored-by: Patryk Czajka <patryk.czajka@snowflake.com>
…2631)

The failure was caused by boto PythonDeprecationWarning. To avoid if/else logic for checking boto availability, I decided to check suffixes of the warnings instead of their types.
Co-authored-by: Peter Mansour <peter.mansour@snowflake.com>
Co-authored-by: Peter Mansour <peter.mansour@snowflake.com>
Comment on lines 326 to 379
name: Test FIPS linux-3.8-${{ matrix.cloud-provider }}
name: Test FIPS linux-3.9-${{ matrix.cloud-provider }}
needs: build
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
cloud-provider: [aws]
steps:
- uses: actions/checkout@v4
- name: Setup parameters file
shell: bash
env:
PARAMETERS_SECRET: ${{ secrets.PARAMETERS_SECRET }}
run: |
gpg --quiet --batch --yes --decrypt --passphrase="$PARAMETERS_SECRET" \
.github/workflows/parameters/public/parameters_${{ matrix.cloud-provider }}.py.gpg > test/parameters.py
- name: Setup private key file
shell: bash
env:
PYTHON_PRIVATE_KEY_SECRET: ${{ secrets.PYTHON_PRIVATE_KEY_SECRET }}
run: |
gpg --quiet --batch --yes --decrypt --passphrase="$PYTHON_PRIVATE_KEY_SECRET" \
.github/workflows/parameters/public/rsa_keys/rsa_key_python_${{ matrix.cloud-provider }}.p8.gpg > test/rsa_key_python_${{ matrix.cloud-provider }}.p8
- name: Download wheel(s)
uses: actions/download-artifact@v4
with:
name: manylinux_x86_64_py3.8
name: manylinux_x86_64_py3.9
path: dist
- name: Show wheels downloaded
run: ls -lh dist
shell: bash
- name: Run tests
run: ./ci/test_fips_docker.sh
env:
PYTHON_VERSION: 3.8
PYTHON_VERSION: 3.9
cloud_provider: ${{ matrix.cloud-provider }}
PYTEST_ADDOPTS: --color=yes --tb=short
TOX_PARALLEL_NO_SPINNER: 1
shell: bash
- uses: actions/upload-artifact@v4
with:
include-hidden-files: true
name: coverage_linux-fips-3.8-${{ matrix.cloud-provider }}
name: coverage_linux-fips-3.9-${{ matrix.cloud-provider }}
path: |
.coverage
coverage.xml
- uses: actions/upload-artifact@v4
with:
include-hidden-files: true
name: junit_linux-fips-3.9-${{ matrix.cloud-provider }}
path: |
junit.*.xml
test-lambda:
name: Test Lambda linux-${{ matrix.python-version }}-${{ matrix.cloud-provider }}
needs: build
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"]
# TODO: temporarily reduce number of jobs: SNOW-2311643
# python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
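Review bot: the FIPS job moves from Python 3.8 to 3.9 (job name, wheel artifact manylinux_x86_64_py3.9, PYTHON_VERSION: 3.9), but the test-lambda matrix right below still lists "3.8" while its commented-out line already shows the intended 3.9 to 3.13 set; drop "3.8" there as well, otherwise the two jobs disagree on the minimum supported version. One check on the same region: the gpg steps write test/parameters.py and the decrypted .p8 private key into the workspace, and the upload-artifact steps run with include-hidden-files: true, so keep the artifact path globs limited to .coverage, coverage.xml and junit.*.xml as they are now and do not widen them to a directory.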

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 26 days ago

The best way to fix the problem is to add a permissions block at the root of the workflow file (.github/workflows/build_test.yml), just after the name and before or after the on: trigger, but before defining jobs. This block should minimally specify contents: read, which means the default GITHUB_TOKEN provided to all jobs will only be able to read repository contents, not write or modify anything. If any job requires elevated permissions, those can be configured individually at the job level, but in this workflow, based on provided code snippets, none of the jobs appear to require more than contents: read.

Specifically, add:

permissions:
  contents: read

directly after the workflow name at the top of .github/workflows/build_test.yml.

No imports or definitions are required; just the YAML block as described.


Suggested changeset 1
.github/workflows/build_test.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
--- a/.github/workflows/build_test.yml
+++ b/.github/workflows/build_test.yml
@@ -1,4 +1,6 @@
 name: Build and Test
+permissions:
+  contents: read
 
 on:
     push:
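Review bot: a workflow-level permissions block with only contents: read is the right default here, and nothing in the visible jobs needs more (checkout, artifact upload and download, and the tox runs all work with a read-only GITHUB_TOKEN). Once this lands, the per-job block the second autofix proposes for test-aio is redundant; apply one of the two suggestions, not both.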
EOF
Comment on lines +449 to +527
python-version: ["3.13"]
cloud-provider: [aws, azure, gcp]
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: ${{ matrix.python-version }}
- name: Display Python version
run: python -c "import sys; print(sys.version)"
- name: Set up Java
uses: actions/setup-java@v4 # for wiremock
with:
java-version: 11
distribution: 'temurin'
java-package: 'jre'
- name: Fetch Wiremock
shell: bash
run: curl https://repo1.maven.org/maven2/org/wiremock/wiremock-standalone/3.11.0/wiremock-standalone-3.11.0.jar --output .wiremock/wiremock-standalone.jar
- name: Setup parameters file
shell: bash
env:
PARAMETERS_SECRET: ${{ secrets.PARAMETERS_SECRET }}
run: |
gpg --quiet --batch --yes --decrypt --passphrase="$PARAMETERS_SECRET" \
.github/workflows/parameters/public/parameters_${{ matrix.cloud-provider }}.py.gpg > test/parameters.py
- name: Setup private key file
shell: bash
env:
PYTHON_PRIVATE_KEY_SECRET: ${{ secrets.PYTHON_PRIVATE_KEY_SECRET }}
run: |
gpg --quiet --batch --yes --decrypt --passphrase="$PYTHON_PRIVATE_KEY_SECRET" \
.github/workflows/parameters/public/rsa_keys/rsa_key_python_${{ matrix.cloud-provider }}.p8.gpg > test/rsa_key_python_${{ matrix.cloud-provider }}.p8
- name: Download wheel(s)
uses: actions/download-artifact@v4
with:
name: ${{ matrix.os.download_name }}_py${{ matrix.python-version }}
path: dist
- name: Show wheels downloaded
run: ls -lh dist
shell: bash
- name: Upgrade setuptools, pip and wheel
run: python -m pip install -U setuptools pip wheel
- name: Install tox
run: python -m pip install tox>=4
- name: Run tests
run: python -m tox run -e aio
env:
PYTHON_VERSION: ${{ matrix.python-version }}
cloud_provider: ${{ matrix.cloud-provider }}
PYTEST_ADDOPTS: --color=yes --tb=short
TOX_PARALLEL_NO_SPINNER: 1
shell: bash
- name: Combine coverages
run: python -m tox run -e coverage --skip-missing-interpreters false
shell: bash
- uses: actions/upload-artifact@v4
with:
name: coverage_aio_${{ matrix.os.download_name }}-${{ matrix.python-version }}-${{ matrix.cloud-provider }}
path: |
.tox/.coverage
.tox/coverage.xml
test-unsupporeted-aio:
name: Test unsupported asyncio ${{ matrix.os.download_name }}-${{ matrix.python-version }}
runs-on: ${{ matrix.os.image_name }}
strategy:
fail-fast: false
matrix:
os:
- image_name: ubuntu-latest
download_name: manylinux_x86_64
python-version: [ "3.9", ]
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: ${{ matrix.python-version }}
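Review bot: the step "Install tox" runs python -m pip install tox>=4 without quotes, so the shell treats >=4 as a redirect: pip installs whatever tox resolves to and its output goes to a file named =4. Quote the specifier: python -m pip install "tox>=4". Two smaller points in the same region: the "Fetch Wiremock" step downloads an executable jar from repo1.maven.org with plain curl, with neither --fail (a 404 page would be saved as the jar) nor any checksum check before Java runs it, so add --fail and verify a pinned digest (for example echo "<sha256 placeholder>  .wiremock/wiremock-standalone.jar" | sha256sum -c); and the job id test-unsupporeted-aio is misspelled (unsupported).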

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 26 days ago

To fix this issue, the permissions: key should be set explicitly for the test-aio job, or globally at the workflow level if all jobs share the same minimal needs. For jobs that only need to check out code and upload/download artifacts (such as test-aio), setting contents: read is sufficient and recommended. This prevents GITHUB_TOKEN from having broader write privileges. The explicit block should look like:

permissions:
  contents: read

The change should be made within .github/workflows/build_test.yml, either globally (above jobs:) or locally in the definition for the test-aio: job. If other jobs in the workflow might require different permissions, setting it per-job is safer; otherwise, global is preferred for consistency. For this fix, since CodeQL specifically flagged line 449 (the start of the test-aio job), the precise minimal fix is to add permissions: contents: read to the job definition immediately below test-aio: (i.e., after line 449).

No additional dependencies or code changes are required.

Suggested changeset 1
.github/workflows/build_test.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
--- a/.github/workflows/build_test.yml
+++ b/.github/workflows/build_test.yml
@@ -447,6 +447,8 @@
 
   test-aio:
     name: Test asyncio ${{ matrix.os.download_name }}-${{ matrix.python-version }}-${{ matrix.cloud-provider }}
+    permissions:
+      contents: read
     needs: build
     runs-on: ${{ matrix.os.image_name }}
     strategy:
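Review bot: this per-job block only scopes the token for test-aio; every other job in the workflow keeps the default permissions, so on its own it does not resolve the finding for the workflow. If the workflow-level permissions: contents: read from the first autofix is applied, this hunk adds nothing; if per-job scoping is preferred instead, each job needs its own block.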
EOF
# azure_request_present = False
expected_token_prefix = "sig="
for line in caplog.text.splitlines():
if "blob.core.windows.net" in line and expected_token_prefix in line:

Check failure

Code scanning / CodeQL

Incomplete URL substring sanitization High test

The string blob.core.windows.net may be at an arbitrary position in the sanitized URL.

Copilot Autofix

AI 26 days ago

To fix the problem, the code should parse potential URLs in log lines and verify that any host matches (or ends with) 'blob.core.windows.net' rather than checking for this substring anywhere in the log line. The best way is to attempt to extract URLs from each log line and, for each, parse out the host portion. One can use the re module to extract URLs and urllib.parse.urlparse to get hosts, and then check if any host matches or ends with 'blob.core.windows.net'. Only those lines are subjected to further checks about expected_token_prefix. This keeps the test intent intact while avoiding false positives inherent to pure substring checks.

Required changes:

  • Add import re at the top (if not present).
  • Add from urllib.parse import urlparse at the top (if not present).
  • Refactor the for-loop on log lines:
    • Extract all candidate URLs from the line using regex.
    • For each URL, parse it and check if its host matches/ends with 'blob.core.windows.net'.
    • Only run the sensitive-information assertion on such lines.

All changes are localized to the test file and specifically to lines near the existing substring check.


Suggested changeset 1
test/integ/aio_it/test_put_get_with_azure_token_async.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/test/integ/aio_it/test_put_get_with_azure_token_async.py b/test/integ/aio_it/test_put_get_with_azure_token_async.py
--- a/test/integ/aio_it/test_put_get_with_azure_token_async.py
+++ b/test/integ/aio_it/test_put_get_with_azure_token_async.py
@@ -10,6 +10,8 @@
 import sys
 import time
 from logging import getLogger
+import re
+from urllib.parse import urlparse
 
 import pytest
 
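Review bot: style point on the import placement: import re is added after from logging import getLogger, which breaks the ordering the surrounding stdlib block follows (plain imports such as import sys and import time first, then the from imports). Move import re above import sys; the from urllib.parse import urlparse line is fine where it is.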
@@ -92,14 +94,17 @@
     # azure_request_present = False
     expected_token_prefix = "sig="
     for line in caplog.text.splitlines():
-        if "blob.core.windows.net" in line and expected_token_prefix in line:
-            # azure_request_present = True
-            # getattr is used to stay compatible with old driver - before SECRET_STARRED_MASK_STR was added
-            assert (
-                expected_token_prefix
-                + getattr(SecretDetector, "SECRET_STARRED_MASK_STR", "****")
-                in line
-            ), "connectionpool logger is leaking sensitive information"
+        # Find all potential URLs in the line
+        urls = re.findall(r'(https?://[^\s\'"<>]+)', line)
+        for url in urls:
+            host = urlparse(url).hostname
+            if host and host.endswith("blob.core.windows.net") and expected_token_prefix in url:
+                # getattr is used to stay compatible with old driver - before SECRET_STARRED_MASK_STR was added
+                assert (
+                    expected_token_prefix
+                    + getattr(SecretDetector, "SECRET_STARRED_MASK_STR", "****")
+                    in url
+                ), "connectionpool logger is leaking sensitive information"
 
     # TODO: disable the check for now - SNOW-2311540
     # assert (
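Review bot: two problems with the replacement check. First, host.endswith("blob.core.windows.net") still accepts a lookalike such as evilblob.core.windows.net; use host == "blob.core.windows.net" or host.endswith(".blob.core.windows.net"). Second, the assertion now fires only when expected_token_prefix appears inside the extracted URL, but the assertion message says these are connectionpool log lines, and urllib3 logs the origin and the quoted request line separately (https://host:443 "PUT /path?sig=... HTTP/1.1" 200), so the regex captures only https://host:443, expected_token_prefix in url is never true and the assertion becomes dead code, which silently weakens the test. Keep the host parsing for selecting the lines, but test expected_token_prefix in line and assert on line, as the removed code did.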
EOF
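A host check that closes the gap CodeQL flagged, as an added example that is neither the connector's test code nor the Copilot suggestion: the Azure Blob host must match exactly or as a proper subdomain, and the SAS sig= prefix is looked for in the whole log line because urllib3's connectionpool logger writes the origin and the quoted request line separately. The helper names and the sample log lines are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Hypothetical names for this added example; not part of the connector's tests.
AZURE_BLOB_SUFFIX = "blob.core.windows.net"
TOKEN_PREFIX = "sig="  # query parameter carrying the Azure SAS signature
URL_RE = re.compile(r'https?://[^\s\'"<>]+')


def is_azure_blob_host(host) -> bool:
    """Exact match or a proper subdomain only; rejects evilblob.core.windows.net."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return host == AZURE_BLOB_SUFFIX or host.endswith("." + AZURE_BLOB_SUFFIX)


def find_sas_leaks(log_text: str, mask: str = "****") -> list:
    """Return lines that hit an Azure Blob host and carry an unmasked SAS signature.

    The host decides which lines are inspected; the token is then searched for
    in the whole line, because urllib3's connectionpool logger writes the origin
    and the quoted request line separately, so the URL regex sees only the origin.
    """
    leaks = []
    for line in log_text.splitlines():
        hosts = (urlparse(url).hostname for url in URL_RE.findall(line))
        if not any(is_azure_blob_host(h) for h in hosts):
            continue  # not an Azure Blob request; lookalike hosts end up here
        if TOKEN_PREFIX in line and TOKEN_PREFIX + mask not in line:
            leaks.append(line)
    return leaks


# Constructed sample lines in urllib3 connectionpool format (not real captures).
SAMPLE_LOG = "\n".join([
    'https://acct.blob.core.windows.net:443 "PUT /c/b?sv=2020-08-04&sig=**** HTTP/1.1" 201 0',
    'https://acct.blob.core.windows.net:443 "PUT /c/b?sv=2020-08-04&sig=AbC123 HTTP/1.1" 201 0',
    'https://evilblob.core.windows.net:443 "GET /x?sig=AbC123 HTTP/1.1" 200 0',
    'https://acct.snowflakecomputing.com:443 "POST /queries/v1/query-request HTTP/1.1" 200 0',
])

if __name__ == "__main__":
    for leak in find_sas_leaks(SAMPLE_LOG):
        print("unmasked SAS token:", leak)
```

Only the second sample line is reported: the first is masked, the third is a lookalike host and the fourth is not an Azure Blob request.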
Comment on lines +146 to +148
private_key = rsa.generate_private_key(
public_exponent=65537, key_size=1024, backend=default_backend()
)

Check failure

Code scanning / CodeQL

Use of weak cryptographic key High test

Creation of an RSA key uses 1024 bits, which is below 2048 and considered breakable.

Copilot Autofix

AI 26 days ago

To fix the security issue, the RSA key generated on line 146 should be at least 2048 bits, per current recommendations. Change the line

private_key = rsa.generate_private_key(
    public_exponent=65537, key_size=1024, backend=default_backend()
)

so that key_size=2048 (or higher). This change preserves the intent and functionality of the test code with a secure key size. No other code modifications are necessary, and no additional imports or libraries are required since the rest of the key creation process remains unaffected.

Suggested changeset 1
test/unit/test_ocsp.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/test/unit/test_ocsp.py b/test/unit/test_ocsp.py
--- a/test/unit/test_ocsp.py
+++ b/test/unit/test_ocsp.py
@@ -144,7 +144,7 @@
 def create_x509_cert(hash_algorithm):
     # Generate a private key
     private_key = rsa.generate_private_key(
-        public_exponent=65537, key_size=1024, backend=default_backend()
+        public_exponent=65537, key_size=2048, backend=default_backend()
     )
 
     # Generate a public key
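Review bot: 2048 bits is the right floor even for a throwaway test certificate, so the change is fine as is. Since the call is being touched anyway, backend=default_backend() can go: the backend argument has been optional in cryptography since 3.1 and only adds an import. CodeQL reports per line, so grep the rest of test/unit/test_ocsp.py for other key_size=1024 occurrences before closing the alert; and if create_x509_cert is called once per hash_algorithm case, generating a 2048-bit key each time is noticeably slower than 1024, which a module-scoped fixture for the key would avoid.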
EOF
@github-actions github-actions bot locked and limited conversation to collaborators Nov 28, 2025