UNPKG

snowflake-sdk

Version:
398 lines (397 loc) 15.8 kB
import { WorkloadIdentityProviderKey } from '../authentication/auth_workload_identity/types'; import { CRLValidatorConfig } from '../agent/crl_validator'; /** * Work In Progress typing for ConnectionOptions * * TODO: * - revisit doc of every option * - if an options works only when another option is set - document it */ export interface WIP_ConnectionOptions { /** * Your account identifier. */ account?: string; /** * Specifies a fully-qualified endpoint for connecting to Snowflake. */ accessUrl?: string; /** * @deprecated * Append a region or any sub domains before snowflakecomputing.com to the * end of account parameter after a dot, e.g., account=<account>.<region>. */ region?: string; /** * The login name for your Snowflake user or your Identity Provider (e.g. your login name for Okta). */ username?: string; /** * Password for the user. */ password?: string; /** * Host address to which the driver should connect. */ host?: string; /** * The default virtual warehouse to use for the session after connecting. Used for performing queries, loading data, etc. */ warehouse?: string; /** * The default database to use for the session after connecting. */ database?: string; /** * The default schema to use for the session after connecting. */ schema?: string; /** * The default security role to use for the session after connecting. */ role?: string; /** * Specifies the authenticator to use for verifying user login credentials. * * Available options: * * `SNOWFLAKE` - Default authenticator that uses basic username/password authentication * * `EXTERNALBROWSER` - Browser-based SSO authentication through your identity provider * * `SNOWFLAKE_JWT` - Key pair authentication using a private key and public key pair * * `OAUTH` - OAuth authentication using a token obtained from OAuth flow * * `USERNAME_PASSWORD_MFA` - Username/password with multi-factor authentication * * `PROGRAMMATIC_ACCESS_TOKEN` - Using a programmatic access token set in ConnectionOptions.token or ConnectionOptions.password * * `OAUTH_AUTHORIZATION_CODE` - OAuth authorization code flow for web applications * * `OAUTH_CLIENT_CREDENTIALS` - OAuth client credentials flow for service-to-service auth * * `WORKLOAD_IDENTITY` - Workload identity authentication * * `https://<okta_account_name>.okta.com` - Native SSO authentication through Okta */ authenticator?: string; /** * By default, client connections typically time out approximately 3-4 hours after the most recent query was executed. */ clientSessionKeepAlive?: boolean; /** * Sets the frequency (interval in seconds) between heartbeat messages. */ clientSessionKeepAliveHeartbeatFrequency?: number; /** * When true, the session is not destroyed on the server side when the connection * is closed. This allows async queries to continue running after disconnect. * Any unfinished queries will continue to live in Snowflake and consume credits * until they finish. * * @default false */ serverSessionKeepAlive?: boolean; /** * Enable MFA/SSO token caching. * * https://docs.snowflake.com/en/developer-guide/node-js/nodejs-driver-authenticate#authentication-token-caching * * @default false */ clientStoreTemporaryCredential?: boolean; /** * When clientStoreTemporaryCredential=true, sets the directory where cached authentication * tokens are stored. * * If not set, the driver resolves the cache directory by checking, in order: * 1. The `SF_TEMPORARY_CREDENTIAL_CACHE_DIR` environment variable * 2. Platform-specific defaults: * - **Windows**: `<home>/AppData/Local/Snowflake/Caches` * - **Linux**: `$XDG_CACHE_HOME/snowflake`, or `~/.cache/snowflake` * - **macOS**: `~/Library/Caches/Snowflake` */ credentialCacheDir?: string; /** * Specifies the token to use for authentication. Set this option if you set the authenticator option to * * OAUTH * * PROGRAMMATIC_ACCESS_TOKEN * * WORKLOAD_IDENTITY */ token?: string; /** * Specifies the path to a file containing the token for authentication. * * This option works similarly to the `token` property, but retrieves the token value by reading the specified file from disk. * * If `token` is not provided, the driver will attempt to read the token from this file for suitable token-based authenticators. * * If both `token` and `tokenFilePath` are set, `token` takes precedence and this file path will be ignored. */ tokenFilePath?: string; /** * Enable single use refresh tokens for OAuth */ oauthEnableSingleUseRefreshTokens?: boolean; /** * Value of `client id` provided by the identity provider for Snowflake integration (Snowflake security integration metadata). */ oauthClientId?: string; /** * Value of the `client secret` provided by the identity provider for Snowflake integration (Snowflake security integration metadata). */ oauthClientSecret?: string; /** * Identity provider endpoint supplying the authorization code to the driver. * When Snowflake is used as an identity provider, this value is derived from the `server` or `account` parameters. */ oauthAuthorizationUrl?: string; /** * Identity Provider endpoint supplying the access tokens to the driver. * When using Snowflake as an Identity Provider, this value is derived from the `server` or `account` parameters. */ oauthTokenRequestUrl?: string; /** * Scope requested in the Identity Provider authorization request. * By default, it is derived from the role. * When multiple scopes are required, the value should be a space-separated list of multiple scopes. */ oauthScope?: string; /** * When authenticator=OAUTH_AUTHORIZATION_CODE, customize the URI for authorization code redirection. * * @default "http://127.0.0.1:{randomAvailablePort}" */ oauthRedirectUri?: string; /** * @deprecated * FOR TESTING ONLY. Allows to use insecure http requests. */ oauthHttpAllowed?: boolean; /** * When authenticator=OAUTH_AUTHORIZATION_CODE, customize the code challenge method */ oauthChallengeMethod?: string; /** * The option to enable the MFA token. * @default false */ clientRequestMFAToken?: boolean; /** * The option to skip the SAML URL check in the Okta authentication * * @default false */ disableSamlURLCheck?: boolean; /** * When authenticator=SNOWFLAKE_JWT, specifies the private key (in PEM format). * * If the key is encrypted, use {@link privateKeyPass} to provide the passphrase. */ privateKey?: string; /** * When authenticator=SNOWFLAKE_JWT, specifies the local path to the private key file (in PEM * format). * * If the key is encrypted, use {@link privateKeyPass} to provide the passphrase. */ privateKeyPath?: string; /** * When authenticator=SNOWFLAKE_JWT, specifies the passcode to decrypt the encrypted private key * passed in {@link privateKey} or {@link privateKeyPath}. */ privateKeyPass?: string; /** * Specifies the timeout, in milliseconds, for browser activities related to MFA/SSO authentication. * * @default 120000 (milliseconds) */ browserActionTimeout?: number; /** * When authenticator=EXTERNALBROWSER, customize the port of * the local server that receives the authentication callback. * * The server always redirects to `http://localhost:${browserRedirectPort}`. * * For OAUTH_AUTHORIZATION_CODE, use {@link oauthRedirectUri} * instead, which supports customizing both host and port. * * @default 0 (random available port) */ browserRedirectPort?: number; /** * Lets you customize the web page a user sees in their browser after they * finish signing in, instead of the default confirmation message. Use it to * show your own branding, wording, or a "you can close this tab" page. * * Supported when authenticator is set to: * * EXTERNALBROWSER * * OAUTH_AUTHORIZATION_CODE * * Return the full HTML page to display. On success, `error` is `null`. * If sign-in failed, `error` contains the message from your identity provider * (already HTML-escaped, so it is safe to embed directly). * * @example * browserResponseRenderer: ({ error }) => { * const message = error * ? `<h1>Login failed</h1><p>${error}</p>` * : '<h1>All set! You can close this tab.</h1>'; * return `<html><body>${message}</body></html>`; * } */ browserResponseRenderer?: (result: { error: string | null; }) => string; /** * Specifies a custom callback for opening the browser window during authentication. * Supported when the authenticator is set to: * * EXTERNALBROWSER * * OAUTH_AUTHORIZATION_CODE * * By default, the npm `open` package is used. */ openExternalBrowserCallback?: (url: string) => void; /** * When authenticator=WORKLOAD_IDENTITY, specifies the identity provider. Available options: * * AWS - Uses `@aws-sdk` to find credentials. Supports two attestation methods: * * `GetCallerIdentity` (default) - encodes a SigV4-signed `GetCallerIdentity` request as the token * * `GetWebIdentityToken` - obtains a signed JWT token, enabled via {@link workloadIdentityAwsUseOutboundToken} * * AZURE - Uses `@azure/identity` to find credentials and get JWT token * * GCP - Uses `google-auth-library` to find credentials and get JWT token * * OIDC - Reads JWT token from `ConnectionOptions.token` */ workloadIdentityProvider?: WorkloadIdentityProviderKey; /** * When authenticator=WORKLOAD_IDENTITY, specifies a chain of service accounts for transitive impersonation. * Each element represents a service account to impersonate in sequence, allowing workloads to authenticate * as a different identity than their default attached service account. * * Supported for AWS and GCP. */ workloadIdentityImpersonationPath?: string[]; /** * When workloadIdentityProvider=AZURE, customize Azure Entra Id Resource */ workloadIdentityAzureEntraIdResource?: string; /** * When workloadIdentityProvider=AZURE, customize Azure Managed Identity Client Id */ workloadIdentityAzureClientId?: string; /** * When workloadIdentityProvider=AWS, selects the AWS attestation method. * * AWS WIF supports two methods: * * `GetCallerIdentity` (default, `false`) - the connector encodes a SigV4-signed * `GetCallerIdentity` request as the attestation token. * * `GetWebIdentityToken` (`true`) - the connector calls STS `GetWebIdentityToken` and * forwards a standards-based JWT instead. This provides stateless token verification and * compatibility with AWS outbound identity federation. It requires the AWS IAM role to have * `sts:GetWebIdentityToken` permission and the Snowflake service user to be configured with an * `ISSUER`. * * The `GetWebIdentityToken` method is recommended and may become the default in a future release. * * See {@link https://docs.snowflake.com/en/user-guide/workload-identity-federation#label-wif-aws-upgrade-jwt} * for setup instructions, including the Node.js connector configuration. * * @default false */ workloadIdentityAwsUseOutboundToken?: boolean; /** * Enables Certificate Revocation List (CRL) validation. * * When `ENABLED` is set, it fails if the certificate is revoked or if any error occurs (network, parsing, etc.). * When `ADVISORY` is set, it fails only if the certificate is revoked. * * @default "DISABLED" */ certRevocationCheckMode?: CRLValidatorConfig['checkMode']; /** * Allows to connect when certificate doesn't have CRL URLs (cRLDistributionPoints) * * This option applies only when certRevocationCheckMode is `ADVISORY` or `ENABLED` * * @default false */ crlAllowCertificatesWithoutCrlURL?: CRLValidatorConfig['allowCertificatesWithoutCrlURL']; /** * Enable CRL caching in memory. * * This option applies only when certRevocationCheckMode is `ADVISORY` or `ENABLED` * * @default true */ crlInMemoryCache?: CRLValidatorConfig['inMemoryCache']; /** * Enable CRL caching on disk. Disk read/write failures are ignored. * * This option applies only when certRevocationCheckMode is `ADVISORY` or `ENABLED` * * @default true */ crlOnDiskCache?: CRLValidatorConfig['onDiskCache']; /** * Controls how many rows are buffered by the stream returned from * `statement.streamRows()`. Passed as the `highWaterMark` to the * underlying Node.js Readable class. * * @default 10 */ rowStreamHighWaterMark?: number; /** * Specifies the name of the client application connecting to Snowflake. */ application?: string; /** * Turn on the validation function which checks whether all the connection configuration from users are valid or not. * * @default false */ validateDefaultParameters?: boolean; /** * Specifies a list of hosts that the driver should connect to directly, bypassing the proxy server. * * - Use a pipe symbol (`|`) to separate multiple hosts. * - Use `*` as a wildcard (e.g., `*sub.amazonaws.com`). * - A leading dot (e.g., `.amazonaws.com`) matches any subdomain. * * @example * noProxy: ".amazonaws.com|*sub.my_company.com" */ noProxy?: string; /** * Specifies the hostname of an authenticated proxy server. */ proxyHost?: string; /** * Specifies the username used to connect to an authenticated proxy server. */ proxyUser?: string; /** * Specifies the password for the user specified by proxyUser. */ proxyPassword?: string; /** * Specifies the port of an authenticated proxy server. */ proxyPort?: number; /** * Specifies the protocol (`http` or `https`) used to connect to the proxy server. */ proxyProtocol?: string; /** * Optional string that can be used to tag queries and other SQL statements executed within a connection. * The tags are displayed in the output of the QUERY_HISTORY , QUERY_HISTORY_BY_* functions. */ queryTag?: string; } /** * Work In Progress typing for ConnectionConfig instance */ export type WIP_ConnectionConfig = Pick<WIP_ConnectionOptions, 'token' | 'workloadIdentityProvider' | 'workloadIdentityImpersonationPath' | 'workloadIdentityAzureEntraIdResource' | 'workloadIdentityAzureClientId' | 'workloadIdentityAwsUseOutboundToken' | 'oauthEnableSingleUseRefreshTokens' | 'rowStreamHighWaterMark'> & { browserRedirectPort: number; crlValidatorConfig: CRLValidatorConfig; getClientType(): string; getClientVersion(): string; getClientApplication(): string; getOauthHttpAllowed(): boolean; getOauthClientId(): string; getOauthClientSecret(): string; getProxy(): { [key: string]: any; }; agentCache: Map<string, any>; destroyAgentCache(): void; };