feat: OAuth security integration for partner applications

[gouline]

Implementing OAuth security integration, largely based on the existing SCIM security integration that's quite similar.

This one only covers the partner applications (i.e. Tableau Desktop, Tableau Server and Looker), however extending it to support custom OAuth clients would just involve adding required and optional parameters.

Test Plan

• acceptance tests

References

• Documentation
• CREATE
• ALTER
• SHOW
• DESCRIBE

[edulop91]

just a couple of quick comments, thank you!

[edulop91]

do we need oauth_issue_refresh_tokens or would the presence/absence of oauth_refresh_token_validity give us enough information?

[edulop91]

I see that keeping both would more closely match Snowflake's api, so we might want to keep as is

[gouline]

Looks like oauth_issue_refresh_tokens is true by default, so you need it here if you want to set it to false. However, oauth_refresh_token_validity is optional too, it defaults to various values depending on the client (10 hours for Tableau Desktop, 90 days for Tableau Server, etc) - there will be cases where people omit both or specify only one.

[edulop91]

I think this'll now panic because blocked_roles_list is a set, not []interface{}

[gouline]

I can't get acceptance tests to run locally, so hopefully this fixes it. Found a similar instance in network policies and copied it:

expandStringList(d.Get("blocked_roles_list").(*schema.Set).List())

[edulop91]

/ok-to-test sha=d10af87

[github-actions]

Integration tests failure for d10af87

[edulop91]

Integration tests failure for d10af87

Looks like there might be a panic here: https://github.com/chanzuckerberg/terraform-provider-snowflake/runs/4301715646?check_suite_focus=true#step:9:1050 (not sure if this log is hidden behind GitHub access controls)

[alldoami]

/ok-to-test sha=3eb42aa

[github-actions]

Integration tests failure for 3eb42aa

[gouline]

CI step integration-trusted failed but I have no access to it, so cannot see what is causing it.

[alldoami]

=== CONT  TestAcc_OAuthIntegration
panic: interface conversion: interface {} is nil, not bool

goroutine 60401 [running]:
github.com/chanzuckerberg/terraform-provider-snowflake/pkg/resources.CreateOAuthIntegration(0x0, {0x14b1940, 0xc002a0c680})
	/home/runner/work/terraform-provider-snowflake/terraform-provider-snowflake/pkg/resources/oauth_integration.go:99 +0x7c5
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).create(0x1330a20, {0x17f2748, 0xc000f6ce80}, 0x2, {0x14b1940, 0xc002a0c680})
	/home/runner/go/pkg/mod/github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:318 +0x178
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0xc00073cb60, {0x17f2748, 0xc000f6ce80}, 0xc00053c270, 0xc003091580, {0x14b1940, 0xc002a0c680})
	/home/runner/go/pkg/mod/github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:456 +0x871
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0xc003b0c1b0, {0x17f2748, 0xc000f6ce80}, 0xc003e37900)
	/home/runner/go/pkg/mod/github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/grpc_provider.go:977 +0xd8a
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ApplyResourceChange(0xc0026ff4e0, {0x17f27f0, 0xc001833b60}, 0x4423e0)
	/home/runner/go/pkg/mod/github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:332 +0x6c
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x14722e0, 0xc0026ff4e0}, {0x17f27f0, 0xc001833b60}, 0xc002634e40, 0x0)
	/home/runner/go/pkg/mod/github.com/hashicorp/[email protected]/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:380 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc00217e540, {0x180adc8, 0xc0025a7b00}, 0xc00299ca20, 0xc0036934a0, 0x2152ee0, 0x0)
	/home/runner/go/pkg/mod/google.golang.org/[email protected]/server.go:1279 +0xccf
google.golang.org/grpc.(*Server).handleStream(0xc00217e540, {0x180adc8, 0xc0025a7b00}, 0xc00299ca20, 0x0)
	/home/runner/go/pkg/mod/google.golang.org/[email protected]/server.go:1608 +0xa2a
google.golang.org/grpc.(*Server).serveStreams.func1.2()
	/home/runner/go/pkg/mod/google.golang.org/[email protected]/server.go:923 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
	/home/runner/go/pkg/mod/google.golang.org/[email protected]/server.go:921 +0x294
FAIL	github.com/chanzuckerberg/terraform-provider-snowflake/pkg/resources	356.529s

When you click on the link in this comment, what does it say? #763 (comment)

[gouline]

When you click on the link in this comment, what does it say? #763 (comment)

Sorry, this works. I was previously clicking on 'integration-trusted' in the footer (force of habit).

[gouline]

Found the problem! Silly copy-paste typo 🤦

[alldoami]

/ok-to-test sha=ba75402

[github-actions]

Integration tests failure for ba75402

[gouline]

Hmm, are these all meant to be treated as strings and parsed to booleans/integers? https://github.com/gouline/terraform-provider-snowflake/blob/161f112/pkg/resources/oauth_integration.go#L186-L201

case "OAUTH_ISSUE_REFRESH_TOKENS":
	if err = d.Set("oauth_issue_refresh_tokens", v.(bool)); err != nil {
		return errors.Wrap(err, "unable to set OAuth issue refresh tokens for security integration")
	}
case "OAUTH_REFRESH_TOKEN_VALIDITY":
	if err = d.Set("oauth_refresh_token_validity", v.(int64)); err != nil {
		return errors.Wrap(err, "unable to set OAuth refresh token validity for security integration")
	}
case "OAUTH_USE_SECONDARY_ROLES":
	if err = d.Set("oauth_use_secondary_roles", v.(string)); err != nil {
		return errors.Wrap(err, "unable to set OAuth use secondary roles for security integration")
	}
case "BLOCKED_ROLES_LIST":
	if err = d.Set("blocked_roles_list", strings.Split(v.(string), ",")); err != nil {
		return errors.Wrap(err, "unable to set blocked roles list for security integration")
	}

I assumed from the ENABLED parameter fed as a boolean in all unit tests, they should be treated as booleans/integers, but ENABLED is always ignored in the switch statement so it might just be copy-pasted mistake that nobody picked up?

descRows := sqlmock.NewRows([]string{
		"property", "property_type", "property_value", "property_default",
	}).AddRow("ENABLED", "Boolean", true, false)

Latest commit treats them as strings, so hopefully that works 🤷

[alldoami]

/ok-to-test sha=c165355

[github-actions]

Integration tests failure for c165355

[gouline]

Previous error looks fixed now, latest commit should fix the new error.

[alldoami]

/ok-to-test sha=e09bf36

[github-actions]

Integration tests failure for e09bf36

[gouline]

Should be fixed again.

[alldoami]

/ok-to-test sha=c2634c8

[github-actions]

Integration tests failure for c2634c8

[gouline]

This one was interesting: blocked_roles_list should only include roles not already implicitly enforced (ACCOUNTADMIN, ORGADMIN, SECURITYADMIN) on create, so I had to filter them out from the read. Should work now.

[alldoami]

/ok-to-test sha=e40332d

[github-actions]

Integration tests success for e40332d