Enable query parameters parsing in connection URL for keypair auth (#135)

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>

Author: vinay-gopalan

.changes/unreleased/BUG FIXES-20250911-121401.yaml

@@ -0,0 +1,5 @@
+kind: BUG FIXES
+body: Enable query param parsing on connection URL
+time: 2025-09-11T12:14:01.697808-07:00
+custom:
+    Issue: "135"

connection_producer.go

@@ -197,42 +197,45 @@ func (c *snowflakeConnectionProducer) Close() error {
 
 // Open the DB connection to Snowflake or return an error.
 func openSnowflake(connectionURL, username string, providedPrivateKey []byte) (*sql.DB, error) {
-	// Parse the connection_url for required fields. Should be of
-	// the form <account_name>.snowflakecomputing.com/<db_name>
-	accountName, dbName, err := parseSnowflakeFieldsFromURL(connectionURL)
+	cfg, err := getSnowflakeConfig(connectionURL, username, providedPrivateKey)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error constructing snowflake config: %w", err)
 	}
+	connector := gosnowflake.NewConnector(gosnowflake.SnowflakeDriver{}, *cfg)
 
-	privateKey, err := getPrivateKey(providedPrivateKey)
+	return sql.OpenDB(connector), nil
+}
+
+func getSnowflakeConfig(connectionURL, username string, providedPrivateKey []byte) (*gosnowflake.Config, error) {
+	// <account_name>.snowflakecomputing.com/<db_name>?queryParameters...
+	u, err := url.Parse(connectionURL)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error parsing Snowflake connection URL %q: %w", connectionURL, err)
 	}
 
-	snowflakeConfig := &gosnowflake.Config{
-		Account:       accountName,
-		Database:      dbName,
-		User:          username,
-		Authenticator: gosnowflake.AuthTypeJwt,
-		PrivateKey:    privateKey,
+	// add authenticator query param to URL to indicate JWT auth
+	// https://pkg.go.dev/github.com/snowflakedb/gosnowflake#hdr-JWT_authentication
+	q := u.Query()
+	q.Set("authenticator", gosnowflake.AuthTypeJwt.String())
+	//q.Set("privateKey", "true") // This is needed to avoid gosnowflake trying to read the private key from a file path
+	u.RawQuery = q.Encode()
+
+	// construct dsn for gosnowflake
+	// "user:""@<account_name>.snowflakecomputing.com/<db_name>?queryParameters...
+	dsn := fmt.Sprintf("%s:%s@%s", username, "", u.String())
+	cfg, err := gosnowflake.ParseDSN(dsn)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing Snowflake DSN %s; err=%w", dsn, err)
 	}
-	connector := gosnowflake.NewConnector(gosnowflake.SnowflakeDriver{}, *snowflakeConfig)
 
-	return sql.OpenDB(connector), nil
-}
-
-// parseSnowflakeFieldsFromURL uses a regex to extract account and DB
-// info from a connectionURL
-func parseSnowflakeFieldsFromURL(connectionURL string) (string, string, error) {
-	if !accountAndDBNameFromConnURLRegex.MatchString(connectionURL) {
-		return "", "", ErrInvalidSnowflakeURL
-	}
-	res := accountAndDBNameFromConnURLRegex.FindStringSubmatch(connectionURL)
-	if len(res) != 3 {
-		return "", "", ErrInvalidSnowflakeURL
+	privateKey, err := getPrivateKey(providedPrivateKey)
+	if err != nil {
+		return nil, err
 	}
 
-	return res[1], res[2], nil
+	cfg.PrivateKey = privateKey
+
+	return cfg, nil
 }
 
 // Open and decode the private key file

connection_producer_test.go

@@ -9,6 +9,7 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
+	"github.com/snowflakedb/gosnowflake"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -41,65 +42,86 @@ func TestOpenSnowflake(t *testing.T) {
 	require.NotNil(t, db.Stats())
 }
 
-// TestParseSnowflakeFieldsFromURL validates that URL
-// parsing for keypair authentication works as expected
-func TestParseSnowflakeFieldsFromURL(t *testing.T) {
-	tests := map[string]struct {
-		connectionURL string
-		wantAccount   string
-		wantDB        string
-		wantErr       error
+func TestGetSnowflakeConfig(t *testing.T) {
+	tt := map[string]struct {
+		providedPrivateKey string
+		username           string
+		connectionURL      string
+		expectedConfig     *gosnowflake.Config
+		expectedError      string
 	}{
-		"valid URL": {
-			connectionURL: "account.snowflakecomputing.com/db",
-			wantAccount:   "account",
-			wantDB:        "db",
-			wantErr:       nil,
-		},
-		"complex URL": {
-			connectionURL: "dev.org_v2.1.5-us-eas2-1.snowflakecomputing.com/secret-db.name/withslash",
-			wantAccount:   "dev.org_v2.1.5-us-eas2-1",
-			wantDB:        "secret-db.name/withslash",
-			wantErr:       nil,
-		},
-		"invalid URL": {
-			connectionURL: "invalid-url",
-			wantAccount:   "",
-			wantDB:        "",
-			wantErr:       ErrInvalidSnowflakeURL,
-		},
-		"missing account name": {
-			connectionURL: ".snowflakecomputing.com/db",
-			wantAccount:   "",
-			wantDB:        "",
-			wantErr:       ErrInvalidSnowflakeURL,
-		},
-		"missing database name": {
-			connectionURL: "account.snowflakecomputing.com/",
-			wantAccount:   "",
-			wantDB:        "",
-			wantErr:       ErrInvalidSnowflakeURL,
+		// confirms that the connection URL format upon initial release is correctly parsed
+		"key pair connection URL format without params": {
+			providedPrivateKey: testPrivateKey,
+			username:           "testvaultuser",
+			connectionURL:      "testaccount.snowflakecomputing.com/testdb",
+			expectedConfig: &gosnowflake.Config{
+				Account:  "testaccount",
+				User:     "testvaultuser",
+				Database: "testdb",
+				PrivateKey: func() *rsa.PrivateKey {
+					key, _ := getPrivateKey([]byte(testPrivateKey))
+					return key
+				}(),
+				Authenticator: gosnowflake.AuthTypeJwt,
+			},
 		},
-		"missing domain": {
-			connectionURL: "account..com/db",
-			wantAccount:   "",
-			wantDB:        "",
-			wantErr:       ErrInvalidSnowflakeURL,
+		// confirms that query params in the connection URL are correctly parsed
+		"key pair connection URL format with query params": {
+			providedPrivateKey: testPrivateKey,
+			username:           "testvaultuser",
+			connectionURL:      "testaccount.snowflakecomputing.com/testdb?disableOCSPChecks=true&maxRetryCount=5",
+			expectedConfig: &gosnowflake.Config{
+				Account:  "testaccount",
+				User:     "testvaultuser",
+				Database: "testdb",
+				PrivateKey: func() *rsa.PrivateKey {
+					key, _ := getPrivateKey([]byte(testPrivateKey))
+					return key
+				}(),
+				DisableOCSPChecks: true,
+				MaxRetryCount:     5,
+				Authenticator:     gosnowflake.AuthTypeJwt,
+			},
 		},
-		"escape dots": {
-			connectionURL: "account.snowflakecomputingXcom/db",
-			wantAccount:   "",
-			wantDB:        "",
-			wantErr:       ErrInvalidSnowflakeURL,
+		// confirms that DB is optional in the connection URL
+		"key pair connection URL without DB": {
+			providedPrivateKey: testPrivateKey,
+			username:           "testvaultuser",
+			connectionURL:      "testaccount.snowflakecomputing.com?disableOCSPChecks=true&maxRetryCount=5",
+			expectedConfig: &gosnowflake.Config{
+				Account: "testaccount",
+				User:    "testvaultuser",
+				PrivateKey: func() *rsa.PrivateKey {
+					key, _ := getPrivateKey([]byte(testPrivateKey))
+					return key
+				}(),
+				DisableOCSPChecks: true,
+				MaxRetryCount:     5,
+				Authenticator:     gosnowflake.AuthTypeJwt,
+			},
 		},
 	}
-	for name, tt := range tests {
-		t.Run(name, func(t *testing.T) {
-			user, db, err := parseSnowflakeFieldsFromURL(tt.connectionURL)
 
-			require.Equal(t, tt.wantAccount, user)
-			require.Equal(t, tt.wantDB, db)
-			require.Equal(t, tt.wantErr, err)
+	for name, tc := range tt {
+		t.Run(name, func(t *testing.T) {
+			cfg, err := getSnowflakeConfig(tc.connectionURL, tc.username, []byte(tc.providedPrivateKey))
+			if tc.expectedError != "" {
+				require.Error(t, err)
+				require.Contains(t, err.Error(), tc.expectedError)
+				return
+			}
+			require.NoError(t, err)
+			require.NotNil(t, cfg)
+			// Compare all relevant fields for this test
+			// this confirms that the config was correctly parsed from the provided inputs
+			require.Equal(t, tc.expectedConfig.Account, cfg.Account)
+			require.Equal(t, tc.expectedConfig.User, cfg.User)
+			require.Equal(t, tc.expectedConfig.Database, cfg.Database)
+			require.Equal(t, tc.expectedConfig.Authenticator, cfg.Authenticator)
+			require.Equal(t, tc.expectedConfig.DisableOCSPChecks, cfg.DisableOCSPChecks)
+			require.Equal(t, tc.expectedConfig.KeepSessionAlive, cfg.KeepSessionAlive)
+			require.NotNil(t, cfg.PrivateKey)
 		})
 	}
 }

snowflake_test.go

@@ -95,7 +95,53 @@ func TestSnowflakeSQL_Initialize(t *testing.T) {
 		db := new()
 		defer dbtesting.AssertClose(t, db)
 
-		connURL, rawBase64PrivateKey, user, err := getKeyPairAuthParameters()
+		connURL, rawBase64PrivateKey, user, err := getKeyPairAuthParameters("")
+		if err != nil {
+			t.Fatalf("failed to retrieve connection URL: %s", err)
+		}
+
+		// decode base64 encoded private key from environment
+		privateKey, err := base64.StdEncoding.DecodeString(rawBase64PrivateKey)
+		if err != nil {
+			t.Fatalf("failed to decode private key: %s", err)
+		}
+
+		expectedConfig := map[string]interface{}{
+			"connection_url": connURL,
+			"username":       user,
+			"private_key":    privateKey,
+			dbplugin.SupportedCredentialTypesKey: []interface{}{
+				dbplugin.CredentialTypePassword.String(),
+				dbplugin.CredentialTypeRSAPrivateKey.String(),
+			},
+		}
+		req := dbplugin.InitializeRequest{
+			Config: map[string]interface{}{
+				"connection_url": connURL,
+				"username":       user,
+				"private_key":    privateKey,
+			},
+			VerifyConnection: true,
+		}
+		resp := dbtesting.AssertInitialize(t, db, req)
+		if !reflect.DeepEqual(resp.Config, expectedConfig) {
+			t.Fatalf("Actual: %#v\nExpected: %#v", resp.Config, expectedConfig)
+		}
+
+		connProducer := db.snowflakeConnectionProducer
+		if !connProducer.Initialized {
+			t.Fatal("Database should be initialized")
+		}
+	})
+
+	// the environment variable SNOWFLAKE_PRIVATE_KEY in CI
+	// is a base64 encoded string. As such, this test expects the
+	// input for the variable to be base64 encoded
+	t.Run("keypair auth with query params", func(t *testing.T) {
+		db := new()
+		defer dbtesting.AssertClose(t, db)
+
+		connURL, rawBase64PrivateKey, user, err := getKeyPairAuthParameters("disableOCSPChecks=true&maxRetryCount=5")
 		if err != nil {
 			t.Fatalf("failed to retrieve connection URL: %s", err)
 		}
@@ -506,7 +552,7 @@ func dsnString() (string, error) {
 	return dsnString, nil
 }
 
-func getKeyPairAuthParameters() (connURL string, pKey string, user string, err error) {
+func getKeyPairAuthParameters(optionalQueryParams string) (connURL string, pKey string, user string, err error) {
 	user = os.Getenv(envVarSnowflakeUser)
 	pKey = os.Getenv(envVarSnowflakePrivateKey)
 	account := os.Getenv(envVarSnowflakeAccount)
@@ -528,6 +574,10 @@ func getKeyPairAuthParameters() (connURL string, pKey string, user string, err e
 
 	connURL = fmt.Sprintf("%s.snowflakecomputing.com/%s", user, database)
 
+	if optionalQueryParams != "" {
+		connURL = fmt.Sprintf("%s?%s", connURL, optionalQueryParams)
+	}
+
 	return connURL, pKey, user, err
 }