clean up

Author: madhav-db

.github/workflows/token-federation-test.yml

@@ -1,8 +1,6 @@
 name: Token Federation Test
 
-# This workflow tests token federation functionality with GitHub Actions OIDC tokens
-# in the databricks-sql-python connector to ensure CI/CD functionality
-
+# Tests token federation functionality with GitHub Actions OIDC tokens
 on:
   # Manual trigger with required inputs
   workflow_dispatch:
@@ -17,31 +15,34 @@ on:
         description: 'Identity federation client ID'
         required: true
 
-  # Automatically run on PR that changes token federation files
+  # Run on PRs that might affect token federation
   pull_request:
-    branches:
-      - main
+    branches: [main]
+    paths:
+      - 'src/databricks/sql/auth/**'
+      - 'examples/token_federation_*.py'
+      - 'tests/token_federation/**'
+      - '.github/workflows/token-federation-test.yml'
 
   # Run on push to main that affects token federation
   push:
+    branches: [main]
     paths:
-      - 'src/databricks/sql/auth/token_federation.py'
-      - 'src/databricks/sql/auth/auth.py'
+      - 'src/databricks/sql/auth/**'
       - 'examples/token_federation_*.py'
-      - 'tests/token_federation/github_oidc_test.py'
-    branches:
-      - main
+      - 'tests/token_federation/**'
+      - '.github/workflows/token-federation-test.yml'
 
 permissions:
-  # Required for GitHub OIDC token
-  id-token: write
+  id-token: write  # Required for GitHub OIDC token
   contents: read
 
 jobs:
   test-token-federation:
+    name: Test Token Federation
     runs-on:
-        group: databricks-protected-runner-group
-        labels: linux-ubuntu-latest
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
 
     steps:
       - name: Checkout code
@@ -51,6 +52,7 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version: '3.9'
+          cache: 'pip'
 
       - name: Install dependencies
         run: |
@@ -73,5 +75,4 @@ jobs:
           DATABRICKS_HTTP_PATH_FOR_TF: ${{ github.event_name == 'workflow_dispatch' && inputs.databricks_http_path || secrets.DATABRICKS_HTTP_PATH_FOR_TF }}
           IDENTITY_FEDERATION_CLIENT_ID: ${{ github.event_name == 'workflow_dispatch' && inputs.identity_federation_client_id || secrets.IDENTITY_FEDERATION_CLIENT_ID }}
           OIDC_TOKEN: ${{ steps.get-id-token.outputs.token }}
-        run: |
-          python tests/token_federation/github_oidc_test.py
+        run: python tests/token_federation/github_oidc_test.py

tests/token_federation/github_oidc_test.py

@@ -12,11 +12,27 @@
 import sys
 import json
 import base64
+import logging
 from databricks import sql
 
 
+logging.basicConfig(
+    level=logging.INFO,
+    format="%(asctime)s - %(levelname)s - %(message)s"
+)
+logger = logging.getLogger(__name__)
+
+
 def decode_jwt(token):
-    """Decode and return the claims from a JWT token."""
+    """
+    Decode and return the claims from a JWT token.
+    
+    Args:
+        token: The JWT token string
+        
+    Returns:
+        dict: The decoded token claims or None if decoding fails
+    """
     try:
         parts = token.split(".")
         if len(parts) != 3:
@@ -30,72 +46,121 @@ def decode_jwt(token):
         decoded = base64.b64decode(payload)
         return json.loads(decoded)
     except Exception as e:
-        print(f"Failed to decode token: {str(e)}")
+        logger.error(f"Failed to decode token: {str(e)}")
         return None
 
 
-def main():
-    # Get GitHub OIDC token
+def get_environment_variables():
+    """
+    Get required environment variables for the test.
+    
+    Returns:
+        tuple: (github_token, host, http_path, identity_federation_client_id)
+    
+    Raises:
+        SystemExit: If any required environment variable is missing
+    """
     github_token = os.environ.get("OIDC_TOKEN")
     if not github_token:
-        print("GitHub OIDC token not available")
+        logger.error("GitHub OIDC token not available")
         sys.exit(1)
 
-    # Get Databricks connection parameters
     host = os.environ.get("DATABRICKS_HOST_FOR_TF")
     http_path = os.environ.get("DATABRICKS_HTTP_PATH_FOR_TF")
     identity_federation_client_id = os.environ.get("IDENTITY_FEDERATION_CLIENT_ID")
 
     if not host or not http_path:
-        print("Missing Databricks connection parameters")
+        logger.error("Missing Databricks connection parameters")
         sys.exit(1)
 
-    # Display token claims for debugging
-    claims = decode_jwt(github_token)
-    if claims:
-        print("\n=== GitHub OIDC Token Claims ===")
-        print(f"Token issuer: {claims.get('iss')}")
-        print(f"Token subject: {claims.get('sub')}")
-        print(f"Token audience: {claims.get('aud')}")
-        print(f"Token expiration: {claims.get('exp', 'unknown')}")
-        print(f"Repository: {claims.get('repository', 'unknown')}")
-        print(f"Workflow ref: {claims.get('workflow_ref', 'unknown')}")
-        print(f"Event name: {claims.get('event_name', 'unknown')}")
-        print("===============================\n")
-    
-    try:
-        # Connect to Databricks using token federation
-        print(f"=== Testing Connection via Connector ===")
-        print(f"Connecting to Databricks at {host}{http_path}")
-        print(f"Using client ID: {identity_federation_client_id}")
+    return github_token, host, http_path, identity_federation_client_id
+
+
+def display_token_info(claims):
+    """Display token claims for debugging."""
+    if not claims:
+        logger.warning("No token claims available to display")
+        return
 
-        connection_params = {
-            "server_hostname": host,
-            "http_path": http_path,
-            "access_token": github_token,
-            "auth_type": "token-federation",
-            "identity_federation_client_id": identity_federation_client_id,
-        }
+    logger.info("=== GitHub OIDC Token Claims ===")
+    logger.info(f"Token issuer: {claims.get('iss')}")
+    logger.info(f"Token subject: {claims.get('sub')}")
+    logger.info(f"Token audience: {claims.get('aud')}")
+    logger.info(f"Token expiration: {claims.get('exp', 'unknown')}")
+    logger.info(f"Repository: {claims.get('repository', 'unknown')}")
+    logger.info(f"Workflow ref: {claims.get('workflow_ref', 'unknown')}")
+    logger.info(f"Event name: {claims.get('event_name', 'unknown')}")
+    logger.info("===============================")
+
+
+def test_databricks_connection(host, http_path, github_token, identity_federation_client_id):
+    """
+    Test connection to Databricks using token federation.
+    
+    Args:
+        host: Databricks host
+        http_path: Databricks HTTP path
+        github_token: GitHub OIDC token
+        identity_federation_client_id: Identity federation client ID
         
+    Returns:
+        bool: True if the test is successful, False otherwise
+    """
+    logger.info("=== Testing Connection via Connector ===")
+    logger.info(f"Connecting to Databricks at {host}{http_path}")
+    logger.info(f"Using client ID: {identity_federation_client_id}")
+    
+    connection_params = {
+        "server_hostname": host,
+        "http_path": http_path,
+        "access_token": github_token,
+        "auth_type": "token-federation",
+        "identity_federation_client_id": identity_federation_client_id,
+    }
+    
+    try:
         with sql.connect(**connection_params) as connection:
-            print("Connection established successfully")
+            logger.info("Connection established successfully")
 
             # Execute a simple query
             cursor = connection.cursor()
             cursor.execute("SELECT 1 + 1 as result")
             result = cursor.fetchall()
-            print(f"Query result: {result[0][0]}")
+            logger.info(f"Query result: {result[0][0]}")
 
             # Show current user
             cursor.execute("SELECT current_user() as user")
             result = cursor.fetchall()
-            print(f"Connected as user: {result[0][0]}")
+            logger.info(f"Connected as user: {result[0][0]}")
 
-            print("Token federation test successful!")
+            logger.info("Token federation test successful!")
             return True
     except Exception as e:
-        print(f"Error connecting to Databricks: {str(e)}")
-        print("===================================\n")
+        logger.error(f"Error connecting to Databricks: {str(e)}")
+        return False
+
+
+def main():
+    """Main entry point for the test script."""
+    try:
+        # Get environment variables
+        github_token, host, http_path, identity_federation_client_id = get_environment_variables()
+        
+        # Display token claims
+        claims = decode_jwt(github_token)
+        display_token_info(claims)
+        
+        # Test Databricks connection
+        success = test_databricks_connection(
+            host, http_path, github_token, identity_federation_client_id
+        )
+        
+        if not success:
+            logger.error("Token federation test failed")
+            sys.exit(1)
+            
+    except Exception as e:
+        logger.error(f"Unexpected error: {str(e)}")
         sys.exit(1)
 
 

tests/unit/test_token_federation.py

@@ -13,7 +13,8 @@
     Token,
     DatabricksTokenFederationProvider,
     SimpleCredentialsProvider,
-    create_token_federation_provider
+    create_token_federation_provider,
+    TOKEN_REFRESH_BUFFER_SECONDS
 )
 
 
@@ -47,12 +48,12 @@ def test_token_needs_refresh(self):
         self.assertTrue(token.needs_refresh())
 
         # Token with expiry in the near future (within refresh buffer)
-        near_future = datetime.now(tz=timezone.utc) + timedelta(minutes=4)
+        near_future = datetime.now(tz=timezone.utc) + timedelta(seconds=TOKEN_REFRESH_BUFFER_SECONDS - 60)
         token = Token("access_token", "Bearer", expiry=near_future)
         self.assertTrue(token.needs_refresh())
 
         # Token with expiry far in the future
-        far_future = datetime.now(tz=timezone.utc) + timedelta(hours=1)
+        far_future = datetime.now(tz=timezone.utc) + timedelta(seconds=TOKEN_REFRESH_BUFFER_SECONDS + 60)
         token = Token("access_token", "Bearer", expiry=far_future)
         self.assertFalse(token.needs_refresh())
 
@@ -118,22 +119,30 @@ def test_init_oidc_discovery(self, mock_get_endpoints, mock_requests_get):
     @patch('databricks.sql.auth.token_federation.DatabricksTokenFederationProvider._parse_jwt_claims')
     @patch('databricks.sql.auth.token_federation.DatabricksTokenFederationProvider._exchange_token')
     @patch('databricks.sql.auth.token_federation.DatabricksTokenFederationProvider._is_same_host')
-    def test_token_refresh(self, mock_is_same_host, mock_exchange_token, mock_parse_jwt):
+    @patch('databricks.sql.auth.token_federation.DatabricksTokenFederationProvider._detect_idp_from_claims')
+    def test_token_refresh(self, mock_detect_idp, mock_is_same_host, mock_exchange_token, mock_parse_jwt):
         """Test token refresh functionality for approaching expiry."""
         # Set up mocks
         mock_parse_jwt.return_value = {"iss": "https://login.microsoftonline.com/tenant"}
         mock_is_same_host.return_value = False
+        mock_detect_idp.return_value = "azure"
 
-        # Create a mock credentials provider that can return different tokens
+        # Create mock credentials provider that can return different tokens for different calls
         mock_creds_provider = MagicMock()
-        # Initial token factory
+        
+        # First call returns initial_token, second call returns fresh_token
+        initial_headers = {"Authorization": "Bearer initial_token"}
+        fresh_headers = {"Authorization": "Bearer fresh_token"}
+        
+        # Set up initial header factory
         initial_header_factory = MagicMock()
-        initial_header_factory.return_value = {"Authorization": "Bearer initial_token"}
-        # Fresh token factory for refresh
+        initial_header_factory.return_value = initial_headers
+        
+        # Set up fresh header factory for second call
         fresh_header_factory = MagicMock()
-        fresh_header_factory.return_value = {"Authorization": "Bearer fresh_token"}
+        fresh_header_factory.return_value = fresh_headers
 
-        # Configure the mock to return different header factories on consecutive calls
+        # Configure the mock to return factories
         mock_creds_provider.side_effect = [initial_header_factory, fresh_header_factory]
 
         # Set up the token federation provider
@@ -157,9 +166,11 @@ def test_token_refresh(self, mock_is_same_host, mock_exchange_token, mock_parse_
 
         # Reset the mocks to track the next call
         mock_exchange_token.reset_mock()
+        mock_creds_provider.reset_mock()
+        mock_creds_provider.return_value = fresh_header_factory
 
         # Now simulate an approaching expiry
-        near_expiry = datetime.now(tz=timezone.utc) + timedelta(minutes=4)
+        near_expiry = datetime.now(tz=timezone.utc) + timedelta(seconds=TOKEN_REFRESH_BUFFER_SECONDS - 60)
         federation_provider.last_exchanged_token = Token(
             "exchanged_token_1", "Bearer", expiry=near_expiry
         )