Merge pull request #44 from RelationalAI/snowflake-tss

Add support for Snowflake Stages and SNOWFLAKE_FULL encryption

Author: adnan-alhomssi

Project.toml

@@ -1,10 +1,14 @@
 name = "RustyObjectStore"
 uuid = "1b5eed3d-1f46-4baa-87f3-a4a892b23610"
-version = "0.8.2"
+version = "0.9.1"
 
 [deps]
+Base64 = "2a0f44e3-6c83-55bd-87e4-b1978d98bd5f"
+CloudBase = "85eb1798-d7c4-4918-bb13-c944d38e27ed"
 DocStringExtensions = "ffbed154-4ef7-542d-bbb7-c09d3a79fcae"
+HTTP = "cd3eb016-35fb-5094-929b-558a96fad6f3"
 JSON3 = "0f8b85d8-7281-11e9-16c2-39a750bddbf1"
+Sockets = "6462fe0b-24de-5631-8697-dd941f90decc"
 object_store_ffi_jll = "0e112785-0821-598c-8835-9f07837e8d7b"
 
 [compat]
@@ -16,7 +20,7 @@ ReTestItems = "1"
 Sockets = "1"
 Test = "1"
 julia = "1.8"
-object_store_ffi_jll = "0.8.2"
+object_store_ffi_jll = "0.9.1"
 
 [extras]
 CloudBase = "85eb1798-d7c4-4918-bb13-c944d38e27ed"

src/RustyObjectStore.jl

@@ -1,11 +1,11 @@
 module RustyObjectStore
 
 export init_object_store, get_object!, put_object, delete_object
-export StaticConfig, ClientOptions, Config, AzureConfig, AWSConfig
+export StaticConfig, ClientOptions, Config, AzureConfig, AWSConfig, SnowflakeConfig
 export status_code, is_connection, is_timeout, is_early_eof, is_unknown, is_parse_url
 export get_object_stream, ReadStream, finish!
 export put_object_stream, WriteStream, cancel!, shutdown!
-export current_metrics
+export current_metrics, invalidate_config
 export max_entries_per_chunk, ListEntry, list_objects, list_objects_stream, next_chunk!
 
 using Base.Libc.Libdl: dlext
@@ -550,6 +550,156 @@ function Base.show(io::IO, conf::AWSConfig)
     print(io, ", ", "opts=", repr(conf.opts), ")")
 end
 
+"""
+    $TYPEDEF
+
+Configuration for the Snowflake stage object store backend.
+
+It is recommended to reuse an instance for many operations.
+
+# Keyword Arguments
+- `stage::String`: Snowflake stage
+- `encryption_scheme::Option{String}`: (Optional) Encryption scheme to enforce (one of AES_128_CBC, AES_256_GCM)
+- `account::Option{String}`: (Optional) Snowflake account (read from SNOWFLAKE_ACCOUNT env var if missing)
+- `database::Option{String}`: (Optional) Snwoflake database (read from SNOWFLAKE_DATABASE env var if missing)
+- `schema::Option{String}`: (Optional) Snowflake schema (read from SNOWFLAKE_SCHEMA env var if missing)
+- `endpoint::Option{String}`: (Optional) Snowflake endpoint (read from SNOWFLAKE_ENDPOINT or SNOWFLAKE_HOST env vars if missing)
+- `warehouse::Option{String}`: (Optional) Snowflake warehouse
+- `username::Option{String}`: (Optional) Snowflake username (required for user/pass flow)
+- `password::Option{String}`: (Optional) Snowflake password (required for user/pass flow)
+- `role::Option{String}`: (Optional) Snowflake role (required for user/pass flow)
+- `master_token_path::Option{String}`: (Optional) Path to Snowflake master token (read from MASTER_TOKEN_PATH or defaults to `/snowflake/session/token` if missing)
+- `keyring_capacity::Option{Int}`: (Optional) Maximum number of keys to be kept in the in-memory keyring (key cache)
+- `keyring_ttl_secs::Option{Int}`: (Optional) Duration in seconds after which a key is removed from the keyring
+- `opts::ClientOptions`: (Optional) Client configuration options.
+"""
+struct SnowflakeConfig <: AbstractConfig
+    stage::String
+    encryption_scheme::Option{String}
+    account::Option{String}
+    database::Option{String}
+    schema::Option{String}
+    endpoint::Option{String}
+    warehouse::Option{String}
+    username::Option{String}
+    password::Option{String}
+    role::Option{String}
+    master_token_path::Option{String}
+    keyring_capacity::Option{Int}
+    keyring_ttl_secs::Option{Int}
+    opts::ClientOptions
+    cached_config::Config
+    function SnowflakeConfig(;
+        stage::String,
+        encryption_scheme::Option{String} = nothing,
+        account::Option{String} = nothing,
+        database::Option{String} = nothing,
+        schema::Option{String} = nothing,
+        endpoint::Option{String} = nothing,
+        warehouse::Option{String} = nothing,
+        username::Option{String} = nothing,
+        password::Option{String} = nothing,
+        role::Option{String} = nothing,
+        master_token_path::Option{String} = nothing,
+        keyring_capacity::Option{Int} = nothing,
+        keyring_ttl_secs::Option{Int} = nothing,
+        opts::ClientOptions = ClientOptions()
+    )
+        params = copy(opts.params)
+
+        params["snowflake_stage"] = stage
+
+        if !isnothing(encryption_scheme)
+            params["snowflake_encryption_scheme"] = encryption_scheme
+        end
+
+        if !isnothing(account)
+            params["snowflake_account"] = account
+        end
+
+        if !isnothing(database)
+            params["snowflake_database"] = database
+        end
+
+        if !isnothing(schema)
+            params["snowflake_schema"] = schema
+        end
+
+        if !isnothing(endpoint)
+            params["snowflake_endpoint"] = endpoint
+        end
+
+        if !isnothing(warehouse)
+            params["snowflake_warehouse"] = warehouse
+        end
+
+        if !isnothing(username)
+            params["snowflake_username"] = username
+        end
+
+        if !isnothing(password)
+            params["snowflake_password"] = password
+        end
+
+        if !isnothing(role)
+            params["snowflake_role"] = role
+        end
+
+        if !isnothing(master_token_path)
+            params["snowflake_master_token_path"] = master_token_path
+        end
+
+        if !isnothing(keyring_capacity)
+            params["snowflake_keyring_capacity"] = string(keyring_capacity)
+        end
+
+        if !isnothing(keyring_ttl_secs)
+            params["snowflake_keyring_ttl_secs"] = string(keyring_ttl_secs)
+        end
+
+        # All defaults for the optional values are defined on the Rust side.
+        map!(v -> strip(v), values(params))
+        cached_config = Config("snowflake://$(strip(stage))/", params)
+        return new(
+            stage,
+            encryption_scheme,
+            account,
+            database,
+            schema,
+            endpoint,
+            warehouse,
+            username,
+            password,
+            role,
+            master_token_path,
+            keyring_capacity,
+            keyring_ttl_secs,
+            opts,
+            cached_config
+        )
+    end
+end
+
+into_config(conf::SnowflakeConfig) = conf.cached_config
+
+function Base.show(io::IO, conf::SnowflakeConfig)
+    print(io, "SnowflakeConfig("),
+    print(io, "stage=", repr(conf.stage))
+    @option_print(conf, encryption_scheme)
+    @option_print(conf, account)
+    @option_print(conf, database)
+    @option_print(conf, schema)
+    @option_print(conf, endpoint)
+    @option_print(conf, warehouse)
+    @option_print(conf, username)
+    @option_print(conf, password, true)
+    @option_print(conf, role)
+    @option_print(conf, master_token_path)
+    @option_print(conf, keyring_capacity)
+    @option_print(conf, keyring_ttl_secs)
+    print(io, ", ", "opts=", repr(conf.opts), ")")
+end
+
 mutable struct Response
     result::Cint
     length::Culonglong
@@ -1755,6 +1905,105 @@ function finish!(stream::ListStream)
     return true
 end
 
+mutable struct StageInfoResponseFFI
+    result::Cint
+    stage_info::Ptr{Cchar}
+    error_message::Ptr{Cchar}
+    context::Ptr{Cvoid}
+
+    StageInfoResponseFFI() = new(-1, C_NULL, C_NULL, C_NULL)
+end
+
+function current_stage_info(conf::AbstractConfig)
+    response = StageInfoResponseFFI()
+    ct = current_task()
+    event = Base.Event()
+    handle = pointer_from_objref(event)
+    config = into_config(conf)
+    while true
+        preserve_task(ct)
+        result = GC.@preserve config response event try
+            result = @ccall rust_lib.current_stage_info(
+                config::Ref{Config},
+                response::Ref{StageInfoResponseFFI},
+                handle::Ptr{Cvoid}
+            )::Cint
+
+            wait_or_cancel(event, response)
+
+            result
+        finally
+            unpreserve_task(ct)
+        end
+
+        if result == 2
+            # backoff
+            sleep(0.01)
+            continue
+        end
+
+        # No need to destroy_cstring(response.stage_info) in case of errors here
+        @throw_on_error(response, "current_stage_info", GetException)
+
+        info_string = unsafe_string(response.stage_info)
+        @ccall rust_lib.destroy_cstring(response.stage_info::Ptr{Cchar})::Cint
+
+        stage_info = JSON3.read(info_string, Dict{String, String})
+        return stage_info
+    end
+end
+
+"""
+    invalidate_config(conf::Option{AbstractConfig}) -> Bool
+
+Invalidates the specified config (or all if no config is provided) in the Rust
+config cache. This is useful to mitigate test interference.
+
+# Arguments
+- `conf::AbstractConfig`: (Optional) The config to be invalidated.
+"""
+function invalidate_config(conf::Option{AbstractConfig}=nothing)
+    response = Response()
+    ct = current_task()
+    event = Base.Event()
+    handle = pointer_from_objref(event)
+    while true
+        preserve_task(ct)
+        result = GC.@preserve conf response event try
+            result = if !isnothing(conf)
+                config = into_config(conf)
+                @ccall rust_lib.invalidate_config(
+                    config::Ref{Config},
+                    response::Ref{Response},
+                    handle::Ptr{Cvoid}
+                )::Cint
+            else
+                @ccall rust_lib.invalidate_config(
+                    C_NULL::Ptr{Cvoid},
+                    response::Ref{Response},
+                    handle::Ptr{Cvoid}
+                )::Cint
+            end
+
+            wait_or_cancel(event, response)
+
+            result
+        finally
+            unpreserve_task(ct)
+        end
+
+        if result == 2
+            # backoff
+            sleep(0.01)
+            continue
+        end
+
+        @throw_on_error(response, "invalidate_config", PutException)
+
+        return true
+    end
+end
+
 struct Metrics
     live_bytes::Int64
 end
@@ -1763,4 +2012,8 @@ function current_metrics()
     return @ccall rust_lib.current_metrics()::Metrics
 end
 
-end # module
+module Test
+include("mock_server.jl")
+end # Test module
+
+end # RustyObjectStore module

src/mock_server.jl

@@ -0,0 +1,317 @@
+using CloudBase: CloudCredentials, AWSCredentials, AbstractStore, AWS
+using JSON3, HTTP, Sockets, Base64
+using RustyObjectStore: SnowflakeConfig, ClientOptions
+using Base: UUID
+
+export SFGatewayMock, start, with
+
+struct SFConfig
+    account::String
+    database::String
+    default_schema::String
+end
+
+struct Stage
+    database::String
+    schema::String
+    name::String
+end
+
+mutable struct SFGatewayMock
+    credentials::CloudCredentials
+    store::AbstractStore
+    opts::ClientOptions
+    config::SFConfig
+    allowed_stages::Vector{Stage}
+    encrypted::Bool
+    keys_lock::ReentrantLock
+    next_key_id::Int
+    keys::Dict{String, String}
+end
+
+
+function to_stage(stage::AbstractString, config::SFConfig)
+    parts = split(stage, ".")
+    if length(parts) == 1
+        return Stage(uppercase(config.database), uppercase(config.default_schema), uppercase(parts[1]))
+    elseif length(parts) == 2
+        return Stage(uppercase(config.database), uppercase(parts[1]), uppercase(parts[2]))
+    elseif length(parts) == 3
+        return Stage(uppercase(parts[1]), uppercase(parts[2]), uppercase(parts[3]))
+    else
+        error("Invalid stage spec")
+    end
+end
+
+fqsn(s::Stage) = "$(s.database).$(s.schema).$(s.name)"
+stage_uuid(s::Stage) = UUID((hash(fqsn(s)), hash(fqsn(s))))
+stage_path(s::Stage) = "stages/$(stage_uuid(s))/"
+
+function SFGatewayMock(
+        credentials::CloudCredentials,
+        store::AbstractStore,
+        encrypted::Bool;
+        opts=ClientOptions(),
+        default_schema::String="testschema",
+        allowed_stages::Vector{String}=["teststage" * string(rand(UInt64), base=16)]
+    )
+    config = SFConfig(
+        "testaccount",
+        "testdatabase",
+        default_schema
+    )
+    allowed_stages_parsed = map(s -> to_stage(s, config), allowed_stages)
+    SFGatewayMock(
+        credentials,
+        store,
+        opts,
+        config,
+        allowed_stages_parsed,
+        encrypted,
+        ReentrantLock(),
+        1,
+        Dict{String, String}()
+    )
+end
+
+function authorized(request::HTTP.Request)
+    return HTTP.header(request, "Authorization") == "Snowflake Token=\"dummy-token\""
+end
+
+function unauthorized_response()
+    return HTTP.Response(401, "Invalid token")
+end
+
+function error_json_response(msg::String; code::String="1234")
+    response_data = Dict(
+        "data" => Dict(
+            "queryId" => "dummy-query-id"
+        ),
+        "code" => code,
+        "message" => msg,
+        "success" => false
+    )
+    return HTTP.Response(200, JSON3.write(response_data))
+end
+
+function construct_stage_info(credentials::AWSCredentials, store::AWS.Bucket, path::String, encrypted::Bool)
+    m = match(r"(https?://.*?)/", store.baseurl)
+    @assert !isnothing(m)
+    test_endpoint = m.captures[1]
+
+    Dict(
+        "locationType" => "S3",
+        "location" => joinpath(store.name, "xox50000-s", path),
+        "path" => path,
+        "region" => "us-east-1",
+        "storageAccount" => nothing,
+        "isClientSideEncrypted" => encrypted,
+        "ciphers" => encrypted ? "AES_CBC" : nothing,
+        "creds" => Dict(
+            "AWS_KEY_ID" => credentials.access_key_id,
+            "AWS_SECRET_KEY" => credentials.secret_access_key,
+            "AWS_TOKEN" => credentials.session_token
+        ),
+        "useS3RegionalUrl" => false,
+        "endPoint" => "us-east-1.s3.amazonaws.com",
+        "testEndpoint" => test_endpoint
+    )
+end
+
+function next_id_and_key(gw::SFGatewayMock)
+    @lock gw.keys_lock begin
+        key_id = gw.next_key_id
+        gw.next_key_id += 1
+        key = base64encode(rand(UInt8, 16))
+        push!(gw.keys, string(key_id) => key)
+        return key_id, key
+    end
+end
+
+function find_key_by_id(gw::SFGatewayMock, id::String)
+    @lock gw.keys_lock begin
+        return get(gw.keys, id, nothing)
+    end
+end
+
+# Returns a SnowflakeConfig and a server instance.
+# The config can be used to perform operations against
+# a simulated Snowflake stage backed by a Minio instance.
+function start(gw::SFGatewayMock)
+    (port, tcp_server) = Sockets.listenany(8080)
+    http_server = HTTP.serve!(tcp_server) do request::HTTP.Request
+        if request.method == "POST" && startswith(request.target, "/session/heartbeat")
+            # Heartbeat
+            authorized(request) || return unauthorized_response()
+            return HTTP.Response(200, "Pong")
+        elseif request.method == "POST" && startswith(request.target, "/session/token-request")
+            # Token Renewal
+            authorized(request) || return unauthorized_response()
+            object = JSON3.read(request.body)
+            if get(object, "oldSessionToken", nothing) != "dummy-token"
+                return error_json_response("Invalid session token")
+            end
+
+            response_data = Dict(
+                "data" => Dict(
+                    "sessionToken" => "dummy-token",
+                    "validityInSecondsST" => 3600,
+                    "masterToken" => "dummy-master-token",
+                    "validityInSecondsMT" => 3600
+                ),
+                "success" => true
+            )
+            return HTTP.Response(200, JSON3.write(response_data))
+        elseif request.method == "POST" && startswith(request.target, "/session/v1/login-request")
+            # Login
+            response_data = Dict(
+                "data" => Dict(
+                    "token" => "dummy-token",
+                    "validityInSeconds" => 3600,
+                    "masterToken" => "dummy-master-token",
+                    "masterValidityInSeconds" => 3600
+                ),
+                "success" => true
+            )
+            return HTTP.Response(200, JSON3.write(response_data))
+        elseif request.method == "POST" && startswith(request.target, "/queries/v1/query-request")
+            # Query
+            authorized(request) || return unauthorized_response()
+            object = JSON3.read(request.body)
+            sql = get(object, "sqlText", nothing)
+            if isnothing(sql) || !isa(sql, String)
+                return error_json_response("Missing sql query text")
+            end
+
+            sql = strip(sql)
+
+            if startswith(sql, "PUT")
+                m = match(r"PUT\s+?file://.*?\s+?@(.+?)(\s|$)", sql)
+                if isnothing(m)
+                    return error_json_response("Missing stage name or file path")
+                end
+
+                stage = try
+                    to_stage(m.captures[1], gw.config)
+                catch e
+                    return error_json_response("$(e)")
+                end
+
+                if !(stage in gw.allowed_stages)
+                    return error_json_response("Stage not found")
+                end
+
+                encryption_material = if gw.encrypted
+                    # generate new key
+                    key_id, key = next_id_and_key(gw)
+                    Dict(
+                        "queryStageMasterKey" => key,
+                        "queryId" => string(key_id),
+                        "smkId" => key_id
+                    )
+                else
+                    nothing
+                end
+
+
+                stage_info = if isa(gw.credentials, AWSCredentials) && isa(gw.store, AWS.Bucket)
+                    construct_stage_info(gw.credentials, gw.store, stage_path(stage), gw.encrypted)
+                else
+                    error("unimplemented")
+                end
+
+                # PUT Query
+                response_data = Dict(
+                    "data" => Dict(
+                        "queryId" => "dummy-query-id",
+                        "encryptionMaterial" => encryption_material,
+                        "stageInfo" => stage_info
+                    ),
+                    "success" => true
+                )
+                return HTTP.Response(200, JSON3.write(response_data))
+            elseif startswith(sql, "GET")
+                # GET Query
+                m = match(r"GET\s+?@(.+?)/(.+?)\s", sql)
+                if isnothing(m)
+                    return error_json_response("Missing stage name or file path")
+                end
+
+                stage = try
+                    to_stage(m.captures[1], gw.config)
+                catch e
+                    return error_json_response("$(e)")
+                end
+
+                if !(stage in gw.allowed_stages)
+                    return error_json_response("Stage not found")
+                end
+
+                path = m.captures[2]
+
+                stage_info = if isa(gw.credentials, AWSCredentials) && isa(gw.store, AWS.Bucket)
+                    construct_stage_info(gw.credentials, gw.store, stage_path(stage), gw.encrypted)
+                else
+                    error("unimplemented")
+                end
+
+                encryption_material = if gw.encrypted
+                    # fetch key id from s3 meta and return key
+                    response = AWS.head(
+                        stage_info["testEndpoint"] * "/" * stage_info["location"] * path;
+                        service="s3", region="us-east-1", credentials=gw.credentials
+                    )
+                    pos = findfirst(x -> x[1] == "x-amz-meta-x-amz-matdesc", response.headers)
+                    matdesc = JSON3.read(response.headers[pos][2])
+                    key_id = matdesc["queryId"]
+                    key = find_key_by_id(gw, key_id)
+                    Dict(
+                        "queryStageMasterKey" => key,
+                        "queryId" => key_id,
+                        "smkId" => parse(Int, key_id)
+                    )
+                else
+                    nothing
+                end
+
+                response_data = Dict(
+                    "data" => Dict(
+                        "queryId" => "dummy-query-id",
+                        "src_locations" => [path],
+                        "encryptionMaterial" => [encryption_material],
+                        "stageInfo" => stage_info
+                    ),
+                    "success" => true
+                )
+                return HTTP.Response(200, JSON3.write(response_data))
+            else
+                return error_json_response("Unsupported query")
+            end
+        else
+            return HTTP.Response(404, "Not Found")
+        end
+    end
+
+    master_path, fileio = mktemp()
+    write(fileio, "dummy-file-master-token")
+    sfconfig = SnowflakeConfig(
+        stage=fqsn(gw.allowed_stages[1]),
+        account=gw.config.account,
+        database=gw.config.database,
+        schema=gw.allowed_stages[1].schema,
+        endpoint="http://127.0.0.1:$(port)",
+        master_token_path=master_path,
+        opts=gw.opts
+    )
+    return sfconfig, http_server
+end
+
+function with(f::Function, gw::SFGatewayMock)
+    config, server = start(gw)
+    try
+        f(config)
+    finally
+        HTTP.forceclose(server)
+        rm(config.master_token_path)
+    end
+end

test/basic_unified_tests.jl

@@ -531,7 +531,13 @@ function run_sanity_test_cases(read_config::AbstractConfig, write_config::Abstra
     end
 end
 
-function run_list_test_cases(config::AbstractConfig)
+function within_margin(a, b, margin = 32)
+    return all(abs.(a .- b) .<= margin)
+end
+
+
+function run_list_test_cases(config::AbstractConfig; strict_entry_size=true)
+    margin = strict_entry_size ? 0 : 32
     @testset "basic listing" begin
         for i in range(10; step=10, length=5)
             nbytes_written = put_object(codeunits(repeat('=', i)), "list/$(i).csv", config)
@@ -540,7 +546,7 @@ function run_list_test_cases(config::AbstractConfig)
 
         entries = list_objects("list/", config)
         @test length(entries) == 5
-        @test map(x -> x.size, entries) == range(10; step=10, length=5)
+        @test within_margin(map(x -> x.size, entries), range(10; step=10, length=5), margin)
         @test map(x -> x.location, entries) == ["list/10.csv", "list/20.csv", "list/30.csv", "list/40.csv", "list/50.csv"]
     end
 
@@ -560,7 +566,7 @@ function run_list_test_cases(config::AbstractConfig)
 
         entries = list_objects("other/prefix/", config)
         @test length(entries) == 5
-        @test map(x -> x.size, entries) == range(110; step=10, length=5)
+        @test within_margin(map(x -> x.size, entries), range(110; step=10, length=5), margin)
         @test map(x -> x.location, entries) ==
             ["other/prefix/110.csv", "other/prefix/120.csv", "other/prefix/130.csv", "other/prefix/140.csv", "other/prefix/150.csv"]
 
@@ -569,6 +575,10 @@ function run_list_test_cases(config::AbstractConfig)
 
         entries = list_objects("other/p/", config)
         @test length(entries) == 0
+
+        entries = list_objects("other/prefix/150.csv", config)
+        @test length(entries) == 1
+        @test map(x -> x.location, entries) == ["other/prefix/150.csv"]
     end
 
     @testset "list empty entries" begin
@@ -602,7 +612,7 @@ function run_list_test_cases(config::AbstractConfig)
 
         append!(entries, one_entry)
 
-        @test sort(map(x -> x.size, entries)) == data
+        @test within_margin(sort(map(x -> x.size, entries)), data, margin)
         @test sort(map(x -> x.location, entries)) == sort(map(x -> "list/$(x).csv", data))
     end
 
@@ -640,7 +650,7 @@ function run_list_test_cases(config::AbstractConfig)
 
         @test isnothing(next_chunk!(stream))
 
-        @test sort(map(x -> x.size, entries)) == data[51:end]
+        @test within_margin(sort(map(x -> x.size, entries)), data[51:end], margin)
         @test sort(map(x -> x.location, entries)) == sort(map(x -> key(x), data[51:end]))
     end
 end
@@ -765,3 +775,37 @@ Minio.with(; debug=true, public=true) do conf
     run_read_write_test_cases(config_no_creds, config)
 end # Minio.with
 end # @testitem
+
+@testitem "Basic Snowflake Stage usage" setup=[InitializeObjectStore, SnowflakeMock, ReadWriteCases] begin
+using CloudBase.CloudTest: Minio
+using RustyObjectStore: SnowflakeConfig, ClientOptions
+
+# For interactive testing, use Minio.run() instead of Minio.with()
+# conf, p = Minio.run(; debug=true, public=false); atexit(() -> kill(p))
+Minio.with(; debug=true, public=false) do conf
+    credentials, container = conf
+    with(SFGatewayMock(credentials, container, false)) do config::SnowflakeConfig
+        run_read_write_test_cases(config)
+        run_stream_test_cases(config)
+        run_list_test_cases(config)
+        run_sanity_test_cases(config)
+    end
+end # Minio.with
+end # @testitem
+
+@testitem "Basic Snowflake Stage usage (encrypted)" setup=[InitializeObjectStore, SnowflakeMock, ReadWriteCases] begin
+using CloudBase.CloudTest: Minio
+using RustyObjectStore: SnowflakeConfig, ClientOptions
+
+# For interactive testing, use Minio.run() instead of Minio.with()
+# conf, p = Minio.run(; debug=true, public=false); atexit(() -> kill(p))
+Minio.with(; debug=true, public=false) do conf
+    credentials, container = conf
+    with(SFGatewayMock(credentials, container, true)) do config::SnowflakeConfig
+        run_read_write_test_cases(config)
+        run_stream_test_cases(config)
+        run_list_test_cases(config; strict_entry_size=false)
+        run_sanity_test_cases(config)
+    end
+end # Minio.with
+end # @testitem

test/common_testsetup.jl

@@ -12,3 +12,9 @@
     )
     init_object_store(test_config)
 end
+
+@testsetup module SnowflakeMock
+    using RustyObjectStore.Test: SFGatewayMock, start, with
+
+    export SFGatewayMock, start, with
+end

test/snowflake_api_tests.jl

@@ -0,0 +1,24 @@
+@testitem "SnowflakeConfig" begin
+    # basic case
+    @test repr(SnowflakeConfig(;
+        stage="a"
+    )) == "SnowflakeConfig(stage=\"a\", opts=ClientOptions())"
+
+    # password is obscured when printing
+    @test repr(SnowflakeConfig(;
+        stage="a",
+        username="b",
+        password="c",
+        role="d"
+    )) == "SnowflakeConfig(stage=\"a\", username=\"b\", password=*****, role=\"d\", opts=ClientOptions())"
+
+    # optional params are supported
+    @test repr(SnowflakeConfig(;
+        stage="a",
+        encryption_scheme="b",
+        account="c",
+        database="d",
+        schema="e",
+        endpoint="f"
+       )) == "SnowflakeConfig(stage=\"a\", encryption_scheme=\"b\", account=\"c\", database=\"d\", schema=\"e\", endpoint=\"f\", opts=ClientOptions())"
+end