add MFA authentication support to snowflake integration

[ChinmayBansal]

Related Issues

• fixes update: update Snowflake integration to support MFA #2265

Proposed Changes:

This PR implements multi-factor authentication (MFA) support for the Snowflake
integration to address Snowflake's enhanced security requirements that mandate
MFA for connections. The implementation adds non-interactive authentication
methods while maintaining full backward compatibility.

Key Features Added:

• Key-pair JWT Authentication (SNOWFLAKE_JWT) that supports:
  • Pre-configured private key file paths via private_key_file parameter
  • Private key passphrases via private_key_file_pwd parameter
  • JWT-based authentication without user interaction prompts
• OAuth 2.0 Authentication (OAUTH) supporting:
  • Client Credentials flow with oauth_client_id and oauth_client_secret
  • Configurable token request URLs via oauth_token_request_url
  • Authorization URLs via oauth_authorization_url for future extensibility
• Enhanced Security Features:
  • Credential masking in URI logging via _create_masked_uri() method
  • Secure handling of all sensitive data using Haystack's Secret class
  • Comprehensive parameter validation with clear error messages
• Non-interactive Design: All authentication credentials sourced from
  environment variables, eliminating user prompts as specifically requested
• Backward Compatibility: Existing password-based authentication (SNOWFLAKE)
  remains unchanged with no breaking changes

How did you test it?

• Unit Tests: Added comprehensive test suite with 11 new test cases (36 total
  tests passing)
  • Code Quality: hatch run fmt and hatch run test:types both pass
  • Security Testing: Verified credential masking in logs
  • Manual verification: Tested all authentication methods and parameter
    validation

Notes for the reviewer

• The core authentication logic is in _snowflake_uri_constructor() method
  (lines ~257-301)
  • Parameter validation logic is centralized in _validate_auth_params() method
    (lines ~152-185)
  • Security enhancement via _create_masked_uri() method (lines ~303-329) ensures
    sensitive data never appears in logs
  • The implementation specifically addresses the "no user authentication
    prompts" requirement

Checklist

• I have read the contributors guidelines and the code of conduct
• I have updated the related issue with new insights and changes
• I added unit tests and updated the docstrings
• I've used one of the conventional commit types for my PR title: fix:, feat:, build:, chore:, ci:, docs:, style:, refactor:, perf:, test:.

[medsriha]

Thank you so much for your effort and contribution, @ChinmayBansal! I left a few comments, but overall this looks great. Would you mind moving the authentication code to a separate file outside of the main component to help keep things tidy? Also, were you able to test JWT and OAuth with real credentials?

[medsriha]

If a user doesn't specify authenticator but provides JWT credentials, it will default to "SNOWFLAKE" and then validation will require api_key. I suggest making authenticator required rather than optional.

[medsriha]

Sensitive credentials such as passwords and Secrets should always use Secrets and not combination of string and Secrets

[medsriha]

same

[medsriha]

Good idea to add an exception handling here

[medsriha]

What happen if api_key, user, account etc have special charaters? Would it be a good idea if we encode the URI before sending it?

[medsriha]

What do you think of adding a test_connection function during initialization? It allows us to verify the credentials are valid without executing an actual query at runtime.