SNOW-2306184: config refactor - tests for value masking

sfc-gh-mraba · sfc-gh-mraba · commit b849f52ff45c · 2025-11-18T10:48:26.000+01:00
diff --git a/src/snowflake/cli/_plugins/connection/commands.py b/src/snowflake/cli/_plugins/connection/commands.py
@@ -62,6 +62,7 @@
     set_config_value,
     unset_config_value,
 )
+from snowflake.cli.api.config_ng.masking import mask_sensitive_value
 from snowflake.cli.api.console import cli_console
 from snowflake.cli.api.constants import ObjectType
 from snowflake.cli.api.output.types import (
@@ -85,12 +86,11 @@ def __repr__(self):
         return "optional"
 
 
-def _mask_sensitive_parameters(connection_params: dict):
-    if "password" in connection_params:
-        connection_params["password"] = "****"
-    if "oauth_client_secret" in connection_params:
-        connection_params["oauth_client_secret"] = "****"
-    return connection_params
+def mask_sensitive_parameters(connection_params: dict):
+    return {
+        key: mask_sensitive_value(key, value)
+        for key, value in connection_params.items()
+    }
 
 
 @app.command(name="list")
@@ -124,7 +124,7 @@ def list_connections(
     result = (
         {
             "connection_name": connection_name,
-            "parameters": _mask_sensitive_parameters(
+            "parameters": mask_sensitive_parameters(
                 connection_config.to_dict_of_known_non_empty_values()
             ),
             "is_default": connection_name == default_connection,
diff --git a/tests/test_connection.py b/tests/test_connection.py
@@ -21,7 +21,9 @@
 
 import pytest
 import tomlkit
+from snowflake.cli._plugins.connection import commands as connection_commands
 from snowflake.cli.api.config import ConnectionConfig
+from snowflake.cli.api.config_ng.masking import MASKED_VALUE
 from snowflake.cli.api.constants import ObjectType
 from snowflake.cli.api.secret import SecretType
 
@@ -366,6 +368,35 @@ def test_lists_connection_information(mock_get_default_conn_name, runner):
     ]
 
 
+def test_mask_sensitive_parameters_masks_all_known_sensitive_keys():
+    params = {
+        "password": "hunter2",
+        "oauth_client_secret": "secret1",
+        "token": "token-value",
+        "session_token": "session",
+        "master_token": "master",
+        "private_key_passphrase": "pk-pass",
+        "mfa_passcode": "code",
+        "warehouse": "xs",
+    }
+
+    masked = connection_commands.mask_sensitive_parameters(params)
+
+    for key in (
+        "password",
+        "oauth_client_secret",
+        "token",
+        "session_token",
+        "master_token",
+        "private_key_passphrase",
+        "mfa_passcode",
+    ):
+        assert masked[key] == MASKED_VALUE
+
+    assert masked["warehouse"] == "xs"
+    assert params["password"] == "hunter2"
+
+
 @mock.patch.dict(
     os.environ,
     {
