Merge pull request #14 from ApplauseOSS/feat/support-workspaces

feat: add support workspaces

Author: verbotenj

.github/workflows/go-test.yml

@@ -12,5 +12,5 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.24'
+          go-version: '1.25'
       - run: go test ./...

.github/workflows/golanci-lint.yml

@@ -14,7 +14,7 @@ jobs:
     name: lint
     strategy:
       matrix:
-        go-version: [1.24.x]
+        go-version: [1.25.x]
         platform: [ubuntu-latest]
     runs-on: ${{ matrix.platform }}
     steps:

README.md

@@ -1,11 +1,11 @@
 # Snowflizzle
 
-Snowflizzle is a tool for declaratively managing Snowflake roles, users, and their permissions using a YAML configuration file. It enables mapping users (by login name or email) to Snowflake roles, and automates the granting and revoking of database, schema, and table privileges, including support for wildcards and partial name matching. The tool is designed for automation and integrates with Snowflake using a service user and key-pair authentication.
+Snowflizzle is a tool for declaratively managing Snowflake roles, users, and their permissions using a YAML configuration file. It enables mapping users (by login name or email) to Snowflake roles, and automates the granting and revoking of database, schema, table, and workspace privileges, including support for wildcards and partial name matching. The tool is designed for automation and integrates with Snowflake using a service user and key-pair authentication.
 
 ## Key Features
 
 - Declarative YAML configuration for roles, members, and permissions
-- Grant and revoke privileges on databases, schemas, and tables
+- Grant and revoke privileges on databases, schemas, tables, views, and workspaces
 - Supports wildcard and partial matching for schema and table names
 - Dry-run mode for previewing changes without applying them
 - Validation of configuration files before applying changes
@@ -22,7 +22,7 @@ roles:
       - email: exemployee2@example.com
         removed: true
     permissions:
-    # Option for names
+      # Option for names
       # - database_name
       databases:
         - name: test_a_db
@@ -31,26 +31,56 @@ roles:
         - name: test_b_db
           remove: true
       schemas:
-      # Options for names
-      # - database_name.schema_name
-      # - database_name.*
-      # - database_name.*schema_partial
-      # - database_name.schema_partial*
+        # Options for names
+        # - database_name.schema_name
+        # - database_name.*
+        # - database_name.*schema_partial
+        # - database_name.schema_partial*
         - name: test_c_db.credentials
           grants:
             - USAGE
         - name: test_b_db.assets
       tables:
-      # Options for names
-      # - database_name.*.*
-      # - database_name.schema_name.*
-      # - database_name.schema_partial_*.*
-      # - database_name.*_schema_partial.*
-      # - database_name.schema_name.table_name
+        # Options for names
+        # - database_name.*.*
+        # - database_name.schema_name.*
+        # - database_name.schema_partial_*.*
+        # - database_name.*_schema_partial.*
+        # - database_name.schema_name.table_name
         - name: test_c_db.credentials
           grants:
             - SELECT
         - name: test_b_db.*.*
+      workspaces:
+        # Name must be a 3-part identifier: database_name.schema_name.workspace_name
+        # Quote the value if the workspace name contains spaces.
+        # Supported grants: USAGE, READ, WRITE
+        - name: "test_a_db.my_schema.My Workspace"
+          grants:
+            - USAGE
+            - READ
+            - WRITE
+```
+
+### Workspace grants
+
+Snowflake [workspaces](https://docs.snowflake.com/en/user-guide/ui-snowsight-workspaces) are managed under the `workspaces` key in `permissions`. Each entry requires a 3-part name (`DATABASE.SCHEMA.WORKSPACE_NAME`) and one or more of the following privileges:
+
+| Privilege | Description                                  |
+| --------- | -------------------------------------------- |
+| `USAGE`   | Allows the role to see the workspace         |
+| `READ`    | Allows the role to read workspace contents   |
+| `WRITE`   | Allows the role to modify workspace contents |
+
+If a workspace name contains spaces, wrap the entire `name` value in single quotes:
+
+```yaml
+workspaces:
+  - name: "MY_DATABASE.MY_SCHEMA.SALESOPS WORKSPACE"
+    grants:
+      - USAGE
+      - READ
+      - WRITE
 ```
 
 Prepare snowflizzle service user in snowflake

config/snowflake.go

@@ -23,6 +23,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"path/filepath"
 
 	"github.com/applauseoss/snowflizzle/internal/logging"
 	"github.com/joho/godotenv"
@@ -109,7 +110,7 @@ func ConnectToSnowflake() (*sql.DB, error) {
 }
 
 func parsePrivateKeyFromFile(path string) (*rsa.PrivateKey, error) {
-	bytes, err := os.ReadFile(path)
+	bytes, err := os.ReadFile(filepath.Clean(path)) //nolint:gosec // G703: path is sourced from a trusted operator-controlled environment variable
 	if err != nil {
 		return nil, err
 	}

go.mod

@@ -1,8 +1,6 @@
 module github.com/applauseoss/snowflizzle
 
-go 1.24
-
-toolchain go1.24.1
+go 1.25
 
 require (
 	github.com/DATA-DOG/go-sqlmock v1.5.2

internal/role/role.go

@@ -76,12 +76,21 @@ type ViewPermission struct {
 	Remove bool     `yaml:"remove,omitempty"`
 }
 
-// RolePermissions represents permissions for a role, including databases, schemas, tables, and views.
+// WorkspacePermission represents a Snowflake workspace permission entry.
+// Example: { name: "MYDB.MYSCHEMA.MY WORKSPACE", grants: ["USAGE", "READ", "WRITE"] }
+type WorkspacePermission struct {
+	Name   string   `yaml:"name"`
+	Grants []string `yaml:"grants,omitempty"`
+	Remove bool     `yaml:"remove,omitempty"`
+}
+
+// RolePermissions represents permissions for a role, including databases, schemas, tables, views, and workspaces.
 type RolePermissions struct {
-	Databases []DatabasePermission `yaml:"databases,omitempty"`
-	Schemas   []SchemaPermission   `yaml:"schemas,omitempty"`
-	Tables    []TablePermission    `yaml:"tables,omitempty"`
-	Views     []ViewPermission     `yaml:"views,omitempty"`
+	Databases  []DatabasePermission  `yaml:"databases,omitempty"`
+	Schemas    []SchemaPermission    `yaml:"schemas,omitempty"`
+	Tables     []TablePermission     `yaml:"tables,omitempty"`
+	Views      []ViewPermission      `yaml:"views,omitempty"`
+	Workspaces []WorkspacePermission `yaml:"workspaces,omitempty"`
 }
 
 // Role represents a single role entry in the YAML configuration.
@@ -477,7 +486,7 @@ func (rp *RoleProcessor) memberProcess(role Role) (usersSkipped int, err error)
 			return usersSkipped, err
 		}
 	}
-	return
+	return usersSkipped, err
 }
 
 func (rp *RoleProcessor) execQuery(query string) error {
@@ -703,7 +712,7 @@ func (rp *RoleProcessor) Process() error {
 		if role.Remove {
 			// If the role exists, drop it
 			if _, exists := rp.existingRoles[upperRole]; exists {
-				dropRoleQuery := "DROP ROLE IF EXISTS " + rp.qRole
+				dropRoleQuery := "DROP ROLE IF EXISTS " + rp.qRole //nolint:gosec // G202: role name is safely quoted by quoteIdentifier
 				if rp.dryRun {
 					rp.logger.InfoContext(context.Background(), "[DryRun] Would drop role", "query", dropRoleQuery)
 				} else {
@@ -781,7 +790,7 @@ func (rp *RoleProcessor) FindNonExistentRoles() []string {
 // GetSchemasInDatabase fetches all schemas in a given database.
 func (rp *RoleProcessor) GetSchemasInDatabase(dbName string) ([]string, error) {
 	ctx := context.Background()
-	query := "SHOW SCHEMAS IN DATABASE " + quoteIdentifier(dbName)
+	query := "SHOW SCHEMAS IN DATABASE " + quoteIdentifier(dbName) //nolint:gosec // G202: dbName is safely quoted by quoteIdentifier
 	rows, err := rp.db.QueryContext(ctx, query)
 	if err != nil {
 		rp.logger.ErrorContext(context.Background(), "SHOW SCHEMAS failed", "database", dbName, "error", err)
@@ -839,7 +848,7 @@ func patternMatches(pattern, candidate string) bool {
 // GetTablesInDatabase fetches all tables in a given database, grouped by schema.
 func (rp *RoleProcessor) GetTablesInDatabase(dbName string) (map[string][]string, error) {
 	ctx := context.Background()
-	query := "SHOW TABLES IN DATABASE " + quoteIdentifier(dbName)
+	query := "SHOW TABLES IN DATABASE " + quoteIdentifier(dbName) //nolint:gosec // G202: dbName is safely quoted by quoteIdentifier
 	rows, err := rp.db.QueryContext(ctx, query)
 	if err != nil {
 		return nil, err
@@ -880,7 +889,7 @@ func (rp *RoleProcessor) GetTablesInDatabase(dbName string) (map[string][]string
 // GetViewsInDatabase fetches all views in a given database, grouped by schema.
 func (rp *RoleProcessor) GetViewsInDatabase(dbName string) (map[string][]string, error) {
 	ctx := context.Background()
-	query := "SHOW VIEWS IN DATABASE " + quoteIdentifier(dbName)
+	query := "SHOW VIEWS IN DATABASE " + quoteIdentifier(dbName) //nolint:gosec // G202: dbName is safely quoted by quoteIdentifier
 	rows, err := rp.db.QueryContext(ctx, query)
 	if err != nil {
 		errStr := strings.ToLower(err.Error())
@@ -985,6 +994,14 @@ func (rp *RoleProcessor) ValidateConfigObjects(role Role) error {
 			}
 		}
 	}
+	// Workspaces: validate name is a 3-part identifier (DATABASE.SCHEMA.WORKSPACE)
+	for _, ws := range role.Permissions.Workspaces {
+		parts := strings.SplitN(ws.Name, ".", 3)
+		if len(parts) != 3 || strings.TrimSpace(parts[0]) == "" || strings.TrimSpace(parts[1]) == "" || strings.TrimSpace(parts[2]) == "" {
+			errs = append(errs, fmt.Errorf("workspace permission name must be in format DATABASE.SCHEMA.WORKSPACE_NAME, got: %q", ws.Name))
+		}
+	}
+
 	if len(errs) > 0 {
 		return errors.New("configuration validation errors")
 	}
@@ -1019,7 +1036,7 @@ func (rp *RoleProcessor) FetchRoleGrants(roleName string) ([]FetchedRoleGrant, e
 	logger := rp.logger
 	ctx := context.Background()
 	qRole := quoteIdentifier(strings.ToUpper(roleName))
-	query := "SHOW GRANTS TO ROLE " + qRole
+	query := "SHOW GRANTS TO ROLE " + qRole //nolint:gosec // G202: role name is safely quoted by quoteIdentifier
 	rows, err := rp.db.QueryContext(ctx, query)
 	if err != nil {
 		logger.ErrorContext(context.Background(), "query SHOW GRANTS TO ROLE failed", "error", err, "role", roleName)
@@ -1182,6 +1199,14 @@ func (rp *RoleProcessor) buildDesiredGrantsFromConfig(role Role) map[GrantKey]st
 		}
 	}
 
+	// Workspaces
+	for _, ws := range role.Permissions.Workspaces {
+		for _, priv := range ws.Grants {
+			gk := GrantKey{Privilege: strings.ToUpper(priv), ObjectType: "WORKSPACE", ObjectName: normalizeObjectName(ws.Name)}
+			grants[gk] = struct{}{}
+		}
+	}
+
 	// Add warehouse usage grant as part of desired grants because it is a default requirement
 	warehouseName := rp.roleName + "_WAREHOUSE"
 	gk := GrantKey{
@@ -1227,7 +1252,8 @@ func (rp *RoleProcessor) syncRoleGrants(role Role) {
 		role.Permissions == nil || (len(role.Permissions.Databases) == 0 &&
 		len(role.Permissions.Schemas) == 0 &&
 		len(role.Permissions.Tables) == 0 &&
-		len(role.Permissions.Views) == 0) {
+		len(role.Permissions.Views) == 0 &&
+		len(role.Permissions.Workspaces) == 0) {
 		return
 	}