From 421d956daa20339e06042d16384f70f3f581f1bf Mon Sep 17 00:00:00 2001
From: richbenwell <richard.benwell@squaredup.com>
Date: Fri, 17 Apr 2026 14:28:23 -0400
Subject: [PATCH 1/4] Snowflake v1

---
 plugins/Snowflake/v1/README.md                |  3 +
 plugins/Snowflake/v1/configValidation.json    | 43 ++++++++
 .../v1/dataStreams/scripts/sqlQuery-post.js   | 36 +++++++
 .../Snowflake/v1/dataStreams/sqlQuery.json    | 80 +++++++++++++++
 plugins/Snowflake/v1/docs/setup.md            | 99 +++++++++++++++++++
 plugins/Snowflake/v1/icon.svg                 |  1 +
 plugins/Snowflake/v1/metadata.json            | 50 ++++++++++
 plugins/Snowflake/v1/ui.json                  | 50 ++++++++++
 8 files changed, 362 insertions(+)
 create mode 100644 plugins/Snowflake/v1/README.md
 create mode 100644 plugins/Snowflake/v1/configValidation.json
 create mode 100644 plugins/Snowflake/v1/dataStreams/scripts/sqlQuery-post.js
 create mode 100644 plugins/Snowflake/v1/dataStreams/sqlQuery.json
 create mode 100644 plugins/Snowflake/v1/docs/setup.md
 create mode 100644 plugins/Snowflake/v1/icon.svg
 create mode 100644 plugins/Snowflake/v1/metadata.json
 create mode 100644 plugins/Snowflake/v1/ui.json

diff --git a/plugins/Snowflake/v1/README.md b/plugins/Snowflake/v1/README.md
new file mode 100644
index 0000000..369130a
--- /dev/null
+++ b/plugins/Snowflake/v1/README.md
@@ -0,0 +1,3 @@
+## Overview
+
+A simple data source for Snowflake that supports Snowflake SQL queries. Requires an OAuth connection.
\ No newline at end of file
diff --git a/plugins/Snowflake/v1/configValidation.json b/plugins/Snowflake/v1/configValidation.json
new file mode 100644
index 0000000..4b1b524
--- /dev/null
+++ b/plugins/Snowflake/v1/configValidation.json
@@ -0,0 +1,43 @@
+{
+  "steps": [
+    {
+      "displayName": "API access",
+      "dataStream": {
+        "name": "sqlQuery",
+        "config": {
+          "query": "show databases"
+        }
+      },
+      "success": "User credentials has Snowflake query permissions.",
+      "error": "User does not have permission to access the Snowflake API (query 'SHOW DATABASES' failed).",
+      "required": true
+    },
+    {
+      "displayName": "Compute access",
+      "dataStream": {
+        "name": "sqlQuery",
+        "config": {
+          "query": "select 1/1",
+          "errorOnEmptyResults": true
+        }
+      },
+      "success": "User has access to warehouse.",
+      "error": "User does not have access to a warehouse (query 'SELECT 1/1' failed). Check user's role is configured with a default warehouse and has warehouse permissions.",
+      "required": true
+    },
+        {
+      "displayName": "Database access",
+      "dataStream": {
+        "name": "sqlQuery",
+        "config": {
+          "query": "show databases",
+          "errorOnEmptyResults": true
+        }
+      },
+      "success": "User has access to at least one database.",
+      "error": "User does not have permission to access any databases. Check user's default role or specify a role.",
+      "required": false
+    }
+  ]
+}
+
diff --git a/plugins/Snowflake/v1/dataStreams/scripts/sqlQuery-post.js b/plugins/Snowflake/v1/dataStreams/scripts/sqlQuery-post.js
new file mode 100644
index 0000000..1437115
--- /dev/null
+++ b/plugins/Snowflake/v1/dataStreams/scripts/sqlQuery-post.js
@@ -0,0 +1,36 @@
+result = data.data.map( r => r.reduce((obj, value, i) => {
+    const columnName = data.resultSetMetaData.rowType[i].name;
+    obj[columnName] = value;
+    return obj;
+}, {}));
+
+// support value column for autoComplete queries
+if (context.config.valueColumn) {
+    metadata = [
+        {
+            name: context.config.valueColumn,
+            role: "value"
+        }
+    ]
+} else {
+    const typeMapping = {
+        "text": "string",
+        "fixed": "number",
+        "real": "number",
+        "varchar": "string",
+        "date": "date",
+        "timestamp": "date"
+    };
+
+    metadata = data.resultSetMetaData.rowType.map( c => {
+        return {
+            name: c.name,
+            shape: typeMapping[c.type] || "string"
+        }
+    });
+}
+
+// used for validation queries
+if (context.config.errorOnEmptyResults === true && data.data.length === 0) {
+    throw new Error("No results");
+}
\ No newline at end of file
diff --git a/plugins/Snowflake/v1/dataStreams/sqlQuery.json b/plugins/Snowflake/v1/dataStreams/sqlQuery.json
new file mode 100644
index 0000000..9e63477
--- /dev/null
+++ b/plugins/Snowflake/v1/dataStreams/sqlQuery.json
@@ -0,0 +1,80 @@
+{
+    "name": "sqlQuery",
+    "displayName": "SQL Query",
+    "baseDataSourceName": "httpRequestUnscoped",
+    "config": {
+        "httpMethod": "post",
+        "paging": {
+            "mode": "none"
+        },
+        "expandInnerObjects": true,
+        "endpointPath": "/v2/statements/",
+        "postBody": {
+            "database": "{{typeof database !== 'undefined' ? database : undefined}}",
+            "schema": "{{typeof schema !== 'undefined' ? schema : undefined}}",
+            "statement": "{{query}}"
+        },
+        "postRequestScript": "sqlQuery-post.js",
+        "getArgs": [],
+        "headers": [],
+        "valueColumn": "{{typeof valueColumn !== 'undefined' ? valueColumn : undefined}}",
+        "errorOnEmptyResults": "{{typeof errorOnEmptyResults !== 'undefined' ? errorOnEmptyResults : undefined}}"
+        
+    },
+    "ui": [
+        {
+          "name": "database",
+          "type": "autocomplete",
+          "label": "Database",
+          "validation": {
+            "required": false
+          },
+          "isMulti": false,
+          "allowCustomValues": true,
+          "data": {
+            "source": "dataStream",
+            "dataStreamName": "sqlQuery",
+            "dataSourceConfig": {
+              "valueColumn": "name",
+              "query": "show databases"
+            }
+          }
+        },
+                {
+          "name": "schema",
+          "type": "autocomplete",
+          "label": "Schema",
+          "validation": {
+            "required": false
+          },
+          "isMulti": false,
+          "allowCustomValues": true,
+          "data": {
+            "source": "dataStream",
+            "dataStreamName": "sqlQuery",
+            "dataSourceConfig": {
+                "valueColumn": "name",
+                "database": {
+                    "fieldName": "database",
+                    "required": true
+                },
+                "query": "show schemas"
+            }
+          }
+        },
+        {
+            "help": "Enter a query using Snowflake SQL syntax. You can also use parameters like {{timeframe.start}}, e.g. event_time BETWEEN '{{timeframe.start}}' AND '{{timeframe.end}}'",
+            "name": "query",
+            "language": "sql",
+            "label": "SQL query",
+            "type": "code",
+            "validation": {
+                "required": true
+            }
+        }
+    ],
+    "manualConfigApply": true,
+    "supportsNoneTimeframe": true,
+    "requiresParameterTimeframe": true,
+    "defaultTimeframe": "none"
+}
\ No newline at end of file
diff --git a/plugins/Snowflake/v1/docs/setup.md b/plugins/Snowflake/v1/docs/setup.md
new file mode 100644
index 0000000..f633110
--- /dev/null
+++ b/plugins/Snowflake/v1/docs/setup.md
@@ -0,0 +1,99 @@
+# Before you start
+
+## Creating an OAuth integration in Snowflake
+
+The Snowflake data source authenticates using OAuth.
+
+Before configuring the data source you will need to register SquaredUp with your Snowflake account bby creating a custom integration.
+
+Sample Snowflake commands for creating the integration are provided below.
+
+For more information on creating a Snowflake integration see:
+https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-oauth-snowflake
+
+
+If your SquaredUp account is in the US region (default):
+
+```
+CREATE SECURITY INTEGRATION oauth_squaredup
+  TYPE = oauth
+  OAUTH_CLIENT = custom
+  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
+  OAUTH_REDIRECT_URI = 'https://app.squaredup.com/settings/pluginsoauth2'
+  COMMENT = 'Used by SquaredUp to connect to this Snowflake account'
+```
+
+If your SquaredUp account is in the EU region (default):
+
+```
+CREATE SECURITY INTEGRATION oauth_squaredup
+  TYPE = oauth
+  OAUTH_CLIENT = custom
+  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
+  OAUTH_REDIRECT_URI = 'https://eu.app.squaredup.com/settings/pluginsoauth2'
+  COMMENT = 'Used by SquaredUp to connect to this Snowflake account'
+```
+
+Once your integration is created, run:
+
+```
+SELECT
+    oauth:OAUTH_CLIENT_SECRET::STRING AS OAUTH_CLIENT_SECRET,
+    oauth:OAUTH_CLIENT_ID::STRING AS OAUTH_CLIENT_ID
+FROM (SELECT PARSE_JSON(SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('oauth_squaredup')) AS oauth)
+
+```
+
+Use the values of the `OAUTH_CLIENT_ID` and `OAUTH_CLIENT_SECRET` columns in your configuration below. 
+
+
+## Creating a read-only user
+
+To connect to Snowflake you will need the credentials for a Snowflake user.
+
+By default, it is NOT possible to connect via OAuth using an ACCOUNTADMIN role. Snowflake automatically adds privileged roles to the blocked role list used for OAuth authorization, see https://docs.snowflake.com/en/sql-reference/parameters#oauth-add-privileged-roles-to-blocked-list
+
+We recommend a dedicated 'squaredup' user account that is assigned read only role. For more information on Snowflake users and roles, see https://docs.snowflake.com/en/user-guide/security-access-control-configure.
+
+Ensure the user has a default role set, or specify the role when configuring the data source (see below). If the user does not have a default role and no role is specified, the connection will use the PUBLIC role, which typically does not have any permissions to databases.
+
+
+# Configuration
+
+## Snowflake account identifier
+
+Enter your Snowflake account identifier.
+
+This can be found in the Snowflake portal under 'Your Username' > Account > Account Identifier.
+
+The account identifier It is in the format <org_name>-<account_name>, e.g. ABCDEFG-XYZ12345
+
+For example: `https://<your-opensearch-host>:9200`
+
+Alternatively, run the following Snowflake query:
+
+```
+SELECT CURRENT_ORGANIZATION_NAME() || '-' || CURRENT_ACCOUNT_NAME();
+```
+
+## Snowflake OAuth client ID
+
+The client ID for your Snowflake OAuth application.
+
+Enter the `OAUTH_CLIENT_ID` value from the integration you created above.
+
+## Snowflake OAuth client secret
+
+The client secret for your Snowflake OAuth application.
+
+Enter the `OAUTH_CLIENT_SECRET` value from the integration you created above.
+
+## Role (optional)
+
+Restrict OAuth connection to a specific role. If not specified, the user's default role is used.
+
+If you have created a custom role for your database, for example a read-only role, enter its name here.
+
+## Authorize
+
+Click the Sign-in button to authorize SquaredUp to access Snowflake.
diff --git a/plugins/Snowflake/v1/icon.svg b/plugins/Snowflake/v1/icon.svg
new file mode 100644
index 0000000..c7a0eba
--- /dev/null
+++ b/plugins/Snowflake/v1/icon.svg
@@ -0,0 +1 @@
+<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 146.36 139.16"><defs><style>.cls-1{fill:#29b5e8;fill-rule:evenodd;}</style></defs><path class="cls-1" d="M134.81,60.1l-16.47,9.49L134.81,79a8.65,8.65,0,1,1-8.67,15l-29.51-17a8.68,8.68,0,0,1-4.33-7.75,8.48,8.48,0,0,1,.31-2,8.68,8.68,0,0,1,4-5.19l29.51-16.94A8.69,8.69,0,0,1,138,48.31,8.58,8.58,0,0,1,134.81,60.1Zm-15.59,46L89.72,89.13a8.72,8.72,0,0,0-13.06,7.48v33.9a8.69,8.69,0,0,0,17.37,0v-19L110.54,121a8.66,8.66,0,1,0,8.68-15Zm-34-33.16L72.92,85.09a2.44,2.44,0,0,1-1.54.65H67.77a2.51,2.51,0,0,1-1.54-.65L54,72.9a2.45,2.45,0,0,1-.64-1.52v-3.6A2.5,2.5,0,0,1,54,66.25L66.23,54.06a2.5,2.5,0,0,1,1.54-.64h3.61a2.45,2.45,0,0,1,1.54.64L85.18,66.25a2.49,2.49,0,0,1,.63,1.53v3.6A2.44,2.44,0,0,1,85.18,72.9Zm-9.8-3.38A2.59,2.59,0,0,0,74.73,68l-3.55-3.51a2.51,2.51,0,0,0-1.54-.64h-.13a2.46,2.46,0,0,0-1.53.64L64.43,68a2.51,2.51,0,0,0-.63,1.55v.13a2.41,2.41,0,0,0,.63,1.52L68,74.7a2.48,2.48,0,0,0,1.53.64h.13a2.51,2.51,0,0,0,1.54-.64l3.55-3.53a2.49,2.49,0,0,0,.65-1.52ZM19.93,33.08,49.44,50a8.73,8.73,0,0,0,13.07-7.49V8.64a8.69,8.69,0,0,0-17.37,0v19l-16.53-9.5a8.65,8.65,0,1,0-8.68,15ZM84.69,51.16a8.64,8.64,0,0,0,5-1.13l29.5-17a8.65,8.65,0,1,0-8.68-15L94,27.61v-19a8.69,8.69,0,0,0-17.37,0v33.9A8.66,8.66,0,0,0,84.69,51.16ZM54.48,88a8.58,8.58,0,0,0-5,1.13L19.93,106.06a8.66,8.66,0,1,0,8.68,15l16.53-9.49v19a8.69,8.69,0,0,0,17.37,0V96.61A8.65,8.65,0,0,0,54.48,88Zm-8-15.87a8.61,8.61,0,0,0-4-10L13,45.14A8.69,8.69,0,0,0,1.17,48.31,8.59,8.59,0,0,0,4.35,60.1l16.47,9.49L4.35,79A8.65,8.65,0,1,0,13,94l29.48-17A8.59,8.59,0,0,0,46.47,72.13Zm93.15-56.22H138.3v1.63h1.32c.61,0,1-.28,1-.8S140.26,15.91,139.62,15.91Zm-2.94-1.5h3c1.62,0,2.7.89,2.7,2.27a2.16,2.16,0,0,1-1.08,1.9l1.17,1.68v.34h-1.69L139.62,19H138.3V20.6h-1.62Zm8.3,3.22a5.48,5.48,0,0,0-5.58-5.83c-3.31,0-5.51,2.39-5.51,5.83,0,3.28,2.2,5.82,5.51,5.82A5.47,5.47,0,0,0,145,17.63Zm1.38,0c0,3.89-2.6,7.14-7,7.14s-6.89-3.28-6.89-7.14,2.57-7.14,6.89-7.14S146.36,13.73,146.36,17.63Z"/></svg>
\ No newline at end of file
diff --git a/plugins/Snowflake/v1/metadata.json b/plugins/Snowflake/v1/metadata.json
new file mode 100644
index 0000000..baf71f3
--- /dev/null
+++ b/plugins/Snowflake/v1/metadata.json
@@ -0,0 +1,50 @@
+{
+    "name": "snowflake-preview",
+    "displayName": "Snowflake (Preview)",
+    "version": "1.0.0",
+    "author": {
+        "name": "SquaredUp Labs",
+        "type": "labs"
+    },
+    "description": "Query data from Snowflake.",
+    "category": "Database",
+    "type": "hybrid",
+    "schemaVersion": "2.0",
+    "base": {
+        "plugin": "WebAPI",
+        "majorVersion": "1",
+        "config": {
+            "queryArgs": [],
+            "headers": [],
+            "oauth2TokenExtraArgs": [],
+            "oauth2ClientSecret": "{{oauth2ClientSecret}}",
+            "oauth2ClientSecretLocationDuringAuth": "header",
+            "oauth2AuthUrl": "https://{{accountId}}.snowflakecomputing.com/oauth/authorize",
+            "authMode": "oauth2",
+            "oauth2GrantType": "authCode",
+            "baseUrl": "https://{{accountId}}.snowflakecomputing.com/api",
+            "oauth2TokenExtraHeaders": [
+                {
+                    "value": "application/x-www-form-urlencoded",
+                    "key": "Content-Type"
+                }
+            ],
+            "oauth2ClientId": "{{oauth2ClientId}}",
+            "oauth2TokenUrl": "https://{{accountId}}.snowflakecomputing.com/oauth/token-request",
+            "oauth2AuthExtraArgs": [],
+            "oauth2Scope": "refresh_token {{oauth2Role? 'session:role:' + oauth2Role : ''}}"
+        }
+    },
+    "links": [
+        {
+            "category": "documentation",
+            "url": "https://github.com/squaredup/plugins/blob/main/plugins/Snowflake/v1/docs/setup.md",
+            "label": "Help adding this plugin"
+        },
+        {
+            "category": "source",
+            "url": "https://github.com/squaredup/plugins/tree/main/plugins/Snowflake/v1",
+            "label": "Repository"
+        }
+    ]
+}
\ No newline at end of file
diff --git a/plugins/Snowflake/v1/ui.json b/plugins/Snowflake/v1/ui.json
new file mode 100644
index 0000000..fcaaed9
--- /dev/null
+++ b/plugins/Snowflake/v1/ui.json
@@ -0,0 +1,50 @@
+[
+    {
+        "type": "text",
+        "name": "accountId",
+        "label": "Snowflake account identifier",
+        "help": "Enter your Snowflake account identifier. Find this in the portal under Your Username > Account > Account Identifier. It is in the format <org_name>-<account_name>, e.g. ABCDEFG-XYZ12345",
+        "validation": {
+            "required": true
+        },
+        "placeholder": "<org_name>-<account_name>, e.g. ABCDEFG-XYZ12345"
+    },
+    {
+        "type": "text",
+        "name": "oauth2ClientId",
+        "label": "Snowflake OAuth client ID",
+        "help": "The client ID for your Snowflake OAuth application. See documentation for details on how to set up an OAuth application in Snowflake and obtain the client ID.",
+        "validation": {
+            "required": true
+        },
+        "placeholder": "Enter your Snowflake OAuth client ID"
+    },
+    {
+        "type": "password",
+        "name": "oauth2ClientSecret",
+        "label": "Snowflake OAuth secret",
+        "help": "The client secret for your Snowflake OAuth application. See documentation for details on how to set up an OAuth application in Snowflake and obtain the client secret.",
+        "validation": {
+            "required": true
+        },
+        "placeholder": "Enter your Snowflake OAuth secret"
+    },
+    {
+        "type": "text",
+        "name": "oauth2Role",
+        "label": "Role (optional)",
+        "help": "Scope OAuth connection to a specific role. If not specified, the user's default role is used.",
+        "validation": {
+            "required": false
+        },
+        "placeholder": "Enter your Snowflake OAuth role"
+    },
+    {
+        "type": "oAuth2",
+        "name": "oauth2AuthCodeSignIn",
+        "label": "Authorize",
+        "validation": {
+            "required": true
+        }
+    }
+]
\ No newline at end of file

From 3919b20967085a9e8c8c417b2b7dd5b8437155b4 Mon Sep 17 00:00:00 2001
From: richbenwell <richard.benwell@squaredup.com>
Date: Fri, 17 Apr 2026 15:01:25 -0400
Subject: [PATCH 2/4] Docs tidy up.

---
 plugins/Snowflake/v1/README.md     | 2 +-
 plugins/Snowflake/v1/docs/setup.md | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/plugins/Snowflake/v1/README.md b/plugins/Snowflake/v1/README.md
index 369130a..9853655 100644
--- a/plugins/Snowflake/v1/README.md
+++ b/plugins/Snowflake/v1/README.md
@@ -1,3 +1,3 @@
-## Overview
+# Snowflake plugin
 
 A simple data source for Snowflake that supports Snowflake SQL queries. Requires an OAuth connection.
\ No newline at end of file
diff --git a/plugins/Snowflake/v1/docs/setup.md b/plugins/Snowflake/v1/docs/setup.md
index f633110..36f2215 100644
--- a/plugins/Snowflake/v1/docs/setup.md
+++ b/plugins/Snowflake/v1/docs/setup.md
@@ -4,7 +4,7 @@
 
 The Snowflake data source authenticates using OAuth.
 
-Before configuring the data source you will need to register SquaredUp with your Snowflake account bby creating a custom integration.
+Before configuring the data source you will need to register SquaredUp with your Snowflake account by creating a custom integration.
 
 Sample Snowflake commands for creating the integration are provided below.
 
@@ -23,7 +23,7 @@ CREATE SECURITY INTEGRATION oauth_squaredup
   COMMENT = 'Used by SquaredUp to connect to this Snowflake account'
 ```
 
-If your SquaredUp account is in the EU region (default):
+If your SquaredUp account is in the EU region:
 
 ```
 CREATE SECURITY INTEGRATION oauth_squaredup
@@ -66,9 +66,9 @@ Enter your Snowflake account identifier.
 
 This can be found in the Snowflake portal under 'Your Username' > Account > Account Identifier.
 
-The account identifier It is in the format <org_name>-<account_name>, e.g. ABCDEFG-XYZ12345
+The account identifier is in the format <org_name>-<account_name>.
 
-For example: `https://<your-opensearch-host>:9200`
+For example: `ABCDEFG-XYZ12345`
 
 Alternatively, run the following Snowflake query:
 

From 4d5afe514062e3d7dd3dbcc38c1d33cecb71ac66 Mon Sep 17 00:00:00 2001
From: richbenwell <richard.benwell@squaredup.com>
Date: Fri, 17 Apr 2026 15:04:01 -0400
Subject: [PATCH 3/4] Remove `preview` suffix

---
 plugins/Snowflake/v1/metadata.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/plugins/Snowflake/v1/metadata.json b/plugins/Snowflake/v1/metadata.json
index baf71f3..beafd55 100644
--- a/plugins/Snowflake/v1/metadata.json
+++ b/plugins/Snowflake/v1/metadata.json
@@ -1,6 +1,6 @@
 {
-    "name": "snowflake-preview",
-    "displayName": "Snowflake (Preview)",
+    "name": "snowflake",
+    "displayName": "Snowflake",
     "version": "1.0.0",
     "author": {
         "name": "SquaredUp Labs",

From 7b384e0091925337a9526db47f5f59c7c8bf97d4 Mon Sep 17 00:00:00 2001
From: richbenwell <richard.benwell@squaredup.com>
Date: Mon, 20 Apr 2026 18:20:21 -0400
Subject: [PATCH 4/4] =?UTF-8?q?Remove=20explicit=20pass=20through=20?=
 =?UTF-8?q?=E2=80=93=C2=A0framework=20already=20does=20it?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 plugins/Snowflake/v1/dataStreams/sqlQuery.json | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/plugins/Snowflake/v1/dataStreams/sqlQuery.json b/plugins/Snowflake/v1/dataStreams/sqlQuery.json
index 9e63477..586f2a3 100644
--- a/plugins/Snowflake/v1/dataStreams/sqlQuery.json
+++ b/plugins/Snowflake/v1/dataStreams/sqlQuery.json
@@ -16,10 +16,7 @@
         },
         "postRequestScript": "sqlQuery-post.js",
         "getArgs": [],
-        "headers": [],
-        "valueColumn": "{{typeof valueColumn !== 'undefined' ? valueColumn : undefined}}",
-        "errorOnEmptyResults": "{{typeof errorOnEmptyResults !== 'undefined' ? errorOnEmptyResults : undefined}}"
-        
+        "headers": []        
     },
     "ui": [
         {