potiuk commented on code in PR #36801:
URL: https://github.com/apache/airflow/pull/36801#discussion_r1452771898


##########
airflow/jobs/triggerer_job_runner.py:
##########
@@ -715,13 +715,20 @@ def trigger_row_to_trigger_instance(self, trigger_row: 
Trigger, trigger_class: t
         """Convert a Trigger row into a Trigger instance."""
         from airflow.models.crypto import get_fernet
 
-        decrypted_kwargs = {}
         fernet = get_fernet()
-        for k, v in trigger_row.kwargs.items():
-            if k.startswith(ENCRYPTED_KWARGS_PREFIX):
-                decrypted_kwargs[k[len(ENCRYPTED_KWARGS_PREFIX) :]] = 
fernet.decrypt(
-                    v.encode("utf-8")
-                ).decode("utf-8")
-            else:
-                decrypted_kwargs[k] = v
+
+        def _decrypt(_value: Any) -> Any:
+            if isinstance(_value, str):
+                return fernet.decrypt(_value.encode("utf-8")).decode("utf-8")
+            if isinstance(_value, dict):
+                return {k: _decrypt(v) for k, v in _value.items()}
+            if isinstance(_value, list):
+                return [_decrypt(v) for v in _value]
+            if isinstance(_value, tuple):
+                return tuple(_decrypt(v) for v in _value)
+            return _value
+
+        decrypted_kwargs = {}
+        for key, value in trigger_row.kwargs.items():
+            decrypted_kwargs[key] = _decrypt(value)
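
Review bot: `_decrypt` calls `fernet.decrypt` on every `str` value now that the `ENCRYPTED_KWARGS_PREFIX` check and its pass-through `else` branch are removed, so a trigger row that holds a plaintext string kwarg has no path that returns it unchanged. Consider keeping a marker for encrypted values, or handling the decryption failure explicitly for such rows. In the `dict` branch only the values are decrypted and the keys are left as stored, which deserves a short docstring on `_decrypt` saying that this is intended.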

Review Comment:
   Hmm. I am not sure. That will complicate rotation of the fernet key.

   Actually, if you look at the definition of the Trigger, this field is ExtendedJson, which (look at it) already serializes whatever is passed to it as a string (and this is how it stores it).

   So actually what we would need to do is, I think, modify ExtendedJson to encrypt/decrypt the serialized string just before saving/after retrieving it, and there all the fernet_rotation could also be implemented much faster (without having to deserialize the data; it will just need to be re-encrypted). Also, this ExtendedJson field type **could** handle migration from a previous Airflow version and simply use the original string if decryption fails.
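
A sketch of the approach this comment proposes, as an added example that is not part of the comment or of Airflow's code: the serialized JSON string is encrypted as a whole, rows that fail decryption are read as legacy plaintext, and rotation re-encrypts the token without deserializing it. The function names, keys and sample kwargs are hypothetical, and the `cryptography` package's `MultiFernet` stands in for Airflow's `get_fernet()`.

```python
import json

from cryptography.fernet import Fernet, InvalidToken, MultiFernet


def encrypt_column(kwargs: dict, fernet: MultiFernet) -> str:
    """Serialize the whole kwargs dict, then encrypt the resulting string."""
    serialized = json.dumps(kwargs)
    return fernet.encrypt(serialized.encode("utf-8")).decode("utf-8")


def decrypt_column(stored: str, fernet: MultiFernet) -> dict:
    """Decrypt after retrieval; read rows that fail decryption as legacy JSON."""
    try:
        serialized = fernet.decrypt(stored.encode("utf-8")).decode("utf-8")
    except InvalidToken:
        # Assumption: rows written before encryption was added hold plain JSON.
        serialized = stored
    # A token under an unknown key is not valid JSON, so this raises ValueError.
    return json.loads(serialized)


def rotate_column(stored: str, fernet: MultiFernet) -> str:
    """Re-encrypt under the first key without deserializing encrypted rows."""
    try:
        return fernet.rotate(stored.encode("utf-8")).decode("utf-8")
    except InvalidToken:
        json.loads(stored)  # only legacy plaintext JSON may be encrypted as-is
        return fernet.encrypt(stored.encode("utf-8")).decode("utf-8")


def demo() -> dict:
    """Run one row through write, key rotation and read (constructed data)."""
    old_key, new_key = Fernet(Fernet.generate_key()), Fernet(Fernet.generate_key())
    kwargs = {"conn": {"password": "constructed-secret"}, "poll_interval": 5}
    row = encrypt_column(kwargs, MultiFernet([old_key]))
    rotated = rotate_column(row, MultiFernet([new_key, old_key]))
    try:
        decrypt_column(row, MultiFernet([new_key]))  # old key not configured
        rejected = False
    except ValueError:
        rejected = True
    return {
        "kwargs": kwargs,
        "row": row,
        "after_rotation": decrypt_column(rotated, MultiFernet([new_key])),
        "legacy": decrypt_column(json.dumps(kwargs), MultiFernet([new_key])),
        "unknown_key_rejected": rejected,
    }
```

The plaintext fallback stays fail-closed for a token whose key is no longer configured: the token is not valid JSON, so parsing raises instead of handing ciphertext to the trigger as data.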


