This is an automated email from the ASF dual-hosted git repository.

husseinawala pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new f411c147cd inherit key "verify" from env into session so that 
kv_client can read it properly (#38614)
f411c147cd is described below

commit f411c147cd7d7b21295b152e37566a159ddf94fe
Author: Charlie <[email protected]>
AuthorDate: Tue May 14 23:20:49 2024 -0400

    inherit key "verify" from env into session so that kv_client can read it 
properly (#38614)
---
 .../hashicorp/_internal_client/vault_client.py     |  2 +
 .../_internal_client/test_vault_client.py          | 64 ++++++++++++++++++++++
 2 files changed, 66 insertions(+)

diff --git a/airflow/providers/hashicorp/_internal_client/vault_client.py 
b/airflow/providers/hashicorp/_internal_client/vault_client.py
index a90188f996..98bcc71405 100644
--- a/airflow/providers/hashicorp/_internal_client/vault_client.py
+++ b/airflow/providers/hashicorp/_internal_client/vault_client.py
@@ -212,6 +212,8 @@ class _VaultClient(LoggingMixin):
             session = Session()
             session.mount("http://";, adapter)
             session.mount("https://";, adapter)
+            if self.kwargs and "verify" in self.kwargs:
+                session.verify = self.kwargs["verify"]
             self.kwargs["session"] = session
 
         _client = hvac.Client(url=self.url, **self.kwargs)
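Review bot: When `verify` is `False`, the added `session.verify = self.kwargs["verify"]` disables certificate validation on the session that carries Vault tokens and secrets, and nothing in the logs records it. Since the hunk header shows the class derives from `LoggingMixin`, a warning next to the assignment would make that state visible to operators: `if self.kwargs["verify"] is False: self.log.warning("TLS certificate verification is disabled for the Vault connection")`. The `self.kwargs and` part of the guard looks redundant, because the next line indexes `self.kwargs` unconditionally; `if "verify" in self.kwargs:` says the same thing. The enclosing method and the `if` that creates the session start outside the hunk, so `verify` presumably reaches only a session built here and not one supplied by the caller; a short comment stating that would help.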
diff --git a/tests/providers/hashicorp/_internal_client/test_vault_client.py 
b/tests/providers/hashicorp/_internal_client/test_vault_client.py
index 2973178e0a..f491f12129 100644
--- a/tests/providers/hashicorp/_internal_client/test_vault_client.py
+++ b/tests/providers/hashicorp/_internal_client/test_vault_client.py
@@ -837,6 +837,70 @@ class TestVaultClient:
             mount_point="secret", path="/path/to/secret"
         )
 
+    
@mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
+    def test_get_existing_key_v1_ssl_verify_false(self, mock_hvac):
+        mock_client = mock.MagicMock()
+        mock_hvac.Client.return_value = mock_client
+
+        mock_client.secrets.kv.v1.read_secret.return_value = {
+            "request_id": "182d0673-618c-9889-4cba-4e1f4cfe4b4b",
+            "lease_id": "",
+            "renewable": False,
+            "lease_duration": 2764800,
+            "data": {"value": "world"},
+            "wrap_info": None,
+            "warnings": None,
+            "auth": None,
+        }
+
+        vault_client = _VaultClient(
+            auth_type="radius",
+            radius_host="radhost",
+            radius_port=8110,
+            radius_secret="pass",
+            kv_engine_version=1,
+            url="http://localhost:8180";,
+            verify=False,
+        )
+        secret = vault_client.get_secret(secret_path="/path/to/secret")
+        assert {"value": "world"} == secret
+        assert not vault_client.kwargs["session"].verify
+        mock_client.secrets.kv.v1.read_secret.assert_called_once_with(
+            mount_point="secret", path="/path/to/secret"
+        )
+
+    
@mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
+    def test_get_existing_key_v1_trust_private_ca(self, mock_hvac):
+        mock_client = mock.MagicMock()
+        mock_hvac.Client.return_value = mock_client
+
+        mock_client.secrets.kv.v1.read_secret.return_value = {
+            "request_id": "182d0673-618c-9889-4cba-4e1f4cfe4b4b",
+            "lease_id": "",
+            "renewable": False,
+            "lease_duration": 2764800,
+            "data": {"value": "world"},
+            "wrap_info": None,
+            "warnings": None,
+            "auth": None,
+        }
+
+        vault_client = _VaultClient(
+            auth_type="radius",
+            radius_host="radhost",
+            radius_port=8110,
+            radius_secret="pass",
+            kv_engine_version=1,
+            url="http://localhost:8180";,
+            verify="/etc/ssl/certificates/ca-bundle.pem",
+        )
+        secret = vault_client.get_secret(secret_path="/path/to/secret")
+        assert {"value": "world"} == secret
+        assert "/etc/ssl/certificates/ca-bundle.pem" == 
vault_client.kwargs["session"].verify
+        mock_client.secrets.kv.v1.read_secret.assert_called_once_with(
+            mount_point="secret", path="/path/to/secret"
+        )
+
     
@mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
     def test_get_existing_key_v1_without_preconfigured_mount_point(self, 
mock_hvac):
         mock_client = mock.MagicMock()
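Review bot: In `test_get_existing_key_v1_ssl_verify_false`, `assert not vault_client.kwargs["session"].verify` passes for any falsy value (`None`, `""`, `0`), so it does not pin that the session received exactly what the caller passed; `assert vault_client.kwargs["session"].verify is False` is the tighter check. Neither new test covers the default, which is the security-relevant case: a third test that builds `_VaultClient` without `verify` and asserts `vault_client.kwargs["session"].verify is True` would guard against a later change silently turning validation off. The two added tests differ only in the `verify` value and the final assertion, so they could be folded into one parametrized test. The `TestVaultClient` class begins outside the hunk.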
