jscheffl commented on code in PR #60771: URL: https://github.com/apache/airflow/pull/60771#discussion_r2705944190
########## task-sdk/src/airflow/sdk/crypto.py: ########## 
@@ -0,0 +1,118 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from __future__ import annotations
+
+import logging
+from functools import cache
+from typing import Protocol
+
+log = logging.getLogger(__name__)
+
+
+class FernetProtocol(Protocol):
+ """This class is only used for TypeChecking (for IDEs, mypy, etc)."""
+
+ is_encrypted: bool
+
+ def decrypt(self, msg: bytes | str, ttl: int | None = None) -> bytes:
+ """Decrypt with Fernet."""
+ ...
+
+ def encrypt(self, msg: bytes) -> bytes:
+ """Encrypt with Fernet."""
+ ...
+
+
+class _NullFernet:
+ """
+ A "Null" encryptor class that doesn't encrypt or decrypt but that presents a similar interface to Fernet.
+
+ The purpose of this is to make the rest of the code not have to know the
+ difference, and to only display the message once, not 20 times when
+ `airflow db migrate` is run.
+ """
+
+ is_encrypted = False
+
+ def decrypt(self, msg: bytes | str, ttl: int | None = None) -> bytes:
+ """Decrypt with Fernet."""
+ if isinstance(msg, bytes):
+ return msg
+ if isinstance(msg, str):
+ return msg.encode("utf-8")
+ raise ValueError(f"Expected bytes or str, got {type(msg)}")
+
+ def encrypt(self, msg: bytes) -> bytes:
+ """Encrypt with Fernet."""
+ return msg
+
+
+class _RealFernet:
+ """
+ A wrapper around the real Fernet to set is_encrypted to True.
+
+ This class is only used internally to avoid changing the interface of
+ the get_fernet function.
+ """
+
+ from cryptography.fernet import Fernet, MultiFernet
+
+ is_encrypted = True
+
+ def __init__(self, fernet: MultiFernet):
+ self._fernet = fernet
+
+ def decrypt(self, msg: bytes | str, ttl: int | None = None) -> bytes:
+ """Decrypt with Fernet."""
+ return self._fernet.decrypt(msg, ttl)
+
+ def encrypt(self, msg: bytes) -> bytes:
+ """Encrypt with Fernet."""
+ return self._fernet.encrypt(msg)
+
+ def rotate(self, msg: bytes | str) -> bytes:
Review Comment: This is because of my previous work where I cleaned-up code. NulLFernet is just kept for the very special cases where no KEY is provided in unit tests, in all regular runs the fernet key is either externally provided or generated at startup (config file is re-written then) I left this gap explicitly, rotation is called by CLI only if you make this in a unit test it might fail. But all real deployments will not have NullFernet. I actually wanted to completely delete it but in the PR review the discussion tended to keep it... still I'd propose again to just drop it... and for testing we could still use a fixture in my view.
-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
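Review bot: The `from cryptography.fernet import Fernet, MultiFernet` inside the `_RealFernet` class body executes when the module is imported and binds `Fernet` and `MultiFernet` as class attributes, so importing `airflow.sdk.crypto` hard-fails without `cryptography` even on the code path where only `_NullFernet` would be used, and `Fernet` is not referenced anywhere in the quoted code. Because the file already has `from __future__ import annotations` and `MultiFernet` appears here only in the `__init__` annotation, the import can move to module level as `if TYPE_CHECKING:` / `    from cryptography.fernet import MultiFernet`, with `TYPE_CHECKING` added to the existing `from typing import Protocol` line. If `get_fernet`, which is not in this excerpt, needs the real classes at runtime, import them there (or at the top of the module) rather than through the class namespace, where `_RealFernet.Fernet` leaks as a public-looking attribute. The body of `_RealFernet.rotate` and the remainder of the 118-line file lie outside the quoted hunk.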
