andreahlert opened a new pull request, #62344: URL: https://github.com/apache/airflow/pull/62344
## Summary Implements the security enhancement requested in issue #59844 to prevent accidental exposure of sensitive connection credentials and variable values in CLI output. ## Changes - **CLI Arguments**: Added `--show-values` and `--hide-sensitive` flags to both `airflow connections list` and `airflow variables list` commands - **Default Behavior**: Commands now show only connection IDs/types and variable keys by default, hiding sensitive values - **Security**: Sensitive data requires explicit `--show-values` flag to be displayed - **Performance**: Optimized database queries to avoid unnecessary decryption when values will be masked - **URI Masking**: Implemented smart credential masking that preserves URI structure while hiding passwords - **Testing**: Added comprehensive test coverage for edge cases and security scenarios - **Code Quality**: Refactored mapper logic into dedicated classes for better maintainability ## Backward Compatibility All existing functionality is preserved. The changes are purely additive with new default behavior being more secure. ## Testing - Added unit tests for URI masking logic - Added integration tests for CLI flag combinations - Added edge case tests for None/empty values - All existing tests continue to pass Closes #59844 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
