kaxil commented on code in PR #67214:
URL: https://github.com/apache/airflow/pull/67214#discussion_r3310922155


##########
airflow-core/src/airflow/cli/commands/api_server_command.py:
##########
@@ -254,21 +259,33 @@ def api_server(args: Namespace):
     )
 
 
-def _get_ssl_cert_and_key_filepaths(cli_arguments) -> tuple[str | None, str | 
None]:
+def _get_ssl_filepaths(cli_arguments) -> tuple[str | None, str | None, str | 
None]:
     error_template_1 = "Need both, have provided {} but not {}"
     error_template_2 = "SSL related file does not exist {}"
 
-    ssl_cert, ssl_key = cli_arguments.ssl_cert, cli_arguments.ssl_key
+    ssl_cert, ssl_key, ssl_ca_file = cli_arguments.ssl_cert, 
cli_arguments.ssl_key, cli_arguments.ssl_ca_file
     if ssl_cert and ssl_key:
         if not os.path.isfile(ssl_cert):
             raise AirflowConfigException(error_template_2.format(ssl_cert))
         if not os.path.isfile(ssl_key):
             raise AirflowConfigException(error_template_2.format(ssl_key))
+        if ssl_ca_file is not None and not os.path.isfile(ssl_ca_file):
+            raise AirflowConfigException(error_template_2.format(ssl_ca_file))
 
-        return (ssl_cert, ssl_key)
+        return (ssl_cert, ssl_key, ssl_ca_file)
     if ssl_cert:
         raise AirflowConfigException(error_template_1.format("SSL 
certificate", "SSL key"))
     if ssl_key:
         raise AirflowConfigException(error_template_1.format("SSL key", "SSL 
certificate"))
 
-    return (None, None)
+    return (None, None, None)
+
+def _ssl_cert_reqs(cli_arguments):
+    cert_reqs = cli_arguments.ssl_cert_reqs
+    if cert_reqs is None or cert_reqs == "none":
+        return ssl.CERT_NONE
+    if cert_reqs == "required":
+        return ssl.CERT_REQUIRED
+    if cert_reqs == "optional":
+        return ssl.CERT_OPTIONAL
+    raise ValueError("Invalid ssl cert reqs option: %s", cert_reqs)
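Review bot: `ssl_ca_file` and the cert-reqs option are never checked against each other, so an inconsistent combination can silently leave client-certificate verification off. In `_get_ssl_filepaths` the CA file is only examined inside `if ssl_cert and ssl_key:`, so a CA file passed without a certificate and key falls through to `return (None, None, None)` with no error. `_ssl_cert_reqs` also returns `ssl.CERT_NONE` for an unset option even when a CA file was supplied; how the two results are combined by the caller is outside this hunk, so the exact runtime effect should be confirmed there. I would reject the mismatch up front, e.g. `if ssl_ca_file and not (ssl_cert and ssl_key): raise AirflowConfigException("SSL CA file requires both SSL certificate and SSL key")`, and likewise raise when `ssl_cert_reqs` is `required` or `optional` but no CA file is given. A one-line docstring on `_ssl_cert_reqs` stating that the default is `ssl.CERT_NONE` (no client certificate requested) would make the fail-open default visible to the next reader.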

Review Comment:
   The `ValueError` here won't render the bad value. `ValueError("Invalid ssl 
cert reqs option: %s", cert_reqs)` passes two positional args to the exception 
(you'd see `('Invalid ssl cert reqs option: %s', 'REQUIRED')` in the 
traceback), so the `%s` is never substituted. Either f-string it, or better, 
gate the input at parse time with `choices=("none", "optional", "required")` on 
`ARG_SSL_CERT_REQS` so a typo like `--ssl-cert-reqs REQUIRED` fails with 
argparse's standard error before reaching this function.


