From fe1648007668ac25e8851e52a4695602a7482684 Mon Sep 17 00:00:00 2001
From: Ziyi Chen
Date: Fri, 29 Mar 2024 05:18:23 -0400
Subject: [PATCH 1/9] inherit key verify from env into session so that kv_client can read it properly
---
 airflow/providers/hashicorp/_internal_client/vault_client.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/airflow/providers/hashicorp/_internal_client/vault_client.py b/airflow/providers/hashicorp/_internal_client/vault_client.py
index 5d0ef90afca13..70e03b15af417 100644
--- a/airflow/providers/hashicorp/_internal_client/vault_client.py
+++ b/airflow/providers/hashicorp/_internal_client/vault_client.py
@@ -207,6 +207,8 @@ def _client(self) -> hvac.Client:
 session = Session()
 session.mount("http://", adapter)
 session.mount("https://", adapter)
+ if self.kwargs["verify"] is not None:
+ session.verify = self.kwargs["verify"]
 self.kwargs["session"] = session
 _client = hvac.Client(url=self.url, **self.kwargs)
From a17b61bad9b344e5d416e353c1e96c99b59c89ea Mon Sep 17 00:00:00 2001
From: Ziyi Chen
Date: Fri, 29 Mar 2024 06:48:31 -0400
Subject: [PATCH 2/9] add assurance
---
 airflow/providers/hashicorp/_internal_client/vault_client.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/airflow/providers/hashicorp/_internal_client/vault_client.py b/airflow/providers/hashicorp/_internal_client/vault_client.py
index 70e03b15af417..f3ed21f87abf3 100644
--- a/airflow/providers/hashicorp/_internal_client/vault_client.py
+++ b/airflow/providers/hashicorp/_internal_client/vault_client.py
@@ -207,8 +207,9 @@ def _client(self) -> hvac.Client:
 session = Session()
 session.mount("http://", adapter)
 session.mount("https://", adapter)
- if self.kwargs["verify"] is not None:
- session.verify = self.kwargs["verify"]
+ if self.kwargs is not None and "verify" in self.kwargs:
+ if self.kwargs["verify"] is not None:
+ session.verify = self.kwargs["verify"]
 self.kwargs["session"] = session
 _client = hvac.Client(url=self.url, **self.kwargs)
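Review bot: The new guard `if self.kwargs is not None and "verify" in self.kwargs:` only half protects against a missing dict, because the unconditional `self.kwargs["session"] = session` that directly follows it still indexes `self.kwargs` and would raise TypeError on `None`; `if "verify" in self.kwargs:` states the real precondition without the dead branch. The same redundant outer check survives, as `self.kwargs and "verify" in self.kwargs`, in the vault_client.py hunks of patches 3, 4 and 5 of this series. Since `verify` is not popped from `self.kwargs`, it is also forwarded to `hvac.Client(url=self.url, **self.kwargs)` on the last context line, so the value now lives both on the session and in the client kwargs; a why-comment on the assignment, e.g. `# mirror verify onto the session: the kv client reads the setting from there (see series subject)`, would stop a later cleanup from dropping one of the two. `_client` continues outside the hunk.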
From a1f775810e15c7d6a01e7ef4adefe039c25a3660 Mon Sep 17 00:00:00 2001
From: Charlie
Date: Sat, 30 Mar 2024 11:16:19 -0400
Subject: [PATCH 3/9] Update airflow/providers/hashicorp/_internal_client/vault_client.py
Co-authored-by: Gopal Dirisala <39794726+dirrao@users.noreply.github.com>
---
 airflow/providers/hashicorp/_internal_client/vault_client.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/airflow/providers/hashicorp/_internal_client/vault_client.py b/airflow/providers/hashicorp/_internal_client/vault_client.py
index f3ed21f87abf3..505f71b05aaec 100644
--- a/airflow/providers/hashicorp/_internal_client/vault_client.py
+++ b/airflow/providers/hashicorp/_internal_client/vault_client.py
@@ -207,7 +207,7 @@ def _client(self) -> hvac.Client:
 session = Session()
 session.mount("http://", adapter)
 session.mount("https://", adapter)
- if self.kwargs is not None and "verify" in self.kwargs:
+ if self.kwargs and "verify" in self.kwargs:
 if self.kwargs["verify"] is not None:
 session.verify = self.kwargs["verify"]
 self.kwargs["session"] = session
From 602d2768c5ba90e86ec54e550b9d3afddcbf6780 Mon Sep 17 00:00:00 2001
From: Charlie
Date: Sat, 30 Mar 2024 11:16:24 -0400
Subject: [PATCH 4/9] Update airflow/providers/hashicorp/_internal_client/vault_client.py
Co-authored-by: Gopal Dirisala <39794726+dirrao@users.noreply.github.com>
---
 airflow/providers/hashicorp/_internal_client/vault_client.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/airflow/providers/hashicorp/_internal_client/vault_client.py b/airflow/providers/hashicorp/_internal_client/vault_client.py
index 505f71b05aaec..99daf1efc3b31 100644
--- a/airflow/providers/hashicorp/_internal_client/vault_client.py
+++ b/airflow/providers/hashicorp/_internal_client/vault_client.py
@@ -208,7 +208,7 @@ def _client(self) -> hvac.Client:
 session.mount("http://", adapter)
 session.mount("https://", adapter)
 if self.kwargs and "verify" in self.kwargs:
- if self.kwargs["verify"] is not None:
+ if self.kwargs["verify"]:
 session.verify = self.kwargs["verify"]
 self.kwargs["session"] = session
From edbff794b093cacb09ca185ec3c9b0b28653c39e Mon Sep 17 00:00:00 2001
From: Ziyi Chen
Date: Tue, 2 Apr 2024 17:05:36 -0400
Subject: [PATCH 5/9] add test for verify and fix False case for session dict key condition
---
 .../_internal_client/vault_client.py | 3 +-
 .../_internal_client/test_vault_client.py | 64 +++++++++++++++++++
 2 files changed, 65 insertions(+), 2 deletions(-)
diff --git a/airflow/providers/hashicorp/_internal_client/vault_client.py b/airflow/providers/hashicorp/_internal_client/vault_client.py
index 99daf1efc3b31..8de79f3aa405c 100644
--- a/airflow/providers/hashicorp/_internal_client/vault_client.py
+++ b/airflow/providers/hashicorp/_internal_client/vault_client.py
@@ -208,8 +208,7 @@ def _client(self) -> hvac.Client:
 session.mount("http://", adapter)
 session.mount("https://", adapter)
 if self.kwargs and "verify" in self.kwargs:
- if self.kwargs["verify"]:
- session.verify = self.kwargs["verify"]
+ session.verify = self.kwargs["verify"]
 self.kwargs["session"] = session
 _client = hvac.Client(url=self.url, **self.kwargs)
diff --git a/tests/providers/hashicorp/_internal_client/test_vault_client.py b/tests/providers/hashicorp/_internal_client/test_vault_client.py
index 2973178e0a65c..50a78f31a4c1e 100644
--- a/tests/providers/hashicorp/_internal_client/test_vault_client.py
+++ b/tests/providers/hashicorp/_internal_client/test_vault_client.py
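Review bot: With the inner truthiness test removed, `verify=False` now genuinely lands on `session.verify`, which switches certificate validation off for every request the Vault session makes, and nothing in `_client` makes that visible. If `_VaultClient` carries the usual `self.log`, a single line next to the assignment, `if session.verify is False: self.log.warning("TLS certificate verification for the Vault connection is disabled")`, would surface a misconfiguration in the task log instead of leaving it silent. The assignment would also benefit from a short comment stating the accepted value shapes (`True`/`False` or a CA-bundle path, as the new tests exercise) so the next reader does not assume it is a bool. `_client` continues outside the hunk.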
@@ -837,6 +837,70 @@ def test_get_existing_key_v1(self, mock_hvac):
 mount_point="secret", path="/path/to/secret"
 )
+ @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
+ def test_get_existing_key_v1_ssl_verify_false(self, mock_hvac):
+ mock_client = mock.MagicMock()
+ mock_hvac.Client.return_value = mock_client
+
+ mock_client.secrets.kv.v1.read_secret.return_value = {
+ "request_id": "182d0673-618c-9889-4cba-4e1f4cfe4b4b",
+ "lease_id": "",
+ "renewable": False,
+ "lease_duration": 2764800,
+ "data": {"value": "world"},
+ "wrap_info": None,
+ "warnings": None,
+ "auth": None,
+ }
+
+ vault_client = _VaultClient(
+ auth_type="radius",
+ radius_host="radhost",
+ radius_port=8110,
+ radius_secret="pass",
+ kv_engine_version=1,
+ url="http://localhost:8180",
+ verify=False
+ )
+ secret = vault_client.get_secret(secret_path="/path/to/secret")
+ assert {"value": "world"} == secret
+ assert False == vault_client.kwargs["session"].verify
+ mock_client.secrets.kv.v1.read_secret.assert_called_once_with(
+ mount_point="secret", path="/path/to/secret"
+ )
+
+ @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
+ def test_get_existing_key_v1_trust_private_ca(self, mock_hvac):
+ mock_client = mock.MagicMock()
+ mock_hvac.Client.return_value = mock_client
+
+ mock_client.secrets.kv.v1.read_secret.return_value = {
+ "request_id": "182d0673-618c-9889-4cba-4e1f4cfe4b4b",
+ "lease_id": "",
+ "renewable": False,
+ "lease_duration": 2764800,
+ "data": {"value": "world"},
+ "wrap_info": None,
+ "warnings": None,
+ "auth": None,
+ }
+
+ vault_client = _VaultClient(
+ auth_type="radius",
+ radius_host="radhost",
+ radius_port=8110,
+ radius_secret="pass",
+ kv_engine_version=1,
+ url="http://localhost:8180",
+ verify='/etc/ssl/certificates/ca-bundle.pem'
+ )
+ secret = vault_client.get_secret(secret_path="/path/to/secret")
+ assert {"value": "world"} == secret
+ assert "/etc/ssl/certificates/ca-bundle.pem" ==
vault_client.kwargs["session"].verify
+ mock_client.secrets.kv.v1.read_secret.assert_called_once_with(
+ mount_point="secret", path="/path/to/secret"
+ )
+
 @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
 def test_get_existing_key_v1_without_preconfigured_mount_point(self, mock_hvac):
 mock_client = mock.MagicMock()
From 5a698aeefc4279f1b4d8fd150d76f7876e37945d Mon Sep 17 00:00:00 2001
From: Ziyi Chen
Date: Wed, 3 Apr 2024 15:15:12 -0400
Subject: [PATCH 6/9] fix missing ,
---
 .../providers/hashicorp/_internal_client/test_vault_client.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/providers/hashicorp/_internal_client/test_vault_client.py b/tests/providers/hashicorp/_internal_client/test_vault_client.py
index 50a78f31a4c1e..1282be9584620 100644
--- a/tests/providers/hashicorp/_internal_client/test_vault_client.py
+++ b/tests/providers/hashicorp/_internal_client/test_vault_client.py
@@ -860,7 +860,7 @@ def test_get_existing_key_v1_ssl_verify_false(self, mock_hvac):
 radius_secret="pass",
 kv_engine_version=1,
 url="http://localhost:8180",
- verify=False
+ verify=False,
 )
 secret = vault_client.get_secret(secret_path="/path/to/secret")
 assert {"value": "world"} == secret
@@ -892,7 +892,7 @@ def test_get_existing_key_v1_trust_private_ca(self, mock_hvac):
 radius_secret="pass",
 kv_engine_version=1,
 url="http://localhost:8180",
- verify='/etc/ssl/certificates/ca-bundle.pem'
+ verify='/etc/ssl/certificates/ca-bundle.pem',
 )
 secret = vault_client.get_secret(secret_path="/path/to/secret")
 assert {"value": "world"} == secret
From 1418c8045b4c70153fb5f77054ee2914f98e0374 Mon Sep 17 00:00:00 2001
From: Ziyi Chen
Date: Thu, 4 Apr 2024 22:07:28 -0400
Subject: [PATCH 7/9] fix "
---
 tests/providers/hashicorp/_internal_client/test_vault_client.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
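Review bot: The two new tests in the test_vault_client.py hunk are byte-for-byte copies of each other apart from the `verify` argument and the matching assertion, so a single parametrized test would carry the same coverage with one fixture instead of two; the sketch below assumes the module already imports `pytest`, which I cannot see from the hunk. Both tests also only prove that `vault_client.kwargs["session"].verify` is set: `hvac` is patched, so nothing checks that the value reaches an HTTP request, and with `url="http://localhost:8180"` a plain-http URL would never consult `verify` even unmocked — worth saying in a one-line comment so nobody mistakes them for end-to-end TLS tests. The surrounding test class starts and ends outside the hunk.
```python
@pytest.mark.parametrize("verify", [False, "/etc/ssl/certificates/ca-bundle.pem"])
@mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
def test_get_existing_key_v1_ssl_verify(self, mock_hvac, verify):
    # Only checks that the configured value is mirrored onto the session;
    # hvac is mocked, so no request (and no TLS handshake) is made.
    mock_client = mock.MagicMock()
    mock_hvac.Client.return_value = mock_client
    # … unchanged: read_secret.return_value fixture …
    vault_client = _VaultClient(
        auth_type="radius",
        radius_host="radhost",
        radius_port=8110,
        radius_secret="pass",
        kv_engine_version=1,
        url="http://localhost:8180",
        verify=verify,
    )
    secret = vault_client.get_secret(secret_path="/path/to/secret")
    assert {"value": "world"} == secret
    assert vault_client.kwargs["session"].verify == verify
    mock_client.secrets.kv.v1.read_secret.assert_called_once_with(
        mount_point="secret", path="/path/to/secret"
    )
```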
diff --git a/tests/providers/hashicorp/_internal_client/test_vault_client.py b/tests/providers/hashicorp/_internal_client/test_vault_client.py
index 1282be9584620..42a2e44ed1f3e 100644
--- a/tests/providers/hashicorp/_internal_client/test_vault_client.py
+++ b/tests/providers/hashicorp/_internal_client/test_vault_client.py
@@ -892,7 +892,7 @@ def test_get_existing_key_v1_trust_private_ca(self, mock_hvac):
 radius_secret="pass",
 kv_engine_version=1,
 url="http://localhost:8180",
- verify='/etc/ssl/certificates/ca-bundle.pem',
+ verify="/etc/ssl/certificates/ca-bundle.pem",
 )
 secret = vault_client.get_secret(secret_path="/path/to/secret")
 assert {"value": "world"} == secret
From bb88612852042844fcf8fff74e67bdb493e967fc Mon Sep 17 00:00:00 2001
From: Ziyi Chen
Date: Thu, 2 May 2024 11:53:33 -0400
Subject: [PATCH 8/9] fix typo space
---
 tests/providers/hashicorp/_internal_client/test_vault_client.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/providers/hashicorp/_internal_client/test_vault_client.py b/tests/providers/hashicorp/_internal_client/test_vault_client.py
index 42a2e44ed1f3e..f9ff6c648b204 100644
--- a/tests/providers/hashicorp/_internal_client/test_vault_client.py
+++ b/tests/providers/hashicorp/_internal_client/test_vault_client.py
@@ -899,7 +899,7 @@ def test_get_existing_key_v1_trust_private_ca(self, mock_hvac):
 assert "/etc/ssl/certificates/ca-bundle.pem" == vault_client.kwargs["session"].verify
 mock_client.secrets.kv.v1.read_secret.assert_called_once_with(
 mount_point="secret", path="/path/to/secret"
- )
+ )
 @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
 def test_get_existing_key_v1_without_preconfigured_mount_point(self, mock_hvac):
From 2c628c9a202868f5e42b19796b76db6238462e16 Mon Sep 17 00:00:00 2001
From: Ziyi Chen
Date: Thu, 2 May 2024 12:18:13 -0400
Subject: [PATCH 9/9] use not
---
 tests/providers/hashicorp/_internal_client/test_vault_client.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/providers/hashicorp/_internal_client/test_vault_client.py b/tests/providers/hashicorp/_internal_client/test_vault_client.py
index f9ff6c648b204..f491f12129007 100644
--- a/tests/providers/hashicorp/_internal_client/test_vault_client.py
+++ b/tests/providers/hashicorp/_internal_client/test_vault_client.py
@@ -864,7 +864,7 @@ def test_get_existing_key_v1_ssl_verify_false(self, mock_hvac):
 )
 secret = vault_client.get_secret(secret_path="/path/to/secret")
 assert {"value": "world"} == secret
- assert False == vault_client.kwargs["session"].verify
+ assert not vault_client.kwargs["session"].verify
 mock_client.secrets.kv.v1.read_secret.assert_called_once_with(
 mount_point="secret", path="/path/to/secret"
 )