jscheffl commented on code in PR #36492:
URL: https://github.com/apache/airflow/pull/36492#discussion_r1438942362


##########
tests/models/test_trigger.py:
##########
@@ -337,3 +341,47 @@ def 
test_get_sorted_triggers_different_priority_weights(session, create_task_ins
     trigger_ids_query = Trigger.get_sorted_triggers(capacity=100, 
alive_triggerer_ids=[], session=session)
 
     assert trigger_ids_query == [(2,), (1,)]
+
+
+class SensitiveKwargsTrigger(BaseTrigger):
+    """
+    A trigger that has sensitive kwargs.
+    """
+
+    def __init__(self, param1: str, param2: str):
+        super().__init__()
+        self.param1 = param1
+        self.param2 = param2
+
+    def serialize(self) -> tuple[str, dict[str, Any]]:
+        return (
+            "tests.models.test_trigger.SensitiveKwargsTrigger",
+            {
+                "param1": self.param1,
+                "encrypted__param2": self.param2,
+            },
+        )
+
+    async def run(self) -> AsyncIterator[TriggerEvent]:
+        yield TriggerEvent({})
+
+
+@conf_vars({("core", "fernet_key"): Fernet.generate_key().decode()})
+def test_serialize_sensitive_kwargs():
+    """
+    Tests that sensitive kwargs are encrypted.
+    """
+    trigger_instance = SensitiveKwargsTrigger(param1="value1", param2="value2")
+    trigger_row: Trigger = Trigger.from_object(trigger_instance)
+
+    assert trigger_row.kwargs["param1"] == "value1"
+    assert (
+        
get_fernet().decrypt(trigger_row.kwargs["encrypted__param2"].encode("utf-8")).decode("utf-8")
+        == "value2"
+    )

Review Comment:
   In this pytest you actually re-implement 100% of the encryption logic. Can you 
rather test on an "abstract" level that the value stored in the DB is != the original 
value?
   Details of the encryption should stay in the implementation (= black box); the pytest 
should just ensure you do not miss a regression where, by accident, an update 
drops the encryption.
   
   Proposal:
   ```suggestion
       assert trigger_row.kwargs["encrypted__param2"] # Check that it contains 
a value
       assert trigger_row.kwargs["encrypted__param2"] != "value2"
   ```


