jscheffl commented on code in PR #36492: URL: https://github.com/apache/airflow/pull/36492#discussion_r1438942362
########## tests/models/test_trigger.py: ########## @@ -337,3 +341,47 @@ def test_get_sorted_triggers_different_priority_weights(session, create_task_ins trigger_ids_query = Trigger.get_sorted_triggers(capacity=100, alive_triggerer_ids=[], session=session) assert trigger_ids_query == [(2,), (1,)] + + +class SensitiveKwargsTrigger(BaseTrigger): + """ + A trigger that has sensitive kwargs. + """ + + def __init__(self, param1: str, param2: str): + super().__init__() + self.param1 = param1 + self.param2 = param2 + + def serialize(self) -> tuple[str, dict[str, Any]]: + return ( + "tests.models.test_trigger.SensitiveKwargsTrigger", + { + "param1": self.param1, + "encrypted__param2": self.param2, + }, + ) + + async def run(self) -> AsyncIterator[TriggerEvent]: + yield TriggerEvent({}) + + +@conf_vars({("core", "fernet_key"): Fernet.generate_key().decode()}) +def test_serialize_sensitive_kwargs(): + """ + Tests that sensitive kwargs are encrypted. + """ + trigger_instance = SensitiveKwargsTrigger(param1="value1", param2="value2") + trigger_row: Trigger = Trigger.from_object(trigger_instance) + + assert trigger_row.kwargs["param1"] == "value1" + assert ( + get_fernet().decrypt(trigger_row.kwargs["encrypted__param2"].encode("utf-8")).decode("utf-8") + == "value2" + ) Review Comment: In this pytest you actually re-implement the 100% encryption logic. Can you rather test on an "abstract" level, that stored value in DB is != the original value? Details of encryption should be in the implementation (=black box), pytest just should ensire you do not miss a regression and by accident with an update the encryption is missed. Proposal: ```suggestion assert trigger_row.kwargs["encrypted__param2"] # Check that it contains a value assert trigger_row.kwargs["encrypted__param2"] != "value2" ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org