Re: [PR] Add JWT/OIDC authentication support to Hashicorp Vault provider [airflow]

via GitHub Fri, 06 Feb 2026 00:43:31 -0800


Lee-W commented on code in PR #61439:
URL: https://github.com/apache/airflow/pull/61439#discussion_r2772954535



##########
providers/hashicorp/tests/unit/hashicorp/_internal_client/test_vault_client.py:
##########
@@ -587,6 +587,120 @@ def test_kubernetes_kubernetes_jwt_path_none(self, 
mock_hvac):
                 url="http://localhost:8180";,
             )
 
+    
@mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
+    def test_jwt_with_token(self, mock_hvac):
+        mock_client = mock.MagicMock()
+        mock_hvac.Client.return_value = mock_client
+        vault_client = _VaultClient(
+            auth_type="jwt",
+            jwt_role="my-role",
+            jwt_token="eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.test",
+            url="http://localhost:8180";,
+            session=None,
+        )
+        client = vault_client.client
+        mock_hvac.Client.assert_called_with(url="http://localhost:8180";, 
session=None)
+        client.auth.jwt.jwt_login.assert_called_with(
+            role="my-role", jwt="eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.test"
+        )
+        client.is_authenticated.assert_called_with()

Review Comment:
   ```suggestion
           assert mock_hvac.Client.mock_calls == [
               call(
                   url="http://localhost:8180";,
                   session=None
               )
           ]
           assert client.auth.jwt.jwt_login.mock_calls == [
               call(
                   role="my-role",
                   jwt="eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.test",
               )
           ]
           client.is_authenticated.mock_calls == [
               call()
           ]
   ```
   



##########
providers/hashicorp/tests/unit/hashicorp/hooks/test_vault.py:
##########
@@ -733,6 +733,95 @@ def test_kubernetes_dejson(self, mock_kubernetes, 
mock_hvac, mock_get_connection
         test_client.is_authenticated.assert_called_with()
         assert test_hook.vault_client.kv_engine_version == 2
 
+    
@mock.patch("airflow.providers.hashicorp.hooks.vault.VaultHook.get_connection")
+    
@mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
+    def test_jwt_init_params(self, mock_hvac, mock_get_connection):
+        mock_client = mock.MagicMock()
+        mock_hvac.Client.return_value = mock_client
+        mock_connection = self.get_mock_connection()
+        mock_get_connection.return_value = mock_connection
+
+        connection_dict = {}
+
+        mock_connection.extra_dejson.get.side_effect = connection_dict.get
+        kwargs = {
+            "auth_type": "jwt",
+            "jwt_role": "my-role",
+            "jwt_token": "eyJhbGciOiJSUzI1NiJ9.test",
+            "vault_conn_id": "vault_conn_id",
+            "session": None,
+        }
+
+        test_hook = VaultHook(**kwargs)

Review Comment:
   Since this `kwargs` is not used elsewhere, we can just pass them into 
`VaultHook`



##########
providers/hashicorp/tests/unit/hashicorp/hooks/test_vault.py:
##########
@@ -733,6 +733,95 @@ def test_kubernetes_dejson(self, mock_kubernetes, 
mock_hvac, mock_get_connection
         test_client.is_authenticated.assert_called_with()
         assert test_hook.vault_client.kv_engine_version == 2
 
+    
@mock.patch("airflow.providers.hashicorp.hooks.vault.VaultHook.get_connection")
+    
@mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
+    def test_jwt_init_params(self, mock_hvac, mock_get_connection):
+        mock_client = mock.MagicMock()
+        mock_hvac.Client.return_value = mock_client
+        mock_connection = self.get_mock_connection()
+        mock_get_connection.return_value = mock_connection
+
+        connection_dict = {}
+
+        mock_connection.extra_dejson.get.side_effect = connection_dict.get
+        kwargs = {
+            "auth_type": "jwt",
+            "jwt_role": "my-role",
+            "jwt_token": "eyJhbGciOiJSUzI1NiJ9.test",
+            "vault_conn_id": "vault_conn_id",
+            "session": None,
+        }
+
+        test_hook = VaultHook(**kwargs)

Review Comment:
   same elsewhere



##########
providers/hashicorp/src/airflow/providers/hashicorp/secrets/vault.py:
##########
@@ -120,6 +123,9 @@ def __init__(
         radius_host: str | None = None,
         radius_secret: str | None = None,
         radius_port: int | None = None,
+        jwt_role: str | None = None,

Review Comment:
   ```suggestion
           *,
           jwt_role: str | None = None,
   ```



##########
providers/hashicorp/src/airflow/providers/hashicorp/hooks/vault.py:
##########
@@ -124,6 +128,9 @@ def __init__(
         azure_resource: str | None = None,
         radius_host: str | None = None,
         radius_port: int | None = None,
+        jwt_role: str | None = None,

Review Comment:
   ```suggestion
           *,
           jwt_role: str | None = None,
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] Add JWT/OIDC authentication support to Hashicorp Vault provider [airflow]

Reply via email to