This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new 62c68b704d6 Refactor VaultBackend to centralize secret path resolution
and fetching logic (#62643)
62c68b704d6 is described below
commit 62c68b704d6e36bc8b786d7481c0dd5ab2608178
Author: SameerMesiah97 <[email protected]>
AuthorDate: Tue Mar 10 19:23:10 2026 +0000
Refactor VaultBackend to centralize secret path resolution and fetching
logic (#62643)
Introduce a private helper to remove duplicated mount parsing,
base path handling, and get_secret invocation across public methods.
Co-authored-by: Sameer Mesiah <[email protected]>
---
.../airflow/providers/hashicorp/secrets/vault.py | 50 +++++++++-------------
1 file changed, 20 insertions(+), 30 deletions(-)
diff --git
a/providers/hashicorp/src/airflow/providers/hashicorp/secrets/vault.py
b/providers/hashicorp/src/airflow/providers/hashicorp/secrets/vault.py
index b60e6238510..3459314bf70 100644
--- a/providers/hashicorp/src/airflow/providers/hashicorp/secrets/vault.py
+++ b/providers/hashicorp/src/airflow/providers/hashicorp/secrets/vault.py
@@ -173,23 +173,30 @@ class VaultBackend(BaseSecretsBackend, LoggingMixin):
return split_secret_path[0], split_secret_path[1]
return "", secret_path
- def get_response(self, conn_id: str) -> dict | None:
- """
- Get data from Vault.
+ def _get_secret_with_base(self, base_path: str | None, key: str) -> dict |
None:
+ """Resolve mount and base path, then fetch the secret from Vault."""
+ mount_point, key_part = self._parse_path(key)
- :return: The data from the Vault path if exists
- """
- mount_point, conn_key = self._parse_path(conn_id)
- if self.connections_path is None or conn_key is None:
+ if base_path is None or key_part is None:
return None
- if self.connections_path == "":
- secret_path = conn_key
+
+ if base_path == "":
+ secret_path = key_part
else:
- secret_path = self.build_path(self.connections_path, conn_key)
+ secret_path = self.build_path(base_path, key_part)
+
return self.vault_client.get_secret(
secret_path=(mount_point + "/" if mount_point else "") +
secret_path
)
+ def get_response(self, conn_id: str) -> dict | None:
+ """
+ Get data from Vault.
+
+ :return: The data from the Vault path if exists
+ """
+ return self._get_secret_with_base(self.connections_path, conn_id)
+
# Make sure connection is imported this way for type checking, otherwise
when importing
# the backend it will get a circular dependency and fail
if TYPE_CHECKING:
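Review bot: The one-line docstring on `_get_secret_with_base` leaves out the contract that every lookup now depends on: a `base_path` of `None` returns `None` without calling Vault, an empty string uses the key as the whole path, and the mount prefix of the final `secret_path` is whatever `_parse_path(key)` returns for the caller-supplied key. Because `get_response`, and in the later hunks `get_variable` and `get_config`, now reach `vault_client.get_secret` only through this helper, it is the single place where a key becomes a Vault path, so the docstring should state whether the key is treated as trusted and which mounts it may select. Only the tail of `_parse_path` is visible here, so how the mount is split off should be confirmed against its full body. A smaller style point: putting `if base_path is None: return None` before the `_parse_path(key)` call would make the disabled case an early return that does not parse the key at all.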
@@ -225,16 +232,8 @@ class VaultBackend(BaseSecretsBackend, LoggingMixin):
:param team_name: Team name associated to the task trying to access
the variable (if any)
:return: Variable Value retrieved from the vault
"""
- mount_point, variable_key = self._parse_path(key)
- if self.variables_path is None or variable_key is None:
- return None
- if self.variables_path == "":
- secret_path = variable_key
- else:
- secret_path = self.build_path(self.variables_path, variable_key)
- response = self.vault_client.get_secret(
- secret_path=(mount_point + "/" if mount_point else "") +
secret_path
- )
+ response = self._get_secret_with_base(self.variables_path, key)
+
if not response:
return None
try:
@@ -250,16 +249,7 @@ class VaultBackend(BaseSecretsBackend, LoggingMixin):
:param key: Configuration Option Key
:return: Configuration Option Value retrieved from the vault
"""
- mount_point, config_key = self._parse_path(key)
- if self.config_path is None or config_key is None:
- return None
- if self.config_path == "":
- secret_path = config_key
- else:
- secret_path = self.build_path(self.config_path, config_key)
- response = self.vault_client.get_secret(
- secret_path=(mount_point + "/" if mount_point else "") +
secret_path
- )
+ response = self._get_secret_with_base(self.config_path, key)
if not response:
return None
try: