[airflow] branch main updated: Fix masking nested variable fields (#31964)

Fri, 16 Jun 2023 12:05:37 -0700 

This is an automated email from the ASF dual-hosted git repository.

husseinawala pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new e22ce9baed Fix masking nested variable fields (#31964)
e22ce9baed is described below

commit e22ce9baed19ddf771db59b7da1d25e240430625
Author: Hussein Awala <huss...@awala.fr>
AuthorDate: Fri Jun 16 21:05:01 2023 +0200

    Fix masking nested variable fields (#31964)
    
    * Fix masking nested variable fields
    
    Signed-off-by: Hussein Awala <huss...@awala.fr>
    
    * add a unit test
    
    Signed-off-by: Hussein Awala <huss...@awala.fr>
    
    ---------
    
    Signed-off-by: Hussein Awala <huss...@awala.fr>
---
 airflow/models/variable.py    |  2 +-
 tests/models/test_variable.py | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/airflow/models/variable.py b/airflow/models/variable.py
index 1051f889ed..bba785ee0a 100644
--- a/airflow/models/variable.py
+++ b/airflow/models/variable.py
@@ -142,7 +142,7 @@ class Variable(Base, LoggingMixin):
         else:
             if deserialize_json:
                 obj = json.loads(var_val)
-                mask_secret(var_val, key)
+                mask_secret(obj, key)
                 return obj
             else:
                 mask_secret(var_val, key)
diff --git a/tests/models/test_variable.py b/tests/models/test_variable.py
index b67027a905..67e267b8ca 100644
--- a/tests/models/test_variable.py
+++ b/tests/models/test_variable.py
@@ -258,3 +258,38 @@ class TestVariable:
             ]
         finally:
             session.rollback()
+
+
+@pytest.mark.parametrize(
+    "variable_value, deserialize_json, expected_masked_values",
+    [
+        ("s3cr3t", False, ["s3cr3t"]),
+        ('{"api_key": "s3cr3t"}', True, ["s3cr3t"]),
+        ('{"api_key": "s3cr3t", "normal_key": "normal_value"}', True, 
["s3cr3t"]),
+        ('{"api_key": "s3cr3t", "another_secret": "123456"}', True, ["s3cr3t", 
"123456"]),
+    ],
+)
+def test_masking_only_secret_values(variable_value, deserialize_json, 
expected_masked_values):
+    from airflow.utils.log.secrets_masker import _secrets_masker
+
+    session = settings.Session()
+
+    try:
+        var = Variable(
+            key=f"password-{os.getpid()}",
+            val=variable_value,
+        )
+        session.add(var)
+        session.flush()
+
+        # Make sure we re-load it, not just get the cached object back
+        session.expunge(var)
+        _secrets_masker().patterns = set()
+
+        Variable.get(var.key, deserialize_json=deserialize_json)
+
+        for expected_masked_value in expected_masked_values:
+            assert expected_masked_value in _secrets_masker().patterns
+    finally:
+        session.rollback()
+        db.clear_db_variables()

Reply via email to