This is an automated email from the ASF dual-hosted git repository. husseinawala pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push: new e22ce9baed Fix masking nested variable fields (#31964) e22ce9baed is described below commit e22ce9baed19ddf771db59b7da1d25e240430625 Author: Hussein Awala <huss...@awala.fr> AuthorDate: Fri Jun 16 21:05:01 2023 +0200 Fix masking nested variable fields (#31964) * Fix masking nested variable fields Signed-off-by: Hussein Awala <huss...@awala.fr> * add a unit test Signed-off-by: Hussein Awala <huss...@awala.fr> --------- Signed-off-by: Hussein Awala <huss...@awala.fr> --- airflow/models/variable.py | 2 +- tests/models/test_variable.py | 35 +++++++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+), 1 deletion(-) diff --git a/airflow/models/variable.py b/airflow/models/variable.py index 1051f889ed..bba785ee0a 100644 --- a/airflow/models/variable.py +++ b/airflow/models/variable.py @@ -142,7 +142,7 @@ class Variable(Base, LoggingMixin): else: if deserialize_json: obj = json.loads(var_val) - mask_secret(var_val, key) + mask_secret(obj, key) return obj else: mask_secret(var_val, key) diff --git a/tests/models/test_variable.py b/tests/models/test_variable.py index b67027a905..67e267b8ca 100644 --- a/tests/models/test_variable.py +++ b/tests/models/test_variable.py @@ -258,3 +258,38 @@ class TestVariable: ] finally: session.rollback() + + +@pytest.mark.parametrize( + "variable_value, deserialize_json, expected_masked_values", + [ + ("s3cr3t", False, ["s3cr3t"]), + ('{"api_key": "s3cr3t"}', True, ["s3cr3t"]), + ('{"api_key": "s3cr3t", "normal_key": "normal_value"}', True, ["s3cr3t"]), + ('{"api_key": "s3cr3t", "another_secret": "123456"}', True, ["s3cr3t", "123456"]), + ], +) +def test_masking_only_secret_values(variable_value, deserialize_json, expected_masked_values): + from airflow.utils.log.secrets_masker import _secrets_masker + + session = settings.Session() + + try: + var = Variable( + key=f"password-{os.getpid()}", + val=variable_value, + ) + session.add(var) + session.flush() + + # Make sure we re-load it, not just get the cached object back + session.expunge(var) + _secrets_masker().patterns = set() + + Variable.get(var.key, deserialize_json=deserialize_json) + + for expected_masked_value in expected_masked_values: + assert expected_masked_value in _secrets_masker().patterns + finally: + session.rollback() + db.clear_db_variables()