-
Notifications
You must be signed in to change notification settings - Fork 14.5k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Secret masker ignores passwords with special chars (#36692)
* Secret masker ignores passwords with special chars #36688 Connection uri's get connection uses quote to change the password and certain other fields to escape special chars due to this, when the connection object is passed through the masker this changed string is skipped. * Added a test for the logging change (cherry picked from commit e853849)
- Loading branch information
Showing
3 changed files
with
27 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -22,6 +22,7 @@ | |
import re | ||
from collections import namedtuple | ||
from unittest import mock | ||
from urllib.parse import quote | ||
|
||
import pytest | ||
import sqlalchemy | ||
|
@@ -362,6 +363,7 @@ def test_connection_from_uri(self, test_config: UriTestCaseConfig): | |
expected_calls = [] | ||
if test_config.test_conn_attributes.get("password"): | ||
expected_calls.append(mock.call(test_config.test_conn_attributes["password"])) | ||
expected_calls.append(mock.call(quote(test_config.test_conn_attributes["password"]))) | ||
|
||
if test_config.test_conn_attributes.get("extra_dejson"): | ||
expected_calls.append(mock.call(test_config.test_conn_attributes["extra_dejson"])) | ||
|
@@ -592,18 +594,18 @@ def test_from_json_special_characters(self, val, expected): | |
@mock.patch.dict( | ||
"os.environ", | ||
{ | ||
"AIRFLOW_CONN_TEST_URI": "postgresql://username:[email protected]:5432/the_database", | ||
"AIRFLOW_CONN_TEST_URI": "postgresql://username:password%21@ec2.compute.com:5432/the_database", | ||
}, | ||
) | ||
def test_using_env_var(self): | ||
conn = SqliteHook.get_connection(conn_id="test_uri") | ||
assert "ec2.compute.com" == conn.host | ||
assert "the_database" == conn.schema | ||
assert "username" == conn.login | ||
assert "password" == conn.password | ||
assert "password!" == conn.password | ||
assert 5432 == conn.port | ||
|
||
self.mask_secret.assert_called_once_with("password") | ||
self.mask_secret.assert_has_calls([mock.call("password!"), mock.call(quote("password!"))]) | ||
|
||
@mock.patch.dict( | ||
"os.environ", | ||
|
@@ -717,7 +719,7 @@ def test_masking_from_db(self): | |
conn = Connection( | ||
conn_id=f"test-{os.getpid()}", | ||
conn_type="http", | ||
password="s3cr3t", | ||
password="s3cr3t!", | ||
extra='{"apikey":"masked too"}', | ||
) | ||
session.add(conn) | ||
|
@@ -733,7 +735,8 @@ def test_masking_from_db(self): | |
|
||
assert self.mask_secret.mock_calls == [ | ||
# We should have called it _again_ when loading from the DB | ||
mock.call("s3cr3t"), | ||
mock.call("s3cr3t!"), | ||
mock.call(quote("s3cr3t!")), | ||
mock.call({"apikey": "masked too"}), | ||
] | ||
finally: | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters