Posted to commits@airflow.apache.org by as...@apache.org on 2021/04/15 12:07:51 UTC
[airflow] 32/36: Fix password masking in CLI action_logging (#15143)
This is an automated email from the ASF dual-hosted git repository.
ash pushed a commit to branch v2-0-test
in repository https://gitbox.apache.org/repos/asf/airflow.git
commit 84d305fbc9160d320f45e35887af7a1bad538bc7
Author: Xiaodong DENG <xd...@apache.org>
AuthorDate: Thu Apr 1 23:02:28 2021 +0200
Fix password masking in CLI action_logging (#15143)
Currently, as long as the argument '-p' is present, the code tries to mask it.
However, '-p' may mean something else (not a password), such as a boolean flag. Such cases may result in an exception.
(cherry picked from commit 486b76438c0679682cf98cb88ed39c4b161cbcc8)
---
airflow/utils/cli.py | 20 +++++++++++---------
tests/utils/test_cli_util.py | 10 ++++++++++
2 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/airflow/utils/cli.py b/airflow/utils/cli.py
index 68a0b44..fc73dfc 100644
--- a/airflow/utils/cli.py
+++ b/airflow/utils/cli.py
@@ -110,17 +110,19 @@ def _build_metrics(func_name, namespace):
"""
from airflow.models import Log
+ sub_commands_to_check = {'users', 'connections'}
sensitive_fields = {'-p', '--password', '--conn-password'}
full_command = list(sys.argv)
- for idx, command in enumerate(full_command): # pylint: disable=too-many-nested-blocks
- if command in sensitive_fields:
- # For cases when password is passed as "--password xyz" (with space between key and value)
- full_command[idx + 1] = "*" * 8
- else:
- # For cases when password is passed as "--password=xyz" (with '=' between key and value)
- for sensitive_field in sensitive_fields:
- if command.startswith(f'{sensitive_field}='):
- full_command[idx] = f'{sensitive_field}={"*" * 8}'
+ if full_command[1] in sub_commands_to_check: # pylint: disable=too-many-nested-blocks
+ for idx, command in enumerate(full_command):
+ if command in sensitive_fields:
+ # For cases when password is passed as "--password xyz" (with space between key and value)
+ full_command[idx + 1] = "*" * 8
+ else:
+ # For cases when password is passed as "--password=xyz" (with '=' between key and value)
+ for sensitive_field in sensitive_fields:
+ if command.startswith(f'{sensitive_field}='):
+ full_command[idx] = f'{sensitive_field}={"*" * 8}'
metrics = {
'sub_command': func_name,
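Review bot: The new guard reads `full_command[1]` without checking the length of `sys.argv`, so a one-element argv would raise IndexError before any metrics are built; whether a caller can reach `_build_metrics` that way is not visible here. A length check closes it: `if len(full_command) > 1 and full_command[1] in sub_commands_to_check:`. The re-indented `full_command[idx + 1] = "*" * 8` has the same shape of problem when a sensitive flag is the last token, so `idx + 1 < len(full_command)` is worth checking there as well. Masking is now opt-in per sub-command, which means any sub-command outside `{'users', 'connections'}` that accepts a secret on the command line will be recorded verbatim; a comment next to `sub_commands_to_check` such as `# keep in sync with every sub-command that accepts a credential argument` would make that maintenance duty explicit. The body of `_build_metrics` continues outside the hunk.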
diff --git a/tests/utils/test_cli_util.py b/tests/utils/test_cli_util.py
index c567f44..6d88f66 100644
--- a/tests/utils/test_cli_util.py
+++ b/tests/utils/test_cli_util.py
@@ -112,9 +112,19 @@ class TestCliUtil(unittest.TestCase):
"airflow connections add dsfs --conn-login asd --conn-password test --conn-type google",
"airflow connections add dsfs --conn-login asd --conn-password ******** --conn-type google",
),
+ (
+ "airflow scheduler -p",
+ "airflow scheduler -p",
+ ),
+ (
+ "airflow celery flower -p 8888",
+ "airflow celery flower -p 8888",
+ ),
]
)
def test_cli_create_user_supplied_password_is_masked(self, given_command, expected_masked_command):
+ # '-p' value which is not password, like 'airflow scheduler -p'
+ # or 'airflow celery flower -p 8888', should not be masked
args = given_command.split()
expected_command = expected_masked_command.split()
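Review bot: The two added cases assert that `-p` values are left unmasked for `scheduler` and `celery flower`, yet the method is still named `test_cli_create_user_supplied_password_is_masked`, and the explanatory comment sits in the body rather than beside the tuples it describes. Moving the comment up to the parameter list, or renaming the test to something like `test_cli_sensitive_args_masked_only_for_credential_subcommands`, would keep the intent readable when a case fails. No visible case covers a `users` or `connections` command that ends in a bare `-p`, which is the input where the masking loop indexes one past the flag; the earlier parameters are outside the hunk, so this may already exist. The test body continues past the end of the hunk.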