Sanitize end of line character when loading token from a file (vault)…

… (#16407) This commit addresses apache/airflow#16406 GitOrigin-RevId: 70cfe0135373d1f0400e7d9b275ebb017429794b
kosteev · Sep 13, 2024 · 6076cbd · 6076cbd
1 parent 18ce291
commit 6076cbd
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/airflow/providers/hashicorp/_internal_client/vault_client.py b/airflow/providers/hashicorp/_internal_client/vault_client.py
@@ -262,7 +262,7 @@ def _auth_kubernetes(self, _client: hvac.Client) -> None:
         if not self.kubernetes_jwt_path:
             raise VaultError("The kubernetes_jwt_path should be set here. This should not happen.")
         with open(self.kubernetes_jwt_path) as f:
-            jwt = f.read()
+            jwt = f.read().strip()
             if self.auth_mount_point:
                 _client.auth_kubernetes(role=self.kubernetes_role, jwt=jwt, mount_point=self.auth_mount_point)
             else:
@@ -328,7 +328,7 @@ def _auth_approle(self, _client: hvac.Client) -> None:
     def _set_token(self, _client: hvac.Client) -> None:
         if self.token_path:
             with open(self.token_path) as f:
-                _client.token = f.read()
+                _client.token = f.read().strip()
         else:
             _client.token = self.token
 

diff --git a/tests/providers/hashicorp/_internal_client/test_vault_client.py b/tests/providers/hashicorp/_internal_client/test_vault_client.py
@@ -511,6 +511,22 @@ def test_token_path(self, mock_hvac):
         assert 2 == vault_client.kv_engine_version
         assert "secret" == vault_client.mount_point
 
+    @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
+    def test_token_path_strip(self, mock_hvac):
+        mock_client = mock.MagicMock()
+        mock_hvac.Client.return_value = mock_client
+        with open('/tmp/test_token.txt', 'w+') as the_file:
+            the_file.write('  s.7AU0I51yv1Q1lxOIg1F3ZRAS\n')
+        vault_client = _VaultClient(
+            auth_type="token", token_path="/tmp/test_token.txt", url="http://localhost:8180"
+        )
+        client = vault_client.client
+        mock_hvac.Client.assert_called_with(url='http://localhost:8180')
+        client.is_authenticated.assert_called_with()
+        assert "s.7AU0I51yv1Q1lxOIg1F3ZRAS" == client.token
+        assert 2 == vault_client.kv_engine_version
+        assert "secret" == vault_client.mount_point
+
     @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
     def test_default_auth_type(self, mock_hvac):
         mock_client = mock.MagicMock()