From 6076cbd4b84f93652e3c41faae2173da6ce0fc8c Mon Sep 17 00:00:00 2001
From: mmenarguezpear <61213452+mmenarguezpear@users.noreply.github.com>
Date: Sat, 12 Jun 2021 23:00:06 +0200
Subject: [PATCH] Sanitize end of line character when loading token from a file (vault) (#16407)

This commit addresses https://github.com/apache/airflow/issues/16406
GitOrigin-RevId: 70cfe0135373d1f0400e7d9b275ebb017429794b
---
 .../hashicorp/_internal_client/vault_client.py | 4 ++--
 .../_internal_client/test_vault_client.py | 16 ++++++++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/airflow/providers/hashicorp/_internal_client/vault_client.py b/airflow/providers/hashicorp/_internal_client/vault_client.py
index 5b6d8de38d..7abe54dd71 100644
--- a/airflow/providers/hashicorp/_internal_client/vault_client.py
+++ b/airflow/providers/hashicorp/_internal_client/vault_client.py
@@ -262,7 +262,7 @@ def _auth_kubernetes(self, _client: hvac.Client) -> None:
 if not self.kubernetes_jwt_path:
 raise VaultError("The kubernetes_jwt_path should be set here. This should not happen.")
 with open(self.kubernetes_jwt_path) as f:
- jwt = f.read()
+ jwt = f.read().strip()
 if self.auth_mount_point:
 _client.auth_kubernetes(role=self.kubernetes_role, jwt=jwt, mount_point=self.auth_mount_point)
 else:
@@ -328,7 +328,7 @@ def _auth_approle(self, _client: hvac.Client) -> None:
 def _set_token(self, _client: hvac.Client) -> None:
 if self.token_path:
 with open(self.token_path) as f:
- _client.token = f.read()
+ _client.token = f.read().strip()
 else:
 _client.token = self.token
 
diff --git a/tests/providers/hashicorp/_internal_client/test_vault_client.py b/tests/providers/hashicorp/_internal_client/test_vault_client.py
index 6b7d4aad97..3df03dc0c7 100644
--- a/tests/providers/hashicorp/_internal_client/test_vault_client.py
+++ b/tests/providers/hashicorp/_internal_client/test_vault_client.py
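Review bot: An empty or whitespace-only file now yields an empty string after `.strip()`, and neither `jwt = f.read().strip()` in `_auth_kubernetes` nor `_client.token = f.read().strip()` in `_set_token` checks for that before the value is handed to the client. The failure would then presumably surface later as an unauthenticated client rather than as an error naming the file, so a guard such as `if not jwt: raise VaultError(f"The file {self.kubernetes_jwt_path} contains no JWT.")` (and the equivalent for `self.token_path`) would make the misconfiguration obvious without echoing any credential. A short comment such as `# strip(): a trailing newline in the file would otherwise become part of the credential` would also record why the call is there. `_auth_kubernetes` starts and continues outside the first hunk.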
@@ -511,6 +511,22 @@ def test_token_path(self, mock_hvac):
 assert 2 == vault_client.kv_engine_version
 assert "secret" == vault_client.mount_point
 
+ @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
+ def test_token_path_strip(self, mock_hvac):
+ mock_client = mock.MagicMock()
+ mock_hvac.Client.return_value = mock_client
+ with open('/tmp/test_token.txt', 'w+') as the_file:
+ the_file.write(' s.7AU0I51yv1Q1lxOIg1F3ZRAS\n')
+ vault_client = _VaultClient(
+ auth_type="token", token_path="/tmp/test_token.txt", url="http://localhost:8180"
+ )
+ client = vault_client.client
+ mock_hvac.Client.assert_called_with(url='http://localhost:8180')
+ client.is_authenticated.assert_called_with()
+ assert "s.7AU0I51yv1Q1lxOIg1F3ZRAS" == client.token
+ assert 2 == vault_client.kv_engine_version
+ assert "secret" == vault_client.mount_point
+
 @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
 def test_default_auth_type(self, mock_hvac):
 mock_client = mock.MagicMock()
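Review bot: `test_token_path_strip` writes its fixture to the fixed path `/tmp/test_token.txt`, which sits in a shared, world-writable directory. `open(..., 'w+')` follows whatever already exists at that name, parallel test runs can overwrite each other's file, and the file is never removed. A temporary file owned by the test avoids all three: `with tempfile.NamedTemporaryFile('w+') as the_file:`, then `the_file.flush()` after the write and `token_path=the_file.name`, with the `_VaultClient` construction and `.client` access kept inside the `with` block (this needs `import tempfile` if the module does not already have it). The same commit also strips the JWT read in `_auth_kubernetes`, but this hunk adds no test for that path; a twin of this test for the Kubernetes JWT file would cover it.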