diff --git a/airflow/composer/security_manager.py b/airflow/composer/security_manager.py
index 2c880513a46..120543e71a0 100644
--- a/airflow/composer/security_manager.py
+++ b/airflow/composer/security_manager.py
@@ -33,9 +33,6 @@
 log = logging.getLogger(__file__)
-# Expected audience of IAP JWT.
-IAP_JWT_AUDIENCE = conf.get("webserver", "google_oauth2_audience")
-
 def _decode_iap_jwt(iap_jwt):
 """Returns username and email decoded from the given IAP JWT.
@@ -52,7 +49,7 @@ def _decode_iap_jwt(iap_jwt):
 decoded_jwt = id_token.verify_token(
 iap_jwt,
 requests.Request(),
- audience=IAP_JWT_AUDIENCE,
+ audience=conf.get("webserver", "google_oauth2_audience"),
 certs_url="https://www.gstatic.com/iap/verify/public_key",
 )
 return decoded_jwt["sub"], decoded_jwt["email"]
diff --git a/tests/composer/api/backend/test_composer_auth.py b/tests/composer/api/backend/test_composer_auth.py
index 2c5a4c33e22..da0433a1653 100644
--- a/tests/composer/api/backend/test_composer_auth.py
+++ b/tests/composer/api/backend/test_composer_auth.py
@@ -41,7 +41,6 @@ def setUpClass(cls):
 shutil.copy(cls.COMPOSER_WEBSERVER_CONFIG, WEBSERVER_CONFIG)
 with conf_vars(
 {
- ("webserver", "google_oauth2_audience"): "audience",
 ("webserver", "rbac_user_registration_role"): "Viewer",
 ("api", "auth_backends"): "airflow.composer.api.backend.composer_auth",
 ("api", "composer_auth_user_registration_role"): "User",
@@ -57,6 +56,7 @@ def tearDownClass(cls):
 shutil.copy(cls.WEBSERVER_CONFIG_BACKUP, WEBSERVER_CONFIG)
 @mock.patch("airflow.composer.security_manager._decode_iap_jwt", autospec=True)
+ @conf_vars({("webserver", "google_oauth2_audience"): "audience"})
 def test_authentication_success(self, _decode_iap_jwt_mock):
 def _decode_iap_jwt_mock_side_effect(iap_jwt):
 assert iap_jwt == "jwt-test"
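Review bot: In the `@@ -52,7 +49,7 @@` hunk of airflow/composer/security_manager.py, `_decode_iap_jwt` now reads `webserver.google_oauth2_audience` on every call and passes it straight into `id_token.verify_token`, with nothing checking that a value is actually configured and no comment saying why the lookup left module scope. The audience is the only claim that binds an IAP-signed token to this deployment, so a blank value should fail closed before `verify_token` is reached, and a missing option now surfaces at request time rather than at import, which is presumably harder to notice in deployment. I would bind it first, `audience = conf.get("webserver", "google_oauth2_audience")`, guard it with `if not audience:` raising whatever configuration error the login path already maps to a 403 (not visible in this hunk), and then pass `audience=audience`. Also record the intent on the call, for example `# Read per call so the audience follows the live config, not the value captured at import.`, since the test changes in this commit suggest that is the motivation. The body of `_decode_iap_jwt` starts above this hunk.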
@@ -80,6 +80,7 @@ def _decode_iap_jwt_mock_side_effect(iap_jwt):
 # "User" role doesn't have access to pools endpoint.
 assert pools_response.status_code == 403
+ @conf_vars({("webserver", "google_oauth2_audience"): "audience"})
 def test_authentication_failure(self):
 response = self.test_client.get(
 "/api/v1/pools", headers={"X-Goog-IAP-JWT-Assertion": "invalid-jwt-token"}
diff --git a/tests/composer/test_security_manager.py b/tests/composer/test_security_manager.py
index 3e13d052273..c6490b512ba 100644
--- a/tests/composer/test_security_manager.py
+++ b/tests/composer/test_security_manager.py
@@ -42,7 +42,6 @@ def setUpClass(cls):
 shutil.copy(cls.COMPOSER_WEBSERVER_CONFIG, WEBSERVER_CONFIG)
 with conf_vars(
 {
- ("webserver", "google_oauth2_audience"): "audience",
 ("webserver", "rbac_user_registration_role"): "Viewer",
 ("webserver", "rbac_autoregister_per_folder_roles"): "True",
 }
@@ -71,6 +70,7 @@ def test_login_incorrect_jwt(self):
 assert resp.status_code == 403
 @mock.patch("airflow.composer.security_manager.id_token", autospec=True)
+ @conf_vars({("webserver", "google_oauth2_audience"): "audience"})
 def test_login_user_auto_registered(self, id_token_mock):
 username = f"test-{self.get_random_id()}"
 email = f"test-{self.get_random_id()}@test.com"
@@ -149,6 +149,7 @@ def id_token_mock_verify_token_side_effect(
 assert resp.status_code == 403
 @mock.patch("airflow.composer.security_manager.id_token", autospec=True)
+ @conf_vars({("webserver", "google_oauth2_audience"): "audience"})
 def test_login_user_preregistered(self, id_token_mock):
 username = f"test-{self.get_random_id()}"
 email = f"test-{self.get_random_id()}@test.com"
diff --git a/tests/composer/test_webserver_config.py b/tests/composer/test_webserver_config.py
index a0bd5729a5a..98eac94bd30 100644
--- a/tests/composer/test_webserver_config.py
+++ b/tests/composer/test_webserver_config.py
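Review bot: `test_login_incorrect_jwt`, whose last line is the context `assert resp.status_code == 403` at the top of the `@@ -71,6 +70,7 @@` hunk in tests/composer/test_security_manager.py, no longer has `webserver.google_oauth2_audience` set: the `setUpClass` hunk above removes it and only the two mocked success-path tests receive the new `@conf_vars` decorator. If that option has no default in the test configuration, the 403 this test asserts could now come from the configuration lookup itself rather than from the token being rejected, so the invalid-JWT path would no longer be what is exercised; `test_authentication_failure` in test_composer_auth.py did get the decorator, presumably for that reason. Add `@conf_vars({("webserver", "google_oauth2_audience"): "audience"})` to `test_login_incorrect_jwt` as well. That test's body starts before this hunk.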
@@ -21,7 +21,6 @@ class TestWebserverConfig(unittest.TestCase):
 def test_webserver_config(self):
 with conf_vars(
 {
- ("webserver", "google_oauth2_audience"): "audience",
 ("webserver", "rbac_user_registration_role"): "Viewer",
 }
 ):