Explicitly passing raise_on_deleted_version=True to `read_secret_ve…

…rsion` in Hashicorp operator (#36532)

* explicitly passing raise_on_deleted_version=True to read_secret_version

* fix tests

* update hvac version

airflow/providers/hashicorp/_internal_client/vault_client.py

@@ -373,7 +373,10 @@ def get_secret(self, secret_path: str, secret_version: int | None = None) -> dic
                 response = self.client.secrets.kv.v1.read_secret(path=secret_path, mount_point=mount_point)
             else:
                 response = self.client.secrets.kv.v2.read_secret_version(
-                    path=secret_path, mount_point=mount_point, version=secret_version
+                    path=secret_path,
+                    mount_point=mount_point,
+                    version=secret_version,
+                    raise_on_deleted_version=True,
                 )
         except InvalidPath:
             self.log.debug("Secret not found %s with mount point %s", secret_path, mount_point)
@@ -422,7 +425,10 @@ def get_secret_including_metadata(
         try:
             mount_point, secret_path = self._parse_secret_path(secret_path)
             return self.client.secrets.kv.v2.read_secret_version(
-                path=secret_path, mount_point=mount_point, version=secret_version
+                path=secret_path,
+                mount_point=mount_point,
+                version=secret_version,
+                raise_on_deleted_version=True,
             )
         except InvalidPath:
             self.log.debug(

airflow/providers/hashicorp/provider.yaml

@@ -50,7 +50,7 @@ versions:
 
 dependencies:
   - apache-airflow>=2.6.0
-  - hvac>=0.10
+  - hvac>=1.1.0
 
 integrations:
   - integration-name: Hashicorp Vault

generated/provider_dependencies.json

@@ -550,7 +550,7 @@
   "hashicorp": {
     "deps": [
       "apache-airflow>=2.6.0",
-      "hvac>=0.10"
+      "hvac>=1.1.0"
     ],
     "cross-providers-deps": [
       "google"

tests/providers/hashicorp/_internal_client/test_vault_client.py

@@ -641,7 +641,7 @@ def test_get_non_existing_key_v2(self, mock_hvac):
         secret = vault_client.get_secret(secret_path="missing")
         assert secret is None
         mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with(
-            mount_point="secret", path="missing", version=None
+            mount_point="secret", path="missing", version=None, raise_on_deleted_version=True
         )
 
     @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
@@ -661,7 +661,7 @@ def test_get_non_existing_key_v2_different_auth(self, mock_hvac):
         assert secret is None
         assert "secret" == vault_client.mount_point
         mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with(
-            mount_point="secret", path="missing", version=None
+            mount_point="secret", path="missing", version=None, raise_on_deleted_version=True
         )
 
     @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
@@ -716,7 +716,7 @@ def test_get_existing_key_v2(self, mock_hvac):
         secret = vault_client.get_secret(secret_path="path/to/secret")
         assert {"secret_key": "secret_value"} == secret
         mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with(
-            mount_point="secret", path="path/to/secret", version=None
+            mount_point="secret", path="path/to/secret", version=None, raise_on_deleted_version=True
         )
 
     @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
@@ -754,7 +754,7 @@ def test_get_existing_key_v2_without_preconfigured_mount_point(self, mock_hvac):
         secret = vault_client.get_secret(secret_path="mount_point/path/to/secret")
         assert {"secret_key": "secret_value"} == secret
         mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with(
-            mount_point="mount_point", path="path/to/secret", version=None
+            mount_point="mount_point", path="path/to/secret", version=None, raise_on_deleted_version=True
         )
 
     @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
@@ -791,7 +791,7 @@ def test_get_existing_key_v2_version(self, mock_hvac):
         secret = vault_client.get_secret(secret_path="missing", secret_version=1)
         assert {"secret_key": "secret_value"} == secret
         mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with(
-            mount_point="secret", path="missing", version=1
+            mount_point="secret", path="missing", version=1, raise_on_deleted_version=True
         )
 
     @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
@@ -1015,7 +1015,7 @@ def test_get_secret_including_metadata_v2(self, mock_hvac):
             "auth": None,
         } == metadata
         mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with(
-            mount_point="secret", path="missing", version=None
+            mount_point="secret", path="missing", version=None, raise_on_deleted_version=True
         )
 
     @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")

tests/providers/hashicorp/hooks/test_vault.py

@@ -1005,7 +1005,7 @@ def test_get_existing_key_v2(self, mock_hvac, mock_get_connection):
         secret = test_hook.get_secret(secret_path="missing")
         assert {"secret_key": "secret_value"} == secret
         mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with(
-            mount_point="secret", path="missing", version=None
+            mount_point="secret", path="missing", version=None, raise_on_deleted_version=True
         )
 
     @mock.patch("airflow.providers.hashicorp.hooks.vault.VaultHook.get_connection")
@@ -1044,7 +1044,7 @@ def test_get_existing_key_v2_version(self, mock_hvac, mock_get_connection):
         secret = test_hook.get_secret(secret_path="missing", secret_version=1)
         assert {"secret_key": "secret_value"} == secret
         mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with(
-            mount_point="secret", path="missing", version=1
+            mount_point="secret", path="missing", version=1, raise_on_deleted_version=True
         )
 
     @mock.patch("airflow.providers.hashicorp.hooks.vault.VaultHook.get_connection")
@@ -1189,7 +1189,7 @@ def test_get_secret_including_metadata_v2(self, mock_hvac, mock_get_connection):
             "auth": None,
         } == metadata
         mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with(
-            mount_point="secret", path="missing", version=None
+            mount_point="secret", path="missing", version=None, raise_on_deleted_version=True
         )
 
     @mock.patch("airflow.providers.hashicorp.hooks.vault.VaultHook.get_connection")

tests/providers/hashicorp/secrets/test_vault.py

@@ -302,7 +302,7 @@ def test_get_conn_uri_non_existent_key(self, mock_hvac):
         test_client = VaultBackend(**kwargs)
         assert test_client.get_conn_uri(conn_id="test_mysql") is None
         mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with(
-            mount_point="airflow", path="connections/test_mysql", version=None
+            mount_point="airflow", path="connections/test_mysql", version=None, raise_on_deleted_version=True
         )
         assert test_client.get_connection(conn_id="test_mysql") is None
 
@@ -454,7 +454,7 @@ def test_get_variable_value_non_existent_key(self, mock_hvac):
         test_client = VaultBackend(**kwargs)
         assert test_client.get_variable("hello") is None
         mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with(
-            mount_point="airflow", path="variables/hello", version=None
+            mount_point="airflow", path="variables/hello", version=None, raise_on_deleted_version=True
         )
         assert test_client.get_variable("hello") is None