diff --git a/airflow/providers/hashicorp/_internal_client/vault_client.py b/airflow/providers/hashicorp/_internal_client/vault_client.py
index f8e5c254d490c..0012d9580262c 100644
--- a/airflow/providers/hashicorp/_internal_client/vault_client.py
+++ b/airflow/providers/hashicorp/_internal_client/vault_client.py
@@ -373,7 +373,10 @@ def get_secret(self, secret_path: str, secret_version: int | None = None) -> dic
 response = self.client.secrets.kv.v1.read_secret(path=secret_path, mount_point=mount_point)
 else:
 response = self.client.secrets.kv.v2.read_secret_version(
- path=secret_path, mount_point=mount_point, version=secret_version
+ path=secret_path,
+ mount_point=mount_point,
+ version=secret_version,
+ raise_on_deleted_version=True,
 )
 except InvalidPath:
 self.log.debug("Secret not found %s with mount point %s", secret_path, mount_point)
@@ -422,7 +425,10 @@ def get_secret_including_metadata(
 try:
 mount_point, secret_path = self._parse_secret_path(secret_path)
 return self.client.secrets.kv.v2.read_secret_version(
- path=secret_path, mount_point=mount_point, version=secret_version
+ path=secret_path,
+ mount_point=mount_point,
+ version=secret_version,
+ raise_on_deleted_version=True,
 )
 except InvalidPath:
 self.log.debug(
diff --git a/airflow/providers/hashicorp/provider.yaml b/airflow/providers/hashicorp/provider.yaml
index ce2b3846b4892..e42cad0ff9dc9 100644
--- a/airflow/providers/hashicorp/provider.yaml
+++ b/airflow/providers/hashicorp/provider.yaml
@@ -50,7 +50,7 @@ versions:
 
 dependencies:
 - apache-airflow>=2.6.0
- - hvac>=0.10
+ - hvac>=1.1.0
 
 integrations:
 - integration-name: Hashicorp Vault
diff --git a/generated/provider_dependencies.json b/generated/provider_dependencies.json
index 76f27a032e617..3cba566e52148 100644
--- a/generated/provider_dependencies.json
+++ b/generated/provider_dependencies.json
@@ -550,7 +550,7 @@
 "hashicorp": {
 "deps": [
 "apache-airflow>=2.6.0",
- "hvac>=0.10"
+ "hvac>=1.1.0"
 ],
 "cross-providers-deps": [
 "google"
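Review bot: The `raise_on_deleted_version=True` argument added to the `read_secret_version` call in `get_secret`, and identically in `get_secret_including_metadata`, has no comment recording why it is pinned, and the choice decides what a caller sees for a soft-deleted KV v2 version. With the flag set, hvac raises for a deleted version instead of returning its metadata, so the `except InvalidPath:` branch just below presumably handles it like a missing path and logs it at debug level as "Secret not found". I would add above each call `# Explicit so a deleted KV v2 version raises and is treated as not found, never returned as an empty payload.`, and, if operators need to tell a deleted secret from a wrong path, mention the possibility in that debug message. Both function bodies start and end outside their hunks, so the handler's return value is not visible here.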
diff --git a/tests/providers/hashicorp/_internal_client/test_vault_client.py b/tests/providers/hashicorp/_internal_client/test_vault_client.py
index bb9a53ceb5327..28c6944fa6b85 100644
--- a/tests/providers/hashicorp/_internal_client/test_vault_client.py
+++ b/tests/providers/hashicorp/_internal_client/test_vault_client.py
@@ -641,7 +641,7 @@ def test_get_non_existing_key_v2(self, mock_hvac):
 secret = vault_client.get_secret(secret_path="missing")
 assert secret is None
 mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with(
- mount_point="secret", path="missing", version=None
+ mount_point="secret", path="missing", version=None, raise_on_deleted_version=True
 )
 
 @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
@@ -661,7 +661,7 @@ def test_get_non_existing_key_v2_different_auth(self, mock_hvac):
 assert secret is None
 assert "secret" == vault_client.mount_point
 mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with(
- mount_point="secret", path="missing", version=None
+ mount_point="secret", path="missing", version=None, raise_on_deleted_version=True
 )
 
 @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
@@ -716,7 +716,7 @@ def test_get_existing_key_v2(self, mock_hvac):
 secret = vault_client.get_secret(secret_path="path/to/secret")
 assert {"secret_key": "secret_value"} == secret
 mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with(
- mount_point="secret", path="path/to/secret", version=None
+ mount_point="secret", path="path/to/secret", version=None, raise_on_deleted_version=True
 )
 
 @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
@@ -754,7 +754,7 @@ def test_get_existing_key_v2_without_preconfigured_mount_point(self, mock_hvac):
 secret = vault_client.get_secret(secret_path="mount_point/path/to/secret")
 assert {"secret_key": "secret_value"} == secret
 mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with(
- mount_point="mount_point", path="path/to/secret", version=None
+ mount_point="mount_point", path="path/to/secret", version=None, raise_on_deleted_version=True
 )
 
 @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
@@ -791,7 +791,7 @@ def test_get_existing_key_v2_version(self, mock_hvac):
 secret = vault_client.get_secret(secret_path="missing", secret_version=1)
 assert {"secret_key": "secret_value"} == secret
 mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with(
- mount_point="secret", path="missing", version=1
+ mount_point="secret", path="missing", version=1, raise_on_deleted_version=True
 )
 
 @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
@@ -1015,7 +1015,7 @@ def test_get_secret_including_metadata_v2(self, mock_hvac):
 "auth": None,
 } == metadata
 mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with(
- mount_point="secret", path="missing", version=None
+ mount_point="secret", path="missing", version=None, raise_on_deleted_version=True
 )
 
 @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
diff --git a/tests/providers/hashicorp/hooks/test_vault.py b/tests/providers/hashicorp/hooks/test_vault.py
index 29bace0642419..b9db1e7c1f34d 100644
--- a/tests/providers/hashicorp/hooks/test_vault.py
+++ b/tests/providers/hashicorp/hooks/test_vault.py
@@ -1005,7 +1005,7 @@ def test_get_existing_key_v2(self, mock_hvac, mock_get_connection):
 secret = test_hook.get_secret(secret_path="missing")
 assert {"secret_key": "secret_value"} == secret
 mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with(
- mount_point="secret", path="missing", version=None
+ mount_point="secret", path="missing", version=None, raise_on_deleted_version=True
 )
 
 @mock.patch("airflow.providers.hashicorp.hooks.vault.VaultHook.get_connection")
@@ -1044,7 +1044,7 @@ def test_get_existing_key_v2_version(self, mock_hvac, mock_get_connection):
 secret = test_hook.get_secret(secret_path="missing", secret_version=1)
 assert {"secret_key": "secret_value"} == secret
 mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with(
- mount_point="secret", path="missing", version=1
+ mount_point="secret", path="missing", version=1, raise_on_deleted_version=True
 )
 
 @mock.patch("airflow.providers.hashicorp.hooks.vault.VaultHook.get_connection")
@@ -1189,7 +1189,7 @@ def test_get_secret_including_metadata_v2(self, mock_hvac, mock_get_connection):
 "auth": None,
 } == metadata
 mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with(
- mount_point="secret", path="missing", version=None
+ mount_point="secret", path="missing", version=None, raise_on_deleted_version=True
 )
 
 @mock.patch("airflow.providers.hashicorp.hooks.vault.VaultHook.get_connection")
diff --git a/tests/providers/hashicorp/secrets/test_vault.py b/tests/providers/hashicorp/secrets/test_vault.py
index 4897a73c22334..fc30da9add2b6 100644
--- a/tests/providers/hashicorp/secrets/test_vault.py
+++ b/tests/providers/hashicorp/secrets/test_vault.py
@@ -302,7 +302,7 @@ def test_get_conn_uri_non_existent_key(self, mock_hvac):
 test_client = VaultBackend(**kwargs)
 assert test_client.get_conn_uri(conn_id="test_mysql") is None
 mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with(
- mount_point="airflow", path="connections/test_mysql", version=None
+ mount_point="airflow", path="connections/test_mysql", version=None, raise_on_deleted_version=True
 )
 assert test_client.get_connection(conn_id="test_mysql") is None
 
@@ -454,7 +454,7 @@ def test_get_variable_value_non_existent_key(self, mock_hvac):
 test_client = VaultBackend(**kwargs)
 assert test_client.get_variable("hello") is None
 mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with(
- mount_point="airflow", path="variables/hello", version=None
+ mount_point="airflow", path="variables/hello", version=None, raise_on_deleted_version=True
 )
 assert test_client.get_variable("hello") is None
 