From 6668fbd33fffd80dffa731ef483ef6a50f17cce7 Mon Sep 17 00:00:00 2001
From: Sameer Mesiah
Date: Sat, 28 Feb 2026 18:00:28 +0000
Subject: [PATCH] Refactor VaultBackend to centralize secret path resolution and fetching logic

Introduce a private helper to remove duplicated mount parsing, base path handling, and get_secret invocation across public methods.
---
 .../providers/hashicorp/secrets/vault.py | 50 ++++++++-----------
 1 file changed, 20 insertions(+), 30 deletions(-)

diff --git a/providers/hashicorp/src/airflow/providers/hashicorp/secrets/vault.py b/providers/hashicorp/src/airflow/providers/hashicorp/secrets/vault.py
index b60e623851025..3459314bf7030 100644
--- a/providers/hashicorp/src/airflow/providers/hashicorp/secrets/vault.py
+++ b/providers/hashicorp/src/airflow/providers/hashicorp/secrets/vault.py
@@ -173,23 +173,30 @@ def _parse_path(self, secret_path: str) -> tuple[str | None, str | None]:
 return split_secret_path[0], split_secret_path[1]
 return "", secret_path

- def get_response(self, conn_id: str) -> dict | None:
- """
- Get data from Vault.
+ def _get_secret_with_base(self, base_path: str | None, key: str) -> dict | None:
+ """Resolve mount and base path, then fetch the secret from Vault."""
+ mount_point, key_part = self._parse_path(key)

- :return: The data from the Vault path if exists
- """
- mount_point, conn_key = self._parse_path(conn_id)
- if self.connections_path is None or conn_key is None:
+ if base_path is None or key_part is None:
 return None
- if self.connections_path == "":
- secret_path = conn_key
+
+ if base_path == "":
+ secret_path = key_part
 else:
- secret_path = self.build_path(self.connections_path, conn_key)
+ secret_path = self.build_path(base_path, key_part)
+
 return self.vault_client.get_secret(
 secret_path=(mount_point + "/" if mount_point else "") + secret_path
 )

+ def get_response(self, conn_id: str) -> dict | None:
+ """
+ Get data from Vault.
+
+ :return: The data from the Vault path if exists
+ """
+ return self._get_secret_with_base(self.connections_path, conn_id)
+
 # Make sure connection is imported this way for type checking, otherwise when importing
 # the backend it will get a circular dependency and fail
 if TYPE_CHECKING:
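Review bot: The one-line docstring on `_get_secret_with_base` leaves out the contract that all three getters now depend on: `base_path is None` returns `None` before `vault_client.get_secret` is reached, `base_path == ""` uses the parsed key as the whole path, and a non-empty `mount_point` from `_parse_path(key)` is prefixed to the path sent to Vault. Since this helper is now the single place where a caller-supplied key becomes a Vault path, I would add `:param base_path:`, `:param key:` and `:return:` entries that state those three cases and that a mount prefix carried in the key, rather than the backend configuration, picks the mount that is read. `_parse_path` begins outside the hunk, so the exact condition under which it splits a prefix should be confirmed before wording that last part. The diffstat lists only vault.py; a unit test that drives the helper with `None`, `""` and a non-empty base path would pin the behaviour this refactor is meant to preserve.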
@@ -225,16 +232,8 @@ def get_variable(self, key: str, team_name: str | None = None) -> str | None:
 :param team_name: Team name associated to the task trying to access the variable (if any)
 :return: Variable Value retrieved from the vault
 """
- mount_point, variable_key = self._parse_path(key)
- if self.variables_path is None or variable_key is None:
- return None
- if self.variables_path == "":
- secret_path = variable_key
- else:
- secret_path = self.build_path(self.variables_path, variable_key)
- response = self.vault_client.get_secret(
- secret_path=(mount_point + "/" if mount_point else "") + secret_path
- )
+ response = self._get_secret_with_base(self.variables_path, key)
+
 if not response:
 return None
 try:
@@ -250,16 +249,7 @@ def get_config(self, key: str) -> str | None:
 :param key: Configuration Option Key
 :return: Configuration Option Value retrieved from the vault
 """
- mount_point, config_key = self._parse_path(key)
- if self.config_path is None or config_key is None:
- return None
- if self.config_path == "":
- secret_path = config_key
- else:
- secret_path = self.build_path(self.config_path, config_key)
- response = self.vault_client.get_secret(
- secret_path=(mount_point + "/" if mount_point else "") + secret_path
- )
+ response = self._get_secret_with_base(self.config_path, key)
 if not response:
 return None
 try:
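Review bot: In the get_variable hunk, `team_name` is described in the docstring as the team of the task requesting the variable, but the new call `self._get_secret_with_base(self.variables_path, key)` builds the path from `variables_path` and `key` alone, as the removed lines did. If nothing later in the function uses it (the body continues outside the hunk), variable lookups are not scoped per team by this backend, and the docstring should say so, for example `:param team_name: Accepted for interface compatibility; not used when resolving the Vault path`. As a smaller style point, this hunk adds a blank line after the helper call while the matching change in get_config does not; the two should agree.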