apache-airflow-providers-hashicorp 4.3.0rc1__tar.gz → 4.3.1rc1__tar.gz

{apache_airflow_providers_hashicorp-4.3.0rc1 → apache_airflow_providers_hashicorp-4.3.1rc1}/PKG-INFO

@@ -1,11 +1,11 @@
 Metadata-Version: 2.4
 Name: apache-airflow-providers-hashicorp
-Version: 4.3.0rc1
+Version: 4.3.1rc1
 Summary: Provider package apache-airflow-providers-hashicorp for Apache Airflow
 Keywords: airflow-provider,hashicorp,airflow,integration
 Author-email: Apache Software Foundation <dev@airflow.apache.org>
 Maintainer-email: Apache Software Foundation <dev@airflow.apache.org>
-Requires-Python: ~=3.9
+Requires-Python: ~=3.10
 Description-Content-Type: text/x-rst
 Classifier: Development Status :: 5 - Production/Stable
 Classifier: Environment :: Console
@@ -15,7 +15,6 @@ Classifier: Intended Audience :: System Administrators
 Classifier: Framework :: Apache Airflow
 Classifier: Framework :: Apache Airflow :: Provider
 Classifier: License :: OSI Approved :: Apache Software License
-Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
@@ -25,8 +24,8 @@ Requires-Dist: hvac>=1.1.0
 Requires-Dist: boto3>=1.33.0 ; extra == "boto3"
 Requires-Dist: apache-airflow-providers-google ; extra == "google"
 Project-URL: Bug Tracker, https://github.com/apache/airflow/issues
-Project-URL: Changelog, https://airflow.staged.apache.org/docs/apache-airflow-providers-hashicorp/4.3.0/changelog.html
-Project-URL: Documentation, https://airflow.staged.apache.org/docs/apache-airflow-providers-hashicorp/4.3.0
+Project-URL: Changelog, https://airflow.staged.apache.org/docs/apache-airflow-providers-hashicorp/4.3.1/changelog.html
+Project-URL: Documentation, https://airflow.staged.apache.org/docs/apache-airflow-providers-hashicorp/4.3.1
 Project-URL: Mastodon, https://fosstodon.org/@airflow
 Project-URL: Slack Chat, https://s.apache.org/airflow-slack
 Project-URL: Source Code, https://github.com/apache/airflow
@@ -59,7 +58,7 @@ Provides-Extra: google
 
 Package ``apache-airflow-providers-hashicorp``
 
-Release: ``4.3.0``
+Release: ``4.3.1``
 
 
 Hashicorp including `Hashicorp Vault <https://www.vaultproject.io/>`__
@@ -72,7 +71,7 @@ This is a provider package for ``hashicorp`` provider. All classes for this prov
 are in ``airflow.providers.hashicorp`` python package.
 
 You can find package information and changelog for the provider
-in the `documentation <https://airflow.apache.org/docs/apache-airflow-providers-hashicorp/4.3.0/>`_.
+in the `documentation <https://airflow.apache.org/docs/apache-airflow-providers-hashicorp/4.3.1/>`_.
 
 Installation
 ------------
@@ -81,7 +80,7 @@ You can install this package on top of an existing Airflow 2 installation (see `
 for the minimum Airflow version supported) via
 ``pip install apache-airflow-providers-hashicorp``
 
-The package supports the following python versions: 3.9,3.10,3.11,3.12
+The package supports the following python versions: 3.10,3.11,3.12
 
 Requirements
 ------------
@@ -113,5 +112,5 @@ Dependent package
 ====================================================================================================  ==========
 
 The changelog for the provider package can be found in the
-`changelog <https://airflow.apache.org/docs/apache-airflow-providers-hashicorp/4.3.0/changelog.html>`_.
+`changelog <https://airflow.apache.org/docs/apache-airflow-providers-hashicorp/4.3.1/changelog.html>`_.
 

{apache_airflow_providers_hashicorp-4.3.0rc1 → apache_airflow_providers_hashicorp-4.3.1rc1}/README.rst

@@ -23,7 +23,7 @@
 
 Package ``apache-airflow-providers-hashicorp``
 
-Release: ``4.3.0``
+Release: ``4.3.1``
 
 
 Hashicorp including `Hashicorp Vault <https://www.vaultproject.io/>`__
@@ -36,7 +36,7 @@ This is a provider package for ``hashicorp`` provider. All classes for this prov
 are in ``airflow.providers.hashicorp`` python package.
 
 You can find package information and changelog for the provider
-in the `documentation <https://airflow.apache.org/docs/apache-airflow-providers-hashicorp/4.3.0/>`_.
+in the `documentation <https://airflow.apache.org/docs/apache-airflow-providers-hashicorp/4.3.1/>`_.
 
 Installation
 ------------
@@ -45,7 +45,7 @@ You can install this package on top of an existing Airflow 2 installation (see `
 for the minimum Airflow version supported) via
 ``pip install apache-airflow-providers-hashicorp``
 
-The package supports the following python versions: 3.9,3.10,3.11,3.12
+The package supports the following python versions: 3.10,3.11,3.12
 
 Requirements
 ------------
@@ -77,4 +77,4 @@ Dependent package
 ====================================================================================================  ==========
 
 The changelog for the provider package can be found in the
-`changelog <https://airflow.apache.org/docs/apache-airflow-providers-hashicorp/4.3.0/changelog.html>`_.
+`changelog <https://airflow.apache.org/docs/apache-airflow-providers-hashicorp/4.3.1/changelog.html>`_.

{apache_airflow_providers_hashicorp-4.3.0rc1 → apache_airflow_providers_hashicorp-4.3.1rc1}/docs/changelog.rst

@@ -27,6 +27,23 @@
 Changelog
 ---------
 
+4.3.1
+.....
+
+Bug Fixes
+~~~~~~~~~
+
+* ``Fix gcp auth in hashicorp vault provider. (#51991)``
+
+Misc
+~~~~
+
+* ``Move 'BaseHook' implementation to task SDK (#51873)``
+* ``Drop support for Python 3.9 (#52072)``
+
+.. Below changes are excluded from the changelog. Move them to
+   appropriate section above if needed. Do not delete the lines(!):
+
 4.3.0
 .....
 

{apache_airflow_providers_hashicorp-4.3.0rc1 → apache_airflow_providers_hashicorp-4.3.1rc1}/docs/index.rst

@@ -69,7 +69,7 @@ apache-airflow-providers-hashicorp package
 Hashicorp including `Hashicorp Vault <https://www.vaultproject.io/>`__
 
 
-Release: 4.3.0
+Release: 4.3.1
 
 Provider package
 ----------------
@@ -121,5 +121,5 @@ Downloading official packages
 You can download officially released packages and verify their checksums and signatures from the
 `Official Apache Download site <https://downloads.apache.org/airflow/providers/>`_
 
-* `The apache-airflow-providers-hashicorp 4.3.0 sdist package <https://downloads.apache.org/airflow/providers/apache_airflow_providers_hashicorp-4.3.0.tar.gz>`_ (`asc <https://downloads.apache.org/airflow/providers/apache_airflow_providers_hashicorp-4.3.0.tar.gz.asc>`__, `sha512 <https://downloads.apache.org/airflow/providers/apache_airflow_providers_hashicorp-4.3.0.tar.gz.sha512>`__)
-* `The apache-airflow-providers-hashicorp 4.3.0 wheel package <https://downloads.apache.org/airflow/providers/apache_airflow_providers_hashicorp-4.3.0-py3-none-any.whl>`_ (`asc <https://downloads.apache.org/airflow/providers/apache_airflow_providers_hashicorp-4.3.0-py3-none-any.whl.asc>`__, `sha512 <https://downloads.apache.org/airflow/providers/apache_airflow_providers_hashicorp-4.3.0-py3-none-any.whl.sha512>`__)
+* `The apache-airflow-providers-hashicorp 4.3.1 sdist package <https://downloads.apache.org/airflow/providers/apache_airflow_providers_hashicorp-4.3.1.tar.gz>`_ (`asc <https://downloads.apache.org/airflow/providers/apache_airflow_providers_hashicorp-4.3.1.tar.gz.asc>`__, `sha512 <https://downloads.apache.org/airflow/providers/apache_airflow_providers_hashicorp-4.3.1.tar.gz.sha512>`__)
+* `The apache-airflow-providers-hashicorp 4.3.1 wheel package <https://downloads.apache.org/airflow/providers/apache_airflow_providers_hashicorp-4.3.1-py3-none-any.whl>`_ (`asc <https://downloads.apache.org/airflow/providers/apache_airflow_providers_hashicorp-4.3.1-py3-none-any.whl.asc>`__, `sha512 <https://downloads.apache.org/airflow/providers/apache_airflow_providers_hashicorp-4.3.1-py3-none-any.whl.sha512>`__)

{apache_airflow_providers_hashicorp-4.3.0rc1 → apache_airflow_providers_hashicorp-4.3.1rc1}/provider.yaml

@@ -22,12 +22,13 @@ description: |
     Hashicorp including `Hashicorp Vault <https://www.vaultproject.io/>`__
 
 state: ready
-source-date-epoch: 1749896774
+source-date-epoch: 1751473545
 # Note that those versions are maintained by release manager - do not update them manually
 # with the exception of case where other provider in sources has >= new provider version.
 # In such case adding >= NEW_VERSION and bumping to NEW_VERSION in a provider have
 # to be done in the same PR
 versions:
+  - 4.3.1
   - 4.3.0
   - 4.2.0
   - 4.1.1

{apache_airflow_providers_hashicorp-4.3.0rc1 → apache_airflow_providers_hashicorp-4.3.1rc1}/pyproject.toml

@@ -25,7 +25,7 @@ build-backend = "flit_core.buildapi"
 
 [project]
 name = "apache-airflow-providers-hashicorp"
-version = "4.3.0rc1"
+version = "4.3.1rc1"
 description = "Provider package apache-airflow-providers-hashicorp for Apache Airflow"
 readme = "README.rst"
 authors = [
@@ -44,13 +44,12 @@ classifiers = [
     "Framework :: Apache Airflow",
     "Framework :: Apache Airflow :: Provider",
     "License :: OSI Approved :: Apache Software License",
-    "Programming Language :: Python :: 3.9",
     "Programming Language :: Python :: 3.10",
     "Programming Language :: Python :: 3.11",
     "Programming Language :: Python :: 3.12",
     "Topic :: System :: Monitoring",
 ]
-requires-python = "~=3.9"
+requires-python = "~=3.10"
 
 # The dependencies should be modified in place in the generated file.
 # Any change in the dependencies is preserved when the file is regenerated
@@ -107,8 +106,8 @@ apache-airflow-providers-common-sql = {workspace = true}
 apache-airflow-providers-standard = {workspace = true}
 
 [project.urls]
-"Documentation" = "https://airflow.staged.apache.org/docs/apache-airflow-providers-hashicorp/4.3.0"
-"Changelog" = "https://airflow.staged.apache.org/docs/apache-airflow-providers-hashicorp/4.3.0/changelog.html"
+"Documentation" = "https://airflow.staged.apache.org/docs/apache-airflow-providers-hashicorp/4.3.1"
+"Changelog" = "https://airflow.staged.apache.org/docs/apache-airflow-providers-hashicorp/4.3.1/changelog.html"
 "Bug Tracker" = "https://github.com/apache/airflow/issues"
 "Source Code" = "https://github.com/apache/airflow"
 "Slack Chat" = "https://s.apache.org/airflow-slack"

{apache_airflow_providers_hashicorp-4.3.0rc1 → apache_airflow_providers_hashicorp-4.3.1rc1}/src/airflow/providers/hashicorp/__init__.py

@@ -29,7 +29,7 @@ from airflow import __version__ as airflow_version
 
 __all__ = ["__version__"]
 
-__version__ = "4.3.0"
+__version__ = "4.3.1"
 
 if packaging.version.parse(packaging.version.parse(airflow_version).base_version) < packaging.version.parse(
     "2.10.0"

{apache_airflow_providers_hashicorp-4.3.0rc1 → apache_airflow_providers_hashicorp-4.3.1rc1}/src/airflow/providers/hashicorp/_internal_client/vault_client.py

@@ -153,6 +153,15 @@ class _VaultClient(LoggingMixin):
                 raise VaultError("The 'radius' authentication type requires 'radius_host'")
             if not radius_secret:
                 raise VaultError("The 'radius' authentication type requires 'radius_secret'")
+        if auth_type == "gcp":
+            if not gcp_scopes:
+                raise VaultError("The 'gcp' authentication type requires 'gcp_scopes'")
+            if not role_id:
+                raise VaultError("The 'gcp' authentication type requires 'role_id'")
+            if not gcp_key_path and not gcp_keyfile_dict:
+                raise VaultError(
+                    "The 'gcp' authentication type requires 'gcp_key_path' or 'gcp_keyfile_dict'"
+                )
 
         self.kv_engine_version = kv_engine_version or 2
         self.url = url
@@ -303,13 +312,41 @@ class _VaultClient(LoggingMixin):
         )
 
         scopes = _get_scopes(self.gcp_scopes)
-        credentials, _ = get_credentials_and_project_id(
+        credentials, project_id = get_credentials_and_project_id(
             key_path=self.gcp_key_path, keyfile_dict=self.gcp_keyfile_dict, scopes=scopes
         )
+
+        import json
+        import time
+
+        import googleapiclient
+
+        if self.gcp_keyfile_dict:
+            creds = self.gcp_keyfile_dict
+        elif self.gcp_key_path:
+            with open(self.gcp_key_path) as f:
+                creds = json.load(f)
+
+        service_account = creds["client_email"]
+
+        # Generate a payload for subsequent "signJwt()" call
+        # Reference: https://googleapis.dev/python/google-auth/latest/reference/google.auth.jwt.html#google.auth.jwt.Credentials
+        now = int(time.time())
+        expires = now + 900  # 15 mins in seconds, can't be longer.
+        payload = {"iat": now, "exp": expires, "sub": credentials, "aud": f"vault/{self.role_id}"}
+        body = {"payload": json.dumps(payload)}
+        name = f"projects/{project_id}/serviceAccounts/{service_account}"
+
+        # Perform the GCP API call
+        iam = googleapiclient.discovery.build("iam", "v1", credentials=credentials)
+        request = iam.projects().serviceAccounts().signJwt(name=name, body=body)
+        resp = request.execute()
+        jwt = resp["signedJwt"]
+
         if self.auth_mount_point:
-            _client.auth.gcp.configure(credentials=credentials, mount_point=self.auth_mount_point)
+            _client.auth.gcp.login(role=self.role_id, jwt=jwt, mount_point=self.auth_mount_point)
         else:
-            _client.auth.gcp.configure(credentials=credentials)
+            _client.auth.gcp.login(role=self.role_id, jwt=jwt)
 
     def _auth_azure(self, _client: hvac.Client) -> None:
         if self.auth_mount_point:

{apache_airflow_providers_hashicorp-4.3.0rc1 → apache_airflow_providers_hashicorp-4.3.1rc1}/src/airflow/providers/hashicorp/hooks/vault.py

@@ -23,12 +23,16 @@ from typing import TYPE_CHECKING, Any
 
 from hvac.exceptions import VaultError
 
-from airflow.hooks.base import BaseHook
 from airflow.providers.hashicorp._internal_client.vault_client import (
     DEFAULT_KUBERNETES_JWT_PATH,
     DEFAULT_KV_ENGINE_VERSION,
     _VaultClient,
 )
+
+try:
+    from airflow.sdk import BaseHook
+except ImportError:
+    from airflow.hooks.base import BaseHook  # type: ignore[attr-defined,no-redef]
 from airflow.utils.helpers import merge_dicts
 
 if TYPE_CHECKING:

{apache_airflow_providers_hashicorp-4.3.0rc1 → apache_airflow_providers_hashicorp-4.3.1rc1}/tests/unit/hashicorp/_internal_client/test_vault_client.py

@@ -16,6 +16,8 @@
 # under the License.
 from __future__ import annotations
 
+import json
+import time
 from unittest import mock
 from unittest.mock import mock_open, patch
 
@@ -253,86 +255,217 @@ class TestVaultClient:
                 secret_id="pass",
             )
 
+    @mock.patch("builtins.open", create=True)
     @mock.patch("airflow.providers.google.cloud.utils.credentials_provider._get_scopes")
     @mock.patch("airflow.providers.google.cloud.utils.credentials_provider.get_credentials_and_project_id")
-    @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
-    def test_gcp(self, mock_hvac, mock_get_credentials, mock_get_scopes):
+    @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac.Client")
+    @mock.patch("googleapiclient.discovery.build")
+    def test_gcp(self, mock_google_build, mock_hvac_client, mock_get_credentials, mock_get_scopes, mock_open):
+        # Mock the content of the file 'path.json'
+        mock_file = mock.MagicMock()
+        mock_file.read.return_value = '{"client_email": "service_account_email"}'
+        mock_open.return_value.__enter__.return_value = mock_file
+
         mock_client = mock.MagicMock()
-        mock_hvac.Client.return_value = mock_client
+        mock_hvac_client.return_value = mock_client
         mock_get_scopes.return_value = ["scope1", "scope2"]
         mock_get_credentials.return_value = ("credentials", "project_id")
+
+        # Mock the current time to use for iat and exp
+        current_time = int(time.time())
+        iat = current_time
+        exp = iat + 3600  # 1 hour after iat
+
+        # Mock the signJwt API to return the expected payload
+        mock_sign_jwt = (
+            mock_google_build.return_value.projects.return_value.serviceAccounts.return_value.signJwt
+        )
+        mock_sign_jwt.return_value.execute.return_value = {"signedJwt": "mocked_jwt"}
+
         vault_client = _VaultClient(
             auth_type="gcp",
             gcp_key_path="path.json",
             gcp_scopes="scope1,scope2",
+            role_id="role",
             url="http://localhost:8180",
             session=None,
         )
-        client = vault_client.client
-        mock_hvac.Client.assert_called_with(url="http://localhost:8180", session=None)
+
+        # Preserve the original json.dumps
+        original_json_dumps = json.dumps
+
+        # Inject the mocked payload into the JWT signing process
+        with mock.patch("json.dumps") as mock_json_dumps:
+
+            def mocked_json_dumps(payload):
+                # Override the payload to inject controlled iat and exp values
+                payload["iat"] = iat
+                payload["exp"] = exp
+                return original_json_dumps(payload)  # Use the original json.dumps
+
+            mock_json_dumps.side_effect = mocked_json_dumps
+
+            client = vault_client.client  # Trigger the Vault client creation
+
+        # Validate that the HVAC client and other mocks are called correctly
+        mock_hvac_client.assert_called_with(url="http://localhost:8180", session=None)
         mock_get_scopes.assert_called_with("scope1,scope2")
         mock_get_credentials.assert_called_with(
             key_path="path.json", keyfile_dict=None, scopes=["scope1", "scope2"]
         )
-        mock_hvac.Client.assert_called_with(url="http://localhost:8180", session=None)
-        client.auth.gcp.configure.assert_called_with(
-            credentials="credentials",
-        )
+
+        # Extract the arguments passed to the mocked signJwt API
+        args, kwargs = mock_sign_jwt.call_args
+        payload = json.loads(kwargs["body"]["payload"])
+
+        # Assert iat and exp values are as expected
+        assert payload["iat"] == iat
+        assert payload["exp"] == exp
+        assert abs(payload["exp"] - (payload["iat"] + 3600)) < 10  # Validate exp is 3600 seconds after iat
+
+        client.auth.gcp.login.assert_called_with(role="role", jwt="mocked_jwt")
         client.is_authenticated.assert_called_with()
         assert vault_client.kv_engine_version == 2
 
+    @mock.patch("builtins.open", create=True)
     @mock.patch("airflow.providers.google.cloud.utils.credentials_provider._get_scopes")
     @mock.patch("airflow.providers.google.cloud.utils.credentials_provider.get_credentials_and_project_id")
-    @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
-    def test_gcp_different_auth_mount_point(self, mock_hvac, mock_get_credentials, mock_get_scopes):
-        mock_client = mock.MagicMock()
-        mock_hvac.Client.return_value = mock_client
+    @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac.Client")
+    @mock.patch("googleapiclient.discovery.build")
+    def test_gcp_different_auth_mount_point(
+        self, mock_google_build, mock_hvac_client, mock_get_credentials, mock_get_scopes, mock_open
+    ):
+        # Mock the content of the file 'path.json'
+        mock_file = mock.MagicMock()
+        mock_file.read.return_value = '{"client_email": "service_account_email"}'
+        mock_open.return_value.__enter__.return_value = mock_file
+
+        mock_client = mock.MagicMock()
+        mock_hvac_client.return_value = mock_client
         mock_get_scopes.return_value = ["scope1", "scope2"]
         mock_get_credentials.return_value = ("credentials", "project_id")
+
+        mock_sign_jwt = (
+            mock_google_build.return_value.projects.return_value.serviceAccounts.return_value.signJwt
+        )
+        mock_sign_jwt.return_value.execute.return_value = {"signedJwt": "mocked_jwt"}
+
+        # Generate realistic iat and exp values
+        current_time = int(time.time())
+        iat = current_time
+        exp = current_time + 3600  # 1 hour later
+
         vault_client = _VaultClient(
             auth_type="gcp",
             gcp_key_path="path.json",
             gcp_scopes="scope1,scope2",
+            role_id="role",
             url="http://localhost:8180",
             auth_mount_point="other",
             session=None,
         )
-        client = vault_client.client
-        mock_hvac.Client.assert_called_with(url="http://localhost:8180", session=None)
+
+        # Preserve the original json.dumps
+        original_json_dumps = json.dumps
+
+        # Inject the mocked payload into the JWT signing process
+        with mock.patch("json.dumps") as mock_json_dumps:
+
+            def mocked_json_dumps(payload):
+                # Override the payload to inject controlled iat and exp values
+                payload["iat"] = iat
+                payload["exp"] = exp
+                return original_json_dumps(payload)  # Use the original json.dumps
+
+            mock_json_dumps.side_effect = mocked_json_dumps
+
+            client = vault_client.client  # Trigger the Vault client creation
+
+        # Assertions
+        mock_hvac_client.assert_called_with(url="http://localhost:8180", session=None)
         mock_get_scopes.assert_called_with("scope1,scope2")
         mock_get_credentials.assert_called_with(
             key_path="path.json", keyfile_dict=None, scopes=["scope1", "scope2"]
         )
-        mock_hvac.Client.assert_called_with(url="http://localhost:8180", session=None)
-        client.auth.gcp.configure.assert_called_with(credentials="credentials", mount_point="other")
+        # Extract the arguments passed to the mocked signJwt API
+        args, kwargs = mock_sign_jwt.call_args
+        payload = json.loads(kwargs["body"]["payload"])
+
+        # Assert iat and exp values are as expected
+        assert payload["iat"] == iat
+        assert payload["exp"] == exp
+        assert abs(payload["exp"] - (payload["iat"] + 3600)) < 10  # Validate exp is 3600 seconds after iat
+
+        client.auth.gcp.login.assert_called_with(role="role", jwt="mocked_jwt", mount_point="other")
         client.is_authenticated.assert_called_with()
         assert vault_client.kv_engine_version == 2
 
+    @mock.patch(
+        "builtins.open", new_callable=mock_open, read_data='{"client_email": "service_account_email"}'
+    )
     @mock.patch("airflow.providers.google.cloud.utils.credentials_provider._get_scopes")
     @mock.patch("airflow.providers.google.cloud.utils.credentials_provider.get_credentials_and_project_id")
-    @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
-    def test_gcp_dict(self, mock_hvac, mock_get_credentials, mock_get_scopes):
+    @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac.Client")
+    @mock.patch("googleapiclient.discovery.build")
+    def test_gcp_dict(
+        self, mock_google_build, mock_hvac_client, mock_get_credentials, mock_get_scopes, mock_file
+    ):
         mock_client = mock.MagicMock()
-        mock_hvac.Client.return_value = mock_client
+        mock_hvac_client.return_value = mock_client
         mock_get_scopes.return_value = ["scope1", "scope2"]
         mock_get_credentials.return_value = ("credentials", "project_id")
+
+        mock_sign_jwt = (
+            mock_google_build.return_value.projects.return_value.serviceAccounts.return_value.signJwt
+        )
+        mock_sign_jwt.return_value.execute.return_value = {"signedJwt": "mocked_jwt"}
+
+        # Generate realistic iat and exp values
+        current_time = int(time.time())
+        iat = current_time
+        exp = current_time + 3600  # 1 hour later
+
         vault_client = _VaultClient(
             auth_type="gcp",
-            gcp_keyfile_dict={"key": "value"},
+            gcp_keyfile_dict={"client_email": "service_account_email"},
             gcp_scopes="scope1,scope2",
+            role_id="role",
             url="http://localhost:8180",
             session=None,
         )
-        client = vault_client.client
-        mock_hvac.Client.assert_called_with(url="http://localhost:8180", session=None)
+
+        # Preserve the original json.dumps
+        original_json_dumps = json.dumps
+
+        # Inject the mocked payload into the JWT signing process
+        with mock.patch("json.dumps") as mock_json_dumps:
+
+            def mocked_json_dumps(payload):
+                # Override the payload to inject controlled iat and exp values
+                payload["iat"] = iat
+                payload["exp"] = exp
+                return original_json_dumps(payload)  # Use the original json.dumps
+
+            mock_json_dumps.side_effect = mocked_json_dumps
+
+            client = vault_client.client  # Trigger the Vault client creation
+
+        # Assertions
+        mock_hvac_client.assert_called_with(url="http://localhost:8180", session=None)
         mock_get_scopes.assert_called_with("scope1,scope2")
         mock_get_credentials.assert_called_with(
-            key_path=None, keyfile_dict={"key": "value"}, scopes=["scope1", "scope2"]
-        )
-        mock_hvac.Client.assert_called_with(url="http://localhost:8180", session=None)
-        client.auth.gcp.configure.assert_called_with(
-            credentials="credentials",
+            key_path=None, keyfile_dict={"client_email": "service_account_email"}, scopes=["scope1", "scope2"]
         )
+        # Extract the arguments passed to the mocked signJwt API
+        args, kwargs = mock_sign_jwt.call_args
+        payload = json.loads(kwargs["body"]["payload"])
+
+        # Assert iat and exp values are as expected
+        assert payload["iat"] == iat
+        assert payload["exp"] == exp
+        assert abs(payload["exp"] - (payload["iat"] + 3600)) < 10  # Validate exp is 3600 seconds after iat
+
+        client.auth.gcp.login.assert_called_with(role="role", jwt="mocked_jwt")
         client.is_authenticated.assert_called_with()
         assert vault_client.kv_engine_version == 2
 

{apache_airflow_providers_hashicorp-4.3.0rc1 → apache_airflow_providers_hashicorp-4.3.1rc1}/tests/unit/hashicorp/hooks/test_vault.py

@@ -18,7 +18,7 @@ from __future__ import annotations
 
 import re
 from unittest import mock
-from unittest.mock import PropertyMock, mock_open, patch
+from unittest.mock import MagicMock, PropertyMock, mock_open, patch
 
 import pytest
 from hvac.exceptions import VaultError
@@ -431,7 +431,10 @@ class TestVaultHook:
     @mock.patch("airflow.providers.google.cloud.utils.credentials_provider.get_credentials_and_project_id")
     @mock.patch("airflow.providers.hashicorp.hooks.vault.VaultHook.get_connection")
     @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
-    def test_gcp_init_params(self, mock_hvac, mock_get_connection, mock_get_credentials, mock_get_scopes):
+    @mock.patch("googleapiclient.discovery.build")
+    def test_gcp_init_params(
+        self, mock_build, mock_hvac, mock_get_connection, mock_get_credentials, mock_get_scopes
+    ):
         mock_client = mock.MagicMock()
         mock_hvac.Client.return_value = mock_client
         mock_connection = self.get_mock_connection()
@@ -439,6 +442,17 @@ class TestVaultHook:
         mock_get_scopes.return_value = ["scope1", "scope2"]
         mock_get_credentials.return_value = ("credentials", "project_id")
 
+        # Mock googleapiclient.discovery.build chain
+        mock_service = MagicMock()
+        mock_projects = MagicMock()
+        mock_service_accounts = MagicMock()
+        mock_sign_jwt = MagicMock()
+        mock_sign_jwt.execute.return_value = {"signedJwt": "mocked_jwt"}
+        mock_service_accounts.signJwt.return_value = mock_sign_jwt
+        mock_projects.serviceAccounts.return_value = mock_service_accounts
+        mock_service.projects.return_value = mock_projects
+        mock_build.return_value = mock_service
+
         connection_dict = {}
 
         mock_connection.extra_dejson.get.side_effect = connection_dict.get
@@ -447,20 +461,24 @@ class TestVaultHook:
             "auth_type": "gcp",
             "gcp_key_path": "path.json",
             "gcp_scopes": "scope1,scope2",
+            "role_id": "role",
             "session": None,
         }
 
-        test_hook = VaultHook(**kwargs)
-        test_client = test_hook.get_conn()
+        with patch(
+            "builtins.open", mock_open(read_data='{"client_email": "service_account_email"}')
+        ) as mock_file:
+            test_hook = VaultHook(**kwargs)
+            test_client = test_hook.get_conn()
+            mock_file.assert_called_with("path.json")
+
         mock_get_connection.assert_called_with("vault_conn_id")
         mock_get_scopes.assert_called_with("scope1,scope2")
         mock_get_credentials.assert_called_with(
             key_path="path.json", keyfile_dict=None, scopes=["scope1", "scope2"]
         )
         mock_hvac.Client.assert_called_with(url="http://localhost:8180", session=None)
-        test_client.auth.gcp.configure.assert_called_with(
-            credentials="credentials",
-        )
+        test_client.auth.gcp.login.assert_called_with(role="role", jwt="mocked_jwt")
         test_client.is_authenticated.assert_called_with()
         assert test_hook.vault_client.kv_engine_version == 2
 
@@ -468,7 +486,10 @@ class TestVaultHook:
     @mock.patch("airflow.providers.google.cloud.utils.credentials_provider.get_credentials_and_project_id")
     @mock.patch("airflow.providers.hashicorp.hooks.vault.VaultHook.get_connection")
     @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
-    def test_gcp_dejson(self, mock_hvac, mock_get_connection, mock_get_credentials, mock_get_scopes):
+    @mock.patch("googleapiclient.discovery.build")
+    def test_gcp_dejson(
+        self, mock_build, mock_hvac, mock_get_connection, mock_get_credentials, mock_get_scopes
+    ):
         mock_client = mock.MagicMock()
         mock_hvac.Client.return_value = mock_client
         mock_connection = self.get_mock_connection()
@@ -476,29 +497,45 @@ class TestVaultHook:
         mock_get_scopes.return_value = ["scope1", "scope2"]
         mock_get_credentials.return_value = ("credentials", "project_id")
 
+        # Mock googleapiclient.discovery.build chain
+        mock_service = MagicMock()
+        mock_projects = MagicMock()
+        mock_service_accounts = MagicMock()
+        mock_sign_jwt = MagicMock()
+        mock_sign_jwt.execute.return_value = {"signedJwt": "mocked_jwt"}
+        mock_service_accounts.signJwt.return_value = mock_sign_jwt
+        mock_projects.serviceAccounts.return_value = mock_service_accounts
+        mock_service.projects.return_value = mock_projects
+        mock_build.return_value = mock_service
+
         connection_dict = {
             "auth_type": "gcp",
             "gcp_key_path": "path.json",
             "gcp_scopes": "scope1,scope2",
+            "role_id": "role",
         }
 
         mock_connection.extra_dejson.get.side_effect = connection_dict.get
         kwargs = {
             "vault_conn_id": "vault_conn_id",
             "session": None,
+            "role_id": "role",
         }
 
-        test_hook = VaultHook(**kwargs)
-        test_client = test_hook.get_conn()
+        with patch(
+            "builtins.open", mock_open(read_data='{"client_email": "service_account_email"}')
+        ) as mock_file:
+            test_hook = VaultHook(**kwargs)
+            test_client = test_hook.get_conn()
+            mock_file.assert_called_with("path.json")
+
         mock_get_connection.assert_called_with("vault_conn_id")
         mock_get_scopes.assert_called_with("scope1,scope2")
         mock_get_credentials.assert_called_with(
             key_path="path.json", keyfile_dict=None, scopes=["scope1", "scope2"]
         )
         mock_hvac.Client.assert_called_with(url="http://localhost:8180", session=None)
-        test_client.auth.gcp.configure.assert_called_with(
-            credentials="credentials",
-        )
+        test_client.auth.gcp.login.assert_called_with(role="role", jwt="mocked_jwt")
         test_client.is_authenticated.assert_called_with()
         assert test_hook.vault_client.kv_engine_version == 2
 
@@ -506,7 +543,10 @@ class TestVaultHook:
     @mock.patch("airflow.providers.google.cloud.utils.credentials_provider.get_credentials_and_project_id")
     @mock.patch("airflow.providers.hashicorp.hooks.vault.VaultHook.get_connection")
     @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
-    def test_gcp_dict_dejson(self, mock_hvac, mock_get_connection, mock_get_credentials, mock_get_scopes):
+    @mock.patch("googleapiclient.discovery.build")
+    def test_gcp_dict_dejson(
+        self, mock_build, mock_hvac, mock_get_connection, mock_get_credentials, mock_get_scopes
+    ):
         mock_client = mock.MagicMock()
         mock_hvac.Client.return_value = mock_client
         mock_connection = self.get_mock_connection()
@@ -514,16 +554,29 @@ class TestVaultHook:
         mock_get_scopes.return_value = ["scope1", "scope2"]
         mock_get_credentials.return_value = ("credentials", "project_id")
 
+        # Mock googleapiclient.discovery.build chain
+        mock_service = MagicMock()
+        mock_projects = MagicMock()
+        mock_service_accounts = MagicMock()
+        mock_sign_jwt = MagicMock()
+        mock_sign_jwt.execute.return_value = {"signedJwt": "mocked_jwt"}
+        mock_service_accounts.signJwt.return_value = mock_sign_jwt
+        mock_projects.serviceAccounts.return_value = mock_service_accounts
+        mock_service.projects.return_value = mock_projects
+        mock_build.return_value = mock_service
+
         connection_dict = {
             "auth_type": "gcp",
-            "gcp_keyfile_dict": '{"key": "value"}',
+            "gcp_keyfile_dict": '{"client_email": "service_account_email"}',
             "gcp_scopes": "scope1,scope2",
+            "role_id": "role",
         }
 
         mock_connection.extra_dejson.get.side_effect = connection_dict.get
         kwargs = {
             "vault_conn_id": "vault_conn_id",
             "session": None,
+            "role_id": "role",
         }
 
         test_hook = VaultHook(**kwargs)
@@ -531,12 +584,10 @@ class TestVaultHook:
         mock_get_connection.assert_called_with("vault_conn_id")
         mock_get_scopes.assert_called_with("scope1,scope2")
         mock_get_credentials.assert_called_with(
-            key_path=None, keyfile_dict={"key": "value"}, scopes=["scope1", "scope2"]
+            key_path=None, keyfile_dict={"client_email": "service_account_email"}, scopes=["scope1", "scope2"]
         )
         mock_hvac.Client.assert_called_with(url="http://localhost:8180", session=None)
-        test_client.auth.gcp.configure.assert_called_with(
-            credentials="credentials",
-        )
+        test_client.auth.gcp.login.assert_called_with(role="role", jwt="mocked_jwt")
         test_client.is_authenticated.assert_called_with()
         assert test_hook.vault_client.kv_engine_version == 2