Log in
Log in
Log in
Book a Demo
Get Started
669.7K 483.1K 8.3K
Back to Repositories

Testing Result Backend Connection Secret Configuration in Apache Airflow

This test suite validates the result backend connection secret configuration in Apache Airflow’s Helm chart. It ensures proper handling of database connections, authentication, and integration with PgBouncer for different executor types and Airflow versions.

Test Coverage Overview

The test suite provides comprehensive coverage of result backend connection secret generation and configuration scenarios.

  • Tests secret generation based on executor type (Celery, CeleryKubernetes, Local)
  • Validates connection string formatting for different database types
  • Verifies PgBouncer integration and override behavior
  • Tests backward compatibility across Airflow versions

Implementation Analysis

The implementation uses pytest parametrization to test multiple scenarios efficiently. The suite employs helper methods for version-specific testing and connection string validation, with particular attention to database URL encoding and special character handling.

Testing patterns include fixture-based setup, parameterized test cases, and assertion helpers for version-specific behavior.

Technical Details

  • Uses pytest framework with parametrize decorators
  • Implements jmespath for YAML parsing
  • Utilizes base64 encoding/decoding for secret handling
  • Employs custom chart rendering helper functions
  • Includes version-specific test logic for Airflow 2.3.2 and newer

Best Practices Demonstrated

The test suite exemplifies several testing best practices including isolation of test cases, comprehensive edge case coverage, and clear test organization.

  • Modular test methods with clear single responsibilities
  • Thorough validation of connection string formatting
  • Proper handling of special characters and URL encoding
  • Version-specific compatibility testing

apache/airflow

helm_tests/security/test_result_backend_connection_secret.py

            
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
from __future__ import annotations

import base64

import jmespath
import pytest

from tests.charts.helm_template_generator import render_chart


class TestResultBackendConnectionSecret:
    """Tests result backend connection secret."""

    def _get_values_with_version(self, values, version):
        if version != "default":
            values["airflowVersion"] = version
        return values

    def _assert_for_old_version(self, version, value, expected_value):
        if version == "2.3.2":
            assert value == expected_value
        else:
            assert value is None

    non_chart_database_values = {
        "user": "someuser",
        "pass": "somepass",
        "host": "somehost",
        "protocol": "postgresql",
        "port": 7777,
        "db": "somedb",
        "sslmode": "allow",
    }

    def test_should_not_generate_a_document_if_using_existing_secret(self):
        docs = render_chart(
            values={"data": {"resultBackendSecretName": "foo"}},
            show_only=["templates/secrets/result-backend-connection-secret.yaml"],
        )

        assert len(docs) == 0

    @pytest.mark.parametrize(
        "executor, expected_doc_count",
        [
            ("CeleryExecutor", 1),
            ("CeleryKubernetesExecutor", 1),
            ("LocalExecutor", 0),
        ],
    )
    def test_should_a_document_be_generated_for_executor(self, executor, expected_doc_count):
        docs = render_chart(
            values={
                "executor": executor,
                "data": {
                    "metadataConnection": {**self.non_chart_database_values},
                    "resultBackendConnection": {
                        **self.non_chart_database_values,
                        "user": "anotheruser",
                        "pass": "anotherpass",
                    },
                },
            },
            show_only=["templates/secrets/result-backend-connection-secret.yaml"],
        )

        assert expected_doc_count == len(docs)

    def _get_connection(self, values: dict) -> str | None:
        docs = render_chart(
            values=values,
            show_only=["templates/secrets/result-backend-connection-secret.yaml"],
        )
        if len(docs) == 0:
            return None
        encoded_connection = jmespath.search("data.connection", docs[0])
        return base64.b64decode(encoded_connection).decode()

    @pytest.mark.parametrize("version", ["2.3.2", "2.4.0", "default"])
    def test_default_connection_old_version(self, version):
        connection = self._get_connection(self._get_values_with_version(version=version, values={}))
        self._assert_for_old_version(
            version,
            value=connection,
            expected_value="db+postgresql://postgres:postgres@release-name"
            "-postgresql:5432/postgres?sslmode=disable",
        )

    @pytest.mark.parametrize("version", ["2.3.2", "2.4.0", "default"])
    def test_should_default_to_custom_metadata_db_connection_with_pgbouncer_overrides(self, version):
        values = {
            "pgbouncer": {"enabled": True},
            "data": {"metadataConnection": {**self.non_chart_database_values}},
        }
        connection = self._get_connection(self._get_values_with_version(values=values, version=version))

        # host, port, dbname still get overridden
        self._assert_for_old_version(
            version,
            value=connection,
            expected_value="db+postgresql://someuser:somepass@release-name-pgbouncer"
            ":6543/release-name-result-backend?sslmode=allow",
        )

    @pytest.mark.parametrize("version", ["2.3.2", "2.4.0", "default"])
    def test_should_set_pgbouncer_overrides_when_enabled(self, version):
        values = {"pgbouncer": {"enabled": True}}
        connection = self._get_connection(self._get_values_with_version(values=values, version=version))

        # host, port, dbname get overridden
        self._assert_for_old_version(
            version,
            value=connection,
            expected_value="db+postgresql://postgres:postgres@release-name-pgbouncer"
            ":6543/release-name-result-backend?sslmode=disable",
        )

    def test_should_set_pgbouncer_overrides_with_non_chart_database_when_enabled(self):
        values = {
            "pgbouncer": {"enabled": True},
            "data": {"resultBackendConnection": {**self.non_chart_database_values}},
        }
        connection = self._get_connection(values)

        # host, port, dbname still get overridden even with an non-chart db
        assert (
            connection == "db+postgresql://someuser:somepass@release-name-pgbouncer:6543"
            "/release-name-result-backend?sslmode=allow"
        )

    @pytest.mark.parametrize("version", ["2.3.2", "2.4.0", "default"])
    def test_should_default_to_custom_metadata_db_connection_in_old_version(self, version):
        values = {
            "data": {"metadataConnection": {**self.non_chart_database_values}},
        }
        connection = self._get_connection(self._get_values_with_version(values=values, version=version))
        self._assert_for_old_version(
            version,
            value=connection,
            expected_value="db+postgresql://someuser:somepass@somehost:7777/somedb?sslmode=allow",
        )

    def test_should_correctly_use_non_chart_database(self):
        values = {"data": {"resultBackendConnection": {**self.non_chart_database_values}}}
        connection = self._get_connection(values)

        assert connection == "db+postgresql://someuser:somepass@somehost:7777/somedb?sslmode=allow"

    def test_should_support_non_postgres_db(self):
        values = {
            "data": {
                "resultBackendConnection": {
                    **self.non_chart_database_values,
                    "protocol": "mysql",
                }
            }
        }
        connection = self._get_connection(values)

        # sslmode is only added for postgresql
        assert connection == "db+mysql://someuser:somepass@somehost:7777/somedb"

    def test_should_correctly_use_non_chart_database_when_both_db_are_external(self):
        values = {
            "data": {
                "metadataConnection": {**self.non_chart_database_values},
                "resultBackendConnection": {
                    **self.non_chart_database_values,
                    "user": "anotheruser",
                    "pass": "anotherpass",
                },
            }
        }
        connection = self._get_connection(values)

        assert connection == "db+postgresql://anotheruser:anotherpass@somehost:7777/somedb?sslmode=allow"

    def test_should_correctly_handle_password_with_special_characters(self):
        values = {
            "data": {
                "resultBackendConnection": {
                    **self.non_chart_database_values,
                    "user": "username@123123",
                    "pass": "password@!@#$^&*()",
                },
            }
        }
        connection = self._get_connection(values)

        assert (
            connection
            == "db+postgresql://username%40123123:password%40%21%40%23$%5E&%2A%28%29@somehost:7777/"
            "somedb?sslmode=allow"
        )