From 7c93ce06788919160e705134aabdc68b5633f2a9 Mon Sep 17 00:00:00 2001 From: shaealh Date: Tue, 14 Jul 2026 20:27:27 -0700 Subject: [PATCH] Secure AWS auth cookies behind TLS proxies TLS is commonly terminated upstream, leaving api.ssl_cert empty even though browsers reach Airflow over HTTPS. --- .../providers/amazon/aws/auth_manager/routes/login.py | 2 +- .../unit/amazon/aws/auth_manager/routes/test_login.py | 11 ++++++++--- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/providers/amazon/src/airflow/providers/amazon/aws/auth_manager/routes/login.py b/providers/amazon/src/airflow/providers/amazon/aws/auth_manager/routes/login.py index 5f7dcb84bcd26..d88c2b15252db 100644 --- a/providers/amazon/src/airflow/providers/amazon/aws/auth_manager/routes/login.py +++ b/providers/amazon/src/airflow/providers/amazon/aws/auth_manager/routes/login.py @@ -118,7 +118,7 @@ def login_callback(request: Request): if relay_state == "login-redirect": response = RedirectResponse(url=url, status_code=303) - secure = bool(conf.get("api", "ssl_cert", fallback="")) + secure = request.base_url.scheme == "https" or bool(conf.get("api", "ssl_cert", fallback="")) # In Airflow 3.1.1 authentication changes, front-end no longer handle the token # See https://github.com/apache/airflow/pull/55506 cookie_path = get_cookie_path() diff --git a/providers/amazon/tests/unit/amazon/aws/auth_manager/routes/test_login.py b/providers/amazon/tests/unit/amazon/aws/auth_manager/routes/test_login.py index b24ec8b1bf7af..350b1b9afe492 100644 --- a/providers/amazon/tests/unit/amazon/aws/auth_manager/routes/test_login.py +++ b/providers/amazon/tests/unit/amazon/aws/auth_manager/routes/test_login.py @@ -80,7 +80,7 @@ def test_client(): yield TestClient(create_app()) -def get_login_callback_response(relay_state: str): +def get_login_callback_response(relay_state: str, *, base_url: str = "http://testserver"): with conf_vars( { ( @@ -88,7 +88,7 @@ def get_login_callback_response(relay_state: str): "auth_manager", ): "airflow.providers.amazon.aws.auth_manager.aws_auth_manager.AwsAuthManager", ("aws_auth_manager", "saml_metadata_url"): SAML_METADATA_URL, - ("api", "ssl_cert"): "false", + ("api", "ssl_cert"): "", } ): with ( @@ -112,7 +112,7 @@ def get_login_callback_response(relay_state: str): "email": ["email"], } mock_init_saml_auth.return_value = auth - client = TestClient(create_app()) + client = TestClient(create_app(), base_url=base_url) return client.post( AUTH_MANAGER_FASTAPI_APP_PREFIX + "/login_callback", follow_redirects=False, @@ -141,6 +141,11 @@ def test_login_callback_successful_with_relay_state_redirect(self): assert "_token" in response.cookies assert response.headers["location"].startswith("http://localhost:8080/") + def test_login_callback_sets_secure_cookie_behind_tls_proxy(self): + response = get_login_callback_response("login-redirect", base_url="https://testserver") + + assert "Secure" in response.headers["set-cookie"] + def test_login_callback_successful_with_relay_state_token(self): response = get_login_callback_response("login-token") assert response.status_code == 200