Passwords from stdin in Keycloak Provider (#59119)

ecodina · web-flow · commit af5e469f8c2f · 2025-12-09T14:26:07.000-05:00
* implement cli password action

* keycloak: get password from cli command or stdin

* add password action in keycloak version_compat

* Password action only for keycloak

* remove unneeded code
diff --git a/providers/keycloak/docs/auth-manager/manage/permissions.rst b/providers/keycloak/docs/auth-manager/manage/permissions.rst
@@ -37,7 +37,7 @@ There are two options to create the permissions:
 CLI commands take the following parameters:
 
 * ``--username``: Keycloak admin username
-* ``--password``: Keycloak admin password
+* ``--password``: Keycloak admin password. Specifying the parameter without a value will prompt for the password securely.
 * ``--user-realm``: Keycloak user realm
 * ``--client-id``: Keycloak client id (default: admin-cli)
 
diff --git a/providers/keycloak/src/airflow/providers/keycloak/auth_manager/cli/definition.py b/providers/keycloak/src/airflow/providers/keycloak/auth_manager/cli/definition.py
@@ -17,12 +17,25 @@
 
 from __future__ import annotations
 
+import argparse
+import getpass
+
 from airflow.cli.cli_config import (
     ActionCommand,
     Arg,
     lazy_load_command,
 )
 
+
+class Password(argparse.Action):
+    """Custom action to prompt for password input."""
+
+    def __call__(self, parser, namespace, values, option_string=None):
+        if values is None:
+            values = getpass.getpass(prompt="Password: ")
+        setattr(namespace, self.dest, values)
+
+
 ############
 # # ARGS # #
 ############
@@ -33,7 +46,11 @@
 )
 ARG_PASSWORD = Arg(
     ("--password",),
-    help="Password associated to the user used to create resources",
+    help="Password associated to the user used to create resources. If not provided, you will be prompted to enter it.",
+    action=Password,
+    nargs="?",
+    dest="password",
+    type=str,
 )
 ARG_USER_REALM = Arg(
     ("--user-realm",), help="Realm name where the user used to create resources is", default="master"
diff --git a/providers/keycloak/tests/unit/keycloak/auth_manager/cli/test_definition.py b/providers/keycloak/tests/unit/keycloak/auth_manager/cli/test_definition.py
@@ -16,9 +16,90 @@
 # under the License.
 from __future__ import annotations
 
-from airflow.providers.keycloak.auth_manager.cli.definition import KEYCLOAK_AUTH_MANAGER_COMMANDS
+import argparse
+import importlib
+from unittest.mock import patch
+
+import pytest
+
+from airflow.cli import cli_parser
+from airflow.providers.keycloak.auth_manager.cli.definition import KEYCLOAK_AUTH_MANAGER_COMMANDS, Password
+
+from tests_common.test_utils.config import conf_vars
 
 
 class TestKeycloakCliDefinition:
-    def test_aws_auth_manager_cli_commands(self):
+    @classmethod
+    def setup_class(cls):
+        with conf_vars(
+            {
+                (
+                    "core",
+                    "auth_manager",
+                ): "airflow.providers.keycloak.auth_manager.keycloak_auth_manager.KeycloakAuthManager",
+            }
+        ):
+            importlib.reload(cli_parser)
+            cls.arg_parser = cli_parser.get_parser()
+
+    def test_keycloak_auth_manager_cli_commands(self):
         assert len(KEYCLOAK_AUTH_MANAGER_COMMANDS) == 4
+
+    @pytest.mark.parametrize(
+        "command",
+        ["create-scopes", "create-resources", "create-permissions", "create-all"],
+    )
+    def test_password_with_explicit_value(self, command):
+        """Test commands are defined correctly to allow passing password explicitly via --password value."""
+        params = [
+            "keycloak-auth-manager",
+            command,
+            "--username",
+            "test",
+            "--password",
+            "my_password",
+        ]
+        args = self.arg_parser.parse_args(params)
+        assert args.password == "my_password"
+
+    @pytest.mark.parametrize(
+        "command",
+        ["create-scopes", "create-resources", "create-permissions", "create-all"],
+    )
+    @patch("getpass.getpass", return_value="stdin_password")
+    def test_password_from_stdin(self, mock_getpass, command):
+        """Test commands are defined correctly to allow password prompting from stdin when --password has no value."""
+        params = [
+            "keycloak-auth-manager",
+            command,
+            "--username",
+            "test",
+            "--password",
+        ]
+        args = self.arg_parser.parse_args(params)
+        mock_getpass.assert_called_once_with(prompt="Password: ")
+        assert args.password == "stdin_password"
+
+
+class TestPasswordAction:
+    """Tests for the Password argparse action."""
+
+    def test_password_with_explicit_value(self):
+        """Test passing password explicitly via --password value."""
+
+        parser = argparse.ArgumentParser()
+        parser.add_argument("--password", action=Password, nargs="?", dest="password")
+
+        args = parser.parse_args(["--password", "my_password"])
+        assert args.password == "my_password"
+
+    @patch("getpass.getpass", return_value="stdin_password")
+    def test_password_from_stdin(self, mock_getpass):
+        """Test password prompted from stdin when --password has no value."""
+
+        parser = argparse.ArgumentParser()
+        parser.add_argument("--password", action=Password, nargs="?", dest="password")
+
+        args = parser.parse_args(["--password"])
+        mock_getpass.assert_called_once_with(prompt="Password: ")
+        assert args.password == "stdin_password"
