feat(AIP-84): Add auth for ui config (apache#47487)

Lee-W · nailo2c · commit 259a5f3ac101 · 2025-04-04T14:54:22.000-07:00
diff --git a/airflow/api_fastapi/core_api/openapi/v1-generated.yaml b/airflow/api_fastapi/core_api/openapi/v1-generated.yaml
@@ -56,6 +56,8 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/HTTPExceptionResponse'
+      security:
+      - OAuth2PasswordBearer: []
   /ui/dags/recent_dag_runs:
     get:
       tags:
diff --git a/airflow/api_fastapi/core_api/routes/ui/config.py b/airflow/api_fastapi/core_api/routes/ui/config.py
@@ -18,11 +18,12 @@
 
 from typing import Any
 
-from fastapi import status
+from fastapi import Depends, status
 
 from airflow.api_fastapi.common.router import AirflowRouter
 from airflow.api_fastapi.core_api.datamodels.ui.config import ConfigResponse
 from airflow.api_fastapi.core_api.openapi.exceptions import create_openapi_http_exception_doc
+from airflow.api_fastapi.core_api.security import requires_access_configuration
 from airflow.configuration import conf
 from airflow.settings import STATE_COLORS
 
@@ -49,6 +50,7 @@
 @config_router.get(
     "/config",
     responses=create_openapi_http_exception_doc([status.HTTP_404_NOT_FOUND]),
+    dependencies=[Depends(requires_access_configuration("GET"))],
 )
 def get_configs() -> ConfigResponse:
     """Get configs for UI."""
diff --git a/tests/api_fastapi/core_api/routes/ui/test_config.py b/tests/api_fastapi/core_api/routes/ui/test_config.py
@@ -105,12 +105,21 @@ def mock_config_data():
             yield mock_conf
 
 
-def test_get_configs_basic(mock_config_data, test_client):
-    """
-    Test the /ui/config endpoint to verify response matches mock data.
-    """
+class TestGetConfig:
+    def test_should_response_200(self, mock_config_data, test_client):
+        """
+        Test the /ui/config endpoint to verify response matches mock data.
+        """
+
+        response = test_client.get("/ui/config")
+
+        assert response.status_code == 200
+        assert response.json() == mock_config_response
 
-    response = test_client.get("/ui/config")
+    def test_get_config_should_response_401(self, unauthenticated_test_client):
+        response = unauthenticated_test_client.get("/ui/config")
+        assert response.status_code == 401
 
-    assert response.status_code == 200
-    assert response.json() == mock_config_response
+    def test_get_config_should_response_403(self, unauthorized_test_client):
+        response = unauthorized_test_client.get("/ui/config")
+        assert response.status_code == 403
