Strip off shared secrets masker's dependency from conf (#60037)

amoghrajesh · web-flow · commit a6fedee0d660 · 2026-01-02T15:29:35.000+05:30
diff --git a/airflow-core/src/airflow/settings.py b/airflow-core/src/airflow/settings.py
@@ -612,17 +612,21 @@ def _configure_secrets_masker():
     if sensitive_variable_fields:
         sensitive_fields |= frozenset({field.strip() for field in sensitive_variable_fields.split(",")})
 
+    hide_sensitive_var_conn_fields = conf.getboolean("core", "hide_sensitive_var_conn_fields")
+
     core_masker = secrets_masker_core()
     core_masker.min_length_to_mask = min_length_to_mask
     core_masker.sensitive_variables_fields = list(sensitive_fields)
     core_masker.secret_mask_adapter = secret_mask_adapter
+    core_masker.hide_sensitive_var_conn_fields = hide_sensitive_var_conn_fields
 
     from airflow.sdk._shared.secrets_masker import _secrets_masker as sdk_secrets_masker
 
     sdk_masker = sdk_secrets_masker()
     sdk_masker.min_length_to_mask = min_length_to_mask
     sdk_masker.sensitive_variables_fields = list(sensitive_fields)
     sdk_masker.secret_mask_adapter = secret_mask_adapter
+    sdk_masker.hide_sensitive_var_conn_fields = hide_sensitive_var_conn_fields
 
 
 def configure_action_logging() -> None:
diff --git a/shared/secrets_masker/src/airflow_shared/secrets_masker/secrets_masker.py b/shared/secrets_masker/src/airflow_shared/secrets_masker/secrets_masker.py
@@ -196,6 +196,7 @@ def __init__(self):
         super().__init__()
         self.patterns = set()
         self.sensitive_variables_fields = []
+        self.hide_sensitive_var_conn_fields = True
 
     @classmethod
     def __init_subclass__(cls, **kwargs):
@@ -527,9 +528,7 @@ def should_hide_value_for_key(self, name):
 
         Name might be a Variable name, or key in conn.extra_dejson, for example.
         """
-        from airflow.configuration import conf
-
-        if isinstance(name, str) and conf.getboolean("core", "hide_sensitive_var_conn_fields"):
+        if isinstance(name, str) and self.hide_sensitive_var_conn_fields:
             name = name.strip().lower()
             return any(s in name for s in self.sensitive_variables_fields)
         return False
diff --git a/shared/secrets_masker/tests/secrets_masker/test_secrets_masker.py b/shared/secrets_masker/tests/secrets_masker/test_secrets_masker.py
@@ -474,6 +474,16 @@ def test_hiding_config(self, sensitive_variable_fields, key, expected_result):
             configure_secrets_masker_for_test(masker, sensitive_fields=sensitive_fields)
             assert expected_result == masker.should_hide_value_for_key(key)
 
+    @pytest.mark.parametrize("hide_sensitive_var_conn_fields", [True, False])
+    def test_hiding_disabled(self, hide_sensitive_var_conn_fields):
+        """Test that hiding can be disabled via hide_sensitive_var_conn_fields."""
+        masker = SecretsMasker()
+        configure_secrets_masker_for_test(masker)
+
+        masker.hide_sensitive_var_conn_fields = hide_sensitive_var_conn_fields
+        assert masker.should_hide_value_for_key("password") is hide_sensitive_var_conn_fields
+        assert masker.should_hide_value_for_key("GOOGLE_API_KEY") is hide_sensitive_var_conn_fields
+
 
 class ShortExcFormatter(logging.Formatter):
     """Don't include full path in exc_info messages"""
