Bump paramiko dependency to version 4.0.0 #64898
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Updates the SSH/SFTP providers to require Paramiko 4.x and removes/guards usage of deprecated DSS/DSA key support, adding explicit errors and documentation for the breaking change.
Changes:
- Bump `paramiko` minimum version to `>=4.0.0` (and update type stubs accordingly).
- Remove DSS/DSA key loader/mapping usage and add explicit `ValueError` for `ssh-dss`/unsupported host key algorithms.
- Add/adjust tests and documentation/changelog entries describing the breaking change and migration path.
Reviewed changes
Copilot reviewed 12 out of 13 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| providers/ssh/src/airflow/providers/ssh/hooks/ssh.py | Removes DSS support and adds explicit validation/errors for host key algorithms; updates private-key error text. |
| providers/ssh/tests/unit/ssh/hooks/test_ssh.py | Adds unit tests asserting failures for ssh-dss and unknown host key algorithms. |
| providers/ssh/pyproject.toml | Bumps Paramiko requirement to >=4.0.0. |
| providers/ssh/docs/index.rst | Updates documented Paramiko requirement to >=4.0.0. |
| providers/ssh/docs/connections/ssh.rst | Documents supported host_key types and DSS/DSA removal rationale. |
| providers/ssh/docs/changelog.rst | Adds a breaking-changes entry describing DSS/DSA removal and migration steps. |
| providers/ssh/README.rst | Updates documented Paramiko requirement to >=4.0.0. |
| providers/sftp/pyproject.toml | Bumps Paramiko requirement to >=4.0.0. |
| providers/sftp/docs/index.rst | Updates documented Paramiko requirement to >=4.0.0. |
| providers/sftp/docs/changelog.rst | Adds a breaking-changes entry describing DSS/DSA removal and migration steps. |
| providers/sftp/README.rst | Updates documented Paramiko requirement to >=4.0.0. |
| devel-common/pyproject.toml | Bumps types-paramiko to a 4.x-compatible version. |
| @mock.patch.object(SSHHook, "get_connection") | ||
| def test_dss_host_key_in_connection_extra_raises(self, mock_get_connection): | ||
| mock_get_connection.return_value = Connection( | ||
| conn_id="ssh_dss_host_key", | ||
| conn_type="ssh", | ||
| host="remote_host", | ||
| login="user", | ||
| extra=json.dumps({"host_key": "ssh-dss AAAAB3NzaC1kc3MAAA==", "no_host_key_check": False}), | ||
| ) | ||
| with pytest.raises(ValueError, match="DSA/DSS host keys"): | ||
| SSHHook(ssh_conn_id="ssh_dss_host_key") | ||
|
|
||
| @mock.patch.object(SSHHook, "get_connection") | ||
| def test_unsupported_host_key_algorithm_raises(self, mock_get_connection): | ||
| mock_get_connection.return_value = Connection( | ||
| conn_id="ssh_fake_alg", | ||
| conn_type="ssh", | ||
| host="remote_host", | ||
| login="user", | ||
| extra=json.dumps( | ||
| {"host_key": "ssh-fake AAAAB3NzaC1yc2EAAAADAQABAA==", "no_host_key_check": False} | ||
| ), | ||
| ) | ||
| with pytest.raises(ValueError, match=r"Unsupported SSH host key algorithm 'fake'"): | ||
| SSHHook(ssh_conn_id="ssh_fake_alg") |
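Review bot: In test_unsupported_host_key_algorithm_raises the expected message is "Unsupported SSH host key algorithm 'fake'" while the configured value starts with "ssh-fake", so the error drops the "ssh-" prefix the operator actually typed. Report the algorithm token exactly as it appears in host_key so the message can be matched against the connection extra. Both tests also pass an explicit type prefix; a case with a bare base64 value whose blob is not RSA is missing.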
These tests cover the new failure paths, but there’s no unit test asserting acceptance/selection of supported host key types. Adding a focused test that validates host_key parsing/constructor selection for at least one supported type (notably an ECDSA ecdsa-sha2-nistp256 token) would prevent regressions and would catch the current mis-detection behavior; you can avoid needing real key material by patching the relevant Paramiko key class/constructor and asserting it was chosen.
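A positive-path check like the one requested above needs no real key material, because an SSH public key blob begins with its own algorithm name. The sketch below is an added example, not code from this PR or the Airflow provider: `classify_host_key`, `blob_algorithm` and `make_sample` are hypothetical names, only the standard library is used, and it goes beyond the page by cross-checking the declared type against the name embedded in the blob.

```python
import base64
import binascii
import struct

# Supported types as listed on the page; ssh-dss is deliberately absent.
SUPPORTED = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def blob_algorithm(blob: bytes) -> str:
    """Read the algorithm name a public key blob starts with (uint32 length + name)."""
    if len(blob) < 4:
        raise ValueError("host key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    name = blob[4:4 + n]
    if len(name) != n:
        raise ValueError("host key blob truncated")
    return name.decode("ascii", "replace")


def classify_host_key(host_key: str) -> tuple[str, bytes]:
    """Return (algorithm, decoded blob) or raise ValueError. Hypothetical helper."""
    parts = host_key.split()
    if not parts:
        raise ValueError("empty host key")
    if len(parts) == 1:  # bare base64: the page says this is treated as ssh-rsa
        declared, b64 = "ssh-rsa", parts[0]
    else:  # "<algorithm> <base64> [comment]"
        declared, b64 = parts[0], parts[1]
    if declared == "ssh-dss":
        raise ValueError("DSA/DSS host keys are not supported")
    if declared not in SUPPORTED:  # exact match on the whole token
        raise ValueError(f"Unsupported SSH host key algorithm {declared!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("host key is not valid base64") from exc
    embedded = blob_algorithm(blob)
    if embedded != declared:  # e.g. a bare DSS blob that was assumed to be RSA
        raise ValueError(f"host key declared as {declared!r} but blob says {embedded!r}")
    return declared, blob


def make_sample(alg: str) -> str:
    """Constructed sample: correct algorithm header, zero filler instead of key material."""
    raw = struct.pack(">I", len(alg)) + alg.encode() + b"\x00" * 8
    return f"{alg} {base64.b64encode(raw).decode()}"
```

With this cross-check, the `ssh-dss` blob from the first test is rejected even when it is supplied as bare base64 with no type prefix.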
@rawwar Are you planning to resume work on this some time soon?
| _SUPPORTED_HOST_KEY_TYPES_MSG = ( | ||
| "ssh-rsa, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 " | ||
| "(bare base64 is treated as ssh-rsa)" | ||
| ) |
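Review bot: _SUPPORTED_HOST_KEY_TYPES_MSG is a hand-written literal, so it can drift from the set of types the parser actually accepts; build the list from whatever the parser checks against so the error text and the behaviour cannot disagree. The "(bare base64 is treated as ssh-rsa)" rule also means a bare value of any other type is sent down the RSA path; consider reading the algorithm name from the decoded blob rather than assuming RSA.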
| key_constructor, key_data = cls._parse_host_key(host_key) | ||
| decoded_host_key = decodebytes(key_data.encode("utf-8")) | ||
| return key_constructor(data=decoded_host_key) |
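Review bot: Nothing around decodebytes(key_data.encode("utf-8")) or key_constructor(data=decoded_host_key) handles malformed key material, so a bad base64 string or a blob the key class rejects would surface as a different exception type than the ValueError the algorithm checks raise in the tests. Catch the decode and constructor failures here and re-raise a ValueError that names the host_key field, without echoing the key data.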
closes #54079
Made-with: Cursor
Was generative AI tooling used to co-author this PR?
{pr_number}.significant.rst, in airflow-core/newsfragments. You can add this file in a follow-up commit after the PR is created so you know the PR number.