refactor: improve ingestion safety and log sanitization

Author: RinZ27

ingestion/src/metadata/ingestion/source/database/sas/client.py

@@ -24,6 +24,8 @@
 
 logger = ingestion_logger()
 
+SAS_CLI_AUTH_HEADER = "Basic c2FzLmNsaTo="
+
 
 class SASClient:
     """
@@ -39,7 +41,7 @@ def __init__(self, config: SASConnection):
             auth_token=self.get_auth_token,
             api_version="",
             allow_redirects=True,
-            verify=False,
+            verify=self.config.verifySSL,
         )
         self.client = TrackedREST(client_config, source_name="sas")
         # custom setting
@@ -164,8 +166,33 @@ def get_token(self, base_url, user, password):
         payload = {"grant_type": "password", "username": user, "password": password}
         headers = {
             "Content-type": "application/x-www-form-urlencoded",
-            "Authorization": "Basic c2FzLmNsaTo=",
+            "Authorization": SAS_CLI_AUTH_HEADER,
         }
         url = base_url + endpoint
-        response = requests.request("POST", url, headers=headers, data=payload, verify=False, timeout=10)
-        return response.json()["access_token"]
+        response = requests.request(
+            "POST",
+            url,
+            headers=headers,
+            data=payload,
+            verify=self.config.verifySSL,
+            timeout=10,
+        )
+        logger.debug(
+            "Token request for user: %s completed with status: %s",
+            user,
+            response.status_code,
+        )
+        response.raise_for_status()
+        try:
+            body = response.json()
+        except ValueError as exc:
+            raise RuntimeError(
+                f"SAS token endpoint returned non-JSON response (HTTP {response.status_code})"
+            ) from exc
+
+        token = body.get("access_token")
+        if not token:
+            raise RuntimeError(
+                f"Failed to retrieve access_token from SAS (HTTP {response.status_code})"
+            )
+        return token

ingestion/src/metadata/ingestion/source/search/elasticsearch/connection.py

@@ -133,7 +133,7 @@ def get_ssl_context(ssl_config: SslConfig) -> ssl.SSLContext:
         )
         return ssl_context  # noqa: RET504
 
-    return ssl._create_unverified_context()  # pylint: disable=protected-access
+    return ssl.create_default_context()
 
 
 def get_connection(connection: ElasticsearchConnection) -> Elasticsearch:
@@ -146,7 +146,11 @@ def get_connection(connection: ElasticsearchConnection) -> Elasticsearch:
     if isinstance(connection.authType, BasicAuthentication) and connection.authType.username:
         basic_auth = (
             connection.authType.username,
-            connection.authType.password.get_secret_value() if connection.authType.password else None,
+            (
+                connection.authType.password.get_secret_value()
+                if connection.authType.password
+                else None
+            ),
         )
 
     if isinstance(connection.authType, ApiKeyAuthentication):

ingestion/src/metadata/utils/secrets/aws_secrets_manager.py

@@ -52,7 +52,7 @@ def get_string_value(self, secret_id: str) -> Optional[str]:  # noqa: UP045
         try:
             kwargs = {"SecretId": secret_id}
             response = self.client.get_secret_value(**kwargs)
-            logger.debug("Got value for secret %s.", secret_id)
+            logger.debug("Successfully retrieved value from secrets manager.")
         except ClientError as err:
             logger.debug(traceback.format_exc())
             logger.error(f"Couldn't get value for secret [{secret_id}]: {err}")

openmetadata-spec/src/main/resources/json/schema/entity/services/connections/database/sasConnection.json

@@ -114,6 +114,12 @@
     "supportsMetadataExtraction": {
       "title": "Supports Metadata Extraction",
       "$ref": "../connectionBasicType.json#/definitions/supportsMetadataExtraction"
+    },
+    "verifySSL": {
+      "title": "Verify SSL",
+      "description": "Verify SSL certificates for the SAS Viya deployment.",
+      "type": "boolean",
+      "default": true
     }
   },
   "required": ["username", "password", "serverHost"],