# TLS/SSL Configuration Guide

Complete guide to secure connections with pyhdb-rs using the **TlsConfig** API.

## TLS Configuration Methods

pyhdb-rs provides **five factory methods** for different certificate sources:

1. `TlsConfig.from_directory(path)` - Load from certificate directory
2. `TlsConfig.from_environment(var)` - Load from environment variable
3. `TlsConfig.from_certificate(pem)` - Direct PEM string
4. `TlsConfig.with_system_roots()` - Mozilla root certificates
5. `TlsConfig.insecure()` - Skip verification (dev only)

In [None]:
import os
from pathlib import Path
from pyhdb_rs import ConnectionBuilder, TlsConfig

## Method 1: System Root Certificates

**Best for:** Servers with certificates signed by well-known CAs (Let's Encrypt, DigiCert, etc.)

Uses Mozilla's bundled root certificates - no setup required!

In [None]:
tls = TlsConfig.with_system_roots()

conn = (ConnectionBuilder()
    .host("hana.example.com")
    .port(30015)
    .credentials("SYSTEM", "password")
    .tls(tls)
    .build())

try:
    with conn.cursor() as cur:
        cur.execute("SELECT 'Secure!' FROM DUMMY")
        print(cur.fetchone()[0])
    print("✓ Connected with system root certificates")
finally:
    conn.close()

## Method 2: From Directory

**Best for:** Production environments with custom CA certificates

Loads all `.pem`, `.crt`, and `.cer` files from a directory.

In [None]:
# Example directory structure:
# /etc/hana/certs/
#   ├── ca-bundle.pem
#   ├── intermediate.crt
#   └── root-ca.cer

cert_dir = "/etc/hana/certs"

# This will load ALL certificate files from the directory
tls = TlsConfig.from_directory(cert_dir)

conn = (ConnectionBuilder()
    .host("hana.example.com")
    .credentials("SYSTEM", "password")
    .tls(tls)
    .build())

print(f"✓ TLS configured with certificates from {cert_dir}")
conn.close()

### Directory Setup Example

```bash
# Create certificate directory
mkdir -p /etc/hana/certs

# Copy your CA certificates
cp /path/to/ca-certificate.pem /etc/hana/certs/
cp /path/to/intermediate.crt /etc/hana/certs/

# Verify files
ls -la /etc/hana/certs/
```

## Method 3: From Environment Variable

**Best for:** Containerized deployments (Docker, Kubernetes)

Certificate is injected via environment variable.

In [None]:
# Set certificate in environment
os.environ["HANA_CA_CERT"] = """-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
RUlKMRwwGgYDVQQKExNTQVAgVHJ1c3QgQ29tbXVuaXR5MQswCQYDVQQHEwJXQUwxCzAJ
...(full certificate content)...
-----END CERTIFICATE-----"""

tls = TlsConfig.from_environment("HANA_CA_CERT")

conn = (ConnectionBuilder()
    .host("hana.example.com")
    .credentials("SYSTEM", "password")
    .tls(tls)
    .build())

print("✓ TLS configured from environment variable")
conn.close()

### Kubernetes ConfigMap Example

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: hana-certs
data:
  HANA_CA_CERT: |
    -----BEGIN CERTIFICATE-----
    MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBa...
    -----END CERTIFICATE-----
```

## Method 4: From Certificate String

**Best for:** Dynamic certificate loading from secrets management systems

Pass PEM-encoded certificate directly as a string.

In [None]:
# Load from file
cert_path = Path("/path/to/ca-bundle.pem")

if cert_path.exists():
    cert_pem = cert_path.read_text()
    tls = TlsConfig.from_certificate(cert_pem)
    
    conn = (ConnectionBuilder()
        .host("hana.example.com")
        .credentials("SYSTEM", "password")
        .tls(tls)
        .build())
    
    print(f"✓ TLS configured from {cert_path}")
    conn.close()
else:
    print(f"Certificate not found: {cert_path}")

### AWS Secrets Manager Example

```python
import boto3

# Fetch certificate from AWS Secrets Manager
secrets = boto3.client('secretsmanager')
response = secrets.get_secret_value(SecretId='hana/ca-cert')
cert_pem = response['SecretString']

tls = TlsConfig.from_certificate(cert_pem)
```

## Method 5: Insecure (Development Only)

⚠️ **WARNING**: Disables certificate verification completely!

**ONLY use for:**
- Local development
- Testing with self-signed certificates
- Non-production environments

**NEVER use in production!**

In [None]:
# Development/testing ONLY
tls = TlsConfig.insecure()

conn = (ConnectionBuilder()
    .host("hana-dev.internal")
    .credentials("SYSTEM", "password")
    .tls(tls)
    .build())

print("⚠️  WARNING: Certificate verification disabled!")
print("⚠️  This connection is vulnerable to MITM attacks!")
conn.close()

## URL Scheme for TLS

The `hdbsqls://` scheme automatically enables TLS with system roots:

In [None]:
# Automatic TLS with hdbsqls:// scheme
conn = ConnectionBuilder.from_url("hdbsqls://user:pass@host:30015").build()
print("✓ TLS enabled automatically via hdbsqls:// scheme")
conn.close()

# Override with custom TLS config
conn = (ConnectionBuilder.from_url("hdbsqls://user:pass@host:30015")
    .tls(TlsConfig.from_directory("/custom/certs"))
    .build())
print("✓ Custom TLS config overrides URL scheme")
conn.close()

## Production Best Practices

### 1. Prefer `from_directory()` for Production

```python
# Recommended for production
tls = TlsConfig.from_directory("/etc/hana/certs")
```

**Benefits:**
- Easy certificate rotation (just update files)
- Supports multiple CA certificates
- Standard Linux/Unix practice

### 2. Use `with_system_roots()` for Public CAs

```python
# Good for cloud providers with public certificates
tls = TlsConfig.with_system_roots()
```

**Benefits:**
- Zero configuration
- Works with Let's Encrypt, DigiCert, etc.
- Automatically updated with pyhdb-rs releases

### 3. Environment Variables for Containers

```python
# Kubernetes/Docker deployments
tls = TlsConfig.from_environment("HANA_CA_CERT")
```

**Benefits:**
- 12-factor app compliance
- Easy secrets injection
- Platform-agnostic

### 4. Never Use `insecure()` in Production

```python
# DON'T DO THIS IN PRODUCTION!
# tls = TlsConfig.insecure()
```

**Security risks:**
- Man-in-the-middle attacks
- Data interception
- Credential theft

## Complete Production Example

In [None]:
import os
import polars as pl
from pyhdb_rs import ConnectionBuilder, TlsConfig, CursorHoldability

# Production connection with all security features
conn = (ConnectionBuilder()
    .host(os.environ["HANA_HOST"])
    .port(int(os.environ.get("HANA_PORT", "30015")))
    .credentials(os.environ["HANA_USER"], os.environ["HANA_PASSWORD"])
    .database(os.environ.get("HANA_DATABASE", "SYSTEMDB"))
    .tls(TlsConfig.from_directory("/etc/hana/certs"))
    .network_group("production")
    .cursor_holdability(CursorHoldability.CommitAndRollback)
    .autocommit(False)
    .build())

try:
    reader = conn.execute_arrow(
        """SELECT table_name, record_count 
           FROM sys.m_tables 
           WHERE schema_name = 'SYSTEM' 
           ORDER BY record_count DESC 
           LIMIT 10"""
    )
    df = pl.from_arrow(reader)
    print(df)
finally:
    conn.close()

## Troubleshooting TLS Issues

### Certificate Verification Failed

**Error:** `certificate verify failed`

**Solutions:**

1. Check certificate path:
```python
from pathlib import Path
cert_dir = Path("/etc/hana/certs")
print(f"Exists: {cert_dir.exists()}")
print(f"Files: {list(cert_dir.glob('*.pem'))}")
```

2. Verify certificate format:
```bash
openssl x509 -in /etc/hana/certs/ca.pem -text -noout
```

3. Use system roots if certificate is from public CA:
```python
tls = TlsConfig.with_system_roots()
```

### Self-Signed Certificate

**For development only:**

```python
# Option 1: Use insecure mode (NOT recommended)
tls = TlsConfig.insecure()

# Option 2: Export and use the self-signed cert
# Get cert from HANA: SELECT * FROM SYS.CERTIFICATES
# Save to file and use:
tls = TlsConfig.from_certificate(cert_pem)
```

## Next Steps

- **[07_connection_pooling.ipynb](./07_connection_pooling.ipynb)** - Async pools with TLS
- **[08_advanced_features.ipynb](./08_advanced_features.ipynb)** - Complete feature overview