further work around asyncpg weirdness

ref: sqlalchemy/sqlalchemy#5975
ethyca · Jun 5, 2023 · 817ce12 · 817ce12
1 parent c2ea037
commit 817ce12
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 3 deletions.
diff --git a/src/fides/api/ctl/database/session.py b/src/fides/api/ctl/database/session.py
@@ -1,3 +1,4 @@
+import ssl
 from typing import AsyncGenerator
 
 from sqlalchemy import create_engine
@@ -7,14 +8,23 @@
 from fides.api.db.session import ExtendedSession
 from fides.core.config import CONFIG
 
+# Associated with a workaround in fides.core.config.database_settings
+# ref: https://github.com/sqlalchemy/sqlalchemy/discussions/5975
+connect_args = {}
+if CONFIG.database.params.get("sslrootcert"):
+    ssl_ctx = ssl.create_default_context(cafile=CONFIG.database.params["sslrootcert"])
+    ssl_ctx.verify_mode = ssl.CERT_REQUIRED
+    connect_args["ssl"] = ssl_ctx
+
 # Parameters are hidden for security
-engine = create_async_engine(
+async_engine = create_async_engine(
     CONFIG.database.async_database_uri,
+    connect_args=connect_args,
     echo=False,
     hide_parameters=not CONFIG.dev_mode,
     logging_name="AsyncEngine",
 )
-async_session = sessionmaker(engine, class_=AsyncSession, expire_on_commit=False)
+async_session = sessionmaker(async_engine, class_=AsyncSession, expire_on_commit=False)
 
 sync_engine = create_engine(
     CONFIG.database.sync_database_uri,

diff --git a/src/fides/core/config/database_settings.py b/src/fides/core/config/database_settings.py
@@ -135,6 +135,10 @@ def assemble_async_database_uri(
         if "sslmode" in params.keys():
             params["ssl"] = params["sslmode"]
             del params["sslmode"]
+        # This must be constructed in fides.api.ctl.database.session as part of the ssl context
+        # ref: https://github.com/sqlalchemy/sqlalchemy/discussions/5975
+        if "sslrootcert" in params.keys():
+            del params["sslrootcert"]
         # End workaround
         return str(
             PostgresDsn.build(

diff --git a/tests/ctl/core/config/test_config.py b/tests/ctl/core/config/test_config.py
@@ -377,7 +377,15 @@ def test_builds_with_params(self) -> None:
         )
         assert (
             database_settings.async_database_uri
-            == "postgresql+asyncpg://postgres:fides@fides-db:5432/database?sslrootcert=/etc/ssl/private/myca.crt&ssl=verify-full"
+            == "postgresql+asyncpg://postgres:fides@fides-db:5432/database?ssl=verify-full"
+            # Q: But why! Where did the sslrootcert parameter go?
+            # A: asyncpg cannot accept it, and an ssl context must be
+            #    passed to the create_async_engine function.
+            # Q: But wait! `ssl` is a different name than what we
+            #    passed in the parameters!
+            # A: That was more of a statement, but Jeopardy rules
+            #    aside, asyncpg has a different set of names
+            #    for these extremely standardized parameter names...
         )
         assert (
             database_settings.sync_database_uri