FIDES-1887 - Add sslmode to MySQL DB integration

[wadesdev]

Closes FIDES-1887

Description Of Changes

Adds sslmode field for MySQL; does not permit passing certificates through for verify-ca and verify-full

Code Changes

• Updates mysql to provide connect_args argument for SSL
• Writes get_connect_args function for MySQL connector

Steps to Confirm

1. For a MySQL DB configured for SSL with ssl: required field, providing required in sslmode field should result in a successful connection. Otherwise, connection will be unsuccessful.

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Add a db-migration This indicates that a change includes a database migration label to the entry if your change includes a DB migration
  • Add a high-risk This issue suggests changes that have a high-probability of breaking existing code label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
• Followup issues:
  • Followup issues created (include link)
  • No followup issues
• Database migrations:
  • Ensure that your downrev is up to date with the latest revision on main
  • Ensure that your downgrade() migration is correct and works
    • If a downgrade migration is not possible for this change, please call this out in the PR description!
  • No migrations
• Documentation:
  • Documentation complete, PR opened in fidesdocs
  • Documentation issue created in fidesdocs
  • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
  • No documentation updates required

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
fides-plus-nightly	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Apr 18, 2025 0:51am
fides-privacy-center	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Apr 18, 2025 0:51am

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 86.89%. Comparing base (400bb2e) to head (1a624fd).
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6048      +/-   ##
==========================================
+ Coverage   86.88%   86.89%   +0.01%     
==========================================
  Files         419      419              
  Lines       25968    25978      +10     
  Branches     2828     2828              
==========================================
+ Hits        22561    22574      +13     
+ Misses       2788     2785       -3     
  Partials      619      619              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[galvana]

Overall this looks good! Just recommending the use of an enum of sslmode and adding the missing tests we discussed offline

[galvana]

We could use an enum for this

class SSLMode(str, Enum):
    preferred = "preferred"
    required = "required"
    disabled = "disabled"

Then we could just do this

Suggested change

	sslmode: Optional[str] = Field(
	None, # TODO: support for verify-ca and verify-full
	title="SSL Mode",
	description="The SSL mode to use for the connection. Valid values are 'required', 'preferred', and 'disabled'.",
	pattern=r"required|preferred|disabled",
	)
	sslmode: Optional[SSLMode] = Field(
	None, # TODO: support for verify-ca and verify-full
	title="SSL Mode",
	description="The SSL mode to use for the connection. Valid values are 'required', 'preferred', and 'disabled'."
	)

[wadesdev]

@galvana could I define that ENUM in connection_secrets_mysql.py?

[galvana]

You might need to remove this line if we go with the enum approach

[galvana]

Replace this with the direct get_connect_args() tests to get that increase in code coverage

[tvandort]

Should this be ssl_mode?

[galvana]

nit: we should upper case all acronyms

Note: When using acronyms in CapWords, capitalize all the letters of the acronym. Thus HTTPServerError is better than HttpServerError.

https://peps.python.org/pep-0008/#descriptive-naming-styles

Suggested change

	class MySQLSslMode(str, Enum):
	class MySQLSSLMode(str, Enum):

[cypress]

fides    Run #12834

Run Properties:   Passed #12834  •  58fd4263f3: FIDES-1887 - Add ssl_mode to MySQL DB integration (#6048)

Project	fides
Branch Review	main
Run status	Passed #12834
Run duration	00m 51s
Commit	58fd4263f3: FIDES-1887 - Add ssl_mode to MySQL DB integration (#6048)
Committer	wadesdev
View all properties for this run ↗︎

---

Test results
Failures	0
Flaky	0
Pending	0
Skipped	0
Passing	5
View all changes introduced in this branch ↗︎