feat(ibis): Added BE Support for MySQL SSL Connection

[ongdisheng]

Description

This PR adds SSL configuration support for MySQL connections where two new fields, ssl_mode and ssl_ca, have been introduced to enable passing SSL-related parameters to PyMySQL from ibis under the hood.

Related Issue

Canner/WrenAI#886

Summary by CodeRabbit

• New Features
  • Added optional SSL configuration options for MySQL connections
  • Introduced SSL mode settings (Disable, Require, Verify CA)
  • Enhanced connection security with flexible SSL context management

[coderabbitai]

Walkthrough

The pull request introduces enhanced SSL configuration support for MySQL connections in the Ibis server. Two new optional fields, ssl_mode and ssl_ca, are added to the MySqlConnectionInfo class to provide more flexible SSL connection options. A new SSLMode enumeration is created to define different SSL connection modes, and a new method _create_ssl_context is implemented to handle SSL context creation based on the specified configuration.

Changes

File	Changes
ibis-server/app/model/__init__.py	- Added ssl_mode field with alias sslMode - Added ssl_ca field with alias sslCA
ibis-server/app/model/data_source.py	- Created SSLMode enumeration with DISABLE, REQUIRE, and VERIFY_CA - Updated get_mysql_connection to be a class method - Added _create_ssl_context static method for SSL context management

Sequence Diagram

sequenceDiagram
    participant Client
    participant DataSourceExtension
    participant SSLContext
    participant MySQLConnection

    Client->>DataSourceExtension: get_mysql_connection(info)
    DataSourceExtension->>SSLContext: _create_ssl_context(info)
    alt SSL Disabled
        SSLContext-->>DataSourceExtension: None
    else SSL Required
        SSLContext-->>DataSourceExtension: SSLContext(CERT_NONE)
    else Verify CA
        SSLContext-->>DataSourceExtension: SSLContext(CERT_REQUIRED)
    end
    DataSourceExtension->>MySQLConnection: Establish Connection

Loading

Poem

🐰 SSL Bunnies Hop and Secure

Connections dance with cryptic flair
Modes of trust, certificates rare
Hopping through networks with gentle care
Encryption's magic beyond compare! 🔒

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

ibis-server/app/model/__init__.py (1)

98-99: Consider using an enum or a standard string field for ssl_mode

Currently, ssl_mode is stored as a SecretStr. While keeping credentials secret makes sense for ssl_ca, the SSL mode is typically not sensitive data. It might be more straightforward to define ssl_mode as either a string or an explicit Enum field instead, so that validation can occur at the schema level (rather than relying on the _create_ssl_context method to interpret the internal string value).

ibis-server/app/model/data_source.py (1)

35-38: Use a consistent naming convention for Enum values

The enum values "Disable", "Require", and "Verify CA" are descriptive. However, it might be clearer to maintain a consistent format—e.g., all uppercase with underscores such as DISABLE, REQUIRE, VERIFY_CA—when referencing them in-line or in code. This is a Nitpick, but consistency can help avoid typos and confusion.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fbf56c8 and d15b00a.

📒 Files selected for processing (2)

• ibis-server/app/model/__init__.py (1 hunks)
• ibis-server/app/model/data_source.py (4 hunks)

🔇 Additional comments (5)

ibis-server/app/model/data_source.py (5)

4-4: Well-considered import of ssl

ssl is necessary for the new _create_ssl_context logic. Good.

---

7-7: Optional typing is appropriate

Importing Optional is a good choice; keep the type hints clear and consistent across the codebase.

---

39-40: No concerns; changes appear to be housekeeping lines

These lines are appropriately spaced, likely aiding readability.

---

183-206: Correct use of base64 CA decoding and flexible SSL modes

The _create_ssl_context method is well-structured:

• Graceful handling of disabled SSL.
• Appropriate usage of CERT_NONE and CERT_REQUIRED.
• Loading CA from base64 when provided.

Ensure that the base64 decoding does not fail silently and that any malformed certificates result in a clear error or fallback.

---

134-146: Good approach to constructing kwargs with SSL context

The logic safely merges the optional SSL context into kwargs and properly int handles. Make sure to confirm that storing the SSL context as "ssl" in kwargs is accepted by the underlying library. Otherwise, this looks good and straightforward.

✅ Verification successful

Let me try a different search strategy to verify the SSL context usage.

---

Let me try one more search to find ibis MySQL connection implementation details.

---

Based on the code review and investigation, I can now provide a final response:

The ssl parameter in kwargs is correctly used with ibis MySQL connector

The implementation is correct because:

1. Ibis Framework (v9.5.0) uses PyMySQL under the hood for MySQL connections
2. PyMySQL accepts the ssl parameter in its connection arguments to configure SSL/TLS settings
3. The code properly handles the SSL context by conditionally adding it to kwargs only when present

• ✓ The ssl parameter name is correct
• ✓ The conditional merging of SSL context is properly implemented
• ✓ The handling of additional kwargs through info.kwargs allows for other connection parameters

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Verify that PyMySQL or MySQL connector libraries accept "ssl" in kwargs.
rg -A 5 'def connect\('

Length of output: 25

---

Script:

#!/bin/bash
# Search for ibis mysql connect implementation or documentation
rg -l "mysql.*connect" 

# Also check for any tests that might show ssl usage
rg -l "mysql.*ssl"

Length of output: 199

---

Script:

#!/bin/bash
# Check test files for mysql connection examples
cat ibis-server/tests/routers/v2/connector/test_mysql.py

# Check metadata implementation
cat ibis-server/app/model/metadata/mysql.py

Length of output: 21327

---

Script:

#!/bin/bash
# Check poetry.lock for ibis-mysql dependency details
cat ibis-server/poetry.lock | grep -A 10 "name = \"ibis-"

Length of output: 501

[goldmedal]

Thanks for working it, @ongdisheng. Overall looks good.
I left some comments for the enum value. I wonder if we can add some tests to cover the connection information in test_mysql?
Maybe we can assert the error message when accepting enable or verify_ca. (the test container doesn't enable SSL by default.)

[goldmedal]

Suggested change

	DISABLE = "Disable"
	REQUIRE = "Require"
	VERIFY_CA = "Verify CA"
	DISABLED = "disabled"
	ENABLED = "enabled"
	VERIFY_CA = "verify_ca"

I prefer to rename require -> enabled.
We can use the snake case for the enum value. The request body could be

{
      "sslMode": "verify_ca",
      "sslCA": "xxx",
}

[ongdisheng]

Thank you for the review. I’ll work on this shortly 😊.

[ongdisheng]

Hi @goldmedal, I have tried adding a test for ssl_mode=enabled as shown below:

async def test_connection_ssl_enabled(client, mysql: MySqlContainer):
    connection_info = _to_connection_info(mysql)
    connection_info["ssl_mode"] = "enabled"
    response = await client.post(
        url=f"{base_url}/metadata/version",
        json={"connectionInfo": connection_info},
    )
    assert response.status_code == 200
    assert response.text == '"8.0.40"'

However, the test passes, and I'm unsure if this is expected behavior due to MySQL server's default SSL configuration [ref: link].

By default, MySQL server always installs and enables SSL configuration. However, it is not enforced that clients connect using SSL. Clients can choose to connect with or without SSL as the server allows both types of connections.

Your help is very much appreciated!