Cherry picking SSL mode for MySQL

galvana · galvana · commit b5a444034a5c · 2025-04-21T14:23:52.000-07:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -25,6 +25,8 @@ Changes can also be flagged with a GitHub label for tracking purposes. The URL o
 - Migrate `Cookies` resources to `Asset` resources of type `Cookie` [#5776](https://github.com/ethyca/fides/pull/5776) https://github.com/ethyca/fides/labels/db-migration https://github.com/ethyca/fides/labels/high-risk
 - Added support for selecting TCF Publisher Override configuration when configuring Privacy Experience [#6033](https://github.com/ethyca/fides/pull/6033)
 - Added Google Cloud Storage as a storage option [#6006](https://github.com/ethyca/fides/pull/6006)
+- Added SSL Mode field for MySQL connections [#6048](https://github.com/ethyca/fides/pull/6048)
+- Added PostgreSQL connection config form to the "integrations" page to support use with discovery monitors [#6018](https://github.com/ethyca/fides/pull/6018)
 - Update the Datahub Permissions section to include required permissions from Datahub [#6052](https://github.com/ethyca/fides/pull/6052)
 - Added the ability to create new TCF Experiences within Admin UI [#6055](https://github.com/ethyca/fides/pull/6055)
 - PostgreSQL connection config now supports SSL Mode [#6068](https://github.com/ethyca/fides/pull/6068)
diff --git a/clients/admin-ui/src/features/integrations/integration-type-info/mySQLInfo.tsx b/clients/admin-ui/src/features/integrations/integration-type-info/mySQLInfo.tsx
@@ -22,7 +22,12 @@ export const MYSQL_TAGS = ["DSR Automation", "Discovery", "Detection"];
 export const MySQLOverview = () => (
   <>
     <InfoHeading text="Overview" />
-    <InfoText>Add infotext</InfoText>
+    <InfoText>
+      Continuously monitor MySQL databases to detect and track schema-level
+      changes, automatically discover and label data categories as well as
+      automatically process DSR (privacy requests) and consent enforcement to
+      proactively manage data governance risks.
+    </InfoText>
     <ShowMoreContent>
       <InfoHeading text="Categories" />
       <InfoUnorderedList>
diff --git a/clients/admin-ui/src/types/api/models/MySQLDocsSchema.ts b/clients/admin-ui/src/types/api/models/MySQLDocsSchema.ts
@@ -30,4 +30,8 @@ export type MySQLDocsSchema = {
    * Indicates whether an SSH tunnel is required for the connection. Enable this option if your MySQL server is behind a firewall and requires SSH tunneling for remote connections.
    */
   ssh_required?: boolean;
+  /**
+   * The SSL mode to use for the connection. Valid values are 'required', 'preferred', and 'disabled'.
+   */
+  ssl_mode?: string;
 };
diff --git a/src/fides/api/schemas/connection_configuration/connection_secrets_mysql.py b/src/fides/api/schemas/connection_configuration/connection_secrets_mysql.py
@@ -1,3 +1,4 @@
+from enum import Enum
 from typing import ClassVar, List, Optional
 
 from pydantic import Field
@@ -8,6 +9,12 @@
 )
 
 
+class MySQLSSLMode(str, Enum):
+    preferred = "preferred"
+    required = "required"
+    disabled = "disabled"
+
+
 class MySQLSchema(ConnectionConfigSecretsSchema):
     """Schema to validate the secrets needed to connect to a MySQL Database"""
 
@@ -40,6 +47,11 @@ class MySQLSchema(ConnectionConfigSecretsSchema):
         title="SSH required",
         description="Indicates whether an SSH tunnel is required for the connection. Enable this option if your MySQL server is behind a firewall and requires SSH tunneling for remote connections.",
     )
+    ssl_mode: Optional[MySQLSSLMode] = Field(
+        None,  # TODO: support for verify-ca and verify-full
+        title="SSL Mode",
+        description="The SSL mode to use for the connection. Valid values are 'required', 'preferred', and 'disabled'.",
+    )
 
     _required_components: ClassVar[List[str]] = ["host", "dbname"]
 
diff --git a/src/fides/api/service/connectors/mysql_connector.py b/src/fides/api/service/connectors/mysql_connector.py
@@ -1,10 +1,11 @@
-from typing import List
+from typing import Dict, List
 
 from sqlalchemy.engine import Engine, LegacyCursorResult, create_engine  # type: ignore
 
 from fides.api.graph.execution import ExecutionNode
 from fides.api.schemas.connection_configuration.connection_secrets_mysql import (
     MySQLSchema,
+    MySQLSSLMode,
 )
 from fides.api.service.connectors.query_configs.mysql_query_config import (
     MySQLQueryConfig,
@@ -69,16 +70,27 @@ def create_client(self) -> Engine:
             uri = self.build_ssh_uri(local_address=self.ssh_server.local_bind_address)
         else:
             uri = (self.configuration.secrets or {}).get("url") or self.build_uri()
+        connect_args = self.get_connect_args()
         return create_engine(
             uri,
             hide_parameters=self.hide_parameters,
             echo=not self.hide_parameters,
+            connect_args=connect_args,
         )
 
     def query_config(self, node: ExecutionNode) -> SQLQueryConfig:
         """Query wrapper corresponding to the input execution_node."""
         return MySQLQueryConfig(node)
 
+    def get_connect_args(self) -> Dict[str, Dict[str, MySQLSSLMode]]:
+        """Get connection arguments for the engine"""
+        ssl_mode = self.configuration.secrets.get("ssl_mode", MySQLSSLMode.preferred)
+        return {
+            "ssl": {
+                "mode": ssl_mode,
+            }
+        }
+
     @staticmethod
     def cursor_result_to_rows(results: LegacyCursorResult) -> List[Row]:
         """
diff --git a/tests/ops/api/v1/endpoints/test_connection_template_endpoints.py b/tests/ops/api/v1/endpoints/test_connection_template_endpoints.py
@@ -1065,8 +1065,20 @@ def test_get_connection_secret_schema_mysql(
                     "default": False,
                     "type": "boolean",
                 },
+                "ssl_mode": {
+                    "title": "SSL Mode",
+                    "description": "The SSL mode to use for the connection. Valid values are 'required', 'preferred', and 'disabled'.",
+                    "allOf": [{"$ref": "#/definitions/MySQLSSLMode"}],
+                },
             },
             "required": ["host", "dbname"],
+            "definitions": {
+                "MySQLSSLMode": {
+                    "title": "MySQLSSLMode",
+                    "type": "string",
+                    "enum": ["preferred", "required", "disabled"],
+                }
+            },
         }
 
     def test_get_connection_secret_schema_postgres(
diff --git a/tests/ops/integration_tests/test_connection_configuration_integration.py b/tests/ops/integration_tests/test_connection_configuration_integration.py
@@ -311,6 +311,7 @@ def test_mysql_db_connection_incorrect_secrets(
             "username": None,
             "password": None,
             "ssh_required": False,
+            "ssl_mode": None,
         }
         assert connection_config_mysql.last_test_timestamp is not None
         assert connection_config_mysql.last_test_succeeded is False
@@ -353,6 +354,51 @@ def test_mysql_db_connection_connect_with_components(
             "password": "mysql_pw",
             "port": 3306,
             "ssh_required": False,
+            "ssl_mode": None,
+        }
+        assert connection_config_mysql.last_test_timestamp is not None
+        assert connection_config_mysql.last_test_succeeded is True
+
+    def test_mysql_db_connection_connect_with_ssl(
+        self,
+        url,
+        api_client: TestClient,
+        db: Session,
+        generate_auth_header,
+        connection_config_mysql,
+    ) -> None:
+        payload = {
+            "host": "mysql_example",
+            "dbname": "mysql_example",
+            "username": "mysql_user",
+            "password": "mysql_pw",
+            "ssl_mode": "preferred",
+        }
+
+        auth_header = generate_auth_header(scopes=[CONNECTION_CREATE_OR_UPDATE])
+        resp = api_client.put(
+            url,
+            headers=auth_header,
+            json=payload,
+        )
+        assert resp.status_code == 200
+        body = resp.json()
+
+        assert (
+            body["msg"]
+            == f"Secrets updated for ConnectionConfig with key: {connection_config_mysql.key}."
+        )
+        assert body["test_status"] == "succeeded"
+        assert body["failure_reason"] is None
+        db.refresh(connection_config_mysql)
+        assert connection_config_mysql.secrets == {
+            "host": "mysql_example",
+            "dbname": "mysql_example",
+            "username": "mysql_user",
+            "password": "mysql_pw",
+            "port": 3306,
+            "ssh_required": False,
+            "ssl_mode": "preferred",
         }
         assert connection_config_mysql.last_test_timestamp is not None
         assert connection_config_mysql.last_test_succeeded is True
diff --git a/tests/ops/service/connection_config/test_mysql_connector.py b/tests/ops/service/connection_config/test_mysql_connector.py
@@ -1,3 +1,5 @@
+import pytest
+from pydantic import ValidationError
 from sqlalchemy.orm import Session
 
 from fides.api.service.connectors.mysql_connector import MySQLConnector
@@ -54,3 +56,28 @@ def test_mysql_connector_build_uri(connection_config_mysql, db: Session):
         connector.build_uri()
         == "mysql+pymysql://host.docker.internal:3306/mysql_example"
     )
+
+
+def test_get_connect_args(connection_config_mysql):
+    connector = MySQLConnector(configuration=connection_config_mysql)
+
+    # Default ssl_mode
+    connection_config_mysql.secrets = {
+        "username": "mysql_user",
+        "password": "mysql_pw",
+        "host": "host.docker.internal",
+        "dbname": "mysql_example",
+    }
+    connect_args = connector.get_connect_args()
+    assert connect_args == {"ssl": {"mode": "preferred"}}
+
+    # Custom ssl_mode
+    connection_config_mysql.secrets = {
+        "username": "mysql_user",
+        "password": "mysql_pw",
+        "host": "host.docker.internal",
+        "dbname": "mysql_example",
+        "ssl_mode": "required",
+    }
+    connect_args = connector.get_connect_args()
+    assert connect_args == {"ssl": {"mode": "required"}}
