Set sslmode to prefer for SSH connections (#3685)

ethyca · Jun 28, 2023 · 0337c66 · 0337c66
1 parent f47bc5d
commit 0337c66
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -19,6 +19,7 @@ The types of changes are:
 
 ### Added
 - Empty state for when there are no relevant privacy notices in the privacy center [#3640](https://github.com/ethyca/fides/pull/3640)
+- Set `sslmode` to `prefer` if connecting to Redshift via ssh [#3685](https://github.com/ethyca/fides/pull/3685)
 
 ### Fixed
 - Render linebreaks in the Fides.js overlay descriptions, etc. [#3665](https://github.com/ethyca/fides/pull/3665)

diff --git a/src/fides/api/service/connectors/sql_connector.py b/src/fides/api/service/connectors/sql_connector.py
@@ -367,16 +367,19 @@ def build_uri(self) -> str:
     def create_client(self) -> Engine:
         """Returns a SQLAlchemy Engine that can be used to interact with a database"""
         config = self.secrets_schema(**self.configuration.secrets or {})
+        connect_args = {}
         if config.ssh_required and CONFIG.security.bastion_server_ssh_private_key:
             self.create_ssh_tunnel(host=config.host, port=config.port)
             self.ssh_server.start()
             uri = self.build_ssh_uri(local_address=self.ssh_server.local_bind_address)
+            connect_args["sslmode"] = "prefer"
         else:
             uri = config.url or self.build_uri()
         return create_engine(
             uri,
             hide_parameters=self.hide_parameters,
             echo=not self.hide_parameters,
+            connect_args=connect_args,
         )
 
     def set_schema(self, connection: Connection) -> None:

diff --git a/tests/ops/integration_tests/test_external_database_connections.py b/tests/ops/integration_tests/test_external_database_connections.py
@@ -63,6 +63,16 @@ def snowflake_test_engine() -> Generator:
     engine.dispose()
 
 
+@pytest.mark.integration_external
+@pytest.mark.integration_redshift
+def test_redshift_sslmode_default(redshift_test_engine):
+    """Confirm that sslmode is set to verify-full for non SSH connections"""
+    _, kwargs = redshift_test_engine.dialect.create_connect_args(
+        redshift_test_engine.url
+    )
+    assert kwargs["sslmode"] == "verify-full"
+
+
 @pytest.mark.integration_external
 @pytest.mark.integration_redshift
 def test_redshift_example_data(redshift_test_engine):