Connect: Respect sslmode URI parameter #408

Merged
merged 2 commits into from
Apr 15, 2025

@amotl amotl commented Apr 15, 2025

Problem

The new ?sslmode=require parameter with the CRATEDB_SQLALCHEMY_URL environment variable wasn't respected by the CFR job statistics subsystem.

export CRATEDB_SQLALCHEMY_URL=crate://crate@localhost/?sslmode=require
ctk cfr jobstats collect

Solution

Respect sslmode URI parameter when converting SQLAlchemy connection URLs to http(s)://.

coderabbitai bot commented Apr 15, 2025

Walkthrough

This change updates the CrateDB toolkit to properly handle the sslmode URI parameter when converting SQLAlchemy connection URLs to HTTP or HTTPS URLs. The logic for determining when to use SSL and whether to verify SSL certificates has been revised. A new property, verify_ssl, was added to the DatabaseAddress class to encapsulate the verification logic. The boot function's database connection now passes the SSL verification flag explicitly. The changelog was updated to document these changes.

Changes

| File(s) | Change Summary |
|---|---|
| CHANGES.md | Updated changelog to document that the sslmode URI parameter is now respected for connection URL conversion. |
| cratedb_toolkit/model.py | Revised SSL and sslmode handling in httpuri property; added verify_ssl property to DatabaseAddress. |
| cratedb_toolkit/cfr/jobstats.py | Modified boot to pass verify_ssl_cert flag from address.verify_ssl to client.connect. |
| tests/test_model.py | Expanded and renamed tests for DatabaseAddress.httpuri to verify default and explicit ports with SSL modes. |
| .github/workflows/release-oci.yml | Changed scheduled workflow trigger time from 00:45 to 04:45 daily. |

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant DatabaseAddress
    participant Client

    User->>DatabaseAddress: Provide SQLAlchemy connection URL
    DatabaseAddress->>DatabaseAddress: Parse URL, extract ssl/sslmode
    DatabaseAddress->>DatabaseAddress: Determine scheme (http/https) and verify_ssl
    User->>Client: Call connect with httpuri, username, password, schema, verify_ssl_cert
    Client->>Database: Establish connection with appropriate SSL settings

Suggested reviewers

  • WalBeh

Poem

A toolkit update, crisp and neat,
Now sslmode guides how we connect and greet.
Secure or plain, the choice is clear,
With verify_ssl, there's nothing to fear.
Through HTTP or HTTPS we hop,
This bunny’s code just won’t stop! 🐇✨

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7e8abf4 and ed7301e.

📒 Files selected for processing (1)
  • .github/workflows/release-oci.yml (1 hunks)

@amotl amotl requested a review from WalBeh April 15, 2025 21:24
@amotl amotl force-pushed the url-respect-sslmode branch from 58d012e to 835185e Compare April 15, 2025 21:38
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🔭 Outside diff range comments (1)
cratedb_toolkit/model.py (1)

10-72: 💡 Verification agent

❓ Verification inconclusive

Improve test coverage for new SSL functionality.

According to the static analysis, the changes to the SSL handling logic lack sufficient test coverage. Consider adding tests for different sslmode values and their effects on both the URI scheme and the verify_ssl property.


🏁 Script executed:

#!/bin/bash
# Check test coverage of the verify_ssl property and various sslmode values
find tests/ -name "test_*.py" -type f -exec grep -l "verify_ssl" {} \;
find tests/ -name "test_*.py" -type f -exec grep -l "sslmode" {} \;

Length of output: 144


Action Required: Enhance test coverage for SSL functionality.

It appears there are no tests verifying the updated SSL logic. Please add tests to cover:

  • Different sslmode values (e.g., "disable", "allow", "prefer", "require", "verify-ca", "verify-full") and verify how they affect the transformation of the URI scheme in the httpuri property.
  • The behavior of the verify_ssl property to ensure it returns the expected boolean under various SSL configurations.

Adding these tests will help prevent regressions in SSL handling.

🧰 Tools
🪛 GitHub Check: codecov/patch

[warning] 10-10: cratedb_toolkit/model.py#L10
Added line #L10 was not covered by tests


[warning] 54-55: cratedb_toolkit/model.py#L54-L55
Added lines #L54 - L55 were not covered by tests


[warning] 57-58: cratedb_toolkit/model.py#L57-L58
Added lines #L57 - L58 were not covered by tests


[warning] 65-66: cratedb_toolkit/model.py#L65-L66
Added lines #L65 - L66 were not covered by tests


[warning] 69-71: cratedb_toolkit/model.py#L69-L71
Added lines #L69 - L71 were not covered by tests

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 58d012e and 835185e.

📒 Files selected for processing (4)
  • CHANGES.md (1 hunks)
  • cratedb_toolkit/cfr/jobstats.py (1 hunks)
  • cratedb_toolkit/model.py (2 hunks)
  • tests/test_model.py (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • CHANGES.md
🧰 Additional context used
🧬 Code Graph Analysis (2)
cratedb_toolkit/cfr/jobstats.py (1)
cratedb_toolkit/model.py (5)
  • httpuri (48-67)
  • username (96-100)
  • password (103-107)
  • schema (110-114)
  • verify_ssl (70-71)
cratedb_toolkit/model.py (1)
cratedb_toolkit/util/data.py (1)
  • asbool (25-36)
🪛 GitHub Check: codecov/patch
cratedb_toolkit/cfr/jobstats.py

[warning] 57-57: cratedb_toolkit/cfr/jobstats.py#L57
Added line #L57 was not covered by tests

🔇 Additional comments (9)
cratedb_toolkit/model.py (4)

10-10: Import added for SSL parameter handling.

The addition of asbool is necessary for properly parsing string-based SSL parameter values into booleans, supporting the enhanced SSL handling logic in the httpuri property.


54-56: Default port explicitly set for HTTP URIs.

Setting a default port of 4200 when none is specified ensures consistency in the generated HTTP URIs and aligns with CrateDB's default HTTP port. This improves reliability when connecting to CrateDB instances.


57-67: Enhanced SSL handling based on both ssl and sslmode parameters.

This implementation correctly respects both ssl and sslmode parameters from the connection URL, determining when to use HTTPS based on standard PostgreSQL SSL modes. The code properly handles all PostgreSQL SSL modes including "allow", "prefer", "require", "verify-ca", and "verify-full".


69-72: New property added to control SSL certificate verification.

The verify_ssl property provides a clean interface for determining whether SSL certificate validation should be performed, based on the sslmode parameter value. This correctly follows PostgreSQL's SSL mode behavior, where "disable" and "require" modes do not verify certificates.


cratedb_toolkit/cfr/jobstats.py (1)

57-63: Connection setup now respects SSL certificate verification settings.

The client.connect() call has been updated to pass the verify_ssl_cert parameter based on the address.verify_ssl property. This ensures the connection respects the SSL verification settings derived from the sslmode parameter in the connection URL.


tests/test_model.py (4)

4-6: Test renamed to clarify it verifies default port behavior.

Test renamed to explicitly indicate it's checking the default port behavior with a standard (non-SSL) connection. The assertion correctly verifies that port 4200 is added to the URI when no port is specified.


9-12: New test added for explicit port with standard connection.

This test ensures that when an explicit port is provided in the connection string, it's preserved in the resulting HTTP URI rather than being replaced with the default port.


14-17: Test renamed and updated to verify SSL behavior with default port.

The test now explicitly verifies that both the scheme is changed to HTTPS and the default port (4200) is added when an SSL connection is requested without specifying a port.


19-22: New test added for explicit port with SSL connection.

This test ensures that when an explicit port is provided with an SSL connection, both the HTTPS scheme is used and the specified port is preserved in the resulting URI.

... when converting SQLAlchemy connection URLs to `http(s)://`.
@amotl amotl force-pushed the url-respect-sslmode branch from 835185e to 7e8abf4 Compare April 15, 2025 22:10
@amotl amotl marked this pull request as ready for review April 15, 2025 23:45
@amotl amotl merged commit a0c2dea into main Apr 15, 2025
14 of 16 checks passed
@amotl amotl deleted the url-respect-sslmode branch April 15, 2025 23:45
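
The URL conversion discussed in this pull request, as an added example using only the Python standard library; it is not the code merged here. The names `to_http_settings` and `transport_posture` are hypothetical, and treating a missing `sslmode` as `disable` and rejecting unknown values are assumptions of this example.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

DEFAULT_HTTP_PORT = 4200  # CrateDB's default HTTP port, as noted in the review
TLS_MODES = {"allow", "prefer", "require", "verify-ca", "verify-full"}
NO_VERIFY_MODES = {"disable", "require"}  # modes the review says skip verification
TRUTHY = {"1", "true", "yes", "on"}


def to_http_settings(sqlalchemy_url):
    """Return (http_uri, verify_ssl_cert) for a crate:// connection URL."""
    parts = urlsplit(sqlalchemy_url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    # Assumption of this example: a missing sslmode means "disable".
    sslmode = params.pop("sslmode", "disable").lower()
    ssl_flag = params.pop("ssl", "false").lower() in TRUTHY
    # Assumption of this example: reject unknown values, so that a typo such
    # as "verify_full" cannot silently fall back to plaintext HTTP.
    if sslmode != "disable" and sslmode not in TLS_MODES:
        raise ValueError(f"unsupported sslmode: {sslmode!r}")
    scheme = "https" if ssl_flag or sslmode in TLS_MODES else "http"
    verify = sslmode not in NO_VERIFY_MODES
    # Keep any userinfo, and add the default port when none was given.
    userinfo, at, _ = parts.netloc.rpartition("@")
    host = parts.hostname or "localhost"
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    netloc = f"{userinfo}{at}{host}:{parts.port or DEFAULT_HTTP_PORT}"
    uri = urlunsplit((scheme, netloc, parts.path, urlencode(params), ""))
    return uri, verify


def transport_posture(sqlalchemy_url):
    """Classify what the URL yields: plaintext, unverified TLS, verified TLS."""
    uri, verify = to_http_settings(sqlalchemy_url)
    if uri.startswith("http://"):
        return "plaintext"
    return "tls-verified" if verify else "tls-unverified"


if __name__ == "__main__":
    # Constructed sample URLs, not taken from the project's test suite.
    for url in (
        "crate://crate@localhost/?sslmode=require",
        "crate://localhost:4201/?sslmode=verify-full",
        "crate://localhost/",
    ):
        print(url, "->", to_http_settings(url), transport_posture(url))
```

Under this mapping `sslmode=require` selects HTTPS but leaves certificate verification off, so a configuration audit would report it as `tls-unverified`.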