fix: SSL fields missing in some integration metadata schemas (#123)

jankuca · web-flow · commit cf3f038b913d · 2025-11-05T15:25:54.000+01:00
diff --git a/cspell.json b/cspell.json
@@ -40,6 +40,8 @@
     "awsathena",
     "bijective",
     "Braund",
+    "CACERTIFICATENAME",
+    "CACERTIFICATETEXT",
     "cleye",
     "daed",
     "dataframe",
diff --git a/packages/database-integrations/src/database-integration-env-vars.test.ts b/packages/database-integrations/src/database-integration-env-vars.test.ts
@@ -158,6 +158,43 @@ describe('Database integration env variables', () => {
         expect(sqlAlchemyInput.url).toBe('postgresql://my-user:my-password@my-host/my-database')
       })
 
+      it('should exclude caCertificateText from env vars', () => {
+        const { envVars, errors } = getEnvironmentVariablesForIntegrations(
+          [
+            {
+              type: 'alloydb',
+              id: 'my-alloydb',
+              name: 'My AlloyDB Connection',
+              metadata: {
+                host: 'my-host',
+                user: 'my-user',
+                password: 'my-password',
+                database: 'my-database',
+                caCertificateName: 'my-ca-certificate-name',
+                caCertificateText: 'my-ca-certificate-text',
+              },
+            },
+          ],
+          { projectRootDirectory: '/path/to/project' }
+        )
+        expect(errors).toHaveLength(0)
+
+        // Verify that caCertificateText is not in the env vars
+        const caCertTextEnvVar = envVars.find(envVar => envVar.name === 'MY_ALLOYDB_CONNECTION_CACERTIFICATETEXT')
+        expect(caCertTextEnvVar).toBeUndefined()
+
+        // Verify that caCertificateName is still included
+        const caCertNameEnvVar = envVars.find(envVar => envVar.name === 'MY_ALLOYDB_CONNECTION_CACERTIFICATENAME')
+        expect(caCertNameEnvVar).toBeDefined()
+        expect(caCertNameEnvVar?.value).toBe('my-ca-certificate-name')
+
+        // Verify that the SQL Alchemy input uses the path, not the text
+        const sqlAlchemyInput = getSqlAlchemyInputVar(envVars, 'my-alloydb')
+        expect(sqlAlchemyInput.params.connect_args.sslrootcert).toBe(
+          '/path/to/project/.deepnote/my-alloydb/my-ca-certificate-name'
+        )
+      })
+
       it('should generate env vars for metadata', () => {
         const { envVars, errors } = getEnvironmentVariablesForIntegrations(
           [
@@ -1321,6 +1358,43 @@ describe('Database integration env variables', () => {
         expect(sqlAlchemyInput.url).toBe('mysql+pymysql://my-user:my-password@my-host/my-database')
       })
 
+      it('should exclude caCertificateText from env vars', () => {
+        const { envVars, errors } = getEnvironmentVariablesForIntegrations(
+          [
+            {
+              type: 'mysql',
+              id: 'my-mysql',
+              name: 'My MySQL Connection',
+              metadata: {
+                host: 'my-host',
+                user: 'my-user',
+                password: 'my-password',
+                database: 'my-database',
+                caCertificateName: 'my-ca-certificate-name',
+                caCertificateText: 'my-ca-certificate-text',
+              },
+            },
+          ],
+          { projectRootDirectory: '/path/to/project' }
+        )
+        expect(errors).toHaveLength(0)
+
+        // Verify that caCertificateText is not in the env vars
+        const caCertTextEnvVar = envVars.find(envVar => envVar.name === 'MY_MYSQL_CONNECTION_CACERTIFICATETEXT')
+        expect(caCertTextEnvVar).toBeUndefined()
+
+        // Verify that caCertificateName is still included
+        const caCertNameEnvVar = envVars.find(envVar => envVar.name === 'MY_MYSQL_CONNECTION_CACERTIFICATENAME')
+        expect(caCertNameEnvVar).toBeDefined()
+        expect(caCertNameEnvVar?.value).toBe('my-ca-certificate-name')
+
+        // Verify that the SQL Alchemy input uses the path, not the text
+        const sqlAlchemyInput = getSqlAlchemyInputVar(envVars, 'my-mysql')
+        expect(sqlAlchemyInput.params.connect_args.ssl.ca).toBe(
+          '/path/to/project/.deepnote/my-mysql/my-ca-certificate-name'
+        )
+      })
+
       it('should generate env vars for metadata', () => {
         const { envVars, errors } = getEnvironmentVariablesForIntegrations(
           [
@@ -1666,6 +1740,43 @@ describe('Database integration env variables', () => {
         expect(sqlAlchemyInput.url).toBe('postgresql://my-user:my-password@my-host/my-database')
       })
 
+      it('should exclude caCertificateText from env vars', () => {
+        const { envVars, errors } = getEnvironmentVariablesForIntegrations(
+          [
+            {
+              type: 'pgsql',
+              id: 'my-postgres',
+              name: 'My PostgreSQL Connection',
+              metadata: {
+                host: 'my-host',
+                user: 'my-user',
+                password: 'my-password',
+                database: 'my-database',
+                caCertificateName: 'my-ca-certificate-name',
+                caCertificateText: 'my-ca-certificate-text',
+              },
+            },
+          ],
+          { projectRootDirectory: '/path/to/project' }
+        )
+        expect(errors).toHaveLength(0)
+
+        // Verify that caCertificateText is not in the env vars
+        const caCertTextEnvVar = envVars.find(envVar => envVar.name === 'MY_POSTGRESQL_CONNECTION_CACERTIFICATETEXT')
+        expect(caCertTextEnvVar).toBeUndefined()
+
+        // Verify that caCertificateName is still included
+        const caCertNameEnvVar = envVars.find(envVar => envVar.name === 'MY_POSTGRESQL_CONNECTION_CACERTIFICATENAME')
+        expect(caCertNameEnvVar).toBeDefined()
+        expect(caCertNameEnvVar?.value).toBe('my-ca-certificate-name')
+
+        // Verify that the SQL Alchemy input uses the path, not the text
+        const sqlAlchemyInput = getSqlAlchemyInputVar(envVars, 'my-postgres')
+        expect(sqlAlchemyInput.params.connect_args.sslrootcert).toBe(
+          '/path/to/project/.deepnote/my-postgres/my-ca-certificate-name'
+        )
+      })
+
       it('should generate env vars for metadata', () => {
         const { envVars, errors } = getEnvironmentVariablesForIntegrations(
           [
diff --git a/packages/database-integrations/src/database-integration-env-vars.ts b/packages/database-integrations/src/database-integration-env-vars.ts
@@ -43,28 +43,33 @@ export function getEnvironmentVariablesForIntegrations(
   integrations.forEach(integration => {
     const namePrefix = convertToEnvironmentVariableName(integration.name)
 
-    const envVarsForThisIntegration: Array<EnvVar> = Object.entries(integration.metadata).map(([key, rawValue]) => {
-      const name = `${namePrefix}_${key.toUpperCase()}`
-      const value = String(rawValue) // converts booleans to "true" or "false"
+    const envVarsForThisIntegration: Array<EnvVar> = Object.entries(integration.metadata)
+      .filter(([key]) => {
+        // Filter out caCertificateText - we only provide the path, not the cert text
+        return key !== 'caCertificateText'
+      })
+      .map(([key, rawValue]) => {
+        const name = `${namePrefix}_${key.toUpperCase()}`
+        const value = String(rawValue) // converts booleans to "true" or "false"
+
+        // For MongoDB, we need to inject the SSL options into the connection string.
+        if (integration.type === 'mongodb' && integration.metadata.sslEnabled && key === 'connection_string') {
+          return {
+            name,
+            value: addSslOptionsToMongoConnectionString(
+              params.projectRootDirectory,
+              value,
+              integration.id,
+              integration.metadata
+            ),
+          }
+        }
 
-      // For MongoDB, we need to inject the SSL options into the connection string.
-      if (integration.type === 'mongodb' && integration.metadata.sslEnabled && key === 'connection_string') {
         return {
           name,
-          value: addSslOptionsToMongoConnectionString(
-            params.projectRootDirectory,
-            value,
-            integration.id,
-            integration.metadata
-          ),
+          value: value,
         }
-      }
-
-      return {
-        name,
-        value: value,
-      }
-    })
+      })
 
     // NOTE: MongoDB is not a SQL integration, we only set the normal integration env variables without the SQL alchemy config.
     if (integration.type !== 'mongodb') {
diff --git a/packages/database-integrations/src/database-integration-metadata-schemas.test.ts b/packages/database-integrations/src/database-integration-metadata-schemas.test.ts
@@ -760,7 +760,9 @@ describe('SQL integration metadata schemas', () => {
         password: 'my-password',
         database: 'my-database',
         port: 'my-port',
+        sslEnabled: true,
         caCertificateName: 'my-ca-certificate-name',
+        caCertificateText: 'my-ca-certificate-text',
       })
 
       expect(result.success).toBe(true)
@@ -770,7 +772,9 @@ describe('SQL integration metadata schemas', () => {
         password: 'my-password',
         database: 'my-database',
         port: 'my-port',
+        sslEnabled: true,
         caCertificateName: 'my-ca-certificate-name',
+        caCertificateText: 'my-ca-certificate-text',
       })
     })
 
@@ -810,7 +814,9 @@ describe('SQL integration metadata schemas', () => {
         password: 'my-password',
         database: 'my-database',
         port: 'my-port',
+        sslEnabled: true,
         caCertificateName: 'my-ca-certificate-name',
+        caCertificateText: 'my-ca-certificate-text',
       })
 
       expect(result.success).toBe(true)
@@ -820,7 +826,9 @@ describe('SQL integration metadata schemas', () => {
         password: 'my-password',
         database: 'my-database',
         port: 'my-port',
+        sslEnabled: true,
         caCertificateName: 'my-ca-certificate-name',
+        caCertificateText: 'my-ca-certificate-text',
       })
     })
 
@@ -860,7 +868,9 @@ describe('SQL integration metadata schemas', () => {
         password: 'my-password',
         database: 'my-database',
         port: 'my-port',
+        sslEnabled: true,
         caCertificateName: 'my-ca-certificate-name',
+        caCertificateText: 'my-ca-certificate-text',
       })
 
       expect(result.success).toBe(true)
@@ -870,7 +880,9 @@ describe('SQL integration metadata schemas', () => {
         password: 'my-password',
         database: 'my-database',
         port: 'my-port',
+        sslEnabled: true,
         caCertificateName: 'my-ca-certificate-name',
+        caCertificateText: 'my-ca-certificate-text',
       })
     })
 
diff --git a/packages/database-integrations/src/database-integration-metadata-schemas.ts b/packages/database-integrations/src/database-integration-metadata-schemas.ts
@@ -215,18 +215,23 @@ const alloydbMetadataSchema = commonDatabaseSchema.extend({
 
 const mariadbMetadataSchema = commonDatabaseSchema.extend({
   port: z.string().optional(),
-  // Note: SSL is always attempted, only certificate can be specified
+  sslEnabled: z.boolean().optional(),
   caCertificateName: z.string().optional(),
+  caCertificateText: z.string().optional(),
 })
 
 const mindsdbMetadataSchema = commonDatabaseSchema.extend({
   port: z.string().optional(),
+  sslEnabled: z.boolean().optional(),
   caCertificateName: z.string().optional(),
+  caCertificateText: z.string().optional(),
 })
 
 const mysqlMetadataSchema = commonDatabaseSchema.extend({
   port: z.string().optional(),
+  sslEnabled: z.boolean().optional(),
   caCertificateName: z.string().optional(),
+  caCertificateText: z.string().optional(),
 })
 
 const pgsqlMetadataSchema = commonDatabaseSchema.extend({
diff --git a/packages/database-integrations/src/database-integration-types.ts b/packages/database-integrations/src/database-integration-types.ts
@@ -25,6 +25,7 @@ export const databaseIntegrationTypes = [...sqlIntegrationTypes, 'mongodb'] as c
 export type DatabaseIntegrationType = (typeof databaseIntegrationTypes)[number]
 
 export const databaseIntegrationTypesWithSslSupport = [
+  'alloydb',
   'clickhouse',
   'dremio',
   'mariadb',
