SQC-480 implement sslmode field for hyperdrive

Adrian Gracia · Adrian Gracia · commit 28d6acd87ec1 · 2025-03-30T18:21:44.000-05:00
diff --git a/packages/wrangler/src/__tests__/hyperdrive.test.ts b/packages/wrangler/src/__tests__/hyperdrive.test.ts
@@ -628,13 +628,14 @@ describe("hyperdrive commands", () => {
 	it("should create a hyperdrive with mtls config", async () => {
 		const reqProm = mockHyperdriveCreate();
 		await runWrangler(
-			"hyperdrive create test123 --host=example.com --database=neondb --user=test --password=password --port=1234 --ca-certificate-id=12345 --mtls-certificate-id=1234"
+			"hyperdrive create test123 --host=example.com --database=neondb --user=test --password=password --port=1234 --ca-certificate-id=12345 --mtls-certificate-id=1234 --sslmode=verify-full"
 		);
 		await expect(reqProm).resolves.toMatchInlineSnapshot(`
 			Object {
 			  "mtls": Object {
 			    "ca_certificate_id": "12345",
 			    "mtls_certificate_id": "1234",
+			    "sslmode": "verify-full",
 			  },
 			  "name": "test123",
 			  "origin": Object {
@@ -663,20 +664,99 @@ describe("hyperdrive commands", () => {
 		`);
 	});
 
+	it("should create a hyperdrive with mtls config sslmode require", async () => {
+		const reqProm = mockHyperdriveCreate();
+		await runWrangler(
+			"hyperdrive create test123 --host=example.com --database=neondb --user=test --password=password --port=1234 --mtls-certificate-id=1234 --sslmode=require"
+		);
+		expect(std.out).toMatchInlineSnapshot(`
+			"🚧 Creating 'test123'
+			✅ Created new Hyperdrive PostgreSQL config: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+			📋 To start using your config from a Worker, add the following binding configuration to your Wrangler configuration file:
+
+			{
+			  \\"hyperdrive\\": [
+			    {
+			      \\"binding\\": \\"HYPERDRIVE\\",
+			      \\"id\\": \\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\\"
+			    }
+			  ]
+			}"
+		`);
+	});
+
+	it("should error a hyperdrive with mtls config sslmode require with CA", async () => {
+		const reqProm = mockHyperdriveCreate();
+		await expect(() =>
+			runWrangler(
+				"hyperdrive create test123 --host=example.com --database=neondb --user=test --password=password --port=1234 --ca-certificate-id=1234 --sslmode=require"
+			)
+		).rejects.toThrow();
+		expect(std.err).toMatchInlineSnapshot(`
+			"[31mX [41;31m[[41;97mERROR[41;31m][0m [1mCA not allowed when sslmode = 'require' is set[0m
+
+			"
+		`);
+	});
+
+	it("should error a hyperdrive with mtls config sslmode verify-ca missing CA", async () => {
+		const reqProm = mockHyperdriveCreate();
+		await expect(() =>
+			runWrangler(
+				"hyperdrive create test123 --host=example.com --database=neondb --user=test --password=password --port=1234 --mtls-certificate-id=1234 --sslmode=verify-ca"
+			)
+		).rejects.toThrow();
+		expect(std.err).toMatchInlineSnapshot(`
+			"[31mX [41;31m[[41;97mERROR[41;31m][0m [1mCA required when sslmode = 'verify-ca' or 'verify-full' is set[0m
+
+			"
+		`);
+	});
+
+	it("should error a hyperdrive with mtls config sslmode verify-full missing CA", async () => {
+		const reqProm = mockHyperdriveCreate();
+		await expect(() =>
+			runWrangler(
+				"hyperdrive create test123 --host=example.com --database=neondb --user=test --password=password --port=1234 --mtls-certificate-id=1234 --sslmode=verify-full"
+			)
+		).rejects.toThrow();
+		expect(std.err).toMatchInlineSnapshot(`
+			"[31mX [41;31m[[41;97mERROR[41;31m][0m [1mCA required when sslmode = 'verify-ca' or 'verify-full' is set[0m
+
+			"
+		`);
+	});
+
+	it("should error a hyperdrive with mtls config sslmode random", async () => {
+		const reqProm = mockHyperdriveCreate();
+		await expect(() =>
+			runWrangler(
+				"hyperdrive create test123 --host=example.com --database=neondb --user=test --password=password --port=1234 --mtls-certificate-id=1234 --sslmode=random"
+			)
+		).rejects.toThrow();
+		expect(std.err).toMatchInlineSnapshot(`
+			"[31mX [41;31m[[41;97mERROR[41;31m][0m [1mInvalid values:[0m
+
+			    Argument: sslmode, Given: \\"random\\", Choices: \\"require\\", \\"verify-ca\\", \\"verify-full\\"
+
+			"
+		`);
+	});
+
 	it("should handle listing configs", async () => {
 		mockHyperdriveGetListOrDelete();
 		await runWrangler("hyperdrive list");
 		expect(std.out).toMatchInlineSnapshot(`
 			"📋 Listing Hyperdrive configs
-			┌──────────────────────────────────────┬─────────────┬─────────┬────────────────┬──────┬────────────┬───────────┬──────────┬───────────────────────────────────────────────────────────┐
-			│ id                                   │ name        │ user    │ host           │ port │ scheme     │ database  │ caching  │ mtls                                                      │
-			├──────────────────────────────────────┼─────────────┼─────────┼────────────────┼──────┼────────────┼───────────┼──────────┼───────────────────────────────────────────────────────────┤
-			│ xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx │ test123     │ test    │ example.com    │ 5432 │ PostgreSQL │ neondb    │ enabled  │                                                           │
-			├──────────────────────────────────────┼─────────────┼─────────┼────────────────┼──────┼────────────┼───────────┼──────────┼───────────────────────────────────────────────────────────┤
-			│ yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy │ new-db      │ dbuser  │ www.google.com │ 3211 │ PostgreSQL │ mydb      │ disabled │                                                           │
-			├──────────────────────────────────────┼─────────────┼─────────┼────────────────┼──────┼────────────┼───────────┼──────────┼───────────────────────────────────────────────────────────┤
-			│ zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz │ new-db-mtls │ pg-mtls │ www.mtls.com   │ 3212 │            │ mydb-mtls │ enabled  │ {\\"ca_certificate_id\\":\\"1234\\",\\"mtls_certificate_id\\":\\"1234\\"} │
-			└──────────────────────────────────────┴─────────────┴─────────┴────────────────┴──────┴────────────┴───────────┴──────────┴───────────────────────────────────────────────────────────┘"
+			┌──────────────────────────────────────┬─────────────┬─────────┬────────────────┬──────┬────────────┬───────────┬──────────┬───────────────────────────────────────────────────────────────────────────────────┐
+			│ id                                   │ name        │ user    │ host           │ port │ scheme     │ database  │ caching  │ mtls                                                                              │
+			├──────────────────────────────────────┼─────────────┼─────────┼────────────────┼──────┼────────────┼───────────┼──────────┼───────────────────────────────────────────────────────────────────────────────────┤
+			│ xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx │ test123     │ test    │ example.com    │ 5432 │ PostgreSQL │ neondb    │ enabled  │                                                                                   │
+			├──────────────────────────────────────┼─────────────┼─────────┼────────────────┼──────┼────────────┼───────────┼──────────┼───────────────────────────────────────────────────────────────────────────────────┤
+			│ yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy │ new-db      │ dbuser  │ www.google.com │ 3211 │ PostgreSQL │ mydb      │ disabled │                                                                                   │
+			├──────────────────────────────────────┼─────────────┼─────────┼────────────────┼──────┼────────────┼───────────┼──────────┼───────────────────────────────────────────────────────────────────────────────────┤
+			│ zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz │ new-db-mtls │ pg-mtls │ www.mtls.com   │ 3212 │            │ mydb-mtls │ enabled  │ {\\"ca_certificate_id\\":\\"1234\\",\\"mtls_certificate_id\\":\\"1234\\",\\"sslmode\\":\\"verify-full\\"} │
+			└──────────────────────────────────────┴─────────────┴─────────┴────────────────┴──────┴────────────┴───────────┴──────────┴───────────────────────────────────────────────────────────────────────────────────┘"
 		`);
 	});
 
@@ -985,13 +1065,14 @@ describe("hyperdrive commands", () => {
 	it("should handle updating a hyperdrive config's mtls configuration", async () => {
 		const reqProm = mockHyperdriveUpdate();
 		await runWrangler(
-			"hyperdrive update xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --ca-certificate-id=2345 --mtls-certificate-id=234"
+			"hyperdrive update xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --ca-certificate-id=2345 --mtls-certificate-id=234 --sslmode=verify-full"
 		);
 		await expect(reqProm).resolves.toMatchInlineSnapshot(`
 			Object {
 			  "mtls": Object {
 			    "ca_certificate_id": "2345",
 			    "mtls_certificate_id": "234",
+			    "sslmode": "verify-full",
 			  },
 			}
 		`);
@@ -1010,7 +1091,8 @@ describe("hyperdrive commands", () => {
 			  },
 			  \\"mtls\\": {
 			    \\"ca_certificate_id\\": \\"2345\\",
-			    \\"mtls_certificate_id\\": \\"234\\"
+			    \\"mtls_certificate_id\\": \\"234\\",
+			    \\"sslmode\\": \\"verify-full\\"
 			  }
 			}"
 		`);
@@ -1080,6 +1162,7 @@ function mockHyperdriveGetListOrDelete() {
 								mtls: {
 									ca_certificate_id: "1234",
 									mtls_certificate_id: "1234",
+									sslmode: "verify-full",
 								},
 							},
 						],
diff --git a/packages/wrangler/src/hyperdrive/client.ts b/packages/wrangler/src/hyperdrive/client.ts
@@ -1,6 +1,7 @@
 import { fetchPagedListResult, fetchResult } from "../cfetch";
 import { requireAuth } from "../user";
 import type { Config } from "../config";
+import { array } from "yargs";
 
 export type HyperdriveConfig = {
 	id: string;
@@ -87,8 +88,11 @@ export type PatchHyperdriveBody = {
 export type Mtls = {
 	ca_certificate_id?: string;
 	mtls_certificate_id?: string;
+	sslmode?: string;
 };
 
+export const Sslmode = ['require', 'verify-ca', 'verify-full'];
+
 export async function createConfig(
 	config: Config,
 	body: CreateUpdateHyperdriveBody
diff --git a/packages/wrangler/src/hyperdrive/index.ts b/packages/wrangler/src/hyperdrive/index.ts
@@ -19,6 +19,8 @@ import type {
 	OriginWithSecretsPartial,
 } from "./client";
 
+import { Sslmode } from "./client";
+
 export function hyperdrive(yargs: CommonYargsArgv) {
 	return yargs
 		.command(
@@ -127,6 +129,12 @@ export function upsertOptions<T>(yargs: Argv<T>) {
 				describe:
 					"Sets custom mTLS client certificates when connecting to origin database. Must be valid UUID of already uploaded public/private key certificates.",
 			},
+			"sslmode": {
+				type: "string",
+				choices: ["require", "verify-ca", "verify-full"],
+				describe:
+					"Sets CA sslmode for connecting to database.",
+			},
 		})
 		.group(
 			["connection-string"],
@@ -323,11 +331,30 @@ export function getMtlsFromArgs(
 	const mtls = {
 		ca_certificate_id: args.caCertificateId,
 		mtls_certificate_id: args.mtlsCertificateId,
+		sslmode: args.sslmode,
 	};
 
 	if (JSON.stringify(mtls) === "{}") {
 		return undefined;
 	} else {
+		if(!!mtls.sslmode &&
+			!Sslmode.includes(mtls.sslmode)) {
+			throw new UserError(
+				"sslmode must be one of following: 'require', 'verify-ca', or 'verify-full'"
+			);
+		}
+
+		if(mtls.sslmode == "require" && mtls.ca_certificate_id?.trim()) {
+			throw new UserError(
+				"CA not allowed when sslmode = 'require' is set"
+			);
+		}
+
+		if((mtls.sslmode == "verify-ca" || mtls.sslmode == "verify-full") && !mtls.ca_certificate_id?.trim()) {
+			throw new UserError(
+				"CA required when sslmode = 'verify-ca' or 'verify-full' is set"
+			);
+		}
 		return mtls;
 	}
 }
