feat: configure pg8000 connection with SSLSocket (#789)

Author: jackwotherspoon

google/cloud/sql/connector/instance.py

@@ -104,10 +104,6 @@ def __init__(
                 "Upgrade your OpenSSL version to 1.1.1 for TLSv1.3 support."
             )
             self.context.minimum_version = ssl.TLSVersion.TLSv1_2
-
-        # add request_ssl attribute to ssl.SSLContext, required for pg8000 driver
-        self.context.request_ssl = False  # type: ignore
-
         self.expiration = expiration
 
         # tmpdir and its contents are automatically deleted after the CA cert

google/cloud/sql/connector/pg8000.py

@@ -13,6 +13,7 @@
 See the License for the specific language governing permissions and
 limitations under the License.
 """
+import socket
 import ssl
 from typing import Any, TYPE_CHECKING
 
@@ -39,26 +40,26 @@ def connect(
     :rtype: pg8000.dbapi.Connection
     :returns: A pg8000 Connection object for the Cloud SQL instance.
     """
-    # Connecting through pg8000 is done by passing in an SSL Context and setting the
-    # "request_ssl" attr to false. This works because when "request_ssl" is false,
-    # the driver skips the database level SSL/TLS exchange, but still uses the
-    # ssl_context (if it is not None) to create the connection.
     try:
         import pg8000
     except ImportError:
         raise ImportError(
             'Unable to import module "pg8000." Please install and try again.'
         )
+
+    # Create socket and wrap with context.
+    sock = ctx.wrap_socket(
+        socket.create_connection((ip_address, SERVER_PROXY_PORT)),
+        server_hostname=ip_address,
+    )
+
     user = kwargs.pop("user")
     db = kwargs.pop("db")
     passwd = kwargs.pop("password", None)
-    setattr(ctx, "request_ssl", False)
     return pg8000.dbapi.connect(
         user,
         database=db,
         password=passwd,
-        host=ip_address,
-        port=SERVER_PROXY_PORT,
-        ssl_context=ctx,
+        sock=sock,
         **kwargs,
     )

tests/unit/test_connector.py

@@ -108,7 +108,7 @@ def test_Connector_connect(connector: Connector) -> None:
     """Test that Connector.connect can properly return a DB API connection."""
     connect_string = "my-project:my-region:my-instance"
     # patch db connection creation
-    with patch("pg8000.dbapi.connect") as mock_connect:
+    with patch("google.cloud.sql.connector.pg8000.connect") as mock_connect:
         mock_connect.return_value = True
         connection = connector.connect(
             connect_string, "pg8000", user="my-user", password="my-pass", db="my-db"

tests/unit/test_pg8000.py

@@ -13,23 +13,32 @@
 See the License for the specific language governing permissions and
 limitations under the License.
 """
-import ssl
+from functools import partial
 from typing import Any
 
 from mock import patch
+from mocks import create_ssl_context
+import pytest
 
 from google.cloud.sql.connector.pg8000 import connect
 
 
-def test_pg8000(kwargs: Any) -> None:
+@pytest.mark.usefixtures("server")
+@pytest.mark.asyncio
+async def test_pg8000(kwargs: Any) -> None:
     """Test to verify that pg8000 gets to proper connection call."""
-    ip_addr = "0.0.0.0"
-    context = ssl.create_default_context()
+    ip_addr = "127.0.0.1"
+    # build ssl.SSLContext
+    context = await create_ssl_context()
+    # force all wrap_socket calls to have do_handshake_on_connect=False
+    setattr(
+        context,
+        "wrap_socket",
+        partial(context.wrap_socket, do_handshake_on_connect=False),
+    )
     with patch("pg8000.dbapi.connect") as mock_connect:
         mock_connect.return_value = True
         connection = connect(ip_addr, context, **kwargs)
         assert connection is True
-        # verify ssl.SSLContext has 'request_ssl' attribute set to false
-        assert context.request_ssl is False  # type: ignore
         # verify that driver connection call would be made
         assert mock_connect.assert_called_once