Skip to content

Commit 8ad45be

Browse files
m000dpage
authored andcommitted
Use ServerManager's passfile in connect() credential gate. (pgadmin-org#9810)
The passfile kwarg passed to Connection.connect() was only ever used as a gate for the passexec fallback; it was never forwarded to create_connection_string(), which builds the DSN's passfile from the ServerManager's connection parameters. This made the gate inconsistent with the passfile actually used for the connection. Use the ServerManager passfile for the credential gate so the check matches what is used to connect. The manager passfile now takes precedence over both passexec and any passfile kwarg; warnings are emitted when either is ignored in its favor.
1 parent 2918e16 commit 8ad45be

2 files changed

Lines changed: 28 additions & 9 deletions

File tree

docs/en_US/release_notes_9_16.rst

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,12 @@ Release date: TBD
66

77
This release contains a number of bug fixes and new features since the release of pgAdmin 4 v9.15.
88

9+
.. warning:: Starting with this release, when a server connection is configured
10+
with both an external password-exec command and a passfile, pgAdmin now
11+
uses the passfile and ignores the password-exec command. Previously the
12+
password-exec command took precedence. A warning is written to the log when
13+
the password-exec command is ignored in favour of the passfile.
14+
915
Supported Database Servers
1016
**************************
1117
**PostgreSQL**: 13, 14, 15, 16, 17 and 18
@@ -36,6 +42,7 @@ Bug fixes
3642
| `Issue #9677 <https://github.com/pgadmin-org/pgadmin4/issues/9677>`_ - Fix the Unlogged table toggle in table properties not generating any ALTER TABLE ... SET LOGGED/UNLOGGED statement.
3743
| `Issue #9828 <https://github.com/pgadmin-org/pgadmin4/issues/9828>`_ - Fix tool calls failing against OpenAI-compatible providers that emit empty/null name, arguments, or id fields in streaming continuation deltas.
3844
| `Issue #9875 <https://github.com/pgadmin-org/pgadmin4/issues/9875>`_ - Fixed an issue where EXPLAIN and EXPLAIN ANALYZE failed to execute when blank lines separated clauses in the SQL query.
45+
| `Issue #9810 <https://github.com/pgadmin-org/pgadmin4/issues/9810>`_ - Use the ServerManager's passfile for the credential gate in connect() so the check matches the passfile actually used for the connection, and warn on conflicting passfile/passexec settings.
3946
| `Issue #9892 <https://github.com/pgadmin-org/pgadmin4/issues/9892>`_ - Fix blank difference counts on the top-level group rows in Schema Diff.
4047
| `Issue #9896 <https://github.com/pgadmin-org/pgadmin4/issues/9896>`_ - Fix invalid DDL reconstruction for SERIAL columns in Schema Diff and the generated SQL/CREATE Script so the output round-trips on a clean target.
4148
| `Issue #9935 <https://github.com/pgadmin-org/pgadmin4/issues/9935>`_ - Fix "Illegal instruction" crash on startup of the Linux DEB and RPM packages on older x86_64 CPUs by pinning the psycopg C extension build to the x86-64 baseline.

web/pgadmin/utils/driver/psycopg3/connection.py

Lines changed: 21 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,6 @@
1717
import secrets
1818
import datetime
1919
import asyncio
20-
import copy
2120
from collections import deque
2221
import psycopg
2322
from flask import g, current_app
@@ -281,7 +280,6 @@ def connect(self, **kwargs):
281280
password, encpass, is_update_password = \
282281
self._check_user_password(kwargs)
283282

284-
passfile = kwargs['passfile'] if 'passfile' in kwargs else None
285283
tunnel_password = kwargs['tunnel_password'] if 'tunnel_password' in \
286284
kwargs else ''
287285

@@ -313,14 +311,28 @@ def connect(self, **kwargs):
313311
if is_error:
314312
return False, errmsg
315313

316-
# If no password credential is found then connect request might
317-
# come from Query tool, ViewData grid, debugger etc tools.
318-
# we will check for pgpass file availability from connection manager
319-
# if it's present then we will use it
320-
if not password and not encpass and not passfile:
321-
passfile = manager.get_connection_param_value('passfile')
322-
if manager.passexec:
314+
# If no password credential is found then connect request might come
315+
# from Query tool, ViewData grid, debugger, etc. In that case, fall
316+
# back to using the password returned from manager.passexec.
317+
passfile = manager.get_connection_param_value('passfile')
318+
if not password and not encpass and manager.passexec:
319+
if not passfile:
323320
password = manager.passexec.get()
321+
else:
322+
current_app.logger.warning(
323+
'Ignoring passexec in favor of the specified passfile '
324+
f'({passfile!r}).'
325+
)
326+
327+
# create_connection_string() automatically picks up the passfile from
328+
# connection parameters. Warn if that differs from the passfile kwarg.
329+
passfile_kwarg = kwargs.get('passfile', None)
330+
if passfile_kwarg and passfile_kwarg != passfile:
331+
current_app.logger.warning(
332+
'Conflicting passfiles specified through keyword arguments '
333+
f'({passfile_kwarg!r}) and connection parameters '
334+
f'({passfile!r}); using the latter.'
335+
)
324336

325337
try:
326338
database = self.db

0 commit comments

Comments
 (0)